import libevent-2.1.13 (previous was 2.1.12)
Changes in version 2.1.13-stable (01 July 2026)
This release contains several security fixes, affecting users of the
following modules: evbuffer, bufferevent, evtag, evrpc, evdns, evhttp.
If you have a program that uses one of those modules,
or if you distribute libevent, you should upgrade.
Additionally, this release backports some small modernizations to
the libevent codebase, to aid in compiling with the compilers
released over the last few years.
Security Fixes (evtag, evrpc):
- Fix an out-of-bounds read in decode_tag_internal.
(Found by @Brubbish. GHSA-fj29-64w6-73h6)
- Fix an integer overflow in evtag_unmarshal_header.
(Found by @Brubbish. GHSA-45c6-qx49-89m8)
[31 lines not shown]
PR lib/60324 - isolate descent into lib
Since no-one seems interested in implementing a better fix
than this for the issue in the PR which (sometimes) breaks
the builds, simply do the easiest possible thing which will
avoid the observed symptoms.
Don't allow builds in lib and external to happen in parallel
by simply isolating the descent into lib (there is a LOT to
do in there). Don't start anything else until that is done.
If anyone would like to find a different workable solution than
this one, please go ahead.
sbin/efi - avoid generating invalid UTF-8
Strings in UEFI are all made up of 16 bit chars, which are defined in the
UEFI standard to be UCS-2 (despite that format having been deprecated for
decades - replaced by UTF-16).
UCS-2 allowed for just 65536 code points (hence 16 bit storage). UTF-16
defines a block of 8192 of the available code-points to be surrogates, 4096
of them high surrogates, the other 4096 low surrogates, always to be used
as a pair, high then low.
Each surrogate of a pair provides 10 data bits, combining them together gives
a 20 bit value, which is used by UTF-16 to represent the code point values
from 0x10000 -> 0x10FFFF. By doing that they (for all time) reserved the
8192 surrogate code points (those with values from 0xD800 to 0xDFFF (incl)),
regardless of the format in which they're encoded, as being invalid, except
when used as part of a surrogate pair in UTF-16.
So, since UCS-2 had no surrogates (not really) and is (was) defined to
[16 lines not shown]
Pull up following revision(s) (requested by riastradh in ticket #376):
libexec/ld.elf_so/load.c: revision 1.52
rtld, ldd: Fix bad assertion.
(*needed)->obj may legitimately be null here, as the next line shows,
so don't check (*needed)->obj->refcount in that case.
PR bin/60422: ldd, rtld: crash inside assertion if needed object not
found
Pull up the following revisions(s) (requested by msaitoh in ticket #1310):
usr.sbin/syslogd/extern.h: revision 1.5
usr.sbin/syslogd/sign.c: revision 1.10
usr.sbin/syslogd/sign.h: revision 1.4
usr.sbin/syslogd/syslogd.c: revision 1.141,1.145,1.148,1.151-1.155 via patch
usr.sbin/syslogd/syslogd.h: revision 1.10-1.11 via patch
usr.sbin/syslogd/tls.c: revision 1.26-1.27
usr.sbin/syslogd/tls.h: revision 1.4
Some improvements for syslogd(8):
- Retry sendto() if it raises EBUSY, too.
- Add missing SLIST_INIT() in main(). This is not a real bug because
the tls_opt is in BSS and SLIST_INIT() assign NULL.
- Cleanups (KNF, fix typos and G.C.).