<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-05-15T16:19:49Z</updated>
<entry>
<title>openssh: Add reference for another local patch</title>
<updated>2026-05-15T16:19:49Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-15T16:16:45Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=6531070132b0210aaaeb08c0dc93cb272bed348e'/>
<id>urn:sha1:6531070132b0210aaaeb08c0dc93cb272bed348e</id>
<content type='text'>
A bug fix was committed locally and submitted upstream.  Document it in
our upgrade instructions, as these sometimes take a long time before
getting merged.

Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>OpenSSH: Update to 10.3p1</title>
<updated>2026-05-14T18:59:30Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-14T18:59:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2574974648c68c738aec3ff96644d888d7913a37'/>
<id>urn:sha1:2574974648c68c738aec3ff96644d888d7913a37</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.3

Selected highlights from the release notes:

 * ssh(1), sshd(8): remove bug compatibility for implementations
   that don't support rekeying. If such an implementation tries to
   interoperate with OpenSSH, it will now eventually fail when the
   transport needs rekeying.

 * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
   forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
   names is advertised via the EXT_INFO message. If a server offers
   support for the new names, then they are used preferentially.

 * ssh(1): add a ~I escape option that shows information about the
   current SSH connection.

 * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
   applied to login attempts for usernames that do not match real
   accounts. Defaults to 5s to match 'authfail' but allows
   administrators to block such attempts for longer if desired.

 * Support the ed25519 signature scheme via libcrypto.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
</content>
</entry>
<entry>
<title>OpenSSH: Update to 10.2p1</title>
<updated>2026-05-12T21:12:09Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-12T21:12:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e68aa5ab80ab57bdbcbe94dd2922a018d675e7f0'/>
<id>urn:sha1:e68aa5ab80ab57bdbcbe94dd2922a018d675e7f0</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.2

Selected highlights from the release notes:

Bugfixes
--------

 * ssh(1): fix mishandling of terminal connections when
   ControlPersist was active that rendered the session unusable.
   bz3872

Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>OpenSSH: Update to 10.1p1</title>
<updated>2026-05-12T20:24:10Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-12T20:24:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=644b4646c7acab87dc20d4e5dd53d2d9da152989'/>
<id>urn:sha1:644b4646c7acab87dc20d4e5dd53d2d9da152989</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.1

Selected highlights from the release notes:

Potentially-incompatible changes

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
   keywords in the IPQoS configuration directive.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

Security

 * ssh(1): disallow control characters in usernames passed via the
   commandline or expanded using %-sequences from the configuration
   file, and disallow \0 characters in ssh:// URIs.

New features

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>krb5: Fix two NegoEx parsing vulnerabilities</title>
<updated>2026-05-01T00:11:25Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2026-04-30T19:27:31Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6'/>
<id>urn:sha1:c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6</id>
<content type='text'>
Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit
log is:

 In parse_nego_message(), check the result of the second call to
 vector_base() before dereferencing it.  In parse_message(), check for
 a short header_len to prevent an integer underflow when calculating
 the remaining message length.

 Reported by Cem Onat Karagun.

 CVE-2026-40355:

 In MIT krb5 release 1.18 and later, if an application calls
 gss_accept_sec_context() on a system with a NegoEx mechanism
 registered in /etc/gss/mech, an unauthenticated remote attacker can
 trigger a null pointer dereference, causing the process to terminate.

 CVE-2026-40356:

 In MIT krb5 release 1.18 and later, if an application calls
 gss_accept_sec_context() on a system with a NegoEx mechanism
 registered in /etc/gss/mech, an unauthenticated remote attacker can
 trigger a read overrun of up to 52 bytes, possibly causing the process
 to terminate.  Exfiltration of the bytes read does not appear
 possible.
</content>
</entry>
<entry>
<title>krb5: import MIT 1.22.2</title>
<updated>2026-05-01T00:10:53Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2026-04-30T19:24:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=736e411a737b9f57c1303e6d15c5afd4f63af0d3'/>
<id>urn:sha1:736e411a737b9f57c1303e6d15c5afd4f63af0d3</id>
<content type='text'>
Merge commit '90c687295e2d62f9411fc5b571f5af4e8ee187a7'
</content>
</entry>
<entry>
<title>crypto/openssl: update artifacts to match 3.5.6 release artifacts</title>
<updated>2026-04-09T01:55:43Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T01:54:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5254e16213ff1bb136ef24e0b0fe30625ac53563'/>
<id>urn:sha1:5254e16213ff1bb136ef24e0b0fe30625ac53563</id>
<content type='text'>
A new manpage and any associated links will be added in the next commit.

MFC after:	1 day (the security issues warrant a quick backport).
MFC with:	10a428653ee7216475f1ddce3fb4cbf1200319f8
</content>
</entry>
<entry>
<title>MFV: crypto/openssl: update to 3.5.6</title>
<updated>2026-04-09T01:44:24Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T01:44:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=10a428653ee7216475f1ddce3fb4cbf1200319f8'/>
<id>urn:sha1:10a428653ee7216475f1ddce3fb4cbf1200319f8</id>
<content type='text'>
This change brings in version 3.5.6 of OpenSSL, which features
several security fixes (the highest of which is a MEDIUM severity
issue), as well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a
new automated update process and failed to catch the commit message
issues until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after:	1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'
</content>
</entry>
<entry>
<title>OpenSSL: import 3.5.6</title>
<updated>2026-04-07T22:35:35Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-07T22:35:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ab5fc4ac933ff67bc800e774dffce15e2a541e90'/>
<id>urn:sha1:ab5fc4ac933ff67bc800e774dffce15e2a541e90</id>
<content type='text'>
This change adds OpenSSL 3.5.6 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes.

More information about the release (from a high level) can be found in
the release notes [4].

1. openssl-3.5.6.tar.gz
2. openssl-3.5.6.tar.gz.asc
3. openssl-3.5.6.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md
</content>
</entry>
<entry>
<title>krb5: Make the build a bit quieter</title>
<updated>2026-02-17T14:46:52Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-02-17T14:45:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4c247f120492d999ac90efcfc73e5fea29206d1f'/>
<id>urn:sha1:4c247f120492d999ac90efcfc73e5fea29206d1f</id>
<content type='text'>
compile_et.sh is run during buildworld and prints a bunch of debug
output.  It's intrusive and probably not needed, at least by default, so
let's make the build output a bit cleaner.  This is an upstream script,
but it hasn't been modified in 15 years so the local modification is
unlikely to cause any pain.

Also remove a print that shows up in buildworld -s output.

Reviewed by:	cy
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D55317
</content>
</entry>
</feed>
