<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/secure, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-05-14T18:59:30Z</updated>
<entry>
<title>OpenSSH: Update to 10.3p1</title>
<updated>2026-05-14T18:59:30Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-14T18:59:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2574974648c68c738aec3ff96644d888d7913a37'/>
<id>urn:sha1:2574974648c68c738aec3ff96644d888d7913a37</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.3

Selected highlights from the release notes:

 * ssh(1), sshd(8): remove bug compatibility for implementations
   that don't support rekeying. If such an implementation tries to
   interoperate with OpenSSH, it will now eventually fail when the
   transport needs rekeying.

 * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
   forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
   names is advertised via the EXT_INFO message. If a server offers
   support for the new names, then they are used preferentially.

 * ssh(1): add a ~I escape option that shows information about the
   current SSH connection.

 * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
   applied to login attempts for usernames that do not match real
   accounts. Defaults to 5s to match 'authfail' but allows
   administrators to block such attempts for longer if desired.

 * Support the ed25519 signature scheme via libcrypto.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
</content>
</entry>
<entry>
<title>OpenSSH: Update to 10.1p1</title>
<updated>2026-05-12T20:24:10Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-12T20:24:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=644b4646c7acab87dc20d4e5dd53d2d9da152989'/>
<id>urn:sha1:644b4646c7acab87dc20d4e5dd53d2d9da152989</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.1

Selected highlights from the release notes:

Potentially-incompatible changes

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
   keywords in the IPQoS configuration directive.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

Security

 * ssh(1): disallow control characters in usernames passed via the
   commandline or expanded using %-sequences from the configuration
   file, and disallow \0 characters in ssh:// URIs.

New features

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>caroot: Regenerate</title>
<updated>2026-04-27T09:33:09Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-27T09:32:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=07b52233e8b74c5ac884b9c9a894f57fad8dbd00'/>
<id>urn:sha1:07b52233e8b74c5ac884b9c9a894f57fad8dbd00</id>
<content type='text'>
Regenerate using certificate data from NSS 3.123.1.

MFC after:	1 week
Reviewed by:	kevans
</content>
</entry>
<entry>
<title>caroot: Clean up</title>
<updated>2026-04-27T09:33:09Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-27T09:32:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ce33d6396aadb0613f1e74661bdbec571f836a60'/>
<id>urn:sha1:ce33d6396aadb0613f1e74661bdbec571f836a60</id>
<content type='text'>
* Get certdata.txt directly from the NSS Mercurial repository, rather
  than from the Mozilla Firefox repository which imports it from NSS at
  irregular intervals.

* Instead of always fetching the latest certdata.txt, fetch a specific
  version.  For this commit, we set this to the version that was last
  imported in May 2025.

* Add a reference to the MPL to the generated files.

* Regenerate with latest OpenSSL.  This is purely cosmetic; mostly, the
  certificate names now contain less unnecessary whitespace and some
  elements are quoted.

MFC after:	1 week
Reviewed by:	michaelo, kevans
Differential Revision:	https://reviews.freebsd.org/D56620
</content>
</entry>
<entry>
<title>OpenSSL: move `-DOPENSSL_PIC` from `PIC_FLAG` to `SHARED_CFLAGS`</title>
<updated>2026-04-22T20:34:25Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-21T23:46:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=48d6db4932c8ec04ca3df79119803f8c7c1570d7'/>
<id>urn:sha1:48d6db4932c8ec04ca3df79119803f8c7c1570d7</id>
<content type='text'>
`PIC_FLAG` should be used strictly for `-fPIC`, `-fpic`, etc., options.
`SHARED_CFLAGS` is the more appropriate place for this flag to be set.

Requested by:	jrtc27
MFC after:	3 days
MFC with:	3797fe720a
</content>
</entry>
<entry>
<title>[OpenSSL] Add missing header file (openssl/ml_kem.h)</title>
<updated>2026-04-12T18:07:24Z</updated>
<author>
<name>Po-Chuan Hsieh</name>
<email>sunpoet@FreeBSD.org</email>
</author>
<published>2026-04-12T18:07:14Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=98118af4f08a020c8c5925e933bdd523d6a6e8aa'/>
<id>urn:sha1:98118af4f08a020c8c5925e933bdd523d6a6e8aa</id>
<content type='text'>
Add missing header file (openssl/ml_kem.h) of OpenSSL 3.5

Reviewed by:	fluffy, ngie
Approved by:	ngie (maintainer)
Differential Revision:	https://reviews.freebsd.org/D56291
</content>
</entry>
<entry>
<title>crypto/openssl: add new manpage from release 3.5.6</title>
<updated>2026-04-09T02:00:10Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T02:00:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9f7080ba6bcf18d013ae3b91dc9d92cfa731a8c0'/>
<id>urn:sha1:9f7080ba6bcf18d013ae3b91dc9d92cfa731a8c0</id>
<content type='text'>
MFC after:      1 day (the security issues warrant a quick backport).
MFC with:       10a428653ee7216475f1ddce3fb4cbf1200319f8
</content>
</entry>
<entry>
<title>crypto/openssl: update artifacts to match 3.5.6 release artifacts</title>
<updated>2026-04-09T01:55:43Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T01:54:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5254e16213ff1bb136ef24e0b0fe30625ac53563'/>
<id>urn:sha1:5254e16213ff1bb136ef24e0b0fe30625ac53563</id>
<content type='text'>
A new manpage and any associated links will be added in the next commit.

MFC after:      1 day (the security issues warrant a quick backport).
MFC with:	10a428653ee7216475f1ddce3fb4cbf1200319f8
</content>
</entry>
<entry>
<title>libcrypto: compile all PIC objects with -DOPENSSL_PIC -fPIC</title>
<updated>2026-03-22T01:38:49Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-03-22T00:39:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3797fe720a37ff9fb5b20546494ef1c4a6c01541'/>
<id>urn:sha1:3797fe720a37ff9fb5b20546494ef1c4a6c01541</id>
<content type='text'>
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC -fPIC` to restore parity with the upstream build process.
This ensures that the legacy provider is built with parity to the
upstream legacy provider.

MFC after:              12 days
Tested with:		`make check` (legacy provider), `make universe`
Fixes:			14b9955e
Differential Revision:  https://reviews.freebsd.org/D44896
</content>
</entry>
<entry>
<title>Revert "libcrypto: compile all PIC objects with -DOPENSSL_PIC"</title>
<updated>2026-03-20T20:12:26Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-03-20T20:08:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=67b918e03475e780854a43fe4eb7c8e95f4deb29'/>
<id>urn:sha1:67b918e03475e780854a43fe4eb7c8e95f4deb29</id>
<content type='text'>
This commit broke the build with some build options.

Some validation needs to be done to confirm that moving the preprocessor
argument to `secure/lib/libcrypto/Makefile.inc` works without breaking
the build, but revert for now until a `tinderbox` run can be done with
the change.

PR:		293934
Reported by:	Jenkins, Trond Endrestøl

This reverts commit 14b9955e57cc28b61e785165b9effcbe620edb46.
</content>
</entry>
</feed>
