OpenBSD/src 9dg8qwZusr.bin/ssh ssh-agent.c ssh.c

   remove duplicate includes; ok dtucker@
VersionDeltaFile
1.319+1-2usr.bin/ssh/ssh-agent.c
1.626+1-2usr.bin/ssh/ssh.c
1.37+1-2usr.bin/ssh/sshlogin.c
+3-63 files

OpenBSD/src eUSxWeRsys/dev/ic qwx.c

   correct bounds check on number of memory segments
   found with smatch, feedback and ok stsp@
VersionDeltaFile
1.99+2-3sys/dev/ic/qwx.c
+2-31 files

OpenBSD/src FdTMiGiusr.sbin/rpki-client rpki-asn1.h

   update extern for renamed variable

   EncapContentInfo_it was renamed to ContentInfo_it in ccr.c rev 1.31
   ok claudio@
VersionDeltaFile
1.13+2-2usr.sbin/rpki-client/rpki-asn1.h
+2-21 files

OpenBSD/ports BTuGds6productivity/khal Makefile distinfo, productivity/khal/patches patch-khal_ui_calendarwidget_py patch-khal_ui_editor_py

   update to khal-0.13.0, ok jung@
   drop jung as maintainer as he requested
VersionDeltaFile
1.11+15-2productivity/khal/pkg/PLIST
1.27+3-7productivity/khal/Makefile
1.10+2-2productivity/khal/distinfo
1.2+0-0productivity/khal/patches/patch-khal_ui_calendarwidget_py
1.2+0-0productivity/khal/patches/patch-khal_ui_editor_py
1.2+0-0productivity/khal/patches/patch-khal_ui_widgets_py
+20-116 files

OpenBSD/ports 3IC8TVKnet/p5-Net-DNS-SEC distinfo Makefile

   update p5-Net-DNS-SEC to 1.27
VersionDeltaFile
1.35+4-4net/p5-Net-DNS-SEC/distinfo
1.49+1-1net/p5-Net-DNS-SEC/Makefile
+5-52 files

OpenBSD/ports bmXcI8Ysecurity/polarssl Makefile distinfo, security/polarssl/patches patch-library_timing_c patch-CMakeLists_txt

   MFC: SECURITY update to mbedtls-2.28.10

   Update to the last release in the now unsupported 2.28 LTS branch.

   - Buffer overread in TLS stream cipher suites
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
   - Timing side channel in private key RSA operations.
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
   - Buffer overflow in mbedtls_x509_set_extension()
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
   - Insecure handling of shared memory in PSA Crypto APIs
   https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
   - CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/
   - Potential authentication bypass in TLS handshake
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
   - TLS clients may unwittingly skip server authentication
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
VersionDeltaFile
1.1.16.1+16-10security/polarssl/patches/patch-library_timing_c
1.20.16.1+24-0security/polarssl/pkg/PLIST
1.50.4.1+7-8security/polarssl/Makefile
1.12.16.1+3-3security/polarssl/patches/patch-CMakeLists_txt
1.16.16.1+3-3security/polarssl/patches/patch-include_mbedtls_config_h
1.32.16.1+2-2security/polarssl/distinfo
+55-266 files

OpenBSD/ports MCjsnBJsecurity/polarssl Makefile distinfo, security/polarssl/patches patch-library_timing_c patch-include_mbedtls_config_h

   SECURITY update to mbedtls-2.28.10

   Update to the last release in the now unsupported 2.28 LTS branch.

   - Buffer overread in TLS stream cipher suites
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
   - Timing side channel in private key RSA operations.
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
   - Buffer overflow in mbedtls_x509_set_extension()
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
   - Insecure handling of shared memory in PSA Crypto APIs
   https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
   - CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/
   - Potential authentication bypass in TLS handshake
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
   - TLS clients may unwittingly skip server authentication
   https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
VersionDeltaFile
1.2+16-10security/polarssl/patches/patch-library_timing_c
1.21+24-0security/polarssl/pkg/PLIST
1.53+5-6security/polarssl/Makefile
1.17+3-3security/polarssl/patches/patch-include_mbedtls_config_h
1.13+3-3security/polarssl/patches/patch-CMakeLists_txt
1.33+2-2security/polarssl/distinfo
+53-246 files

OpenBSD/ports LwvpIbXnet/p5-Net-DNS distinfo Makefile, net/p5-Net-DNS/pkg PLIST

   update p5-Net-DNS-1.54
VersionDeltaFile
1.90+4-4net/p5-Net-DNS/distinfo
1.116+1-1net/p5-Net-DNS/Makefile
1.39+2-0net/p5-Net-DNS/pkg/PLIST
+7-53 files

OpenBSD/ports KPSTI1umisc/llama.cpp Makefile distinfo

   misc/llama.cpp: update to b8067

   OK: volker@
VersionDeltaFile
1.16+5-3misc/llama.cpp/Makefile
1.9+2-2misc/llama.cpp/distinfo
+7-52 files

OpenBSD/ports p5Yyi8hdevel/libggml Makefile distinfo, devel/libggml/patches patch-src_ggml-backend-reg_cpp patch-CMakeLists_txt

   devel/libggml: update to 0.9.7

   OK: volker@
VersionDeltaFile
1.8+3-4devel/libggml/Makefile
1.6+2-2devel/libggml/distinfo
1.4+1-1devel/libggml/patches/patch-src_ggml-backend-reg_cpp
1.3+1-1devel/libggml/patches/patch-CMakeLists_txt
+7-84 files

OpenBSD/ports PEIKf6Oarchivers/zpaqfranz distinfo Makefile

   Update zpaqfranz to 64.5

   From maintainer tux0r, thanks!
VersionDeltaFile
1.37+2-2archivers/zpaqfranz/distinfo
1.40+1-1archivers/zpaqfranz/Makefile
+3-32 files

OpenBSD/ports cWwykoitextproc/pastel distinfo crates.inc

   textproc/pastel: Update to 0.12.0
VersionDeltaFile
1.4+16-22textproc/pastel/distinfo
1.4+7-10textproc/pastel/crates.inc
1.5+1-1textproc/pastel/Makefile
+24-333 files

OpenBSD/ports 6g101ivtextproc/hexyl distinfo crates.inc

   textproc/hexyl: Update to 0.17.0
VersionDeltaFile
1.6+6-6textproc/hexyl/distinfo
1.5+2-2textproc/hexyl/crates.inc
1.7+1-2textproc/hexyl/Makefile
+9-103 files

OpenBSD/ports cPRhwJBx11/kde-applications/audiocd-kio Makefile, x11/kde-applications/audiocd-kio/pkg PLIST

   Regen PLIST to unbreak.
VersionDeltaFile
1.25+14-13x11/kde-applications/audiocd-kio/pkg/PLIST
1.26+1-0x11/kde-applications/audiocd-kio/Makefile
+15-132 files

OpenBSD/ports wl9wfUrmath/kst Makefile

   Move MODCMAKE_POLICY_VERSION_OVERRIDE where it belongs.
VersionDeltaFile
1.47+3-5math/kst/Makefile
+3-51 files

OpenBSD/ports zGTFrWssecurity/nss distinfo Makefile

   security/nss: update to 3.120.1

   Bug 2009552 - avoid integer overflow in platform-independent ghash
VersionDeltaFile
1.167+2-2security/nss/distinfo
1.208+1-1security/nss/Makefile
+3-32 files

OpenBSD/ports lvLy66Zwayland/wf-recorder distinfo Makefile, wayland/wf-recorder/patches patch-src_main_cpp patch-src_frame-writer_cpp

   wayland/wf-recorder: update to 0.6.0

   see https://github.com/ammen99/wf-recorder/releases/tag/v0.6.0
VersionDeltaFile
1.2+0-28wayland/wf-recorder/patches/patch-src_main_cpp
1.2+4-0wayland/wf-recorder/pkg/PLIST
1.2+2-2wayland/wf-recorder/distinfo
1.4+1-1wayland/wf-recorder/Makefile
1.2+0-0wayland/wf-recorder/patches/patch-src_frame-writer_cpp
+7-315 files

OpenBSD/ports JysLx9Mdevel/visualvm Makefile, devel/visualvm/pkg PLIST

   devel/visualvm: remove deployed with precompiled rubbish

   noticed by ian@
VersionDeltaFile
1.5+0-45devel/visualvm/pkg/PLIST
1.6+2-0devel/visualvm/Makefile
+2-452 files

OpenBSD/ports Q2mjcJUsysutils Makefile

   +gemini-cli
VersionDeltaFile
1.774+1-0sysutils/Makefile
+1-01 files

OpenBSD/ports iV9JAGHsysutils/gemini-cli Makefile distinfo, sysutils/gemini-cli/pkg PLIST DESCR

   Initial revision
VersionDeltaFile
1.1+29,699-0sysutils/gemini-cli/pkg/PLIST
1.1+70-0sysutils/gemini-cli/Makefile
1.1+9-0sysutils/gemini-cli/pkg/DESCR
1.1+2-0sysutils/gemini-cli/distinfo
1.1.1.1+0-0sysutils/gemini-cli/Makefile
1.1.1.1+0-0sysutils/gemini-cli/distinfo
+29,780-02 files not shown
+29,780-08 files

OpenBSD/src ZAZ3NiRsys/arch/amd64/amd64 trap.c

   Handle VMMCALL in vctrap()

   When SEV guest userland issues a vmmcall instruction, a #VC exception
   with code SVM_VMEXIT_VMMCALL will be raised in the guest kernel.
   For now we do not allow vmmcalls from guest userland, thus terminate
   the userland process with SIGILL.

   This is similar to the non-SEV case.

   ok mlarkin@
VersionDeltaFile
1.117+9-1sys/arch/amd64/amd64/trap.c
+9-11 files

OpenBSD/src WqdEGxnsys/arch/amd64/amd64 vmm_machdep.c

   vmm(4): Ignore VMGEXIT request and inject #UD

   SEV guest userland processes are allowed to issue the vmgexit
   instruction.  However, guest userland has no access to the GHCB.

   VMEXITs with exit reason SVM_VMEXIT_VMGEXIT initiated by the guest
   kernel will always provide a valid GHCB request.

   Moreover, as the guest kernel makes sure, that the GHCB contains
   no request when guest userland is running, a rouge guest userland
   process can only force repeated VMEXITs with an empty GHCB.

   Therefore, in vmm(4)'s vmgexit handler inject #UD when the exit
   reason is not updated with data from the GHCB and stays on
   SVM_VMEXIT_VMGEXIT.

   ok mlarkin@
VersionDeltaFile
1.72+4-1sys/arch/amd64/amd64/vmm_machdep.c
+4-11 files

OpenBSD/src JrRbDu1sys/arch/amd64/amd64 ghcb.c vmm_machdep.c, sys/arch/amd64/include ghcb.h

   vmm(4): Check for and allow empty GHCB; only clear valid bitmap

   The GHCB valid bitmap indicates wether the GHCB contains a request
   or not.  When no bits are set, ignore the GHCB and do not sync with
   vCPU state.

   To clear/invalidate the GHCB just zero out the valid bitmap instead
   of the full GHCB.

   ok mlarkin@
VersionDeltaFile
1.8+19-3sys/arch/amd64/amd64/ghcb.c
1.71+3-1sys/arch/amd64/amd64/vmm_machdep.c
1.7+2-1sys/arch/amd64/include/ghcb.h
+24-53 files

OpenBSD/ports riVWv9jmail/mozilla-thunderbird distinfo Makefile

   mail/mozilla-thunderbird: MFC security update to 140.7.2.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.301.2.6+2-2mail/mozilla-thunderbird/distinfo
1.513.2.6+1-1mail/mozilla-thunderbird/Makefile
+3-32 files

OpenBSD/ports CkrktfQwww/mozilla-firefox distinfo Makefile

   www/mozilla-firefox: security update to 147.0.4

   see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.378.2.12+2-2www/mozilla-firefox/distinfo
1.651.2.14+1-1www/mozilla-firefox/Makefile
+3-32 files

OpenBSD/ports FdIGYeNwww/firefox-i18n distinfo Makefile.inc, www/mozilla-firefox distinfo Makefile

   www/mozilla-firefox: security update to 147.0.4.

   see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.379+164-164www/firefox-i18n/distinfo
1.392+4-4www/mozilla-firefox/distinfo
1.671+2-2www/mozilla-firefox/Makefile
1.334+1-1www/firefox-i18n/Makefile.inc
+171-1714 files

OpenBSD/ports gGpBhjamail/mozilla-thunderbird distinfo Makefile, mail/thunderbird-i18n distinfo Makefile.inc

   mail/mozilla-thunderbird: security update to 140.7.2.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.291+132-132mail/thunderbird-i18n/distinfo
1.307+2-2mail/mozilla-thunderbird/distinfo
1.519+1-1mail/mozilla-thunderbird/Makefile
1.265+1-1mail/thunderbird-i18n/Makefile.inc
+136-1364 files

OpenBSD/ports Tv7TVbQwww/firefox-esr distinfo Makefile

   www/firefox-esr: MFC security update to 140.7.1

   see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.171.2.5+2-2www/firefox-esr/distinfo
1.258.2.5+1-1www/firefox-esr/Makefile
+3-32 files

OpenBSD/ports CyfGrHYwww/firefox-esr distinfo Makefile, www/firefox-esr-i18n distinfo Makefile.inc

   www/firefox-esr: security update to 140.7.1

   see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
   CVE-2026-2447: Heap buffer overflow in libvpx
VersionDeltaFile
1.173+162-162www/firefox-esr-i18n/distinfo
1.176+4-4www/firefox-esr/distinfo
1.263+2-2www/firefox-esr/Makefile
1.185+1-1www/firefox-esr-i18n/Makefile.inc
+169-1694 files

OpenBSD/src G1ilw5dusr.sbin/bgpd rde.c

   Make sure that the filterset passed along with other objects is present.

   For communication with the parent the missing presence of a filter_set
   is cause for a panic. This should just never happen. For messages from
   bgpctl that are forwarded by the session engine things are more complex.
   Make sure the filter_set was sent and only execute the command that
   wraps this filter_set is present. If it is not there it may have been
   filtered out because it is invalid and then the command depending on
   this data should not be executed.

   OK tb@
VersionDeltaFile
1.684+38-17usr.sbin/bgpd/rde.c
+38-171 files