BSD Commit Log Search

   update to py3-peewee-4.0.9

   merge NSD 4.14.3 (why they regenerated autoconf files with an older version,
   I do not know...)

   Update ktextaddons to 2.1.0

   import NSD 4.14.3

   update p5-Crypt-OpenSSL-X509 to 2.1.2

   Fix CVE-2026-12244, CVE-2026-12245, CVE-2026-12246 and CVE-2026-12490

   - CVE-2026-12244: A specially crafted SVCB RR can cause a heap
     overflow of up to 65509 attacker controlled bytes.
   - CVE-2026-12245: If NSD is configured with DNS over TLS, a
     client that performs a TLS action, closing the connection early,
     causes a crash and restart of the server process. An attacker can
     keep all children in a crash-restart loop denying DoT service.
   - CVE-2026-12246: The RR type APL rdata address, if too large,
     causes out of bounds write on the stack, when the zonefile is written
     out.
   - CVE-2026-12490: Secondaries authenticated by a client
     certificate to transfer a zone over TLS, can bypass verification by
     transferring over TCP.

   OK sthen

   update p5-HTTP-Date to 6.07

   Another couple of bits look nicer in grey.

   Apply better colours to various builtin bits in modes.

   Some more #include consistency.

   Prompted by job

   nca.c: more missing includes

   sys/types.h for ssize_t, stdlib.h for *alloc/free and stdio.h for fprintf.

   ok job

   update p5-List-SomeUtils-XS to 0.59
   CVE-2026-12844

   Fix includes for -portable

   OK tb@

   databases/sqlcipher: add column metadata and unlock notify extensions

   as discussed with and ok tb@ to enable future net/flare-messenger updates

   Update qbs to 3.3.0

   Fixed a null dereference when authentication-filter and configured and
   pap is used.   diff from iij.

   fix some boost 1.91 update fallout, to allow dependent ports to build

   OK tb@

   Update KDE Plasma to 6.7.1

   Upstream has meraged almost all of our OpenBSD-related PRs.

   https://kde.org/announcements/plasma/6/6.7.0/

   mention that ssh-keyscan output is only as trustworthy as the
   network between it and the SSH server; ok markus@

   Update libhidapi to 0.15.0

   Return statically built addresses when hostname == NULL  It always
   returns IPv4 and IPv6 addresses when hostname == NULL; previously, it
   returned only the address of the selected address family defined by
   "family" in resolv.conf.

   ok florian

   With x509_vfy.c 1.153, the x509_crl regress passes

   x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL

   Among CRLs with the same score prefer the one with the most recent
   lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
   626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
   This uses the annoying ASN1_TIME_diff() API, but there is no better
   way, really. Every other ASN1_TIME API will be just as awkward.

   This fixes the currently failing x509_crl test cases.

   ok kenjiro

   x509_crl regress: enable the failing test and mark as XFAIL

   unbreak build on arm64 until the compiler is actually fixed

   fatal error: error in backend: Cannot implicitly convert a scalable size to a fixed-width size in `TypeSize::operator ScalarTy()`
   clang++: error: clang frontend command failed with exit code 70 (use -v to see invocation)

   Prevent authenticated RADIUS CP attribute mapping overflowing rr_cfg.
   Reported by / the original diff from Andrew Griffiths

   ok markus

   Update to rust-openssl-tests 20260626

   Update to openssl-ruby-tests 20260625

   Update to wycheproof 20260625

   Make getaddrinfo(3) check hnok_lenient() earlier.

   r1.60 added special handling for localhost names; this was done before the
   hnok_lenient() check, ensure this validation applies to localhost names too.

   ok florian