security/vuxml: Add www/grafana vulnerabilities
- XSS in Grafana Explore stack trace (CVE-2025-41117)
- Public Dashboards time range restriction on annotations can be bypassed (CVE-2026-21722)
- RCE on Grafana via sqlExpressions (CVE-2026-27876)
- Public dashboards discloses all direct mode datasources (CVE-2026-27877)
- Query resampling can cause unbounded memory allocations (CVE-2026-27879)
- OpenFeature evaluation API reads input data with no bounds (CVE-2026-27880)
- Grafana Testdata datasource can issue unbounded memory allocations (CVE-2026-28375)
- Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS (CVE-2026-33375)
PR: 294105
Reported by: Boris Korzun <drtr0jan at yandex.ru>
security/vuxml: Add PORTEPOCH validation
This adds a check if portepoch has been forgotten
in affected version range specifications, which leads
to pkg audit not reporting a vulnerability.
Usage:
make check-portepoch
This is also invoked when running `make validate`.
Approved by: fernape (ports-secteam)
Differential Revision: https://reviews.freebsd.org/D57193
www/py-django42: Extend EXPIRATION_DATE after 74ee429290da
* Updating www/seahub and, above all, net-mgmt/seafile-server is more
difficult than originally anticipated. Since the current version of
www/seahub still relies on Django 4.2, extend the EXPIRATION_DATE by
three months.
PR: 291707
With hat: python
net-mgmt/seafile-server,www/seahub: Deprecate
Updating www/seahub, and especially net-mgmt/seafile-server, is more
difficult than originally anticipated. The current version of www/seahub
also only runs with Django 4.2, which has been end-of-life since April.
Before www/seahub and net-mgmt/seafile-server are marked as BROKEN after
the migration of the affected ports to Django 5.2 [1], and then vanish
from the ports tree at the end of 2026Q2 - which would also break POLA
due the short time period - do the following to buy some time for a
possible update:
* Create required py-dj42-* ports and switch www/seahub to them. These
py-dj42-* ports were copied from their original counterparts, are
bound to Django 4.2, and have also been adapted for the PEP517 build
framework to make them future-proof. Also adjust related entries in
MOVED.
* Add CONFLICTS_INSTALL entries to the original counterparts as well
[11 lines not shown]
deskutils/mate-notification-daemon: switch to GitHub source
Switch from MATE mirror to GitHub tarball using USE_GITHUB and
GH_ACCOUNT=mate-desktop, add autoreconf, remove tar:xz, and bump
PORTREVISION.
deskutils/mate-indicator-applet: switch to GitHub source
Switch from MATE mirror to GitHub tarball using USE_GITHUB and
GH_ACCOUNT=mate-desktop, add autoreconf, remove tar:xz, and bump
PORTREVISION.
snd_hda: Reassign duplicate HDMI/DP pin sequences instead of disabling
Some firmware (e.g. Apple EFI on Sandy Bridge Mac hardware) programs all
HDMI/DP output pins in an association with identical sequence numbers.
The existing code disables the entire association on the first
duplicate, leaving HDMI/DP audio non-functional.
For digital output pins (HDMI/DP) with seq=0 duplicates, search for the
next free sequence slot and reassign the duplicate rather than
disabling.
The seq=0 restriction targets the known Apple firmware pattern; any
other duplicate sequence is more likely a genuine firmware error and the
association is still disabled.
Update first after reassignment so that hpredir is not left pointing at
a stale sequence. Non-digital and input associations retain the existing
disable behaviour.
[6 lines not shown]
devel/librashader: Update 0.10.1 => 0.11.0
Port changes:
* Improve readability by putting USE_GITHUB and its related variables
into its own block. Also put the CARGO_FEATURES on separate lines.
* Remove "stable" from CARGO_FEATURES. This has become the default
upstream and is a no-op to ensure backwards-compatibility.
* Remove obsolete patch for big-endian architectures. This fix is
included in the updated spirv-cross2 crate.
Changelog:
https://github.com/SnowflakePowered/librashader/releases/tag/librashader-v0.11.0
PR: 295606
Reported by: Stefan Schlosser <bsdcode at disroot.org> (maintainer)
Approved by: osa, vvd (Mentors, implicit)
snmp_pf: fix refresh
Some refresh functions had two layers of 'do we need to refresh now?'
checks, leading to inconsistent refreshes.
Consolidate them.
PR: 291725
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit a862e4b5a27c356e2584ee74fd9e211c18b1b125)
snmp_pf: fix refresh
Some refresh functions had two layers of 'do we need to refresh now?'
checks, leading to inconsistent refreshes.
Consolidate them.
PR: 291725
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit a862e4b5a27c356e2584ee74fd9e211c18b1b125)
graphics/ImageMagick7: update to 7.1.2-23
Tested with `make test` on FreeBSD/amd64 as well as a few dependendent ports.
PR: ports/295599
Approved by: maintainer (arrowd)
