CVSROOT: /cvs
Module name: www
Changes by: bcook@cvs.openbsd.org 2026/04/18 19:43:10
Modified files:
libressl : index.html releases.html
Log message:
LibreSSL 4.3.1
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/19 03:36:56
Modified files:
sys/dev/ic : com.c
Log message:
Get rid of the COM_CONSOLE ifdef maze. This was introduced for sparc
which is no longer with us.
ok jsg@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/19 03:59:22
Modified files:
sys/arch/amd64/amd64: autoconf.c bus_dma.c
sys/arch/amd64/include: bus.h
Log message:
Extend the SEV bounce buffer implementation to make it usable for bouncing
memory that isn't DMA reachable.
ok deraadt@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/19 13:29:53
Modified files:
sys/arch/arm64/stand/efiboot: efiboot.c
Log message:
Terminate SMBIOS vendor/product matching at first match.
ok jsg@, tobhe@, deraadt@
CVSROOT: /cvs
Module name: ports
Changes by: matthieu@cvs.openbsd.org 2026/04/19 13:38:52
Modified files:
graphics/png : Makefile distinfo
Log message:
Update to png 1.6.58. ok deraadt@, naddy@.
Fixes a regression introduced in 1.6.56
xenocara will be updated after unlock as it's not affected.
CVSROOT: /cvs
Module name: ports
Changes by: matthieu@cvs.openbsd.org 2026/04/19 13:43:31
Modified files:
graphics/png : Tag: OPENBSD_7_8 Makefile distinfo
Log message:
Update to png 1.6.58. ok deraadt@, naddy@.
Fixes a regression introduced in 1.6.56
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/19 13:54:02
Modified files:
libexec/login_chpass: Makefile
Log message:
login_chpass: No longer need to install this setuid root
When the YP code was removed login_chpass became a wrapper that just
execs login_lchpass.
OK deraadt@
CVSROOT: /cvs
Module name: ports
Changes by: volker@cvs.openbsd.org 2026/04/19 14:18:57
Modified files:
shells/elvish : Makefile distinfo modules.inc
shells/elvish/pkg: PLIST
Log message:
shells/elvish: Update to 0.21.0
The current version in ports is broken/non-functional.
approved by naddy@
CVSROOT: /cvs
Module name: ports
Changes by: bcook@cvs.openbsd.org 2026/04/19 14:37:52
Modified files:
sysutils/btop : Makefile
Added files:
sysutils/btop/patches: patch-src_openbsd_btop_collect.cpp
Log message:
Patch btop to report active CPU usage correctly
from upstream https://github.com/aristocratos/btop/pull/1587
This also allows building on sparc64 with gcc 15.
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2026/04/19 17:37:22
Modified files:
usr.bin/ssh : clientloop.c
Log message:
correctly set extended type for client-side channels. Fixes
interactive vs bulk IPQoS for client->server traffic. ok job@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/19 18:18:21
Modified files:
sys/conf : newvers.sh
Log message:
7.9-current
ok deraadt@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/19 19:25:12
Modified files:
sys/dev/pci/drm/i915/gt: intel_engine_heartbeat.c
Log message:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
From Sebastian Brzezinka
2af8b200cae3fdd0e917ecc2753b28bb40c876c1 in linux-6.18.y/6.18.23
4c71fd099513bfa8acab529b626e1f0097b76061 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/19 19:27:42
Modified files:
sys/dev/pci/drm/i915/display: intel_psr.c
Log message:
drm/i915/psr: Do not use pipe_src as borders for SU area
From Jouni Hogander
de9aa7e89b98157d2650f25691e40711b8404151 in linux-6.18.y/6.18.23
75519f5df2a9b23f7bf305e12dc9a6e3e65c24b7 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/19 22:26:12
Modified files:
lib/libcrypto/ec: ec_pmeth.c
Log message:
ec_pmeth: fix 20yo comment: *outlen -> *keylen
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/19 22:35:00
Modified files:
lib/libtls : tls_keypair.c
Log message:
tls_keypair: add missing
from bcook kenjiro
CVSROOT: /cvs
Module name: ports
Changes by: ajacoutot@cvs.openbsd.org 2026/04/20 00:34:11
Modified files:
x11/gtk+4 : Makefile distinfo
Log message:
Update to gtk+4-4.22.3.
ok naddy@
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2026/04/20 01:43:52
Modified files:
usr.bin/ssh : channels.c
Log message:
Clarify comment on what setting extended types for channels does
OK djm@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/20 02:14:29
Modified files:
lib/libcrypto/mlkem: mlkem_internal.h
Log message:
mlkem: use instead of "mlkem.h"
patch from portable
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/20 02:44:48
Modified files:
usr.bin/vi/cl : cl_funcs.c
usr.bin/vi/common: recover.c
usr.bin/vi/ex : ex_append.c ex_bang.c ex_global.c
usr.bin/vi/vi : vs_split.c
Log message:
vi: avoid set but not used warnings
From Walter Alejandro Iglesias
ok claudio
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/20 04:30:02
Modified files:
usr.bin/vi/cl : cl_funcs.c cl_read.c cl_screen.c
usr.bin/vi/common: cut.c delete.c exf.c gs.h key.c line.c main.c
mark.c mem.h msg.c options.c seq.c
usr.bin/vi/ex : ex.h ex_argv.c ex_cmd.c ex_filter.c ex_global.c
ex_init.c ex_join.c ex_read.c ex_script.c
ex_subst.c ex_tag.c ex_txt.c ex_util.c
usr.bin/vi/vi : v_cmd.c v_delete.c v_ex.c v_screen.c v_search.c
v_txt.c v_yank.c vi.c vs_msg.c vs_smap.c
vs_split.c
Log message:
vi: whitespace fixes
Zap trailing whitespace, remove spaces before tabs, and expand 8 spaces to
tabs.
Prompted by a diff by Walter Alejandro Iglesias
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/20 05:37:18
Modified files:
usr.bin/vi/common: screen.c
Log message:
vi: fix indent by trailing extra space
from Walter Alejandro Iglesias
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/20 10:46:15
Modified files:
geo/mapserver : Makefile distinfo
Log message:
geo/mapserver: security update to 8.6.2.
see https://mapserver.org/development/changelog/changelog-8-6.html#changelog-8-6
fixes https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: kn@cvs.openbsd.org 2026/04/20 12:16:56
Modified files:
net/gelatod : Makefile distinfo
Log message:
update to gelatod-1.7; same fix as 029_v6daemons; OK naddy
CVSROOT: /cvs
Module name: ports
Changes by: volker@cvs.openbsd.org 2026/04/20 13:07:42
Modified files:
graphics/lcms2 : Makefile distinfo
Log message:
graphics/lcms2: Update to 2.19rc2
Fixes several issues, for reference see
https://marc.info/?l=oss-security&m=177646929211758&w=2
pointed out by and ok tb@, ok naddy@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/20 15:18:37
Modified files:
sys/arch/octeon/dev: octeon_intr.c
Log message:
sys/octeon: accept linux,phandle for IRQs
SRX300 firmware DT describes the CIU root and several CIB interrupt
controllers with linux,phandle, but omits phandle.
octeon_intr_register() consumed only the latter; the controllers
therefore never entered the interrupt controller registry, and every
later interrupt-parent lookup for CIB, AHCI, and xHCI failed.
Thus, dev/ofw/fdt lookup code already treats phandle and linux,phandle
as equivalent; so the Octeon interrupt layer should do the same when
registering interrupt controllers.
OK: kettenis@, visa@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/20 15:20:38
Modified files:
sys/arch/octeon/dev: cn30xxuart.c
Log message:
sys/octeon: preserve bootloader console baud
The SRX300 console runs at 9600 baud under U-Boot; OpenBSD forced 115200
during console handoff, which garbled output immediately after early
memory setup and made a live kernel look dead.
Here, I read the programmed UART divisor instead and derive comconsrate
from it, so the kernel preserves the bootloader console configuration.
OK: visa@
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 15:35:08
Modified files:
distrib/notes/riscv64: prep
Log message:
Move hw-specific parts to the end of this file
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 15:38:55
Modified files:
distrib/notes/riscv64: prep
Log message:
Document specifics for spacemit K1-based boards
Orange Pi RV2, BananaPi F3, and Milk-V Jupiter
Requested by deraadt
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 15:43:39
Modified files:
distrib/notes/riscv64: prep
Log message:
Add post-install hints for boards without distro_bootcmd (like BPi F3/Jupiter)
The default bootcmd is useless on these boards, so suggest some simple
default boot command.
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 15:47:00
Modified files:
distrib/notes/riscv64: hardware
Log message:
Mention some Spacemit K1 boards that kettenis added support for
BananaPi F3, Orange Pi RV2, and Milk-V Jupiter
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 15:51:22
Modified files:
distrib/notes/riscv64: prep
Log message:
Better wording and typo fix for the Spacemit K1 boards
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/20 16:20:07
Modified files:
distrib/notes/riscv64: prep
Log message:
Remove the bootcmd hint for now
On this jupiter box, U-Boot's bootcmd can't be interrupted on the serial
console by pressing any key, Ctrl+C or ESC, even though the official
docs say it should be possible by pressing any key.
sigh
CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2026/04/20 21:20:14
Modified files:
sysutils/rclone: Makefile distinfo
Log message:
Update to rclone-1.73.5
CVE-2026-41176
rc: add AuthRequired to options/set to prevent auth bypass
rc: snapshot NoAuth at startup to prevent runtime auth bypass
CVE-2026-41179
operations: add AuthRequired to operations/fsinfo to prevent backend
creation
Changelog: https://rclone.org/changelog/#v1-73-5-2026-04-19
OK sthen@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/20 23:18:35
Modified files:
regress/lib/libcrypto/pkcs7: pkcs7test.c
Log message:
pkcs7test: factor main into a helper so we can add some unit tests easily
CVSROOT: /cvs
Module name: src
Changes by: sashan@cvs.openbsd.org 2026/04/21 00:38:28
Modified files:
sys/net : pf_if.c
Log message:
PFI_FLAG_SKIP may be lost when interface disappears and then reappears
if 'set skip on ...' in pf.conf(5) refers to interface (or interface group)
which is yet to be created in system, then all is good.
However if the interface (or interface group) exists in system at the time
when pf.conf(5) is being loaded to pf(4) the effect of skip flag might get
lost. The scenario for tap0 interface goes as follows:
tap0 (and tap interface) exist in system and is known to pf(4), meaning
'pfctl -sI' reports tap0 and tap.
pf.conf with 'set skip on tap' is loaded. The pf(4) sets the flag on
`kif` instance without obtaining a reference to keep it in table
until skip flag (PFI_FLAG_SKIP) is reset.
tap0 interface is removed from system (ifconfig tap0 destroy),
the tap0 is removed from system and also corresponding kif instance
is removed from pf(4). kif is forgotten together with flag settings. If tap0
happens to be the last tap interface, then tap interface group (including
its kif) is also removed from system (and pf(4)).
Now tap0 is going to be re-created by running 'ifconfig tap0 up'. The
corresponding kif instances (kif instance for tap0 interface and tap interface
group) are inserted to interface table in pf(4) with default interface flags,
losing 'set skip on tap...' setting found in pf.conf. To work around
this one has to reload pf.conf so interface flags are set again.
The issue has been noticed and kindly reported by
Atanas Vladimirov
OK bluhm@
CVSROOT: /cvs
Module name: src
Changes by: renaud@cvs.openbsd.org 2026/04/21 01:42:38
Modified files:
libexec/tradcpp: macro.c
Log message:
expand_domacro() handled a defined() with the wrong argument count via
an error path that doesn't drain es->args
OK jsg
CVSROOT: /cvs
Module name: src
Changes by: mglocker@cvs.openbsd.org 2026/04/21 02:56:22
Modified files:
sys/dev/ic : qwz.c
Log message:
Enable nwid scanning by doing two things:
1. Disable the 802.11d scanning command for now, since it causes a firmware
error for which we currently have no solution. This isn't a critical
feature, and we can progress without it until we find a solution.
2. Send the HTT software ring setup messages for the receive rings, otherwise
the firmware never initializes its RXDMA pipeline, and delivers no frames
to the host. For that we did port over the
ath12k_dp_rxdma_ring_sel_config_wcn7850() and ath12k_dp_rx_htt_setup()
functions from the linux driver.
Tested and ok kettenis@, kirill@
CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2026/04/21 05:31:15
Modified files:
devel/opendht : Makefile
Log message:
avoid picking up doxygen during build, to avoid build failure with dpb junking
requested by naddy
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/21 06:35:45
Modified files:
usr.sbin/ntpd : ntp_dns.c
Log message:
we use clock_gettime() here and thus shall explicitly include time.h
from bcook's portable repo, ok bcook
CVSROOT: /cvs
Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2026/04/21 07:19:01
Modified files:
lib/libXpm/src : data.c parse.c
Log message:
Fix Out-of-bounds read. CVE-2026-4367
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/21 07:22:18
Modified files:
www/mozilla-firefox: Makefile distinfo
www/mozilla-firefox/patches:
patch-widget_NativeKeyToDOMCodeName_inc
www/firefox-i18n: Makefile.inc distinfo
Log message:
www/mozilla-firefox: update to 150.0.
see https://www.firefox.com/en-US/firefox/150.0/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/
- disable PGO again, fixes wasm crashes seen with element-web (cf #2030583)
- will need to move to llvm 21 or patch llvm 19 to reenable PGO
- add workaround to avoid fetching some pip wheels during configure
(#2026497), another workaround would be to move to ./mach configure ?
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/21 07:24:36
Modified files:
www/firefox-esr: Makefile distinfo
www/firefox-esr-i18n: Makefile.inc distinfo
Log message:
www/firefox-esr: update to 140.10.0.
see https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/21 07:25:31
Modified files:
www/firefox-esr: Tag: OPENBSD_7_8 Makefile distinfo
Log message:
www/firefox-esr: MFC update to 140.10.0.
see https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/21 07:26:10
Modified files:
www/mozilla-firefox: Tag: OPENBSD_7_8 Makefile distinfo
www/mozilla-firefox/patches: Tag: OPENBSD_7_8
patch-security_manager_ssl_nsNSSCallbacks_cpp
patch-security_nss_lib_nss_nss_h
Log message:
www/mozilla-firefox: MFC update to 150.0.
see https://www.firefox.com/en-US/firefox/150.0/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/
CVSROOT: /cvs
Module name: xenocara
Changes by: bluhm@cvs.openbsd.org 2026/04/21 08:06:16
Modified files:
lib/libXpm/src : Tag: OPENBSD_7_8 data.c parse.c
Log message:
Fix Out-of-bounds read. CVE-2026-4367
from matthieu@
this is errata/7.8/032_libxpm.patch.sig
CVSROOT: /cvs
Module name: xenocara
Changes by: bluhm@cvs.openbsd.org 2026/04/21 08:07:07
Modified files:
lib/libXpm/src : Tag: OPENBSD_7_7 data.c parse.c
Log message:
Fix Out-of-bounds read. CVE-2026-4367
from matthieu@
this is errata/7.7/038_libxpm.patch.sig
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/21 08:20:00
Modified files:
usr.sbin/ntpd : control.c
Log message:
in control_check(), rename struct sockaddr_un sun to sa - for consistency
with control_init() just underneath, and because "sun" causes problems for
portable on solaris
pretty much from bcook's portable repo, but another name, ok bcook
CVSROOT: /cvs
Module name: www
Changes by: bluhm@cvs.openbsd.org 2026/04/21 08:29:25
Modified files:
. : errata77.html errata78.html
Log message:
Release libxpm and slaacd errata.
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/21 08:31:03
Modified files:
usr.sbin/ntpd : ntp.c
Log message:
newer gcc thinks it's smart (do they call it AI yet?) and points out
peercount may be used uninitialized. of course it is utterly wrong.
move peercount = 0 initialization 2 lines up to shut gcc up
pointed out by bcook, discussed with, gcc-checked by and ok bcook claudio
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/21 08:36:00
Modified files:
usr.sbin/ntpd : ntpd.c
Log message:
newer gcc is so smart to point out that settime_deadline may be used
uninitialized. of course it is wrong. sprinkle a "= 0" to shut it up.
pointed out by bcook, discussed with, gcc confronted by and ok claudio bcook
CVSROOT: /cvs
Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2026/04/21 08:42:57
Modified files:
lib/libpng : .gitignore ANNOUNCE CHANGES CMakeLists.txt
README configure configure.ac libpng-manual.txt
libpng.3 libpngpf.3 png.5 png.c png.h pngconf.h
pngrtran.c pngtest.c
lib/libpng/contrib/libtests: pnggetset.c
lib/libpng/scripts: libpng-config-head.in libpng.pc.in
pnglibconf.h.prebuilt
Log message:
update to libpng 1.6.58. ok deraadt@
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/21 08:44:29
Modified files:
libexec/spamd : spamd.c
Log message:
Fix handling of multi-line blacklist error strings in spamd.conf
When appending the blacklist error string, spamd splits the message
on a newline and continues the message on a new line. There was
a bug where the current pointer was incremented too far, which
resulted in the message being truncated at the newline instead
of continued.
For very long blacklist messages (around 8K) in spamd.conf, this
could result in heap corruption. However, this is very unlikely
in practice.
OK jsg@
Reported by and fix from Dhiraj Mishra
CVSROOT: /cvs
Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2026/04/21 09:03:11
Modified files:
. : MODULES 3RDPARTY
Log message:
update
CVSROOT: /cvs
Module name: src
Changes by: miod@cvs.openbsd.org 2026/04/21 10:23:21
Modified files:
distrib/sets/lists/comp: md.loongson
Log message:
sync
CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2026/04/21 11:24:40
Modified files:
usr.sbin/rad : frontend.c
Log message:
Fix PREF64 option corruption if DNSSL is also set
On octeon (but not amd64) setting both a NAT64 prefix and a search domain
causes the former ICMPv6 option to be corrupted due to how it is added last
in the Router Advertisement packet, following too much zero padding.
Bytes after the DNSSL option are zeroed up to the next 8-byte boundary to
align options inside the packet.
Instead of checking alignment of the pointer address somewhere inside the
packet buffer that lives on the stack, which is thus architecture specific,
use their offset, i.e. see how many bytes were already written, in order to
zero-fill what is left between last search domain and next 8-byte boundary.
This makes RAs byte-identical between octeon and amd64 and prevents rad(8)
from sending the kind of invalid packets that clients like slaacd(8) and
gelatod(8) (from ports) need 029_v6daemons for.
OK florian
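
The padding problem described in the rad(8) commit above, as an added example that is not the rad(8) source: a toy Router Advertisement builder pads after the DNSSL option either by pointer address or by bytes written, and a minimal option walker then looks for PREF64. All function names, the 96-byte packet size and the sample domain are assumptions made for illustration; the option type numbers come from RFC 8106 and RFC 8781.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RA_HDR_LEN	16	/* fixed ICMPv6 Router Advertisement header */
#define OPT_DNSSL	31	/* RFC 8106 */
#define OPT_PREF64	38	/* RFC 8781 */

/* Address-based: result depends on where the buffer sits in memory. */
static size_t
pad_by_address(const uint8_t *p)
{
	return (size_t)(-(uintptr_t)p & 7);
}

/* Offset-based: result depends only on how many bytes were written. */
static size_t
pad_by_offset(size_t written)
{
	return (8 - written % 8) % 8;
}

/* Encode "a.b" as length-prefixed DNS labels; returns bytes written. */
static size_t
put_domain(uint8_t *dst, const char *name)
{
	size_t n = 0;

	while (*name != '\0') {
		size_t len = strcspn(name, ".");

		dst[n++] = (uint8_t)len;
		memcpy(dst + n, name, len);
		n += len;
		name += len;
		if (*name == '.')
			name++;
	}
	dst[n++] = 0;		/* root label terminates the name */
	return n;
}

/* Build header + DNSSL + padding + PREF64; returns the packet length. */
static size_t
build_ra(uint8_t *pkt, size_t cap, const char *domain, int by_offset)
{
	size_t off = RA_HDR_LEN, start = off;

	memset(pkt, 0, cap);	/* padding bytes are therefore already zero */
	pkt[off] = OPT_DNSSL;
	off += 8;		/* type, length, reserved, lifetime */
	off += put_domain(pkt + off, domain);
	/* Option length is counted in units of 8 bytes, rounded up. */
	pkt[start + 1] = (uint8_t)((off - start + 7) / 8);

	off += by_offset ? pad_by_offset(off) : pad_by_address(pkt + off);

	pkt[off] = OPT_PREF64;
	pkt[off + 1] = 2;	/* PREF64 is always 16 bytes */
	return off + 16;
}

/* Walk options the way a receiver would; -1 if not found or malformed. */
static long
find_option(const uint8_t *pkt, size_t len, uint8_t type)
{
	size_t off = RA_HDR_LEN;

	while (off + 2 <= len) {
		size_t optlen = (size_t)pkt[off + 1] * 8;

		if (optlen == 0 || off + optlen > len)
			return -1;
		if (pkt[off] == type)
			return (long)off;
		off += optlen;
	}
	return -1;
}

static uint64_t storage[16];	/* 8-byte aligned backing store */

/* Place the packet `shift` bytes into the store and locate PREF64. */
long
pref64_offset(size_t shift, int by_offset)
{
	uint8_t *pkt = (uint8_t *)storage + shift;
	size_t len = build_ra(pkt, 96, "example.net", by_offset);

	return find_option(pkt, len, OPT_PREF64);
}

int
main(void)
{
	printf("address-based, aligned buffer:   %ld\n", pref64_offset(0, 0));
	printf("address-based, buffer at base+4: %ld\n", pref64_offset(4, 0));
	printf("offset-based,  buffer at base+4: %ld\n", pref64_offset(4, 1));
	return 0;
}
```
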
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2026/04/21 12:18:11
Modified files:
sys/sys : systm.h
sys/kern : subr_xxx.c
Log message:
the enosys() stub has not been used for decades
ok jsg jca
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/21 12:36:13
Modified files:
sys/netinet : tcp_input.c
Log message:
A packet with a FIN flag needs to act as a barrier in tcp_flush_queue.
Once a FIN packet is received all following data should simply be
discarded. tcp_input handles this FIN but for that tcp_reass() needs
to properly return TH_FIN when a FIN is processed in tcp_flush_queue.
This reassembly was not quite correct. Unexpected data directly following
the FIN packet was also reassembled and the FIN was actually lost.
The failure to return TH_FIN caused the regression in the previous fix.
tcp_input() passes some FIN packets through reassembly even though they
are in sequence and the queue is empty.
tcp_flush_queue() needs to treat packets with TH_FIN set as a barrier
and stop reassembly after processing this last packet. This ensures that
tcp_reass() returns TH_FIN to tcp_input which then changes the state of
the session. It also ensures that only data up to the FIN packet are
passed to userland.
Reported by Xint Code
OK sashan@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/21 13:43:47
Modified files:
sys/arch/octeon/dev: octpcie.c
Log message:
sys/octeon: fix PCIe config tag layout
Octeon PCIe config-space MMIO uses a 12-bit register field; function,
device, and bus begin at bits 12, 15, and 20.
octpcie_make_tag() and octpcie_decompose_tag() used the conventional PCI
tag layout instead, so config accesses to non-zero device or function
numbers used the wrong MMIO offset.
On SRX300 this breaks enumeration of the second Broadcom switch function
at 0:0:1, which reads back garbage until the tag layout is corrected.
OK: kettenis@, visa@
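
The tag layout mismatch described in the octpcie commit above, as an added example that is not the octpcie.c source: one function packs bus/device/function at bits 20/15/12 as the commit message states, another uses the conventional layout (assumed here to be bus at bit 16, device at bit 11, function at bit 8), and a decoder shows which target the Octeon config window would actually address. The function names and the 8-bit bus width are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

struct bdf {
	unsigned bus, dev, func, reg;
};

/* Layout from the commit message: 12-bit register, func@12, dev@15, bus@20. */
static uint32_t
octeon_tag(unsigned bus, unsigned dev, unsigned func)
{
	return (bus << 20) | (dev << 15) | (func << 12);
}

/* Conventional PCI tag layout (assumption): 8-bit register, func@8, dev@11, bus@16. */
static uint32_t
conventional_tag(unsigned bus, unsigned dev, unsigned func)
{
	return (bus << 16) | (dev << 11) | (func << 8);
}

/* Interpret a config-space offset (tag | reg) the way the Octeon window does. */
struct bdf
octeon_decode(uint32_t off)
{
	struct bdf r;

	r.reg = off & 0xfff;
	r.func = (off >> 12) & 0x7;
	r.dev = (off >> 15) & 0x1f;
	r.bus = (off >> 20) & 0xff;	/* 8-bit bus width is an assumption */
	return r;
}

/*
 * Returns 1 when an access built with the chosen layout lands on the
 * intended bus/device/function/register, 0 when it lands elsewhere.
 */
int
reaches(int conventional, unsigned bus, unsigned dev, unsigned func,
    unsigned reg)
{
	uint32_t tag = conventional ? conventional_tag(bus, dev, func) :
	    octeon_tag(bus, dev, func);
	struct bdf got = octeon_decode(tag | reg);

	return got.bus == bus && got.dev == dev && got.func == func &&
	    got.reg == reg;
}

int
main(void)
{
	struct bdf got = octeon_decode(conventional_tag(0, 0, 1));

	/* The 0:0:1 function from the commit message, register 0. */
	printf("conventional tag for 0:0:1 addresses %u:%u:%u reg 0x%x\n",
	    got.bus, got.dev, got.func, got.reg);
	printf("octeon tag reaches 0:0:1: %d\n", reaches(0, 0, 0, 1, 0));
	printf("conventional tag reaches 0:0:0: %d\n", reaches(1, 0, 0, 0, 0));
	return 0;
}
```
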
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/21 13:58:21
Modified files:
share/man/man4 : gpio.4
Log message:
Mention sfgpio(4) and smtgpio(4)
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/21 13:58:49
Modified files:
share/man/man4 : iic.4
Log message:
Mention smtiic(4)
CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2026/04/21 14:00:55
Modified files:
share/man/man4 : openprom.4
Log message:
Mention powerpc64 and riscv64 support
CVSROOT: /cvs
Module name: www
Changes by: tb@cvs.openbsd.org 2026/04/21 14:16:15
Modified files:
. : 79.html
Log message:
Add libressl 4.3.0 changelog (portable changes to be added later)
CVSROOT: /cvs
Module name: ports
Changes by: rapha@cvs.openbsd.org 2026/04/21 14:18:54
Modified files:
audio/csound : Makefile
Log message:
disable pipewire
ok naddy@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/21 14:20:09
Modified files:
sys/arch/octeon/dev: if_cnmac.c
Log message:
sys/cnmac: support SoftLRO
This work is based on previous work of Janne Johansson
OK: visa@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/21 14:55:21
Modified files:
regress/lib/libcrypto/wycheproof: wycheproof.go
Log message:
wycheproof: skip BLS test vectors to prepare for update
CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2026/04/21 15:23:28
Modified files:
net/librenms : Makefile distinfo
net/librenms/pkg: PLIST-doc PLIST-main
Log message:
update to librenms-26.4.0, ok naddy
includes fix for cross-site scripting in alert template list, and adds
missing escaping for a few cli commands etc
https://github.com/librenms/librenms/releases/tag/26.4.0
CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2026/04/21 15:25:44
Modified files:
net/librenms : Tag: OPENBSD_7_8 Makefile distinfo
net/librenms/patches: Tag: OPENBSD_7_8
patch-LibreNMS___init___py
patch-app_ConfigRepository_php
patch-resources_definitions_config_definitions_json
Added files:
net/librenms/pkg: Tag: OPENBSD_7_8 DESCR-doc DESCR-main
PLIST-doc PLIST-main README-main
Removed files:
net/librenms/pkg: Tag: OPENBSD_7_8 DESCR PLIST README
Log message:
MFC update to librenms-26.4.0
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/21 19:43:48
Modified files:
sys/nfs : nfs_var.h nfs_vnops.c
Log message:
change nfs_ioctl() from a macro with enoioctl() to a proper function
this was the only use of enoioctl()
ok claudio@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/21 19:51:37
Modified files:
sys/sys : systm.h
sys/kern : subr_xxx.c
Log message:
remove unused enoioctl()
ok claudio@
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/21 23:39:56
Modified files:
mail/mozilla-thunderbird: Makefile distinfo
mail/thunderbird-i18n: Makefile.inc distinfo
Log message:
mail/mozilla-thunderbird: update to 140.10.0.
see https://www.thunderbird.net/en-US/thunderbird/140.10.0esr/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: robert@cvs.openbsd.org 2026/04/22 00:12:24
Modified files:
devel/llvm/22/patches: patch-lld_ELF_LinkerScript_cpp
devel/llvm/20 : Makefile
devel/llvm/20/patches: patch-lld_ELF_LinkerScript_cpp
devel/llvm/21 : Makefile
devel/llvm/21/patches: patch-lld_ELF_LinkerScript_cpp
Log message:
fix section merging for .srodata and .openbsd.randomdata
there was a bad merge of changes and a comma was lost and with that
section merging for .srodata and .openbsd.randomdata
ok naddy@, sthen@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 00:57:08
Modified files:
usr.bin/tmux : tty-features.c tty-keys.c
Log message:
Add a default set of features for WezTerm.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 00:58:59
Modified files:
usr.bin/tmux : tmux.1
Log message:
Remove no longer accurate statement from tmux.1, reported by dkuettel at
gmail dot com.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:03:06
Modified files:
usr.bin/tmux : window-copy.c
Log message:
Do not leak hyperlinks in copy mode, from Barrett Ruth in GitHub issue
5020.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:05:03
Modified files:
usr.bin/tmux : format.c
Log message:
Add a fairly low time limit to format evaluation to stop absurdly nested
formats from making tmux appear to hang.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:05:59
Modified files:
usr.bin/tmux : window-clock.c
Log message:
Make clock visible on terminals without colours, from Manuel Einfalt in
GitHub issue 5001.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:10:16
Modified files:
usr.bin/tmux : cmd-new-session.c cmd-rename-session.c format.c
input.c names.c screen.c session.c spawn.c
tmux.c tmux.h window.c
Log message:
Sanitize pane titles and window and session names more consistently and
strictly, prevents C0 characters and other nonvisible characters causing
problems. Reported (with a different fix) by Chris Monardo in GitHub
issue 4999.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:13:26
Modified files:
usr.bin/tmux : key-bindings.c options-table.c
Log message:
Add a couple of controls (kill, zoom) to default pane-status-format.
Will be more to come with floating panes. From Dane Jensen in GitHub
issue 4981.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:15:34
Modified files:
usr.bin/tmux : status.c
Log message:
Translate keypad keys to text in prompt input. From Barrett Ruth in
GitHub issue 4996.
CVSROOT: /cvs
Module name: src
Changes by: renaud@cvs.openbsd.org 2026/04/22 01:15:43
Modified files:
usr.bin/vi/ex : ex.c
Log message:
Fix underflows in ex(1) and vi(1) +cmd parser
OK millert@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/22 01:25:17
Modified files:
usr.bin/tmux : server-client.c tmux.1 tmux.h tty-features.c
tty-term.c tty.c
Log message:
Add feature for progress bar and pass to outside terminal, GitHub issue
4972 from Eric Dorland.
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/22 02:32:31
Modified files:
mail/mozilla-thunderbird: Tag: OPENBSD_7_8 Makefile distinfo
Log message:
mail/mozilla-thunderbird: MFC update to 140.10.0
see https://www.thunderbird.net/en-US/thunderbird/140.10.0esr/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/22 04:02:34
Modified files:
share/man/man9 : tsleep.9
Log message:
tsleep.9: add const volatile qualifiers for ident
This matches the changes with kern_synch.c r1.90 (2009).
ok claudio jca
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/22 04:04:41
Modified files:
share/man/man9 : tsleep.9
Log message:
tsleep.9: replace two instances of -- with em dashes per mandoc -Tlint
makes sense to jca
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/22 06:28:08
Modified files:
sys/scsi : scsi_base.c
Log message:
Use &nowake as ident in tsleep_nsec call instead of using a stack variable
for the same goal. Using &nowake it becomes clear that there is no wakeup
call for this sleep.
noticed by robert@ with llvm22
OK jca@ krw@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/22 07:51:46
Modified files:
usr.sbin/bgpd : bgpd.conf.5
Log message:
Add missing It in '.It Ic min-version Ar number'
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/22 07:54:50
Modified files:
usr.sbin/ntpd : ntpd.c
Log message:
in show_peer_msg, grow the buffer to hold the sprintf'd stratum by 1 byte.
the previous buffer was large enough since stratum is clamped to 0..15,
however, it is a bit much to ask for analyzers - including those in
compilers - to detect that, an extra byte on the stack costs us effectively
nothing, and it feels a bit more robust.
triggered by bcook's portable diffs, ok claudio
CVSROOT: /cvs
Module name: src
Changes by: henning@cvs.openbsd.org 2026/04/22 07:57:58
Modified files:
usr.sbin/ntpd : util.c
Log message:
grow the buffer to hold the sprintf'd rtable id by 8 bytes so it can hold
the full range an int can express.
the previous buffer was large enough since the rtable id is clamped to 0..
RT_TABLEID_MAX which is 255, however, it is a bit much to ask for analyzers -
including those in compilers - to detect that, 8 extra bytes on the stack
cost us effectively nothing, and it feels a bit more robust.
triggered by bcook's portable diffs, ok claudio
CVSROOT: /cvs
Module name: ports
Changes by: caspar@cvs.openbsd.org 2026/04/22 09:14:43
Modified files:
meta/tor-browser: Makefile
www/tor-browser: Makefile.inc
www/tor-browser/browser: Makefile distinfo
Log message:
Tor Browser: update to 15.0.10
OK naddy@
CVSROOT: /cvs
Module name: ports
Changes by: caspar@cvs.openbsd.org 2026/04/22 09:15:02
Modified files:
meta/tor-browser: Tag: OPENBSD_7_8 Makefile
www/tor-browser: Tag: OPENBSD_7_8 Makefile.inc
www/tor-browser/browser: Tag: OPENBSD_7_8 Makefile distinfo
Log message:
Tor Browser: update to 15.0.10
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/22 09:17:43
Modified files:
sys/net : route.c
Log message:
Use M_RTABLE and not M_TEMP for MPLS data attached to rt_llinfo.
OK phessler@
CVSROOT: /cvs
Module name: src
Changes by: renaud@cvs.openbsd.org 2026/04/22 09:54:08
Modified files:
usr.bin/vi/vi : vs_split.c
Log message:
vs_split() uses sp's visual map without checking it exists.
OK millert
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/22 10:01:08
Modified files:
usr.bin/vi/ex : ex_global.c
Log message:
When updating the ranges after an insertion or deletion, the range
should be up to and including the current line number.
This behavior is consistent with historic vi as well as modern vim.
Reported by Tim Case, fix from Walter Alejandro Iglesias
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/22 10:55:44
Modified files:
openssh : history.html
Log message:
fix typos that have been on this page for 26 years
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/22 13:11:04
Modified files:
sys/arch/octeon/dev: cn30xxgmx.c cn30xxgmxvar.h if_cnmac.c
Log message:
sys/cnmac: support CN71xx 1000BASE-X ports
Some CN71xx boards describe active GMX ports only in the PIP device
tree, and mark the CPU facing link as cavium,sgmii-mac-1000x-mode with
cavium,disable-autonegotiation, but without a PHY handle. OpenBSD
otherwise trusts GMX0_INF_MODE for port discovery and insists on a PHY
attach in cn30xxgmx_attach(), so such ports never reach cnmac with a
usable media setup.
Enumerate CN71xx SGMII ports from pip/interface@N when that description
is present, carry the 1000x and disable-autonegotiation flags into the
per port state, and let cnmac seed fixed 1000baseT full duplex media for
that case. Ports that still use a normal SGMII PHY path continue to go
through cn30xxsmi_get_phy() and mii_attach() unchanged.
Tested on two CN71xx Octeon systems: Juniper SRX300, which uses
1000BASE-X DT ports, and Ubiquiti EdgeRouter 4, which does not.
OK: visa@
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2026/04/22 15:58:53
Modified files:
usr.bin/netstat: mbuf.c
sys/kern : uipc_mbuf.c
Log message:
increase the 9k mbuf clusters to 9k + 128 bytes
pools try to amortise the cost of items against the underlying
kernel memory allocator by rounding the "page" size up to fit at
least 8 items, and then rounding that up to the next power of 2.
the 9k clusters are 9 * 1024 bytes, which is 72k after being
multiplied by 8, which becomes 128k cos it's the next power of 2.
if you divide 128k by 9k, you get 14 and some change. there's enough
change that we can raise the cluster size by 128 bytes without
affecting the page size or the number of items on the page. ie,
it's still going to use 128k "pages" and fit 14 clusters.
i can take advantage of this in some drivers for stupid hardware,
so given the above it seems like a plan without any drawbacks apart
from the pool name getting a bit bigger.
ok claudio@
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2026/04/22 16:09:18
Modified files:
sys/dev/pci : if_ix.c
Log message:
fix rss hashing on big endian archs
i noticed that packets seem to be hashed differently by the network
stack and this hardware on sparc64. mucking around with how we
handle the endianness of the rss key programmed via registers makes
it consistent on both big and little archs.
tested by me on sparc64 and arm64
ok claudio@
CVSROOT: /cvs
Module name: ports
Changes by: jca@cvs.openbsd.org 2026/04/22 16:10:17
Modified files:
net/openvpn : Tag: OPENBSD_7_8 Makefile distinfo
net/openvpn/patches: Tag: OPENBSD_7_8 patch-configure
Log message:
SECURITY update to openvpn-2.6.20
fix race condition in TLS handshake that could lead to leaking of packet
data from a previous handshake under specific circumstances
(CVE-2026-40215)
fix server ASSERT() on receiving a suitably malformed packet with
a valid tls-crypt-v2 key (CVE-2026-35058)
Other changes: https://github.com/OpenVPN/openvpn/blob/v2.6.20/Changes.rst
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2026/04/22 16:12:49
Modified files:
sys/dev/pci : if_ix.c
Log message:
fix tx dma segment size
i thought it was weird that an MI driver like ix(4) is using an MD
number like PAGE_SIZE for the maximum segment size in its tx dma
maps. the manual says tx segments can be 16k (and goes into a 16bit
field), so let's try using the documented value here.
the rx descs also use 16 * 1024 as a magic number here, so it's in
keeping with other code in the same driver.
tested by me on arm64 and sparc64 (which has 8k pages)
tested by and ok jan@
CVSROOT: /cvs
Module name: src
Changes by: sashan@cvs.openbsd.org 2026/04/22 17:06:01
Modified files:
sys/net : if_pfsync.c
Log message:
pf_purge_states() may trip assert(st->timeout == PFTM_UNLINKED)
in pf_free_state(). Once member ->timeout in pf_state structure
reaches PFTM_UNLINKED value, then the ->timeout member must not
be updated. This diff reminds pfsync(4) to follow PFTM_UNLINKED
rule too. The pfsync(4) currently may accidentally update ->timeout
member while state is being purged, causing pf_purge_states() to
trip the assert.
Issue was kindly reported by Stuart Henderson.
OK @bluhm
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:08:46
Modified files:
sys/dev/pci/drm/amd/amdgpu: amdgpu_vm.c
Log message:
drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
From Donet Tom
6a9f2683c66dc54d3598589684c0b3c5cb2862ad in linux-6.18.y/6.18.24
4e9597f22a3cb8600c72fc266eaac57981d834c8 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/22 19:08:47
Modified files:
lib/libc/time : difftime.c
Log message:
Fix difftime() result when it is passed a negative value
We need to cast the result of bitwise AND to time_t before the cast
to double in the HI and LO macros. Otherwise, we get a very large
positive floating point value instead of a negative value.
Reported by Xuntao Chi
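Added example (not the code from difftime.c): a small model of the signedness problem the message above describes. The mask values, the int64_t stand-in for time_t and the function names are assumptions made for illustration; only the HI/LO split and the extra cast come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 64-bit signed time_t, modelled with int64_t. */
typedef int64_t model_time_t;

/* Assumed masks. A hex constant this large has an unsigned type in C. */
#define MASK_HI 0xffffffff00000000ULL
#define MASK_LO 0x00000000ffffffffULL

/*
 * Before: (t & mask) is unsigned because the mask is unsigned, so a
 * negative t turns into a huge positive value before the cast to double.
 */
#define HI_BUGGY(t) ((double)((t) & MASK_HI))
#define LO_BUGGY(t) ((double)((t) & MASK_LO))

/*
 * After: cast the AND result back to the signed time type first. The
 * unsigned-to-signed conversion wraps on mainstream compilers, which
 * restores the sign of the high half.
 */
#define HI_FIXED(t) ((double)(model_time_t)((t) & MASK_HI))
#define LO_FIXED(t) ((double)(model_time_t)((t) & MASK_LO))

/* Each half is exactly representable as a double, hence the split. */
double
difftime_buggy(model_time_t t1, model_time_t t0)
{
	return (HI_BUGGY(t1) - HI_BUGGY(t0)) + (LO_BUGGY(t1) - LO_BUGGY(t0));
}

double
difftime_fixed(model_time_t t1, model_time_t t0)
{
	return (HI_FIXED(t1) - HI_FIXED(t0)) + (LO_FIXED(t1) - LO_FIXED(t0));
}

int
main(void)
{
	printf("buggy(-1, 0) = %g\n", difftime_buggy(-1, 0));
	printf("fixed(-1, 0) = %g\n", difftime_fixed(-1, 0));
	printf("fixed(-5, 10) = %g\n", difftime_fixed(-5, 10));
	return 0;
}
```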
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:10:33
Modified files:
sys/dev/pci/drm/amd/amdkfd: kfd_queue.c
Log message:
drm/amdkfd: Fix queue preemption/eviction failures by aligning control stack size to GPU page size
From Donet Tom
647fb0dc3818733024fc96c1df1ec3af806b0256 in linux-6.18.y/6.18.24
78746a474e92fc7aaed12219bec7c78ae1bd6156 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2026/04/22 19:15:07
Modified files:
sys/ddb : db_input.c
Log message:
make ctrl-w remove trailing space from words too
this makes it more consistent with what i experience with ctrl-w
in the shell.
ok deraadt@ claudio@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:16:32
Modified files:
sys/dev/pci/drm/i915: i915_gem.c
Log message:
x86: rename and clean up __copy_from_user_inatomic_nocache()
From Linus Torvalds
03fd014cd9f3a3d173740ab9c5cbede82fd6322c in linux-6.18.y/6.18.24
5de7bcaadf160c1716b20a263cf8f5b06f658959 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:16:55
Modified files:
sys/dev/pci/drm/include/linux: uaccess.h
Log message:
rename __copy_from_user_inatomic_nocache() to
copy_from_user_inatomic_nontemporal() to follow changes in linux 6.18.24
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:28:03
Modified files:
sys/net : art.h art.c
Log message:
remove unused art_walk()
ok dlg@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/22 19:33:01
Modified files:
sys/net : pf_ioctl.c
Log message:
remove unused pf_statelim_clr()
ok dlg@
CVSROOT: /cvs
Module name: ports
Changes by: phessler@cvs.openbsd.org 2026/04/23 01:51:18
Modified files:
cad/openscad : Makefile
Log message:
add missing build dep. it wouldn't build without the build dep being
available, so no need for a REVISION bump.
noticed by myself and naddy on arm64 and amd64 bulk package builds.
OK sthen@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/23 05:29:23
Modified files:
usr.bin/tmux : screen-redraw.c
Log message:
Redraw correctly when a popup is present above pane borders, GitHub
issue 4997 from Manuel Einfalt.
CVSROOT: /cvs
Module name: ports
Changes by: jca@cvs.openbsd.org 2026/04/23 05:46:03
Added files:
devel/orc/patches: patch-orc_riscv_orcriscvtarget_c
Log message:
Fix orc riscv64-specific code paths
orc previously failed to build because of inconsistent #ifdefs that
exposed Linux-only calls. While here hook up call to
(__builtin)__clear_cache and correct default assumptions (the 'V'
extension can't be assumed, on any OS).
Prompted by a report from matthieu@, maintainer timeout, ok sthen@
CVSROOT: /cvs
Module name: ports
Changes by: robert@cvs.openbsd.org 2026/04/23 06:00:58
Modified files:
devel/clang-tools-extra: Makefile
devel/py-llvmlite: Makefile
lang/zig : Makefile
www/chromium : Makefile
www/iridium : Makefile
www/ungoogled-chromium: Makefile
Log message:
bump REVISION after the fixes in the llvm ports
ok sthen@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/23 06:36:15
Modified files:
usr.bin/tmux : file.c server-client.c tmux.h
Log message:
Kill client rather than fatalx on bad file handling messages, reported
by Tim Zheng.
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/23 06:57:47
Modified files:
regress/usr.bin/ssh/unittests: Makefile.inc
Log message:
Drop -Winline from CDIAGFLAGS it breaks on sparc64
On sparc64 ssh/unittests/kex fails to build with:
usr.bin/ssh/libcrux_mlkem768_sha3.h:8196: warning: inlining failed
in call to 'libcrux_ml_kem_polynomial_ZERO_89_ea':
--param max-inline-insns-single limit reached
OK djm@ (long time ago) reminded by tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/23 08:15:53
Modified files:
usr.sbin/rpki-client: parser.c
Log message:
Move repo_tree_free() up to where the other repo functions live.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/23 13:51:37
Modified files:
sys/arch/riscv64/dev: simplebus.c
sys/arch/riscv64/include: bus.h
sys/arch/riscv64/riscv64: autoconf.c bus_dma.c
Log message:
Implement bounce buffers for riscv64.
ok jca@
CVSROOT: /cvs
Module name: ports
Changes by: kmos@cvs.openbsd.org 2026/04/23 14:00:09
Modified files:
audio/ncmpc : Makefile
Log message:
span.h is provided by GCC 15.
Drop BROKEN-sparc64
ok naddy
CVSROOT: /cvs
Module name: ports
Changes by: kmos@cvs.openbsd.org 2026/04/23 14:00:49
Modified files:
math/libqalculate: Makefile
Log message:
Now that ports-gcc is gcc 15, this is no longer BROKEN on sparc64
Remove BROKEN-sparc64
ok naddy
CVSROOT: /cvs
Module name: ports
Changes by: kirill@cvs.openbsd.org 2026/04/23 15:11:39
Modified files:
net/ejabberd : Makefile
Log message:
net/ejabberd: prevent linking against wayland/libei instead of erlang's libei.a
CVSROOT: /cvs
Module name: ports
Changes by: naddy@cvs.openbsd.org 2026/04/23 15:44:49
Modified files:
lang/gawk : Makefile
Log message:
lang/gawk: do not pick up gettext-tools in configure
configure picks up xgettext and it is then used during the build, but
to no effect.
Reported by jca@
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/23 17:21:41
Modified files:
build/mirrors : openbgpd-ftp.html.head
libressl : mail.html
openbgpd : ftp.html
openiked : manual.html
openntpd : features.html
opensmtpd : report.html
Log message:
fix broken/outdated links
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/23 17:22:40
Modified files:
libressl : papers.html
openbgpd : users.html
openntpd/txt : release-6.1p1.txt release-6.8p1.txt
opensmtpd : list.html
opensmtpd/announces: libasr-1.0.0.txt libasr-1.0.1.txt
libasr-1.0.2.txt
Log message:
fix some typos
CVSROOT: /cvs
Module name: ports
Changes by: matthieu@cvs.openbsd.org 2026/04/23 23:59:22
Modified files:
sysutils/ttyplot: Makefile
sysutils/ttyplot/patches: patch-ttyplot_c
Log message:
Fix ttyplot by moving pledge() call after open(/dev/tty).
Add 'use pledge()' marker to Makefile while there.
ok tb@, fcambus@, naddy@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/24 04:08:52
Modified files:
usr.bin/tmux : window.c
Log message:
No need to stravis the window name twice.
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/24 07:25:44
Modified files:
sys/net : pipex_local.h trunklacp.c
Log message:
use __kprintf__ not __printf__ for format attributes
avoids format warnings with clang 21 and later
ok robert@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/24 09:10:20
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
Simplify PKCS7_get_issuer_and_serial()
The i variable is unused. Likewise for the first assignment to ri.
Instead of an incomplete check that idx is in range, which still
results in a NULL deref if idx < 0, check if ri is not NULL before
accessing, as sk_value() checks the index correctly.
ok jsing kenjiro
CVSROOT: /cvs
Module name: ports
Changes by: jca@cvs.openbsd.org 2026/04/24 10:01:38
Modified files:
net/openvpn : Makefile distinfo
Log message:
SECURITY update to openvpn-2.7.2
fix race condition in TLS handshake that could lead to leaking of packet
data from a previous handshake under specific circumstances
(CVE-2026-40215)
fix server ASSERT() on receiving a suitably malformed packet with
a valid tls-crypt-v2 key (CVE-2026-35058)
Other changes: https://github.com/OpenVPN/openvpn/blob/v2.7.2/Changes.rst
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/04/24 11:31:12
Modified files:
security/nss : Makefile distinfo
Log message:
security/nss: bugfix update to 3.123.1
fixes #2033783: invalid DTLS CertificateVerify signature breaks Firefox WebRTC to pion and webrtc-rs servers
see https://hg-edge.mozilla.org/projects/nss/raw-file/tip/doc/rst/releases/nss_3_123_1.rst
ok naddy@
CVSROOT: /cvs
Module name: ports
Changes by: phessler@cvs.openbsd.org 2026/04/24 11:42:24
Modified files:
graphics/ImageMagick: Makefile
Log message:
remove BROKEN marker to try building on arm(v7). the platform has changed
a lot since 2019
OK sthen@ naddy@
CVSROOT: /cvs
Module name: www
Changes by: kmos@cvs.openbsd.org 2026/04/24 16:33:40
Modified files:
. : plus.html
Log message:
Added changes for November and December 2025
Done with pamela@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/24 23:47:03
Modified files:
lib/libcrypto/sha: sha256.c
Log message:
Add FIPS 180-4 references for SHA-256 constants.
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 04:30:11
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
pkcs7: Simplify PKCS7_type_is_other()
Remove unnecessary isOther and nid variables and use direct returns.
The function should probably be removed...
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 04:48:59
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
pkcs7: avoid assignment to i in PKCS7_dataInit()
We can switch over the return value of OBJ_obj2nid() rather than using i
for an indirection.
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 04:50:50
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
pkcs7: don't use i and j for NIDs in PKCS7_dataDecode()
There's no need to assign to i before the switch and j is a terrible
name for a NID. Inline the latter and switch directly over the return
value of OBJ_obj2nid().
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 04:53:13
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
pkcs7: don't use i, j for NIDs in PKCS7_dataFinal()
Use nid for NIDs and use i only for for loops.
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 04:54:30
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
pkcs7: drop silly use of i in PKCS7_dataVerify()
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/25 05:41:41
Modified files:
sys/dev/fdt : dwpcie.c
Log message:
If the PCIe link is down, provide access to config space for bus 0, but
return 0xffffffff (and ignore writes) for other busses. This gets rid of
the "can't initialize hardware" messages that confuse some users and
better matches what happens on other platforms with PCIe when a slot is
empty.
ok jca@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/25 06:14:38
Modified files:
sys/arch/sparc64/sparc64: trap.c
Log message:
Do not clear the dirty upper and lower bits when enabling the FPU in fprs
When handling a FPU disabled trap and the FPU context is still pointing to
curproc then all that needs to be done is enable the FPU but on sparc64 this
needs to be done in two places. In pstate and %fprs.
Writing FPRS_FEF into %fprs clears the DU and DL bits which marks the FPU
state as clean (but it may not be). If the proc only reads the FPU state
and later a lazy FPU switch is forced the FPU context is not correctly saved.
Instead read %fprs and or FPRS_FEF into it, keeping the DU and DL bits intact.
See also rev 1.68 for why %fprs needs to be fumbled with.
This fixes various issues seen during ports bulk builds. Like perl tripping
over "use 5.12.0;" with a -NaN is not a version error, various awk issues
and even cmake failures via 'std::bad_array_new_length'.
OK kettenis@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/25 08:36:12
Modified files:
regress/lib/libssl/dtls: Makefile
Added files:
regress/lib/libssl/dtls: dtls_wire_test.c
Log message:
Add DTLS wire tests.
Add tests that ensure the wire bytes for DTLS are what we expect for both
CCS and fragmented handshake messages.
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/25 11:47:46
Modified files:
usr.bin/vi/common: delete.c
Log message:
Fix a misapplied patch in rev 1.12, the goto belongs outside the len check.
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/25 11:51:11
Modified files:
usr.bin/vi/vi : v_sentence.c
Log message:
Prevent '(' from moving the cursor forward.
Fixes an issue where '(' moved forward to the start of the next (not
previous) sentence when used within whitespace at the start of a line.
From Debian bug 193498 (Tommy Pettersson) via nvi2.
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/25 11:58:56
Modified files:
usr.bin/vi/vi : v_sentence.c
Log message:
Fix special case of ')' when the cursor is on white-space.
The forward sentence code has a special case to support moving to
the start of the next sentence when it is in the middle of an empty
line or whitespace between sentences. However, the logic was
incorrect and applied when the cursor was on _any_ white-space.
This change adds logic to look back and detect whether the cursor
is actually in between two sentences.
Based on a diff from Walter Alejandro.
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/25 13:30:59
Modified files:
usr.bin/vi/vi : v_paragraph.c v_sentence.c
Log message:
Allow '!}' and '!)' at EOF, even though there is no forward movement.
The updated behavior differs from traditional vi but matches vim.
It is already possible to run bang commands at EOF in conjunction
with some other forward movement commands such as 'l' and 'w'.
From Walter Alejandro Iglesias
CVSROOT: /cvs
Module name: www
Changes by: naddy@cvs.openbsd.org 2026/04/25 14:07:56
Modified files:
. : 79.html
Log message:
13044 amd64 packages
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/25 15:04:11
Modified files:
faq : upgrade78.html
Log message:
zap invalid
tag
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/25 15:05:16
Modified files:
faq/ports : differences.html specialtopics.html
Log message:
fix some typos
CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2026/04/25 15:21:15
Modified files:
faq : faq17.html
Log message:
android's vpn client supports ikev2 now, so remove some outdated info.
discussed with landry
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/25 22:19:11
Modified files:
lib/libcrypto/pkcs7: pk7_doit.c
Log message:
Fix PKCS7_set_{un,}signed_attributes()
In both these functions, if the X509_ATTRIBUTE_dup() fails, the
remainder of the sk stack is shared with p7si->{un,}auth_attr and
the caller will likely end up freeing it twice.
Fix this by writing another sk_deep_copy() patterned after the existing
ones in x509_lu.c and x509_vpm.c. PKCS7_set_{un,}signed_attributes()
become trivial wrappers of that.
ok jsing kenjiro
CVSROOT: /cvs
Module name: www
Changes by: matthieu@cvs.openbsd.org 2026/04/26 00:22:19
Modified files:
. : 79.html
Log message:
Update versions of base+xenocara
CVSROOT: /cvs
Module name: www
Changes by: matthieu@cvs.openbsd.org 2026/04/26 00:24:32
Modified files:
. : 79.html
Log message:
7.7 -> 7.8 where needed.
CVSROOT: /cvs
Module name: www
Changes by: matthieu@cvs.openbsd.org 2026/04/26 01:00:54
Modified files:
. : 79.html
Log message:
ports versions
CVSROOT: /cvs
Module name: www
Changes by: tb@cvs.openbsd.org 2026/04/26 01:07:31
Modified files:
. : 79.html
Log message:
zlib 1.3.2
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/04/26 03:27:15
Modified files:
sys/dev/ic : com.c
Log message:
Attempt to drain the transmit FIFO before resetting or disabling it such
that output that is currently in the FIFO makes it out. We already do
this when attaching as a console by using a fixed delay, but not in
compwroff() which runs when userland closes the associated tty. Instead
of using a fixed delay, look at the LSR_TSRE bit which should get set
if the FIFO (or the transmit shift register if the FIFO is disabled) is
empty. Use a fixed timeout such that on hardware with a non-functional
LSR_TSRE bit the loops still terminate.
This should fix issues where we lose serial output when userland closes
a tty or when com(4) attaches to the port that is used as the console.
ok deraadt@
CVSROOT: /cvs
Module name: www
Changes by: tb@cvs.openbsd.org 2026/04/26 03:42:46
Modified files:
. : 79.html
Log message:
go 1.26.2
CVSROOT: /cvs
Module name: www
Changes by: sthen@cvs.openbsd.org 2026/04/26 07:09:56
Modified files:
. : 79.html
Log message:
10631 i386 packages
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/26 11:58:58
Modified files:
lib/libcrypto/x509: x509_addr.c
Log message:
make_addressRange: unused bits in max must be zero
X509v3_addr_add_range() requires that min and max of an address range
have network encoding. In the RFC 3779 encoding of an actual address
range (as opposed to a prefix) as a SEQUENCE OF two ASN.1 BIT STRINGs,
the trailing one bits of the maximum become unused bits and therefore
must be DER encoded as zeroes. The DER encoder will clear them via i2d
but these trailing ones are annoying. Make a copy in which the unused
bits are cleared.
ok kenjiro
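Added example (not LibreSSL code): the RFC 3779 range encoding described in the message above, where min drops its trailing zero bits, max drops its trailing one bits, and the unused bits of the last octet must be zero in DER. The struct, the function names and the sample range 10.2.16.0 to 10.2.47.255 are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Content of an ASN.1 BIT STRING, without tag and length. */
struct bitstr {
	unsigned char data[16];	/* large enough for an IPv6 address */
	size_t len;		/* number of content octets */
	unsigned int unused;	/* unused bits in the last octet, 0..7 */
};

/*
 * Encode one end of an address range. fill is 0 for min (strip trailing
 * zero bits) and 1 for max (strip trailing one bits). addr is in network
 * byte order. Returns 0 on success, -1 on bad input.
 */
int
encode_range_end(const unsigned char *addr, size_t addrlen, int fill,
    struct bitstr *out)
{
	size_t bits = addrlen * 8;

	if (addrlen == 0 || addrlen > sizeof(out->data))
		return -1;

	/* Drop trailing bits that equal the fill bit. */
	while (bits > 0 &&
	    ((addr[(bits - 1) / 8] >> (7 - (bits - 1) % 8)) & 1) == (fill & 1))
		bits--;

	out->len = (bits + 7) / 8;
	out->unused = (unsigned int)(out->len * 8 - bits);
	memset(out->data, 0, sizeof(out->data));
	memcpy(out->data, addr, out->len);

	/*
	 * For max the dropped bits are ones, so a plain copy leaves ones in
	 * the unused bits of the last octet. Clear them in the copy.
	 */
	if (out->unused > 0)
		out->data[out->len - 1] &= (unsigned char)(0xff << out->unused);
	return 0;
}

/* DER check: returns 1 if the unused bits of the last octet are zero. */
int
unused_bits_are_zero(const unsigned char *data, size_t len,
    unsigned int unused)
{
	if (len == 0 || unused == 0)
		return 1;
	return (data[len - 1] & ((1u << unused) - 1)) == 0;
}

int
main(void)
{
	/* Constructed sample range: 10.2.16.0 - 10.2.47.255 (not a prefix). */
	const unsigned char min[4] = { 10, 2, 16, 0 };
	const unsigned char max[4] = { 10, 2, 47, 255 };
	struct bitstr b;

	encode_range_end(min, sizeof(min), 0, &b);
	printf("min: %zu octets, %u unused, last 0x%02x\n",
	    b.len, b.unused, b.data[b.len - 1]);
	encode_range_end(max, sizeof(max), 1, &b);
	printf("max: %zu octets, %u unused, last 0x%02x\n",
	    b.len, b.unused, b.data[b.len - 1]);
	/* The untouched prefix of max would fail the DER check. */
	printf("raw max prefix ok: %d\n", unused_bits_are_zero(max, 3, 4));
	return 0;
}
```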
CVSROOT: /cvs
Module name: www
Changes by: kirill@cvs.openbsd.org 2026/04/26 12:27:12
Modified files:
. : 79.html
Log message:
79.html: jdk8 was removed
CVSROOT: /cvs
Module name: src
Changes by: mglocker@cvs.openbsd.org 2026/04/26 13:25:08
Modified files:
sys/dev/pci : if_qwz_pci.c
sys/dev/ic : qwz.c qwzreg.h qwzvar.h
Log message:
Bring the qwz driver up to WPA2 association on the Qualcomm WCN7850
chip.
Major changes:
1. Fix the RX path.
2. Fix the TX path.
3. Fix MSI interrupt routing.
4. Make the WPA2 4-way handshake complete.
5. Add bus_dmamap_sync() barriers on RX and TX.
6. Update register/descriptor defines from ath11k to ath12k WiFi7.
Known limitations:
- DHCP does not yet complete on most setups: TX of DISCOVER works
(the DHCP server sees it), but the OFFER does not reach the host.
Likely an RX-path or post-handshake GTK state issue. Reported by
kettenis@ with an athn(4) AP on a Vivobook.
- Some hardware (e.g. Honor laptop) hits a firmware page fault
during association. RDDM dump shows a fault in dlpager_main.c
inside the firmware; likely a memory addressing issue specific to
that silicon stepping or IOMMU configuration. Reported by kirill@.
- On APs with PMF (Protected Management Frames) enabled, the
association flaps continuously; on APs without PMF (Apple
hotspot, athn(4)) the connection reaches a stable "active" state
and survives subsequent firmware crashes via the recovery path.
- Firmware occasionally crashes after sustained traffic on some APs
(FritzBox in particular can drive the device into an
unrecoverable "tx credits timeout" state); the driver normally
recovers via the existing RDDM path in if_qwz_pci.c without a
system reboot.
- One PN-replay loop in qwz_dp_peer_rx_pn_replay_config doesn't
iterate the non-QoS TID slot. Cosmetic for normal use; will
land as a separate small commit.
This is a foundation commit: enough to associate and exchange some
frames, but not yet a usable network connection. Further work is
required.
OK kettenis@, kirill@
CVSROOT: /cvs
Module name: src
Changes by: dtucker@cvs.openbsd.org 2026/04/26 23:49:41
Modified files:
regress/usr.bin/ssh: keyscan.sh
Log message:
Use supported hostkeyalgorithms specifically in sshd_config instead of
supported key types, which is almost but not completely correct.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/27 06:31:11
Modified files:
usr.bin/tmux : cmd-parse.y
Log message:
Add a limit on maximum length of environment variable assignment in
configuration files.
CVSROOT: /cvs
Module name: src
Changes by: hshoexer@cvs.openbsd.org 2026/04/27 07:06:14
Modified files:
usr.sbin/vmd : config.c
Log message:
vmd(8): Avoid reuse of dead filedescriptor
When the vmd process sends a kernfd to the vmm process, that
descriptor will be closed in msgbuf_write() after a successful
sendmsg(). However, that descriptor number is still stored in
vm->vm_kernel.
When termination of one VM is interleaved with launch of another VM,
that number might be reassigned to a _new_ kernfd of the launching
VM. Now we have a race:
- the vmd process queues an imsg with that descriptor in config_setvm()
(for the launching VM)
- the vmd process calls in vm_stop() close() on that descriptor
(for the terminating VM)
- when the vmd process calls proc_dispatch() imsgbuf_send() for
imsg queued in config_setvm(), sendmsg() will return EBADF (the
descriptor in the control message is invalid)
By dupping kernfd we can avoid this race.
ok dv@
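Added example (not vmd code): a single-process model of the descriptor reuse described in the message above, with dup() as one way to break the aliasing. struct vm, send_and_close() and the use of /dev/null are stand-ins assumed for illustration; how vmd itself arranges the dup is not shown on this page.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for the per-VM state that remembers the fd. */
struct vm {
	int kernfd;
};

/* Models the transport: after a successful send the passed fd is closed. */
static void
send_and_close(int fd)
{
	close(fd);
}

/* 1 if using fd would fail with EBADF, as sendmsg() does for a closed fd. */
static int
fd_is_dead(int fd)
{
	return fcntl(fd, F_GETFD) == -1 && errno == EBADF;
}

/*
 * Buggy lifecycle. Returns 1 when the launching VM's descriptor reused the
 * stale number and was then closed by the terminating VM's cleanup.
 */
int
stale_close_kills_new_fd(void)
{
	struct vm dying, launching;
	int reused, dead;

	if ((dying.kernfd = open("/dev/null", O_RDONLY)) == -1)
		return -1;
	send_and_close(dying.kernfd);	/* number stays in dying.kernfd */

	/* open() returns the lowest free number, so the number is reused. */
	if ((launching.kernfd = open("/dev/null", O_RDONLY)) == -1)
		return -1;
	reused = (launching.kernfd == dying.kernfd);

	close(dying.kernfd);		/* cleanup of the terminating VM */
	dead = fd_is_dead(launching.kernfd);	/* a queued send now fails */
	if (!dead)
		close(launching.kernfd);
	return reused && dead;
}

/*
 * Same lifecycle, but only a dup() is handed to the transport. The VM keeps
 * owning its number until it closes it itself. Returns 1 when the launching
 * VM's descriptor got a different number and survived the cleanup.
 */
int
dup_keeps_new_fd_alive(void)
{
	struct vm dying, launching;
	int copy, reused, alive;

	if ((dying.kernfd = open("/dev/null", O_RDONLY)) == -1)
		return -1;
	if ((copy = dup(dying.kernfd)) == -1) {
		close(dying.kernfd);
		return -1;
	}
	send_and_close(copy);		/* transport closes only the copy */

	if ((launching.kernfd = open("/dev/null", O_RDONLY)) == -1) {
		close(dying.kernfd);
		return -1;
	}
	reused = (launching.kernfd == dying.kernfd);

	close(dying.kernfd);		/* closes a descriptor it still owns */
	alive = !fd_is_dead(launching.kernfd);
	close(launching.kernfd);
	return !reused && alive;
}

int
main(void)
{
	printf("stale close kills new fd: %d\n", stale_close_kills_new_fd());
	printf("dup keeps new fd alive:   %d\n", dup_keeps_new_fd_alive());
	return 0;
}
```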
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/27 09:06:01
Modified files:
usr.sbin/bgpd : bgpd.h rde.c rde.h rde_filter.c session.c
session.h
Log message:
Change to enum filter_action and enum direction since the plural form
does not work well with these enums.
OK denis@ tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/27 09:24:43
Modified files:
usr.sbin/bgpd : rde.c
Log message:
Shuffle the softreconfig functions into an order that makes more sense.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/27 09:52:20
Modified files:
usr.sbin/bgpd : rde.c
Log message:
Rename out_rules to simply rules. In the near future this list will be
used for both 'from' and 'to' filter rules.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/27 10:39:50
Modified files:
sys/arch/octeon/dev: cn30xxgmx.c cn30xxgmxvar.h if_cnmac.c
iobusvar.h octeon_iobus.c octpip.c
Log message:
sys/cnmac: read MAC address from device tree
Read local-mac-address from the matching ethernet port node in device
tree; fall back to the old board address allocation when it is absent.
As suggested by visa@, this changes HW address assignment on the
EdgeRouter Pro, and probably on the ER-8, by swapping ports as follows:
cnmac0 <-> cnmac4
cnmac1 <-> cnmac5
cnmac2 <-> cnmac6
cnmac3 <-> cnmac7
Affected devices use the same MAC addresses as the original firmware.
OK: visa@
CVSROOT: /cvs
Module name: src
Changes by: kirill@cvs.openbsd.org 2026/04/27 10:54:49
Modified files:
sys/arch/octeon/dev: cn30xxpip.c cn30xxpipvar.h if_cnmac.c
if_cnmacvar.h
Log message:
sys/cnmac: add RX queues
Add RX queues to cnmac, backed by shared POW groups. Use PIP tags for RX
group selection and pass the tag up as M_FLOWID.
OK: visa@
CVSROOT: /cvs
Module name: www
Changes by: thfr@cvs.openbsd.org 2026/04/27 14:18:03
Modified files:
. : 79.html
Log message:
mention Vulkan 1.4.341.0
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2026/04/27 16:23:27
Modified files:
usr.sbin/rpki-client: parser.c
Log message:
adjust style
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/27 19:14:07
Modified files:
sys/dev/pci/drm: drm_linux.c
Log message:
Make xarray cyclic start looking for a free id at the position specified
by the next argument and stop after wrapping back to that position.
Previously looking for a free id started at the beginning of the
allocation range and stopped at the end, ignoring the next argument.
Currently xarray cyclic id allocations are only used by the GuC code in
inteldrm. In 6.18.25 drm, the amdgpu PASID allocation changes from
using cyclic idr to cyclic xarray.
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/04/27 21:02:50
Modified files:
. : 79.html
Log message:
suporting -> supporting
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/27 21:25:46
Modified files:
sys/dev/pci/drm/include/linux: xarray.h
Log message:
add DEFINE_XARRAY_FLAGS() for 6.18.25 drm
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/27 21:33:56
Modified files:
sys/dev/pci/drm/include/linux: xarray.h
Log message:
use DEFINE_XARRAY_FLAGS() for DEFINE_XARRAY_ALLOC()
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/27 21:44:14
Modified files:
sys/dev/pci/drm: drm_linux.c
Log message:
Change xarray pool from IPL_NONE to IPL_TTY as amdgpu will soon use
it from interrupt context. Matches the IPL of the IDR pool.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 02:32:44
Modified files:
usr.bin/tmux : cmd-join-pane.c
Log message:
Fix -p for join-pane, from Dane Jensen.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 02:34:15
Modified files:
usr.bin/tmux : cmd-run-shell.c
Log message:
Do not hang run-shell when job_run fails, from Barrett Ruth in GitHub
issue 5037.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 02:35:21
Modified files:
usr.bin/tmux : window-copy.c
Log message:
Do not deref NULL job in window_copy_pipe_run when job_run fails. From
Barrett Ruth in GitHub issue 5036.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 02:47:55
Modified files:
usr.bin/tmux : cmd-pipe-pane.c
Log message:
Do not leak socketpair fds in pipe-pane when fork fails. From Barrett
Ruth.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 02:52:37
Modified files:
usr.bin/tmux : paste.c
Log message:
Sanitize paste buffer names in paste_set and paste_rename, GitHub issue
5032 from Barrett Ruth.
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/28 03:23:22
Modified files:
sys/dev/pci/drm/amd/amdgpu: amdgpu_ids.c
Log message:
drm/amdgpu: replace PASID IDR with XArray
From Mikhail Gavrilov
b7cddf6c017510cd0c79980ea551e7bcdf0edc7e in linux-6.18.y/6.18.25
3c863ff920b45fa7a9b7d4cb932f466488a87a58 in mainline linux
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/04/28 04:01:07
Modified files:
usr.bin/tmux : key-bindings.c menu.c mode-tree.c status.c
Log message:
Make C-[ have the same bindings as Escape for terminals with extended
keys where they are different, GitHub issue 5035 from Eric NICOLAS.
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/28 07:25:04
Modified files:
usr.sbin/rdate : Makefile ntp.c rdate.8 rdate.c
Removed files:
usr.sbin/rdate : ntpleaps.c ntpleaps.h
Log message:
rdate: remove -c option, we don't install the "right" zone files
This option was non-functional since OpenBSD does not ship with the
/usr/share/zoneinfo/right time zone files, which include leap
seconds. OK dgl@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/28 08:06:44
Modified files:
usr.sbin/bgpd : rde.c
Log message:
Fix possible reload bug that leaves old filters on a peer.
In rde_reload_done() the code handling the peer->reconf_rib case has a
continue which skips the code path that actually reapplies the outbound
filters. The result is that such a peer keeps on running with the old
filters -- a subsequent reload will then fix this.
Removing the continue changes the way peer->reconf_rib and peer->reconf_out
interact. Now reconf_rib needs to be checked before reconf_out since it
is possible for both to be set. Adjust the code in rde_softreconfig_in_done()
accordingly.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/28 09:36:52
Modified files:
lib/libc/gen : cgetent.3
Log message:
Escape is octal 33, not 27 (which is escape in decimal)
From Eric Mulholland
CVSROOT: /cvs
Module name: www
Changes by: sthen@cvs.openbsd.org 2026/04/28 10:23:08
Modified files:
. : 79.html
Log message:
12883 aarch64 packages
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/04/28 15:31:48
Modified files:
share/zoneinfo/datfiles: northamerica southamerica zone.tab
zone1970.tab zonenow.tab
Log message:
Update to 2026bgtz from https://github.com/JodaOrg/global-tz
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2026/04/28 15:32:05
Modified files:
usr.bin/ssh : ssh-agent.c
Log message:
unveil the actual listening socket path and its directory
so it can be cleaned up at exit.
Reported by / tested by David Krause, ok markus@
CVSROOT: /cvs
Module name: www
Changes by: kmos@cvs.openbsd.org 2026/04/29 00:49:05
Modified files:
. : plus.html
Log message:
Changes for January 2026
Done with pamela@
CVSROOT: /cvs
Module name: src
Changes by: renaud@cvs.openbsd.org 2026/04/29 02:18:55
Modified files:
sbin/pfctl : parse.y
Log message:
The dual-pool form of the af-to action, af-to af FROM redirpool pool_opts
TO redirpool pool_opts was writing the TO side options in the FROM side.
OK sashan@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/29 05:14:11
Modified files:
usr.sbin/rpki-client: parser.c
Log message:
rpki-client: properly ignore missing unsupported files in -n mode
RFC 9286 section 6.5 mandates that we fetch all the files in a manifest
fileList and validate their hashes. By design, RRDP will ship all the
available files whereas in rsync we decided to fetch only the files of
types we explicitly support. While we check the hashes of unsupported
files, they won't be copied into the cache of validated files.
Since unsupported files are not in the validated cache and may or may
not be present in the temporary directory of fetched objects, there is
logic that ensures that the hashes of all available files are correct
and attempts to avoid an error for files absent from both directories.
Whether all the above decisions in both, standards and our code, are
fully sound is not entirely clear.
Be that as it may, Job observed that this logic was incorrect in noop mode
where no temporary directory is available. This resulted in rejecting the
one manifest that still lists a Ghostbuster's record (RFC 6493) and as a
consequence marking the corresponding CA incorrectly non-functional. This
is a clear bug and this is fixed in this commit by adding a special case
for noop mode.
Further refinements may follow.
ok claudio job
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 08:55:21
Modified files:
lib/libssl : d1_both.c
Log message:
Convert DTLS code to ssl_msg_callback().
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 08:57:29
Modified files:
lib/libssl : d1_both.c
Log message:
Inline dtls1_fix_message_header().
This is only used in one place and it makes no sense to have it as a
separate function. Furthermore, pull up an assertion so that we check
before assigning frag_len.
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 08:59:26
Modified files:
lib/libssl : d1_both.c dtls_local.h
Log message:
Make dtls1_retransmit_message() static.
This function is only called from dtls1_retransmit_buffered_messages().
Make it static and move it above the caller.
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 09:00:53
Modified files:
lib/libssl : d1_both.c
Log message:
Remove unused frag_off argument from dtls1_retransmit_message().
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 09:04:15
Modified files:
lib/libssl : d1_both.c
Log message:
Avoid unnecessary lookups in dtls1_retransmit_message().
dtls1_retransmit_buffered_messages() is iterating over the sent_messages
pqueue, only to pass dtls1_retransmit_message() a sequence number that it
turns back into a priority, to then do a lookup on the sent_messages pqueue.
This is pointless given that we already have the message that we need to
retransmit - just pass that to dtls1_retransmit_message() directly.
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/29 09:13:27
Modified files:
lib/libssl : d1_both.c
Log message:
Split dtls1_do_write() into handshake message and CCS handling.
dtls1_do_write() is currently a single function that handles both handshake
messages and CCS. This is a strange mix that only serves to complicate the
code - handshake messages have their own headers and may need to be
fragmented, while CCS must be sent verbatim (and only contain a single
byte). Pull the CCS part out into a separate function, simplifying the
code. By definition, when sending a CCS message the MTU will already be
set appropriately.
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2026/04/29 12:07:41
Modified files:
lib/libexpat : Changes
lib/libexpat/lib: internal.h xmlparse.c
Log message:
Backport fixes from libexpat version 2.8.0.
Relevant for OpenBSD are security fixes #47 #1183. Library bump
is not necessary. CVE-2026-41080
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2026/04/29 16:22:10
Modified files:
usr.bin/ssh : scp.c
Log message:
fiddle with mask after umask call and not before; avoids fortify
warnings on android. bz3954
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/04/29 22:33:06
Modified files:
sys/dev/pci/drm/i915: i915_driver.c
Log message:
disable GuC submission for Raptor Lake-S
volker@ reports it fails to init on a desktop machine with an i9-14900K
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/04/30 05:06:29
Modified files:
usr.sbin/bgpctl: Makefile
Added files:
usr.sbin/bgpctl: log.c
Log message:
bgpctl: add log.c for bgpctl
This provides log_{warn{,x},info,debug}() and fatal{,x}() implementations
that wrap the err.h API. They are API compatible with bgpd's log.h and will
help undo some contortions where we had to put log calls into weird spots
because of code sharing between bgpd and bgpctl.
ok claudio
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/30 07:52:59
Modified files:
usr.sbin/bgpd : log.c log.h
Log message:
Unexport vlog() from log.c; nothing uses it outside of log.c.
OK henning@
CVSROOT: /cvs
Module name: www
Changes by: naddy@cvs.openbsd.org 2026/04/30 08:12:02
Modified files:
. : 79.html
Log message:
10079 sparc64 packages
9507 powerpc64 packages
CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2026/04/30 08:44:10
Modified files:
mail/exim : Tag: OPENBSD_7_8 Makefile distinfo
mail/exim/patches: Tag: OPENBSD_7_8 patch-Local_Makefile
mail/exim/pkg : Tag: OPENBSD_7_8 MESSAGE-main
Added files:
mail/exim/patches: Tag: OPENBSD_7_8 patch-src_tlscert-openssl_c
Log message:
update to exim-4.99.2 in 7.8-stable (at this point in the release cycle
-stable ports updates are mostly not possible as they'll interfere with
updates to 7.9, however this has been removed in -current so that doesn't
apply here).
this brings recent cve fixes, plus other older ones from 4.99.1 that
didn't get into -stable yet.
also update MESSAGE to warn about removal in 7.9.
ok phessler renaud
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/30 09:20:15
Modified files:
usr.sbin/bgpd : rde_filter.c
Log message:
In rde_filter_free() release the reference to the rde_filterset by calling
rde_filterset_unref() for every rule.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/04/30 09:38:52
Modified files:
lib/libssl : d1_both.c
Log message:
Refactor dtls1_do_write_handshake_message().
If the call to dtls1_write_bytes() fails, handle the potential MTU update
and return/continue, which allows for the remainder to be moved out of an
else statement.
ok kenjiro@ tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/30 09:48:13
Modified files:
usr.sbin/bgpd : logmsg.c
Log message:
Convert logit() to either log_warnx() or log_info() depending on the
log level.
OK sthen@ tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/30 09:51:07
Modified files:
usr.sbin/bgpd : rde.h rde_attr.c
Log message:
Add a bit of const to attr_writebuf(), aspath_get() and aspath_deflate().
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/04/30 12:22:59
Modified files:
usr.sbin/bgpd : rtr_proto.c
Log message:
In the rtr_reader_callback() make sure that the PDU length is not only
smaller than RTR_MAX_PDU_SIZE but also larger than sizeof(struct rtr_header).
Passing a too small value will trigger a fatal error later on which is
not great. Also switch the type of len to size_t, there is no need for
a signed value here.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: anton@cvs.openbsd.org 2026/04/30 22:54:56
Modified files:
regress/usr.sbin/bgpd/unittests: rde_community_test.c
Log message:
Cope with recent const corrections.
CVSROOT: /cvs
Module name: www
Changes by: kmos@cvs.openbsd.org 2026/05/01 00:05:47
Modified files:
. : plus.html
Log message:
Changes for February 2026
Done with pamela@
CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2026/05/01 01:53:05
Removed files:
mail/exim/patches: Tag: OPENBSD_7_8 patch-src_dane-openssl_c
patch-src_lookups_spf_c
patch-src_osfunctions_h patch-src_spf_h
patch-src_tls-openssl_c
Log message:
missed cvs rm
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/01 03:34:05
Modified files:
usr.bin/tmux : format.c
Log message:
Check time inside repeat (R:) loop as well.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/01 03:44:42
Modified files:
usr.bin/tmux : cmd-copy-mode.c options-table.c screen.c tmux.1
tmux.h window-copy.c
Log message:
Add support for line numbers in copy mode. A new copy-mode-line-numbers
option has the following modes: off, default (tmux's normal line
numbering where 0 is the top visible line), absolute (first line in
history is 1), relative (relative to the cursor) and hybrid (current
line is absolute, others relative). Also adds
copy-mode-line-number-style and copy-mode-current-line-number-style to
set the style of the line numbers. When copy mode is entered with the
mouse, line numbers stay off.
From Leo Henon in GitHub issue 5025.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/01 03:59:42
Modified files:
usr.bin/tmux : control.c
Log message:
Do not leak cached last result from control subs, from Aaron Campbell in
GitHub issue 5047.
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/01 05:22:24
Modified files:
usr.sbin/rpki-client: Makefile extern.h
Added files:
usr.sbin/rpki-client: asn1_bit_string.c
Log message:
rpki-client: add compat for BIT STRING accessors
ASN.1 bit strings are DER encoded by zero-padding the bit string at the end
to a length divisible by eight. The number of padding bits ("unused bits"),
a number between 0 and 7, is stored in the first value octet, the remainder
of the value octets are formed by the zero-padded bit string.
Since asn1_string_st is opaque in OpenSSL 4, there need to be accessors for
length and unused bits, which is what is added here. The getter assumes the
ASN1_STRING_FLAG_BITS_LEFT flag is set on a bit string, which is always the
case for deserialized bit strings. I prefer not to elaborate on the madness
hiding here at this point in time...
LibreSSL will likely add these accessors to libcrypto in the ongoing cycle,
but we will need this compat code for OpenSSL and older LibreSSL anyway.
The code is not yet used in rpki-client. The conversions will be committed
soon.
ok claudio job
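The BIT STRING value layout described in the commit above (an unused-bits octet followed by the zero-padded bits), as an added example that is not rpki-client's asn1_bit_string.c. The struct and function names are hypothetical, the sample encodings are constructed, and only definite lengths of up to two length octets are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of a decoded BIT STRING; points into the input buffer. */
struct bit_string {
	const uint8_t	*data;		/* zero-padded bit string octets */
	size_t		 data_len;	/* number of octets in data */
	int		 unused_bits;	/* padding bits in the last octet, 0..7 */
};

/* Parse exactly one DER BIT STRING TLV. Returns 0 on success, -1 on error. */
int
der_bit_string_parse(const uint8_t *der, size_t der_len, struct bit_string *out)
{
	size_t len, off = 2;
	unsigned int unused;

	if (der_len < 2 || der[0] != 0x03)	/* primitive BIT STRING tag */
		return -1;
	if (der[1] < 0x80) {			/* short form length */
		len = der[1];
	} else if (der[1] == 0x81) {		/* one length octet, must be minimal */
		if (der_len < 3 || der[2] < 0x80)
			return -1;
		len = der[2];
		off = 3;
	} else if (der[1] == 0x82) {		/* two length octets, must be minimal */
		if (der_len < 4 || der[2] == 0)
			return -1;
		len = ((size_t)der[2] << 8) | der[3];
		off = 4;
	} else
		return -1;			/* indefinite or larger: not handled */

	if (len != der_len - off)		/* truncated or trailing data */
		return -1;
	if (len < 1)				/* the unused-bits octet is mandatory */
		return -1;

	unused = der[off];
	if (unused > 7)
		return -1;
	if (len == 1 && unused != 0)		/* empty string cannot have padding */
		return -1;
	/* DER: the padding bits in the final octet must all be zero. */
	if (unused != 0 && (der[off + len - 1] & ((1u << unused) - 1)) != 0)
		return -1;

	out->data = der + off + 1;
	out->data_len = len - 1;
	out->unused_bits = (int)unused;
	return 0;
}

/* Number of meaningful bits, i.e. octets * 8 minus the padding. */
size_t
bit_string_bits(const struct bit_string *bs)
{
	return bs->data_len * 8 - (size_t)bs->unused_bits;
}

/* Bit n counted from the most significant bit of the first octet; -1 if out of range. */
int
bit_string_get_bit(const struct bit_string *bs, size_t n)
{
	if (n >= bit_string_bits(bs))
		return -1;
	return (bs->data[n / 8] >> (7 - n % 8)) & 1;
}

/* Constructed samples. */
static const uint8_t bs_prefix23[] = { 0x03, 0x04, 0x01, 0x0a, 0x05, 0x00 };	/* 23 bits */
static const uint8_t bs_empty[] = { 0x03, 0x01, 0x00 };			/* 0 bits */
static const uint8_t bs_unused8[] = { 0x03, 0x02, 0x08, 0x80 };		/* unused > 7 */
static const uint8_t bs_dirty_pad[] = { 0x03, 0x02, 0x01, 0x01 };		/* padding bit set */
static const uint8_t bs_empty_pad[] = { 0x03, 0x01, 0x03 };			/* padding, no data */

int
main(void)
{
	struct bit_string bs;

	if (der_bit_string_parse(bs_prefix23, sizeof(bs_prefix23), &bs) == 0)
		printf("bits=%zu unused=%d\n", bit_string_bits(&bs), bs.unused_bits);
	printf("dirty padding accepted: %s\n",
	    der_bit_string_parse(bs_dirty_pad, sizeof(bs_dirty_pad), &bs) == 0 ?
	    "yes" : "no");
	return 0;
}
```

The 23-bit sample is the shape RFC 3779 uses for address prefixes, where the bit count is the prefix length.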
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/01 05:23:57
Modified files:
regress/usr.sbin/rpki-client: Makefile.inc
regress/usr.sbin/rpki-client/openssl: Makefile
regress/usr.sbin/rpki-client/openssl/build: Makefile
Log message:
rpki-client: add asn1_bit_string.c to TEST_COMMON. Prepare its use.
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/05/01 05:25:21
Modified files:
lib/libc/gen : opendir.3
Log message:
correct history, dirfd() did not appear until tahoe
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/01 05:56:41
Modified files:
usr.bin/tmux : mode-tree.c
Log message:
Add some checks on line size to avoid underflow, from san65384 at gmail
dot com in GitHub issue 4955.
CVSROOT: /cvs
Module name: src
Changes by: miod@cvs.openbsd.org 2026/05/01 14:03:58
Modified files:
sys/arch/hppa/dev: sti_sgc.c
sys/dev/ic : sti.c stireg.h stivar.h
sys/dev/pci : sti_pci.c
Log message:
More work to handle devices which don't have a copy of the STI ROM available
through one of the regular BARs, and have a shared decoder for BAR and ROM.
Such devices can't have their BAR accessed when the ROM is mapped. In this case,
we make a memory copy of the ROM contents and point the STI routines to it,
without leaving the ROM mapped.
This ought to be able to make the FireGL-UX work, but unfortunately it still
hangs the PCI bus when accessing the frame buffer memory at low addresses.
A good side effect of these changes, though, is that we no longer keep a
bus_space mapping on the PCI ROM after initial ROM grovelling. On systems
where the PDC firmware maps all PCI ROM at the same address (since only one
may be active at any time), this lets multiple STI PCI devices attach and
operate correctly, rather than only one attaching and the others complaining
being unable to map the ROM, with errno being EAGAIN.
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/01 16:58:08
Modified files:
. : 79.html
Log message:
add changes
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/01 17:41:00
Modified files:
. : 79.html
Log message:
more updates
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/01 19:00:40
Modified files:
. : 79.html
Log message:
spelling
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/05/01 21:05:31
Modified files:
lib/libc/gen : getdiskbyname.3
Log message:
correct history, getdiskbyname() appeared in 4.2BSD
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/05/01 21:20:45
Modified files:
lib/libc/gen : getfsent.3
Log message:
correct history; endfsent(), getfsfile(), getfsspec(), and setfsent()
appeared in 4BSD
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/02 03:25:48
Modified files:
usr.sbin/rpki-client: cert.c
Log message:
rpki-client: rename INR extension handlers
These are the only two extension handlers having an sbgp_ prefix. Rename
them to cert_ipaddrblocks() and cert_asids() for consistency.
ok job (part of a larger diff)
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/02 04:28:20
Modified files:
usr.sbin/rpki-client: cert.c
Log message:
rpki-client: remove variable indentation in sbgp_* functions
requested by job
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/02 04:35:18
Modified files:
usr.sbin/rpki-client: cert.c ip.c
Log message:
rpki-client: move RFC 3779 IP address parsing from cert.c to ip.c
ok job
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/02 04:36:21
Modified files:
usr.sbin/rpki-client: as.c cert.c
Log message:
rpki-client: move RFC 3779 AS number parsing from cert.c to as.c
ok job
CVSROOT: /cvs
Module name: src
Changes by: florian@cvs.openbsd.org 2026/05/02 07:08:36
Modified files:
usr.sbin/acme-client: json.c netproc.c
Log message:
Prevent memory leaks from json_getstr.
json_getstr returns the result of strdup (or NULL) to the caller so
the caller has to free the memory.
While here, setting order->finalize to NULL once is enough.
From Jan Schreiber (jes AT posteo.de), with input from tb.
OK tb (some time ago)
CVSROOT: /cvs
Module name: www
Changes by: visa@cvs.openbsd.org 2026/05/02 07:52:27
Modified files:
. : 79.html
Log message:
9309 mips64 packages
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2026/05/02 08:09:17
Modified files:
sys/arch/riscv64/include: cpu.h elf.h
sys/arch/riscv64/riscv64: autoconf.c cpu.c
Log message:
Improve CPU identification and hwcap for riscv64.
On riscv64 we currently only expose a fixed hwcap value (G + C) and do not
actually report any of what the CPUs provide via extensions. This means
that userland cannot detect and make use of additional instructions that
exist.
Rework cpu_identify() so that we build hwcap/hwcap2, then use this to select
the correct functions/support to use if we're on the primary CPU (rather
than doing this for every CPU). Check that the secondary CPUs have the same
features as the primary CPU (although this is coming from the DTB and not
the actual hardware).
Finally report available extensions via hwcap/hwcap2 so that we can
make use of these instructions in userland.
ok kettenis@ jca@
CVSROOT: /cvs
Module name: ports
Changes by: phessler@cvs.openbsd.org 2026/05/02 08:24:16
Modified files:
lang/gcc/15/patches: patch-libgcc_config_arm_unwind-arm_h
Log message:
gcc-15 failed to build on arm(v7) because it didn't know what a bool was in
an MD specific file. Add the header, so gcc-15 builds again.
Does not affect any other architecture.
OK pascal@
OK for -release naddy@ sthen@
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/02 12:19:54
Modified files:
. : 79.html
Log message:
more changes
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/02 13:52:02
Modified files:
. : 79.html
Log message:
up to March
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/02 14:00:22
Modified files:
. : 79.html
Log message:
add signify keys for this release
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/02 14:41:22
Modified files:
. : 79.html
Log message:
up to March 4th
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/02 15:00:10
Modified files:
. : 79.html
Log message:
some cleanup
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/02 17:07:41
Modified files:
. : 79.html
Log message:
spelling
CVSROOT: /cvs
Module name: www
Changes by: dtucker@cvs.openbsd.org 2026/05/02 17:28:02
Modified files:
. : 79.html
Log message:
Initial pass at OpenSSH 10.3 changes. Could still use a bit of polish.
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/02 17:34:49
Modified files:
. : 79.html
Log message:
correct man links
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/02 17:50:55
Modified files:
. : 79.html
Log message:
correct html comment declarations
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/02 18:20:39
Modified files:
. : 79.html
Log message:
mention drm version
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/03 03:50:36
Modified files:
. : 79.html
Log message:
a few more pieces
CVSROOT: /cvs
Module name: www
Changes by: stsp@cvs.openbsd.org 2026/05/03 04:12:53
Modified files:
. : 79.html
Log message:
tweak wireless sections; ok benno@
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/03 05:28:04
Modified files:
. : 79.html
Log message:
prioritze -> prioritize
CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2026/05/03 06:48:57
Modified files:
www/mozilla-firefox: Tag: OPENBSD_7_8 Makefile
Added files:
www/mozilla-firefox/patches: Tag: OPENBSD_7_8
patch-third_party_rust_neqo-crypto__cargo-checksum_json
patch-third_party_rust_neqo-crypto_min_version_txt
Log message:
www/mozilla-firefox: unbreak runtime by adding forgotten patches
bourasz at proton noticed that at runtime neqo-crypto complained about
the nss version - i forgot to cvs add the patches reverting the runtime
requirement, but in my testing everything was fine with the version we
had in 7.8.
note: since 150.0p0 in 7.8-stable will be ahead of 150.0 that'll ship
with 7.9-release, after updating to 7.9 if the 7.8 binaries don't work,
one might need to reinstall firefox via pkg_add -r firefox. or wait for
7.9-stable packages to ship 150.0.1 or 150.0.2...
sorry, shit happens when i get to juggle with too many chainsaws.
CVSROOT: /cvs
Module name: src
Changes by: stsp@cvs.openbsd.org 2026/05/03 07:10:46
Modified files:
sys/arch/amd64/stand/boot: conf.c
sys/arch/amd64/stand/efiboot: conf.c diskprobe.c
sys/arch/amd64/stand/libsa: diskprobe.c
sys/arch/i386/stand/boot: conf.c
sys/arch/i386/stand/libsa: diskprobe.c
Log message:
Avoid setting boothowto flags based on information read through a NULL
pointer + an offset into the diskinfo structure.
Fixes boot from RAID 1C softraid volumes where the kernel could be
tricked into believing it is booting to unhibernate the machine,
skipping devices such as network interfaces, which would then be
missing in the running system once booted.
Debugged together with jtt@ when several of our gothub.org servers
lost their network interfaces after reinstallation with RAID 1C.
ok kettenis@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/03 08:55:43
Modified files:
usr.bin/tmux : format.c
Log message:
Free working stuff when R formats fail.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/03 08:57:09
Modified files:
usr.bin/tmux : window.c
Log message:
Do not check for NULL after dereferencing, from alexarama at yahoo dot
com in GitHub issue 5051.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/03 09:01:21
Modified files:
usr.bin/tmux : control.c
Log message:
Fix control client hang on exit after toggling no-output, GitHub issue
5049 from Aaron Campbell.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/03 09:02:48
Modified files:
usr.bin/tmux : options-table.c tmux.1 window-tree.c
Log message:
Allow the indicator in tree mode to be customized by two new options:
tree-mode-preview-format and tree-mode-preview-style.
CVSROOT: /cvs
Module name: src
Changes by: florian@cvs.openbsd.org 2026/05/03 09:49:09
Modified files:
sbin/dhcp6leased: engine.c
Log message:
Prevent unsigned underflow leading to a crash.
An IA_PD option contains one or more nested dhcp options.
We first need to make sure that the length field of the option header
does not point outside of the encapsulating option, which we did.
When we then parse the nested options we need to make sure that nested
option header length field is large enough for the nested option, not
that the encapsulating option length is large enough for the
encapsulated option.
Otherwise opt_hdr.len - 2 can underflow, which strvisx(3) interprets
as a size_t, i.e. a very large number, leading to a crash once we hit
a guard.
Underflow pointed out by an AI tool (sorry, don't know which one) in a
somewhat convoluted way. It also provided a reproducer for the issue
which was more helpful.
AI reports triaged by millert.
While here fix the same bug in the DHO_IA_PREFIX case and prevent a
memory leak.
OK tb
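The two length checks the dhcp6leased commit above distinguishes, as an added example that is not the project's engine.c. Function and struct names are hypothetical, the option layouts follow RFC 8415, and the sample packets are constructed; the flawed helper only computes a length and never reads memory with it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_STATUS_CODE	13	/* RFC 8415 option codes */
#define OPT_IAPREFIX	26
#define OPT_HDR_LEN	4	/* 2 bytes code + 2 bytes length */
#define IA_PD_FIXED	12	/* IAID + T1 + T2 */
#define IAPREFIX_FIXED	25	/* lifetimes (8) + prefix length (1) + prefix (16) */
#define STATUS_FIXED	2	/* status code, followed by the message */

struct ia_pd_summary {
	int	prefixes;
	int	status_codes;
	size_t	last_status_msg_len;
};

static uint16_t
rd16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Flawed derivation: it checks how much of the encapsulating option is left,
 * not the nested option's own length, so opt_len < 2 wraps around.
 */
size_t
status_msg_len_flawed(size_t remaining_in_parent, uint16_t opt_len)
{
	if (remaining_in_parent < STATUS_FIXED)
		return 0;
	return (size_t)opt_len - STATUS_FIXED;
}

/* Walk the nested options of an IA_PD body. Returns 0 if well formed, else -1. */
int
parse_ia_pd(const uint8_t *body, size_t body_len, struct ia_pd_summary *out)
{
	size_t off, remaining;
	uint16_t code, len;

	memset(out, 0, sizeof(*out));
	if (body_len < IA_PD_FIXED)
		return -1;
	off = IA_PD_FIXED;
	while (off < body_len) {
		remaining = body_len - off;
		if (remaining < OPT_HDR_LEN)
			return -1;
		code = rd16(body + off);
		len = rd16(body + off + 2);
		off += OPT_HDR_LEN;
		remaining -= OPT_HDR_LEN;
		/* Check 1: the nested option must not point outside its parent. */
		if (len > remaining)
			return -1;
		/* Check 2: the nested length must cover that option's fixed part. */
		switch (code) {
		case OPT_IAPREFIX:
			if (len < IAPREFIX_FIXED)
				return -1;
			out->prefixes++;
			break;
		case OPT_STATUS_CODE:
			if (len < STATUS_FIXED)
				return -1;
			out->status_codes++;
			out->last_status_msg_len = (size_t)len - STATUS_FIXED;
			break;
		default:
			break;	/* unknown options are skipped by length */
		}
		off += len;
	}
	return 0;
}

/* Constructed sample: status code "OK" plus one /56 prefix. */
static const uint8_t sample_ok[] = {
	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00, 0x1c, 0x20,
	0x00, 0x0d, 0x00, 0x04, 0x00, 0x00, 'O', 'K',
	0x00, 0x1a, 0x00, 0x19, 0x00, 0x00, 0x1c, 0x20, 0x00, 0x00, 0x2a, 0x30,
	0x38, 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Constructed sample: status code option with length 0, then an unknown option. */
static const uint8_t sample_short_status[] = {
	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00, 0x1c, 0x20,
	0x00, 0x0d, 0x00, 0x00,
	0x00, 0xff, 0x00, 0x02, 0xaa, 0xbb
};

int
main(void)
{
	struct ia_pd_summary s;

	printf("well formed: %d\n", parse_ia_pd(sample_ok, sizeof(sample_ok), &s));
	printf("short status: %d\n",
	    parse_ia_pd(sample_short_status, sizeof(sample_short_status), &s));
	printf("flawed message length: %zu\n", status_msg_len_flawed(6, 0));
	return 0;
}
```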
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/03 12:06:15
Modified files:
regress/lib/libcrypto/certs: README
Log message:
cert regress: update README for tests 14a and 14b.
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/03 13:24:34
Modified files:
. : 79.html
Log message:
more changes from March
CVSROOT: /cvs
Module name: www
Changes by: matthieu@cvs.openbsd.org 2026/05/03 13:29:18
Modified files:
. : 79.html
Log message:
Mention XDG_RUNTIME_DIR addition.
CVSROOT: /cvs
Module name: www
Changes by: krw@cvs.openbsd.org 2026/05/03 14:46:42
Modified files:
. : 79.html
Log message:
Emphasize 7.9 is preparing for, not implementing, support of up to
52 partitions.
CVSROOT: /cvs
Module name: www
Changes by: benno@cvs.openbsd.org 2026/05/03 16:23:01
Modified files:
. : 79.html
Log message:
some more entries
CVSROOT: /cvs
Module name: src
Changes by: daniel@cvs.openbsd.org 2026/05/03 17:06:15
Modified files:
usr.bin/awk : awk.1
Log message:
awk(1): the flush function was added to POSIX.1-2024
Remove this function from the list of POSIX extensions.
ok millert@
CVSROOT: /cvs
Module name: www
Changes by: jsg@cvs.openbsd.org 2026/05/03 17:42:44
Modified files:
. : 79.html
Log message:
Inreased -> Increased
CVSROOT: /cvs
Module name: www
Changes by: dtucker@cvs.openbsd.org 2026/05/03 22:47:11
Modified files:
openssh : specs.html
Log message:
Add draft-josefsson-sshsig-format to supported specs; ok djm@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 01:33:22
Modified files:
sys/dev/fdt : rkpmic.c
Log message:
The RK806 can be connected over I2C as well.
ok dlg@, patrick@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 01:35:53
Modified files:
sys/dev/fdt : rkcomphy.c
Log message:
Add RK3576 support.
ok jmatthew@, dlg@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 02:00:27
Modified files:
sys/dev/fdt : rkclock.c rkclock_clocks.h
Log message:
Add support for OTP related and temperature sensor related clocks and
resets for the RK3576.
ok patrick@, dlg@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 02:02:05
Modified files:
sys/dev/fdt : files.fdt
Added files:
sys/dev/fdt : rkotp.c
Log message:
Add rkotp(4), a driver for reading the OTP fuses on Rockchip SoCs.
ok patrick@, dlg@
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 02:02:42
Modified files:
sys/arch/arm64/conf: GENERIC
Log message:
Enable rkotp(4).
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 02:04:21
Modified files:
sys/dev/fdt : rktemp.c
Log message:
Add RK3576 support.
ok patrick@, dlg@
CVSROOT: /cvs
Module name: src
Changes by: dtucker@cvs.openbsd.org 2026/05/04 04:57:24
Modified files:
regress/usr.bin/ssh: kbdint.sh
Log message:
Fix skip message.
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 06:52:57
Modified files:
sys/dev/fdt : rkvop.c
Log message:
Also support DRM_FORMAT_XRGB8888; this gets rid of some warnings.
ok jsg@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 07:49:07
Modified files:
regress/lib/libcrypto/x509: callback.c verify.c
Log message:
verify regress: allow setting verify depth and callback
This is pretty ugly and probably the vct should be handed down to
the verify_cert*() functions, but this works and doesn't make these
tests any uglier than they already are.
The callback regress was modified with a least effort approach.
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 07:52:39
Modified files:
regress/lib/libcrypto/x509: callback.c verify.c
Log message:
libcrypto: extend verify and callback regress
Add three more test variants for scenario 2a:
1) verify that a chain of length 3 validates with depth 2.
2) verify that a chain of length 3 fails to validate with depth 1.
3) verify that a chain of length 3 validates with depth 1 if we
allow the callback to override the depth.
Variant 3) fails in -current and reproduces a scenario reported
by kirill.
Also add two test variants for the scenarios in 14:
4): run the chain of length 32 with a yolo callback returning 1
5): run the chain of length 33 with a yolo callback returning 1
Test 5) fails because we currently bail out at the wrong depth.
The verify callback should allow overriding the failure and will
then hit the bounds check added in x509_verify.c r1.74 to avoid
an overwrite.
Reuse the existing test cases 2a and 14a/14b for this and add an
optional vct->desc that uniquely identifies the test case.
incorporates various feedback from jsing
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 07:55:20
Modified files:
lib/libcrypto/x509: x509_verify.c
Log message:
verifier: re-enable the callback override for depth
kirill reported that his nginx reverse proxy setup stopped working
with x509_verify.c r1.74 and r1.75. It turns out that nginx relies
on a verify callback that always returns 1.
In revision 1.74 we removed the possibility of the verify_cb() to
override X509_V_ERR_CERT_CHAIN_TOO_LONG, which is what breaks the
config in kirill's setup since it used to use the nginx default of
setting the depth to 1. Re-enable this to make the new scenario
"2a with depth 1 and depth callback" pass.
As shown by the other new test scenario "14b with yolo calback"
with a "just say yes" cb, the guard added in r1.74 still prevents
the overwrite.
This makes kirill's reproducer work as verified by kirill and myself.
It was also tested by kirill in the real life setup.
discussed with beck
ok jsing kenjiro
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 08:00:34
Modified files:
regress/lib/libcrypto/certs: README
Log message:
certs/README: fix previous: 14b should fail to verify
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 10:08:57
Modified files:
sys/dev/pci/drm: drm_bridge.c
sys/dev/pci/drm/include/drm: drm_bridge.h
Log message:
Unstub select_bus_fmt_recursive(). This fixes output on the HDMI port
on my firefly-rk3399.
ok jsg@
CVSROOT: /cvs
Module name: www
Changes by: volker@cvs.openbsd.org 2026/05/04 11:03:57
Modified files:
. : 79.html
Log message:
Mention Wayland 1.24.0 and compositors
CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2026/05/04 11:05:59
Modified files:
sys/nfs : nfs_serv.c
Log message:
Add checks for invalid dir count and max size for readdir/readdirplus.
A zero count or max size value is now rejected early instead of
relying on VOP_GETATTR to return an error. Also verify that the
max size after rounding up to a multiple of DIRBLKSIZ is positive.
A negative value would turn into a large allocation, causing the
malloc() to fail.
From an LLM bug report. With help from miod@ and kirill@.
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2026/05/04 11:34:57
Modified files:
usr.sbin/rpki-client: print.c
Log message:
When printing a CCR's ManifestState, sort the entries by AKI
Sorting this particular listing by AKI (instead of by hash of the
Manifest object) makes diffs between CCRs much more readable.
With & OK tb@
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2026/05/04 11:39:35
Modified files:
usr.sbin/rpki-client: ccr.c
Log message:
Explicitly check mostRecentUpdate on otherwise empty ManifestState
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 13:11:01
Modified files:
regress/lib/libcrypto/wycheproof: wycheproof.go
Log message:
wycheproof: go fmt
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 13:15:45
Modified files:
regress/lib/libcrypto/wycheproof: wycheproof.go
Log message:
wycheproof.go: simplify for loop
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 13:44:29
Modified files:
share/man/man4 : Makefile
Added files:
share/man/man4 : rkotp.4
Log message:
rkotp(4)
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 14:18:42
Modified files:
sys/arch/arm64/arm64: locore.S
Log message:
When running in VHE host mode, HCR_EL2.TGE must be set, as otherwise
a bunch of problems occur:
- EL0 is guest EL0, not host, and the kernel will catch fire on the
first ERET to EL0
- EL1 TLB invalidations target the guest, and not the host
Make sure that HCR_EL2.TGE is set, instead of relying on firmware
to have set it (when booting with UEFI, only the first CPU is
correctly configured).
From Marc Zyngier
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 14:21:02
Modified files:
sys/arch/arm64/arm64: locore.S
Log message:
Handle HCR_EL2.E2H RES1 behaviour
An implementation is allowed to make HCR_EL2.E2H RES1, which means
that the CPU behaves as if this bit was 1, even if it reads as 0
or can be written with 0.
While the architecture advertises this via ID_AA64MMFR4_EL1.E2H0,
hypervisors cannot always expose this to a guest if the hardware
doesn't implement FEAT_FGT.
Instead, detect the effects of HCR_EL2.E2H being RES1 by checking
for the aliasing property between accessors targeting the same
register (FAR_ELx in this case). This gives a reliable litmus test
for CPUs that are stuck in VHE mode.
From Marc Zyngier
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/04 14:43:42
Modified files:
sys/arch/arm64/dev: agtimer.c
sys/arch/arm64/include: armreg.h
Log message:
Pick the correct interrupt for the virtual timer if we're running in EL2.
Based on a diff from Marc Zyngier.
ok jsg@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/04 14:44:36
Modified files:
lib/libcrypto/mlkem: mlkem_internal.c
Log message:
mlkem: also zero the failure_key
from logan
https://github.com/libressl/openbsd/pull/154
CVSROOT: /cvs
Module name: src
Changes by: kenjiro@cvs.openbsd.org 2026/05/04 21:32:46
Modified files:
usr.bin/openssl: speed.c
Log message:
openssl: centralize speed benchmark timer handling
The speed benchmark currently arms alarm() from print_message() and
pkey_print_message(), making the output helpers also control benchmark
lifetime. This hidden coupling makes the code harder to maintain and led to
missing alarm cleanup on Windows, as reported in #1245.
Move alarm setup and run-state initialization into speed-specific timer
helpers so benchmark timing is controlled explicitly at the start and stop
points.
ok tb joshua
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2026/05/04 23:34:27
Modified files:
usr.bin/ssh : channels.h
Log message:
classify dynamic-tcpip channels as bulk, not interactive;
bz3958, ok markus@
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2026/05/05 00:21:14
Modified files:
usr.bin/ssh : channels.h
Log message:
unbreak; spotted by Darren's test army
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 02:26:50
Modified files:
usr.sbin/bgpd : rde_rib.c
Log message:
Re-evaluate prefixes if just PREFIX_FLAG_FILTERED changed
With the introduction of 'rde rib Loc-RIB include filtered' it is possible
that prefixes change from filtered to unfiltered state during a filter
reload. In that case prefix_update() takes a shortcut path since no other
attributes change and that path is missing a call to prefix_evaluate().
Add the missing prefix_evaluate() call in this codepath so that prefixes
are correctly redistributed in that case.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 02:37:45
Modified files:
usr.sbin/bgpd : rde_attr.c
Log message:
Prevent overflow of the uint8_t length value in attr_optadd.
bin_of_attrs() jumps from 240 to 256 elements but the length of the
others attributes array is limited to a uint8_t type and overflows.
Switch type of the local length value to int and make sure that the
maximum length of UCHAR_MAX is not exceeded.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 03:12:04
Modified files:
usr.sbin/bgpd : util.c bgpd.h
Log message:
Limit all forms of ASPATH attributes to 750 elements
Having super long ASPATH attributes can lead to various issues including
attribute length overflows. Especially the transformation of 2-byte ASPATH
attributes to 4-byte ones can trigger overflows. Because of this limit the
number and therefore the maximum size of an ASPATH.
Our default config has a limit of 100 elements on paths. That limit is
already much larger than what is seen in the DFZ (max ~20). The limit of
750 is again much larger and is really just a safeguard.
OK tb@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 03:12:41
Modified files:
usr.sbin/bgpd : version.h
Log message:
Bump version to 9.2
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2026/05/05 03:23:06
Modified files:
sbin/iked : ikev2.c
Log message:
check address size; from markus via millert
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/05 03:29:16
Modified files:
usr.sbin/rpki-client: ccr.c
Log message:
rpki-client: convert ccr.c to ASN1_BIT_STRING_set1()
This becomes slightly simpler and more correct with this change.
In particular, this now makes sure that the unused bits are set
to 0 as required by the DER.
ok claudio job
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/05 03:33:15
Modified files:
usr.sbin/rpki-client: ip.c mft.c
Log message:
rpki-client: convert ip.c and mft.c to ASN1_BIT_STRING_get_length()
This isn't the greatest of APIs, but we're going to be stuck with it
since better APIs depend on libcrypto not doing the implicit truncation
nonsense, which only OpenSSL 4 and BoringSSL dropped by now.
Some of the error checks become now unreachable. This will be cleaned
up another time.
ok claudio job
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/05/05 04:23:06
Modified files:
sys/dev/pci/drm/include/linux: xarray.h
Log message:
add parentheses around use of a macro argument
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/05 04:23:27
Modified files:
sys/dev/fdt : rkclock.c rkclock_clocks.h rkrng.c
Log message:
Add RK3576 support.
ok dlg@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 05:40:02
Modified files:
usr.sbin/ldpd : address.c
Log message:
Ensure that alt_len includes at least the size of alt.family member
to ensure that the parser is not going off the rails.
OK renato@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 05:42:56
Modified files:
usr.sbin/ldpd : labelmapping.c
Log message:
Unlike all other TLV encodings in ldp the sub-tlv includes the header size
in its length. Therefore check that the size is at least that of the header.
OK renato@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 05:44:27
Modified files:
usr.sbin/ldpd : notification.c
Log message:
Fix minimal length check for notification status messages.
Found while reviewing all the length checks in ldpd.
OK renato@
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2026/05/05 05:46:18
Modified files:
usr.sbin/eigrpd: packet.c
Log message:
In eigrp the TLV encoding includes the header length in the length encoding.
So check that the minimal length is at least that of the TLV header.
OK renato@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/05 06:02:12
Modified files:
usr.bin/tmux : control.c
Log message:
Discard queued data and clear offsets when turning pane off to prevent
later read of data that has been removed. From Aaron Campbell in GitHub
issue 5054.
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/05 06:06:52
Modified files:
usr.bin/tmux : screen.c
Log message:
Add missing flags to screen_mode_to_string and do not write before
before if any are missed, second bit from qingliu at alauda dot io.
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2026/05/05 06:28:59
Modified files:
sys/kern : kern_time.c
Log message:
Use the correct struct itimerval when recording the old value for ktrace.
This fixes a potential information leak from an uninitialized stack
variable.
Found by Frank Denis using the Swival Security Scanner.
ok deraadt@
CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2026/05/05 06:56:12
Modified files:
regress/lib/libcrypto/wycheproof: Makefile
Log message:
wycheproof: add regress target to ensure proper go formatting
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2026/05/05 07:00:00
Modified files:
sys/kern : kern_pledge.c
Log message:
Frank Denis using the Swival Security Scanner concludes that
kill(0,sig) should not be allowed because of a source code comment.
Actually, kill of the default pgid 0 MUST be allowed or large amounts
of userland software won't work. What pledge prevents is playing with
other process groups (ie. -pid where pid is not 0) which require
permission from the "proc" pledge. Killing the default pgrp 0 is a
common way for privsep (and other) software to tear itself down its
process trees, for cases where a pipe read of 0 doesn't work.
The current behaviour is intentional, and the proposed diff was not
considered nor tested for consequences.
Change the comment very subtly to see which AI/human collaboration fails next.
CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2026/05/05 07:01:42
Modified files:
usr.bin/rdistd : server.c
Log message:
correct bounds test
found with smatch, ok tb@ deraadt@
CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2026/05/05 07:18:46
Modified files:
usr.bin/tmux : screen.c tmux.h
Log message:
Do not sanitize title when popping it from stack, also add a limit to
number of pushed titles.
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2026/05/05 08:01:56
Modified files:
sys/kern : vfs_syscalls.c
Log message:
When I added UF_PLEDGEOPEN in the sys_fchflags() chunk I mistakenly
used the wrong vnode operation.
spotted by Frank Denis using the Swival Security Scanner
ok claudio