OpenBSD/src cCnXAHy usr.sbin/vmd config.c parse.y

   vmd(8): remove config parsing TOCTOU with disk parsing.

   When vmd parses vm.conf, it's inspecting any provided disk images
   to determine the disk format (raw or qcow) if left unspecified.
   This is a big TOCTOU because nothing prevents these files from
   changing between vmd startup and vm launch.

   This change defers detection to vm launch time and tracks the disk
   format as an enum instead of an int to make things more interpretable.

   ok hshoexer@
Version    Delta      File
1.81       +34-7      usr.sbin/vmd/config.c
1.74       +11-29     usr.sbin/vmd/parse.y
1.137      +12-11     usr.sbin/vmd/virtio.c
1.146      +9-7       usr.sbin/vmd/vmd.h
1.28       +7-4       usr.sbin/vmd/vioblk.c
1.62       +2-1       usr.sbin/vmd/virtio.h
           +75-59     6 files

OpenBSD/ports maHxvbd graphics/tiff Makefile, graphics/tiff/patches patch-libtiff_tif_jpeg_c

   backport fix for an issue creating tiled 12-bit JPEGs, triggered by a recent
   change in libjpeg-turbo.  ok tb naddy
Version    Delta      File
1.5        +24-121    graphics/tiff/patches/patch-libtiff_tif_jpeg_c
1.113      +1-1       graphics/tiff/Makefile
           +25-122    2 files

OpenBSD/ports cvKWfh4 graphics/tiff Makefile, graphics/tiff/patches patch-libtiff_tif_getimage_c patch-libtiff_tif_dirwrite_c

   graphics/tiff: fix integer overflows leading to heap overflows

   CVE-2026-4775
   https://gitlab.com/libtiff/libtiff/-/commit/782a11d6

   Further fixes
   https://gitlab.com/libtiff/libtiff/-/commit/67713aae

   ok tb@ sthen@
Version    Delta      File
1.19       +39-257    graphics/tiff/patches/patch-libtiff_tif_getimage_c
1.3        +42-63     graphics/tiff/patches/patch-libtiff_tif_dirwrite_c
1.3        +15-14     graphics/tiff/patches/patch-libtiff_tif_print_c
1.112      +1-1       graphics/tiff/Makefile
           +97-335    4 files

OpenBSD/ports V86q3ZS wayland/xwayland distinfo Makefile

   Update to Xwayland 24.1.10

   This release contains the fixes for the following issues:
   * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
   * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
   * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
   * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
   * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()

   Additionally, it contains a number of other various fixes from the stable
   xwayland-24.1 branch
Version    Delta      File
1.12.2.1   +2-2       wayland/xwayland/distinfo
1.18.2.1   +1-1       wayland/xwayland/Makefile
           +3-3       2 files

OpenBSD/ports qtFDMzd wayland/xwayland distinfo Makefile

   Update to Xwayland 24.1.10

   This release contains the fixes for the following issues:
      * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
      * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
      * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
      * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
      * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()

   Additionally, it contains a number of other various fixes from the stable
   xwayland-24.1 branch
Version    Delta      File
1.14       +2-2       wayland/xwayland/distinfo
1.20       +1-1       wayland/xwayland/Makefile
           +3-3       2 files

OpenBSD/ports KEyyLia editors/vim-classic Makefile distinfo

   drop back to commit before 147722bb which introduced breakage with some build
   options (including python3)
Version    Delta      File
1.12       +2-2       editors/vim-classic/Makefile
1.7        +2-2       editors/vim-classic/distinfo
           +4-4       2 files

OpenBSD/ports JFR5Mah wayland/fuzzel Makefile

   wayland/fuzzel: Fix License comment

   fuzzel is MIT licensed
Version    Delta      File
1.3        +1-1       wayland/fuzzel/Makefile
           +1-1       1 files

OpenBSD/src 77Lz6Kq usr.sbin/tcpdump privsep.c

   Clear the pointer in tm data structures before passing them to
   unprivileged side. Prevents address information leak.

   Reported by Systopia Team, thanks!

   ok deraadt@ (for the previous version).
Version    Delta      File
1.60       +9-6       usr.sbin/tcpdump/privsep.c
           +9-6       1 files

OpenBSD/ports VubMJfz databases/timescaledb distinfo Makefile, databases/timescaledb/pkg PLIST

   update to timescaledb-2.26.2, from Mark Patruck, looks good to maintainer
   (this is the version that was tested with the zabbix update that went in
   a few days ago)
Version    Delta      File
1.31       +4-4       databases/timescaledb/distinfo
1.37       +2-2       databases/timescaledb/Makefile
1.32       +3-0       databases/timescaledb/pkg/PLIST
           +9-6       3 files

OpenBSD/ports X6w7f0i sysutils/ansible-runner Makefile distinfo

   update to ansible-runner-2.4.3, from Mikolaj Kucharski (maintainer)
   plus add missing RDEP and TDEPs
Version    Delta      File
1.3        +10-2      sysutils/ansible-runner/Makefile
1.3        +2-2       sysutils/ansible-runner/distinfo
           +12-4      2 files

OpenBSD/ports 3WkaQ6o security/openssl/4.0 Makefile distinfo, security/openssl/4.0/pkg PLIST

   Update to OpenSSL 4.0.0

   The 00: printing still is the most important thing. Rest mostly the same
   as in the beta.

   https://github.com/openssl/openssl/releases/tag/openssl-4.0.0
Version    Delta      File
1.4        +2-2       security/openssl/4.0/Makefile
1.2        +2-2       security/openssl/4.0/distinfo
1.2        +2-0       security/openssl/4.0/pkg/PLIST
           +6-4       3 files

OpenBSD/ports ZimmRvZ net/monitoring-plugins Makefile distinfo, net/monitoring-plugins/patches patch-plugins_check_disk_c patch-plugins_check_snmp_c

   update to monitoring-plugins-3.0.0rc3, from Alvar Penning, + tweak to pkgnames
Version    Delta      File
1.5        +1-24      net/monitoring-plugins/patches/patch-plugins_check_disk_c
1.58       +2-3       net/monitoring-plugins/Makefile
1.16       +2-2       net/monitoring-plugins/distinfo
1.2        +2-2       net/monitoring-plugins/patches/patch-plugins_check_snmp_c
1.3        +1-1       net/monitoring-plugins/patches/patch-plugins_Makefile_am
           +8-32      5 files

OpenBSD/xenocara 07hkFfo . MODULES

   update
Version    Delta      File
1.556      +2-2       MODULES
           +2-2       1 files

OpenBSD/ports PgT25Dw lang/go go.port.mk

   Bump _MODGO_SYSTEM_VERSION for lang/go update.
Version    Delta      File
1.99       +1-1       lang/go/go.port.mk
           +1-1       1 files

OpenBSD/ports E8Wu17F lang/go distinfo Makefile, lang/go/pkg PLIST

   Update lang/go to 1.26.2.

   ok naddy@
Version    Delta      File
1.96       +18-0      lang/go/pkg/PLIST
1.118      +2-2       lang/go/distinfo
1.178      +1-1       lang/go/Makefile
           +21-3      3 files

OpenBSD/src VQLI8d0 usr.sbin/vmd virtio.c vmm.c

   vmd(8): zero potential heap pointers before IPC.

   vmd sends two large structs over an ipc socket after fork+exec:
   vmd_vm and virtio_dev.

   Both have heap pointers from being put in TAILQs in the parent
   process and both carry some used for setting up imsg event channels.
   Zero all these things before send to be safe and not leak details
   on the parent's address space.

   Issue raised by Systopia Team.

   ok hshoexer@
Version    Delta      File
1.136      +22-6      usr.sbin/vmd/virtio.c
1.137      +15-4      usr.sbin/vmd/vmm.c
1.173      +1-2       usr.sbin/vmd/vmd.c
           +38-12     3 files

OpenBSD/xenocara FmMjbJl xserver/miext/sync misync.c, xserver/xkb xkb.c

   Merge fixes from upstream for multiple Xserver issues:
   * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
   * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
   * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
   * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
   * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
   from matthieu@

   this is errata/7.7/034_xserver.patch.sig
Version    Delta      File
1.26.2.2   +79-19     xserver/xkb/xkb.c
1.6.16.1   +12-6      xserver/miext/sync/misync.c
           +91-25     2 files

OpenBSD/xenocara Hz2gKKi xserver/miext/sync misync.c, xserver/xkb xkb.c

   Merge fixes from upstream for multiple Xserver issues:
   * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
   * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
   * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
   * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
   * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
   from matthieu@

   this is errata/7.8/028_xserver.patch.sig
Version    Delta      File
1.26.4.2   +79-19     xserver/xkb/xkb.c
1.6.24.1   +12-6      xserver/miext/sync/misync.c
           +91-25     2 files

OpenBSD/xenocara PCiGqw0 xserver/miext/sync misync.c, xserver/xkb xkb.c

   Merge fixes from upstream for multiple Xserver issues:
    * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()
    * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom()
    * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence()
    * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap()
    * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes()
Version    Delta      File
1.28       +79-19     xserver/xkb/xkb.c
1.7        +12-6      xserver/miext/sync/misync.c
           +91-25     2 files

OpenBSD/ports kLhf6td graphics/jpeg Makefile, graphics/jpeg/patches patch-simd_CMakeLists_txt

   Tweak cmake files to avoid build errors on archs without SIMD support

   This is nicer than hardcoding in the port a list of archs with/without
   SIMD.  Add an url to this 3.1.x-specific fix, master has more changes
   in this area.

   Prompted by a diff from matthieu@, ok tb@
Version    Delta      File
1.1        +14-0      graphics/jpeg/patches/patch-simd_CMakeLists_txt
1.91       +0-3       graphics/jpeg/Makefile
           +14-3      2 files

OpenBSD/ports zeK7Upn www/webkitgtk4 distinfo Makefile, www/webkitgtk4/patches patch-Source_JavaScriptCore_runtime_MathCommon_cpp patch-Source_cmake_OptionsCommon_cmake

   Update to webkitgtk{41,60}-2.52.2.
Version    Delta      File
1.4        +7-35      www/webkitgtk4/patches/patch-Source_JavaScriptCore_runtime_MathCommon_cpp
1.145      +2-2       www/webkitgtk4/distinfo
1.28       +1-1       www/webkitgtk4/patches/patch-Source_cmake_OptionsCommon_cmake
1.22       +1-1       www/webkitgtk4/patches/patch-Source_cmake_WebKitFeatures_cmake
1.8        +1-1       www/webkitgtk4/patches/patch-Source_WebCore_CMakeLists_txt
1.256      +1-1       www/webkitgtk4/Makefile
           +13-41     2 files not shown
           +13-41     8 files

OpenBSD/src jsGNE6L usr.bin/tmux format.c

   Do not leak old time format if it is replaced in same format.
Version    Delta      File
1.359      +4-2       usr.bin/tmux/format.c
           +4-2       1 files

OpenBSD/ports uzPrG6G lang/python/3/patches patch-Modules_pyexpat_c patch-Lib_webbrowser_py, lang/python/3/pkg PLIST-tests

   Update to Python 3.13.13, ok kmos sthen

   https://www.python.org/downloads/release/python-31313/

   Apply the fixes for CVE-2026-6100 (also ok kmos sthen) and on top of this
   pull in an additional missing bit in the fix for CVE-2026-4519.
Version    Delta      File
1.3        +1-61      lang/python/3/patches/patch-Modules_pyexpat_c
1.1        +28-0      lang/python/3/patches/patch-Lib_webbrowser_py
1.12       +15-11     lang/python/3/pkg/PLIST-tests
1.1        +26-0      lang/python/3/patches/patch-Lib_test_test_webbrowser_py
1.1        +21-0      lang/python/3/patches/patch-Modules_zlibmodule_c
1.1        +21-0      lang/python/3/patches/patch-Modules__bz2module_c
           +112-72    9 files not shown
           +141-80    15 files

OpenBSD/ports HKWWaLL www/libmicrohttpd Makefile distinfo, www/libmicrohttpd/patches patch-src_include_microhttpd_h

   update to libmicrohttpd-1.0.4
Version    Delta      File
1.1        +12-0      www/libmicrohttpd/patches/patch-src_include_microhttpd_h
1.18       +2-2       www/libmicrohttpd/Makefile
1.14       +2-2       www/libmicrohttpd/distinfo
           +16-4      3 files

OpenBSD/ports 7NX03UR devel/py-virtualenv distinfo Makefile, devel/py-virtualenv/pkg PLIST

   update to py3-virtualenv-21.2.3
Version    Delta      File
1.61       +2-2       devel/py-virtualenv/distinfo
1.95       +1-2       devel/py-virtualenv/Makefile
1.62       +1-1       devel/py-virtualenv/pkg/PLIST
           +4-5       3 files

OpenBSD/ports aAhjxrO devel/py-zipp distinfo Makefile

   update to py3-zipp-3.23.1
Version    Delta      File
1.5        +2-2       devel/py-zipp/distinfo
1.14       +2-1       devel/py-zipp/Makefile
           +4-3       2 files

OpenBSD/ports TcwtCYF devel/py-jaraco-test Makefile

   add missing RDEP on python,-tests
Version    Delta      File
1.4        +3-1       devel/py-jaraco-test/Makefile
           +3-1       1 files

OpenBSD/ports tRkljuP geo/geoclue2 distinfo Makefile

   Update to geoclue2-2.8.1.
Version    Delta      File
1.25       +2-2       geo/geoclue2/distinfo
1.61       +1-2       geo/geoclue2/Makefile
           +3-4       2 files

OpenBSD/ports ckI9xaZ sysutils/terragrunt distinfo modules.inc

   Update to terragrunt-1.0.1.
Version    Delta      File
1.388      +314-342   sysutils/terragrunt/distinfo
1.106      +118-131   sysutils/terragrunt/modules.inc
1.395      +1-1       sysutils/terragrunt/Makefile
           +433-474   3 files

OpenBSD/src udxOVrt usr.bin/tmux popup.c

   If job_run fails, do not crash but instead free the popup.
Version    Delta      File
1.67       +27-16     usr.bin/tmux/popup.c
           +27-16     1 files