FreeBSD/src 08cda4bshare/man/man4 ktls.4, sys/kern uipc_ktls.c

ktls: Add a tunable to disable TLS receive

TLS receive offload is really only beneficial for in-kernel use cases
(such as NFS over TLS) or when using a hardware offload.  In addition,
several recent SAs have involved the TLS receive path, but the only
current mitigation for those is to disable TLS offload entirely.

Reviewed by:    ziaee, gallatin, markj
Relnotes:       yes
Sponsored by:   Netflix
Sponsored by:   Chelsio Communications
Co-authored-by: John Baldwin <jhb at FreeBSD.org>
Differential Revision:  https://reviews.freebsd.org/D57974
DeltaFile
+58-32tests/sys/kern/ktls_test.c
+6-1sys/kern/uipc_ktls.c
+3-1share/man/man4/ktls.4
+67-343 files

FreeBSD/src 9cee481sys/kern uipc_ktls.c

ktls: Centralize the check for CBC ciphers

Move the check out of ktls_enable_(rx|tx) and into ktls_create_session.

Reviewed by:    gallatin, markj
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D57973
DeltaFile
+3-6sys/kern/uipc_ktls.c
+3-61 files

FreeBSD/ports f96acb2security/vuxml/vuln 2026.xml

security/vuxml: add FreeBSD SAs issued on 2026-06-30

FreeBSD-SA-26:37.vm affects all supported releases
FreeBSD-SA-26:38.jail affects 15.0R and 15.1R
FreeBSD-SA-26:39.execve affects all supported releases
FreeBSD-SA-26:40.zfs affects all supported releases
FreeBSD-SA-26:41.libalias affects all supported releases
FreeBSD-SA-26:42.unlinkat affects all supported releases
FreeBSD-SA-26:43.tcp affects all supported releases
FreeBSD-SA-26:44.posixshm affects all supported releases
FreeBSD-SA-26:45.audit affects all supported releases
FreeBSD-SA-26:46.ktls affects all supported releases
FreeBSD-SA-26:47.linux affects 14.3R, 14.4R and 15.0R
FreeBSD-SA-26:48.compat32 affects 14.3R, 14.4R and 15.0R
FreeBSD-SA-26:49.iconv affects all supported releases
DeltaFile
+480-0security/vuxml/vuln/2026.xml
+480-01 files

FreeBSD/ports 805e608security/openconnect Makefile distinfo, security/openconnect/files patch-openconnect-internal.h

security/openconnect: Update 9.12 => 9.21

Changelog:
https://www.infradead.org/openconnect/changelog.html

- Remove unnecessary GNU_CONFIGURE_MANPREFIX.
- Fix warnings from portclippy.
- Add P11KIT option.

PR:             296085
Approved by:    zi (maintainer, timeout 2 weeks)
Sponsored by:   UNIS Labs
Co-authored-by: Vladimir Druzenko <vvd at FreeBSD.org>
MFH:            2026Q2

(cherry picked from commit 9fdee93d72012d505371d25f8b5bc9a4242bde0c)
DeltaFile
+29-25security/openconnect/Makefile
+8-16security/openconnect/files/patch-openconnect-internal.h
+3-3security/openconnect/distinfo
+40-443 files

FreeBSD/ports 9fdee93security/openconnect Makefile distinfo, security/openconnect/files patch-openconnect-internal.h

security/openconnect: Update 9.12 => 9.21

Changelog:
https://www.infradead.org/openconnect/changelog.html

- Remove unnecessary GNU_CONFIGURE_MANPREFIX.
- Fix warnings from portclippy.
- Add P11KIT option.

PR:             296085
Approved by:    zi (maintainer, timeout 2 weeks)
Sponsored by:   UNIS Labs
Co-authored-by: Vladimir Druzenko <vvd at FreeBSD.org>
MFH:            2026Q2
DeltaFile
+29-25security/openconnect/Makefile
+8-16security/openconnect/files/patch-openconnect-internal.h
+3-3security/openconnect/distinfo
+40-443 files

FreeBSD/src 43b1adelib/libpkgconf Makefile, lib/libpkgconf/libpkgconf config.h

pkgconf: match the update to version 2.9.93

This update brings spdxtool(1), with the ability to generate software
bill of material files (SBOM) in the SPDX 3.0.1 format (JSON-LD).

Reviewed by:    markj
Approved by:    markj
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D57953
DeltaFile
+58-35lib/libpkgconf/libpkgconf/config.h
+29-4lib/libpkgconf/Makefile
+30-0usr.bin/spdxtool/Makefile
+4-4packages/pkgconf/pkgconf.ucl
+2-0usr.bin/pkgconf/Makefile
+1-0usr.bin/Makefile
+124-431 files not shown
+125-437 files

FreeBSD/src 592efe2contrib/pkgconf/cli main.c core.c, contrib/pkgconf/cli/spdxtool core.c

Merge commit '0cf7106da9f36671ef62142c27de98eee9d874d6' into khorben/pkgconf-2.9.93
DeltaFile
+173-1,493contrib/pkgconf/cli/main.c
+1,585-0contrib/pkgconf/tests/test-runner.c
+1,464-0contrib/pkgconf/cli/core.c
+194-975contrib/pkgconf/libpkgconf/win-dirent.h
+475-447contrib/pkgconf/libpkgconf/pkg.c
+854-0contrib/pkgconf/cli/spdxtool/core.c
+4,745-2,915542 files not shown
+24,800-6,437548 files

FreeBSD/src bb1e071sys/dev/asmc asmc.c asmcmmio.c

asmc: try PIO before MMIO to avoid false T2 detection

Add hw.asmc.system-state and hw.asmc.board-id read-only sysctls to
expose the T2 system state register and Mac board identifier via SMC.

Try PIO access before MMIO during probe to prevent false T2 detection
on Macs that happen to have something mapped at the T2 BAR address.

Reviewed by:    adrian
Differential Revision:  https://reviews.freebsd.org/D57844
DeltaFile
+34-27sys/dev/asmc/asmc.c
+1-1sys/dev/asmc/asmcmmio.c
+1-1sys/dev/asmc/asmcvar.h
+36-293 files

FreeBSD/src a2d087bsys/net80211 ieee80211_crypto.c

net80211: fix CCMP/GCMP AAD for MFP frames

Update ieee80211_crypto_init_aad() to do what 802.11-2020 says -
only mask fc[0] bits 4-6 on data frames, not on management frames.
This (with other diffs to actually negotiate MFP and configure
ath(4) for MFP + software keys) allows the CCMP path to decrypt
CCMP MFP frames in the software path.

Differential Revision:  https://reviews.freebsd.org/D57799
DeltaFile
+7-2sys/net80211/ieee80211_crypto.c
+7-21 files

FreeBSD/src 126f82asys/dev/asmc asmc.c

asmc: deduplicate sensor converters and cause sysctls

Replace per-type spXX_to_milli() functions with a table-driven
asmc_sensor_convert() that looks up the divisor by SMC type string.

Reviewed by:    adrian
Differential Revision:  https://reviews.freebsd.org/D57854
DeltaFile
+46-109sys/dev/asmc/asmc.c
+46-1091 files

FreeBSD/src 6a1bd52sys/dev/asmc asmc.c asmcvar.h

asmc: add system state and board identity sysctls

Add dev.asmc.0.system subtree with read-only sysctls for SMC diagnostic
and identity keys: shutdown_cause (MSSD), sleep_cause (MSSP),
thermal_status (MSAL), time_of_day (CLKT), power_state (MSPS),
board_id (RPlt), and chip_gen (RGEN).

Each sysctl is registered only if the key exists on the hardware.

Reviewed by:    adrian
Differential Revision:  https://reviews.freebsd.org/D57853
DeltaFile
+220-0sys/dev/asmc/asmc.c
+86-0sys/dev/asmc/asmcvar.h
+306-02 files

FreeBSD/ports 468bc70. UPDATING

UPDATING: Add description how to migrate from audio/murmur to audio/mumble-server

Sponsored by:   UNIS Labs
DeltaFile
+31-0UPDATING
+31-01 files

FreeBSD/doc 4eb8e14website/content/en/releases/14.3R errata.adoc, website/content/en/releases/14.4R errata.adoc

Add errata affecting 14.3R, 14.4R, 15.0R and 15.1R

FreeBSD-EN-26:16.arm64 affects all supported releases
FreeBSD-EN-26:17.rpcsec_tls affects 15.0R and 15.1R
DeltaFile
+2-3website/content/en/releases/15.1R/errata.adoc
+2-0website/content/en/releases/15.0R/errata.adoc
+1-0website/content/en/releases/14.3R/errata.adoc
+1-0website/content/en/releases/14.4R/errata.adoc
+6-34 files

FreeBSD/doc c825b69website/content/en/releases/14.3R errata.adoc, website/content/en/releases/14.4R errata.adoc

Add security advisories affecting 14.3R, 14.4R, 15.0R and 15.1R

FreeBSD-SA-26:37.vm affects all supported releases
FreeBSD-SA-26:38.jail affects 15.0R and 15.1R
FreeBSD-SA-26:39.execve affects all supported releases
FreeBSD-SA-26:40.zfs affects all supported releases
FreeBSD-SA-26:41.libalias affects all supported releases
FreeBSD-SA-26:42.unlinkat affects all supported releases
FreeBSD-SA-26:43.tcp affects all supported releases
FreeBSD-SA-26:44.posixshm affects all supported releases
FreeBSD-SA-26:45.audit affects all supported releases
FreeBSD-SA-26:46.ktls affects all supported releases
FreeBSD-SA-26:47.linux affects 14.3R, 14.4R and 15.0R
FreeBSD-SA-26:48.compat32 affects 14.3R, 14.4R and 15.0R
FreeBSD-SA-26:49.iconv affects all supported releases
DeltaFile
+11-3website/content/en/releases/15.1R/errata.adoc
+13-0website/content/en/releases/15.0R/errata.adoc
+12-0website/content/en/releases/14.4R/errata.adoc
+12-0website/content/en/releases/14.3R/errata.adoc
+48-34 files

FreeBSD/ports 02e0410net-mgmt/geom-exporter distinfo Makefile.crates

net-mgmt/geom-exporter: 0.1.4

This version no longer requires bindgen at build time.

https://github.com/asomers/gstat-rs/blob/master/freebsd-geom-exporter/CHANGELOG.md#014---2026-06-30

Sponsored by:   ConnectWise
DeltaFile
+11-35net-mgmt/geom-exporter/distinfo
+4-16net-mgmt/geom-exporter/Makefile.crates
+1-4net-mgmt/geom-exporter/Makefile
+16-553 files

FreeBSD/ports 28b57c3sysutils/gstat-rs distinfo Makefile.crates

sysutils/gstat-rs: 0.1.9

This version no longer requires bindgen at build time

https://github.com/asomers/gstat-rs/blob/master/gstat/CHANGELOG.md#019---2026-06-30

Sponsored by:   ConnectWise
DeltaFile
+21-31sysutils/gstat-rs/distinfo
+9-14sysutils/gstat-rs/Makefile.crates
+1-4sysutils/gstat-rs/Makefile
+31-493 files

FreeBSD/ports 1c810a0net/webalizer-geodb distinfo Makefile

net/webalizer-geodb: Update to 20260701
DeltaFile
+3-3net/webalizer-geodb/distinfo
+1-1net/webalizer-geodb/Makefile
+4-42 files

FreeBSD/src 9ea1324usr.sbin/bhyve bhyverun.c

bhyve: Add CPU pinning diagnostic message

When pinning a vcpu to a hostcpu fails, print out a diagnostic message
to stderr indicating the failing CPU pair.

MFC after:      1 month
Reviewed by:    bnovkov
Differential Revision:  https://reviews.freebsd.org/D57619
DeltaFile
+10-4usr.sbin/bhyve/bhyverun.c
+10-41 files

FreeBSD/ports 095f8c0devel/py-json5 distinfo Makefile

devel/py-json5: Update to 0.15.0

Changes:        https://github.com/dpranke/pyjson5/blob/main/README.md#version-history--release-notes
PR:             296364
DeltaFile
+3-3devel/py-json5/distinfo
+2-3devel/py-json5/Makefile
+5-62 files

FreeBSD/ports 2a1e1fddevel/libccid distinfo Makefile

devel/libccid: Update to 1.8.2

Changes:        https://github.com/LudovicRousseau/CCID/releases
PR:             296255
DeltaFile
+3-3devel/libccid/distinfo
+1-1devel/libccid/Makefile
+4-42 files

FreeBSD/ports b2071d2dns/py-idna distinfo Makefile

dns/py-idna: Update to 3.18

Changes:        https://github.com/kjd/idna/releases
PR:             296142
DeltaFile
+3-3dns/py-idna/distinfo
+1-1dns/py-idna/Makefile
+4-42 files

FreeBSD/ports 948ea40databases/py-redis Makefile, databases/py-redis/files patch-pyproject.toml

databases/py-redis: Relax RUN_DEPENDS for py-xxhash

- Bump PORTREVISION for package change

PR:             296097
Reported by:    <vermiculous at mailbox.org>
DeltaFile
+11-0databases/py-redis/files/patch-pyproject.toml
+2-1databases/py-redis/Makefile
+13-12 files

FreeBSD/ports cb89620www/py-lektor Makefile

www/py-lektor: Update BROKEN

The original issue was already fixed in 8efcc1c369a0048035fc0022072f9003c37b65e8.

Approved by:    portmgr (blanket)
With hat:       python
DeltaFile
+1-1www/py-lektor/Makefile
+1-11 files

FreeBSD/ports cf4931eirc/ircd-hybrid Makefile, mail/fetchmail Makefile

security/wolfssl: Bump PORTREVISION of dependent ports for shlib change (followup of ebd1ab3805d31a82613a1db818e6dc2bf5cdf75d)

wolfssl was updated to 5.9.2 in ebd1ab3805d31a82613a1db818e6dc2bf5cdf75d which
updates from libwolfssl.so.44 to libwolfssl.so.45. Therefore, PORTREVISION bump
is required. ftp/curl and net/libngtcp2-wolfssl are skipped because both ports
have version updates after ebd1ab3805d31a82613a1db818e6dc2bf5cdf75d.

% readelf -d /usr/local/lib/libwolfssl.so | grep SONAME
  0x000000000000000e (SONAME)     Library soname: [libwolfssl.so.45]
DeltaFile
+1-1www/wget2/Makefile
+1-1mail/fetchmail/Makefile
+1-0net/vde2/Makefile
+1-0irc/ircd-hybrid/Makefile
+1-0net/haproxy/Makefile
+1-0net/haproxy30/Makefile
+6-24 files not shown
+10-210 files

FreeBSD/ports bb99743lang/python-tools Makefile

lang/python-tools: Fix build with Python 3.12+

- While I'm here:
  - Reorder knobs
  - Sort USE_PYTHON
  - Remove WRKSRC_SUBDIR
  - Cosmetic change

These scripts have been removed from python 3.12+ repository [1][2][3].

===>  Patching for py312-python-tools-3.12.13_1
find: byteyears.py: No such file or directory
find: copytime.py: No such file or directory
find: crlf.py: No such file or directory
find: dutree.py: No such file or directory
find: lfcr.py: No such file or directory
find: ptags.py: No such file or directory
find: untabify.py: No such file or directory
*** Error code 1

    [5 lines not shown]
DeltaFile
+23-22lang/python-tools/Makefile
+23-221 files

FreeBSD/ports 3a5b9e2devel/py-freebsd/files patch-src-kqueue.c

devel/py-freebsd: Fix build with Python 3.12+

cc -fno-strict-overflow -Wsign-compare -Wunreachable-code -DNDEBUG -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fPIC -I/usr/local/include/python3.12 -c src/freebsdmodule.c -o build/temp.freebsd-15.0-RELEASE-p10-amd64-cpython-312/src/freebsdmodule.o
In file included from src/freebsdmodule.c:172:
In file included from src/.sources.def:7:
src/kqueue.c:248:2: error: incompatible pointer to integer conversion initializing 'Py_ssize_t' (aka 'long') with an expression of type 'void *' [-Wint-conversion]
  248 |         PyObject_HEAD_INIT(NULL)
      |         ^~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/include/python3.12/object.h:142:9: note: expanded from macro 'PyObject_HEAD_INIT'
  142 |         (type)                   \
      |         ^~~~~~
In file included from src/freebsdmodule.c:172:
In file included from src/.sources.def:7:
src/kqueue.c:556:2: error: incompatible pointer to integer conversion initializing 'Py_ssize_t' (aka 'long') with an expression of type 'void *' [-Wint-conversion]
  556 |         PyObject_HEAD_INIT(NULL)
      |         ^~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/include/python3.12/object.h:142:9: note: expanded from macro 'PyObject_HEAD_INIT'
  142 |         (type)                   \
      |         ^~~~~~

    [7 lines not shown]
DeltaFile
+26-0devel/py-freebsd/files/patch-src-kqueue.c
+26-01 files

FreeBSD/ports 0d96e3aMk bsd.default-versions.mk

Mk/bsd.default-versions.mk: Update comment: Add python 3.15
DeltaFile
+1-1Mk/bsd.default-versions.mk
+1-11 files

FreeBSD/ports 006c634www/py-flask-cors Makefile

www/py-flask-cors: Take maintainership (part of 0976f8b90b6c6d6f81000e65dba8c9260b1e2e0e)
DeltaFile
+1-1www/py-flask-cors/Makefile
+1-11 files

FreeBSD/ports 97f0190textproc/py-mistune0 Makefile

textproc/py-mistune0: Fix build with Python 3.12+

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/local/lib/python3.12/site-packages/installer/__main__.py", line 115, in <module>
    _main(sys.argv[1:], "python -m installer")
  File "/usr/local/lib/python3.12/site-packages/installer/__main__.py", line 100, in _main
    with WheelFile.open(wheel) as source:
         ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/installer/sources.py", line 179, in open
    with zipfile.ZipFile(path) as f:
         ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/zipfile/__init__.py", line 1352, in __init__
    self.fp = io.open(file, filemode)
              ^^^^^^^^^^^^^^^^^^^^^^^

    [4 lines not shown]
DeltaFile
+2-2textproc/py-mistune0/Makefile
+2-21 files

FreeBSD/ports cf55aa1graphics/py-pygeos Makefile, graphics/py-pygeos/files patch-cython patch-pyproject.toml

graphics/py-pygeos: Allow build with cython 3.x

- Change from USE_PYTHON=cython0 to USE_PYTHON=cython
- Bump PORTREVISION for package change
DeltaFile
+11-0graphics/py-pygeos/files/patch-cython
+4-2graphics/py-pygeos/files/patch-pyproject.toml
+2-2graphics/py-pygeos/Makefile
+17-43 files