BSD Commit Log Search

   Send illegal parameter alerts for various HelloRetryRequest violations.

   Be more RFC compliant and send illegal parameter alerts when the client
   receives a HelloRetryRequest that requests a group that we did not offer
   or a group that we sent a key share for in the ClientHello. These were
   annotated as missing, but not previously implemented.

   Prompted by a report from the tlspuffin team.

   ok tb@

   shells/atuin: update to 18.16.1

   Improve renegotation regress.

   Include coverage of Renegotiation Indication and legacy connection
   handling.

   Mop up SSL_CTX_set_options(3).

   SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
   SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL
   Delete the entire "SECURE RENEGOTIATION" section that contained ancient
   ramblings.

   ok beck@ tb@

   Remove SSL_OP_LEGACY_SERVER_CONNECT from default options.

   Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
   SSL_OP_ALL define. This means that we will now refuse to connect to a
   TLSv1.2 server if it does not support the Renegotiation Indication (RI)
   extension. This prevents a class of attacks against TLS clients that are
   talking to TLSv1.2-only servers that permit client initiated renegotiation.

   Raised by Lucca Hirschi et al from Inria.

   ok beck@ tb@

   editors/jmigpin-editor: update to 3.13

   www/dufs: remove unexpected output from crates.inc

   pointed by espie@

   no build changes

   cargo-module.5: document more variables

   From Andrew Kloet andrew kloet.net

   Update to rocksndiamonds-4.4.2.1.

   devel/sbt: update to 1.12.12

   Update tig to 2.6.1.

   update to xsettingsd-1.0.4

   update to yle-dl-20260520, from Timo Myyra (maintainer)

   update to 26.2.4.2

   lang/gcc/16: added i386 bootstrap; updated plist for i386

   Remove oxygen Qt5/KDE5 support

   Remove USE_WXNEEDED, qtwebengine is no longer used

   Fix typo and remove min mlt version

   Typo spotted by espie@, thanks

   Add README to build in-house providers.

   Drop maintainer, I have moved to opentofu.

   lang/gcc/11: added new i386 bootstrap; explain that it required for dlang

   drop junk variables (renamed to "comment out" while checking if they're still
   needed during the update). spotted by espie.

   relayd: drain OpenSSL error queue on TLS failures

   Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
   and lose the actual reason.

   Wire ssl_error() into ca_engine_init(), which also kills a dead
   RSA_meth_free() on a NULL pointer there, and into ssl_load_key()s fail
   path.

   Tweaks and OK tb

   relayd: remove from and toptr to simplify

   feedback and OK claudio

   relayd: use ibuf_get_string() and ibuf_get_data() to read imsg payloads

   Drop the local get_string() and read variable-length string and binary
   payloads through the ibuf getters instead of the raw imsg->data pointer.

   ibuf_get_string() no longer trims the input at the first non-printable
   byte like the old get_string() did; the payloads come from the parent
   over privsep imsg.

   idea and ok claudio

   fix knfmt

   Check error in proc_forward_imsg

   relayd: read parent_dispatch_pfe() payloads via the imsg getters

   Use imsg_get_data() for the fixed-size messages and imsg_get_ibuf() for
   the variable-length IMSG_CTL_RELOAD path, taking the config name from
   the ibuf via ibuf_data()/ibuf_size().

   Remove IMSG_SIZE_CHECK and IMSG_DATA_SIZE, no consumer left.


   OK claudio

   misc/brltty: update to 6.9.1

   with and ok volker@

   relayd: use imsg_get_ibuf() for variable-length CA key operations

   The IMSG_CA_PRIVENC/PRIVDEC messages carry a ctl_keyop header followed
   by cko_flen (request) or cko_tlen (response) trailing bytes, so the
   exact-size imsg_get_data() cannot be used. Read the header with
   imsg_get_ibuf() + ibuf_get() and take the payload from the same ibuf
   via ibuf_data()/ibuf_size().

   Tweaks (in a different commit) and OK claudio