remove duplicate includes; ok dtucker@
correct bounds check on number of memory segments
found with smatch, feedback and ok stsp@
update extern for renamed variable
EncapContentInfo_it was renamed to ContentInfo_it in ccr.c rev 1.31
ok claudio@
OpenBSD /ports BTuGds6 — productivity/khal Makefile distinfo, productivity/khal/patches patch-khal_ui_calendarwidget_py patch-khal_ui_editor_py update to khal-0.13.0, ok jung@
drop jung as maintainer as he requested
update p5-Net-DNS-SEC to 1.27
OpenBSD /ports bmXcI8Y — security/polarssl Makefile distinfo, security/polarssl/patches patch-library_timing_c patch-CMakeLists_txt MFC: SECURITY update to mbedtls-2.28.10
Update to the last release in the now unsupported 2.28 LTS branch.
- Buffer overread in TLS stream cipher suites
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
- Timing side channel in private key RSA operations.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
- Buffer overflow in mbedtls_x509_set_extension()
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
- Insecure handling of shared memory in PSA Crypto APIs
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
- CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/
- Potential authentication bypass in TLS handshake
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
- TLS clients may unwittingly skip server authentication
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
OpenBSD /ports MCjsnBJ — security/polarssl Makefile distinfo, security/polarssl/patches patch-library_timing_c patch-include_mbedtls_config_h SECURITY update to mbedtls-2.28.10
Update to the last release in the now unsupported 2.28 LTS branch.
- Buffer overread in TLS stream cipher suites
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
- Timing side channel in private key RSA operations.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
- Buffer overflow in mbedtls_x509_set_extension()
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
- Insecure handling of shared memory in PSA Crypto APIs
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
- CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/
- Potential authentication bypass in TLS handshake
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
- TLS clients may unwittingly skip server authentication
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
update p5-Net-DNS-1.54
misc/llama.cpp: update to b8067
OK: volker@
OpenBSD /ports p5Yyi8h — devel/libggml Makefile distinfo, devel/libggml/patches patch-src_ggml-backend-reg_cpp patch-CMakeLists_txt devel/libggml: update to 0.9.7
OK: volker@
Update zpaqfranz to 64.5
From maintainer tux0r, thanks!
textproc/pastel: Update to 0.12.0
textproc/hexyl: Update to 0.17.0
OpenBSD /ports cPRhwJB — x11/kde-applications/audiocd-kio Makefile, x11/kde-applications/audiocd-kio/pkg PLIST Regen PLIST to unbreak.
Move MODCMAKE_POLICY_VERSION_OVERRIDE where it belongs.
security/nss: update to 3.120.1
Bug 2009552 - avoid integer overflow in platform-independent ghash
OpenBSD /ports lvLy66Z — wayland/wf-recorder distinfo Makefile, wayland/wf-recorder/patches patch-src_main_cpp patch-src_frame-writer_cpp wayland/wf-recorder: update to 0.6.0
see https://github.com/ammen99/wf-recorder/releases/tag/v0.6.0
devel/visualvm: remove deployed with precompiled rubbish
noticed by ian@
+gemini-cli
OpenBSD /ports iV9JAGH — sysutils/gemini-cli Makefile distinfo, sysutils/gemini-cli/pkg PLIST DESCR Initial revision
Handle VMMCALL in vctrap()
When SEV guest userland issues a vmmcall instruction, a #VC exception
with code SVM_VMEXIT_VMMCALL will be raised in the guest kernel.
For now we do not allow vmmcalls from guest userland, thus terminate
the userland process with SIGILL.
This is similar to the non-SEV case.
ok mlarkin@
vmm(4): Ignore VMGEXIT request and inject #UD
SEV guest userland processes are allowed to issue the vmgexit
instruction. However, guest userland has no access to the GHCB.
VMEXITs with exit reason SVM_VMEXIT_VMGEXIT initiated by the guest
kernel will always provide a valid GHCB request.
Moreover, as the guest kernel makes sure that the GHCB contains
no request when guest userland is running, a rogue guest userland
process can only force repeated VMEXITs with an empty GHCB.
Therefore, in vmm(4)'s vmgexit handler inject #UD when the exit
reason is not updated with data from the GHCB and stays on
SVM_VMEXIT_VMGEXIT.
ok mlarkin@
OpenBSD /src JrRbDu1 — sys/arch/amd64/amd64 ghcb.c vmm_machdep.c, sys/arch/amd64/include ghcb.h vmm(4): Check for and allow empty GHCB; only clear valid bitmap
The GHCB valid bitmap indicates whether the GHCB contains a request
or not. When no bits are set, ignore the GHCB and do not sync with
vCPU state.
To clear/invalidate the GHCB just zero out the valid bitmap instead
of the full GHCB.
ok mlarkin@
mail/mozilla-thunderbird: MFC security update to 140.7.2.
see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
www/mozilla-firefox: security update to 147.0.4
see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
OpenBSD /ports FdIGYeN — www/firefox-i18n distinfo Makefile.inc, www/mozilla-firefox distinfo Makefile www/mozilla-firefox: security update to 147.0.4.
see https://www.firefox.com/en-US/firefox/147.0.4/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
OpenBSD /ports gGpBhja — mail/mozilla-thunderbird distinfo Makefile, mail/thunderbird-i18n distinfo Makefile.inc mail/mozilla-thunderbird: security update to 140.7.2.
see https://www.thunderbird.net/en-US/thunderbird/140.7.2esr/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
www/firefox-esr: MFC security update to 140.7.1
see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
OpenBSD /ports CyfGrHY — www/firefox-esr distinfo Makefile, www/firefox-esr-i18n distinfo Makefile.inc www/firefox-esr: security update to 140.7.1
see https://www.firefox.com/en-US/firefox/140.7.1/releasenotes/
fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
CVE-2026-2447: Heap buffer overflow in libvpx
Make sure that the filterset passed along with other objects is present.
For communication with the parent the missing presence of a filter_set
is cause for a panic. This should just never happen. For messages from
bgpctl that are forwarded by the session engine things are more complex.
Make sure the filter_set was sent and only execute the command that
wraps this filter_set if it is present. If it is not there it may have been
filtered out because it is invalid and then the command depending on
this data should not be executed.
OK tb@