openssh: Install libssh.so in /usr/lib/private.
This way it doesn't get exposed to applications accidentally, and we
don't need to worry about breaking ABI when updating openssh in base.
PR lib/58648: private shared libraries should go in /usr/lib/private,
not /usr/lib

Add logic for /usr/lib/private libraries.
New variables for makefiles to define:
<bsd.lib.mk> LIBSUBDIR -- If nonempty, install library into
  ${LIBDIR}/${LIBSUBDIR} instead of ${LIBDIR}. Typically set
  either to empty or to `private'.
<bsd.lib.mk> LIBDPSUBDIRS -- List of subdirectories _subdir_ to add
  -L${SHLIBDIR}/${_subdir_} -Wl,-R${SHLIBDIR}/${_subdir_} to
  ldflags when linking library. Note: Should only be used inside
  private libraries, not inside public libraries to link against
  private libraries, which can't work -- see comment.
<bsd.prog.mk> PROGDPSUBDIRS -- List of subdirectories _subdir_ to add
  -L${SHLIBDIR}/${_subdir_} -Wl,-R${SHLIBDIR}/${_subdir_} to
  ldflags when linking program.
(XXX bsd.lib.mk/bsd.prog.mk should figure LIBDPSUBDIRS/PROGDPSUBDIRS
[25 lines not shown]

crunchgen(1): Implement -L <lib-dir> option for real.
Pass it through via LDADD in the generated .mk output, before any -l
options.
The original logic -- which was disabled in 2001, apparently by
accident -- had a default libdir of /usr/lib. But it didn't do
anything with that string, so removing it as a default doesn't change
anything. But the linker doesn't need us to specify that path anyway
(and it would really have to be -L=/usr/lib rather than -L/usr/lib,
whereas we want -L/path/to/obj/lib/libfoo without the `=').
PR toolchain/59841: crunchgen(1) ignores -L argument
Will be needed for:
PR lib/58648: private shared libraries should go in /usr/lib/private,
not /usr/lib

[Prereq for PR bin/58609] Add EL_GETENV to libedit
When interacting with the shell, and perhaps other applications,
editline needs to obtain the values of some environment variables.
Normally getenv(3) does that - but that doesn't work when being
used in sh(1) as getenv() simply accesses the environment as it
was when sh(1) was invoked - after that, in sh anyway, that
environment is simply abandoned (well, kind of) - but certainly
no changes made by the shell will be reflected there.
To allow editline to obtain current values of environment
variables, add a new el_set()/el_get() "op" parameter value,
which can be used to instruct editline which function to use
for the purpose. That is EL_GETENV.
This is part of a (long pending, awaiting testing) fix for
PR bin/58609 - but I'm getting tired of having it sitting uncommitted
in my source tree - and I think this part is self-contained,
and simple enough, to simply commit.

Eliminate recursive dependency on <sys/bswap.h> in MD <byte_swap.h>
On certain NetBSD archs, it isn't possible to include <sys/bswap.h>
directly without including <sys/endian.h> first. This has been
broken since at least before netbsd-10, but recent changes elsewhere
have made this problem more visible for some reason.
Fix this by not including <sys/types.h>, eliminating recursive
inclusion - <sys/types.h> includes <machine/endian.h>. It would
be nice to remove that line from types.h, since it's no longer
necessary, but currently the kernel assumes that <sys/endian.h> is
included from <sys/types.h> in various places (and possibly userspace
software does too).
For now we can take the less dangerous option by avoiding
including <sys/types.h> from these bswap headers. They don't need the
full header, and applications that assume transclusion aren't portable
anyway, since architectures like sparc64 don't include <sys/types.h>
via <sys/bswap.h>.
[2 lines not shown]

uriparser: update to 1.0.0.
Security fix release.
2025-12-15 -- 1.0.0
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
* Fixed: [CVE-2025-67899]
Protect from stack overflow during parsing by dissolving all 13 cases
of recursion, both direct and indirect. The attack vector was long
(or crafted) URI input. The known impact is denial of service or more.
Thanks for the report to Sergey Svistunov!
Thanks for in-depth review to Tim Düsterhus! (sponsored by Tideways GmbH)
Thanks for C callgraph tool "egypt" (https://www.gson.org/egypt/)
to Andreas Gustafsson and for "dot_find_cycles.py" to Jason Antman!
(GitHub #282, GitHub #284)
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
* Changed: Start requiring a C99 compiler (GitHub #264, GitHub #273)
* Changed: Require CMake >=3.15.0 (GitHub #270)
[53 lines not shown]

pngcheck: update to 4.0.1.
4.0.1
This release builds on version 4.0.0 with the following improvements:
New Features
* Added support for Content Credentials caBX chunk from PNG Fourth Edition
* Added support for Apple iDOT chunk (now registered)
* Added cICP autodetect for BT.601 PAL, SECAM and NTSC
* Added validation that cICP chunk must accompany the use of mDCV
Build System Improvements
* Added GitHub Actions CI for CMake and Make builds on Ubuntu, macOS, and Windows
* Required zlib library as a non-optional dependency
* Auto-detect Windows platform without requiring the WIN32 macro
* Imported the wildargs library for automatic wildcard argument expansion on Windows
[23 lines not shown]

shells/fish: fix build
Disable dynamic linking against pkgsrc pcre2, otherwise fish fails the
runtime library search path check.
This will be reported upstream.

py-dnslib: Import py-dnslib-0.9.26
A library to encode/decode DNS wire-format packets supporting both
Python 2.7 and Python 3.2+.
The library provides:
* Support for encoding/decoding DNS packets between wire format,
python objects, and Zone/DiG textual representation (dnslib.dns)
* A server framework allowing the simple creation of custom DNS
resolvers (dnslib.server) and a number of example servers
created using this framework
* A number of utilities for testing (dnslib.client, dnslib.proxy,
dnslib.intercept)