FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.4 2026-03-25T06:54:10Z 2026-03-25T06:54:10Z Mark Johnston markj@FreeBSD.org 2026-03-24T02:12:42Z urn:sha1:7ea03a4238e8bf6b80824cd9a31e219020f4feb1 svc_rpc_gss_validate() copies the input message into a stack buffer without ensuring that the buffer is large enough. Sure enough, oa_length may be up to 400 bytes, much larger than the provided space. This enables an unauthenticated user to trigger an overflow and obtain remote code execution. Add a runtime check which verifies that the copy won't overflow. Approved by: so Security: FreeBSD-SA-26:08.rpcsec_gss Security: CVE-2026-4747 Reported by: Nicholas Carlini <npc@anthropic.com> Reviewed by: rmacklem Fixes: a9148abd9da5d 2026-03-06T00:00:00Z Colin Percival cperciva@FreeBSD.org 2026-03-06T00:00:00Z urn:sha1:a456f852d14544460204036ea55f45a9c7e04972 - Bump BRANCH to RELEASE - Add the anticipated RELEASE announcement date - Set a static __FreeBSD_version Approved by: re (implicit) Sponsored by: OpenSats Initiative 2026-02-26T18:00:38Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-21T01:18:15Z urn:sha1:ca76ec7c4e563292a0c75781683b0421a4439a02 This fixes an issue where the first address that DNS returns is blocked by a packet filter, so we hang for a while, then the user hits Ctrl-C, interrupting connect(2), whereupon we move on to the next address, get a connection, request the file, and return to fetch(1), which sees that SIGINT was caught and bails. Note that we make no attempt to enforce fetchTimeout in the connection phase, and never have. It's feasible, but non-trivial, so we'll leave it as an exercise for future us. PR: 293312 MFC after: 1 week Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D55406 (cherry picked from commit afbdcd402bb439bd3d487baaad63b68e95929265) (cherry picked from commit cca6f5eadb796b03379eb21f38c74ca46a64e45b) 2026-02-19T19:21:21Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-18T15:10:47Z urn:sha1:8755b5f3a590560996fb122abe22644d3be3836a PR: 293124 MFC after: 1 week Fixes: 792ef1ae7b94 ("Refactor fetch_connect() and fetch_bind() to improve readability and avoid repeating the same DNS lookups.") Reverts: 8f8a7f6fffd7 ("libfetch: apply timeout to SSL_read()") Reviewed by: eugen, imp Differential Revision: https://reviews.freebsd.org/D55293 (cherry picked from commit 73b82d1b0a2f09224e6d0f7a13dd73c66d740207) (insta-mfc requested by re@) (cherry picked from commit d97c824f5b4c9e7e3a1400699022cba146e450fa) 2026-02-12T21:24:34Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-07T14:24:40Z urn:sha1:53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298 * Drop the ssl_meth member, there is no reason to hang on to it. * Replace deprecated SSLv23_client_method() with TLS_client_method(). * Check the return value from SSL_CTX_new(). Approved by: re (cperciva) MFC after: 1 week PR: 292903 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55098 (cherry picked from commit 4e160c6197f75fda3d5d5997ce893087058cf718) (cherry picked from commit 4781aeb5b9cb564a53fee8128f6827402deaf9df) 2026-02-09T03:09:29Z Bojan Novković bnovkov@FreeBSD.org 2026-02-02T10:13:12Z urn:sha1:5d7d22588dada885d7d8e2db306aa6e0ac030ef1 Approved by: re (cperciva) Reviewed by: mhorne Sponsored by: Klara, Inc. Obtained from: Intel perfmon (JSON event definitions) Differential Revision: https://reviews.freebsd.org/D55081 MFC after: 2 days (cherry picked from commit a3ff85e11925ba1e25465c8ba633356f405f9214) (cherry picked from commit 625ed651833e76a439a7010aa28c93bc83013168) 2026-02-05T14:50:01Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-03T14:39:21Z urn:sha1:0018cfdb91c399342a0facd04dfe72cb689d86ea Mainly, avoid reusing the name of one of the functions we should be testing (but aren't) for local variables. Sponsored by: Klara, Inc. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55054 (cherry picked from commit d70b9eb74fc4aa430bd2ff4bca37e6a9b6c8004f) 2026-02-05T14:48:36Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-02T15:46:57Z urn:sha1:77dedead8539c76d1f452c2c0073ee13ed7cf54a POSIX states that dirfd() should set errno to EINVAL and return -1 if dirp does not refer to a valid directory stream. Our interpretation is that this applies if dirp is null or the file descriptor associated with it is negative. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55025 (cherry picked from commit 5074d5c9845e142883cdbb9ad212be66e57615d0) libc: Fix missing include Although not needed on FreeBSD due to namespace pollution, we should technically #include <stddef.h> to secure a definition of NULL. Fixes: 5074d5c9845e ("libc: Improve POSIX conformance of dirfd()") (cherry picked from commit 1c00d5a3b234ef937d848956027e9de5ea8010f9) 2026-02-05T14:48:36Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-02T15:46:53Z urn:sha1:b614c9893fa38771075d1f329763a0151b53b86d Fix style nits (mostly whitespace issues) and clean up the manual page. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55024 (cherry picked from commit 387ae6390534b6e9b48931840e7bc76eeb0b258d) 2026-02-05T14:48:34Z Dag-Erling Smørgrav des@FreeBSD.org 2025-07-09T20:34:22Z urn:sha1:98b041239c252d0c2433e5d412d74f90a235d0f2 Use either size_t or off_t (as appropriate) instead of long. Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D51210 (cherry picked from commit 42e613018da50ee6877d24815c7626d79629e707) readdir: Fix error check. Now that dd_size is unsigned, we need to check if the return value from getdirentries() was negative before assigning it to dd_size. While here, simplify the scandir_error test case slightly, and verify that calling readdir() again after EOF still returns NULL. Fixes: 42e613018da5 Sponsored by: Klara, Inc. Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D51266 (cherry picked from commit 920b2183919e430cf85c4aa1fa337bfded12aee5)