BSD Commit Log Search

   ccid: updated to 1.8.2

   1.8.2
   - Fix initialisation of composite devices (like Yubico tokens)
   - Correctly close the slots of a multi-slots reader (serial

   Updated lang/nodejs, lang/nodejs24, lang/nodejs22

   nodejs22: updated to 22.23.0

   22.23.0 'Jod' (LTS)

   Notable Changes

   (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
   (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
   (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
   (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
   (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
   (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
   (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
   (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
   (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
   (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
   (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

   nodejs24: updated to 24.17.0

   24.17.0 'Krypton' (LTS)

   Notable Changes

   (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
   (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
   (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
   (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
   (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
   (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
   (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
   (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
   (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
   (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
   (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

   nodejs: updated to 26.3.1

   26.3.1 (Current)

   Notable Changes

   (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
   (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
   (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
   (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
   (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
   (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
   (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
   (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
   (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
   (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
   (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

[mlir][tosa] Check same input/output types in pooling ops verifier (#203565)

Adds a missing check to make sure the input and output types of pooling
ops have the same element type.

review

   Update fuse to 1.9.0.

[AArch64][GISel] Remove hard-coded operand index from FCVT renderers (#204118)

[clang][NFC] Add LLVM_PREFERRED_TYPE to EvaluatedStmt bitfields (#205026)

gitignore: Add emacs lock files

[AMDGPU] Remove stale declarations. NFC. (#205047)

Remove declarations of functions that are never defined. Also remove
unused field AMDGPUInstructionSelector::TM.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply at anthropic.com>

   Reject empty CNAMEs in gethostbyname(3) / getaddrinfo(3).

   An empty string is arguably not a correct hostname (even though
   res_hnok accepts it). More worrisome though is software not expecting
   this and making mistakes. In practice this cannot happen unless the
   resolver lies to us.

   OK deraadt, jca

clang/AMDGPU: Use effective triple instead of raw toolchain triple

Start using the effective triple instead of the raw toolchain triple.
For the moment this is NFC, but will change when new uses of the subarch
field are introduced.

   doc: Updated graphics/glslang to 1.4.350.1

   glslang: update to vulkan-sdk-1.4.350.1

   No changelog

   doc: Updated parallel/spirv-tools to 1.4.350.1

   spirv-tools: update to vulkan-sdk-1.4.350.1

   No changelog

   doc: Updated parallel/spirv-headers to 1.4.350.1

   spirv-headers: update to vulkan-sdk-1.4.350.1

   No changelog

   doc: Updated graphics/vulkan-tools to 1.4.350.1

   vulkan-tools: update to vulkan-sdk-1.4.350.1

   No changelog

   yubico/yubikey-manager: remove upper bound for py-cryptography

[LV] Allow scalable VFs in `-force-vector-width` (and use in tests) (#204953)

This updates `-force-vector-width=VF` to accept scalable VFs. If a
scalable width is specified it is assumed the target supports scalable
vectors.

So for example, `-force-vector-width="vscale x 4"` works as a shorthand
for `-scalable-vectorization=always -force-target-supports-scalable-vectors=true -force-vector-width=4`.

sysutils/bottom: Update to 0.14.1

   net/snowflake_proxy: update to 2.14.0

   and change email address to my openbsd.org email address while there.

   doc: Updated graphics/vulkan-loader to 1.4.350.1

   vulkan-loader: update to vulkan-sdk-1.4.350.1

   No changelog

   Place floating cells meaningfully into the layouts, from Dane Jensen.

   doc: Updated graphics/vulkan-headers to 1.4.350.1