From: "Brett Mahar" Subject: plus.html for June 8th to July 5th To: , Date: Wed, 15 Jul 2026 13:08:31 +1000 Hi tech@, Attached is the diff for changelog for June 8th to July 5th. benno@ is away so sending to tech@. Can somebody please ok and commit? (I don't have commit access). Thanks! Brett. --- /home/brett/Downloads/oldplus.html Wed Jul 15 12:57:36 2026 +++ /home/brett/Downloads/plus.html Wed Jul 15 13:00:48 2026 @@ -106,6 +106,192 @@

    + +
  • Retired the cpp.sh script and install the cpp binary directly in /usr/bin. + +
  • Improved Honor MagicBook Touchpad quirks. + +
  • Validate routing socket replies in iked(8). +
  • Reworked how mbufs share references to external storage, to avoid global mutex. + +
  • Added support for wakeup interrupts to bytgpio(4), fixes IdeaPad resuming from suspend. + +
  • Made httpd(8) drain abort response via bufferevent to prevent errors being truncated. + +
  • Prevent unnecessary PLT entries when LLVM emits calls to strlen(3) and wcslen(3). +
  • Fixed endless loop in ypldap(8), login_ldap(8), and ldap(1); check for evbuffer_add(3) errors. +
  • Properly check vnode identity after vget(9). +
  • Removed extraneous control socket objects in vmd(8). + +
  • Fixed the priority_len bounds check in dhcpd(8). +
  • Prevent bus_dmamap_load(9) failures on a dmamap in acpi(4). + +
  • Avoid download to server-controlled path when performing ssh(1) download via commandline. +
  • Avoid possible NULL deref in ssh(1); sanitise filenames received via remote glob. + +
  • Restricted IMSG_CTL_PROCFD to parent and check process id/instance in iked(8), httpd8(), relayd(8), and snmpd(8). +
  • Switched the default TLS cipher in httpd.conf(5) set from 'compat' to 'secure.' +
  • Switched the default TLS cipher in relayd.conf(5) set from 'HIGH:!aNULL' to 'secure.' +
  • Updated libexpat to version 2.8.2, with many security fixes. +
  • Removed double fclose in a success path in rpki-client(8). +
  • Update link state after new port attached via trunk(4). + +
  • tsort(1) will now print the file name when erroring out on invalid input. +
  • Made tsort(1) abort early if input lines contain NUL bytes. +
  • Added a coinflip to increase cycle-to-cycle jitter in rpki-client(8). +
  • Fixed OOB write in sysctl_ucominit with no ucom(4) devices. +
  • In uvm_swap, don't bounce unless we're doing encrypted writes. +
  • Added many new awk(1) tests, adapted from upstream. +
  • Merged nsd(8) 4.14.3. +
  • Fixes for CVE-2026-12244, CVE-2026-12245, CVE-2026-12246 and CVE-2026-12490 in nsd(8). +
  • Fixed a null dereference in radiusd(8) when authentication-filter configured and pap is used. +
  • Made resolver return statically built addresses (bot IPv4 and IPv6) when hostname == NULL. +
  • Sync get_crl_sk() in X509_verify(3) with BoringSSL and OpenSSL. + +
  • Prevent authenticated RADIUS CP attribute mapping overflowing rr_cfg in iked(8). +
  • Made getaddrinfo(3) check hnok_lenient() earlier, for special handling for localhost names. +
  • Prevent OOB reads by vmd(8) in 32 and 64-bit elf(5) loaders with malformed elf(5) files. +
  • Stopped the resolver from silently truncate result of dname_expand. +
  • Prevent virtio scsi DoS from bad descriptor length passed by guest to vmd(8). +
  • Reject invalid PIT periods in vmd(8). +
  • Fixed fw_cfg leak of file directory buffer in vmd(8). +
  • Ensure ospfd(8) does not leak information on memory address layout from process. +
  • Reset ar_datalen and ar_data after free(3) like everywhere else. +
  • Major rework of tmux(1) prompts. +
  • Made mount(8) support DUIDs with -u; preserve DUID when updating file system +
  • Stop kernel pmap growing to its maximum and consuming all memory on small memory machines. +
  • Untrace traced children even when they're exiting to prevent triggering a KASSERT. + +
  • Fixed broken -mfix-loongson2f-btb with Clang on loongson. +
  • Allow sparc64 Enterprise 4000 and similar with dead batteries to correctly attach clocks. +
  • Additional preparation for 52 disk partitions. +
  • Made divert-packet / divert(4) properly rdomain aware. +
  • Use midi_in() not midi_send() to generate sndiod(8) MIDI messages. +
  • Extended multicast router counter, made it MP-safe. +
  • Fixed FIFO handling to avoid overflowing sc_imess in ncr53c9x.c. +
  • Fixed kernel memory leaks in IPC_STAT and KERN_SYSVIPC_SHM_INFO. +
  • Attach aplmbox(4) early in RAMDISK kernels. +
  • Properly clear isakmpd(8) key material; clear sensitive data with freezero(). +
  • In rpki-client(8), added a backoff retry mechanism for non-functional CAs. +
  • Stopped bgpd(8) leaking peer data to bgpctl(8). + +
  • Made sndiod(8) ensure strings received from the network are 0-terminated. +
  • Cleanup write(1) and pledge(2) it on startup. +
  • Removed current directory from default pkg_add(1) search path. +
  • Made pstat(8) -d work for static kernel variables. +
  • Check for IPv6 scope truncation in getnameinfo(3). +
  • Removed IPv6 source routing from output path (deprecated by RFC 5095). +
  • For network interfaces, allocate mbufs in high memory if only 64 bit DMA interfaces exist. +
  • Stopped leaking transport in isakmpd(8) error paths of udp_encap_handle_message(). +
  • Enforce per-type ID payload size in isakmpd(8) ipsec_validate_id_information(). +
  • Avoid shift overflows in memmem(3) and strstr(3). +
  • Multiple additional bounds checks in isakmpd(8). +
  • Implemented ch_meta_locate() in bgpd(8). +
  • Mitigate CVE-2025-10263 (arm64). +
  • Properly check for DNS errors returned by ASN1_item_unpack(3) and ASN1_item_pack(3). +
  • Imported clang-scan-deps for clang(1). +
  • Made msg_copyout() check the remaining space within userland buffer to avoid overflows. +
  • Fixed EXFLAG_CRITICAL mishandling of unsupported asn1 extensions. +
  • Fixed tsort(1) heap buffer overread with embedded null bytes in input. +
  • Fixed drm(7) vmap_pfn() by using ptoa() to get the physical address. + +
  • Reverted scatterlist dma_length changes from drm(7) which caused blank screen on meteor lake. +
  • cpp(1) no longer default to -traditional. +
  • Implemented bus DMA constraints from 'dma-ranges' properties in riscv device tree. +
  • llvm-readobj now recognises OpenBSD PAC mask notes in (arm64) coredumps. +
  • Discard vfs buffers after vclean error. +
  • Added bounds check for dhcpd(8) priority_len. +
  • Added server.thru control to sndiod(8) midithru/N ports. +
  • Implemented control of midithru ports with sndioctl(1). +
  • Fixed overflow in dhcpd(8) priority_list. +
  • Switch to timingsafe_memcmp(3) in iked(8) dsa_verify_final() and ikev2_msg_decrypt(). +
  • Fixed mwx(4) panic on interface down. +
  • Made iked(8) reject all-zero curve25519 shared secrets. +
  • Limit iked(8) sa_eapmsk length. +
  • Avoid a 'Data modified on freelist' panic on boot with inteldrm(4) discrete cards (DG2). +
  • Harden mainbus(4) bus_dma_tag (no longer writable). +
  • Fixed leak of new SA on iked(8) rekey error; clear csa_rekey on error. +
  • No longer forward packets with a source ip of 0.0.0.0. +
  • Implemented support for HW crypto and wpakey in mwx(4). +
  • Enforce unique IKE spi in iked(8) rekeying. +
  • Reject empty CNAMEs in gethostbyname(3) / getaddrinfo(3). +
  • Rework non-functional CA statistics accounting in (8). + +
  • No longer deactivate the whole usb device if umsm(4) attach can't find endpoints. +
  • When setting fuse_lowlevel_new(3) file attributes, set correct signal for invalid file handle. +
  • Raised the size of amd64 kernel virtual address space from 4G to 512G. +
  • Avoid access to uninitialised data in ip(4) at boot time. +
  • Skip aliases that are not valid hostnames in gethostbyname(3). +
  • Improved error check for timegm() and mktime() in touch(1) and date(1). +
  • Removed netlock dance in cad(4) ioctl. + +
  • Avoid a NULL deref when radeon(4) wscons screen burner is enabled. +
  • Fixed incorrect path checking in ypbind(8) ypbindproc_domain_2x. + +
  • Made httpd(8) and dhcpd(8) correctly error check timegm(3). +
  • Allocate a buffer for the vi(1) line cache instead of reaching into db data. +
  • Made ksh(1) restore source after interactive error recovery before continuing to prompt. + +
  • Avoid stack exhaustion by unbounded recursion in iked(8). +
  • Fixed uvm amap lock order when disabling swap. +
  • Made snmpd(8) drop recvfd pledge; send data to peers immediately. +
  • Properly align receive buffers on vio(4). +
  • Drop incoming packets containing 16 MPLS labels with no BoS bit. + +
  • Allow xen(4) to work with bounce buffers. +
  • Allow pppoe(4) to use 'mtu 1500' without requiring MTU manipulation on parent interface. +
  • Improved mwx(4) down/up recovery; made suspend/resume work. +
  • Kernel can support ports that talk directly to /dev/fuse0 rather than libfuse for fuse(4). + +
  • Made the behaviour of the '(' command match the ')' command in vi(1). +
  • Fixed btrace(8) crash caused by incorrect refcounting in dt(4) backend. +
  • Fixed NULL dereference in isakmpd(8) message_validate_sa(). + +
  • In vi(1), fixed behaviour of ')' used in a range when sentence reaches EOF. +
  • Stop extra line being printed by ex(1) when the 'number' command is given the 'l flag. +
  • rpki-client(8) now rejects certs with duplicate extension OIDs. +
  • Prevent the dhcpleased(8) engine from sending us a negative amount of routes. +
  • Made dhcpleased(8) accept correct amount of routes from the engine process. +
  • Make sure dhcpleased(8) UDP header length field at least covers the UDP header. +
  • Let sparc64 accept ide nodes in IDE bootpaths for better interop with QEMU. +
  • Clear last_modified after each response on a persistent HTTP rpki-client(8) connection. + +
  • Corrected ssl(8) secondary key share handling for HelloRetryRequests. +
  • Improved ssl(8) TLSv1.3 server handling of no shared groups. +
  • Send illegal parameter alerts for various HelloRetryRequest violations in ssl(8). +
  • Removed SSL_OP_LEGACY_SERVER_CONNECT from default options in ssl(8). +
  • Switched relayd(8) to new imsg API. + +
  • Added experimental ssh(1) support for composite post-quantum mldsa44-ed25519 signature scheme. +
  • Provide a small SHA-1 implementation in hash(3). +
  • Fixed build without INET6 option set for ogx(4/octeon). + +
  • In vfs, properly wake vclean after failed vnode lock attempts. + +
  • Backed out sdmmc(4) arm64 hibernate fix, due to memory side effects. +
  • Fixed race condition during uipc_socket socket unsplicing. +
  • Preparation work for sdmmc(4) hibernation on arm64. +
  • Fixed LLVM crashes when using scalable TypeSizes (github issue 175868). +
  • Provide a separate executable file for syslogd(8) parent, for privilege separation. +
  • Implemented mwx(4) mwx_mac_tx_free() for MT7921. Allows MT7921 to connect to an open wifi. +
  • Fixed NULL dereference in isakmpd(8) message_alloc_reply() callers. +
  • Fixed possible unaligned 32 bit read by isakmpd(8). +
  • Validate isakmpd(8) DELETE payload SPI array size. +
  • Validate proposal and transform sizes in isakmpd(8). + +
  • Added length checks for the Port-Message and State attributes in login_radius(8) Access-Challenge. +
  • Improved channel setup in mwx_preinit(); mark channels as passive in the DFS range. + +
  • Fixed incorrect purpose check in the non-legacy x509_verify path in ssl(8). +
  • Fixed a vulnerability of integer overflow in amdgpu(4) kfd debugger. +
  • Removed the uvm buffer flipper, so the buffer cache has only one clean cache. +
  • Require lpd(8) data file path name to be in the spool dir. +
  • Ensure that buffer passed to mwx_mcu_send_firmware() does not overflow mwx(4) firmware image. +
  • Stopped incorrectly freeing a caller-owned buffer in PKCS7_verify(). +
  • Added some missing bounds checks to ssl(8) ASN1_mbstring_copy(). +
  • Avoid out-of-bounds read in ssl(8) CMS password-based decryption +
  • Avoid NULL dereference in ssl(8) password-based CMS decryption; fixes crash. +
  • Fixed intel(4) screen glitches when resuming from hibernate.
  • Fixed tmux(1) cursor calculation when the status line is at the top.
  • Added -H flag to tmux(1) capture-pane to show hyperlinks.