OpenBSD/src w91V28Husr.sbin/smtpd enqueue.c

   reject CR and LF in argv-derived fields before starting the SMTP dialogue

   enqueue interpolates the sender, recipients and DSN options straight into
   MAIL FROM / RCPT TO command lines.  an embedded CR or LF split the command
   boundary and injected additional SMTP commands over the local session, so
   refuse any such field up front.

   from Andrew Griffiths (fixed by me), ok op@
VersionDeltaFile
1.127+21-1usr.sbin/smtpd/enqueue.c
+21-11 files

OpenBSD/src ZfAqP4husr.sbin/smtpd mta.c

   free the copied envelope on the smarthost lookup failure path

   mta_on_smarthost() frees the malloc'd envelope on success, but the
   smarthost == NULL branch tempfailed the message and returned without
   freeing it, leaking a struct envelope per failed lookup.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.249+2-1usr.sbin/smtpd/mta.c
+2-11 files

OpenBSD/src CZZ66B2usr.sbin/smtpd mda.c

   free mda_subaddress in mda_envelope_free()

   mda_envelope() duplicates the subaddress with xstrdup() when present but
   mda_envelope_free() never released it, leaking one bounded string per
   subaddressed local delivery.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.148+2-1usr.sbin/smtpd/mda.c
+2-11 files

OpenBSD/src fg8haRjusr.sbin/smtpd compress_gzip.c

   use inflateEnd() to tear down the inflate stream in uncompress_gzip_chunk()

   the decompression path sets up the stream with inflateInit2() but the
   cleanup block called deflateEnd(), mismatching the zlib inflate/deflate
   APIs and leaking the stream state on every gzip queue read.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.14+2-2usr.sbin/smtpd/compress_gzip.c
+2-21 files

OpenBSD/src QkDm6zrusr.sbin/smtpd dns.c spfwalk.c

   stop parsing DNS answers once unpack_rr() reports failure

   the MX, MX-preference and spf walkers looped on the attacker-controlled
   ancount calling unpack_rr() without checking its return, processing stale
   or uninitialized rr contents on malformed or truncated replies.  break out
   of the loop as soon as unpack_rr() fails.

   from Andrew Griffiths, ok op@
VersionDeltaFile
1.93+5-3usr.sbin/smtpd/dns.c
1.21+2-2usr.sbin/smtpd/spfwalk.c
+7-52 files

OpenBSD/src kfkkzkUsys/kern sysv_msg.c

   sysv: Recheck message queue limit after malloc

   que_create() allocates with M_WAIT and may sleep after sys_msgget()
   checks num_ques against msgmni. The kernel lock is released while the
   thread sleeps, allowing concurrent creators to pass the same check and
   exceed the queue limit.

   OK: mvs@
VersionDeltaFile
1.51+2-2sys/kern/sysv_msg.c
+2-21 files

OpenBSD/src jOTQCxWsys/kern sysv_msg.c

   sysv: Use zero-based message queue indices

   que_ix starts at one, while KERN_SYSVIPC_MSG_INFO allocates msgmni
   entries and uses que_ix directly as an array index. The last permitted
   queue therefore makes sysctl_sysvmsg() copy one struct msqid_ds past the
   allocation, which KASAN detects.

   OK: mvs@
VersionDeltaFile
1.50+2-2sys/kern/sysv_msg.c
+2-21 files

OpenBSD/src YJxKMzdsys/crypto cryptosoft.c

   IPComp decompression must not overflow mbuf cluster.

   Check after decompressing an IPComp packet, that the content fits
   into a mbuf cluster.  m_copyback() assumes that it can allocate a
   single mbuf cluster to enlarge the mbuf chain.  That means the
   decompressed data must not exceed MAXMCLBYTES.  Prevent panic:
   m_clget: request for 67948 byte cluster.

   reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
VersionDeltaFile
1.92+7-1sys/crypto/cryptosoft.c
+7-11 files

OpenBSD/src DNpDofusys/netinet ip_ah.c

   IPsec AH must contain replay counter.

   Before reading the replay counter from packet header in ah_input(),
   make sure that the mbuf is long enough.  Prevents panic: m_copydata:
   null mbuf.

   reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
VersionDeltaFile
1.180+5-1sys/netinet/ip_ah.c
+5-11 files

OpenBSD/src 1IQnLfuusr.bin/tmux job.c cmd.c

   Use _exit in child after fork, from Yayo Razo in GitHub issue 5376.
VersionDeltaFile
1.75+9-9usr.bin/tmux/job.c
1.186+8-3usr.bin/tmux/cmd.c
+17-122 files

OpenBSD/src aVT0Gdzusr.bin/tmux xmalloc.c

   Add missing calloc check and use fatal. Prompted by a similar change
   from Yayo Razo.
VersionDeltaFile
1.15+11-20usr.bin/tmux/xmalloc.c
+11-201 files

OpenBSD/src eOpR6LUsys/kern kern_sysctl.c sysv_shm.c, sys/sys sem.h shm.h

   Move SysV sysctl(2) handlers out of sysctl_vslock(). They don't need to
   wire userland pages, but have sleeping malloc() calls which could block
   the locked sysctl(2) paths. Introduce rwlocks to serialize access to
   `seminfo' and `shminfo' respectively. The whole SysV IPC layer relies on
   kernel lock, but sysctl_sysvsem() and sysctl_sysvshm() paths have
   context switch requires the extra serialization.

   Joint work with and OK from kirill.
VersionDeltaFile
1.495+115-108sys/kern/kern_sysctl.c
1.86+34-7sys/kern/sysv_shm.c
1.70+23-5sys/kern/sysv_sem.c
1.49+3-1sys/kern/sysv_msg.c
1.30+2-1sys/sys/sem.h
1.32+2-1sys/sys/shm.h
+179-1236 files

OpenBSD/src Ap3GSVrregress/usr.bin/ssh sshfp-connect.sh ecdsa521_openssh.prv

   Add tests for ecdsa 256, 384 and 521 keys in DNS fingerprints.
   Dynamically generate the required zone file.
VersionDeltaFile
1.8+72-34regress/usr.bin/ssh/sshfp-connect.sh
1.1+12-0regress/usr.bin/ssh/ecdsa521_openssh.prv
1.1+10-0regress/usr.bin/ssh/ecdsa384_openssh.prv
1.1+8-0regress/usr.bin/ssh/ecdsa256_openssh.prv
1.1+1-0regress/usr.bin/ssh/ecdsa256_openssh.pub
1.1+1-0regress/usr.bin/ssh/ecdsa384_openssh.pub
+104-341 files not shown
+105-347 files

OpenBSD/src 26VFYtMregress/usr.bin/ssh cfgparse.sh

   check sshd_config output case insensitively
VersionDeltaFile
1.10+7-7regress/usr.bin/ssh/cfgparse.sh
+7-71 files

OpenBSD/src ICHgTyAregress/usr.bin/ssh sshfp-connect.sh

   Add SSHFP tests for ed25519 key type.
VersionDeltaFile
1.7+56-15regress/usr.bin/ssh/sshfp-connect.sh
+56-151 files

OpenBSD/src WYKE8l2gnu/usr.bin/perl/cpan/HTTP-Tiny/corpus redirect-15.txt redirect-16.txt, gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP Tiny.pm

   Update HTTP::Tiny to 0.096

   This is mostly to pick up the fix for CVE-2026-7017 since we already
   had the fixes for the earlier bugs.  However, applying the patches
   just for the fix was being painful so instead pull in the full update.
VersionDeltaFile
1.11+136-38gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
1.1+57-0gnu/usr.bin/perl/cpan/HTTP-Tiny/corpus/redirect-15.txt
1.4+55-0gnu/usr.bin/perl/cpan/HTTP-Tiny/t/020_headers.t
1.1+47-0gnu/usr.bin/perl/cpan/HTTP-Tiny/corpus/redirect-16.txt
1.1+41-0gnu/usr.bin/perl/cpan/HTTP-Tiny/corpus/redirect-20.txt
1.1+40-0gnu/usr.bin/perl/cpan/HTTP-Tiny/corpus/redirect-19.txt
+376-3814 files not shown
+778-5020 files

OpenBSD/src oMmHkS0usr.sbin/vmd vioqcow2.c

   vmd(8): fix qcow2 refcounts on lazy allocated refcnt blocks.

   Lazy-allocated refcount blocks, such as those created when growing the
   disk past 2 GiB, should have refcount initialized to 1. While the disk
   is functional, operations on the metadata (such as resizing) fail as
   the reference counting is corrupt.

   From Chris Cunningham.

   "looks right to me" from @ori (original author of vioqcow2.c)
VersionDeltaFile
1.28+2-1usr.sbin/vmd/vioqcow2.c
+2-11 files

OpenBSD/src RUVRF0Rlib/libc/arch/sparc64/gen sigsetjmp.S

   Use ENTRY_NB() for sig{set,long}jmp

   Like on arm, the END_WEAK() trigger "changed binding to STB_WEAK"
   warnings on sparc64 when compiled with clang.

   ok kettenis
VersionDeltaFile
1.6+3-3lib/libc/arch/sparc64/gen/sigsetjmp.S
+3-31 files

OpenBSD/src d0VhKnnlib/libc/arch/sparc64/gen fpsetround.c fpsetsticky.c

   Convert libc/arch/sparc64/gen to ANSI-style function definitions

   ok jsg kettenis, lgtm jca
VersionDeltaFile
1.2+2-3lib/libc/arch/sparc64/gen/fpsetround.c
1.2+2-3lib/libc/arch/sparc64/gen/fpsetsticky.c
1.2+2-3lib/libc/arch/sparc64/gen/fpsetmask.c
+6-93 files

OpenBSD/src eNKLr0Alib/libc/arch/sparc64/fpu fpu_explode.c fpu_implode.c

   Convert libc/arch/sparc64/fpu to ANSI-style function definitions

   ok jsg kettenis, lgtm jca
VersionDeltaFile
1.13+9-26lib/libc/arch/sparc64/fpu/fpu_explode.c
1.9+7-24lib/libc/arch/sparc64/fpu/fpu_implode.c
1.5+2-3lib/libc/arch/sparc64/fpu/fpu_mul.c
1.6+2-3lib/libc/arch/sparc64/fpu/fpu_add.c
1.6+2-3lib/libc/arch/sparc64/fpu/fpu_div.c
1.8+2-3lib/libc/arch/sparc64/fpu/fpu_sqrt.c
+24-626 files

OpenBSD/src pAj9j05sys/uvm uvm_swap.c uvm_pager.c

   Encrypt swap pages "inline" instead of going through a bounce buffer.  This
   means we no longer need to reserve bounce pages for the pagdaemon.  Instead
   we can use the complete set of psegs to swap out pages.  Note that there is
   another important consequence of this diff.  Before the old page remaines
   unencrypted and on the inactive queue, where it will sit until the
   pagedaemon runs again and kills it.  With this diff, pages will be freed
   as soon as the I/O completes.  This is probably an improvement in itself.

   This is simplified version of a diff posted by mpi@ earlier this year.
   These simplifications were possible because we no longer bounce pages to
   meet DMA constraints in the swap code.

   ok deraadt@
VersionDeltaFile
1.183+95-210sys/uvm/uvm_swap.c
1.99+55-36sys/uvm/uvm_pager.c
1.160+12-9sys/uvm/uvm_pdaemon.c
1.23+8-2sys/uvm/uvm_swap.h
1.190+2-2sys/uvm/uvm_page.c
1.74+2-2sys/uvm/uvm_page.h
+174-2616 files

OpenBSD/src nohd3Hmusr.bin/ssh servconf.c

   in sshd config dump mode, write all directives in mixed case
   for consistency

   ok djm@
VersionDeltaFile
1.452+16-16usr.bin/ssh/servconf.c
+16-161 files

OpenBSD/src GFf8s9Jusr.bin/ssh ssh.1 ssh-add.1

   read ~/.ssh/id_mldsa44_ed25519 private key files by default

   ok djm@
VersionDeltaFile
1.452+11-4usr.bin/ssh/ssh.1
1.90+8-5usr.bin/ssh/ssh-add.1
1.239+5-5usr.bin/ssh/ssh-keygen.1
1.428+5-4usr.bin/ssh/ssh_config.5
1.330+3-2usr.bin/ssh/sshd.8
1.414+3-1usr.bin/ssh/readconf.c
+35-211 files not shown
+37-227 files

OpenBSD/src AwAoGHRregress/usr.bin/ssh sshfp-connect.sh

   Restructure the SSHFP test in preparation for adding other key types:
    - change the DNS names to be rsa.* for the existing RSA fingerprints.
    - verify that all required SSHFP records exist in DNS.
    - only run the RSA tests if the build supports RSA.
VersionDeltaFile
1.6+55-31regress/usr.bin/ssh/sshfp-connect.sh
+55-311 files

OpenBSD/src VOhMVQdusr.bin/ssh sshd_config.5 ssh_config.5

   document mldsa44-ed25519 host key and public key algorithm
VersionDeltaFile
1.400+15-7usr.bin/ssh/sshd_config.5
1.427+13-6usr.bin/ssh/ssh_config.5
1.329+8-3usr.bin/ssh/sshd.8
1.19+4-2usr.bin/ssh/ssh-keysign.8
1.451+3-2usr.bin/ssh/ssh.1
1.106+2-1usr.bin/ssh/sshd_config
+45-216 files

OpenBSD/src IbRBo3tusr.bin/tmux control.c client.c

   Do not make pty fds blocking again until all the data has been consumed
   or control mode clients can get stuck, GitHub issue 5356 from Ben Maurer.
VersionDeltaFile
1.61+50-1usr.bin/tmux/control.c
1.166+11-18usr.bin/tmux/client.c
1.1396+2-1usr.bin/tmux/tmux.h
+63-203 files

OpenBSD/src oX7V4JFusr.bin/tmux format.c input.c

   Add formats and events for OSC 133 commmands, as well as a -T flag to
   set-hook -B to only fire when the format is true.
VersionDeltaFile
1.403+122-1usr.bin/tmux/format.c
1.266+79-8usr.bin/tmux/input.c
1.1132+28-3usr.bin/tmux/tmux.1
1.1395+11-3usr.bin/tmux/tmux.h
1.6+8-5usr.bin/tmux/monitor.c
1.146+7-5usr.bin/tmux/cmd-set-option.c
+255-253 files not shown
+264-309 files

OpenBSD/src rVuK4Iqsys/miscfs/fuse fuse_vnops.c fuse_ihash.c

   Change the fusefs_node i_ump member name to i_fmp to better reflect
   that it is a struct fusefs_mount pointer and not a struct ufsmount
   pointer. There is also no need to cast it each time.

   OK claudio@
VersionDeltaFile
1.79+21-21sys/miscfs/fuse/fuse_vnops.c
1.4+4-4sys/miscfs/fuse/fuse_ihash.c
1.27+2-2sys/miscfs/fuse/fuse_lookup.c
1.53+2-2sys/miscfs/fuse/fuse_vfsops.c
1.9+2-2sys/miscfs/fuse/fusefs_node.h
+31-315 files

OpenBSD/src OwH5fdwusr.bin/tmux events-payload.c hooks.c

   Replace the notification system with events. Events can carry a payload of
   additional payload (to reduce problems with lifetime of objects) and are
   delivered to one or more event sinks. This is more powerful and reduces the
   complex dependencies between control mode and hooks. Events are now used for
   hooks, control mode notifications and for monitors (set-hook -B).

   wait-for can now wait for an event to fire (-E flag, with -F to for filter),
   with -v to print the payload, as well as listing (-l) waiting clients on an
   event and forcing one to wake (-w).

   A few additional hooks are also now available (pane-created, pane-resized, etc)
   and some of the existing ones have additional format variables available.
VersionDeltaFile
1.1+672-0usr.bin/tmux/events-payload.c
1.12+383-95usr.bin/tmux/hooks.c
1.23+254-7usr.bin/tmux/cmd-wait-for.c
1.37+162-60usr.bin/tmux/control-notify.c
1.1+199-0usr.bin/tmux/events.c
1.359+135-23usr.bin/tmux/window.c
+1,805-18534 files not shown
+2,362-43240 files

OpenBSD/src GtVMJvBusr.bin/tmux control.c control-notify.c

   Don't bother to send notifications to clients with CLIENT_EXIT, GitHub
   issue 5357 from Ben Maurer.
VersionDeltaFile
1.60+2-2usr.bin/tmux/control.c
1.36+2-1usr.bin/tmux/control-notify.c
+4-32 files