<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch releng/13.5</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-04-30T21:21:13+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-30T21:14:06+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2e6399fe39b3497c7d949b905025082232418793'/>
<id>2e6399fe39b3497c7d949b905025082232418793</id>
<content type='text'>
Approved by:	so
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
</pre>
</div>
</content>
</entry>
<entry>
<title>dhclient: Improve server and filename validation</title>
<updated>2026-04-30T21:20:57+00:00</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-30T16:45:35+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=b362b6b6c8f28c1ff545bf7c6cdd09388879d1d8'/>
<id>b362b6b6c8f28c1ff545bf7c6cdd09388879d1d8</id>
<content type='text'>
* Don't iterate over each string three times; once is enough.

* Reject control characters (anything below space) in addition to the
  double quote and backslash.

* If an unsafe character is encountered, discard the string instead of
  rejecting the entire lease.

* If backslashes are encountered in the file name option, convert them
  to forward slashes instead of rejecting the option.

* Tweak the warning messages a bit.  Looking through the rest of the
  code, it seems to me that notes generally end with a period while
  warnings generally don't.

Approved by:	so
Security:	FreeBSD-EN-26:11.dhclient
Fixes:		8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options")
PR:		294886
MFC after:	1 week
Reviewed by:	brooks, markj
Differential Revision:	https://reviews.freebsd.org/D56740

(cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0)
(cherry picked from commit b1ece85741db0db60ce68daca564f03dc711fe30)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* Don't iterate over each string three times; once is enough.

* Reject control characters (anything below space) in addition to the
  double quote and backslash.

* If an unsafe character is encountered, discard the string instead of
  rejecting the entire lease.

* If backslashes are encountered in the file name option, convert them
  to forward slashes instead of rejecting the option.

* Tweak the warning messages a bit.  Looking through the rest of the
  code, it seems to me that notes generally end with a period while
  warnings generally don't.

Approved by:	so
Security:	FreeBSD-EN-26:11.dhclient
Fixes:		8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options")
PR:		294886
MFC after:	1 week
Reviewed by:	brooks, markj
Differential Revision:	https://reviews.freebsd.org/D56740

(cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0)
(cherry picked from commit b1ece85741db0db60ce68daca564f03dc711fe30)
</pre>
</div>
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-28T20:31:11+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=bf0db64e038118d5fe6071b1910743790484755e'/>
<id>bf0db64e038118d5fe6071b1910743790484755e</id>
<content type='text'>
Approved by:	so
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
</pre>
</div>
</content>
</entry>
<entry>
<title>libnv: fix heap overflow in nvlist_recv()</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:36:09+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f7f48005fbe256e3af42db3cc5ad33b140050f03'/>
<id>f7f48005fbe256e3af42db3cc5ad33b140050f03</id>
<content type='text'>
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. An mallicous user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the orginall value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. An mallicous user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the orginall value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
</pre>
</div>
</content>
</entry>
<entry>
<title>libnv: switch fd_wait() from select(2) to poll(2)</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:35:10+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=32d12677ff45da6b3152803430990997c3f218b1'/>
<id>32d12677ff45da6b3152803430990997c3f218b1</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</pre>
</div>
</content>
</entry>
<entry>
<title>pf: improve SCTP validation</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2026-04-26T09:34:55+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=0ab05345fb408b70f37a6b1c522ef3e084fc5f58'/>
<id>0ab05345fb408b70f37a6b1c522ef3e084fc5f58</id>
<content type='text'>
As per RFC5061 "4.2.  New Parameter Types" the add/delete IP address
parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK
chunk. They are only allowed to be present in an ASCONF chunk.

This also prevents unbounded recursion while parsing an SCTP packet.

Approved by:	so
Security:	FreeBSD-SA-26:14.pf
Security:	CVE-2026-7164
PR:		294799
Reported by:	Igor Gabriel Sousa e Souza
MFC after:	3 days
Sponsored by:	Orange Business Services
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As per RFC5061 "4.2.  New Parameter Types" the add/delete IP address
parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK
chunk. They are only allowed to be present in an ASCONF chunk.

This also prevents unbounded recursion while parsing an SCTP packet.

Approved by:	so
Security:	FreeBSD-SA-26:14.pf
Security:	CVE-2026-7164
PR:		294799
Reported by:	Igor Gabriel Sousa e Souza
MFC after:	3 days
Sponsored by:	Orange Business Services
</pre>
</div>
</content>
</entry>
<entry>
<title>dhclient: Fix reallocation of dhclient script environments</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:56:21+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=5a5e7883a3bb85cbdcf9e2fc0f40b0a391659c30'/>
<id>5a5e7883a3bb85cbdcf9e2fc0f40b0a391659c30</id>
<content type='text'>
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:	so
Security:	FreeBSD-SA-26:15.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:	so
Security:	FreeBSD-SA-26:15.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</pre>
</div>
</content>
</entry>
<entry>
<title>dhclient: Check for unexpected characters in some DHCP server options</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:03:09+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=a2d45189b9eec1ebf33f4ee844c4098c2f345447'/>
<id>a2d45189b9eec1ebf33f4ee844c4098c2f345447</id>
<content type='text'>
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations.  We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.

Approved by:	so
Security:	FreeBSD-SA-26:12.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations.  We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.

Approved by:	so
Security:	FreeBSD-SA-26:12.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</pre>
</div>
</content>
</entry>
<entry>
<title>execve: Fix an operator precedence bug</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-22T17:58:35+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=7c5c37ac8f8fe9228e3f97b3876da3701a89b139'/>
<id>7c5c37ac8f8fe9228e3f97b3876da3701a89b139</id>
<content type='text'>
The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.

Approved by:	so
Security:	FreeBSD-SA-26:13.exec
Security:	CVE-2026-7270
Reported by:	Ryan Austin of Calif.io
Reviewed by:	brooks, kib
Fixes:		f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
Differential Revision:	https://reviews.freebsd.org/D56665
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.

Approved by:	so
Security:	FreeBSD-SA-26:13.exec
Security:	CVE-2026-7270
Reported by:	Ryan Austin of Calif.io
Reviewed by:	brooks, kib
Fixes:		f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
Differential Revision:	https://reviews.freebsd.org/D56665
</pre>
</div>
</content>
</entry>
<entry>
<title>contrib/tzdata: import tzdata 2025c, 2026a and 2026b</title>
<updated>2026-04-28T20:32:11+00:00</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2026-04-27T05:00:43+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f7e6b9f128e3054f3c14263b79da4d65bb4f4003'/>
<id>f7e6b9f128e3054f3c14263b79da4d65bb4f4003</id>
<content type='text'>
Changes: https://github.com/eggert/tz/blob/2025c/NEWS
Changes: https://github.com/eggert/tz/blob/2026a/NEWS
Changes: https://github.com/eggert/tz/blob/2026b/NEWS

Approved by:	so
Security:	FreeBSD-EN-26:09.tzdata

(cherry picked from commit a86dc94b84d177da8f00d1c9420ef0860576e4c4)
(cherry picked from commit c7edaaf43fe894f4915e05dc11295c0ad4d31a3f)
(cherry picked from commit 6becc3dff922476d667c15f029e520da496d4295)
(cherry picked from commit c0b2aff48ff3fa1b0176003fb0f0dedd9e6cb2dc)
(cherry picked from commit 9b95cab0a2927dfe07dbe6dc0056a80d5c730414)
(cherry picked from commit 18787e4ae2bc909637f61856819c317493b6b5a8)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Changes: https://github.com/eggert/tz/blob/2025c/NEWS
Changes: https://github.com/eggert/tz/blob/2026a/NEWS
Changes: https://github.com/eggert/tz/blob/2026b/NEWS

Approved by:	so
Security:	FreeBSD-EN-26:09.tzdata

(cherry picked from commit a86dc94b84d177da8f00d1c9420ef0860576e4c4)
(cherry picked from commit c7edaaf43fe894f4915e05dc11295c0ad4d31a3f)
(cherry picked from commit 6becc3dff922476d667c15f029e520da496d4295)
(cherry picked from commit c0b2aff48ff3fa1b0176003fb0f0dedd9e6cb2dc)
(cherry picked from commit 9b95cab0a2927dfe07dbe6dc0056a80d5c730414)
(cherry picked from commit 18787e4ae2bc909637f61856819c317493b6b5a8)
</pre>
</div>
</content>
</entry>
</feed>
