x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL
Among CRLs with the same score prefer the one with the most recent
lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
This uses the annoying ASN1_TIME_diff() API, but there is no better
way, really. Every other ASN1_TIME API will be just as awkward.
This fixes the currently failing x509_crl test cases.
ok kenjiro
unbreak build on arm64 until the compiler is actually fixed
fatal error: error in backend: Cannot implicitly convert a scalable size to a fixed-width size in `TypeSize::operator ScalarTy()`
clang++: error: clang frontend command failed with exit code 70 (use -v to see invocation)
Make getaddrinfo(3) check hnok_lenient() earlier.
r1.60 added special handling for localhost names; this was done before the
hnok_lenient() check, ensure this validation applies to localhost names too.
ok florian
vmd(8): prevent OOB reads in 32 and 64-bit ELF loaders.
Malformed ELF files could cause reading past section-headers.
For ELF64 files, malformed section metadata could cause out of bound
reads of heap allocated buffers.
Reported by Frank Denis.
Discussed with and "go for it" from mlarkin@
Add nicer dark and light colour sets (themes) used on terminals with 256
or more colours. Currently based these on emacs but they could change.
Terminals with fewer colours use the ANSI colours. A new "theme" option
overrides the detected theme (set to "terminal" to go back to ANSI
colours).
Do not silently truncate result of dname_expand.
This can only happen if the caller provides a buffer that's too
small. All current callers provide a buffer of size MAXDNAME, which is
large enough in all cases, otherwise dname_check_label would error out.
Found by me and independently by Andrew Griffiths.
OK deraadt, tb
Backport the SDL3 gamecontroller backend from Godot 4.x to Godot 3
(godot/pack1). This replaces the thus far "homegrown" gamecontroller
backend code. Tested with PS4 controller and multiple games.
"makes a lot of sense" op@
net/curl: update to 8.21.0
Changes:
* curl: named globs in output filename for upload glob references
* HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
* http2: remove stream dependency tracking
* lib: drop support for CURLAUTH_DIGEST_IE
Includes fixes for
CVE-2026-8286: wrong STARTTLS connection reuse
CVE-2026-8458: wrong reuse for different services
CVE-2026-8924: trailing dot domain super cookie
CVE-2026-8926: password leak with netrc and user in URL
CVE-2026-8927: env-set cross-proxy Digest auth state leak
CVE-2026-8932: incomplete mTLS config matching in conn reuse
CVE-2026-9079: stale proxy password leak
CVE-2026-9080: UAF after pause in socket callback
CVE-2026-9545: exposing HTTP/3 early data
CVE-2026-9546: sending old referer
[4 lines not shown]
vmd(8): prevent virtio scsi DoS from bad descriptor length.
A guest can construct a looping, zero-length descriptor chain that
spins forever when processing a READ_10 command. Check for zero
length scenario and abort the read with a warning.
Reported by Frank Denis.
Discussed with and "go for it" from mlarkin@
vmd(8): reject invalid PIT periods causing UB.
A guest can write values to Register A that results in a negative
shift exponent when computing the resulting timer rate. Detect and
ignore values to prevent UB from negative shift.
Reported by Frank Denis.
Discussed with and "go for it" from mlarkin@
vmd(8): fix fw_cfg leak of file directory buffer.
FW_CFG_FILE_DIR selector requests leak file directory buffers.
Repeated requests from guests can exhaust vmd process memory.
Reported by Frank Denis.
Discussed with and "go for it" from mlarkin@
