<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib, branch release/14.4.0-p4</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0-p4</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0-p4'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-28T20:33:58Z</updated>
<entry>
<title>libnv: fix heap overflow in nvlist_recv()</title>
<updated>2026-04-28T20:33:58Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:36:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4f0992ce23b0934043daca0b85a7b73f0e0dc0a3'/>
<id>urn:sha1:4f0992ce23b0934043daca0b85a7b73f0e0dc0a3</id>
<content type='text'>
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
</content>
</entry>
<entry>
<title>libnv: switch fd_wait() from select(2) to poll(2)</title>
<updated>2026-04-28T20:33:58Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:35:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a5cb4863d65a64cc16a81f49b35b944d9b9b14f2'/>
<id>urn:sha1:a5cb4863d65a64cc16a81f49b35b944d9b9b14f2</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</content>
</entry>
<entry>
<title>libnv: add tests to verify potential overflow issues</title>
<updated>2026-04-28T20:33:58Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2024-08-29T13:46:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=adaed0700d2d1a84c0c1d6826fb9a1a23d83b603'/>
<id>urn:sha1:adaed0700d2d1a84c0c1d6826fb9a1a23d83b603</id>
<content type='text'>
Approved by:	so
Differential Revision:  https://reviews.freebsd.org/D46131

(cherry picked from commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e)
</content>
</entry>
<entry>
<title>libnv: add test to verify null termination of string in array</title>
<updated>2026-04-28T20:33:58Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2024-08-29T13:44:03Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=64c0919d2c63b3108b958f666b8a5332ba8eb1d1'/>
<id>urn:sha1:64c0919d2c63b3108b958f666b8a5332ba8eb1d1</id>
<content type='text'>
Approved by:	so
Differential Revision:  https://reviews.freebsd.org/D46138

(cherry picked from commit 2981431e044fae3bc87e6fa891b8230b484dc84b)
</content>
</entry>
<entry>
<title>pkru: Fix handling of 1GB largepage mappings</title>
<updated>2026-04-21T15:45:06Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-31T13:37:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5787df30dc3ee1d8389f2fcfef324d0f6e086779'/>
<id>urn:sha1:5787df30dc3ee1d8389f2fcfef324d0f6e086779</id>
<content type='text'>
pmap_pkru_update_range() did not handle the case where a PDPE has PG_PS
set.  More generally, the SET_PKRU and CLEAR_PKRU sysarch
implementations did not check whether the request covers a "boundary" vm
map entry.  Fix this, add the missing PG_PS test, and add some tests.

Approved by:	so
Security:	FreeBSD-SA-26:11.amd64
Security:	CVE-2026-6386
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	kib, alc
Differential Revision:	https://reviews.freebsd.org/D56184
</content>
</entry>
<entry>
<title>rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()</title>
<updated>2026-03-25T06:54:10Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-24T02:12:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7ea03a4238e8bf6b80824cd9a31e219020f4feb1'/>
<id>urn:sha1:7ea03a4238e8bf6b80824cd9a31e219020f4feb1</id>
<content type='text'>
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:	so
Security:	FreeBSD-SA-26:08.rpcsec_gss
Security:	CVE-2026-4747
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	rmacklem
Fixes:		a9148abd9da5d
</content>
</entry>
<entry>
<title>Update in preparation for 14.4-RELEASE</title>
<updated>2026-03-06T00:00:00Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2026-03-06T00:00:00Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a456f852d14544460204036ea55f45a9c7e04972'/>
<id>urn:sha1:a456f852d14544460204036ea55f45a9c7e04972</id>
<content type='text'>
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version

Approved by:	re (implicit)
Sponsored by:	OpenSats Initiative
</content>
</entry>
<entry>
<title>libfetch: Fail hard if interrupted while connecting</title>
<updated>2026-02-26T18:00:38Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-21T01:18:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ca76ec7c4e563292a0c75781683b0421a4439a02'/>
<id>urn:sha1:ca76ec7c4e563292a0c75781683b0421a4439a02</id>
<content type='text'>
This fixes an issue where the first address that DNS returns is blocked
by a packet filter, so we hang for a while, then the user hits Ctrl-C,
interrupting connect(2), whereupon we move on to the next address, get
a connection, request the file, and return to fetch(1), which sees that
SIGINT was caught and bails.

Note that we make no attempt to enforce fetchTimeout in the connection
phase, and never have.  It's feasible, but non-trivial, so we'll leave
it as an exercise for future us.

PR:		293312
MFC after:	1 week
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D55406

(cherry picked from commit afbdcd402bb439bd3d487baaad63b68e95929265)
(cherry picked from commit cca6f5eadb796b03379eb21f38c74ca46a64e45b)
</content>
</entry>
<entry>
<title>libfetch: Restore timeout functionality</title>
<updated>2026-02-19T19:21:21Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-18T15:10:47Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8755b5f3a590560996fb122abe22644d3be3836a'/>
<id>urn:sha1:8755b5f3a590560996fb122abe22644d3be3836a</id>
<content type='text'>
PR:		293124
MFC after:	1 week
Fixes:		792ef1ae7b94 ("Refactor fetch_connect() and fetch_bind() to improve readability and avoid repeating the same DNS lookups.")
Reverts:	8f8a7f6fffd7 ("libfetch: apply timeout to SSL_read()")
Reviewed by:	eugen, imp
Differential Revision:	https://reviews.freebsd.org/D55293

(cherry picked from commit 73b82d1b0a2f09224e6d0f7a13dd73c66d740207)
(insta-mfc requested by re@)
(cherry picked from commit d97c824f5b4c9e7e3a1400699022cba146e450fa)
</content>
</entry>
<entry>
<title>libfetch: Check for failure to create SSL context</title>
<updated>2026-02-12T21:24:34Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-07T14:24:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298'/>
<id>urn:sha1:53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298</id>
<content type='text'>
* Drop the ssl_meth member, there is no reason to hang on to it.

* Replace deprecated SSLv23_client_method() with TLS_client_method().

* Check the return value from SSL_CTX_new().

Approved by:	re (cperciva)
MFC after:	1 week
PR:		292903
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D55098

(cherry picked from commit 4e160c6197f75fda3d5d5997ce893087058cf718)
(cherry picked from commit 4781aeb5b9cb564a53fee8128f6827402deaf9df)
</content>
</entry>
</feed>
