Diffstat (limited to 'Mk')
-rw-r--r--Mk/Features/bind_now.mk5
-rw-r--r--Mk/Features/fortify.mk18
-rw-r--r--Mk/Features/pie.mk9
-rw-r--r--Mk/Features/relro.mk5
-rw-r--r--Mk/Features/ssp.mk8
-rw-r--r--Mk/Features/stack_autoinit.mk23
-rw-r--r--Mk/Features/zeroregs.mk28
-rw-r--r--Mk/Uses/kde.mk3
-rw-r--r--Mk/Uses/linux.mk6
-rw-r--r--Mk/Uses/nodejs.mk10
-rw-r--r--Mk/Uses/python.mk4
-rw-r--r--Mk/bsd.default-versions.mk8
-rw-r--r--Mk/bsd.port.mk3
13 files changed, 113 insertions, 17 deletions
diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk
index 99361c487265..5f4b6abf3718 100644
--- a/Mk/Features/bind_now.mk
+++ b/Mk/Features/bind_now.mk
@@ -1,4 +1,9 @@
# BIND_NOW Support
+#
+# When generating an executable or shared library, mark it to tell the dynamic
+# linker to resolve all symbols when the program is started, or when the shared
+# library is loaded by dlopen, instead of deferring function call resolution to
+# the point when the function is first called.
.if !defined(_BIND_NOW_MK_INCLUDED)
_BIND_NOW_MK_INCLUDED= yes
diff --git a/Mk/Features/fortify.mk b/Mk/Features/fortify.mk
new file mode 100644
index 000000000000..2e43ca98242f
--- /dev/null
+++ b/Mk/Features/fortify.mk
@@ -0,0 +1,18 @@
+# This enables mitigations of common memory safety issues, such as buffer
+# overflows, by adding checks to functions like memcpy, strcpy, sprintf,
+# and others when the compiler can determine the size of the destination
+# buffer at compile time.
+#
+# Depends opon the FORTIFY_SOURCE implementation in the basesystem.
+
+.if !defined(_FORTIFY_MK_INCLUDED)
+_FORTIFY_MK_INCLUDED= yes
+FORTIFY_Include_MAINTAINER= netchild@FreeBSD.org
+
+. if !defined(FORTIFY_UNSAFE)
+FORTIFY_SOURCE?=2
+FORTIFY_CFLAGS?= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CFLAGS+= ${FORTIFY_CFLAGS}
+CXXFLAGS+= ${FORTIFY_CFLAGS}
+. endif
+.endif
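Review bot: The new file documents neither of its knobs, while the sibling stack_autoinit.mk and zeroregs.mk hunks on this page each carry a "Variables that can be used:" block; FORTIFY_SOURCE (the level passed to -D_FORTIFY_SOURCE, default 2) and FORTIFY_UNSAFE (per-port opt-out) deserve the same two lines in the header. The header also has a typo at line 46, `# Depends upon the FORTIFY_SOURCE implementation in the basesystem.` It is worth stating in that header that the checks are driven by __builtin_object_size and are therefore largely inert in a port that builds without optimization, so an -O0 build silently gets no coverage; please confirm that against the base implementation before wording it as fact.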
diff --git a/Mk/Features/pie.mk b/Mk/Features/pie.mk
index 06174b403c31..7ecefa9eb611 100644
--- a/Mk/Features/pie.mk
+++ b/Mk/Features/pie.mk
@@ -1,4 +1,13 @@
# PIE Support
+#
+# Produce a Position-Independent Executable (PIE) instead of a “normal”
+# fixed‐address ELF.
+# A PIE is an executable whose code sections are compiled and linked so that,
+# at runtime, they can be loaded at any base address in memory.
+#
+# Because it can be loaded at unpredictable addresses, PIE enables full Address
+# Space Layout Randomization (ASLR) for your main executable—making certain
+# classes of memory‐corruption exploits much harder.
.if !defined(_PIE_MK_INCLUDED)
_PIE_MK_INCLUDED= yes
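Review bot: The added comment uses typographic quotes, a Unicode hyphen and an em dash (“normal”, fixed‐address, executable—making) and the ssp.mk hunk does the same (“stack smashing”, “canary”, hasn’t); every other comment in the Mk files on this page is plain ASCII, and non-ASCII in make comments is an easy way to get mojibake in terminals and diff tooling. Replace them with ASCII, e.g. `# Produce a Position-Independent Executable (PIE) instead of a "normal"` / `# fixed-address ELF.` and the same for the ssp.mk lines. One wording point for ssp.mk: the comment describes -fstack-protector-strong specifically, but the hunk shows only the include guard; if the flag actually set further down the file is a different level, the comment should name that flag instead.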
diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk
index 6ceb68d5d668..8074ce09edd7 100644
--- a/Mk/Features/relro.mk
+++ b/Mk/Features/relro.mk
@@ -1,4 +1,9 @@
# RELRO Support
+#
+# Tells the linker to emit RELocation Read-Only (RELRO) protection for certain
+# sections of your ELF file. In short, it makes parts of the binary read-only
+# after relocations have been applied at program startup, helping to prevent
+# GOT- and PLT-based overwrite attacks.
.if !defined(_RELRO_MK_INCLUDED)
_RELRO_MK_INCLUDED= yes
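Review bot: The new comment overstates what RELRO gives on its own: with lazy binding the dynamic linker must still write .got.plt entries on first call, so those stay writable, and the GOT becomes fully read-only only when RELRO is combined with -z now (the behaviour the bind_now.mk hunk on this page describes). I'd append after line 86: `# Note: the GOT is only fully read-only when combined with BIND_NOW; without` / `# it the lazy-binding part (.got.plt) remains writable after startup.` The part of relro.mk that sets the linker flag is outside the hunk, so I cannot tell whether it already pulls in the bind_now feature.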
diff --git a/Mk/Features/ssp.mk b/Mk/Features/ssp.mk
index 4213e6d668a6..631104da9f6c 100644
--- a/Mk/Features/ssp.mk
+++ b/Mk/Features/ssp.mk
@@ -1,4 +1,12 @@
# SSP Support
+#
+# The -fstack-protector-strong flag enables “stack smashing” protection on a
+# wider set of functions than the default -fstack-protector, but without the
+# full performance cost of -fstack-protector-all. Under the hood it inserts a
+# small “canary” value on the stack just before the saved return address; at
+# function exit it checks that the canary hasn’t been overwritten by a buffer
+# overflow. If it has been clobbered, the runtime aborts the program rather
+# than returning into corrupted code.
.if !defined(_SSP_MK_INCLUDED)
_SSP_MK_INCLUDED= yes
diff --git a/Mk/Features/stack_autoinit.mk b/Mk/Features/stack_autoinit.mk
new file mode 100644
index 000000000000..4d79416dbcce
--- /dev/null
+++ b/Mk/Features/stack_autoinit.mk
@@ -0,0 +1,23 @@
+# The STACK_AUTOINIT feature mimics the corresponding FreeBSD basesystem feature.
+#
+# This enables a compiler specific option to automatically initialize
+# local (automatic) variables to prevent the use of uninitialized memory.
+#
+# Variables that can be used:
+#
+# WITH_STACK_AUTOINIT Enable for all ports.
+# WITH_STACK_AUTOINIT_PORTS Enable for specified category/port-name
+# STACK_AUTOINIT_TYPE Valid options: zero (default), pattern, unitialized
+#
+
+.if !defined(_STACK_AUTOINIT_MK_INCLUDED)
+_STACK_AUTOINIT_MK_INCLUDED= yes
+STACK_AUTOINIT_Include_MAINTAINER= netchild@FreeBSD.org
+
+STACK_AUTOINIT_TYPE?= zero
+
+. if !defined(STATIC_AUTOINIT_UNSAFE)
+CFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+CXXFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+. endif
+.endif
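Review bot: The opt-out guard at line 129 tests `STATIC_AUTOINIT_UNSAFE`, but every other name in this file and the matching knobs in fortify.mk and zeroregs.mk use the feature prefix, so a port setting STACK_AUTOINIT_UNSAFE=yes would still get the flag; it should read `. if !defined(STACK_AUTOINIT_UNSAFE)`. The header at line 120 also misspells the third option, `# STACK_AUTOINIT_TYPE Valid options: zero (default), pattern, uninitialized`. Since STACK_AUTOINIT_TYPE is user-settable and goes straight into -ftrivial-auto-var-init, a typo there only surfaces as a compiler error deep in the build; nodejs.mk on this page validates NODEJS_DEFAULT against a list and sets IGNORE, and the same shape fits here, placed before the CFLAGS lines.
```make
STACK_AUTOINIT_TYPE?=	zero
_VALID_STACK_AUTOINIT_TYPES=	zero pattern uninitialized

. if ! ${_VALID_STACK_AUTOINIT_TYPES:M${STACK_AUTOINIT_TYPE}}
IGNORE=	Invalid STACK_AUTOINIT_TYPE ${STACK_AUTOINIT_TYPE}; valid types are ${_VALID_STACK_AUTOINIT_TYPES}
. endif
# ... unchanged: STACK_AUTOINIT_UNSAFE guard and CFLAGS/CXXFLAGS lines ...
```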
diff --git a/Mk/Features/zeroregs.mk b/Mk/Features/zeroregs.mk
new file mode 100644
index 000000000000..2e21b16c5c66
--- /dev/null
+++ b/Mk/Features/zeroregs.mk
@@ -0,0 +1,28 @@
+# Zero call-used registers at function return to increase program
+# security by either mitigating Return-Oriented Programming (ROP)
+# attacks or preventing information leakage through registers.
+# This depends upon support from the compiler for a given architecture.
+#
+# Variables that can be used:
+#
+# WITH_ZEROREGS Enable for all ports.
+# WITH_ZEROREGS_PORTS Enable for specified category/port-name
+# ZEROREGS_TYPE See
+# https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-zero_005fcall_005fused_005fregs-function-attribute
+# for options
+# Default: used
+#
+
+.if !defined(_ZEROREGS_MK_INCLUDED)
+_ZEROREGS_MK_INCLUDED= yes
+ZEROREGS_Include_MAINTAINER= netchild@FreeBSD.org
+
+ZEROREGS_TYPE?= used
+
+#. if !defined(ZEROREGS_UNSAFE) && !empty(${ARCH:Mriscv*}) && \
+# !empty(${ARCH:Mpower*}) && !empty(${ARCH:Marmv7*})
+CFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+#. endif
+.endif
+
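Review bot: The ZEROREGS_UNSAFE opt-out is commented out at lines 161-162 and 165, so the -fzero-call-used-regs flag is appended unconditionally; the `ZEROREGS_UNSAFE= yes` that the python.mk hunk on this page adds therefore has no effect, and every port on every architecture gets the flag regardless of compiler support. The draft condition also cannot work as written: `!empty(...) && !empty(...) && !empty(...)` over mutually exclusive ARCH patterns is never true, and bmake's empty() takes a bare variable name (as bsd.default-versions.mk does with `empty(ARCH:Naarch64:...)` on this page), not an already-expanded `${ARCH:M...}`. If the intent is to skip the architectures the compiler does not support, the guard should be `. if !defined(ZEROREGS_UNSAFE) && empty(ARCH:Mriscv*) && empty(ARCH:Mpower*) && empty(ARCH:Marmv7*)` with the matching `. endif` restored at line 165; the exact exclusion list is inferred from the draft and should be checked against the compilers in use.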
diff --git a/Mk/Uses/kde.mk b/Mk/Uses/kde.mk
index cdeb7ff7ed77..ba70acfacf22 100644
--- a/Mk/Uses/kde.mk
+++ b/Mk/Uses/kde.mk
@@ -99,7 +99,7 @@ KDE_FRAMEWORKS5_VERSION?= 5.116.0
KDE_FRAMEWORKS5_BRANCH?= stable
# Current KDE Frameworks (Qt6 based).
-KDE_FRAMEWORKS6_VERSION?= 6.13.0
+KDE_FRAMEWORKS6_VERSION?= 6.14.0
KDE_FRAMEWORKS6_BRANCH?= stable
# Current KDE applications. Update _${PORTNAME}_PROJECT_VERSION for the following ports:
@@ -223,6 +223,7 @@ MASTER_SITES?= KDE/${KDE_FRAMEWORKS_BRANCH}/frameworks/${KDE_FRAMEWORKS_VERSION
. endif
DIST_SUBDIR?= KDE/frameworks/${KDE_FRAMEWORKS_VERSION}
. if ${_KDE_VERSION:M6}
+DIST_SUBDIR= KDE/frameworks/${KDE_FRAMEWORKS_VERSION:R}
DESCR= ${.CURDIR:H:H}/x11/kf6-frameworks/pkg-descr
. endif
. else
diff --git a/Mk/Uses/linux.mk b/Mk/Uses/linux.mk
index bf62f887899a..dae71fc94289 100644
--- a/Mk/Uses/linux.mk
+++ b/Mk/Uses/linux.mk
@@ -189,11 +189,7 @@ _linux_rl9_qtxmlpatterns= linux-rl9-qt5-qtxmlpatterns>0:textproc/linux-rl9-qt5-
_linux_${linux_ARGS}_sdl12= linux-${linux_ARGS}-sdl>0:devel/linux-${linux_ARGS}-sdl12
_linux_${linux_ARGS}_sdl12-extralibs= linux-${linux_ARGS}-sdl12-extralibs>0:misc/linux-${linux_ARGS}-sdl12-extralibs
_linux_${linux_ARGS}_sdl20= linux-${linux_ARGS}-sdl20>0:devel/linux-${linux_ARGS}-sdl20
-_linux_${linux_ARGS}_sdl2gfx= linux-${linux_ARGS}-sdl2_gfx>0:graphics/linux-${linux_ARGS}-sdl2_gfx
-_linux_${linux_ARGS}_sdl2image= linux-${linux_ARGS}-sdl2_image>0:graphics/linux-${linux_ARGS}-sdl2_image
-_linux_${linux_ARGS}_sdl2mixer= linux-${linux_ARGS}-sdl2_mixer>0:audio/linux-${linux_ARGS}-sdl2_mixer
-_linux_${linux_ARGS}_sdl2ttf= linux-${linux_ARGS}-sdl2_ttf>0:graphics/linux-${linux_ARGS}-sdl2_ttf
-_linux_${linux_ARGS}_sdl2sound= linux-${linux_ARGS}-sdl2_sound>0:audio/linux-${linux_ARGS}-sdl2_sound
+_linux_${linux_ARGS}_sdl20-extralibs= linux-${linux_ARGS}-sdl20-extralibs>0:misc/linux-${linux_ARGS}-sdl20-extralibs
_linux_rl9_shaderc= linux-rl9-shaderc>0:graphics/linux-rl9-shaderc
_linux_rl9_spirv-tools= linux-rl9-spirv-tools>0:graphics/linux-rl9-spirv-tools
_linux_${linux_ARGS}_sqlite3= linux-${linux_ARGS}-sqlite>0:databases/linux-${linux_ARGS}-sqlite3
diff --git a/Mk/Uses/nodejs.mk b/Mk/Uses/nodejs.mk
index 89a528ddc43e..d758bba2adcb 100644
--- a/Mk/Uses/nodejs.mk
+++ b/Mk/Uses/nodejs.mk
@@ -7,13 +7,13 @@
# - build use node as build-time dependency
# - run use node as runtime dependency
# - env set the environment (NODEJS_VERSION and NODEJS_SUFFIX)
-# - version available version: lts, current, 18, 20, 22, 23
+# - version available version: lts, current, 18, 20, 22, 23, 24
#
# Note:
# - The supported versions follow upstream release schedule
# https://github.com/nodejs/Release/blob/main/README.md#release-schedule
# - lts is 22 now
-# - current is 23 now
+# - current is 24 now
# - USES=nodejs means USES=nodejs:build,run
# - If you define a version, you must provide run and/or build
#
@@ -22,13 +22,13 @@
.if !defined(_INCLUDE_USES_NODEJS_MK)
_INCLUDE_USES_NODEJS_MK= yes
-_VALID_NODEJS_VERSIONS= 18 20 22 23 current lts
+_VALID_NODEJS_VERSIONS= 18 20 22 23 24 current lts
. if ! ${_VALID_NODEJS_VERSIONS:M${NODEJS_DEFAULT}}
IGNORE= Invalid default nodejs version ${NODEJS_DEFAULT}; valid versions are ${_VALID_NODEJS_VERSIONS}
. endif
-. if !empty(nodejs_ARGS:Nbuild:Nenv:Nrun:Nlts:Ncurrent:N18:N20:N22:N23)
+. if !empty(nodejs_ARGS:Nbuild:Nenv:Nrun:Nlts:Ncurrent:N18:N20:N22:N23:N24)
IGNORE= USES=nodejs has invalid arguments ${nodejs_ARGS}
. endif
@@ -47,7 +47,7 @@ _NODEJS_VER= ${version}
_NODEJS_VER= ${NODEJS_DEFAULT}
. endif
-NODEJS_VERSION= ${_NODEJS_VER:S|current|23|:S|lts|22|}
+NODEJS_VERSION= ${_NODEJS_VER:S|current|24|:S|lts|22|}
NODEJS_SUFFIX= -node${NODEJS_VERSION}
. if ${nodejs_ARGS:M*build*}
diff --git a/Mk/Uses/python.mk b/Mk/Uses/python.mk
index d2b787504316..aba9c48df38c 100644
--- a/Mk/Uses/python.mk
+++ b/Mk/Uses/python.mk
@@ -319,6 +319,8 @@
.if !defined(_INCLUDE_USES_PYTHON_MK)
_INCLUDE_USES_PYTHON_MK= yes
+ZEROREGS_UNSAFE= yes
+
# What Python version and what Python interpreters are currently supported?
# When adding a version, please keep the comment in
# Mk/bsd.default-versions.mk in sync.
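Review bot: `ZEROREGS_UNSAFE= yes` is set for every python-using port with no explanation of what breaks, so the next maintainer has no way to judge when the opt-out can be lifted or narrowed to the affected ports. A one-line comment above it naming the failure would be enough, e.g. `# Opt out of WITH_ZEROREGS: -fzero-call-used-regs breaks <observed failure — fill in>`. Note that the zeroregs.mk added in this same commit does not currently check this variable, so the opt-out is a no-op until that guard is enabled.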
@@ -615,7 +617,7 @@ _PYTHONPKGLIST= ${WRKDIR}/.PLIST.pymodtmp
# cryptography* support
. if ${PYCRYPTOGRAPHY_DEFAULT} == rust
-CRYPTOGRAPHY_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography>=44.0.2,1:security/py-cryptography@${PY_FLAVOR}
+CRYPTOGRAPHY_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography>=44.0.3,1:security/py-cryptography@${PY_FLAVOR}
. else
CRYPTOGRAPHY_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-legacy>=3.4.8_3,1:security/py-cryptography-legacy@${PY_FLAVOR}
. endif
diff --git a/Mk/bsd.default-versions.mk b/Mk/bsd.default-versions.mk
index 772d28798aa0..8fa74cfc77dd 100644
--- a/Mk/bsd.default-versions.mk
+++ b/Mk/bsd.default-versions.mk
@@ -64,7 +64,7 @@ GHOSTSCRIPT_DEFAULT?= 10
# Possible values: mesa-libs, mesa-devel
GL_DEFAULT?= mesa-libs
# Possible values: 1.20, 1.21, 1.22, 1.23, 1.24, 1.25-devel
-GO_DEFAULT?= 1.21
+GO_DEFAULT?= 1.24
# Possible values: 1.8, 2.2, 3.0
GUILE_DEFAULT?= 2.2
# Possible versions: 6, 7
@@ -75,11 +75,11 @@ GUILE_DEFAULT?= 2.2
IMAGEMAGICK_DEFAULT?= 7
# Possible values: 8, 11, 17, 18, 19, 20, 21, 22, 23, 24
JAVA_DEFAULT?= 8
-# Possible values: 3.8.0, 4.99
+# Possible values: 4.0, 4.99
. if (defined(WANT_LAZARUS_DEVEL) && !empty(WANT_LAZARUS_DEVEL)) || ${ARCH:Maarch64}
LAZARUS_DEFAULT?= 4.99
. else
-LAZARUS_DEFAULT?= 3.8.0
+LAZARUS_DEFAULT?= 4.0
. endif
# Possible values: rust, legacy
. if empty(ARCH:Naarch64:Namd64:Narmv7:Ni386:Npowerpc64:Npowerpc64le:Npowerpc:Nriscv64)
@@ -109,7 +109,7 @@ MONO_DEFAULT?= 5.20
MYSQL_DEFAULT?= 8.0
# Possible values: ninja, samurai
NINJA_DEFAULT?= ninja
-# Possible value: 18, 20, 22, 23, current, lts (Note: current = 23 and lts = 22)
+# Possible value: 18, 20, 22, 23, 24, current, lts (Note: current = 24 and lts = 22)
NODEJS_DEFAULT?= lts
# Possible value: 25, 26
OPENLDAP_DEFAULT?= 26
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 4596b773b6d3..1df8af1fd63b 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -1000,7 +1000,8 @@ LC_ALL= C
# These need to be absolute since we don't know how deep in the ports
# tree we are and thus can't go relative. They can, of course, be overridden
# by individual Makefiles or local system make configuration.
-_LIST_OF_WITH_FEATURES= bind_now debug debuginfo lto pie relro sanitize ssp testing
+_LIST_OF_WITH_FEATURES= bind_now debug debuginfo fortify lto pie relro \
+ sanitize ssp stack_autoinit testing zeroregs
_DEFAULT_WITH_FEATURES= ssp
PORTSDIR?= /usr/ports
LOCALBASE?= /usr/local