OpenBSD/src 2tAcTS4regress/lib/libcrypto/x509 Makefile

   With x509_vfy.c 1.153, the x509_crl regress passes
VersionDeltaFile
1.29+1-3regress/lib/libcrypto/x509/Makefile
+1-31 files

OpenBSD/src qvUatWrlib/libcrypto/x509 x509_vfy.c

   x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL

   Among CRLs with the same score prefer the one with the most recent
   lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
   626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
   This uses the annoying ASN1_TIME_diff() API, but there is no better
   way, really. Every other ASN1_TIME API will be just as awkward.

   This fixes the currently failing x509_crl test cases.

   ok kenjiro
VersionDeltaFile
1.153+18-6lib/libcrypto/x509/x509_vfy.c
+18-61 files

OpenBSD/src SaIW5tsregress/lib/libcrypto/x509 Makefile x509_crl.c

   x509_crl regress: enable the failing test and mark as XFAIL
VersionDeltaFile
1.28+3-1regress/lib/libcrypto/x509/Makefile
1.2+1-3regress/lib/libcrypto/x509/x509_crl.c
+4-42 files

OpenBSD/ports Bqn19n2www/chromium/patches patch-v8_src_objects_simd_cc, www/iridium/patches patch-v8_src_objects_simd_cc

   unbreak build on arm64 until the compiler is actually fixed

   fatal error: error in backend: Cannot implicitly convert a scalable size to a fixed-width size in `TypeSize::operator ScalarTy()`
   clang++: error: clang frontend command failed with exit code 70 (use -v to see invocation)
VersionDeltaFile
1.3+22-94www/chromium/patches/patch-v8_src_objects_simd_cc
1.1+28-0www/ungoogled-chromium/patches/patch-v8_src_objects_simd_cc
1.1+28-0www/iridium/patches/patch-v8_src_objects_simd_cc
+78-943 files

OpenBSD/src 1Aug5JBsbin/iked radius.c

   Prevent authenticated RADIUS CP attribute mapping overflowing rr_cfg.
   Reported by / the original diff from Andrew Griffiths

   ok markus
VersionDeltaFile
1.15+28-13sbin/iked/radius.c
+28-131 files

OpenBSD/ports WzKejamsecurity/rust-openssl-tests distinfo crates.inc

   Update to rust-openssl-tests 20260626
VersionDeltaFile
1.210+10-10security/rust-openssl-tests/distinfo
1.172+4-4security/rust-openssl-tests/crates.inc
1.218+2-2security/rust-openssl-tests/Makefile
+16-163 files

OpenBSD/ports UGOd1XJsecurity/openssl-ruby-tests Makefile distinfo

   Update to openssl-ruby-tests 20260625
VersionDeltaFile
1.168+2-2security/openssl-ruby-tests/Makefile
1.147+2-2security/openssl-ruby-tests/distinfo
+4-42 files

OpenBSD/ports 8HtycvOsecurity/wycheproof Makefile distinfo

   Update to wycheproof 20260625
VersionDeltaFile
1.9+2-2security/wycheproof/Makefile
1.9+2-2security/wycheproof/distinfo
+4-42 files

OpenBSD/src Qh039bBlib/libc/asr getaddrinfo_async.c

   Make getaddrinfo(3) check hnok_lenient() earlier.

   r1.60 added special handling for localhost names; this was done before the
   hnok_lenient() check, ensure this validation applies to localhost names too.

   ok florian
VersionDeltaFile
1.68+12-9lib/libc/asr/getaddrinfo_async.c
+12-91 files

OpenBSD/src GxvPzHEusr.sbin/vmd loadfile_elf.c

   vmd(8): prevent OOB reads in 32 and 64-bit ELF loaders.

   Malformed ELF files could cause reading past section-headers.

   For ELF64 files, malformed section metadata could cause out of bound
   reads of heap allocated buffers.

   Reported by Frank Denis.

   Discussed with and "go for it" from mlarkin@
VersionDeltaFile
1.55+17-3usr.sbin/vmd/loadfile_elf.c
+17-31 files

OpenBSD/src poHzJc5usr.bin/tmux options-table.c

   Make the default colours more conservative, its really the greys that
   matter.
VersionDeltaFile
1.222+11-11usr.bin/tmux/options-table.c
+11-111 files

OpenBSD/src AaYjnpiusr.bin/tmux options-table.c colour.c

   Add nicer dark and light colour sets (themes) used on terminals with 256
   or more colours. Currently based these on emacs but they could change.
   Terminals with fewer colours use the ANSI colours. A new "theme" option
   overrides the detected theme (set to "terminal" to go back to ANSI
   colours).
VersionDeltaFile
1.221+198-24usr.bin/tmux/options-table.c
1.33+94-2usr.bin/tmux/colour.c
1.480+65-1usr.bin/tmux/server-client.c
1.1104+52-1usr.bin/tmux/tmux.1
1.475+30-1usr.bin/tmux/tty.c
1.1372+22-1usr.bin/tmux/tmux.h
+461-302 files not shown
+486-378 files

OpenBSD/src R9DSAWqdistrib/i386/iso Makefile, etc/etc.i386 disktab

   grow i386 install media
VersionDeltaFile
1.37+4-4etc/etc.i386/disktab
1.39+2-2distrib/i386/iso/Makefile
+6-62 files

OpenBSD/src 3TzFaqalib/libc/asr asr_utils.c

   Do not silently truncate result of dname_expand.

   This can only happen if the caller provides a buffer that's too
   small. All current callers provide a buffer of size MAXDNAME, which is
   large enough in all cases, otherwise dname_check_label would error out.

   Found by me and independently by Andrew Griffiths.

   OK deraadt, tb
VersionDeltaFile
1.23+12-8lib/libc/asr/asr_utils.c
+12-81 files

OpenBSD/ports glGlIGBgames/godot/pack1/patches patch-platform_x11_joypad_linux_cpp patch-drivers_sdl_joypad_sdl_cpp

   Backport the SDL3 gamecontroller backend from Godot 4.x to Godot 3
   (godot/pack1). This replaces the thus far "homegrown" gamecontroller
   backend code. Tested with PS4 controller and multiple games.

   "makes a lot of sense" op@
VersionDeltaFile
1.1+602-0games/godot/pack1/patches/patch-platform_x11_joypad_linux_cpp
1.1+281-0games/godot/pack1/patches/patch-drivers_sdl_joypad_sdl_cpp
1.1+215-0games/godot/pack1/patches/patch-drivers_sdl_SCsub
1.1+137-0games/godot/pack1/patches/patch-drivers_sdl_SDL_build_config_private_h
1.1+132-0games/godot/pack1/patches/patch-platform_x11_joypad_linux_h
1.1+78-0games/godot/pack1/patches/patch-drivers_sdl_joypad_sdl_h
+1,445-012 files not shown
+1,665-2318 files

OpenBSD/ports Jsyvxyanet/curl Makefile distinfo

   net/curl: update to 8.21.0

   Changes:
   * curl: named globs in output filename for upload glob references
   * HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
   * http2: remove stream dependency tracking
   * lib: drop support for CURLAUTH_DIGEST_IE

   Includes fixes for
   CVE-2026-8286: wrong STARTTLS connection reuse
   CVE-2026-8458: wrong reuse for different services
   CVE-2026-8924: trailing dot domain super cookie
   CVE-2026-8926: password leak with netrc and user in URL
   CVE-2026-8927: env-set cross-proxy Digest auth state leak
   CVE-2026-8932: incomplete mTLS config matching in conn reuse
   CVE-2026-9079: stale proxy password leak
   CVE-2026-9080: UAF after pause in socket callback
   CVE-2026-9545: exposing HTTP/3 early data
   CVE-2026-9546: sending old referer

    [4 lines not shown]
VersionDeltaFile
1.215+2-2net/curl/Makefile
1.147+2-2net/curl/distinfo
+4-42 files

OpenBSD/src Vp2C8l0usr.sbin/vmd vioscsi.c

   vmd(8): prevent virtio scsi DoS from bad descriptor length.

   A guest can construct a looping, zero-length descriptor chain that
   spins forever when processing a READ_10 command. Check for zero
   length scenario and abort the read with a warning.

   Reported by Frank Denis.

   Discussed with and "go for it" from mlarkin@
VersionDeltaFile
1.31+6-1usr.sbin/vmd/vioscsi.c
+6-11 files

OpenBSD/src xt3d1Jpusr.bin/tmux style.c

   Fix scrollbar with a format colour.
VersionDeltaFile
1.45+11-4usr.bin/tmux/style.c
+11-41 files

OpenBSD/ports B8yHPSPnet/dleyna distinfo Makefile

   Update to dleyna-0.8.4.
VersionDeltaFile
1.5+2-2net/dleyna/distinfo
1.12+1-2net/dleyna/Makefile
+3-42 files

OpenBSD/ports RTASb1inet/avahi Makefile distinfo, net/avahi/patches patch-avahi-core_socket_c

   Update to avahi-0.9rc5.
VersionDeltaFile
1.170+3-5net/avahi/Makefile
1.14+2-2net/avahi/distinfo
1.7+3-0net/avahi/pkg/PLIST-libs
1.9+0-0net/avahi/patches/patch-avahi-core_socket_c
+8-74 files

OpenBSD/ports 5X2ef52astro/stellarium Makefile distinfo, astro/stellarium/pkg PLIST

   Update to stellarium-26.2.
VersionDeltaFile
1.67+101-35astro/stellarium/pkg/PLIST
1.115+3-2astro/stellarium/Makefile
1.68+2-2astro/stellarium/distinfo
+106-393 files

OpenBSD/ports qbkqsvKsysutils/exoscale-cli distinfo Makefile

   Update to exoscale-cli-1.95.3.
VersionDeltaFile
1.150+2-2sysutils/exoscale-cli/distinfo
1.153+1-1sysutils/exoscale-cli/Makefile
+3-32 files

OpenBSD/ports Np63YL2sysutils/amazon-ssm-agent distinfo Makefile, sysutils/amazon-ssm-agent/patches patch-agent_ssm_service_go

   Update to amazon-ssm-agent-3.3.4793.0.
VersionDeltaFile
1.172+2-2sysutils/amazon-ssm-agent/distinfo
1.186+1-1sysutils/amazon-ssm-agent/Makefile
1.16+1-1sysutils/amazon-ssm-agent/patches/patch-agent_ssm_service_go
+4-43 files

OpenBSD/ports SG8lJujx11/gnome/control-center distinfo Makefile, x11/gnome/control-center/pkg PLIST

   Update to gnome-control-center-49.8.
VersionDeltaFile
1.82+2-2x11/gnome/control-center/distinfo
1.147+1-1x11/gnome/control-center/Makefile
1.38+1-0x11/gnome/control-center/pkg/PLIST
+4-33 files

OpenBSD/src 9z14CRnusr.sbin/vmd mc146818.c

   vmd(8): reject invalid PIT periods causing UB.

   A guest can write values to Register A that results in a negative
   shift exponent when computing the resulting timer rate. Detect and
   ignore values to prevent UB from negative shift.

   Reported by Frank Denis.

   Discussed with and "go for it" from mlarkin@
VersionDeltaFile
1.32+6-2usr.sbin/vmd/mc146818.c
+6-21 files

OpenBSD/src CqUKuU8usr.bin/tmux options.c options-table.c

   Expand colours as formats like styles.
VersionDeltaFile
1.82+26-10usr.bin/tmux/options.c
1.220+16-11usr.bin/tmux/options-table.c
1.44+24-1usr.bin/tmux/style.c
1.56+11-12usr.bin/tmux/cmd-display-panes.c
1.34+8-3usr.bin/tmux/window-clock.c
1.27+10-1usr.bin/tmux/window-customize.c
+95-383 files not shown
+110-479 files

OpenBSD/ports VTwMjPLdevel/qt-creator Makefile distinfo, devel/qt-creator/patches patch-src_tools_process_stub_main_cpp patch-cmake_QtCreatorAPIInternal_cmake

   Update qt-creator to 20.0.0
VersionDeltaFile
1.49+19-13devel/qt-creator/pkg/PLIST
1.122+14-9devel/qt-creator/Makefile
1.4+7-7devel/qt-creator/patches/patch-src_tools_process_stub_main_cpp
1.58+2-2devel/qt-creator/distinfo
1.6+1-1devel/qt-creator/patches/patch-cmake_QtCreatorAPIInternal_cmake
1.2+0-0devel/qt-creator/patches/patch-src_libs_utils_crashreporting_cpp
+43-326 files

OpenBSD/src VVqvVA9lib/libcrypto/objects obj_mac.num objects.txt

   Add OIDs for CCR, ErikIndex, ErikPartition, CommunityDefinition

   References:
        https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-ccr
        https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-erik-protocol
        https://datatracker.ietf.org/doc/html/draft-ietf-grow-yang-bgp-communities

   OK tb@
VersionDeltaFile
1.40+5-0lib/libcrypto/objects/obj_mac.num
1.46+5-0lib/libcrypto/objects/objects.txt
+10-02 files

OpenBSD/src JjME480usr.sbin/vmd fw_cfg.c

   vmd(8): fix fw_cfg leak of file directory buffer.

   FW_CFG_FILE_DIR selector requests leak file directory buffers.
   Repeated requests from guests can exhaust vmd process memory.

   Reported by Frank Denis.

   Discussed with and "go for it" from mlarkin@
VersionDeltaFile
1.15+2-1usr.sbin/vmd/fw_cfg.c
+2-11 files

OpenBSD/ports 05r5EIBsysutils/testdisk Makefile

   sysutils/testdisk: force-disable security/libewf detection

   reported by naddy@
VersionDeltaFile
1.26+1-1sysutils/testdisk/Makefile
+1-11 files