Build date: 1772146803 - Thu Feb 26 23:00:03 UTC 2026
Build cvs date: 1772138187 - Thu Feb 26 20:36:27 UTC 2026
Build id: 2026-02-27.1
Build tags: amd64-regress ports sysupgrade

Applied the following diff(s):
/home/anton/tmp/robsd/src-sys-em.diff
/home/anton/tmp/robsd/src-sys-uhidev-sispm.diff
/home/anton/tmp/robsd/src-sysupgrade.diff

P lib/libc/sys/pledge.2
P regress/sys/uvm/mmap_hint/mmap_hint.c
P sbin/unwind/parse.y
P sys/dev/acpi/acpidmar.c
P sys/dev/ic/re.c
P sys/dev/pci/if_ixl.c
M sys/dev/usb/uhidev.c
P sys/kern/kern_pledge.c
P sys/netinet/igmp.c
P sys/netinet/igmp_var.h
P sys/netinet/in.c
P sys/netinet6/in6.c
P sys/netinet6/mld6.c
P sys/netinet6/mld6_var.h
P sys/sys/pledge.h
P usr.bin/tmux/input.c
M usr.sbin/bgpd/session.c
P usr.sbin/httpd/server_http.c
P usr.sbin/rad/rad.c
P usr.sbin/rad/rad.conf.5
P usr.sbin/rad/rad.h

commit dD9nIMvm1K8nOdW0
Author: kettenis
Date: 2026/02/26 20:36:27

    Reserve the first MB of the DVA address space because qwx(4) doesn't
    succeed in doing DMA when the DVA is 0x1000 and PCI-PCI bridges may not
    forward address in part of that first MB as well.

    ok chris@

    sys/dev/acpi/acpidmar.c

commit e9zQnduASyARz0ek
Author: claudio
Date: 2026/02/26 19:49:41

    Error out on presence of Content-Length and Transfer-Encoding headers
    for GET, HEAD and other methods that should have no body.

    Ignoring the Content-Length header makes httpd vulnerable to HTTP
    request smuggling. A crafted GET request may embed an extra HTTP
    request which could bypass a proxy or WAF but then is handled by httpd.

    Remove the special case for TRACE and CONNECT in the Content-Length
    handling. Move those checks into the method switch at the end of the
    header parsing phase and by that also cover more methods including
    GET and HEAD. If either header is present simply abort the connection,
    nobody should send extra data along GET and HEAD requests.

    Add an explicit HTTP_METHOD_TRACE case above the default case to
    indicate that we deliberately don't handle TRACE requests.

    This security vulnerability was found by Nicola Staller of SySS GmbH.

    With and OK rsadowski@ previous version also OK florian@

    usr.sbin/httpd/server_http.c

commit eCK9N4nNgTard6fy
Author: brynet
Date: 2026/02/26 18:57:35

    Fix checking of RL_FLAG_PCIE and accidental clobbering of sc->rl_flags

    confirmed by sthen and kettenis@ "please apply that fix"

    sys/dev/ic/re.c

commit pqceev0V15SlfQHx
Author: jcs
Date: 2026/02/26 18:46:57

    enable forced resolvers that aren't in a preference block

    allows a config such as:

        preference { autoconf }
        forwarder { 127.0.0.1 port 5300 }
        force forwarder { local }

    also fix a typo while i'm here

    ok florian

    sbin/unwind/parse.y

commit cKjhDWmEcxU8OBmp
Author: cludwig
Date: 2026/02/26 14:05:25

    regress/mmap: Test hints in VM-area edge cases

    Test mmap(2) with hint above VM_MAXUSER_ADDRESS without MAP_FIXED.
    This tests uvm_map.c,v 1.355. Also test the lower boundary below
    PAGE_SIZE.

    ok kettenis@

    regress/sys/uvm/mmap_hint/mmap_hint.c

commit jGT51xG5M887azCe
Author: nicm
Date: 2026/02/26 11:01:48

    Do not free buffer after adding to paste (since it now owns it).

    usr.bin/tmux/input.c

commit dQzixpwoMTKnwEEo
Author: mvs
Date: 2026/02/26 09:45:39

    Enable 64-bit DMA transfers on the PCIe variants of re(4) cards.

    ok kettenis

    sys/dev/ic/re.c

commit vhzipJqkzAK87p5z
Author: deraadt
Date: 2026/02/26 07:44:18

    Improve the discussion about "tmppath"
    feedback from various people based upon my first attempts.

    lib/libc/sys/pledge.2

commit 2277yDAF7OZvFDbp
Author: deraadt
Date: 2026/02/26 07:42:26

    pledge "tmppath" goes away because it sucks.

    The history is kind of sad: unveil(2) was invented by Bob Beck and
    myself because a couple of us struggled and couldn't expand the
    "tmppath" mechanism to general use. unveil(2) ended up being kind of
    "upside down" different, and so we never deleted "tmppath" because the
    refactorings seemed complicated.

    However over the last two weeks, we've removed all the "tmppath" in
    base pretty easily, and the 18 ports using it have also been fixed.
    The majority of situations now use unveil "/tmp" "rwc", unveil "/" "r"
    or similar, and then pledge "rpath wpath cpath", and this is generally
    needed to satisfy the mkstemp(3) family of functions in libc.

    Use of "tmppath" will now cause pledge(2) to return EINVAL. There is
    no backwards compatible way to mimic the behaviour correctly using
    kernel-internal unveil hackery.

    Prompted by a report from David Leadbeater; and extensive
    conversations with beck and semarie.

    lib/libc/sys/pledge.2
    sys/kern/kern_pledge.c
    sys/sys/pledge.h

commit tJNxVhPTLmOFn0jm
Author: florian
Date: 2026/02/26 07:17:50

    Update various lifetimes.

    This raises the router, dns and nat64 lifetimes from 30 minutes to 60
    minutes and lowers the prefix valid lifetime from 90 minutes to 60
    minutes.

    This brings us in line with the values of draft-ietf-6man-slaac-renum
    which is going to be published soon.

    Aligning all these lifetimes to a single value (60 minutes) makes
    sense because the information is transmitted in one router
    advertisement packet. It does not make sense for one piece of
    information to time out before another.

    OK phessler

    usr.sbin/rad/rad.c
    usr.sbin/rad/rad.conf.5
    usr.sbin/rad/rad.h

commit AJzBhwv3rnzcKzzr
Author: bluhm
Date: 2026/02/26 00:53:18

    Call igmp_sendpkt() and mld6_sendpkt() with pktinfo argument.

    Gather all information needed to send an IGMP or MLD6 packet in a
    struct pktinfo. This allows splitting access to multicast data
    structures from sending packets. Then adding locks to multicast will
    be easier.

    OK mvs@

    sys/netinet/igmp.c
    sys/netinet/igmp_var.h
    sys/netinet/in.c
    sys/netinet6/in6.c
    sys/netinet6/mld6.c
    sys/netinet6/mld6_var.h

commit b7PcHW185F624hSR
Author: bluhm
Date: 2026/02/25 23:40:49

    ixl(4) can handle 64 bit DMA transfers.

    OK kettenis@ jmatthew@

    sys/dev/pci/if_ixl.c