CVSROOT: /cvs
Module name: ports
Changes by: tb@cvs.openbsd.org 2024/03/10 01:05:58

Modified files:
    lang/go : go.port.mk

Log message:
Bump _MODGO_SYSTEM_VERSION after go update

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/10 06:23:57

Modified files:
    devel/rebar3 : Makefile

Log message:
bump REVISION, hopefully pkgpath will now be consistent

CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2024/03/10 07:25:10

Modified files:
    sys/conf : GENERIC

Log message:
disable POOL_DEBUG for release

ok deraadt@

CVSROOT: /cvs
Module name: ports
Changes by: kn@cvs.openbsd.org 2024/03/10 08:58:31

Modified files:
    textproc/goldendict-ng: Makefile

Log message:
USE_NOBTCFI=Yes due to Qt6 WebEngine; OK sthen

Otherwise searching Wiktionary results in SIGILL without core dump.

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/10 09:37:54

Modified files:
    sys/arch/armv7/stand/efiboot: conf.c exec.c

Log message:
Invalidating the D-cache after disabling it turned out to be a bad idea and broke Allwinner SoCs with Cortex-A7 cores. So skip that and also invalidate the I-cache before disabling it. This seems to work better on a wide range of boards.

ok deraadt@, jmatthew@

CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2024/03/10 12:46:16

Modified files:
    . : plus.html plus20.html plus21.html plus22.html plus23.html plus24.html plus25.html plus26.html plus27.html plus28.html plus29.html plus30.html plus31.html plus32.html plus33.html plus34.html plus35.html plus36.html plus37.html plus38.html plus39.html plus40.html plus41.html plus42.html plus43.html plus44.html plus45.html plus46.html plus47.html plus48.html plus49.html plus50.html plus51.html plus52.html plus53.html plus54.html plus55.html plus56.html plus57.html plus58.html plus59.html plus60.html plus61.html plus62.html plus63.html plus64.html plus65.html plus66.html plus67.html plus68.html plus69.html plus70.html plus71.html plus72.html plus73.html

Log message:
reroll plus pages for 7.5

CVSROOT: /cvs
Module name: www
Changes by: tj@cvs.openbsd.org 2024/03/10 12:46:50

Modified files:
    . : errata.html errata20.html errata21.html errata22.html errata23.html errata24.html errata25.html errata26.html errata27.html errata28.html errata29.html errata30.html errata31.html errata32.html errata33.html errata34.html errata35.html errata36.html errata37.html errata38.html errata39.html errata40.html errata41.html errata42.html errata43.html errata44.html errata45.html errata46.html errata47.html errata48.html errata49.html errata50.html errata51.html errata52.html errata53.html errata54.html errata55.html errata56.html errata57.html errata58.html errata59.html errata60.html errata61.html errata62.html errata63.html errata64.html errata65.html errata66.html errata67.html errata68.html errata69.html errata70.html errata71.html errata72.html errata73.html errata74.html
Added files:
    . : errata75.html

Log message:
add 7.5 errata page

CVSROOT: /cvs
Module name: www
Changes by: kmos@cvs.openbsd.org 2024/03/10 22:07:54

Modified files:
    . : plus.html

Log message:
Plus through 2024-03-08

From pamela

CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2024/03/10 22:59:47

Modified files:
    usr.bin/ssh : version.h

Log message:
openssh-9.7

CVSROOT: /cvs
Module name: ports
Changes by: stsp@cvs.openbsd.org 2024/03/11 02:22:32

Modified files:
    devel/got : Makefile distinfo

Log message:
update to got 0.97

see git repository history for per-change authorship information

- improve error messages shown upon execv failure
- fix 'gotadmin pack' crash upon Ctrl-C due to invalid imsg_free()
- significantly speed up deltification of large files
- improve error handling in got_privsep_recv_imsg()

CVSROOT: /cvs
Module name: ports
Changes by: semarie@cvs.openbsd.org 2024/03/11 03:07:30

Modified files:
    sysutils/sysclean: Makefile distinfo

Log message:
sysutils/sysclean: update to 3.8

- accounting files are expected to be present by default now

ok sthen@

CVSROOT: /cvs
Module name: www
Changes by: djm@cvs.openbsd.org 2024/03/11 04:36:58

Added files:
    openssh/txt : release-9.7

Log message:
release notes for OpenSSH 9.7

CVSROOT: /cvs
Module name: www
Changes by: djm@cvs.openbsd.org 2024/03/11 04:39:58

Modified files:
    build : Makefile
    build/mirrors : openssh-ftp.html.head
    openssh : ftp.html index.html openbsd.html releasenotes.html
    openssh/txt : release-9.7

Log message:
openssh-9.7

CVSROOT: /cvs
Module name: www
Changes by: dlg@cvs.openbsd.org 2024/03/11 04:57:38

Modified files:
    . : want.html

Log message:
i've got an r6c now, thank you

CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2024/03/11 08:25:50

Modified files:
    telephony/baresip/baresip: Makefile
Removed files:
    telephony/baresip/baresip/patches: patch-cmake_modules_cmake

Log message:
telephony/baresip/baresip: make sure pipewire isn't picked up

drop patch and use -DCMAKE_DISABLE_FIND_PACKAGE_ trick instead (from kn@)

build failure reported by ajacoutot@

ok sthen@ kn@

CVSROOT: /cvs
Module name: src
Changes by: sthen@cvs.openbsd.org 2024/03/11 10:35:48

Modified files:
    usr.sbin/unbound/util/data: msgencode.c

Log message:
apply https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-1931.diff to unbound, fixing an indefinite loop that could be triggered by a client against an unbound server where the (non-default) configuration "ede: yes" is used.

https://nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt

ok florian@

CVSROOT: /cvs
Module name: ports
Changes by: gnezdo@cvs.openbsd.org 2024/03/11 12:31:49

Modified files:
    textproc/pandoc: Makefile distinfo

Log message:
Update to pandoc 3.1.12.2 by maintainer from Evan Silberman

ok naddy@

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/03/11 19:20:30

Modified files:
    sys/conf : newvers.sh

Log message:
moving on to 7.5-current

CVSROOT: /cvs
Module name: src
Changes by: guenther@cvs.openbsd.org 2024/03/11 20:31:15

Modified files:
    sys/arch/amd64/amd64: vmm_machdep.c

Log message:
Correct handling of cpuid(0xd) subleaves, carefully hiding bits and sizes that the host does not intend to expose, but do expose xsaveopt and xgetbv(1).
ok dv@

CVSROOT: /cvs
Module name: ports
Changes by: aisha@cvs.openbsd.org 2024/03/11 20:31:43

Modified files:
    security/lego : Makefile distinfo modules.inc

Log message:
update to 4.16.1 from Horia Racoviceanu maintainer

CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2024/03/11 23:40:37

Modified files:
    sys/dev/pci/drm/amd/pm/legacy-dpm: amdgpu_si_dpm.c

Log message:
Revert "drm/amd/pm: resolve reboot exception for si oland"

From Alex Deucher
baac292852c0e347626fb5436916947188e5838f in linux-6.6.y/6.6.21
955558030954b9637b41c97b730f9b38c92ac488 in mainline linux

CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2024/03/11 23:42:37

Modified files:
    sys/dev/pci/drm: drm_buddy.c

Log message:
drm/buddy: fix range bias

From Matthew Auld
5e476625fa8a36d7483ec3396a2bd124c2c02066 in linux-6.6.y/6.6.21
f41900e4a6ef019d64a70394b0e0c3bd048d4ec8 in mainline linux

CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2024/03/11 23:46:09

Modified files:
    sys/dev/pci/drm/amd/display/amdgpu_dm: amdgpu_dm_helpers.c

Log message:
drm/amd/display: Add monitor patch for specific eDP

From Ryan Lin
82dacc26e15cbac7f64a30ad4bc2c414f78eaa8f in linux-6.6.y/6.6.21
b7cdccc6a849568775f738b1e233f751a8fed013 in mainline linux

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/12 07:32:53

Modified files:
    sys/arch/arm64/arm64: db_trace.c exception.S

Log message:
Fix the "fake" frame that we create alongside the trapframe. This fixes backtraces through trap frames. Adjust the code that prints backtraces in ddb as the old code now tries to access a userland address.

ok mpi@

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/03/12 10:02:30

Modified files:
    usr.sbin/rpki-client: http.c

Log message:
Enforce same-origin policy for HTTP redirects

Isolate resources from different RRDP servers to avoid inappropriately increasing resource consumption for both RRDP clients and the referenced server.
OK claudio@ tb@

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/03/12 10:03:56

Modified files:
    regress/usr.sbin/rpki-client: test-http.c
    regress/usr.sbin/rpki-client/libressl: Makefile

Log message:
Add regress for cross-origin HTTP redirection

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/12 10:26:46

Modified files:
    sys/dev/mii : ytphy.c

Log message:
Configure the signal on the CLKOUT pin of the YT8531 PHY when we're instructed to do so by the device tree.

ok patrick@

CVSROOT: /cvs
Module name: src
Changes by: cheloha@cvs.openbsd.org 2024/03/12 11:22:24

Modified files:
    usr.sbin/btrace: ksyms.c

Log message:
btrace(8): cache ELF .symtab, .strtab entries in sorted array

Currently, every kelf_snprintsym() call performs a linear search through the .symtab for a matching symbol. The search is very costly and causes btrace(8) to drop a lot of profiling events. Storing the STT_FUNC .symtab entries and their corresponding .strtab entries in a sorted array cuts the lookup cost from O(n) to O(lg n). Lower overhead reduces the drop rate for profiling events.

With tweaks from mpi@.

Thread: https://marc.info/?l=openbsd-tech&m=170830125132105&w=2

probably ok mpi@

CVSROOT: /cvs
Module name: ports
Changes by: robert@cvs.openbsd.org 2024/03/12 15:30:09

Modified files:
    net/zabbix : Makefile distinfo
    net/zabbix/patches: patch-include_zbx_dbversion_constants_h

Log message:
update to 6.4.11; fixes compatibility with timescaledb

from Mark Patruck; ok naddy@

CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2024/03/12 15:31:29

Modified files:
    regress/sys/netinet6/frag6: LICENSE Makefile
Added files:
    regress/sys/netinet6/frag6: frag6_oversize.py frag6_unfragsize.py

Log message:
Add regress test showing that OpenBSD IPv6 fragment reassembly is not affected by FreeBSD-SA-23:06.ipv6 security advisory. Scapy test frag6_oversize.py reassembles fragments of a packet too big to fit.
Test frag6_unfragsize.py also plays games with ECN bits and hop-by-hop extension header to check overflow protection. ICMP6 parameter problem responses are expected. As pf does not generate such ICMP6 error packets, these tests are only run with frag6_input() in the IPv6 stack.

CVSROOT: /cvs
Module name: ports
Changes by: jsg@cvs.openbsd.org 2024/03/12 18:22:15

Modified files:
    sysutils/firmware/intel: Makefile distinfo
    sysutils/firmware/intel/pkg: PLIST

Log message:
update intel microcode to 20240312

release notes: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312

ok sthen@

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/03/13 04:02:37

Modified files:
    etc/root : root.mail

Log message:
mail(1) is very sensitive to spacing in the header, and sometimes when we manually edit this file we forget that.

noticed by naddy

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/13 05:18:42

Modified files:
    regress/usr.bin/lastcomm: gadget.S

Log message:
Add endbr64/bti instruction at the start of the gadget, otherwise we'll get a SIGILL when the gadget gets called. Fix the instruction that sets the syscall number on arm64.

ok anton@, deraadt@

CVSROOT: /cvs
Module name: src
Changes by: nicm@cvs.openbsd.org 2024/03/13 05:25:50

Modified files:
    usr.bin/tmux : tmux.1

Log message:
Make the attach-session description clearer - do not mention creating a client which is not important, explicitly say the session must exist, and mention new-session and new-session -A. Prompted by Theo.

CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2024/03/13 07:13:57

Modified files:
    sys/dev/dt : dt_prov_profile.c

Log message:
Fix potential NULL pointer dereference in dt(4).

When initializing the profiling probes, check if we successfully allocated the probe, before registering it. This avoids a NULL pointer dereference when probe allocation has failed.
from Christian Ludwig

CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2024/03/13 08:43:31

Modified files:
    sys/conf : GENERIC

Log message:
enable POOL_DEBUG after 7.5 release

OK deraadt@

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/13 08:57:08

Modified files:
    sys/arch/arm64/arm64: machdep.c

Log message:
Expose BTI support to userland.

ok deraadt@

CVSROOT: /cvs
Module name: ports
Changes by: robert@cvs.openbsd.org 2024/03/13 12:48:29

Modified files:
    www/chromium : Makefile
    www/iridium : Makefile
    www/ungoogled-chromium: Makefile
Added files:
    www/chromium/patches: patch-media_base_libaom_thread_wrapper_cc
    www/ungoogled-chromium/patches: patch-media_base_libaom_thread_wrapper_cc

Log message:
switch over the chromium ports to use multimedia/aom to pick up endbr64 fixes

iridium does not need the thread wrapper patch as it does not include that code yet

tested by sthen@ and me, ok naddy@

CVSROOT: /cvs
Module name: www
Changes by: op@cvs.openbsd.org 2024/03/13 13:58:20

Modified files:
    . : 75.html

Log message:
smtpd changes

CVSROOT: /cvs
Module name: src
Changes by: cheloha@cvs.openbsd.org 2024/03/13 18:54:54

Modified files:
    usr.sbin/btrace: ksyms.c

Log message:
Revert "btrace(8): cache ELF .symtab, .strtab entries in sorted array"

"No it's not okay." mpi@

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/03/14 00:23:14

Modified files:
    usr.bin/ssh : ssh.1

Log message:
Clarify how literal IPv6 addresses can be used in -J mode

OK djm@

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/14 08:29:03

Modified files:
    regress/sys : Makefile

Log message:
Hook up the btcfi test.

CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2024/03/14 11:35:37

Modified files:
    lib/libexpat/lib: xmlparse.c

Log message:
Cherry-pick fix for CVE-2024-28757 from libexpat.

Detect billion laughs attack with isolated external parser.
github commit 1d50b80cf31de87750103656f6eb693746854aa8

OK deraadt@

CVSROOT: /cvs
Module name: src
Changes by: bluhm@cvs.openbsd.org 2024/03/14 13:37:40

Modified files:
    lib/libexpat : Changes
    lib/libexpat/tests: acc_tests.c

Log message:
Change log and regress test for expat billion laughs attack.

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/14 16:09:40

Modified files:
    lib/libcrypto/man: CRYPTO_lock.3

Log message:
Add back a .Pp

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/14 16:19:12

Modified files:
    lib/libcrypto/man: X509_STORE_set1_param.3

Log message:
Mark up X509_STORE_get1_objects()

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/14 17:54:55

Modified files:
    lib/libcrypto/man: EVP_CIPHER_do_all.3

Log message:
Add missing Nm entries for OBJ_NAME_do_all*

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/03/14 21:38:59

Modified files:
    usr.sbin/rpki-client: constraints.c

Log message:
Log which of the constraints files triggered a violation

Requested by Ties de Kock (RIPE NCC)

OK tb@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/14 23:14:16

Modified files:
    usr.sbin/rpki-client: constraints.c

Log message:
whitespace

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/15 07:26:09

Modified files:
    sys/arch/arm64/arm64: cpu.c trampoline.S

Log message:
According to errata AC03_CPU_12, AmpereOne needs the loopy branches with a loop count of 11 to mitigate Spectre-BHB. And it seems Cortex-A57 was missed when Spectre-BHB mitigation support was added, so add it here as well.

ok jsg@

CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2024/03/15 10:29:32

Modified files:
    distrib/miniroot: install.sub

Log message:
Move code into new stop_watchdog()

We have {reset,start}_watchdog() which are only used in unattended upgrade code, but stopping the background timer is done inline for all upgrades, incl. interactive ones.
Relocate it out of the very end of do_upgrade() right after its only caller and limit it to unattended upgrades to match where/how the timer is started.

OK afresh1

CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2024/03/15 11:31:21

Modified files:
    distrib/miniroot: install.sub

Log message:
Backout "Move code into new stop_watchdog()"

An upgrade stalled on me, either my testing was flawed or my diff is... Having stop_watchdog() is fine, but calling it in a different place is apparently too subtle for me to get right.

CVSROOT: /cvs
Module name: src
Changes by: stsp@cvs.openbsd.org 2024/03/15 11:45:36

Modified files:
    sys/net80211 : ieee80211_input.c

Log message:
Ignore ADDBA requests if we are not ready to receive data frames.

This prevents potential firmware errors in Intel wifi drivers when APs send an ADDBA request before the driver's state machine has settled into RUN state. The driver's addba task would race the driver's newstate task, and the hardware would see an incorrect sequence of commands. Ignoring an early ADDBA request is harmless. The AP will retry later.

Reported by zxystd from the OpenIntelWireless project, thanks!

ok phessler@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/15 15:32:21

Modified files:
    lib/libz : deflate.c gzguts.h gzlib.c

Log message:
zlib: sync with upstream

More Windows #ifdef shuffling. Only one change relevant for OpenBSD:

Make deflateBound() more conservative and handle Z_STREAM_END.

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/15 15:32:54

Modified files:
    sys/lib/libz : deflate.c

Log message:
zlib: sync with src

CVSROOT: /cvs
Module name: src
Changes by: op@cvs.openbsd.org 2024/03/15 15:52:20

Modified files:
    usr.sbin/smtpd : mda_unpriv.c

Log message:
set ORIGINAL_RECIPIENT in the environment of mda scripts

mostly for compatibility with postfix since some mdas (like public-inbox) make use of it.
diff from Philipp (philipp+openbsd [at] bureaucracy [dot] de)

ok gilles@

CVSROOT: /cvs
Module name: src
Changes by: op@cvs.openbsd.org 2024/03/15 15:56:22

Modified files:
    usr.sbin/smtpd : smtpd.conf.5

Log message:
add some initial documentation regarding MDAs

this adds some initial commentary for how MDAs should behave and in what environment they are executed.

diff from Philipp (philipp+openbsd [at] bureaucracy [dot] de) with some tweaks from Richard Toohey and me.

ok gilles@

CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2024/03/15 20:00:31

Modified files:
    usr.bin/whois : whois.1 whois.c

Log message:
whois: trim output after ">>> Last update of WHOIS database:"

Currently, whois(1) displays the full output it receives from the server. With this change, any text after a line starting with ">>> Last update of WHOIS database:" is dropped. This trims a lot of useless text that would otherwise cause the data you care about to scroll off the screen.

From FreeBSD.

OK deraadt@

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/03/15 23:18:01

Modified files:
    distrib/sets/lists/base: mi
    distrib/sets/lists/etc: mi

Log message:
Move RPKI Trust Anchor constraints from etc set to base

The cadence of updates being applied to the RPKI Trust Anchor constraints seems sufficiently low, while the required understanding of context to make educated decisions quite high, so centralized coordination of updates through tech@openbsd.org is more appropriate.
requested by & OK deraadt@, OK tb@

CVSROOT: /cvs
Module name: src
Changes by: jmc@cvs.openbsd.org 2024/03/16 00:29:36

Modified files:
    usr.bin/whois : whois.c

Log message:
add -S to usage();

CVSROOT: /cvs
Module name: src
Changes by: jsg@cvs.openbsd.org 2024/03/16 03:15:04

Modified files:
    sys/arch/arm64/arm64: cpu.c

Log message:
recognise Cortex-A520AE (Hayes AE), Cortex-A720AE (Hunter AE)

CVSROOT: /cvs
Module name: src
Changes by: cheloha@cvs.openbsd.org 2024/03/16 11:42:37

Modified files:
    usr.sbin/btrace: ksyms.c

Log message:
btrace(8): cache ELF symbols in sorted array

Currently, every kelf_snprintsym() call performs a linear search through the .symtab for a symbol matching the given PC. The search is expensive and seems to be a major source of dropped profiling events. Storing all STT_FUNC .symtab entries and their names in a sorted array cuts search time from O(n) to O(lg n). In practice, the faster lookups seem to dramatically reduce the profiling drop rate.

With tweaks from mpi@.

Thread: https://marc.info/?l=openbsd-tech&m=170830125132105&w=2

ok mpi@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/16 14:42:33

Modified files:
    lib/libcrypto/bn: bn_rand.c

Log message:
Fix signed integer overflow in bnrand()

If more bits than INT_MAX - 7 are requested, the calculation of number of bytes required to store the bignum triggers undefined behavior due to signed integer overflow. This will typically result in bytes becoming negative which will then make malloc() fail. If the ulimit should be high enough to make malloc() succeed, there is a bad out of bounds write in case bottom is set (an odd number was requested).

On jsing's request this does not deal with another bug which we could catch with a similar check due to BN_bn2bin() failing later on as the number of words in a BIGNUM is some fraction of INT_MAX.
ok jsing

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/16 14:46:28

Modified files:
    sys/arch/arm64/arm64: locore.S
    sys/arch/arm64/include: hypervisor.h

Log message:
Set the HCR_API and HCR_APK bits in the HCR_EL2 when CPUs boot in EL2. Otherwise using PAC instructions in EL1 will trigger a trap into EL2 that we don't handle.

ok jsg@, deraadt@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/16 15:42:20

Modified files:
    lib/libcrypto : cversion.c

Log message:
Remove ugly parens and thereby fix KNF

CVSROOT: /cvs
Module name: src
Changes by: patrick@cvs.openbsd.org 2024/03/16 18:06:43

Modified files:
    sys/dev/mii : eephy.c

Log message:
Some PHYs need board-specific initializations, e.g. to correctly configure LED settings, which might be stored in the marvell,reg-init property. With these applied, the LEDs on the SolidRun ClearFog CN9130 Base work correctly.

ok kettenis@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/16 19:44:59

Modified files:
    usr.sbin/rpki-client: extern.h

Log message:
Remove unused enum rsc_resourceblock_tag

This was used in rsc.c prior to the switch to ASN.1 templates.

ok job

CVSROOT: /cvs
Module name: src
Changes by: guenther@cvs.openbsd.org 2024/03/16 23:49:41

Modified files:
    sys/arch/amd64/amd64: cpu.c identcpu.c locore.S vmm_support.S
    sys/arch/amd64/include: specialreg.h

Log message:
Use VERW to mitigate the RFDS (Register File Data Sampling) vulnerability present in Intel Atom CPUs, reordering some ASM in return-to-userspace and start/resume-vmx-guest to reduce the number of kernel values still live in registers when VERW is used. This mitigation requires updated firmware which has affected CPUs report RFDS_CLEAR in dmesg.
Firmware packaging by jsg@ and sthen@

Logic for interpreting intel's flags by jsg@ after lots of discussion between him, deraadt@, and I

ok deraadt@

CVSROOT: /cvs
Module name: src
Changes by: tb@cvs.openbsd.org 2024/03/17 01:10:00

Modified files:
    lib/libcrypto/rsa: rsa_ameth.c

Log message:
Annotate RSA-PSS SHA parameter encoding as wrong

A historic blunderfest in the ASN.1 module for RSA-PSS led to very confusing text in various RFCs. davidben and my current reading of this is that parameters for SHA-* should be encoded as an ASN.1 NULL rather than omitted. The use of X509_ALGOR_set_evp_md() leads to them being omitted, and is therefore counter to the specification (but allowed). We should fix this. For now, leave a reminder.

See https://boringssl-review.googlesource.com/c/boringssl/+/67088 for a lot more details.

ok davidben

CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/03/17 07:05:40

Modified files:
    sys/arch/arm64/arm64: cpu.c machdep.c
    sys/arch/arm64/include: armreg.h

Log message:
The feature is called SSBS instead of SBSS.

CVSROOT: /cvs
Module name: www
Changes by: naddy@cvs.openbsd.org 2024/03/17 13:30:47

Modified files:
    . : 75.html

Log message:
12309 amd64 packages

CVSROOT: /cvs
Module name: src
Changes by: mvs@cvs.openbsd.org 2024/03/17 13:47:08

Modified files:
    sys/kern : uipc_usrreq.c

Log message:
Do UNP_CONNECTING and UNP_BINDING flags check in uipc_listen() and return EINVAL if set. This prevents concurrent solisten() thread to make this socket listening while socket is unlocked.
Reported-by: syzbot+4acfcd73d15382a3e7cf@syzkaller.appspotmail.com

ok mpi

CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2024/03/17 14:06:28

Modified files:
    security/nss : Makefile distinfo

Log message:
security/nss: update to 3.99, required by gecko 125

see https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html

bump minor for some func additions in libsmime3

CVSROOT: /cvs
Module name: ports
Changes by: kn@cvs.openbsd.org 2024/03/17 14:16:52

Modified files:
    net/tdesktop : Makefile

Log message:
complete and sort bundle license markers, tidy up a bit

CVSROOT: /cvs
Module name: ports
Changes by: kn@cvs.openbsd.org 2024/03/17 14:19:07

Modified files:
    devel/abseil-cpp: Makefile distinfo

Log message:
update to abseil-cpp 20240116.1 (one macOS change, pure maintainer chore)

CVSROOT: /cvs
Module name: ports
Changes by: landry@cvs.openbsd.org 2024/03/17 14:20:33

Modified files:
    x11/x2goclient : Makefile distinfo
    x11/x2goclient/patches: patch-Makefile patch-x2goclient_pro
    x11/x2goclient/pkg: PLIST

Log message:
x11/x2goclient: update to 4.1.2.3.
ok rsadowski@ (MAINTAINER)

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:35

Modified files:
    x11/icewm : Makefile distinfo
    x11/icewm/patches: patch-src_default_h

Log message:
update to icewm-3.4.6

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:38

Modified files:
    mail/dovecot-fts-flatcurve: Makefile distinfo

Log message:
update to dovecot-fts-flatcurve-1.0.2

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:41

Modified files:
    x11/evilwm : Makefile distinfo
    x11/evilwm/pkg : DESCR

Log message:
update to evilwm-1.4.3

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:50

Modified files:
    telephony/pjsua: Makefile distinfo

Log message:
update to pjsip-2.14.1

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:53

Modified files:
    sysutils/borgmatic: Makefile distinfo
    sysutils/borgmatic/pkg: PLIST

Log message:
update to borgmatic-1.8.9

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:25:56

Modified files:
    net/libunbound : Makefile distinfo

Log message:
update to libunbound-1.19.3

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:27:11

Modified files:
    net/eduvpn/vpn-user-portal: Makefile distinfo
    net/eduvpn/vpn-user-portal/pkg: PLIST

Log message:
update to vpn-user-portal-3.5.7

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:27:16

Modified files:
    lang/php/8.3 : Makefile distinfo

Log message:
update to php-8.3.4

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:27:18

Modified files:
    lang/php/8.2 : Makefile distinfo

Log message:
update to php-8.2.17

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:27:59

Modified files:
    www/tomcat/v9 : Makefile distinfo

Log message:
update to tomcat-9.0.87

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:28:40

Modified files:
    www/tomcat : Makefile
Removed files:
    www/tomcat/v8 : Makefile distinfo
    www/tomcat/v8/patches: patch-conf_server_xml
    www/tomcat/v8/pkg: DESCR-examples DESCR-main PLIST-examples PLIST-main README-main tomcat.rc

Log message:
remove nearly EoL tomcat v8

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:29:37

Modified files:
    www/libsass : Makefile distinfo
    www/libsass/pkg: DESCR

Log message:
update to libsass-3.6.6

CVSROOT: /cvs
Module name: ports
Changes by: sthen@cvs.openbsd.org 2024/03/17 14:29:40

Modified files:
    www/py-urllib3 : Makefile distinfo
    www/py-urllib3/pkg: PLIST

Log message:
update to py3-urllib3-1.26.18

CVSROOT: /cvs
Module name: ports
Changes by: tb@cvs.openbsd.org 2024/03/17 14:43:28

Modified files:
    security/rust-openssl-tests: Makefile crates.inc distinfo
    security/rust-openssl-tests/patches: patch-openssl-sys_build_main_rs
    security/rust-openssl-tests/pkg: PLIST

Log message:
Update to rust-openssl-tests 20240318

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 17:02:36

Modified files:
    devel/ipython : Makefile distinfo
Removed files:
    devel/ipython/patches: patch-examples_IPython_Kernel_ipython_desktop

Log message:
update ipython to 8.22.2

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 17:11:31

Modified files:
    devel/py-jupyter_client: Makefile distinfo
    devel/py-jupyter_client/patches: patch-jupyter_client_connect_py

Log message:
update jupyter_client to 8.6.1

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 17:14:01

Modified files:
    devel/py-jupyter_core: Makefile distinfo

Log message:
update jupyter_core to 5.7.2

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 17:52:15

Modified files:
    sysutils/py-watchdog: Makefile distinfo
    sysutils/py-watchdog/pkg: PLIST

Log message:
update watchdog to 2.3.1; needed to update werkzeug

CVSROOT: /cvs
Module name: xenocara
Changes by: kettenis@cvs.openbsd.org 2024/03/17 18:15:10

Modified files:
    lib/mesa/src/gallium/auxiliary/gallivm: lp_bld_init.c lp_bld_misc.cpp lp_bld_misc.h

Log message:
Tell LLVM to generate code with BTI instructions.

"looks ok" jsg@, ok deraadt@

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 21:58:01

Modified files:
    devel/py-ipykernel: Makefile distinfo
    devel/py-ipykernel/pkg: PLIST

Log message:
update ipykernel to 6.29.3

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 22:00:40

Modified files:
    devel/spyder/py-spyder-kernels: Makefile distinfo

Log message:
update spyder-kernels to 2.5.1

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 22:04:33

Modified files:
    devel/spyder/spyder: Makefile distinfo

Log message:
update spyder to 5.5.3

CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2024/03/17 22:15:30

Modified files:
    sysutils/rclone: Makefile distinfo

Log message:
Update to rclone-1.66.0

Changes: https://rclone.org/changelog/#v1-66-0-2024-03-10

CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2024/03/17 22:15:45

Modified files:
    net/ocserv : Makefile distinfo
    net/ocserv/patches: patch-doc_sample_config patch-src_main-ban_c patch-src_occtl_occtl_c patch-src_occtl_time_c patch-src_ocpasswd_ocpasswd_c

Log message:
Update to ocserv-1.2.4

Changes: https://ocserv.openconnect-vpn.net/changelog.html

CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2024/03/17 22:16:11

Modified files:
    mail/notmuch : Makefile.inc
    mail/notmuch/notmuch: distinfo
    mail/notmuch/py-notmuch: distinfo

Log message:
Update to notmuch-0.38.3

Fixes a bug in configuration code that caused the notmuch command to erroneously report "Error: could not locate database" under some circumstances.
CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2024/03/17 22:16:34

Modified files:
    news/sabnzbd : Makefile distinfo

Log message:
Update to sabnzbd-4.2.3

Changes: https://github.com/sabnzbd/sabnzbd/releases/tag/4.2.3

CVSROOT: /cvs
Module name: ports
Changes by: bket@cvs.openbsd.org 2024/03/17 22:16:51

Modified files:
    devel/git-cola : Makefile distinfo
    devel/git-cola/patches: patch-cola_app_py

Log message:
Update to git-cola-4.6.1

Changes: https://github.com/git-cola/git-cola/blob/v4.6.1/CHANGES.rst

CVSROOT: /cvs
Module name: ports
Changes by: daniel@cvs.openbsd.org 2024/03/17 22:31:44

Modified files:
    devel/py-python-lsp-server: Makefile distinfo

Log message:
update python-lsp-server to 1.10.1

CVSROOT: /cvs
Module name: ports
Changes by: tb@cvs.openbsd.org 2024/03/18 00:01:15

Modified files:
    security/openssl-ruby-tests: Makefile distinfo

Log message:
Update to openssl-ruby-tests 20240318

CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2024/03/18 00:05:23

Modified files:
    sys/net : if_aggr.c

Log message:
use high bits from the mbuf flowid to pick a port to transmit on.

a port here is a physical interface used by an aggr. this leaves the low bits for a physical interface to use to pick a tx ring. without this, aggr used low bits for port selection, which takes bits away from the ring selection, which can lead to uneven distribution of packets over tx rings.

i've been running this in production for well over a year now.

CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2024/03/18 00:14:50

Modified files:
    sys/net : if_aggr.c

Log message:
expose per port information via kstats.

the most interesting information exposed here is the number of times a port changes state according to the lacp state machine. if a port is flapping, it's hard to see if you only look at the current state. getting a count of changes over time makes problems a lot more visible and therefore fixable.
this also exposes counters around how the lacp protocol packets. all of these can be useful when trying to line up behaviors with another system (eg, a switch). ok jmatthew@

CVSROOT: /cvs Module name: ports Changes by: otto@cvs.openbsd.org 2024/03/18 00:46:18 Modified files: net/quiche : Makefile distinfo Log message: Update to quiche 0.20.1 This fixes a potential DOS. See https://github.com/cloudflare/quiche/releases/tag/0.20.1

CVSROOT: /cvs Module name: ports Changes by: otto@cvs.openbsd.org 2024/03/18 00:47:53 Modified files: net/dnsdist : Makefile distinfo Log message: Update to dnsdist 1.9.1

CVSROOT: /cvs Module name: ports Changes by: otto@cvs.openbsd.org 2024/03/18 00:50:45 Modified files: net/powerdns : Makefile distinfo Log message: Update to PowerDNS Authoritative Server 4.9.0

CVSROOT: /cvs Module name: src Changes by: op@cvs.openbsd.org 2024/03/18 02:48:50 Modified files: usr.sbin/smtpd : smtpd.conf.5 Log message: improve the MDA documentation - add a pointer to the section when documenting the `mda' keyword - rename the section to MDA COMMANDS - document also what happens when the MDA doesn't exit with status 0 - add the missing environment variables - sort the variables - minor other tweaks to the text with several improvements from jmc, ok jmc

CVSROOT: /cvs Module name: src Changes by: op@cvs.openbsd.org 2024/03/18 02:50:54 Modified files: lib/libc/gen : login_cap.3 Log message: fix markup of _PATH_DEFPATH (Li -> Dv); ok jmc

CVSROOT: /cvs Module name: ports Changes by: op@cvs.openbsd.org 2024/03/18 03:08:54 Modified files: lang/clojure : Makefile distinfo Log message: update lang/clojure to 1.11.2.1446

CVSROOT: /cvs Module name: ports Changes by: op@cvs.openbsd.org 2024/03/18 03:36:49 Modified files: devel/luarocks : Makefile distinfo devel/luarocks/pkg: PLIST Log message: update devel/luarocks to 3.11.0 changelog: https://github.com/luarocks/luarocks/blob/master/CHANGELOG.md This "skips" over 3.10.0.
CVSROOT: /cvs Module name: src Changes by: claudio@cvs.openbsd.org 2024/03/18 04:16:50 Modified files: usr.sbin/bgpd : bgpd.conf.5 Log message: Use same markup for origin-set arguments as for roa-set. The maxlen argument is optional. OK tb@

CVSROOT: /cvs Module name: src Changes by: claudio@cvs.openbsd.org 2024/03/18 04:49:24 Modified files: usr.sbin/bgpd : bgpd.h Log message: Double PEER_DESCR_LEN to 64 characters since 32 is a bit on the short side. OK sthen@, deraadt@, dlg@, tb@

CVSROOT: /cvs Module name: src Changes by: bluhm@cvs.openbsd.org 2024/03/18 05:02:25 Modified files: lib/libexpat : Tag: OPENBSD_7_4 Changes lib/libexpat/lib: Tag: OPENBSD_7_4 xmlparse.c Log message: Cherry-pick fix for CVE-2024-28757 from libexpat. Detect billion laughs attack with isolated external parser. github commit 1d50b80cf31de87750103656f6eb693746854aa8 OK deraadt@ this is errata/7.4/015_expat.patch.sig

CVSROOT: /cvs Module name: src Changes by: bluhm@cvs.openbsd.org 2024/03/18 05:03:04 Modified files: lib/libexpat : Tag: OPENBSD_7_3 Changes lib/libexpat/lib: Tag: OPENBSD_7_3 xmlparse.c Log message: Cherry-pick fix for CVE-2024-28757 from libexpat. Detect billion laughs attack with isolated external parser. github commit 1d50b80cf31de87750103656f6eb693746854aa8 OK deraadt@ this is errata/7.3/027_expat.patch.sig

CVSROOT: /cvs Module name: ports Changes by: sthen@cvs.openbsd.org 2024/03/18 06:53:55 Modified files: graphics/ImageMagick: Makefile Log message: remove LIB_DEPENDS on aom, dav1d, libde265, x265 - they're pulled in via libheif and not used directly. from Brad.

CVSROOT: /cvs Module name: www Changes by: sthen@cvs.openbsd.org 2024/03/18 08:13:01 Modified files: . : 75.html Log message: i386: 10830 pkgs, aarch64: 12145 pkgs

CVSROOT: /cvs Module name: ports Changes by: sthen@cvs.openbsd.org 2024/03/18 08:33:13 Modified files: lang/python : python.port.mk Log message: add python to TEST_DEPENDS if MODPY_PYTEST is set to 'no'.
CVSROOT: /cvs Module name: www Changes by: bluhm@cvs.openbsd.org 2024/03/18 08:39:10 Modified files: . : errata73.html errata74.html Log message: Release libexpat errata.

CVSROOT: /cvs Module name: src Changes by: claudio@cvs.openbsd.org 2024/03/18 08:54:53 Modified files: usr.sbin/bgpd : parse.y Log message: Typecast char argument to isxdigit() to unsigned char since isxdigit() only works that way correctly. OK deraadt@

CVSROOT: /cvs Module name: ports Changes by: sthen@cvs.openbsd.org 2024/03/18 08:59:46 Modified files: net/bird/2 : Makefile distinfo Log message: update to bird-2.15

CVSROOT: /cvs Module name: ports Changes by: fcambus@cvs.openbsd.org 2024/03/18 10:43:39 Modified files: audio/schismtracker: Makefile distinfo audio/schismtracker/patches: patch-configure_ac Log message: Update schismtracker to 20240308.

CVSROOT: /cvs Module name: ports Changes by: fcambus@cvs.openbsd.org 2024/03/18 11:23:20 Modified files: graphics/p5-Image-ExifTool: Makefile distinfo graphics/p5-Image-ExifTool/pkg: PLIST Log message: Update p5-Image-ExifTool to 12.79.

CVSROOT: /cvs Module name: ports Changes by: jeremy@cvs.openbsd.org 2024/03/18 11:46:37 Modified files: security/suricata: Makefile Added files: security/suricata/patches: patch-src_suricata_c patch-src_util-privs_c patch-src_util-privs_h Log message: Readd privdrop patches "probably automatically removed" by gonzalo@ in the 7.0.2 update OK gonzalo@

CVSROOT: /cvs Module name: ports Changes by: jca@cvs.openbsd.org 2024/03/18 11:50:18 Modified files: graphics/pqiv : Makefile distinfo Removed files: graphics/pqiv/patches: patch-pqiv_c Log message: Update to pqiv-2.13.1 time_t patch addressed upstream.
CVSROOT: /cvs Module name: ports Changes by: jca@cvs.openbsd.org 2024/03/18 11:56:00 Modified files: security/libksba: Makefile distinfo Log message: Bugfix update to libksba-1.6.6

CVSROOT: /cvs Module name: ports Changes by: fcambus@cvs.openbsd.org 2024/03/18 12:00:09 Modified files: sysutils/broot : Makefile crates.inc distinfo Log message: Update broot to 1.36.1.

CVSROOT: /cvs Module name: ports Changes by: fcambus@cvs.openbsd.org 2024/03/18 12:08:10 Modified files: misc/dialog : Makefile distinfo Log message: Update dialog to 1.3-20240307.

CVSROOT: /cvs Module name: src Changes by: kettenis@cvs.openbsd.org 2024/03/18 12:35:21 Modified files: sys/arch/arm64/arm64: cpu.c sys/arch/arm64/include: armreg.h Log message: Add support for the new layout of the CCSIDR_EL1 register that was introduced in Armv8.3 when the CCIDX feature is advertised. This makes us properly detect the cache size on newer CPU cores like Neoverse N2, at least when emulated by QEMU. ok jsg@

CVSROOT: /cvs Module name: src Changes by: kettenis@cvs.openbsd.org 2024/03/18 15:20:46 Modified files: sys/dev/pci : pci.c Log message: Reduce dmesg spam and only print about resource conflicts for resources that are actually enabled. ok dlg@, deraadt@

CVSROOT: /cvs Module name: src Changes by: patrick@cvs.openbsd.org 2024/03/18 15:37:44 Modified files: sys/dev/fdt : if_mvpp.c Log message: Pass PHY OF node to the MII layer for use by PHY drivers.

CVSROOT: /cvs Module name: src Changes by: kettenis@cvs.openbsd.org 2024/03/18 15:57:22 Modified files: sys/arch/arm64/arm64: cpu.c sys/dev/fdt : psci.c pscivar.h Log message: Implement Spectre-V4 mitigations. The only real effect of this change is that we now make a firmware call to enable the mitigations if the firmware tells us mitigations are implemented and needed. But according to the specification these mitigations should be enabled by default. The open source TF-A implementation only implements mitigations for older Cortex-A76 cores.
Newer Cortex-A76 revisions are not vulnerable and as far as I can tell we only support SoCs with the newer cores. ok patrick@

CVSROOT: /cvs Module name: ports Changes by: lraab@cvs.openbsd.org 2024/03/18 16:36:23 Modified files: sysutils/telegraf: Makefile distinfo modules.inc Log message: sysutils/telegraf: update to 1.30.0 ok landry@

CVSROOT: /cvs Module name: ports Changes by: lraab@cvs.openbsd.org 2024/03/18 16:37:45 Modified files: sysutils/grafana: Makefile distinfo sysutils/grafana/patches: patch-conf_sample_ini sysutils/grafana/pkg: PLIST Log message: sysutils/grafana: update to 10.4.0

CVSROOT: /cvs Module name: ports Changes by: daniel@cvs.openbsd.org 2024/03/18 19:44:14 Modified files: net/py-zmq : Makefile distinfo Log message: update py-zmq to 25.1.1 for Python 3.12 support

CVSROOT: /cvs Module name: ports Changes by: daniel@cvs.openbsd.org 2024/03/18 20:18:44 Modified files: devel/py-nbconvert: Makefile distinfo devel/py-nbconvert/pkg: DESCR PLIST textproc/py-mistune: Makefile distinfo textproc/py-mistune/pkg: PLIST Log message: update nbconvert to 7.16.2 and mistune to 2.0.5

CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2024/03/18 21:49:11 Modified files: sys/net : if_sec.c Log message: count if_enqueue/ifq_enqueue errors as oqdrops. this helps narrow down where some "output failures" on sec interfaces occur. based on discussion with jason tubnor

CVSROOT: /cvs Module name: src Changes by: tb@cvs.openbsd.org 2024/03/18 23:04:13 Modified files: usr.sbin/rpki-client: cert.c extern.h filemode.c ip.c parser.c validate.c x509.c Log message: Rename parent to issuer in struct auth Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'. discussed with beck and job ok job