OpenBSD/src c0m33fesbin/dhcp6leased engine.c

   Make sure replies contain the expected server-id.

   We only speak to and expect an answer from a specific server when we
   are requesting or renewing a lease. In all other case we accept an
   answer from any server.

   Pointed out by Clouditera Security.
   OK tb
VersionDeltaFile
1.39+11-1sbin/dhcp6leased/engine.c
+11-11 files

OpenBSD/src eXw6y3Osbin/dhcp6leased engine.c

   Make sure we received a client identifier.

   Pointed out by Clouditera Security.
   OK tb
VersionDeltaFile
1.38+8-1sbin/dhcp6leased/engine.c
+8-11 files

OpenBSD/src 4i24SVtsbin/dhcp6leased engine.c

   Make sure the message belongs to the current transaction.

   Pointed out by Clouditera Security.
   OK tb
VersionDeltaFile
1.37+11-1sbin/dhcp6leased/engine.c
+11-11 files

OpenBSD/ports eeyrtpRlang/deno distinfo Makefile, lang/deno/patches patch-cli_lib_rs patch-runtime_js_99_main_js

   lang/deno: Update to 2.9.3
VersionDeltaFile
1.6+5-5lang/deno/patches/patch-cli_lib_rs
1.53+4-4lang/deno/distinfo
1.8+1-1lang/deno/patches/patch-runtime_js_99_main_js
1.68+1-1lang/deno/Makefile
1.53+1-1lang/deno/crates.inc
1.6+1-1lang/deno/patches/patch-ext_node_lib_rs
+13-136 files

OpenBSD/ports u98AATXwww/chromium distinfo, www/chromium/patches patch-chrome_browser_about_flags_cc patch-BUILD_gn

   update to 150.0.7871.124
VersionDeltaFile
1.158+35-35www/chromium/patches/patch-chrome_browser_about_flags_cc
1.100+10-10www/chromium/patches/patch-BUILD_gn
1.7+5-5www/chromium/patches/patch-ui_ozone_platform_wayland_host_wayland_frame_manager_cc
1.68+4-4www/chromium/patches/patch-third_party_blink_renderer_platform_runtime_enabled_features_json5
1.483+4-4www/chromium/distinfo
1.119+3-3www/chromium/patches/patch-content_browser_browser_main_loop_cc
+61-613 files not shown
+65-659 files

OpenBSD/ports 9aG4otWdevel/uthash distinfo Makefile, devel/uthash/patches patch-tests_Makefile

   Update uthash to 2.4.0.
VersionDeltaFile
1.16+2-2devel/uthash/distinfo
1.13+2-2devel/uthash/patches/patch-tests_Makefile
1.23+1-1devel/uthash/Makefile
+5-53 files

OpenBSD/src BJPUnTolib/libssl ssl_clnt.c

   Check that the server selected ciphersuite is valid for use with TLSv1.2.

   In the legacy stack, ensure that the server selected ciphersuite is valid
   for use with TLSv1.2 - this effectively means that it is not a TLSv1.3
   ciphersuite. We currently fail the handshake, but at a later stage.

   Reported by Tom Gouville from the tlspuffin team.

   ok tb@
VersionDeltaFile
1.175+9-0lib/libssl/ssl_clnt.c
+9-01 files

OpenBSD/src DADnnFcusr.sbin/mrouted vif.c

   mrouted(8) logs errno message when ioctl(2) fails.

   from Russell Howe
VersionDeltaFile
1.17+1-2usr.sbin/mrouted/vif.c
+1-21 files

OpenBSD/src uXHmwNBsys/kern kern_exit.c

   When signaling untraced processes with a SIGKILL check the right process
   for PS_EXITING.

   Fix for the sys/kern/ptrace regress hangs.
   OK kettenis@
VersionDeltaFile
1.254+2-2sys/kern/kern_exit.c
+2-21 files

OpenBSD/src ikhrfdLusr.bin/tmux server-client.c

   Small section missed from previous.
VersionDeltaFile
1.494+31-4usr.bin/tmux/server-client.c
+31-41 files

OpenBSD/src KhaMdCnlib/libssl ssl_clnt.c

   Remove check for use of TLSv1.2 ciphersuites with TLSv1.1 and earlier.

   We no longer negotiate any TLS version lower than TLSv1.2, so this is now
   redundant.

   ok tb@
VersionDeltaFile
1.174+1-9lib/libssl/ssl_clnt.c
+1-91 files

OpenBSD/src wUNaOB6distrib/special/libstubs Makefile, lib/libc/hash sha512.c sha256.c

   Replace SHA-256 and SHA-512 implementations in libc.

   Replace the existing SHA-256 and SHA-512 implementations in libc with
   versions that leverage some of the recent code in libcrypto. The existing
   API is retained, along with reuse of the existing SHA2_CTX definitions.

   These versions use static inline functions instead of macros and spell
   out the full variable rotations to follow the specification, rather than
   trying to outsmart the compiler.

   This also gives us a basis to provide per-architecture accelerated
   implementations, based on those in libcrypto.

   ok naddy@ tb@
VersionDeltaFile
1.1+515-0lib/libc/hash/sha512.c
1.1+455-0lib/libc/hash/sha256.c
1.4+8-1lib/libc/hidden/sha2.h
1.27+4-3distrib/special/libstubs/Makefile
1.26+2-2lib/libc/hash/Makefile.inc
1.29+1-1lib/libc/hash/sha2.c
+985-76 files

OpenBSD/src m5RK7SXusr.bin/tmux window.c spawn.c

   Add modal panes, created currently with new-pane -O. There is one modal
   pane per window and it must be a floating pane. These are intended to
   replace popups. Currently a modal pane will unzoom a zoomed window and
   rezoom it when it is closed (a bit like modes do), but this is planned
   to change when we get an always-on-top flag.
VersionDeltaFile
1.364+92-2usr.bin/tmux/window.c
1.49+29-4usr.bin/tmux/spawn.c
1.405+30-1usr.bin/tmux/format.c
1.145+19-5usr.bin/tmux/cmd-split-window.c
1.72+17-5usr.bin/tmux/cmd-join-pane.c
1.493+11-4usr.bin/tmux/server-client.c
+198-217 files not shown
+240-3313 files

OpenBSD/ports 0KskfKrsysutils/ansible distinfo Makefile, sysutils/ansible/pkg PLIST

   Update ansible 14.1.0 -> 14.2.0
   Changelog: https://github.com/ansible-community/ansible-build-data/blob/14.2.0/14/CHANGELOG-v14.md#v14-2-0
VersionDeltaFile
1.109+161-14sysutils/ansible/pkg/PLIST
1.167+2-2sysutils/ansible/distinfo
1.224+1-1sysutils/ansible/Makefile
+164-173 files

OpenBSD/src qU14wywusr.bin/tmux window-buffer.c window-customize.c

   Clear the "waiting for editor" area before writing so stray characters
   aren't visible from underneath.
VersionDeltaFile
1.51+3-1usr.bin/tmux/window-buffer.c
1.35+3-1usr.bin/tmux/window-customize.c
+6-22 files

OpenBSD/ports LjWDmlTsysutils/ansible-core distinfo Makefile, sysutils/ansible-core/pkg PLIST

   Update ansible-core 2.21.1 -> 2.21.2
   Changelog: https://github.com/ansible/ansible/blob/stable-2.21/changelogs/CHANGELOG-v2.21.rst#v2-21-2
VersionDeltaFile
1.25+9-0sysutils/ansible-core/pkg/PLIST
1.61+2-2sysutils/ansible-core/distinfo
1.68+1-1sysutils/ansible-core/Makefile
+12-33 files

OpenBSD/ports im3Hy0fsysutils/exoscale-cli distinfo Makefile

   Update to exoscale-cli-1.96.0.
VersionDeltaFile
1.154+2-2sysutils/exoscale-cli/distinfo
1.157+1-1sysutils/exoscale-cli/Makefile
+3-32 files

OpenBSD/src 2giyHKzusr.sbin/bgpd rde_peer.c rde_update.c

   rework the force_update logic in the adj-rib-out

   On initial connect the system needs to sync the adj-rib-out of a peer with
   the Loc-RIB. This happens via peer_dump() and in this case the system
   needs to push out all updates (but can drop any withdraw).

   To do this a force_update flag was introduced but actually it is better to
   use the mode argument and introduce EVAL_SYNC for this case.
   If mode == EVAL_SYNC adjout_prefix_update needs to force the update and
   adjout_prefix_withdraw can drop the withdraw.

   The other user of peer_dump() is during config reloads where the RIB of a
   peer is altered. In that case the adj-rib-out is first flushed. Because of
   this flush peer_dump can be used to push out all updates.

   This also removes the NOTYET block in peer_generate_update() and
   replaces it with inside up_generate_addpath_all() with a call
   up_generate_addpath().

   OK tb@
VersionDeltaFile
1.80+14-22usr.sbin/bgpd/rde_peer.c
1.201+17-15usr.sbin/bgpd/rde_update.c
1.358+9-5usr.sbin/bgpd/rde.h
1.22+7-5usr.sbin/bgpd/rde_adjout.c
1.709+2-2usr.sbin/bgpd/rde.c
+49-495 files

OpenBSD/src OiJpL3Jsys/arch/octeon/dev if_cnmac.c

   cnmac: Fix packet corruption with veb(4)

   Account for VLAN header when setting IP packet offset for TCP/UDP
   checksum offload on transmit. Otherwise cnmac(4) can corrupt packets
   that are sent through veb(4).

   Initial patch from Sergii Rudchenko.
   ether_extract_headers() usage added by me.

   OK kirill@
VersionDeltaFile
1.92+13-4sys/arch/octeon/dev/if_cnmac.c
+13-41 files

OpenBSD/src GnZitsSusr.sbin/bgpd rde_attr.c

   test pointer against NULL not 0; ok claudio@
VersionDeltaFile
1.149+2-2usr.sbin/bgpd/rde_attr.c
+2-21 files

OpenBSD/src w54slFXusr.sbin/bgpd rde_filter.c

   NULL not 0 for last arg to community_match() since it is a pointer.
VersionDeltaFile
1.150+2-2usr.sbin/bgpd/rde_filter.c
+2-21 files

OpenBSD/ports ZnmUEC8devel/rust-analyzer distinfo crates.inc, devel/rust-analyzer/patches patch-xtask_src_codegen_rs

   Update to rust-analyzer 2026-07-13, tested by & ok volker

   https://github.com/rust-lang/rust-analyzer/releases#release-2026-07-13
VersionDeltaFile
1.5+418-408devel/rust-analyzer/distinfo
1.5+208-203devel/rust-analyzer/crates.inc
1.4+8-8devel/rust-analyzer/patches/patch-xtask_src_codegen_rs
1.10+1-2devel/rust-analyzer/Makefile
+635-6214 files

OpenBSD/ports xJn5Ugodevel/zizmor distinfo crates.inc

   Update to zizmor 1.27.0

   https://github.com/zizmorcore/zizmor/releases/tag/v1.27.0
VersionDeltaFile
1.6+34-32devel/zizmor/distinfo
1.5+16-15devel/zizmor/crates.inc
1.9+1-1devel/zizmor/Makefile
+51-483 files

OpenBSD/ports zjGUMmHdevel/mergiraf distinfo crates.inc

   Update to mergiraf 0.18.0

   https://codeberg.org/mergiraf/mergiraf/releases/tag/v0.18.0
VersionDeltaFile
1.5+182-186devel/mergiraf/distinfo
1.5+90-92devel/mergiraf/crates.inc
1.6+1-1devel/mergiraf/Makefile
+273-2793 files

OpenBSD/src tuWavxgusr.bin/tmux server-client.c tmux.h

   Add a mouse binding for empty areas of the window so C-Drag works on
   them as well.
VersionDeltaFile
1.492+38-38usr.bin/tmux/server-client.c
1.1405+4-1usr.bin/tmux/tmux.h
1.189+2-1usr.bin/tmux/key-bindings.c
1.1141+2-1usr.bin/tmux/tmux.1
+46-414 files

OpenBSD/ports e40Sycvwww/gitea Makefile distinfo, www/gitea/patches patch-custom_conf_app_example_ini

   Update gitea 1.26.4 - > 1.27.0
   Changelog: https://github.com/go-gitea/gitea/releases/tag/v1.27.0
VersionDeltaFile
1.70+302-300www/gitea/pkg/PLIST
1.34+46-50www/gitea/patches/patch-custom_conf_app_example_ini
1.141+7-7www/gitea/Makefile
1.122+2-2www/gitea/distinfo
+357-3594 files

OpenBSD/ports oMgj3Fcsysutils/ttyplot distinfo Makefile, sysutils/ttyplot/patches patch-Makefile patch-ttyplot_c

   Update ttyplot to 1.7.6.
VersionDeltaFile
1.17+2-2sysutils/ttyplot/distinfo
1.5+2-2sysutils/ttyplot/patches/patch-Makefile
1.7+2-2sysutils/ttyplot/patches/patch-ttyplot_c
1.21+1-1sysutils/ttyplot/Makefile
+7-74 files

OpenBSD/src VV8H6zzsys/net80211 ieee80211_crypto_tkip.c

   Fix an inversed if-condition in ieee80211_michael_mic_failure()

   Make the check for 60 seconds since the most recent previous MIC failure
   work as intended. The code was enabling TKIP countermeasures if 60 seconds
   have passed since the previous MIC failure. The intention is to enable
   countermeasures only if less than 60 seconds have passed.

   LLMS got very excited about this, even though nobody is expected to be
   running an access point with WPA1 enabled in 2026.
   TKIP is disabled by default. We keep it around just in case we need to
   connect to the world via a forgotten 802.11g era AP out in a desert.
VersionDeltaFile
1.34+2-2sys/net80211/ieee80211_crypto_tkip.c
+2-21 files

OpenBSD/src M5lCcn2usr.sbin/rpki-client output.c extern.h

   rpki-client: only output config files on successful run

   While the suggested cronjob is 'rpki-client -v && bgpctl reload' and thus
   only reloads bgpd if rpki-client completes successfully, the output logic
   creates a config file that might still be loaded by an operator by hand.

   If an error occurred in one of the subprocesses, only output ometrics (if
   requested) and do not generate bgpd, bird, csv, json, and ccr.

   ok claudio job
VersionDeltaFile
1.47+13-9usr.sbin/rpki-client/output.c
1.290+2-2usr.sbin/rpki-client/extern.h
1.312+2-2usr.sbin/rpki-client/main.c
+17-133 files

OpenBSD/ports cZ5exZksysutils/terragrunt distinfo modules.inc

   Update to terragrunt-1.1.1.
VersionDeltaFile
1.396+108-114sysutils/terragrunt/distinfo
1.113+33-36sysutils/terragrunt/modules.inc
1.403+1-1sysutils/terragrunt/Makefile
+142-1513 files