FreeBSD/src d516e52sys/fs/nfs nfs.h, sys/fs/nfsserver nfs_nfsdkrpc.c nfs_nfsdport.c

nfsd: Optionally enable use of M_EXTPG mbufs for read replies

A test site determined that, for a Mellanox NIC which can handle
M_EXTPG mbufs, an improvement of 5-15% for read rate could be
achieved if the read reply was in M_EXTPG mbufs.

A patch that tried to determine if the outbound NIC supported
M_EXTPG mbufs (IFCAP_MEXTPG) did not pass review.
However, it does appear that this can be useful for NFS-over-RDMA.
(Which just happen to use NICs that do support M_EXTPG mbufs.)

As such, this patch enables them is xp_extpg is set to true,
which is never for now, but might be set true for RDMA or
when vfs.nfsd.enable_mextpg is set non-zero. (It is 0 by
default, so this is never enabled by default at this time.)

Tested by:      Greg Becker <becker.greg at att.net>
MFC after:      2 weeks
DeltaFile
+17-1sys/fs/nfsserver/nfs_nfsdkrpc.c
+10-6sys/fs/nfsserver/nfs_nfsdport.c
+5-2sys/fs/nfsserver/nfs_nfsdserv.c
+1-0sys/fs/nfs/nfs.h
+1-0sys/rpc/svc.h
+34-95 files

FreeBSD/ports 0063585net/turnserver Makefile distinfo

net/turnserver: Update 4.10.0 => 4.14.0 (fix 4 CVEs)

Changelogs:
https://github.com/coturn/coturn/blob/4.14.0/ChangeLog
https://github.com/coturn/coturn/releases/tag/4.11.0
https://github.com/coturn/coturn/releases/tag/4.12.0
https://github.com/coturn/coturn/releases/tag/4.13.0
https://github.com/coturn/coturn/releases/tag/4.13.1
https://github.com/coturn/coturn/releases/tag/4.14.0

- Remove dead mirror from MASTER_SITES.
- Switch from http to https in MASTER_SITES.
- Remove unused dependency gettext-runtime.

PR:             296555
Approved by:    blanket (fix 4 CVEs)
Security:       CVE-2026-53450
Security:       CVE-2026-53449
Security:       CVE-2026-53448

    [6 lines not shown]
DeltaFile
+3-4net/turnserver/Makefile
+3-3net/turnserver/distinfo
+6-72 files

FreeBSD/ports fd77dbcnet/turnserver Makefile distinfo

net/turnserver: Update 4.10.0 => 4.14.0 (fix 4 CVEs)

Changelogs:
https://github.com/coturn/coturn/blob/4.14.0/ChangeLog
https://github.com/coturn/coturn/releases/tag/4.11.0
https://github.com/coturn/coturn/releases/tag/4.12.0
https://github.com/coturn/coturn/releases/tag/4.13.0
https://github.com/coturn/coturn/releases/tag/4.13.1
https://github.com/coturn/coturn/releases/tag/4.14.0

- Remove dead mirror from MASTER_SITES.
- Switch from http to https in MASTER_SITES.
- Remove unused dependency gettext-runtime.

PR:             296555
Approved by:    blanket (fix 4 CVEs)
Security:       CVE-2026-53450
Security:       CVE-2026-53449
Security:       CVE-2026-53448

    [4 lines not shown]
DeltaFile
+3-4net/turnserver/Makefile
+3-3net/turnserver/distinfo
+6-72 files

FreeBSD/ports ba80bc9devel Makefile, devel/rhg distinfo Makefile.cargo

devel/rhg: New port

Experimental Rust backend for Mercurial.

Sponsored by:   tipi.work
DeltaFile
+507-0devel/rhg/distinfo
+252-0devel/rhg/Makefile.cargo
+28-0devel/rhg/Makefile
+1-0devel/Makefile
+1-0devel/rhg/pkg-descr
+789-05 files

FreeBSD/ports 54bba80www/deno Makefile, www/deno/files patch-cli_task__runner.rs patch-tests_unit__node_process__test.ts

www/deno: Improve port

- Fix dependencies.
- Fix PREFIX and LOCALBASE usage.
- Fix warnings from portclippy.
- Merge INSTALL_PROGRAMs.
- Split long line in do-test.

PR:             296548
Sponsored by:   UNIS Labs
DeltaFile
+23-25www/deno/Makefile
+4-4www/deno/files/patch-cli_task__runner.rs
+1-1www/deno/files/patch-tests_unit__node_process__test.ts
+28-303 files

FreeBSD/ports 2fb62f7security/zeek/files patch-src_file__analysis_analyzer_x509_OCSP.cc patch-src_file__analysis_analyzer_x509_functions.bif

security/zeek: Update to 8.0.9

    https://github.com/zeek/zeek/releases/tag/v8.0.9

This release fixes the following potential DoS vulnerabilities:

 - The NVT, Rlogin, and RSH analyzers have received fixes to avoid
   unbounded state growth. Due to the fact that these packets can
   be received from remote hosts, these are considered DoS risks.

 - A specially crafted WebSocket payload can cause the Spicy WebSocket
   analyzer to use excessive memory when processing close, ping,
   and pong frames. Due to the fact that these packets can be
   received from remote hosts, these are considered a DoS risk.

 - A specially crafted series of Finger packets can cause the Spicy
   Finger analyzer to use excessive amounts of memory and potentially
   crash Zeek. Due to the fact that these packets can be received
   from remote hosts, this is considered a DoS risk.

    [100 lines not shown]
DeltaFile
+0-84security/zeek/files/patch-src_file__analysis_analyzer_x509_OCSP.cc
+0-38security/zeek/files/patch-src_file__analysis_analyzer_x509_functions.bif
+0-20security/zeek/files/patch-auxil_spicy_hilti_toolchain_src_compiler_driver.cc
+0-20security/zeek/files/patch-src_file__analysis_analyzer_x509_X509.h
+0-20security/zeek/files/patch-auxil_spicy_hilti_runtime_include_types_stream.h
+0-12security/zeek/files/patch-src_digest.cc
+0-19412 files not shown
+10-30018 files

FreeBSD/ports 76913ffsecurity/vuxml/vuln 2026.xml

security/vuxml: Mark security/zeek < 8.0.9 as vulnerable as per:

    https://github.com/zeek/zeek/releases/tag/v8.0.9

This release fixes the following potential DoS vulnerabilities:

 - The NVT, Rlogin, and RSH analyzers have received fixes to avoid
   unbounded state growth. Due to the fact that these packets can
   be received from remote hosts, these are considered DoS risks.

 - A specially crafted WebSocket payload can cause the Spicy WebSocket
   analyzer to use excessive memory when processing close, ping,
   and pong frames. Due to the fact that these packets can be
   received from remote hosts, these are considered a DoS risk.

 - A specially crafted series of Finger packets can cause the Spicy
   Finger analyzer to use excessive amounts of memory and potentially
   crash Zeek. Due to the fact that these packets can be received
   from remote hosts, this is considered a DoS risk.

    [52 lines not shown]
DeltaFile
+86-0security/vuxml/vuln/2026.xml
+86-01 files

FreeBSD/ports d471570devel/aws-crt-cpp distinfo Makefile

devel/aws-crt-cpp: Update to 0.41.0

ChangeLog: https://github.com/awslabs/aws-crt-cpp/releases/tag/v0.41.0
DeltaFile
+3-3devel/aws-crt-cpp/distinfo
+1-1devel/aws-crt-cpp/Makefile
+4-42 files

FreeBSD/ports 1f9c3acsecurity/qt-sudo distinfo Makefile

security/qt-sudo: Update to 2.4.1

ChangeLog: https://github.com/aarnt/qt-sudo/releases/tag/v2.4.1
DeltaFile
+3-3security/qt-sudo/distinfo
+1-1security/qt-sudo/Makefile
+4-42 files

FreeBSD/ports e9034acgames/CWR-CE/files patch-engine_Poseidon_AI_AIGroupImpl.cpp patch-engine_Poseidon_World_Entities_Vehicles_TransportCore.cpp

games/CWR-CE: roll upstream fork forward and fix aarch64 build
DeltaFile
+0-118games/CWR-CE/files/patch-engine_Poseidon_AI_AIGroupImpl.cpp
+0-39games/CWR-CE/files/patch-engine_Poseidon_World_Entities_Vehicles_TransportCore.cpp
+18-0games/CWR-CE/files/patch-engine_Poseidon_Foundation_Math_V3QuadsP3.cpp
+17-0games/CWR-CE/files/patch-engine_Poseidon_Foundation_Math_Quatrix.hpp
+0-16games/CWR-CE/files/patch-engine_Poseidon_World_Entities_Vehicles_Transport.cpp
+0-15games/CWR-CE/files/patch-engine_Poseidon_World_Entities_Infantry_SoldierOldMove.cpp
+35-1884 files not shown
+72-19410 files

FreeBSD/ports 4766551devel/moon distinfo Makefile.crates, devel/moon/files patch-cargo-crates_wasmtime-41.0.4_src_runtime_vm_sys_unix_signals.rs patch-cargo-crates_wasmtime-43.0.2_src_runtime_vm_sys_unix_signals.rs

devel/moon: update to 2.4.1
DeltaFile
+385-405devel/moon/distinfo
+191-201devel/moon/Makefile.crates
+0-16devel/moon/files/patch-cargo-crates_wasmtime-41.0.4_src_runtime_vm_sys_unix_signals.rs
+16-0devel/moon/files/patch-cargo-crates_wasmtime-43.0.2_src_runtime_vm_sys_unix_signals.rs
+1-1devel/moon/Makefile
+593-6235 files

FreeBSD/src ee5d87asys/netinet raw_ip.c

raw ip: fix race of two connect(2)

The historical design of sockets is that on a re-connect the disconnect is
performed at the socket layer in soconnectat().  Since SMP times this is
known to be racy and the function has appopriate comment.  I missed that
in the recent change.  The pr_connect method should normally expect the
socket to be already disconnected, however should be able to handle a race
where socket is actually connected.  Convert the check that incorrectly
tried to handle normal path of re-connect into check that handles the
race.

Reported by:    markj
Fixes:  ece716c5d34728a170f1dfe1b3389c267d6ddd1e
DeltaFile
+1-2sys/netinet/raw_ip.c
+1-21 files

FreeBSD/src 4dd9e4esys/powerpc/booke pmap_32.c

powerpc/booke(pmap): Flash-invalidate TLB on TID rollover

When the TID rolls over on a given CPU, simply flash-invalidate the
TLB instead of walking the TLB to only invalidate the repurposed TID.
Walking 256 entries is expensive, and we'll likely be inserting a bunch
new ones anyway in the new environment, since 256 really only handles
1MB of storage, so the likelihood of other mappings continuing to exist
in the TLB when their thread owner is scheduled again is very very
small.
DeltaFile
+2-22sys/powerpc/booke/pmap_32.c
+2-221 files

FreeBSD/src dec79d2sys/powerpc/booke pmap.c

powerpc/pmap(booke): Fix TLB TID eviction

Fix tid_set_busy() for when `pmap` is NULL. Obviously a NULL pointer
cannot be correctly used, so I'm not sure how it worked in testing on
64-bit.
DeltaFile
+8-5sys/powerpc/booke/pmap.c
+8-51 files

FreeBSD/doc d21a710website/content/ru/releng _index.adoc

website/ru: Update releng/_index.adoc

Update to EN 8ead66a97f9ac8f2440f5e2126dc85eee4594315
DeltaFile
+2-2website/content/ru/releng/_index.adoc
+2-21 files

FreeBSD/ports 80c2db1mail/postfix distinfo Makefile

mail/postfix: Update to 3.11.5
DeltaFile
+3-3mail/postfix/distinfo
+2-2mail/postfix/Makefile
+5-52 files

FreeBSD/doc feb78c7website/themes/beastie/i18n ru.toml

Update website/themes/beastie/i18n/ru.toml

Update to EN 1429387ea6272ab62c87ba6488bb20742cf95dbd
Improve wording
DeltaFile
+50-44website/themes/beastie/i18n/ru.toml
+50-441 files

FreeBSD/ports e3c08besysutils/cpdup-FreeBSD distinfo Makefile

sysutils/cpdup-FreeBSD: update to 1.1.0

Approved by:    Gianmarco Giovannelli <gmarco at giovannelli.it> (maintainer, via email)
DeltaFile
+3-3sysutils/cpdup-FreeBSD/distinfo
+1-1sysutils/cpdup-FreeBSD/Makefile
+4-42 files

FreeBSD/src 5f4c87etools/tools/git git-mfc

git-mfc: Allow merging merge commits

In order to merge merge commits (such as vendor imports), we need to
tell git cherry-pick which of the two branches referenced in the commit
is the mainline.  In our case, it is always the first.

Approved by:    markj
DeltaFile
+1-1tools/tools/git/git-mfc
+1-11 files

FreeBSD/src f01c509lib/libsysdecode mktables, sys/netpfil/pf pf_nl.h

pf: revert netlink commands back to enum

Revert pf_nl.h part of 017690e50913 and use new libsysdecode build glue
that parses enums.

Reviewed by:    kp, glebius
Differential Revision:  https://reviews.freebsd.org/D57866
DeltaFile
+52-51sys/netpfil/pf/pf_nl.h
+1-1lib/libsysdecode/mktables
+53-522 files

FreeBSD/src 8b19780lib/libsysdecode mktables

libsysdecode: Teach mktables to handle enums

While here, clean up and simplify the existing code.

MFC after:      1 week
Reviewed by:    glebius, jhb
Differential Revision:  https://reviews.freebsd.org/D57993
DeltaFile
+40-21lib/libsysdecode/mktables
+40-211 files

FreeBSD/src 6a6d6d7cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting tst.sid.ksh tst.uid.ksh

dtrace tests: Fix finding multiple process results

When looking up self process we can use `ps -p $$` directly rather
than grep which may find other processes ending in the expected PID.

Sponsored by:   Dell Inc.
Reviewed by:    markj, vangyzen
Differential Revision: https://reviews.freebsd.org/D58019
DeltaFile
+1-1cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting/tst.sid.ksh
+1-1cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting/tst.uid.ksh
+1-1cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting/tst.euid.ksh
+1-1cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting/tst.egid.ksh
+1-1cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/scripting/tst.gid.ksh
+5-55 files

FreeBSD/ports 7a7dea4dns/knot3 Makefile, net/samba416 Makefile

*: Fix dependency on lmdb0
DeltaFile
+1-1net/samba423/Makefile
+1-1net/samba422/Makefile
+1-1net/samba420/Makefile
+1-1net/samba419/Makefile
+1-1net/samba416/Makefile
+1-1dns/knot3/Makefile
+6-63 files not shown
+9-99 files

FreeBSD/ports 4cbac2cdevel/cpp2py Makefile

devel/cpp2py: Fix build broken by python-3.12 transition

Reported by:    fallout
DeltaFile
+4-2devel/cpp2py/Makefile
+4-21 files

FreeBSD/ports c3f806dscience/gpaw-setups Makefile

science/gpaw-setups: Improve install target
DeltaFile
+2-1science/gpaw-setups/Makefile
+2-11 files

FreeBSD/src d7d7134lib/libc/posix1e acl_from_text.c

acl_from_text.c: Allow negative uid/gid numbers to be handled

getfacl / acl_to_text() incorrectly prints uid/gid numbers as signed integers.
This causes uid / gid numbers larger than 2G (2147483648) to print as
negative numbers.
The libc acl_from_text() function does not handle negative numbers.
This diff adds a backwards compatiblity fix to allow negative numbers...

Reviewed by:    rmacklem
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D57180
DeltaFile
+32-9lib/libc/posix1e/acl_from_text.c
+32-91 files

FreeBSD/ports b5eb1f6devel/tree-sitter-cli Makefile

devel/tree-sitter-cli: use llvm:lib to solve rquickjs-sys build failure

PR:          296016
Approved by: Artur Manuel <amadaluzia at disroot.org> (maintainer)
Approved by: dch (mentor)
Approved by: portmgr (build fix blanket)
Fixes:       9f53adf51b02
DeltaFile
+1-1devel/tree-sitter-cli/Makefile
+1-11 files

FreeBSD/ports 205c8a2devel/appstream Makefile

devel/appstream: Fix dependency on lmdb0

PR:             296530 296560
DeltaFile
+1-1devel/appstream/Makefile
+1-11 files

FreeBSD/ports fd4f4e6www/ot-recorder Makefile

www/ot-recorder: Fix dependency on lmdb0

PR:             296530
DeltaFile
+1-1www/ot-recorder/Makefile
+1-11 files

FreeBSD/ports c66ca7alang/luajit distinfo Makefile

lang/luajit: update to the recent snapshot

Sponsored by:   tipi.work
DeltaFile
+3-3lang/luajit/distinfo
+1-1lang/luajit/Makefile
+4-42 files