OpenBSD/src yYvdBrcusr.sbin/bgpd rde_adjout.c rde_peer.c

   Remove adjout_prefix_free() and its use in adjout_prefix_unlink() instead
   use tombstones in the adjout array for empty/unlinked entries and collect
   them later via adjout_prefix_collect().

   adjout_prefix_first() and adjout_prefix_next() return direct pointers
   into the adjout prefix array and adjout_prefix_free() reshuffles entries
   so the pointers returned by first/next are no longer valid. By using
   tombstones the array pointers remain intact and it is possible to walk
   the array.

   Once done with the pt_entry adjout_prefix_collect() is called and it will
   collect all tombstones. Again after calling adjout_prefix_collect() any
   pointer into the adjout array is most probably invalid.

   While this solves the problem with prefix withdraw it does not solve
   addition of new entries. The good thing is that there is no code path
   that would require such an operation.

   On top of this the adjout_prefix_dump_r() has to walk all prefixes since

    [3 lines not shown]
VersionDeltaFile
1.21+34-29usr.sbin/bgpd/rde_adjout.c
1.79+4-1usr.sbin/bgpd/rde_peer.c
1.200+2-1usr.sbin/bgpd/rde_update.c
1.357+2-1usr.sbin/bgpd/rde.h
+42-324 files

OpenBSD/ports f7pbh8zwww/iridium distinfo crates.inc, www/iridium/patches patch-chrome_browser_about_flags_cc patch-chrome_browser_policy_configuration_policy_handler_list_factory_cc

   update to 2026.07.150.1
VersionDeltaFile
1.126+346-270www/iridium/distinfo
1.2+171-133www/iridium/crates.inc
1.80+67-103www/iridium/patches/patch-chrome_browser_about_flags_cc
1.48+49-31www/iridium/patches/patch-chrome_browser_policy_configuration_policy_handler_list_factory_cc
1.67+11-47www/iridium/patches/patch-build_config_compiler_BUILD_gn
1.49+26-31www/iridium/patches/patch-chrome_browser_profiles_chrome_browser_main_extra_parts_profiles_cc
+670-615429 files not shown
+2,308-1,804435 files

OpenBSD/src MU4jD20usr.sbin/rpki-client cert.c

   rpki-client: simplify absence of SIA handling for BRK and RSC

   While RFC 6487, 4.8.8.2 clearly mandates the presence of the SIA extension
   for all EE certificates, there are two exceptions. BGPsec router keys are
   known to be special for no good rason, and they uphold this tradition and
   the EE cert of RSCs doesn't have a SIA since that makes sense for things
   that aren't distributed via the RPKI repository system.

   The logic allowing these special snowflakes is currently quite contorted.
   Simplify the comment to omit unnecesary fluff and implement the logic to
   match the comment precisely, also suppressing a duplicated warnx(). This
   does not really change anything but is much easier to follow.

   ok claudio
VersionDeltaFile
1.244+10-12usr.sbin/rpki-client/cert.c
+10-121 files

OpenBSD/src m4S856Yusr.bin/tmux prompt.c tmux.h

   Work out a single layout for the entire prompt so it can all be drawn
   together, fixes centered prompts. GitHub issue 5328.
VersionDeltaFile
1.5+217-88usr.bin/tmux/prompt.c
1.1398+3-1usr.bin/tmux/tmux.h
+220-892 files

OpenBSD/src gV3N4oDusr.bin/tmux window-copy.c

   Allow drag on a selection to modify it, from Michael Grant.
VersionDeltaFile
1.414+151-8usr.bin/tmux/window-copy.c
+151-81 files

OpenBSD/src OKy8AbPusr.bin/tmux layout.c cmd-split-window.c

   Make split-window inside a floating pane work more nicely and not
   immediately create an overlapping pane, from Dane Jensen.
VersionDeltaFile
1.94+142-16usr.bin/tmux/layout.c
1.142+20-15usr.bin/tmux/cmd-split-window.c
1.1133+16-1usr.bin/tmux/tmux.1
1.1397+7-2usr.bin/tmux/tmux.h
1.70+8-1usr.bin/tmux/cmd-join-pane.c
+193-355 files

OpenBSD/src vchfCj6usr.bin/tmux layout-set.c

   Set other cell when creating layout set, from Dane Jensen.
VersionDeltaFile
1.40+25-1usr.bin/tmux/layout-set.c
+25-11 files

OpenBSD/src demJtYrusr.bin/tmux cmd.c

   Size comparison should be >= not >, from Yayo Razo.
VersionDeltaFile
1.187+2-2usr.bin/tmux/cmd.c
+2-21 files

OpenBSD/ports z65pcOpmisc/screen Makefile distinfo, misc/screen/patches patch-doc_screen_1 patch-tests_mallocmock_c

   update to screen-5.0.2
VersionDeltaFile
1.86+4-11misc/screen/Makefile
1.13+7-7misc/screen/patches/patch-doc_screen_1
1.20+2-2misc/screen/distinfo
1.2+1-1misc/screen/patches/patch-tests_mallocmock_c
1.6+0-0misc/screen/patches/patch-doc_screen_texinfo
+14-215 files

OpenBSD/ports SotgI5Fsysutils/conky Makefile distinfo, sysutils/conky/patches patch-src_data_os_bsdcommon_h patch-src_data_hardware_bsdapm_cc

   update to conky-1.24.2
VersionDeltaFile
1.1+13-0sysutils/conky/patches/patch-src_data_os_bsdcommon_h
1.2+3-3sysutils/conky/patches/patch-src_data_hardware_bsdapm_cc
1.77+3-3sysutils/conky/Makefile
1.11+2-2sysutils/conky/distinfo
1.2+2-2sysutils/conky/patches/patch-src_core_cc
1.2+1-1sysutils/conky/patches/patch-CMakeLists_txt
+24-111 files not shown
+25-127 files

OpenBSD/ports ktFyD1Qnet/coredns Makefile

   NOT_FOR_ARCHS on 32-bit; builds fails on github.com/!data!dog/dd-trace-go/v2
VersionDeltaFile
1.41+3-0net/coredns/Makefile
+3-01 files

OpenBSD/src P7I1vnlsys/dev/pci/drm drm_drv.c, sys/dev/pci/drm/amd/amdgpu amdgpu_drv.c

   more cleanup on close to avoid a use after free

   In Linux, some driver specific cleanup is handled with the release
   function pointer in struct file_operations.

   For amdgpu, this was changed in Linux 6.16 from drm_release() to
   amdgpu_drm_release().  Add a file_close function pointer to
   struct drm_driver so we can call a function that does the same cleanup.

   found by gnezdo@ with KASAN
   ok gnezdo@
VersionDeltaFile
1.74+18-0sys/dev/pci/drm/amd/amdgpu/amdgpu_drv.c
1.205+3-0sys/dev/pci/drm/drm_drv.c
1.15+2-0sys/dev/pci/drm/include/drm/drm_drv.h
+23-03 files

OpenBSD/src aYj9MoWsys/net if_veb.c

   return ENOMEM when mallocarray() fails in veb_rule_list_get()
   ok jan@ dlg@
VersionDeltaFile
1.72+2-1sys/net/if_veb.c
+2-11 files

OpenBSD/src ePInh3msbin/ifconfig ifconfig.c

   fix "ifconfig vebX -tagged ifX"

   it was wired up in the code to expect an extra argument, which isn't
   needed or expected as it is meant to clear all the tags on the
   interface.

   found by and fix identified by scott colby on bugs@
   thanks scott
VersionDeltaFile
1.482+2-2sbin/ifconfig/ifconfig.c
+2-21 files

OpenBSD/src oanfoKrusr.sbin/smtpd queue_backend.c

   unlink the transformed temporary file on every commit failure

   queue_message_commit() left the .comp/.enc temporary behind on an ENOSPC
   rename failure and on the shared err path, so repeatedly triggering
   transform or out-of-space failures accumulated orphaned files.  unlink
   tmppath on all of those paths.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.71+6-7usr.sbin/smtpd/queue_backend.c
+6-71 files

OpenBSD/src 3NoI08kusr.sbin/smtpd mda_mbox.c

   reject empty or slash-bearing usernames before building the mbox path

   mda_mbox_init() builds _PATH_MAILDIR/username and creates and chowns it as
   root.  the username comes from K_USERINFO table data, which is not checked
   for slashes, so a dynamic userbase returning a slashed username could make
   root create a path outside the mailbox namespace. in practice, it does not
   affect default userbase which goes through getpwnam(), and it requires the
   admin to voluntarily create a badly crafted username in the userbase.

   from Andrew Griffiths (fixed by me), ok op@
VersionDeltaFile
1.4+7-2usr.sbin/smtpd/mda_mbox.c
+7-21 files

OpenBSD/src w91V28Husr.sbin/smtpd enqueue.c

   reject CR and LF in argv-derived fields before starting the SMTP dialogue

   enqueue interpolates the sender, recipients and DSN options straight into
   MAIL FROM / RCPT TO command lines.  an embedded CR or LF split the command
   boundary and injected additional SMTP commands over the local session, so
   refuse any such field up front.

   from Andrew Griffiths (fixed by me), ok op@
VersionDeltaFile
1.127+21-1usr.sbin/smtpd/enqueue.c
+21-11 files

OpenBSD/src ZfAqP4husr.sbin/smtpd mta.c

   free the copied envelope on the smarthost lookup failure path

   mta_on_smarthost() frees the malloc'd envelope on success, but the
   smarthost == NULL branch tempfailed the message and returned without
   freeing it, leaking a struct envelope per failed lookup.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.249+2-1usr.sbin/smtpd/mta.c
+2-11 files

OpenBSD/src CZZ66B2usr.sbin/smtpd mda.c

   free mda_subaddress in mda_envelope_free()

   mda_envelope() duplicates the subaddress with xstrdup() when present but
   mda_envelope_free() never released it, leaking one bounded string per
   subaddressed local delivery.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.148+2-1usr.sbin/smtpd/mda.c
+2-11 files

OpenBSD/src fg8haRjusr.sbin/smtpd compress_gzip.c

   use inflateEnd() to tear down the inflate stream in uncompress_gzip_chunk()

   the decompression path sets up the stream with inflateInit2() but the
   cleanup block called deflateEnd(), mismatching the zlib inflate/deflate
   APIs and leaking the stream state on every gzip queue read.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.14+2-2usr.sbin/smtpd/compress_gzip.c
+2-21 files

OpenBSD/src QkDm6zrusr.sbin/smtpd dns.c spfwalk.c

   stop parsing DNS answers once unpack_rr() reports failure

   the MX, MX-preference and spf walkers looped on the attacker-controlled
   ancount calling unpack_rr() without checking its return, processing stale
   or uninitialized rr contents on malformed or truncated replies.  break out
   of the loop as soon as unpack_rr() fails.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.93+5-3usr.sbin/smtpd/dns.c
1.21+2-2usr.sbin/smtpd/spfwalk.c
+7-52 files

OpenBSD/ports aNU5G6Hgames/nethack/5.0 Makefile, games/nethack/5.0/files x-config

   Enable X11 flavour for nethack/5.0.
   From espie
VersionDeltaFile
1.2+12-2games/nethack/5.0/Makefile
1.1+11-0games/nethack/5.0/files/x-config
1.2+9-0games/nethack/5.0/patches/patch-sys_unix_Makefile_src
1.1+5-0games/nethack/5.0/pkg/PFRAG.no-no_x11
1.2+1-0games/nethack/5.0/pkg/PLIST
+38-25 files

OpenBSD/src kfkkzkUsys/kern sysv_msg.c

   sysv: Recheck message queue limit after malloc

   que_create() allocates with M_WAIT and may sleep after sys_msgget()
   checks num_ques against msgmni. The kernel lock is released while the
   thread sleeps, allowing concurrent creators to pass the same check and
   exceed the queue limit.

   OK: mvs@
VersionDeltaFile
1.51+2-2sys/kern/sysv_msg.c
+2-21 files

OpenBSD/src jOTQCxWsys/kern sysv_msg.c

   sysv: Use zero-based message queue indices

   que_ix starts at one, while KERN_SYSVIPC_MSG_INFO allocates msgmni
   entries and uses que_ix directly as an array index. The last permitted
   queue therefore makes sysctl_sysvmsg() copy one struct msqid_ds past the
   allocation, which KASAN detects.

   OK: mvs@
VersionDeltaFile
1.50+2-2sys/kern/sysv_msg.c
+2-21 files

OpenBSD/src YJxKMzdsys/crypto cryptosoft.c

   IPComp decompression must not overflow mbuf cluster.

   Check after decompressing an IPComp packet, that the content fits
   into a mbuf cluster.  m_copyback() assumes that it can allocate a
   single mbuf cluster to enlarge the mbuf chain.  That means the
   decompressed data must not exceed MAXMCLBYTES.  Prevent panic:
   m_clget: request for 67948 byte cluster.

   reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
VersionDeltaFile
1.92+7-1sys/crypto/cryptosoft.c
+7-11 files

OpenBSD/src DNpDofusys/netinet ip_ah.c

   IPsec AH must contain replay counter.

   Before reading the replay counter from packet header in ah_input(),
   make sure that the mbuf is long enough.  Prevents panic: m_copydata:
   null mbuf.

   reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
VersionDeltaFile
1.180+5-1sys/netinet/ip_ah.c
+5-11 files

OpenBSD/ports CNnbSbCdevel/yyjson Makefile distinfo

   Update yyjson to 0.12.0.
VersionDeltaFile
1.3+2-3devel/yyjson/Makefile
1.2+2-2devel/yyjson/distinfo
+4-52 files

OpenBSD/src 1IQnLfuusr.bin/tmux job.c cmd.c

   Use _exit in child after fork, from Yayo Razo in GitHub issue 5376.
VersionDeltaFile
1.75+9-9usr.bin/tmux/job.c
1.186+8-3usr.bin/tmux/cmd.c
+17-122 files

OpenBSD/src aVT0Gdzusr.bin/tmux xmalloc.c

   Add missing calloc check and use fatal. Prompted by a similar change
   from Yayo Razo.
VersionDeltaFile
1.15+11-20usr.bin/tmux/xmalloc.c
+11-201 files

OpenBSD/ports U5TcdeLwayland/mango Makefile distinfo, wayland/mango/patches patch-src_dispatch_bind_define_h patch-src_mango_c

   wayland/mango: Update to 0.15.2
VersionDeltaFile
1.10+6-3wayland/mango/Makefile
1.9+2-2wayland/mango/distinfo
1.7+2-2wayland/mango/patches/patch-src_dispatch_bind_define_h
1.3+1-1wayland/mango/patches/patch-src_mango_c
+11-84 files