OpenBSD/ports T3E0f4e devel/codex distinfo Makefile, devel/codex/patches patch-codex-rs_Cargo_toml patch-codex-rs_core_src_config_mod_rs

   devel/codex: update to 0.129.0
Version  Delta  File
1.7      +0 -7  devel/codex/pkg/PLIST
1.15     +3 -3  devel/codex/patches/patch-codex-rs_Cargo_toml
1.17     +2 -2  devel/codex/distinfo
1.17     +1 -1  devel/codex/patches/patch-codex-rs_core_src_config_mod_rs
1.17     +1 -1  devel/codex/Makefile
+7 -14, 5 files

OpenBSD/ports w1q6kNH sysutils/psftools distinfo Makefile, sysutils/psftools/pkg PLIST

   Update psftools to 1.1.3.
Version  Delta  File
1.7      +6 -0  sysutils/psftools/pkg/PLIST
1.9      +2 -2  sysutils/psftools/distinfo
1.17     +1 -1  sysutils/psftools/Makefile
+9 -3, 3 files

OpenBSD/ports uk59HtP lang/wabt distinfo, lang/wabt/patches patch-src_tools_wasm2c_cc patch-src_tools_wasm2wat_cc

   Update wabt to 1.0.41.
Version  Delta  File
1.15     +2 -2  lang/wabt/distinfo
1.10     +1 -1  lang/wabt/patches/patch-src_tools_wasm2c_cc
1.6      +1 -1  lang/wabt/patches/patch-src_tools_wasm2wat_cc
1.6      +1 -1  lang/wabt/patches/patch-src_tools_wast2json_cc
1.6      +1 -1  lang/wabt/patches/patch-src_tools_wat2wasm_cc
1.5      +1 -1  lang/wabt/patches/patch-src_tools_wat-desugar_cc
+7 -7, 3 files not shown
+10 -10, 9 files

OpenBSD/src taetC1Q regress/usr.sbin/bgpd/integrationtests Makefile

   Add forgotten addpath regress test.
Version  Delta  File
1.28     +2 -2  regress/usr.sbin/bgpd/integrationtests/Makefile
+2 -2, 1 file

OpenBSD/src 5sCH7Yy usr.sbin/bgpd rde_attr.c rde.c

   Use unsigned int for the length variable when traversing the others array.

   Doing this in all places now after fixing an overflow in attr_optadd().

   OK tb@ deraadt@
Version  Delta   File
1.144    +14 -8  usr.sbin/bgpd/rde_attr.c
1.697    +3 -3   usr.sbin/bgpd/rde.c
1.135    +3 -2   usr.sbin/bgpd/mrt.c
1.194    +3 -2   usr.sbin/bgpd/rde_update.c
+23 -15, 4 files

OpenBSD/ports KTMm552 meta/tor-browser Makefile, www/tor-browser Makefile.inc

   Tor Browser: update to 15.0.12
Version  Delta  File
1.120    +6 -6  www/tor-browser/browser/distinfo
1.126    +2 -2  meta/tor-browser/Makefile
1.123    +1 -1  www/tor-browser/Makefile.inc
1.199    +1 -1  www/tor-browser/browser/Makefile
+10 -10, 4 files

OpenBSD/ports RrUYEr1 productivity/gnucash/patches patch-CMakeLists_txt

   gnucash: pull in upstream fix for required libs for boost >=1.90

   ok aja (maintainer)
Version  Delta   File
1.12     +16 -0  productivity/gnucash/patches/patch-CMakeLists_txt
+16 -0, 1 file

OpenBSD/ports hpeoptq devel/robsd distinfo Makefile

   update to robsd-21.1.0
Version  Delta  File
1.17     +2 -2  devel/robsd/distinfo
1.20     +1 -1  devel/robsd/Makefile
+3 -3, 2 files

OpenBSD/ports cdp1PgP devel/kf6/purpose Makefile

   More new QML dependencies

   ecm_find_qmlmodule(org.kde.prison REQUIRED)
   ecm_find_qmlmodule(org.kde.kitemmodels REQUIRED)
   ecm_find_qmlmodule(org.kde.kcmutils REQUIRED)

   Spotted by tb (again), thanks
Version  Delta  File
1.11     +6 -1  devel/kf6/purpose/Makefile
+6 -1, 1 file

OpenBSD/ports xAIw6o4 devel/knfmt distinfo Makefile

   update to knfmt-5.3.0
Version  Delta  File
1.25     +2 -2  devel/knfmt/distinfo
1.30     +1 -1  devel/knfmt/Makefile
+3 -3, 2 files

OpenBSD/ports BzMLjgE mail/mdsort distinfo Makefile

   update to mdsort-11.6.1
Version  Delta  File
1.35     +2 -2  mail/mdsort/distinfo
1.38     +1 -1  mail/mdsort/Makefile
+3 -3, 2 files

OpenBSD/ports oLIfrDB textproc/xan distinfo crates.inc

   Update to xan 0.57.1.
Version  Delta  File
1.5      +4 -4  textproc/xan/distinfo
1.5      +1 -1  textproc/xan/crates.inc
1.6      +1 -1  textproc/xan/Makefile
+6 -6, 3 files

OpenBSD/ports 1eGE0oX textproc/luceneplusplus Makefile, textproc/luceneplusplus/patches patch-src_core_util_BitSet_cpp patch-include_lucene++_BitSet_h

   luceneplusplus: unbreak build with boost 1.90
Version  Delta    File
1.1      +255 -0  textproc/luceneplusplus/patches/patch-src_core_util_BitSet_cpp
1.1      +29 -0   textproc/luceneplusplus/patches/patch-include_lucene++_BitSet_h
1.11     +1 -1    textproc/luceneplusplus/Makefile
+285 -1, 3 files

OpenBSD/ports tfZVzr3 net/kea Makefile, net/kea/patches patch-src_lib_log_logger_level_impl_cc

   kea: fix build with Boost 1.90 by adding a missing include
Version  Delta   File
1.1      +13 -0  net/kea/patches/patch-src_lib_log_logger_level_impl_cc
1.52     +1 -1   net/kea/Makefile
+14 -1, 2 files

OpenBSD/src dATIJ9T usr.sbin/bgpd bgpd.h

   Convert grestart.timeout to uint16_t while the value can never be negative
   the compiler trips over this in a comparison with u_int.

   OK tb@
Version  Delta  File
1.541    +5 -5  usr.sbin/bgpd/bgpd.h
+5 -5, 1 file

OpenBSD/src lY1vYJs usr.sbin/bgpd parse.y

   Reduce maximum configurable stale time to CAPA_GR_TIMEMASK (4095) since
   that is the maximum anyway.

   OK tb@
Version  Delta  File
1.489    +5 -5  usr.sbin/bgpd/parse.y
+5 -5, 1 file

OpenBSD/ports gDfK2Rb editors/neovim Makefile distinfo, editors/neovim/pkg PLIST

   editors/neovim: update to v0.12.2.

   Diff from Laurent Cheylus, thanks!
Version  Delta  File
1.32     +6 -5  editors/neovim/pkg/PLIST
1.67     +3 -1  editors/neovim/Makefile
1.41     +2 -2  editors/neovim/distinfo
+11 -8, 3 files

OpenBSD/src LUPAbwF lib/libc/gen getgrent.c

   A collection of AI-assisted reports comes from Frank Denis, which says that
   the YP getgrent code when doing YP operations has a group of buffer
   mismanagement issues which in the reports are labelled 'high severity'.
   This fixes the buffer checks.
   The big question to ask is this: Is a malicious YP server going to
   send you messages that exercise a buffer overflow codepath, or are
   they going to send you perfectly correct messages containing wrong group members?
   The old-school ypserv model was that you run ypserv on a "trusted network"
   segment, which today is laughable but it matched operations in that era.
   (Our) new operational model is that ypbind is reached with a custom system call
   and provides trusted path to an on-host ypserv, which is more likely to be
   the ypldap(8) LDAP schema to YP protocol converter.
   If a YP server is broken and sending bad messages, THIS code is the least
   of your worries.  High severity?  No.
   ok millert jmatthew
Version  Delta   File
1.52     +13 -1  lib/libc/gen/getgrent.c
+13 -1, 1 file

OpenBSD/src IQXSShj lib/libc/gen getpwent.c

   A collection of AI-assisted reports comes from Frank Denis, which says that
   the YP getpwent code when doing YP operations has a group of buffer
   mismanagement issues which in the reports are labelled 'high severity'.
   This fixes the buffer checks.
   In reality, the memory being operated on is always a full page so the
   overflow onto unmanaged memory is hard to see as a risk.
   The big question to ask is this: Is a malicious YP server going to
   send you messages that exercise a buffer overflow codepath, or are
   they going to send you perfectly correct messages containing :0:0: ?
   The old-school ypserv model was that you run ypserv on a "trusted network"
   segment, which today is laughable but it matched operations in that era.
   (Our) new operational model is that ypbind is reached with a custom system call
   and provides trusted path to an on-host ypserv, which is more likely to be
   the ypldap(8) LDAP schema to YP protocol converter.
   If a YP server is broken and sending bad messages, THIS code is the least
   of your worries.  High severity?  No.
   ok millert jmatthew
Version  Delta   File
1.74     +8 -11  lib/libc/gen/getpwent.c
+8 -11, 1 file

OpenBSD/ports li62mCt x11/mplayer Makefile

   mplayer: sync ffmpeg version; from kirill
Version  Delta  File
1.340    +2 -1  x11/mplayer/Makefile
+2 -1, 1 file

OpenBSD/ports SrhIGuy textproc/cookcli crates.inc distinfo

   Update to CookCLI 0.29.1.

   Same diff from bket@
Version  Delta      File
1.11     +507 -505  textproc/cookcli/crates.inc
1.11     +12 -6     textproc/cookcli/distinfo
1.12     +1 -4      textproc/cookcli/Makefile
+520 -515, 3 files

OpenBSD/src M1PBeta lib/libc/gen getpwent.c

   In the yp_next() case, on error the key memory is leaked.
   Hiding in an unrelated diff from Frank Denis
   ok millert jmatthew
Version  Delta  File
1.73     +3 -2  lib/libc/gen/getpwent.c
+3 -2, 1 file

OpenBSD/src iyb0O37 usr.sbin/bgpd session.c

   In session_graceful_restart() also arm the SessionDown timer

   session_graceful_restart() does more or less the same as session_down()
   and therefore needs to arm the SessionDown timer and on top of that
   update stats.last_updown. The interval for the SessionDown timer needs
   to depend on the graceful restart timer, since that one needs to fire
   first.

   OK tb@
Version  Delta   File
1.533    +10 -2  usr.sbin/bgpd/session.c
+10 -2, 1 file

OpenBSD/ports 8O0fjSV net/wormhole-william distinfo modules.inc

   net/wormhole-william: update to version 1.0.8.

   Apparently this fixes the riscv64 build also.

   Diff from "mischief <mischief at offblast.org>". OK sthen@.

   Thanks both.
Version  Delta     File
1.6      +92 -216  net/wormhole-william/distinfo
1.3      +33 -68   net/wormhole-william/modules.inc
1.8      +1 -1     net/wormhole-william/Makefile
+126 -285, 3 files

OpenBSD/src WIJeJHj sbin/iked ikev2.c

   check address size; from markus via millert
   from deraadt@

   this is errata/7.7/042_iked.patch.sig
Version    Delta  File
1.391.4.2  +7 -3  sbin/iked/ikev2.c
+7 -3, 1 file

OpenBSD/ports ME7w0BL sysutils/nomad distinfo Makefile

   Update to nomad-2.0.0.
Version  Delta  File
1.94     +2 -2  sysutils/nomad/distinfo
1.108    +1 -1  sysutils/nomad/Makefile
+3 -3, 2 files

OpenBSD/src sDltN1q sbin/iked ikev2.c

   check address size; from markus via millert
   from deraadt@

   this is errata/7.8/036_iked.patch.sig
Version    Delta  File
1.394.2.2  +7 -3  sbin/iked/ikev2.c
+7 -3, 1 file

OpenBSD/ports 7Fk33Ym wayland/fnott/pkg DESCR

   wayland/fnott: Tweak description
   The project homepage advertises that fnott works for *wlroots-based*
   Wayland compositors, however it works with others as well
Version  Delta  File
1.2      +1 -1  wayland/fnott/pkg/DESCR
+1 -1, 1 file

OpenBSD/ports 9EP3Wt3 sysutils/terraform distinfo Makefile

   Update to terraform-1.15.1.
Version  Delta  File
1.137    +2 -2  sysutils/terraform/distinfo
1.152    +1 -1  sysutils/terraform/Makefile
+3 -3, 2 files

OpenBSD/src YSkUFCL sys/nfs nfs_serv.c

   Add checks for invalid dir count and max size for readdir/readdirplus.

   A zero count or max size value is now rejected early instead of
   relying on VOP_GETATTR to return an error.  Also verify that the
   max size after rounding up to a multiple of DIRBLKSIZ is positive.
   A negative value would turn into a large allocation, causing the
   malloc() to fail.

   From an LLM bug report.  With help from miod@ and kirill@.
   from millert@

   this is errata/7.7/041_nfs.patch.sig
Version    Delta    File
1.131.4.2  +34 -23  sys/nfs/nfs_serv.c
+34 -23, 1 file