Mastodawn

New disclosure: CL.TE HTTP request smuggling in OpenBSD relayd.
Latent in relay_http.c since 2012 (OpenBSD 5.2). The body was parsed as chunked but a co-present Content-Length header wasn't stripped before forwarding to backend, contrary to RFC 9112 §6.1.
Found by a targeted source-review pass against the RFC framing rules. Fixed in -current 2026-06-03 in a single commit.
https://stuart-thomas.com/research/relayd-cl-te-smuggling/
#infosec #OpenBSD #vulndisclosure

RELAYD-001 — OpenBSD relayd: CL.TE HTTP Request Smuggling

relayd parses the body as chunked but does not remove a co-present Content-Length header before passing the message to the backend, contrary to RFC 9112 §6.1. CL.TE request smuggling. Latent since 5.2; fixed 2026-06-03.

Ethical Hacker May 26

New methodology paper: The Calculator Discipline.

A four-class taxonomy of AI-assisted disclosure hallucinations, a pre-send filter that catches the mechanical ones, and two real withdrawals from my own OpenBSD work — including the one Theo de Raadt asked the right question about.

Honest case studies from the sender's end of a problem the field has only described from the receiving end.

DOI: 10.5281/zenodo.20393083
Read: https://stuart-thomas.com/research/calculator-discipline/

#infosec #OpenBSD #vulndisclosure #methodology

The Calculator Discipline — AI-Assisted Disclosure Hallucinations

A four-class taxonomy, a pre-send filter, and two real withdrawals from the author's own OpenBSD work.

Research	https://stuart-thomas.com
Research	https://triageforge.co.uk