OpenBSD/src EWD8S8Q sys/kern sysv_sem.c

   Do sleeping malloc() and copyin() before checks within sys_semop().
   Otherwise the semaphore id referenced by `semaptr' could be destroyed
   or replaced during context switch.

   ok cludwig
Version     Delta    File
1.67        +36-22   sys/kern/sysv_sem.c
            +36-22   1 files

OpenBSD/src Kvk2UUd distrib/sets/lists/comp mi

   sync
Version     Delta    File
1.1763      +0-1     distrib/sets/lists/comp/mi
            +0-1     1 files

OpenBSD/src Drf4H7d usr.bin/tmux status.c tmux.h

   Do not cache format for status line because it stores various pointers
   that might be stale, instead cache the cmd_find_state and rebuild the
   formats every time they are needed. Reported by Marcel Partap in GitHub
   issue 5065.
Version     Delta    File
1.263       +35-20   usr.bin/tmux/status.c
1.1312      +2-2     usr.bin/tmux/tmux.h
            +37-22   2 files

OpenBSD/src QrIUaa8 usr.bin/patch pch.c

   Solve an infinite loop on malformed ed script input

   OK kirill
Version     Delta    File
1.67        +8-1     usr.bin/patch/pch.c
            +8-1     1 files

OpenBSD/src 143pua1 sys/net pf_lb.c

   pf(4): load balancer rpool->weight is never zero, state that
   explicitly in code to make future reviews more smooth.

   OK @deraadt
Version     Delta    File
1.77        +9-1     sys/net/pf_lb.c
            +9-1     1 files

OpenBSD/src AaJ3HDz usr.sbin/bgpd parse.y

   bgpd: switch last u_int8_t to uint8_t

   ok claudio
Version     Delta    File
1.491       +4-4     usr.sbin/bgpd/parse.y
            +4-4     1 files

OpenBSD/src yE48yAA usr.sbin/bgpd parse.y

   bgpd: switch two for loop index from u8 to u_int

   ok claudio
Version     Delta    File
1.490       +3-3     usr.sbin/bgpd/parse.y
            +3-3     1 files

OpenBSD/src 7A7WhnJ lib/libcrypto/ripemd ripemd.h

   remove bogus ifdefs; ok tb@
Version     Delta    File
1.21        +1-8     lib/libcrypto/ripemd/ripemd.h
            +1-8     1 files

OpenBSD/src vmFWyKc lib/libcrypto/x509 x509_purp.c

   x509_purp: fix doc comment for check_ca()

   This comment has gotten out of sync with reality. The "I don't know..."
   fallback was removed and a special case for netscape CAs was added.
   Sync from the manual and add some more details.

   Pointed out by Maximilian Radoy in
   https://github.com/libressl/portable/issues/1274

   ok kenjiro
Version     Delta    File
1.45        +7-3     lib/libcrypto/x509/x509_purp.c
            +7-3     1 files

OpenBSD/src dcLRPCZ regress/lib/libc/asr regress.sh

   asr regress: workaround due to removal of . from the path

   Since . is no longer part of the default path, . regress.subr no longer
   works. Use ${PWD}.

   With this, the regress appears to mostly work except for what looks like
   ordering issues and of course it isn't using bsd.regress.mk. I leave the
   former to the DNS experts and the latter to the regress experts if they're
   interested.
Version     Delta    File
1.8         +2-2     regress/lib/libc/asr/regress.sh
            +2-2     1 files

OpenBSD/src Ne4H7nx regress/lib/libc/asr regress.subr

   asr regress: /etc/networks was removed in 2018
Version     Delta    File
1.5         +1-2     regress/lib/libc/asr/regress.subr
            +1-2     1 files

OpenBSD/src 4y6pFkU regress/lib/libc/asr/bin Makefile.inc

   asr regress: set -Wno-unused-but-set-variables in CFLAGS

   This allows building without modifying some debugging code.
Version     Delta    File
1.3         +2-1     regress/lib/libc/asr/bin/Makefile.inc
            +2-1     1 files

OpenBSD/src ZA7qqbD regress/lib/libc/asr/bin threads.c

   asr regress: extern three variables to fix build with -fcommon
Version     Delta    File
1.2         +4-4     regress/lib/libc/asr/bin/threads.c
            +4-4     1 files

OpenBSD/src JToRF5k sys/net trunklacp.c trunklacp.h

   remove unused trunklacp code

   trunklacp.c is not built since January's
   'remove lacp support from trunk(4)'

   ok dlg@
Version     Delta    File
1.35        +1-1     sys/net/trunklacp.c
1.15        +1-1     sys/net/trunklacp.h
            +2-2     2 files

OpenBSD/src SCYT7gh sbin/ifconfig ifconfig.c, sys/net if_trunk.h

   make ifconfig build without trunklacp.h

   The only used part of trunklacp.h in ifconfig is LACP_STATE_BITS.
   Add it to if_trunk.h so trunklacp.h can be removed.

   ok dlg@
Version     Delta    File
1.34        +12-1    sys/net/if_trunk.h
1.481       +1-2     sbin/ifconfig/ifconfig.c
            +13-3    2 files

OpenBSD/src taetC1Q regress/usr.sbin/bgpd/integrationtests Makefile

   Add forgotten addpath regress test.
Version     Delta    File
1.28        +2-2     regress/usr.sbin/bgpd/integrationtests/Makefile
            +2-2     1 files

OpenBSD/src 5sCH7Yy usr.sbin/bgpd rde_attr.c rde.c

   Use unsigned int for the length variable when traversing the others array.

   Doing this in all places now after fixing an overflow in attr_optadd().

   OK tb@ deraadt@
Version     Delta    File
1.144       +14-8    usr.sbin/bgpd/rde_attr.c
1.697       +3-3     usr.sbin/bgpd/rde.c
1.135       +3-2     usr.sbin/bgpd/mrt.c
1.194       +3-2     usr.sbin/bgpd/rde_update.c
            +23-15   4 files

OpenBSD/src dATIJ9T usr.sbin/bgpd bgpd.h

   Convert grestart.timeout to uint16_t. While the value can never be negative,
   the compiler trips over this in a comparison with u_int.

   OK tb@
Version     Delta    File
1.541       +5-5     usr.sbin/bgpd/bgpd.h
            +5-5     1 files

OpenBSD/src lY1vYJs usr.sbin/bgpd parse.y

   Reduce maximum configurable stale time to CAPA_GR_TIMEMASK (4095) since
   that is the maximum anyway.

   OK tb@
Version     Delta    File
1.489       +5-5     usr.sbin/bgpd/parse.y
            +5-5     1 files

OpenBSD/src LUPAbwF lib/libc/gen getgrent.c

   A collection of AI-assisted reports come from Frank Denis, which says that
   the YP getgrent code when doing YP operations has a group of buffer
   mismanagement issues which in the reports are labelled 'high severity'.
   This fixes the buffer checks.
   The big question to ask is this: Is a malicious YP server going to
   send you messages that exercise a buffer overflow codepath, or are
   they going to send you perfectly correct messages containing wrong group members?
   The old-school ypserv model was that you run ypserv on a "trusted network"
   segment, which today is laughable but it matched operations in that era.
   (Our) new operational model is that ypbind is reached with a custom system call
   and provides trusted path to an on-host ypserv, which is more likely to be
   the ypldap(8) LDAP schema to YP protocol converter.
   If a YP server is broken and sending bad messages, THIS code is the least
   of your worries.  High severity?  No.
   ok millert jmatthew
Version     Delta    File
1.52        +13-1    lib/libc/gen/getgrent.c
            +13-1    1 files

OpenBSD/src IQXSShj lib/libc/gen getpwent.c

   A collection of AI-assisted reports come from Frank Denis, which says that
   the YP getpwent code when doing YP operations has a group of buffer
   mismanagement issues which in the reports are labelled 'high severity'.
   This fixes the buffer checks.
   In reality, the memory being operated on is always a full page so the
   overflow onto unmanaged memory is hard to see as a risk.
   The big question to ask is this: Is a malicious YP server going to
   send you messages that exercise a buffer overflow codepath, or are
   they going to send you perfectly correct messages containing :0:0: ?
   The old-school ypserv model was that you run ypserv on a "trusted network"
   segment, which today is laughable but it matched operations in that era.
   (Our) new operational model is that ypbind is reached with a custom system call
   and provides trusted path to an on-host ypserv, which is more likely to be
   the ypldap(8) LDAP schema to YP protocol converter.
   If a YP server is broken and sending bad messages, THIS code is the least
   of your worries.  High severity?  No.
   ok millert jmatthew
Version     Delta    File
1.74        +8-11    lib/libc/gen/getpwent.c
            +8-11    1 files

OpenBSD/src M1PBeta lib/libc/gen getpwent.c

   In the yp_next() case, on error the key memory is leaked.
   Hiding in an unrelated diff from Frank Denis
   ok millert jmatthew
Version     Delta    File
1.73        +3-2     lib/libc/gen/getpwent.c
            +3-2     1 files

OpenBSD/src iyb0O37 usr.sbin/bgpd session.c

   In session_graceful_restart() also arm the SessionDown timer

   session_graceful_restart() does more or less the same as session_down()
   and therefore needs to arm the SessionDown timer and on top of that
   update stats.last_updown. The interval for the SessionDown timer needs
   to depend on the graceful restart timer, since that one needs to fire
   first.

   OK tb@
Version     Delta    File
1.533       +10-2    usr.sbin/bgpd/session.c
            +10-2    1 files

OpenBSD/src WIJeJHj sbin/iked ikev2.c

   check address size; from markus via millert
   from deraadt@

   this is errata/7.7/042_iked.patch.sig
Version     Delta    File
1.391.4.2   +7-3     sbin/iked/ikev2.c
            +7-3     1 files

OpenBSD/src sDltN1q sbin/iked ikev2.c

   check address size; from markus via millert
   from deraadt@

   this is errata/7.8/036_iked.patch.sig
Version     Delta    File
1.394.2.2   +7-3     sbin/iked/ikev2.c
            +7-3     1 files

OpenBSD/src YSkUFCL sys/nfs nfs_serv.c

   Add checks for invalid dir count and max size for readdir/readdirplus.

   A zero count or max size value is now rejected early instead of
   relying on VOP_GETATTR to return an error.  Also verify that the
   max size after rounding up to a multiple of DIRBLKSIZ is positive.
   A negative value would turn into a large allocation, causing the
   malloc() to fail.

   From an LLM bug report.  With help from miod@ and kirill@.
   from millert@

   this is errata/7.7/041_nfs.patch.sig
Version     Delta    File
1.131.4.2   +34-23   sys/nfs/nfs_serv.c
            +34-23   1 files

OpenBSD/src gyENLM5 sys/nfs nfs_serv.c

   Add checks for invalid dir count and max size for readdir/readdirplus.

   A zero count or max size value is now rejected early instead of
   relying on VOP_GETATTR to return an error.  Also verify that the
   max size after rounding up to a multiple of DIRBLKSIZ is positive.
   A negative value would turn into a large allocation, causing the
   malloc() to fail.

   From an LLM bug report.  With help from miod@ and kirill@.
   from millert@

   this is errata/7.8/035_nfs.patch.sig
Version     Delta    File
1.132.2.1   +34-23   sys/nfs/nfs_serv.c
            +34-23   1 files

OpenBSD/src 83mUMKt lib/libexpat Changes, lib/libexpat/lib xmlparse.c internal.h

   Backport fixes from libexpat version 2.8.0.

   Relevant for OpenBSD are security fixes #47 #1183.  Library bump
   is not necessary.  CVE-2026-41080

   OK tb@

   this is errata/7.7/040_expat.patch.sig
Version     Delta    File
1.42.4.4    +58-38   lib/libexpat/lib/xmlparse.c
1.30.4.4    +16-0    lib/libexpat/Changes
1.13.4.2    +2-0     lib/libexpat/lib/internal.h
            +76-38   3 files

OpenBSD/src 4aCTgag lib/libexpat Changes, lib/libexpat/lib xmlparse.c internal.h

   Backport fixes from libexpat version 2.8.0.

   Relevant for OpenBSD are security fixes #47 #1183.  Library bump
   is not necessary.  CVE-2026-41080

   OK tb@

   this is errata/7.8/034_expat.patch.sig
Version     Delta    File
1.44.2.3    +56-38   lib/libexpat/lib/xmlparse.c
1.32.2.3    +16-0    lib/libexpat/Changes
1.15.2.1    +2-0     lib/libexpat/lib/internal.h
            +74-38   3 files

OpenBSD/src HAYZFeG lib/libcrypto crypto_assembly.h, lib/libcrypto/sha sha256_amd64_shani.S sha256_aarch64_ce.S

   Use macros for global functions and objects within SHA assembly.

   This lets us remove some of the repetitive statements and allows for them
   to be adjusted for various platforms.

   ok kenjiro@ tb@
Version     Delta    File
1.5         +23-1    lib/libcrypto/crypto_assembly.h
1.7         +6-10    lib/libcrypto/sha/sha256_amd64_shani.S
1.10        +4-7     lib/libcrypto/sha/sha256_aarch64_ce.S
1.7         +4-7     lib/libcrypto/sha/sha1_amd64_shani.S
1.9         +4-7     lib/libcrypto/sha/sha256_amd64_generic.S
1.7         +4-7     lib/libcrypto/sha/sha512_amd64_generic.S
            +45-39   3 files not shown
            +53-53   9 files