Tighten up the introduction a little:

- Mention Match as a conditional directive (previously it only
  mentioned Host)
- Try to use consistent language in the introduction to refer to
  configuration directives (previously it used "parameters" and
  "keywords" interchangeably).
- Mention that comments may appear at the end of the line too, and that
  whitespace at the beginning/end of lines is not significant.

LLVM now emits calls to strlen(3) and wcslen(3). Redirect those calls to
our hidden aliases to prevent unnecessary PLT entries (like we already do
for memmove(3), memcpy(4) and memset(3)).
ok deraadt@
login_ldap(8)/ldap(1): fix endless loop
Goto fail on closed socket and check for evbuffer_add(3) errors, too.
Original bug was reported by Matthias Pitzl.
On Tue, Jun 30, 2026 at 11:35:32AM +0200, Martijn van Duren wrote:
> Could you also make sure other aldap.c users get the fix?
OK martijn@
partially revert previous to return to 64-byte submission queue
entries by default, only applying 128-byte entries on APPLE_NVME3
(T2) where we know it's needed
the previous change broke APPLE_NVME2 which advertises 128 bytes but
needs 64
ok dlg
Yet another AI assisted report has triggered on the belief that
kill(2) against 0 (for pgrp) should not be permitted by pledge "proc".
Nothing validates this premise. Blocking process group kills would
break substantial amounts of software in dangerous ways, as it creates
fragile invariant conditions. We previously tried to block this belief
with kern_pledge.c:1.357 by subtly adding "/pgrp" in a comment, but that
was not effective so try adding "kill(2) may still operate on the
process group with pid 0." to the manual page. This is annoying
because the pledge manual page usually describes what is blocked
(resulting in process killing) rather than specifically listing
what is allowed.
Discussed with Ivan Arce
sys: check vnode identity after vget
Several vnode lookup paths keep a vnode pointer from a filesystem hash,
node tree, or alias list, then call vget() after dropping or lacking the
lookup side protection. If the vnode is recycled while vget() waits, the
pointer can still name a valid struct vnode, but no longer the object
found by the lookup.
Record v_id before vget() and retry the lookup if the id changes after
the vnode is locked. This matches the existing namecache pattern and
turns stale vnode hits into lookup retries instead of returning the
wrong object.
OK: claudio@
ssherr-libcrypto: avoid use of deprecated ERR_load_crypto_strings()
Follow regress and use unchecked OPENSSL_init_crypto() because
ERR_load_crypto_strings() has been deprecated in OpenSSL 1.1.0.
This call can in principle fail, in which case there's a fallback
to generic error strings.
There is still use of OpenSSL 3.x-deprecated API in here. That's
a problem for someone else to solve.
ok djm
change Venezuelan Bolivar ISO 4217 code from VEF to VES
VES was used for the 2018 redenomination. VED was used as part of the 2021
redenomination process. VES remains the official code after the 2021
redenomination according to ISO 4217 amendment number 170.
set FD_CLOEXEC on the fds between sftp and its ssh process,
avoids risk of subcommands that write on odd fds breaking the
connection. GHPR693 from Manuel Einfalt;
feedback deraadt@ ok dtucker@
check key and IV length received in privsep state transfer
exactly match the expected sizes for the selected cipher;
partially redundant to similar checks in cipher_init(), but
nice to be more exact.
GHPR from jmestwa-coder; ok dtucker@