OpenBSD/ports PEIKf6Oarchivers/zpaqfranz distinfo Makefile

   Update zpaqfranz to 64.5

   From maintainer tux0r, thanks!
VersionDeltaFile
1.37+2-2archivers/zpaqfranz/distinfo
1.40+1-1archivers/zpaqfranz/Makefile
+3-32 files

OpenBSD/ports cWwykoitextproc/pastel distinfo crates.inc

   textproc/pastel: Update to 0.12.0
VersionDeltaFile
1.4+16-22textproc/pastel/distinfo
1.4+7-10textproc/pastel/crates.inc
1.5+1-1textproc/pastel/Makefile
+24-333 files

OpenBSD/ports 6g101ivtextproc/hexyl distinfo crates.inc

   textproc/hexyl: Update to 0.17.0
VersionDeltaFile
1.6+6-6textproc/hexyl/distinfo
1.5+2-2textproc/hexyl/crates.inc
1.7+1-2textproc/hexyl/Makefile
+9-103 files

OpenBSD/ports cPRhwJBx11/kde-applications/audiocd-kio Makefile, x11/kde-applications/audiocd-kio/pkg PLIST

   Regen PLIST to unbreak.
VersionDeltaFile
1.25+14-13x11/kde-applications/audiocd-kio/pkg/PLIST
1.26+1-0x11/kde-applications/audiocd-kio/Makefile
+15-132 files

OpenBSD/ports wl9wfUrmath/kst Makefile

   Move MODCMAKE_POLICY_VERSION_OVERRIDE where it belongs.
VersionDeltaFile
1.47+3-5math/kst/Makefile
+3-51 files

OpenBSD/ports zGTFrWssecurity/nss distinfo Makefile

   security/nss: update to 3.120.1

   Bug 2009552 - avoid integer overflow in platform-independent ghash
VersionDeltaFile
1.167+2-2security/nss/distinfo
1.208+1-1security/nss/Makefile
+3-32 files

OpenBSD/ports lvLy66Zwayland/wf-recorder distinfo Makefile, wayland/wf-recorder/patches patch-src_main_cpp patch-src_frame-writer_cpp

   wayland/wf-recorder: update to 0.6.0

   see https://github.com/ammen99/wf-recorder/releases/tag/v0.6.0
VersionDeltaFile
1.2+0-28wayland/wf-recorder/patches/patch-src_main_cpp
1.2+4-0wayland/wf-recorder/pkg/PLIST
1.2+2-2wayland/wf-recorder/distinfo
1.4+1-1wayland/wf-recorder/Makefile
1.2+0-0wayland/wf-recorder/patches/patch-src_frame-writer_cpp
+7-315 files

OpenBSD/ports JysLx9Mdevel/visualvm Makefile, devel/visualvm/pkg PLIST

   devel/visualvm: remove deployed with precompiled rubbish

   noticed by ian@
VersionDeltaFile
1.5+0-45devel/visualvm/pkg/PLIST
1.6+2-0devel/visualvm/Makefile
+2-452 files

OpenBSD/ports Q2mjcJUsysutils Makefile

   +gemini-cli
VersionDeltaFile
1.774+1-0sysutils/Makefile
+1-01 files

OpenBSD/ports iV9JAGHsysutils/gemini-cli Makefile distinfo, sysutils/gemini-cli/pkg PLIST DESCR

   Initial revision
VersionDeltaFile
1.1+29,699-0sysutils/gemini-cli/pkg/PLIST
1.1+70-0sysutils/gemini-cli/Makefile
1.1+9-0sysutils/gemini-cli/pkg/DESCR
1.1+2-0sysutils/gemini-cli/distinfo
1.1.1.1+0-0sysutils/gemini-cli/Makefile
1.1.1.1+0-0sysutils/gemini-cli/distinfo
+29,780-02 files not shown
+29,780-08 files

OpenBSD/src ZAZ3NiRsys/arch/amd64/amd64 trap.c

   Handle VMMCALL in vctrap()

   When SEV guest userland issues a vmmcall instruction, a #VC exception
   with code SVM_VMEXIT_VMMCALL will be raised in the guest kernel.
   For now we do not allow vmmcalls from guest userland, thus terminate
   the userland process with SIGILL.

   This is similar to the non-SEV case.

   ok mlarkin@
VersionDeltaFile
1.117+9-1sys/arch/amd64/amd64/trap.c
+9-11 files

OpenBSD/src WqdEGxnsys/arch/amd64/amd64 vmm_machdep.c

   vmm(4): Ignore VMGEXIT request and inject #UD

   SEV guest userland processes are allowed to issue the vmgexit
   instruction.  However, guest userland has no access to the GHCB.

   VMEXITs with exit reason SVM_VMEXIT_VMGEXIT initiated by the guest
   kernel will always provide a valid GHCB request.

   Moreover, as the guest kernel makes sure, that the GHCB contains
   no request when guest userland is running, a rouge guest userland
   process can only force repeated VMEXITs with an empty GHCB.

   Therefore, in vmm(4)'s vmgexit handler inject #UD when the exit
   reason is not updated with data from the GHCB and stays on
   SVM_VMEXIT_VMGEXIT.

   ok mlarkin@
VersionDeltaFile
1.72+4-1sys/arch/amd64/amd64/vmm_machdep.c
+4-11 files

OpenBSD/src JrRbDu1sys/arch/amd64/amd64 ghcb.c vmm_machdep.c, sys/arch/amd64/include ghcb.h

   vmm(4): Check for and allow empty GHCB; only clear valid bitmap

   The GHCB valid bitmap indicates wether the GHCB contains a request
   or not.  When no bits are set, ignore the GHCB and do not sync with
   vCPU state.

   To clear/invalidate the GHCB just zero out the valid bitmap instead
   of the full GHCB.

   ok mlarkin@
VersionDeltaFile
1.8+19-3sys/arch/amd64/amd64/ghcb.c
1.71+3-1sys/arch/amd64/amd64/vmm_machdep.c
1.7+2-1sys/arch/amd64/include/ghcb.h
+24-53 files

OpenBSD/ports riVWv9jmail/mozilla-thunderbird distinfo Makefile

   mail/mozilla-thunderbird: MFC security update to 140.7.2.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.301.2.6+2-2mail/mozilla-thunderbird/distinfo
1.513.2.6+1-1mail/mozilla-thunderbird/Makefile
+3-32 files

OpenBSD/ports CkrktfQwww/mozilla-firefox distinfo Makefile

   www/mozilla-firefox: security update to 147.0.4

   see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.378.2.12+2-2www/mozilla-firefox/distinfo
1.651.2.14+1-1www/mozilla-firefox/Makefile
+3-32 files

OpenBSD/ports FdIGYeNwww/firefox-i18n distinfo Makefile.inc, www/mozilla-firefox distinfo Makefile

   www/mozilla-firefox: security update to 147.0.4.

   see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.379+164-164www/firefox-i18n/distinfo
1.392+4-4www/mozilla-firefox/distinfo
1.671+2-2www/mozilla-firefox/Makefile
1.334+1-1www/firefox-i18n/Makefile.inc
+171-1714 files

OpenBSD/ports gGpBhjamail/mozilla-thunderbird distinfo Makefile, mail/thunderbird-i18n distinfo Makefile.inc

   mail/mozilla-thunderbird: security update to 140.7.2.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.291+132-132mail/thunderbird-i18n/distinfo
1.307+2-2mail/mozilla-thunderbird/distinfo
1.519+1-1mail/mozilla-thunderbird/Makefile
1.265+1-1mail/thunderbird-i18n/Makefile.inc
+136-1364 files

OpenBSD/ports Tv7TVbQwww/firefox-esr distinfo Makefile

   www/firefox-esr: MFC security update to 140.7.1

   see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.171.2.5+2-2www/firefox-esr/distinfo
1.258.2.5+1-1www/firefox-esr/Makefile
+3-32 files

OpenBSD/ports CyfGrHYwww/firefox-esr distinfo Makefile, www/firefox-esr-i18n distinfo Makefile.inc

   www/firefox-esr: security update to 140.7.1

   see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.173+162-162www/firefox-esr-i18n/distinfo
1.176+4-4www/firefox-esr/distinfo
1.263+2-2www/firefox-esr/Makefile
1.185+1-1www/firefox-esr-i18n/Makefile.inc
+169-1694 files

OpenBSD/src G1ilw5dusr.sbin/bgpd rde.c

   Make sure that the filterset passed along with other objects is present.

   For communication with the parent the missing presence of a filter_set
   is cause for a panic. This should just never happen. For messages from
   bgpctl that are forwarded by the session engine things are more complex.
   Make sure the filter_set was sent and only execute the command that
   wraps this filter_set is present. If it is not there it may have been
   filtered out because it is invalid and then the command depending on
   this data should not be executed.

   OK tb@
VersionDeltaFile
1.684+38-17usr.sbin/bgpd/rde.c
+38-171 files

OpenBSD/src 6d3iHaBusr.sbin/bgpd rde_filter.c

   Make sure rde_filterset_unref() can be called with a NULL pointer.
   OK tb@
VersionDeltaFile
1.146+3-1usr.sbin/bgpd/rde_filter.c
+3-11 files

OpenBSD/ports IDUYwxWinfrastructure/db user.list

   reserve uids for hylafax and iaxmodem, which were using "uucp" that was
   removed from base some years ago.
VersionDeltaFile
1.482+3-1infrastructure/db/user.list
+3-11 files

OpenBSD/src F2hSPWFusr.sbin/traceroute traceroute.c

   Make sure that internal counters do not go out of bounds if the '-n' or
   '-A' options are specified more than once. From Petre Rodan, ok florian@
VersionDeltaFile
1.171+9-5usr.sbin/traceroute/traceroute.c
+9-51 files

OpenBSD/src JpcJsubregress/sys/arch/amd64 Makefile, regress/sys/arch/amd64/vmmcall vmmcall.c Makefile

   regress: Test vmmcall raises #UD

   On AMD/SVM the hypervisor will inject #UD when userland tries to
   execute the vmmcall instruction.  Same holds for vmgexit which is
   encode as "rep vmmcall".

   On Intel/VMX vmmcall and vmgexit are invalid instructions, so the
   CPU will raise #UD.

   ok mlarkin@
VersionDeltaFile
1.1+80-0regress/sys/arch/amd64/vmmcall/vmmcall.c
1.1+29-0regress/sys/arch/amd64/vmmcall/Makefile
1.6+2-1regress/sys/arch/amd64/Makefile
+111-13 files

OpenBSD/src xgIqwqaregress/sys/arch/amd64 Makefile, regress/sys/arch/amd64/vmcall vmcall.c Makefile

   regress: Test vmcall raises #UD

   On Intel/VMX the hypervisor will inject #UD when userland tries to
   execute the vmcall instruction.

   On AMD/SVM vmcall is an invalid instruction, so the CPU will raise

   ok mlarkin@
VersionDeltaFile
1.1+63-0regress/sys/arch/amd64/vmcall/vmcall.c
1.1+28-0regress/sys/arch/amd64/vmcall/Makefile
1.5+2-1regress/sys/arch/amd64/Makefile
+93-13 files

OpenBSD/ports dGiluURgames/warzone2100 Makefile

   more cmake 4 whack-a-mole
VersionDeltaFile
1.60+1-0games/warzone2100/Makefile
+1-01 files

OpenBSD/src goVnX7dsys/arch/amd64/amd64 vmm_machdep.c

   vmm(4): inject #UD for VMs running on SVM/VMX

   While there fix typo in a debug printf.

   ok mlarkin@
VersionDeltaFile
1.70+10-2sys/arch/amd64/amd64/vmm_machdep.c
+10-21 files

OpenBSD/src wevq1k3sys/dev/ic psp.c

   psp(4): add another firmware file

   ok mlarkin@
VersionDeltaFile
1.23+2-1sys/dev/ic/psp.c
+2-11 files

OpenBSD/ports 5YuKKSegames/openmw Makefile

   Use MODCMAKE_POLICY_VERSION_OVERRIDE as intended by the MODULE.
VersionDeltaFile
1.43+3-3games/openmw/Makefile
+3-31 files

OpenBSD/src QcRByHYsys/dev/pci if_bnxt.c

   On newer hardware generations, no async events are enabled by default,
   so explicitly enable the ones we're interested in.

   tested by stsp@ as part of a larger diff
   ok dlg@
VersionDeltaFile
1.66+24-2sys/dev/pci/if_bnxt.c
+24-21 files