OpenBSD/src qUCIkOklib/libagentx ax.c, usr.sbin/snmpd ax.c

by martijn on ⎇
   Implement a better fix. The previous fix allowed to overflow in a
   different spot. This would still only lead to a crash, and would only be
   reachable by arbitrary users if the admin enabled the agentx socket, and
   set custom permissions.

   OK deraadt@, mvs@
VersionDeltaFile
1.9+6-9usr.sbin/snmpd/ax.c
1.13+6-9lib/libagentx/ax.c
+12-182 files

OpenBSD/ports 7RlCD53x11/motif Makefile, x11/motif/patches patch-lib_Xm_EditresCom_c

by tb on ⎇
   motif: switch from unsigned long * to CARD64 * to prepare for llvm22

   matthieu agrees with the approach
VersionDeltaFile
1.1+12-0x11/motif/patches/patch-lib_Xm_EditresCom_c
1.13+1-1x11/motif/Makefile
+13-12 files

OpenBSD/ports yuZ3T79graphics/GraphicsMagick Makefile distinfo, graphics/GraphicsMagick/patches patch-configure

by tb on ⎇
   Update to GraphicsMagick 1.3.47 to fix build with llvm22, ok Brad

   http://www.graphicsmagick.org/NEWS.html#may-13-2026
VersionDeltaFile
1.79+4-5graphics/GraphicsMagick/Makefile
1.37+2-2graphics/GraphicsMagick/distinfo
1.26+2-2graphics/GraphicsMagick/patches/patch-configure
1.32+3-0graphics/GraphicsMagick/pkg/PLIST
+11-94 files

OpenBSD/src iyyVaDbusr.bin/ssh sshd_config.5 ssh_config.5

by djm on ⎇
   mention that compression could potentially leak information about session
   contents (cf. the CRIME attack on TLS) if a connection allows attacker-
   controlled traffic over it alongside trused traffic. This might occur
   in some forwarding scenarios.

   with deraadt@
VersionDeltaFile
1.398+9-2usr.bin/ssh/sshd_config.5
1.424+9-2usr.bin/ssh/ssh_config.5
+18-42 files

OpenBSD/src wJGiFVZusr.bin/ssh sftp-server.8

by djm on ⎇
   mention usefulness of request type allow/denylisting for servers
   accepting untrusted clients
VersionDeltaFile
1.32+13-2usr.bin/ssh/sftp-server.8
+13-21 files

OpenBSD/src rUiyE8alib/libc/sys open.2

by deraadt on ⎇
   document EACESS if __pledge_open() in /usr/share/zoneinfo terminates
   on a non-regular file
   ok dgl
VersionDeltaFile
1.62+7-1lib/libc/sys/open.2
+7-11 files

OpenBSD/src P230JeHsys/kern vfs_lookup.c

by deraadt on ⎇
   only allow __pledge_open(2) to open regular files in the /usr/share/zoneinfo
   directory.  other file types return EACCES.
   ok dgl
VersionDeltaFile
1.93+6-1sys/kern/vfs_lookup.c
+6-11 files

OpenBSD/ports 7aDToYFnet/curl Makefile distinfo, net/curl/patches patch-m4_curl-compilers_m4

by naddy on ⎇
   net/curl: update to 8.20.0

   Includes fixes for
   CVE-2026-4873: connection reuse ignores TLS requirement
   CVE-2026-5545: wrong reuse of HTTP Negotiate connection
   CVE-2026-5773: wrong reuse of SMB connection
   CVE-2026-6253: proxy credentials leak over redirect-to proxy
   CVE-2026-6276: stale custom cookie host causes cookie leak
   CVE-2026-6429: netrc credential leak with reused proxy connection
   CVE-2026-7168: cross-proxy Digest auth state leak
VersionDeltaFile
1.213.2.1+4-2net/curl/Makefile
1.14.2.1+2-2net/curl/patches/patch-m4_curl-compilers_m4
1.145.2.1+2-2net/curl/distinfo
1.89.2.1+3-0net/curl/pkg/PLIST
+11-64 files

OpenBSD/ports 9VPtR2Wcomms/lrzsz Makefile, comms/lrzsz/patches patch-src_tcp_c

by tb on ⎇
   lrsz: fix incompatible pointer types (socklen_t * vs size_t *) for llvm22
VersionDeltaFile
1.1+21-0comms/lrzsz/patches/patch-src_tcp_c
1.33+1-1comms/lrzsz/Makefile
+22-12 files

OpenBSD/ports eMGti0pmisc/magicpoint Makefile, misc/magicpoint/patches patch-draw_c

by tb on ⎇
   magicpoint: passing int * to size_t * makes llvm22 unhappy
VersionDeltaFile
1.4+14-20misc/magicpoint/patches/patch-draw_c
1.71+1-0misc/magicpoint/Makefile
+15-202 files

OpenBSD/ports eqbnu7gcomms/x3270 Makefile, comms/x3270/patches patch-macros_c

by tb on ⎇
   comms/x3270: fix -Wincompatible-pointer-types (socklen_t vs size_t)
VersionDeltaFile
1.1+14-0comms/x3270/patches/patch-macros_c
1.18+1-1comms/x3270/Makefile
+15-12 files

OpenBSD/src ADzWxhRusr.sbin/iscsid vscsi.c

by claudio on ⎇
   In the vscsi_callback() handle ISCSI_SCSI_STAT_CHCK_COND more carefully.

   Especially the embedded sense data needs to be extracted respecting the
   real buffer length. Make sure at least 2 bytes are availabe for the lenght
   and also check that the resulting len is not bigger then the buffer
   itself.

   Reported by Frank Denis
   OK deraadt@
VersionDeltaFile
1.19+6-3usr.sbin/iscsid/vscsi.c
+6-31 files

OpenBSD/ports wVPbrxPnet/upterm distinfo modules.inc

by pascal on ⎇
   Update to upterm 0.24.0.
VersionDeltaFile
1.4+266-170net/upterm/distinfo
1.4+100-53net/upterm/modules.inc
1.4+1-1net/upterm/Makefile
+367-2243 files

OpenBSD/ports dqG0qplsysutils/unbound_exporter distinfo modules.inc

by pascal on ⎇
   Update to unbound_exporter 0.6.0.
VersionDeltaFile
1.3+50-42sysutils/unbound_exporter/distinfo
1.3+15-13sysutils/unbound_exporter/modules.inc
1.3+1-1sysutils/unbound_exporter/Makefile
+66-563 files

OpenBSD/ports 2EZCqGXwww/ungoogled-chromium distinfo Makefile, www/ungoogled-chromium/patches patch-content_browser_renderer_host_render_process_host_impl_cc patch-content_public_common_content_features_cc

by robert on ⎇
   update to 148.0.7778.178
VersionDeltaFile
1.149+6-6www/ungoogled-chromium/distinfo
1.47+3-3www/ungoogled-chromium/patches/patch-content_browser_renderer_host_render_process_host_impl_cc
1.44+2-2www/ungoogled-chromium/patches/patch-content_public_common_content_features_cc
1.231+1-2www/ungoogled-chromium/Makefile
+12-134 files

OpenBSD/ports lefVYCvnet/tor distinfo Makefile

by pascal on ⎇
   Update to tor 0.4.9.8

   ok sthen@
VersionDeltaFile
1.143.2.1+2-2net/tor/distinfo
1.178.2.1+1-1net/tor/Makefile
+3-32 files

OpenBSD/src JP4fusRusr.sbin/bgpd rde_rib.c

by claudio on ⎇
   Also copy aspa_state and aspa_generation in path_copy() this way
   the linked db copy of the path gets the right ASPA cache data.

   OK tb@
VersionDeltaFile
1.295+4-1usr.sbin/bgpd/rde_rib.c
+4-11 files

OpenBSD/ports cpZnoFCmultimedia/libheif Makefile distinfo, multimedia/libheif/pkg PLIST

by volker on ⎇
   multimedia/libheif: Update to 1.22.0

   From Brad, thanks
VersionDeltaFile
1.24+3-3multimedia/libheif/Makefile
1.16+2-2multimedia/libheif/distinfo
1.11+2-0multimedia/libheif/pkg/PLIST
+7-53 files

OpenBSD/ports 0fMawaHwww/nextcloud/33 distinfo Makefile, www/nextcloud/33/pkg PLIST

by rsadowski on ⎇
   Update nextcloud to 33.0.3
VersionDeltaFile
1.3+755-1,093www/nextcloud/33/pkg/PLIST
1.3+2-2www/nextcloud/33/distinfo
1.3+1-1www/nextcloud/33/Makefile
+758-1,0963 files

OpenBSD/ports 7ISFpK5www/nextcloud/32 distinfo Makefile, www/nextcloud/32/pkg PLIST

by rsadowski on ⎇
   Update nextcloud to 32.0.9
VersionDeltaFile
1.8+517-1,050www/nextcloud/32/pkg/PLIST
1.8+2-2www/nextcloud/32/distinfo
1.10+1-1www/nextcloud/32/Makefile
+520-1,0533 files

OpenBSD/src 6Sx8ztqdistrib/sets/lists/man mi

by deraadt on ⎇
   sync
VersionDeltaFile
1.1770+0-4distrib/sets/lists/man/mi
+0-41 files

OpenBSD/src VD3p1mQusr.sbin/bgpd rde_update.c rde.h

by claudio on ⎇
   Introduce a force_update flag to force pend_prefix_add() calls
   in adjout_prefix_update().

   peer_dump() can be called with a preloaded Adj-RIB-Out and in that case
   the code needs to force updates out. This is done instead of walking the
   table twice -- once with peer_dump() and then with peer_blast().
   Using the force_update flag there ensures that all entries are properly
   sent to the peer.

   OK tb@
VersionDeltaFile
1.196+17-12usr.sbin/bgpd/rde_update.c
1.350+10-11usr.sbin/bgpd/rde.h
1.73+10-9usr.sbin/bgpd/rde_peer.c
1.19+5-2usr.sbin/bgpd/rde_adjout.c
+42-344 files

OpenBSD/ports 1mLACfNdevel/codex distinfo Makefile, devel/codex/patches patch-codex-rs_Cargo_toml patch-codex-rs_core_src_config_mod_rs

by kirill on ⎇
   devel/codex: update to 0.132.0
VersionDeltaFile
1.18+3-3devel/codex/patches/patch-codex-rs_Cargo_toml
1.20+2-2devel/codex/distinfo
1.20+1-1devel/codex/Makefile
1.20+1-1devel/codex/patches/patch-codex-rs_core_src_config_mod_rs
+7-74 files

OpenBSD/ports WHaSRhTnet/rabbitmq Makefile distinfo, net/rabbitmq/pkg PLIST

by volker on ⎇
   net/rabbitmq: Update to 4.3.1
VersionDeltaFile
1.88+5-5net/rabbitmq/Makefile
1.41+2-2net/rabbitmq/distinfo
1.43+1-1net/rabbitmq/pkg/PLIST
+8-83 files

OpenBSD/ports PzgM8jPsecurity/vaultwarden distinfo crates.inc, security/vaultwarden/patches patch-modcargo-crates_webauthn-rs-core-0_5_4_src_internals_rs patch-modcargo-crates_webauthn-attestation-ca-0_5_4_build_rs

by bket on ⎇
   Security update to vaultwarden-1.36.0

   Contains security fixes for:
   - SSO Login CSRF
   - User/Organization Enumeration
   - SSO existing-user binding
   - SSRF via Icon Endpoint
   - Some crate's updated and other minor security enhancements

   Changes:
   https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.8
   https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0
VersionDeltaFile
1.35.2.1+162-122security/vaultwarden/distinfo
1.32.2.1+80-60security/vaultwarden/crates.inc
1.55.2.1+5-5security/vaultwarden/Makefile
1.1.4.1+0-0security/vaultwarden/patches/patch-modcargo-crates_webauthn-rs-core-0_5_4_src_internals_rs
1.1.4.1+0-0security/vaultwarden/patches/patch-modcargo-crates_webauthn-attestation-ca-0_5_4_build_rs
1.1.2.1+0-0security/vaultwarden/patches/patch-modcargo-crates_webauthn-attestation-ca-0_5_5_build_rs
+247-1877 files not shown
+247-18713 files

OpenBSD/ports JqgDYeGwww/vaultwarden-web distinfo Makefile, www/vaultwarden-web/pkg PLIST

by bket on ⎇
   Update to vaultwarden-web-2026.4.1

   Changes:
   https://github.com/dani-garcia/bw_web_builds/releases/tag/v2026.3.1
   https://github.com/dani-garcia/bw_web_builds/releases/tag/v2026.4.1
VersionDeltaFile
1.23.2.1+54-71www/vaultwarden-web/pkg/PLIST
1.23.2.1+2-2www/vaultwarden-web/distinfo
1.25.2.1+1-1www/vaultwarden-web/Makefile
+57-743 files

OpenBSD/ports YXM8Qunnet/samba Makefile distinfo

by bket on ⎇
   Update to samba-4.24.2

   Changes: https://www.samba.org/samba/history/samba-4.24.2.html
VersionDeltaFile
1.372.2.1+3-3net/samba/Makefile
1.138.2.1+2-2net/samba/distinfo
+5-52 files

OpenBSD/ports Rd1x2wMwww/py-flask-caching Makefile

by sthen on ⎇
   add a note about long delays in some tests if redis is already running
VersionDeltaFile
1.8+1-0www/py-flask-caching/Makefile
+1-01 files

OpenBSD/ports cMoucY2mail/neomutt Makefile

by sthen on ⎇
   neomutt docs are generated with, in order of preference, w3m / lynx / elinks.
   change the BDEP to w3m so that builds are consistent.
VersionDeltaFile
1.112+4-3mail/neomutt/Makefile
+4-31 files

OpenBSD/ports dpnfUF6net/libunbound distinfo Makefile

by sthen on ⎇
   update to libunbound-1.25.1
VersionDeltaFile
1.35.2.1+2-2net/libunbound/distinfo
1.42.2.1+1-1net/libunbound/Makefile
+3-32 files