OpenBSD/src KI851va sys/net if_bridge.c

   Skip SPD lookups for short packets on IPsec-enabled bridge

   When short packets are sent to the bridge with IPsec enabled,
   an incorrect error path can be taken which leads to a lookup
   of an SPD entry using an uninitialized SPI. Most of the time
   this will fail, however there's a chance that an existing SPD
   entry corresponds to the provided SPI which leads to use of
   another uninitialized variable used to offset the IP or IPv6
   header in order to get to the security protocol header.

   ESP performs packet length checks and will fail when such
   packets will reach it, but AH and IPComp don't have similar
   checks and are affected the most.

   CID 1452946, 1452957; Severity: Major

   OK millert, visa, bluhm
Version  Delta    File
1.298    +3 -3    sys/net/if_bridge.c
         +3 -3    1 files

OpenBSD/ports dg2wmve devel/meson meson.port.mk Makefile, devel/meson/pkg PLIST

   Update to meson-0.42.0.

OpenBSD/ports H3GSdLj net/mldonkey Makefile distinfo, net/mldonkey/patches patch-config_configure patch-src_utils_lib_stubs_c_c

   Update to mldonkey-3.1.6

OpenBSD/ports neEyajo devel/harfbuzz Makefile distinfo

   Update to harfbuzz-1.4.8.
Version  Delta    File
1.68     +5 -7    devel/harfbuzz/Makefile
1.53     +2 -2    devel/harfbuzz/distinfo
         +7 -9    2 files

OpenBSD/ports HYH9anM devel/appstream-glib Makefile distinfo, devel/appstream-glib/patches patch-libappstream-glib_meson_build

   Update to appstream-glib-0.7.1.

OpenBSD/ports pIJdLmO x11/gnome/tracker Makefile distinfo

   Update to meta-tracker-1.12.2.

OpenBSD/ports xVVykNi devel/libsoup Makefile, devel/libsoup/patches patch-libsoup_soup-filter-input-stream_c patch-libsoup_soup-filter-input-stream_c

   Merge a patch from upstream for CVE-2017-2885:
   Fixed a chunked decoding buffer overrun that could be exploited against
   either clients or servers.

OpenBSD/ports iJ3jZ85 devel/libsoup distinfo Makefile

   SECURITY update to libsoup-2.58.2.
   CVE-2017-2885: Fixed a chunked decoding buffer overrun that could be exploited
   against either clients or servers.
Version  Delta    File
1.64     +2 -2    devel/libsoup/distinfo
1.107    +2 -2    devel/libsoup/Makefile
         +4 -4    2 files

OpenBSD/ports 6V29n0i x11/gnome/online-miners Makefile distinfo

   Update to gnome-online-miners-3.24.0.

OpenBSD/ports N73NLEF mail/evolution-ews Makefile distinfo

   Update to evolution-ews-3.24.5.

OpenBSD/ports XL5G5Lc mail/evolution Makefile distinfo

   Update to evolution-3.24.5.
Version  Delta    File
1.282    +3 -3    mail/evolution/Makefile
1.100    +2 -2    mail/evolution/distinfo
         +5 -5    2 files

OpenBSD/ports 9ISC22A databases/evolution-data-server Makefile distinfo

   Update to evolution-data-server-3.24.5.

OpenBSD/ports 6UhhrYh x11/gnome/nautilus-sendto Makefile distinfo

   Update to nautilus-sendto-3.8.6.

OpenBSD/ports wgrKJWX x11/gnome gnome.port.mk

   Only link appstream-util to true(1) if we don't explicitly BDEP on
   devel/appstream-glib.
Version  Delta    File
1.107    +5 -2    x11/gnome/gnome.port.mk
         +5 -2    1 files

OpenBSD/ports rWdc0Xq print/cups Makefile, print/cups/pkg README-main

   Make it obvious that CUPS lp commands are not compatible with base system
   ones, so use the full path when needed.

   prodded by a mail from Anthony Campbell
Version  Delta    File
1.18     +7 -1    print/cups/pkg/README-main
1.225    +2 -2    print/cups/Makefile
         +9 -3    2 files

OpenBSD/src iXSWXJ2 usr.bin/tmux tmux.1 alerts.c

   Add monitor-bell window option to match the activity and silence
   options, from Brad Town.

OpenBSD/ports M8CxUhe textproc/gtk-doc Makefile

   Forgot to remove that line; just committed, so no bump.
Version  Delta    File
1.51     +1 -2    textproc/gtk-doc/Makefile
         +1 -2    1 files

OpenBSD/ports D0w8TzU textproc/gtk-doc Makefile distinfo, textproc/gtk-doc/pkg PLIST

   Update to gtk-doc-1.26.

OpenBSD/ports 13Wt1l0 databases/hs-hedis Makefile distinfo

   Update to hedis-0.9.9

OpenBSD/src Xr3xnWS usr.sbin/syspatch syspatch.sh

   Honor TMPDIR if it is set to prevent erroring in some setup.

   reported by Igor Falcomata
Version  Delta    File
1.121    +2 -2    usr.sbin/syspatch/syspatch.sh
         +2 -2    1 files

OpenBSD/src Hyzy3kY usr.sbin/sysmerge sysmerge.sh

   We're a shell script, so honor TMPDIR.
   While here, use consistent variable substitution.
Version  Delta    File
1.231    +5 -5    usr.sbin/sysmerge/sysmerge.sh
         +5 -5    1 files

OpenBSD/src s76iypz sys/kern subr_hibernate.c

   print why the signature block check of an unhibernate attempt failed, to
   let people know what changed.

   ok kettenis, phessler
Version  Delta    File
1.123    +5 -5    sys/kern/subr_hibernate.c
         +5 -5    1 files

OpenBSD/ports pSBEqkh x11/gnome/grilo-plugins Makefile

   Regen WANTLIB.
Version  Delta    File
1.66     +4 -3    x11/gnome/grilo-plugins/Makefile
         +4 -3    1 files

OpenBSD/ports 8b5Q8L4 x11/gnome/libmediaart Makefile distinfo, x11/gnome/libmediaart/pkg PLIST

   Update to libmediaart-1.9.4.

OpenBSD/src Mvash3p sys/net80211 ieee80211_pae_input.c ieee80211_node.h

   Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
   group keys are being reused. OpenBSD wireless clients will now leave a
   trail of such events in their message log.

   There has been increased public scrutiny of WPA's security recently, so
   I am curious to see if anyone is attempting replay attacks in the wild.

   ok deraadt

OpenBSD/ports 7HaEYPB mail/cyrus-imapd Makefile

   Cyrus switched to an odd-even release cycle, set PORTROACH marker
   accordingly.
Version  Delta    File
1.108    +3 -1    mail/cyrus-imapd/Makefile
         +3 -1    1 files

OpenBSD/src zTVZFS9 distrib/alpha/bsd.rd Makefile, distrib/alpha/common Makefile.inc

   add two more strips

OpenBSD/src zi9UXMv sys/dev/acpi acpi.c dwiic.c

   Make dwiic(4) attach its ACPI parent dependencies.
   This change makes the Asus E200HA keyboard work.

   Original analysis and patch by Cesare Gargano
   ok kettenis@

OpenBSD/src 9G8QnNt bin/expr expr.1

   Explicitly say that expr(1) handles decimal integers only, as mandated
   by POSIX and as implemented in our utility; triggered by a question from
   Alessandro DE LAURENZIS <just22 at atlantide dot t28 dot net> on misc@.
   OK millert@
Version  Delta    File
1.24     +8 -7    bin/expr/expr.1
         +8 -7    1 files

OpenBSD/src d1zBULL libexec/ld.so/i386 ldasm.S

   remove accidentally duplicated cpp chunks
   ok kettenis
Version  Delta    File
1.31     +10 -32  libexec/ld.so/i386/ldasm.S
         +10 -32  1 files

OpenBSD/ports rgE9Xq2 sysutils/tarsnapper Makefile

   update maintainer's email address per his request
Version  Delta    File
1.2      +3 -2    sysutils/tarsnapper/Makefile
         +3 -2    1 files

OpenBSD/src zV3Y723 regress/sys/kern/noexec testfly.S

   ENTRY() requires END()
Version  Delta    File
1.4      +4 -1    regress/sys/kern/noexec/testfly.S
         +4 -1    1 files

OpenBSD/src 77fSrz1 libexec/ld.so strtol.c

   Adapt the commit in libc that changes how a string like "0xy" is
   parsed.  OK deraadt@
Version  Delta    File
1.3      +4 -3    libexec/ld.so/strtol.c
         +4 -3    1 files

OpenBSD/ports yXNNeHL www/chromium distinfo Makefile

   update to 60.0.3112.101
Version  Delta    File
1.163    +2 -2    www/chromium/distinfo
1.336    +2 -2    www/chromium/Makefile
         +4 -4    2 files

OpenBSD/src EyI8csX sys/arch/amd64/amd64 vm_machdep.c, sys/arch/i386/i386 vm_machdep.c

   Randomly bias downwards from the top of each kernel stack, thereby
   introducing more entropy into stack locations.
   TODO: consider if we should fill that space with something specific?
   discussed with mlarkin, mortimer, guenther, kettenis, etc etc etc

OpenBSD/src S8goLiy etc/etc.loongson login.conf, etc/etc.octeon login.conf

   crank memory limits

OpenBSD/src ND65mK7 sys/kern kern_bufq.c

   Correct the check when selecting an elevator

   Coverity CID 1453358; Severity: unlikely, not user-visible

   ok millert, visa
Version  Delta    File
1.32     +2 -2    sys/kern/kern_bufq.c
         +2 -2    1 files

OpenBSD/ports rduDA3E devel/gtest Makefile

   Fix GOT overflow on mips64.

   OK jasper@
Version  Delta    File
1.18     +5 -1    devel/gtest/Makefile
         +5 -1    1 files

OpenBSD/ports bUP88jI sysutils/virt-manager Makefile distinfo, sysutils/virt-manager/patches patch-setup_py patch-virtinst_capabilities_py

   update to virt-manager-1.4.2

OpenBSD/ports xJZz29n net/py-netaddr Makefile distinfo, net/py-netaddr/patches patch-setup_py

   update to py-netaddr-0.7.19

   ok abieber@ (MAINTAINER)

OpenBSD/ports OBMhMlB graphics/shotwell Makefile distinfo, graphics/shotwell/pkg PLIST

   update to shotwell-0.26.3

OpenBSD/ports N3WH1hD graphics/potrace distinfo Makefile

   update to potrace-1.15

OpenBSD/ports HpAVaT7 devel/spice-protocol Makefile distinfo

   update to spice-protocol-0.12.13

OpenBSD/ports kgPPM48 devel/apache-ant Makefile distinfo, devel/apache-ant/pkg PLIST

   update to apache-ant-1.10.1

OpenBSD/src klwxgKY distrib/sparc64/ramdisk Makefile, distrib/sparc64/ramdiskB Makefile

   additional strip -R .SUNW_ctf needed

OpenBSD/ports sxlhCSa security/opensc Makefile, security/opensc/files libopensc.pc

   Update to OpenSC-0.17.0

OpenBSD/src THVFahs sys/net pf_table.c

   Validate pfra_type after copyin before using it to index an array

   Don't trust the value of pfra_type blindly since it's coming from
   userland and sanitize it in pfr_validate_addr that is called after
   every copyin and also perform the check in pfr_create_kentry before
   we attempt to use the value not after.

   Coverity CID 1452909, 1453097, 1453384; Severity: Minor
   It can be triggered only by root by default or anyone with write
   access to /dev/pf if such access is provided.

   ok visa, bcook, sashan, jsg
Version  Delta    File
1.127    +6 -4    sys/net/pf_table.c
         +6 -4    1 files

OpenBSD/src ZPduM5b regress/lib/libc/locale/uselocale uselocale.c

   test locale priorities and overrides

OpenBSD/ports Em2rC0Y databases/postgresql Makefile distinfo, databases/postgresql/pkg PLIST-docs

   Security update to 9.6.4

   ok pirofti@

OpenBSD/ports OG1sUaJ databases/postgresql distinfo Makefile, databases/postgresql/pkg PLIST-docs PLIST-server

   Security update to 9.5.8

   ok pirofti@