BSD Commit Log Search

   Add switch-mode a fast switcher with fuzzy searching, bound to Tab (for
   windows) or BTab (S-Tab, for sessions) by default.

   Drop mouse movement events rather than redrawing unnecessarily.

   Set IFXF_MBUF_64BIT so mbufs are allocated in high memory if only
   64 bit DMA interfaces exist.  Also pass BUS_DMA_64BIT to the
   bus_dmamem_alloc() for the kstat counter buffer (rge_ks_sc_seg).

   ok bluhm@

   Add a coinflip to increase cycle-to-cycle jitter

   with/OK tb@

   Use underscore for current in status line.

   message-command-style should be inverse of message-style.

   cal: drop obsolete parsemonth return value checks

   These became redundant since month range checks were implemented in parsemonth
   in revision 1.15.

   ok jca@

   Add tree-mode-selection-style to continue the process of moving away
   from mode-style.

   Some colour fixes and tweaks (marked pane, cursor colours now work).

   document "compile-with"
   from Nick Owens

   ucom: fix OOB write in sysctl_ucominit with no ucom devices

   cd_ndevs==0 makes ucomslen 0, so malloc(0) returns unzeroed storage
   (M_ZERO memsets osize==0 bytes). strlen(ucoms) then walks garbage and
   ucoms[strlen-1]=0 stores out of bounds (KASAN: __asan_store1, hw.ucomnames).
   Size the buffer for one extra slot so it is never zero-sized.

   KASAN#2, with a murmur of agreement in the hackroom

   Do not force theme colours to default when capturing.

   Add ability to float a tiled pane to break-pane, from Dane Jensen.

   Don't bounce unless we're doing encrypted writes.  Drivers for hardware
   that doesn't support 64-bit DMA will take care of bouncing now.

   ok deraadt@, jca@

   Do not count arguments starting - as optional arguments, makes old
   resize-pane syntax work. GitHub issue 5275, based on a changed from Dane
   Jensen.

   Bump style buffer to 1024, GitHub issue 5279 from Moritz Angermann.

   Add next batch of awk tests, adapted from upstream

   OK millert@

   merge NSD 4.14.3 (why they regenerated autoconf files with an older version,
   I do not know...)

   import NSD 4.14.3

   Fix CVE-2026-12244, CVE-2026-12245, CVE-2026-12246 and CVE-2026-12490

   - CVE-2026-12244: A specially crafted SVCB RR can cause a heap
     overflow of up to 65509 attacker controlled bytes.
   - CVE-2026-12245: If NSD is configured with DNS over TLS, a
     client that performs a TLS action, closing the connection early,
     causes a crash and restart of the server process. An attacker can
     keep all children in a crash-restart loop denying DoT service.
   - CVE-2026-12246: The RR type APL rdata address, if too large,
     causes out of bounds write on the stack, when the zonefile is written
     out.
   - CVE-2026-12490: Secondaries authenticated by a client
     certificate to transfer a zone over TLS, can bypass verification by
     transferring over TCP.

   OK sthen

   Another couple of bits look nicer in grey.

   Apply better colours to various builtin bits in modes.

   Some more #include consistency.

   Prompted by job

   nca.c: more missing includes

   sys/types.h for ssize_t, stdlib.h for *alloc/free and stdio.h for fprintf.

   ok job

   Fix includes for -portable

   OK tb@

   Fixed a null dereference when authentication-filter and configured and
   pap is used.   diff from iij.

   mention that ssh-keyscan output is only as trustworthy as the
   network between it and the SSH server; ok markus@

   Return statically built addresses when hostname == NULL  It always
   returns IPv4 and IPv6 addresses when hostname == NULL; previously, it
   returned only the address of the selected address family defined by
   "family" in resolv.conf.

   ok florian

   With x509_vfy.c 1.153, the x509_crl regress passes

   x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL

   Among CRLs with the same score prefer the one with the most recent
   lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
   626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
   This uses the annoying ASN1_TIME_diff() API, but there is no better
   way, really. Every other ASN1_TIME API will be just as awkward.

   This fixes the currently failing x509_crl test cases.

   ok kenjiro