BSD Commit Log Search

   Unbreak build by updating plist

   Spotted by naddy

   sndiod: Use chars (instead of uint8_t's) for the MIDI slot name

   No behavior change

   Add missing dependency on ksvg

   spotted by naddy

   sndiod: Fix ctl_match() when arg0 == NULL

   No behavior change as sndiod doesn't call ctl_match() with
   arg0 == NULL (yet).

   sndiod: Log unknown network messages to ease debugging the protocol

   Minor spacing tweak

   Validate -O flags, from Dane Jensen in GitHub issue 4889.

   Fix memory leak, from Chris Lewis, reported by Huihui Huang.

   Update to terraform-1.14.6.

   Update to adwaita-fonts-50.0.

   Update to amazon-ssm-agent-3.3.3883.0.

   Update to libphonenumber-9.0.25.

   Update to PostgreSQL 18.3

   Fixes:

   CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory

   CVE-2026-2004: PostgreSQL intarray missing validation of type of input
   to selectivity estimator executes arbitrary code

   CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes
   arbitrary code

   CVE-2026-2006: PostgreSQL missing validation of multibyte character
   length executes arbitrary code

   CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern
   onto server memory

   OK landry@

   ix(4) and ixv(4) can handle 64 bit DMA transfers.

   prodded by Brad Smith; tested by Hrvoje Popovski; OK kettenis@

   update to py3-icalendar-searcher-1.0.5

   Reserve the first MB of the DVA address space because qwx(4) doesn't
   succeed in doing DMA when the DVA is 0x1000 and PCI-PCI bridges may not
   forward address in part of that first MB as well.

   ok chris@

   Error out  on presence of Content-Length and Transfer-Encoding headers
   for GET, HEAD and other methods that should have no body.

   Ignoring the Content-Length header makes httpd vulnerable to
   HTTP request smuggling. A crafted GET request may embed an extra
   HTTP request which could bypass a proxy or WAF but then is handled
   by httpd.

   Remove the special case for TRACE and CONNECT in the Content-Length
   handling. Move those checks into the method switch at the end of the
   header parsing phase and by that also cover more methods including
   GET and HEAD. If either header is present simply abort the connection,
   nobody should send extra data along GET and HEAD requests.

   Add an an explicit HTTP_METHOD_TRACE case above the default case
   to indicated that we deliberately don't handle TRACE requests.

   This security vulnerability was found by Nicola Staller of SySS GmbH.

   With and OK rsadowski@ previous version also OK florian@

   update to py3-virtualenv-21.0.0

   Fix checking of of RL_FLAG_PCIE and accidental clobbering of sc->rl_flags

   confirmed by sthen and kettenis@ "please apply that fix"

   enable forced resolvers that aren't in a preference block

   allows a config such as:

       preference { autoconf }
       forwarder { 127.0.0.1 port 5300 }
       force forwarder { local }

   also fix a typo while i'm here

   ok florian

   update to anubis-1.25.0

   update to libmaxminddb0.13.2 (no real change for us)

   Add hints regarding colors etc used by default in recent GDB releases

   so that we can just answer "check the readme" when asked about it. :)

   databases/postgresql: update -stable from 17.7 to 17.9

   fixes CVE-2026-2003, CVE-2026-2004, CVE-2026-2005 & CVE-2026-2006
   see https://www.postgresql.org/docs/release/17.8/
   and https://www.postgresql.org/docs/release/17.9/
   discussed with jeremy@ (MAINTAINER)

   regress/mmap: Test hints in VM-area edge cases

   Test mmap(2) with hint above VM_MAXUSER_ADDRESS without MAP_FIXED.
   This tests uvm_map.c,v 1.355.

   Also test the lower boundary below PAGE_SIZE.

   ok kettenis@

   Update mame to 0.286.

   geo/gpxsee: update to 15.11

   bugfix update to 5.516

   Do not free buffer after adding to paste (since it now owns it).

   Add missing version bump to 6.6.1