--- /home/brett/Downloads/oldplus.html Wed Jul 15 12:57:36 2026
+++ /home/brett/Downloads/plus.html Wed Jul 15 13:00:48 2026
@@ -106,6 +106,192 @@
+
+- Retired the cpp.sh script and install the cpp binary directly in /usr/bin.
+
+
- Improved Honor MagicBook Touchpad quirks.
+
+
- Validate routing socket replies in iked(8).
+
- Reworked how mbufs share references to external storage, to avoid global mutex.
+
+
- Added support for wakeup interrupts to bytgpio(4), fixes IdeaPad resuming from suspend.
+
+
- Made httpd(8) drain abort response via bufferevent to prevent errors being truncated.
+
+
- Prevent unnecessary PLT entries when LLVM emits calls to strlen(3) and wcslen(3).
+
- Fixed endless loop in ypldap(8), login_ldap(8), and ldap(1); check for evbuffer_add(3) errors.
+
- Properly check vnode identity after vget(9).
+
- Removed extraneous control socket objects in vmd(8).
+
+
- Fixed the priority_len bounds check in dhcpd(8).
+
- Prevent bus_dmamap_load(9) failures on a dmamap in acpi(4).
+
+
- Avoid download to server-controlled path when performing ssh(1) download via commandline.
+
- Avoid possible NULL deref in ssh(1); sanitise filenames received via remote glob.
+
+
- Restricted IMSG_CTL_PROCFD to parent and check process id/instance in iked(8), httpd8(), relayd(8), and snmpd(8).
+
- Switched the default TLS cipher in httpd.conf(5) set from 'compat' to 'secure.'
+
- Switched the default TLS cipher in relayd.conf(5) set from 'HIGH:!aNULL' to 'secure.'
+
- Updated libexpat to version 2.8.2, with many security fixes.
+
- Removed double fclose in a success path in rpki-client(8).
+
- Update link state after new port attached via trunk(4).
+
+
- tsort(1) will now print the file name when erroring out on invalid input.
+
- Made tsort(1) abort early if input lines contain NUL bytes.
+
- Added a coinflip to increase cycle-to-cycle jitter in rpki-client(8).
+
- Fixed OOB write in sysctl_ucominit with no ucom(4) devices.
+
- In uvm_swap, don't bounce unless we're doing encrypted writes.
+
- Added many new awk(1) tests, adapted from upstream.
+
- Merged nsd(8) 4.14.3.
+
- Fixes for CVE-2026-12244, CVE-2026-12245, CVE-2026-12246 and CVE-2026-12490 in nsd(8).
+
- Fixed a null dereference in radiusd(8) when authentication-filter configured and pap is used.
+
- Made resolver return statically built addresses (bot IPv4 and IPv6) when hostname == NULL.
+
- Sync get_crl_sk() in X509_verify(3) with BoringSSL and OpenSSL.
+
+
- Prevent authenticated RADIUS CP attribute mapping overflowing rr_cfg in iked(8).
+
- Made getaddrinfo(3) check hnok_lenient() earlier, for special handling for localhost names.
+
- Prevent OOB reads by vmd(8) in 32 and 64-bit elf(5) loaders with malformed elf(5) files.
+
- Stopped the resolver from silently truncate result of dname_expand.
+
- Prevent virtio scsi DoS from bad descriptor length passed by guest to vmd(8).
+
- Reject invalid PIT periods in vmd(8).
+
- Fixed fw_cfg leak of file directory buffer in vmd(8).
+
- Ensure ospfd(8) does not leak information on memory address layout from process.
+
- Reset ar_datalen and ar_data after free(3) like everywhere else.
+
- Major rework of tmux(1) prompts.
+
- Made mount(8) support DUIDs with -u; preserve DUID when updating file system
+
- Stop kernel pmap growing to its maximum and consuming all memory on small memory machines.
+
- Untrace traced children even when they're exiting to prevent triggering a KASSERT.
+
+
- Fixed broken -mfix-loongson2f-btb with Clang on loongson.
+
- Allow sparc64 Enterprise 4000 and similar with dead batteries to correctly attach clocks.
+
- Additional preparation for 52 disk partitions.
+
- Made divert-packet / divert(4) properly rdomain aware.
+
- Use midi_in() not midi_send() to generate sndiod(8) MIDI messages.
+
- Extended multicast router counter, made it MP-safe.
+
- Fixed FIFO handling to avoid overflowing sc_imess in ncr53c9x.c.
+
- Fixed kernel memory leaks in IPC_STAT and KERN_SYSVIPC_SHM_INFO.
+
- Attach aplmbox(4) early in RAMDISK kernels.
+
- Properly clear isakmpd(8) key material; clear sensitive data with freezero().
+
- In rpki-client(8), added a backoff retry mechanism for non-functional CAs.
+
- Stopped bgpd(8) leaking peer data to bgpctl(8).
+
+
- Made sndiod(8) ensure strings received from the network are 0-terminated.
+
- Cleanup write(1) and pledge(2) it on startup.
+
- Removed current directory from default pkg_add(1) search path.
+
- Made pstat(8) -d work for static kernel variables.
+
- Check for IPv6 scope truncation in getnameinfo(3).
+
- Removed IPv6 source routing from output path (deprecated by RFC 5095).
+
- For network interfaces, allocate mbufs in high memory if only 64 bit DMA interfaces exist.
+
- Stopped leaking transport in isakmpd(8) error paths of udp_encap_handle_message().
+
- Enforce per-type ID payload size in isakmpd(8) ipsec_validate_id_information().
+
- Avoid shift overflows in memmem(3) and strstr(3).
+
- Multiple additional bounds checks in isakmpd(8).
+
- Implemented ch_meta_locate() in bgpd(8).
+
- Mitigate CVE-2025-10263 (arm64).
+
- Properly check for DNS errors returned by ASN1_item_unpack(3) and ASN1_item_pack(3).
+
- Imported clang-scan-deps for clang(1).
+
- Made msg_copyout() check the remaining space within userland buffer to avoid overflows.
+
- Fixed EXFLAG_CRITICAL mishandling of unsupported asn1 extensions.
+
- Fixed tsort(1) heap buffer overread with embedded null bytes in input.
+
- Fixed drm(7) vmap_pfn() by using ptoa() to get the physical address.
+
+
- Reverted scatterlist dma_length changes from drm(7) which caused blank screen on meteor lake.
+
- cpp(1) no longer default to -traditional.
+
- Implemented bus DMA constraints from 'dma-ranges' properties in riscv device tree.
+
- llvm-readobj now recognises OpenBSD PAC mask notes in (arm64) coredumps.
+
- Discard vfs buffers after vclean error.
+
- Added bounds check for dhcpd(8) priority_len.
+
- Added server.thru control to sndiod(8) midithru/N ports.
+
- Implemented control of midithru ports with sndioctl(1).
+
- Fixed overflow in dhcpd(8) priority_list.
+
- Switch to timingsafe_memcmp(3) in iked(8) dsa_verify_final() and ikev2_msg_decrypt().
+
- Fixed mwx(4) panic on interface down.
+
- Made iked(8) reject all-zero curve25519 shared secrets.
+
- Limit iked(8) sa_eapmsk length.
+
- Avoid a 'Data modified on freelist' panic on boot with inteldrm(4) discrete cards (DG2).
+
- Harden mainbus(4) bus_dma_tag (no longer writable).
+
- Fixed leak of new SA on iked(8) rekey error; clear csa_rekey on error.
+
- No longer forward packets with a source ip of 0.0.0.0.
+
- Implemented support for HW crypto and wpakey in mwx(4).
+
- Enforce unique IKE spi in iked(8) rekeying.
+
- Reject empty CNAMEs in gethostbyname(3) / getaddrinfo(3).
+
- Rework non-functional CA statistics accounting in (8).
+
+
- No longer deactivate the whole usb device if umsm(4) attach can't find endpoints.
+
- When setting fuse_lowlevel_new(3) file attributes, set correct signal for invalid file handle.
+
- Raised the size of amd64 kernel virtual address space from 4G to 512G.
+
- Avoid access to uninitialised data in ip(4) at boot time.
+
- Skip aliases that are not valid hostnames in gethostbyname(3).
+
- Improved error check for timegm() and mktime() in touch(1) and date(1).
+
- Removed netlock dance in cad(4) ioctl.
+
+
- Avoid a NULL deref when radeon(4) wscons screen burner is enabled.
+
- Fixed incorrect path checking in ypbind(8) ypbindproc_domain_2x.
+
+
- Made httpd(8) and dhcpd(8) correctly error check timegm(3).
+
- Allocate a buffer for the vi(1) line cache instead of reaching into db data.
+
- Made ksh(1) restore source after interactive error recovery before continuing to prompt.
+
+
- Avoid stack exhaustion by unbounded recursion in iked(8).
+
- Fixed uvm amap lock order when disabling swap.
+
- Made snmpd(8) drop recvfd pledge; send data to peers immediately.
+
- Properly align receive buffers on vio(4).
+
- Drop incoming packets containing 16 MPLS labels with no BoS bit.
+
+
- Allow xen(4) to work with bounce buffers.
+
- Allow pppoe(4) to use 'mtu 1500' without requiring MTU manipulation on parent interface.
+
- Improved mwx(4) down/up recovery; made suspend/resume work.
+
- Kernel can support ports that talk directly to /dev/fuse0 rather than libfuse for fuse(4).
+
+
- Made the behaviour of the '(' command match the ')' command in vi(1).
+
- Fixed btrace(8) crash caused by incorrect refcounting in dt(4) backend.
+
- Fixed NULL dereference in isakmpd(8) message_validate_sa().
+
+
- In vi(1), fixed behaviour of ')' used in a range when sentence reaches EOF.
+
- Stop extra line being printed by ex(1) when the 'number' command is given the 'l flag.
+
- rpki-client(8) now rejects certs with duplicate extension OIDs.
+
- Prevent the dhcpleased(8) engine from sending us a negative amount of routes.
+
- Made dhcpleased(8) accept correct amount of routes from the engine process.
+
- Make sure dhcpleased(8) UDP header length field at least covers the UDP header.
+
- Let sparc64 accept ide nodes in IDE bootpaths for better interop with QEMU.
+
- Clear last_modified after each response on a persistent HTTP rpki-client(8) connection.
+
+
- Corrected ssl(8) secondary key share handling for HelloRetryRequests.
+
- Improved ssl(8) TLSv1.3 server handling of no shared groups.
+
- Send illegal parameter alerts for various HelloRetryRequest violations in ssl(8).
+
- Removed SSL_OP_LEGACY_SERVER_CONNECT from default options in ssl(8).
+
- Switched relayd(8) to new imsg API.
+
+
- Added experimental ssh(1) support for composite post-quantum mldsa44-ed25519 signature scheme.
+
- Provide a small SHA-1 implementation in hash(3).
+
- Fixed build without INET6 option set for ogx(4/octeon).
+
+
- In vfs, properly wake vclean after failed vnode lock attempts.
+
+
- Backed out sdmmc(4) arm64 hibernate fix, due to memory side effects.
+
- Fixed race condition during uipc_socket socket unsplicing.
+
- Preparation work for sdmmc(4) hibernation on arm64.
+
- Fixed LLVM crashes when using scalable TypeSizes (github issue 175868).
+
- Provide a separate executable file for syslogd(8) parent, for privilege separation.
+
- Implemented mwx(4) mwx_mac_tx_free() for MT7921. Allows MT7921 to connect to an open wifi.
+
- Fixed NULL dereference in isakmpd(8) message_alloc_reply() callers.
+
- Fixed possible unaligned 32 bit read by isakmpd(8).
+
- Validate isakmpd(8) DELETE payload SPI array size.
+
- Validate proposal and transform sizes in isakmpd(8).
+
+
- Added length checks for the Port-Message and State attributes in login_radius(8) Access-Challenge.
+
- Improved channel setup in mwx_preinit(); mark channels as passive in the DFS range.
+
+
- Fixed incorrect purpose check in the non-legacy x509_verify path in ssl(8).
+
- Fixed a vulnerability of integer overflow in amdgpu(4) kfd debugger.
+
- Removed the uvm buffer flipper, so the buffer cache has only one clean cache.
+
- Require lpd(8) data file path name to be in the spool dir.
+
- Ensure that buffer passed to mwx_mcu_send_firmware() does not overflow mwx(4) firmware image.
+
- Stopped incorrectly freeing a caller-owned buffer in PKCS7_verify().
+
- Added some missing bounds checks to ssl(8) ASN1_mbstring_copy().
+
- Avoid out-of-bounds read in ssl(8) CMS password-based decryption
+
- Avoid NULL dereference in ssl(8) password-based CMS decryption; fixes crash.
+
- Fixed intel(4) screen glitches when resuming from hibernate.
- Fixed tmux(1) cursor calculation when the status line is at the top.
- Added -H flag to tmux(1) capture-pane to show hyperlinks.