Use the (no YP, non-threaded) cleaned up copy of getpwent.c placed into
usr.bin/chpass instead of reaching around into libc and using crazy cpp
options.
In the near future the libc version will have more substantial changes
(intersecting with pledge and unveil) which are much more difficult to
manage using cpp features, so we stop this reacharound into libc subtree.
zlib: avoid double assignment to strm->msg
harmless merge error from
commit 4480ad49db70b6d2b90da94cc0d4755aace8a632
Author: tb <tb at openbsd.org>
Date: Sun Jun 30 05:16:17 2024 +0000
cast string literals with z_const char *
from upstream 2ba25b2ddab9aa939c321d087fcfca573a9cca55
zlib: fix heap info leak in deflateCopy (ZLB-01-005)
commit 84045903ee415efbfaf6d3d443224c2f3a1daea0
Author: Mark Adler <git at madler.net>
Date: Sat Jan 10 21:34:20 2026 -0800
Copy only the initialized deflate state in deflateCopy.
To avoid the propagation and possible disclosure of uninitialized
memory contents.
Properly export the bitmap count and size.
I decided to not pull in rdemem into bitmap.c so instead create
bitmap_get_stats() which is called in the IMSG_CTL_SHOW_RIB_MEM
handler to update the rdemem stats before the exporting them.
OK tb@
mlkem: use timingsafe_memcmp() in decapsulation
Replace memcmp() with timingsafe_memcmp() when comparing the
re-encrypted ciphertext.
FIPS 203 Section 6.3 defines this comparison result as a secret piece
of intermediate data that must not be revealed in any form.
ok tb
Do not use recallocarray because the stored size may have changed during
reflow so may not match what it expects, fixes crash reported by Caspar
Schutijser.
zlib: zero out allocation to avoid info leak (part of ZLB-01-003)
commit ecbaf031f81ddfcff200dcfd052df48c9047f3cf
Author: Mark Adler <git at madler.net>
Date: Sun Jan 11 09:46:29 2026 -0800
Zero inflate state on allocation.
To further guard against the propagation of uninitialized memory.
inflateCopy: fix a heap info leak (part of ZLB-01-003)
commit 3509ab515f29002f64455d6e34e19df0c16b1707
Author: Mark Adler <git at madler.net>
Date: Sun Dec 21 18:34:14 2025 -0800
Copy only the initialized window contents in inflateCopy.
To avoid the propagation and possible disclosure of uninitialized
memory contents.
On 2026-03-09 British Columbia will go from daylight to standard
time, without a UT offset change. That is, its 2026-03-08 spring
forward will be its last foreseeable clock change, as it will move
to permanent -07 thereafter. (Thanks to Arthur David Olson.)
Update to 2026agtz from https://github.com/JodaOrg/global-tz
o Moldova has used EU transition times since 2022.
o Remove Europe/Chisinau from zonenow.tab, as it now agrees with
Europe/Athens for future timestamps.
Add some stats for the use of bitmaps.
Only account for the extended bitmaps that allocate extra memory.
The count is much lower since up to 127 bits the map uses the struct
bitmap itself for storage but tracking those is more complicated.
OK tb@
Fix relayd reload race crash
Instead of terminating with fatalx() when a private key hash cannot be
found, log a warning and send an error back to the relay worker.
This prevents a race condition during "reload" where a request might
reach the CA process while keys are being repopulated.
Reported by Nick Owens; thanks!
OK tb@
ssh-agent supports a "query" extension that allows a client to request
a list of extensions it support. This makes this capability available
to ssh-add via the -Q flag.
ok markus@
