Build date: 1764284403 - Thu Nov 27 23:00:03 UTC 2025
Build cvs date: 1764280468 - Thu Nov 27 21:54:28 UTC 2025
Build id: 2025-11-28.1
Build tags: amd64-regress ports sysupgrade

Applied the following diff(s):
/home/anton/tmp/robsd/src-sys-em.diff
/home/anton/tmp/robsd/src-sys-uhidev-sispm.diff
/home/anton/tmp/robsd/src-sysupgrade.diff

P regress/sys/arch/amd64/seves_mmio/seves_mmio.c
P sys/arch/riscv64/riscv64/machdep.c
M sys/dev/usb/uhidev.c
P sys/net/if_mpe.c
P sys/net/if_mpip.c
P sys/net/if_mpw.c
P sys/netinet6/nd6.c
P sys/netmpls/mpls_input.c
P usr.bin/login/login.c
P usr.bin/make/Makefile
P usr.bin/make/generate.c
P usr.bin/make/make.1
P usr.bin/make/var.c
P usr.bin/make/var_int.h
P usr.bin/openssl/asn1pars.c
P usr.bin/openssl/ca.c
P usr.bin/openssl/cms.c
P usr.bin/openssl/pkcs12.c
P usr.bin/ssh/clientloop.c
P usr.bin/ssh/packet.c
P usr.bin/ssh/packet.h
P usr.bin/ssh/ssh.1
M usr.sbin/bgpd/session.c
P usr.sbin/httpd/httpd.h
P usr.sbin/snmpd/application.c
P usr.sbin/snmpd/application.h
P usr.sbin/snmpd/application_agentx.c
P usr.sbin/snmpd/application_internal.c
P usr.sbin/snmpd/smi.c
P usr.sbin/snmpd/smi.h
P usr.sbin/snmpd/snmpd.c
P usr.sbin/snmpd/snmpd.h
P usr.sbin/snmpd/trap.c
P usr.sbin/unbound/iterator/iter_scrub.c
P usr.sbin/vmd/loadfile_elf.c

commit 4esIFXQfk4ZT8uaL
Author: bluhm
Date: 2025/11/27 21:54:28

Ignore any iterator when traversing nd6 list.

nd6_rtrequest() could crash with a NULL pointer dereference if an iterator in nd6_list was inspected. Skip freeing neighbor discovery entries and optimization in this unlikely case and try again later.

reported by Mischa and Anton Kasimov; OK mvs@

sys/netinet6/nd6.c

commit NgnFcyUmRpBcpkhb
Author: kettenis
Date: 2025/11/27 19:15:51

If there is no /memory node in the device tree, use the EFI memory map to determine physmem.

ok jca@

sys/arch/riscv64/riscv64/machdep.c

commit c6nPYARRZ4yppDlw
Author: jca
Date: 2025/11/27 17:27:22

Use LOGIN_SETXDGENV in login(1)

Makes XDG_RUNTIME_DIR usable from text consoles.

"makes sense to me" landry@, ok matthieu@ robert@

usr.bin/login/login.c

commit BgnK91wsAs9KhID8
Author: rsadowski
Date: 2025/11/27 15:22:45

Add missing GZIP_STATIC flag to SRVFLAG_BITS macro

GZIP_STATIC flag at position \\33 was missing from the debug string. Also correct the truncated PATH_REWRITE/NO_PATH_REWRITE flag names.

The PATH_REWRITE and NO_PATH_REWRITE flag names were truncated to PATH and NO_PATH in the SRVFLAG_BITS string definition.

OK kirill@ deraadt@

usr.sbin/httpd/httpd.h

commit OZSn6EFJURoBxQAU
Author: sthen
Date: 2025/11/27 14:50:38

Fix incomplete mitigation of CVE-2025-11411 by applying the non-test part of https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff

This extends the previous fix by also scrubbing unsolicited NS RRSets (and their respective address records) for YXDOMAIN and nodata non-referral answers.

usr.sbin/unbound/iterator/iter_scrub.c

commit pRkez35PReelZo3W
Author: hshoexer
Date: 2025/11/27 11:55:08

Add license and rcs header.

ok tb

regress/sys/arch/amd64/seves_mmio/seves_mmio.c

commit iia41eO1x9zAM3RM
Author: hshoexer
Date: 2025/11/27 11:11:27

vmd(8): Use 32-bit direct kernel launch for both amd64 and i386

When booted by /boot (or EFI boot loaders) both amd64 and i386 kernel start in a 32-bit mode.

When launching kernel directly (vmctl start -b ) vmd(8) configures a flat 64-bit register set as default register set. The GDT provides a 32-bit flat code segment.

For the i386 kernel the default register set is reconfigured to 32-bit legacy mode; paging is enabled and uses 4 Mb pages. This is different to i386 being booted by /boot. /boot launches the i386 kernel with paging disabled.

The amd64 kernel uses the default register set, i.e. long mode is enabled in EFER. However, it uses the 32-bit code segment of the GDT. Thus the kernel is effectively running in 32-bit compatibility mode.

This has implications when using SEV-ES as #VC traps are delivered by 64-bit rules.
Booting an amd64 kernel on Linux/KVM the kernel is actually running in 32-bit legacy mode, thus #VC traps are delivered by 32-bit rules. Therefore, we have two #VC trap handlers for locore0, a 32-bit and a 64-bit one.

To simplify this, start both i386 and amd64 in 32-bit legacy mode with paging disabled. All in all with this diff the run time configuration is similar to what /boot provides for both amd64 and i386.

In a later diff #VC trap handling in locore0 can be simplified.

ok mlarkin

usr.sbin/vmd/loadfile_elf.c

commit xQvkCExRwPxr5ZbF
Author: martijn
Date: 2025/11/27 10:17:19

Implement appl_sysuptime() in favour of smi_getticks().

appl_sysuptime() uses CLOCK_MONOTONIC instead of gettimeofday(), works on a per context basis as per RFC2741, and puts it in a sane namespace.

Makes sense to tb@
OK jmatthew@

usr.sbin/snmpd/application.c
usr.sbin/snmpd/application.h
usr.sbin/snmpd/application_agentx.c
usr.sbin/snmpd/application_internal.c
usr.sbin/snmpd/smi.c
usr.sbin/snmpd/smi.h
usr.sbin/snmpd/snmpd.c
usr.sbin/snmpd/snmpd.h
usr.sbin/snmpd/trap.c

commit F26gqec1oGLtitPp
Author: tb
Date: 2025/11/27 09:08:49

tweak make "magic variables" handling

The idea is that it's shorter to special-case ${@D} and the likes (two characters variables ending in D or F) instead of having a weird idx encoding.

Cons:
- this yields an extra "ext" parameter to classify_var

Pros:
- the weird index encoding vanishes
- no need for special treatment if we add more similar variables.
- drastically reduces the size of the switch (and the modulo shrinks from 82 to 36)
- code will recognize constructs like ${?D} and ${?F}, which puts us in line with FreeBSD and NetBSD bmake, and also with gnu make.

from espie

usr.bin/make/Makefile
usr.bin/make/generate.c
usr.bin/make/make.1
usr.bin/make/var.c
usr.bin/make/var_int.h

commit DiERFrZFjH6TgXe7
Author: tb
Date: 2025/11/27 08:27:31

openssl cms: switch to ASN1_STRING_get0_data()

The deprecated ASN1_STRING_data() will be removed in a future release.
This is one small step towards that.

ok kenjiro

usr.bin/openssl/cms.c

commit g9UuA1jRYz17xoPS
Author: tb
Date: 2025/11/27 08:26:32

openssl pkcs12: stop reaching into ASN1_STRING

Buy a t: rename hex_prin() to hex_print() and accept an ASN1_STRING so that we only need to use accessors once. Also avoid a printf %s NULL.

ok kenjiro

usr.bin/openssl/pkcs12.c

commit MvsJhGcRJOVoJVLh
Author: tb
Date: 2025/11/27 08:24:30

openssl ca: mechanical change to stop reaching into ASN1_STRING

ok kenjiro

usr.bin/openssl/ca.c

commit 62ZrDdZ7Sp8xoWqH
Author: tb
Date: 2025/11/27 08:22:32

openssl asn1pars: don't reach into ASN1_STRING

ok kenjiro

usr.bin/openssl/asn1pars.c

commit qqCnah70Dx45IpdZ
Author: dlg
Date: 2025/11/27 03:06:59

refactor some mpls input processing for mpe/mpw/mpip.

mpw, mpip, and mpe all add entries to the local mpls fib that points to themselves, and when these labels are "output" via these interfaces they then go and push the packets into their input processing. this is all boilerplate, so it can be factored out and better integrated into the larger network stack. in particular, we can pass struct netstack through to the input handlers.

there's some small downsides to this. the main one is that using if_vinput to dispatch to their input handlers means the vinput handling has to cope with mpls encapsulated packets. this is easy except for mpw, where ether_ifattach does a lot of setup that has to be tweaked for mpls encapsulated ethernet packets.

while here, this changes mpe output so it doesn't have to prepend the mbuf with the sockaddr it uses as the nexthop on the underlay. it only had to do that to carry the information across the ifq. if we just don't use ifq for output then this gets simplified a lot. the only downside is that you can't use altq on mpe interfaces after this. i don't think this is a huge loss.
ok claudio@

sys/net/if_mpe.c
sys/net/if_mpip.c
sys/net/if_mpw.c
sys/netmpls/mpls_input.c

commit zyzGGZj3TvYUSHvn
Author: dtucker
Date: 2025/11/27 02:18:48

Add Escape option ~I that shows information about the current SSH connection.

ok djm@, "I like/want" sthen@ florian@

usr.bin/ssh/clientloop.c
usr.bin/ssh/packet.c
usr.bin/ssh/packet.h
usr.bin/ssh/ssh.1