OpenBSD/src RRat9wwusr.bin/tmux sort.c

   Fix NULL dereference in sort.c, from Dane Jensen.
VersionDeltaFile
1.4+2-1usr.bin/tmux/sort.c
+2-11 files

OpenBSD/ports RBMPAY5graphics/jpeg distinfo Makefile, graphics/jpeg/patches patch-CMakeLists_txt

   update to jpeg-3.1.4.1

   thanks to matthieu@ for armv7 and macppc tests (and Jan Stary who started
   on this too but matthieu beat him to it)
VersionDeltaFile
1.36+2-2graphics/jpeg/distinfo
1.89+1-1graphics/jpeg/Makefile
1.18+1-1graphics/jpeg/patches/patch-CMakeLists_txt
+4-43 files

OpenBSD/src ctTky5fregress/usr.bin/ssh percent.sh

   adapt to username validity check change
VersionDeltaFile
1.23+3-3regress/usr.bin/ssh/percent.sh
+3-31 files

OpenBSD/src 8kBgXMRusr.bin/ssh version.h

   openssh-10.3
VersionDeltaFile
1.108+2-2usr.bin/ssh/version.h
+2-21 files

OpenBSD/src tQF0BsWusr.bin/ssh ssh.c

   move username validity check for usernames specified on the
   commandline to earlier in main(), specifically before some
   contexts where a username with shell characters might be
   expanded by a %u directive in ssh_config.

   We continue to recommend against using untrusted input on
   the SSH commandline. Mitigations like this are not 100%
   guarantees of safety because we can't control every
   combination of user shell and configuration where they are
   used.

   Reported by Florian Kohnhäuser
VersionDeltaFile
1.630+8-1usr.bin/ssh/ssh.c
+8-11 files

OpenBSD/src DEXSQKzusr.bin/ssh sshconnect2.c auth2-pubkeyfile.c

   correctly match ECDSA signature algorithms against algorithm
   allowlists: HostKeyAlgorithms, PubkeyAcceptedAlgorithms and
   HostbasedAcceptedAlgorithms.

   Previously, if any ECDSA type (say "ecdsa-sha2-nistp521") was
   present in one of these lists, then all ECDSA algorithms would
   be permitted.

   Reported by Christos Papakonstantinou of Cantina and Spearbit.
VersionDeltaFile
1.385+18-10usr.bin/ssh/sshconnect2.c
1.8+15-11usr.bin/ssh/auth2-pubkeyfile.c
1.126+5-4usr.bin/ssh/auth2-pubkey.c
1.57+5-4usr.bin/ssh/auth2-hostbased.c
+43-294 files

OpenBSD/src 04OjIgrusr.bin/ssh scp.c

   when downloading files as root in legacy (-O) mode and without the
   -p (preserve modes) flag set, clear setuid/setgid bits from
   downloaded files as one might expect.

   AFAIK this bug dates back to the original Berkeley rcp program.

   Reported by Christos Papakonstantinou of Cantina and Spearbit.
VersionDeltaFile
1.273+4-2usr.bin/ssh/scp.c
+4-21 files

OpenBSD/src i4JTEwsusr.bin/ssh mux.c

   add missing askpass check when using ControlMaster=ask/autoask
   and "ssh -O proxy ..."; reported by Michalis Vasileiadis
VersionDeltaFile
1.113+11-1usr.bin/ssh/mux.c
+11-11 files

OpenBSD/src gJLVbnVusr.bin/ssh servconf.c

   Fix possible sshd crash when sshd_config set MaxStartups to a
   value <10 using the single-argument form of MaxStartups (e.g.
   MaxStartups=3). This doesn't affect the three-argument form
   of the directive (e.g. MaxStartups 3:20:5).

   Patch from Peter Kaestle via bz3941
VersionDeltaFile
1.446+3-3usr.bin/ssh/servconf.c
+3-31 files

OpenBSD/src 9e7vmUZsys/dev/pci azalia.c

   match recent Intel parts
   ok deraadt@ mlarkin@
VersionDeltaFile
1.291+9-1sys/dev/pci/azalia.c
+9-11 files

OpenBSD/src 1N5CR24sys/dev/pci dwiic_pci.c

   match on Panther Lake
   ok deraadt@ mlarkin@
VersionDeltaFile
1.34+13-1sys/dev/pci/dwiic_pci.c
+13-11 files

OpenBSD/ports dLr2IT9sysutils/gemini-cli Makefile distinfo, sysutils/gemini-cli/patches patch-lib_node_modules_@google_gemini-cli_bundle_gemini_js patch-lib_node_modules_@google_gemini-cli_dist_index_js

   Update to gemini-cli-0.36.0.
VersionDeltaFile
1.15+430-49,751sysutils/gemini-cli/pkg/PLIST
1.18+6-7sysutils/gemini-cli/Makefile
1.1+11-0sysutils/gemini-cli/patches/patch-lib_node_modules_@google_gemini-cli_bundle_gemini_js
1.17+2-2sysutils/gemini-cli/distinfo
1.2+0-0sysutils/gemini-cli/patches/patch-lib_node_modules_@google_gemini-cli_dist_index_js
+449-49,7605 files

OpenBSD/src N3oz10psys/dev/pci pcidevs_data.h pcidevs.h

   regen
VersionDeltaFile
1.2118+601-1sys/dev/pci/pcidevs_data.h
1.2123+151-1sys/dev/pci/pcidevs.h
+752-22 files

OpenBSD/src kgCU5uMsys/dev/pci pcidevs

   add Intel Panther Lake ids

   from Mesa and:
   Intel Core Ultra Processors (Series 3)
   Datasheet, Volume 1 of 2, Doc. No.: 872188, Rev.: 001

   ok deraadt@ mlarkin@
VersionDeltaFile
1.2130+151-1sys/dev/pci/pcidevs
+151-11 files

OpenBSD/ports GRENWENsysutils/p5-Sys-Virt distinfo Makefile

   Update to p5-Sys-Virt-12.2.0.
VersionDeltaFile
1.66+2-2sysutils/p5-Sys-Virt/distinfo
1.80+1-1sysutils/p5-Sys-Virt/Makefile
+3-32 files

OpenBSD/ports CRZTKIpsysutils/libvirt-python distinfo Makefile

   Update to py3-libvirt-12.2.0.
VersionDeltaFile
1.84+2-2sysutils/libvirt-python/distinfo
1.103+1-1sysutils/libvirt-python/Makefile
+3-32 files

OpenBSD/ports hzRlHgDsysutils/libvirt Makefile distinfo, sysutils/libvirt/pkg PLIST

   Update to libvirt-12.2.0.
VersionDeltaFile
1.147+5-5sysutils/libvirt/Makefile
1.96+2-2sysutils/libvirt/distinfo
1.73+0-3sysutils/libvirt/pkg/PLIST
+7-103 files

OpenBSD/ports 2WkezQGdevel/harfbuzz Makefile distinfo, devel/harfbuzz/pkg PLIST-main

   Update to harfbuzz-14.0.0.
VersionDeltaFile
1.207+13-10devel/harfbuzz/Makefile
1.171+2-2devel/harfbuzz/distinfo
1.48+4-0devel/harfbuzz/pkg/PLIST-main
+19-123 files

OpenBSD/ports HO3p1x8www/ungoogled-chromium distinfo, www/ungoogled-chromium/patches patch-chrome_browser_about_flags_cc patch-third_party_blink_renderer_platform_runtime_enabled_features_json5

   update to 146.0.7680.177
VersionDeltaFile
1.56+55-55www/ungoogled-chromium/patches/patch-chrome_browser_about_flags_cc
1.55+10-10www/ungoogled-chromium/patches/patch-third_party_blink_renderer_platform_runtime_enabled_features_json5
1.143+6-6www/ungoogled-chromium/distinfo
1.6+3-3www/ungoogled-chromium/patches/patch-chrome_browser_ui_tabs_public_tab_features_h
1.51+3-3www/ungoogled-chromium/patches/patch-chrome_common_chrome_features_cc
1.7+2-2www/ungoogled-chromium/patches/patch-chrome_browser_renderer_context_menu_render_view_context_menu_cc
+79-7910 files not shown
+93-9516 files

OpenBSD/ports pdFlibgdevel/jujutsu distinfo crates.inc, devel/jujutsu/patches patch-cli_src_commands_bisect_run_rs

   Update to jujutsu 0.40.0

   https://github.com/jj-vcs/jj/releases/tag/v0.40.0
VersionDeltaFile
1.23+172-148devel/jujutsu/distinfo
1.24+85-73devel/jujutsu/crates.inc
1.5+3-3devel/jujutsu/patches/patch-cli_src_commands_bisect_run_rs
1.30+1-1devel/jujutsu/Makefile
+261-2254 files

OpenBSD/ports 5y3UYjYgames/cataclysm-dda Makefile

   Mark cataclysm-dda BROKEN-sparc64

   /usr/obj/ports/cataclysm-dda-0.H-no_x11/Cataclysm-DDA-0.H-RELEASE/src/third-party/flatbuffers_int/util.h:267:12: error: 'strtoll_l' was not declared in this scope; did you mean 'strcoll_l'?
     267 |     *val = __strtoll_impl(str, endptr, base);
         |            ^~~~~~~~~~~~~~

   'strtoull_l' 'strtod_l' 'strtof_l' all also not declared in scopr
VersionDeltaFile
1.34+2-0games/cataclysm-dda/Makefile
+2-01 files

OpenBSD/ports w9kNj27audio/csound Makefile, audio/csound/pkg PLIST

   csound: hidden dep on audio/liblo

   regen PLIST for libosc.so plugin and static libcsound64.a
VersionDeltaFile
1.4+4-2audio/csound/Makefile
1.3+2-0audio/csound/pkg/PLIST
+6-22 files

OpenBSD/ports cRNx5Ngsysutils/u-boot-asahi Makefile

   u-boot-asahi needs C11

   Move to ports-gcc on base-gcc arches to fix build on sparc64
VersionDeltaFile
1.18+4-0sysutils/u-boot-asahi/Makefile
+4-01 files

OpenBSD/src GHWWFBpdistrib/sets/lists/man mi

   sync
VersionDeltaFile
1.1762+8-0distrib/sets/lists/man/mi
+8-01 files

OpenBSD/ports I0LmH07www/hugo distinfo Makefile

   www/hugo: update to 0.159.2

   Changes:
    - https://github.com/gohugoio/hugo/releases/tag/v0.159.2
VersionDeltaFile
1.92+2-2www/hugo/distinfo
1.100+1-1www/hugo/Makefile
+3-32 files

OpenBSD/src PFEhMDVgnu/usr.bin/perl class.c, gnu/usr.bin/perl/cpan/Compress-Raw-Zlib/zlib-src zlib.h

   Update to perl 5.42.2

   The two main changes are both from 5.42.1, a timezone fix and a
   corner case for auto-vivification.

   The CVE from 5.42.1 we had already patched and the zlib update in
   5.42.2 is in code we don't use because we link against the system
   zlib.

   https://metacpan.org/release/SHAY/perl-5.42.1/view/pod/perldelta.pod
   https://metacpan.org/release/SHAY/perl-5.42.2/view/pod/perldelta.pod

   I'm not concerned -- sthen@
   I think you can just commit this -- naddy@
   good timing -- deraadt@
   OK -- blumh@
VersionDeltaFile
1.2+1,383-683gnu/usr.bin/perl/cpan/Compress-Raw-Zlib/zlib-src/zlib.h
1.1+1,556-0gnu/usr.bin/perl/pod/perl5420delta.pod
1.33+789-749gnu/usr.bin/perl/pod/perlhist.pod
1.30+51-1,481gnu/usr.bin/perl/pod/perldelta.pod
1.19+1,287-1gnu/usr.bin/perl/dist/Module-CoreList/lib/Module/CoreList.pm
1.2+523-194gnu/usr.bin/perl/class.c
+5,589-3,10871 files not shown
+8,030-4,34277 files

OpenBSD/ports pU630qqnet/p5-NetAddr-MAC Makefile distinfo

   update p5-NetAddr-MAC to 1.00
   from maintainer Mikolaj Kucharski
VersionDeltaFile
1.10+4-1net/p5-NetAddr-MAC/Makefile
1.6+2-2net/p5-NetAddr-MAC/distinfo
+6-32 files

OpenBSD/ports wdknkLYaudio/schismtracker Makefile distinfo, audio/schismtracker/patches patch-configure_ac

   schismtracker: switch to upstream provided tarball.

   This removes the need to run autoconf and makes the version number patch
   unnecessary.
VersionDeltaFile
1.65+10-7audio/schismtracker/Makefile
1.47+2-2audio/schismtracker/distinfo
1.47+0-0audio/schismtracker/patches/patch-configure_ac
+12-93 files

OpenBSD/src zTBaiTNregress/sbin/iked/parser common.c, sbin/iked ikev2_pld.c ikev2.c

   Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
   for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
   results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
   successfully completed the IKE_AUTH exchange for the SA.

   Independently found by Dirk Loss and Daniel Polak (SYS.nl)
   from tobhe@; ok and discussed with markus@ stsp@

   Add ikev2_validate_ef() to validate fragment payload header size field
   as we do for other IKEv2 payloads.

   Reported by Dirk Loss
   from tobhe@; ok markus@

   iked only ever handles one exchange at a time so we can drop the
   entire fragment queue instead of doing a lookup based on the msgid

   Found by Dirk Loss
   from tobhe@; ok markus@ hshoexer@

    [11 lines not shown]
VersionDeltaFile
1.136.6.1+23-6sbin/iked/ikev2_pld.c
1.391.4.1+8-2sbin/iked/ikev2.c
1.13.12.1+2-3regress/sbin/iked/parser/common.c
+33-113 files

OpenBSD/src hrar06sregress/sbin/iked/parser common.c, sbin/iked ikev2_pld.c ikev2.c

   Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
   for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
   results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
   successfully completed the IKE_AUTH exchange for the SA.

   Independently found by Dirk Loss and Daniel Polak (SYS.nl)
   from tobhe@; ok and discussed with markus@ stsp@

   Add ikev2_validate_ef() to validate fragment payload header size field
   as we do for other IKEv2 payloads.

   Reported by Dirk Loss
   from tobhe@; ok markus@

   iked only ever handles one exchange at a time so we can drop the
   entire fragment queue instead of doing a lookup based on the msgid

   Found by Dirk Loss
   from tobhe@; ok markus@ hshoexer@

    [11 lines not shown]
VersionDeltaFile
1.136.4.1+23-6sbin/iked/ikev2_pld.c
1.394.2.1+8-2sbin/iked/ikev2.c
1.13.10.1+2-3regress/sbin/iked/parser/common.c
+33-113 files