FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They did not add client support.
We removed the client support in commit bffe60ead0 ("ssh: retire
client VersionAddendum").
As of the 10.0p2 release upstream has added client-side VersionAddendum.
Make note of this in FREEBSD-upgrade's patches section.
Sponsored by: The FreeBSD Foundation
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
Security
- sshd(8): fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.
[This change was previously merged to FreeBSD main.]
New features
- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
used by default for key agreement.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
The Systembase SB16C1054 and SB16C1058 are PCI quad- and octal-UART
complexes, based on multiple Systembase SB16C1050 cores, which appear to
be compatible with the NS8250 family (except for the "enable interrupts"
bit in the other BAR).
The SB16C105x family are one of two families of PCIe UART complexes on
cards by StarTech.com, such as the PEX4S1050 and PEX8S1050. (Other
StarTech.com serial offerings use the ASIX AX99100 or ASIX MCS990x.)
This is derived from the NetBSD driver.
Reviewed by: imp
Tested by: Jashank Jeremy <jashank@rulingia.com.au>
Obtained from: Jashank Jeremy <jashank@rulingia.com.au>
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52150
etc/mail/Makefile includes bsd.own.mk, which includes bsd.compiler.mk,
which fails with an error if it can't locate a C compiler. Set
_WITHOUT_SRCCONF=yes before including bsd.own.mk to disable this
behaviour.
Reviewed by: gshapiro
Differential Revision: https://reviews.freebsd.org/D52134
Fix potential crash in the ng_nat module when attaching directly
to the layer 2 (ethernet) while calculating TCP checksum.
The issue is due to in_delayed_cksum() expecting to access IP
header at the offset 0 from the mbuf start, while if we are
attached to the L2 directly, the IP header is going to be at a
certain offset.
Reviewed by: markj, tuexen
Approved by: tuexen
Sponsored by: Sippy Software, Inc.
Differential Revision: https://reviews.freebsd.org/D49677
MFC After: 2 weeks
The need for such a variant comes from the fact that we need to
re-calculate checksum after ng_nat(4) transformations while getting
mbufs from the layer 2 (ethernet) directly.
Reviewed by: markj, tuexen
Approved by: tuexen
Sponsored by: Sippy Software, Inc.
Differential Revision: https://reviews.freebsd.org/D49677
MFC After: 2 weeks
When actual_pages is -1, calling vm_page_unhold_pages will loop
forever. We don't actually need to loop. In fact, it will either be -1
or the right number of pages: we never return a partial allocation. It
might be more proper to assert this, but since this is contrib code,
make a minimal change to avoid the infinite loop.
Sponsored by: Netflix
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D52154
The exports.5 man page is a bit of a monster.
One place of common confusion is the use of
the "V4:" line(s) for defining the location of the
root of the NFSv4 export subtree.
This patch adds a paragraph in an attempt to
clarify this.
This is a content change.
Reviewed by: kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D52141
The sysdecode_syscallname function was accidentally documented as being
plural. Move it to reflect its actual name, and adjust all references.
PR: 278383
Reviewed by: ziaee
Differential Revision: https://reviews.freebsd.org/D51002
Avoid implicitly converting a potentially negative page offset
to size_t and then back to int. While this was not a bug and the end
result was portably correct, Alexander Ziaee@ privately reported to me
that the GCC 14 in the FreeBSD Jenkins CI felt uneasy about it.
For clarity and readability, rewrite the truncation statement
to not mix signed and unsigned types, to not use explicit casts,
and make handling of the lower and upper cutoff more similar
to each other.
Fixes: 6410c1b51637 (mandoc: vendor import of upstream at 2025-07-27)
MFC after: 3 days
Reported by: ivy
Reviewed by: ivy
Differential Revision: https://reviews.freebsd.org/D52127
Mask all interrupts coming from the AMD GPIO controller and service any
potential interrupts. Unserviced interrupts can block entry to S0i3 on
certain AMD CPUs.
Reviewed by: aokblast, mckusick (mentor)
Approved by: aokblast, mckusick (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51588
When asking for IFF_PROMISC when modifying interfaces with netlink, set
permanent flag instead (IFF_PPROMISC) as netlink interface modification
has no way of doing promiscuity reference counting through ifpromisc().
We can't do reference counting because every netlink interface
modification necessarily either sets or unsets IFF_PROMISC in ifi_flags,
and ifi_change is usually set to 0xFFFFFFFF.
This logic was the same between this and SIOCSIFFLAGS, so factor out
if_setppromisc() function.
Reviewed by: melifaro, saheed, kp, mckusick (mentor)
Approved by: melifaro, saheed, mckusick (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52056
Print out error message if setting MTU fails when modifying interface
using netlink.
Reviewed by: saheed, melifaro, mckusick (mentor)
Approved by: saheed, melifaro, mckusick (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52132
Fix list-old-dirs to not generate empty line at the end of the
output if OLD_DIRS happens to have a space at the end of the
last word of the output before the final \n. Then that space
is turned into \n and we end up with a blank line.
Furthermore this gets converted into a "/" i.e. root fs when
calling check-old-dirs.
This is the regression since a8267ecc3d.
Reviewed by: emaste
Approved by: emaste
Sponsored by: Sippy Software, Inc.
Differential Revision: https://reviews.freebsd.org/D52153
MFC After: 3 days
Until now, the untrusted directory has been maintained manually. Modify
the script used to maintain the trusted directory so it can handle both.
While here, clean it up a bit.
MFC after: 1 week
Reviewed by: mandree, markj
Differential Revision: https://reviews.freebsd.org/D51774
IFF_UP could previously only be unset via RTM_NEWLINK. Requests to set
IFF_UP, though they succeeded, did not actually set the flag.
Reviewed by: obiwac, kp, mckusick (mentor)
Approved by: obiwac, kp, mckusick (mentor)
Sponsored by: Google LLC (GSoC)
Differential Revision: https://reviews.freebsd.org/D51871
- Bump the library version.
- Don't load the legacy provider. It is no longer enabled by default
and looks like kdc doesn't actually need it.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D52114
The Intel 6300ESB watchdog is a special ICH-based watchdog device with a
different interface.
QEMU implements this watchdog for x86 systems.
This change enables watchdog mode (rather than free-running mode) and
introduces 1 sysctl:
- hw.i6300esbwd.0.locked: locks the watchdog register after the event is
triggered, preventing it from being disabled until a hard reset.
This feature has been tested on a Vultr AMD guest machine and local qemu
machine.
PR: 259673
Approved by: markj (mentor), lwhsu (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52049
If the user specified a prefix length with either the internal or
external prefix, we'd jump to check_prefix where we'd dereference p
which was most likely uninitialized.
Instead, store the various prefix lengths separately and check them
all after the loop.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D50597
Multicast filter updates are done at different times and either
triggered by net80211/if code or within LinuxKPI.
Keep the setting and address list and update that (only) if triggered
from net80211. Otherwise we will (depending on state) just update
additional flags.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Hook into net80211's (*iv_recv_mgmt)() callback so we can track
beacons. This is mostly for us to know if we have seen any after
assoc or for further debugging when we run into beacon/connection loss
based on a firmware/driver event.
Also set/reset dtim_period depending on state and beacon/probe response
so that the value available to the driver reflects reality.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
During initial LinuxKPI 802.11 bringup looking at the usage in one
driver I started using hw_value as an equivalent for ic_ieee.
That is not correct. Remove all usage but logging of hw_value
from LinuxKPI 802.11 code and leave the field to the drivers.
We have to go through some hoops to get the needed ic_ieee value
but so be it. At some point we may want to clear this up in
net80211 (especially given we'll have to handle more per-band data
in the future).
Sponsored by: The FreeBSD Foundation
MFC after: 3 days