BSD Commit Log Search

   restrict IMSG_CTL_PROCFD to parent and check process id/instance

   IMSG_CTL_PROCFD messages contain a destination process id and instance
   number that were used to index internal arrays before being checked.
   A child sending bad imsgs could cause out-of-bounds reads or
   writes.

   Check for a missing fd, a bad process id, or an out-of-range instance
   before any array is indexed.  Also reject IMSG_CTL_PROCFD that does not
   come from the parent.

   from Andrew Griffiths, diff by martijn@ and myself, ok martijn@

   Switch the default TLS cipher set from "compat" to "secure"

   The "secure" keyword only allows TLSv1.3 and the TLSv1.2 AEAD ciphers
   that have forward secrecy (ECDHE/DHE).  See tls_config_set_ciphers(3)
   for details.  This is stricter than "HIGH:!aNULL" and drops older
   ciphers without AEAD or forward secrecy.

   Also update the ciphers text in httpd.conf.5 with the clearer wording
   from smtpd.conf.5.

   Old peers that need these older ciphers may no longer connect.

   idea from Mischa, ok kirill@ ok tb@

   Switch the default TLS cipher set from "HIGH:!aNULL" to "secure"

   The "secure" keyword only allows TLSv1.3 and the TLSv1.2 AEAD ciphers
   that have forward secrecy (ECDHE/DHE).  See tls_config_set_ciphers(3)
   for details.  This is stricter than "HIGH:!aNULL" and drops older
   ciphers without AEAD or forward secrecy.

   Also update the ciphers text in relayd.conf.5 with the clearer wording
   from smtpd.conf.5.

   Old peers that need these older ciphers may no longer connect.

   idea from Mischa, ok kirill@ ok tb@

   Revert the -fno-omit-frame-pointer change (including the clang only
   -mno-omit-leaf-frame-pointer). Committed by accident.
   Noticed because of commit from miod@

   Update libexpat to version 2.8.2.

   Relevant for OpenBSD are security fixes #1246 #1267 #1272 #1229
   #1232 #1249 #1251 #1255 #1262 #565 #1278, other changes #1283 #565
   #1220 #1221 #1222 #1224 #1226 #1228 #1230 #1238 #1239 #1240 #1241
   #1242 #1243 #1243 #1247 #1248 #1256 #1258 #1261 #1275.
   Library bump is not necessary.
   CVE-2026-50219 CVE-2026-56131 CVE-2026-56132 CVE-2026-56403
   CVE-2026-56404 CVE-2026-56405 CVE-2026-56406 CVE-2026-56407
   CVE-2026-56408 CVE-2026-56409 CVE-2026-56410 CVE-2026-56411
   CVE-2026-56412

   OK tb@

   Trivial check for freeaddrinfo(NULL)

   Ansify usage()

   While here drop pointless declaration for main()

   K&R -> ANSI

   Revert rev 1.68 as it breaks resolution of literal IP addresses

   Reported by matthieu@

   rpki-client: avoid double fclose in a success path

   CID 647170

   ok job

   Set view name immediately when entering mode.

   Clear lines before writing in copy mode to avoid leaving stray text when
   new line is shorter than old.

   -mno-omit-leaf-frame-pointer should only be used when the compiler is clang.

   Make split-window create a new floating pane if used in a floating pane,
   rather than just complaining. Also improve documentation. From Dane
   Jensen.

   Pulled code out of layout_split_pane for reuse and added
   layout_insert_tile. From Dane Jensen.

   Add a helper to swap a node into the place of a leaf, from Dane Jensen.

   Invalidate scene when changing window Z index, from Dane Jensen.

   Preseve prompt flags across line clear, from Aung Myo Kyaw.

   trunk(4): update link state after new port attached

   Without this fix, the linkstate is unknown via snmpd till its changed.

   yeah, looks good. go for it. dlg@
   Seems right to me. deraadt@

   Use linked sessions not active.

   Remove a info line that doesn't really make sense.

   Print the file name when erroring out on invalid input

   Suggested by tb and espie

   Make tsort(1) abort early if input lines contain NUL bytes

   tsort works on text files with data separated by whitespace, there is no
   need or reason to support NUL as an additional word delimiter. It's
   easier to just detect invalid input early, in the two functions which
   read data.

   Similar diff from espie, ok tb@ renaud@

   Add info modes to tree mode like for clients.

   Add ML-DSA-44 / Ed25519 hybrid SSH host keys

   These files are auto-generated by ssh-keygen -A and need to be tracked

   OK sthen@

   Add switch-mode a fast switcher with fuzzy searching, bound to Tab (for
   windows) or BTab (S-Tab, for sessions) by default.

   Drop mouse movement events rather than redrawing unnecessarily.

   Set IFXF_MBUF_64BIT so mbufs are allocated in high memory if only
   64 bit DMA interfaces exist.  Also pass BUS_DMA_64BIT to the
   bus_dmamem_alloc() for the kstat counter buffer (rge_ks_sc_seg).

   ok bluhm@

   Add a coinflip to increase cycle-to-cycle jitter

   with/OK tb@

   Use underscore for current in status line.