start moving some global pf counters to per cpu counters.
this moves the pfctl_status.fcounters, which includes the state
search counter which is bumped every time the state table is searched.
the places that get a copy of these counters now have to read the
per cpu counters and fold them into a struct pf_status rather than
just copy the global now.
ok sashan@

add support for loading files (kernels) from the efi system partition.
this means you can put the openbsd boot loader and bsd.rd on the
efi boot partition and run the installer that way. this is a port
of the same code i got working on arm64.
ok jmatthew@

Ignore any iterator when traversing nd6 list.
nd6_rtrequest() could crash with a NULL pointer dereference if an
iterator in nd6_list was inspected. Skip freeing neighbor discovery
entries and optimization in this unlikely case and try again later.
reported by Mischa and Anton Kasimov; OK mvs@
this is errata/7.8/011_nd6.patch.sig

Fix incomplete mitigation of CVE-2025-11411 in unbound and unwind.
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff
This extends the previous fix by also scrubbing unsolicited NS RRSets (and
their respective address records) for YXDOMAIN and nodata non-referral answers.
from sthen@ florian@
this is errata/7.8/010_unbound.patch.sig

Fix incomplete mitigation of CVE-2025-11411 in unbound and unwind.
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff
This extends the previous fix by also scrubbing unsolicited NS RRSets (and
their respective address records) for YXDOMAIN and nodata non-referral answers.
from sthen@ florian@
this is errata/7.7/017_unbound.patch.sig

Fix drm code to avoid spurious tsleep errors leading to crashes
__set_current_state() reimplements parts of sleep_finish() but forgot
to clear P_SINTR. Later another tsleep->sleep_finish() call could
pick up the flag and erroneously return ERESTART early, leading to
crashes in unsuspecting code using tsleep(0, INFSLP).
Issue experienced by Piotr Isajew using iridium on 7.8 and myself
using firefox.
from jca; ok claudio@ mpi@ and most likely kettenis@
this is errata/7.8/007_drm.patch.sig

Fix drm code to avoid spurious tsleep errors leading to crashes
__set_current_state() reimplements parts of sleep_finish() but forgot
to clear P_SINTR. Later another tsleep->sleep_finish() call could
pick up the flag and erroneously return ERESTART early, leading to
crashes in unsuspecting code using tsleep(0, INFSLP).
Issue experienced by Piotr Isajew using iridium on 7.8 and myself
using firefox.
from jca; ok claudio@ mpi@ and most likely kettenis@
this is errata/7.7/015_drm.patch.sig

update to fcgi-2.4.7, CVE-2025-23016, fixes integer overflow (and
resultant heap-based buffer overflow) via crafted nameLen or valueLen
values in data to the IPC socket, in fcgiapp.c:ReadParams()

actually previous COMPILER setting was ok, so revert to that, if
COMPILER is set _before_ bsd.port.mk is included, COMPILER_LANGS is set
to c c++, and 3/python.port.mk doesn't override it.

Add "no banner" option to suppress Server header
Introduces a global and per-server "[no] banner" directive that prevents httpd
from sending the Server HTTP response header and removes server identification
from error documents. The SERVER_SOFTWARE CGI environment variable remains set
as required by RFC 3875.
Diff by Lloyd (thanks), ok kirill@