The percentage heuristic has failed for me on 40% of the machines
I run, so it is clear it is going to fail for many more people when
the next release comes out. It is wrong, back it out.
Ignore TCP SACK packets with invalid sequence numbers.
Due to an integer overflow, sequence numbers in selective ACK packets
were accepted. Such packets caused a NULL pointer dereference in
the TCP stack, resulting in a kernel crash.
Reported by Nicholas Carlini at anthropic dot com
with deraadt@; OK markus@
this is errata/7.7/031_sack.patch.sig
Ignore TCP SACK packets with invalid sequence numbers.
Due to an integer overflow, sequence numbers in selective ACK packets
were accepted. Such packets caused a NULL pointer dereference in
the TCP stack, resulting in a kernel crash.
Reported by Nicholas Carlini at anthropic dot com
with deraadt@; OK markus@
this is errata/7.8/025_sack.patch.sig
Ignore TCP SACK packets with invalid sequence numbers.
Due to an integer overflow, sequence numbers in selective ACK packets
were accepted. Such packets caused a NULL pointer dereference in
the TCP stack, resulting in a kernel crash.
Reported by Nicholas Carlini at anthropic dot com
with deraadt@; OK markus@
Backport fixes from libexpat version 2.7.5.
Relevant for OpenBSD are security fixes #1158 #1161 #1162 #1163,
other changes #1156 #1153. Library bump is not necessary.
CVE-2026-32776 CVE-2026-32777 CVE-2026-32778
OK tb@
this is errata/7.7/030_expat.patch.sig
Backport fixes from libexpat version 2.7.5.
Relevant for OpenBSD are security fixes #1158 #1161 #1162 #1163,
other changes #1156 #1153. Library bump is not necessary.
CVE-2026-32776 CVE-2026-32777 CVE-2026-32778
this is errata/7.8/024_expat.patch.sig