libfm-qt: update to 2.3.1
libfm-qt-2.3.1 / 2025-11-27
============================
* Reverted the workaround for moving directory over directory.
* Removed redundant `hints` tags in ui files.
lxqt-panel: update to 2.3.1
pkgsrc-specific change: added path correction to a file missed in the
previous update to 2.3.0.
lxqt-panel-2.3.1 / 2025-11-25
==============================
* Fixed build failure with Qt < 6.8.
* Translation updates
I am giving up attempting to bend the kernel build machinery to my will
so that assym.h can be safely included by libkern assembly sources. So,
instead, redundantly define __HAVE_M68K_BROKEN_RMC in multiple places so
that all the things that need to key off of it can.
python314 py314-html-docs: updated to 3.14.1
Python 3.14.1
Windows
gh-139810: Installing with py install 3[.x]-dev will now select final versions as well as prereleases.
Tools/Demos
gh-141692: Each slice of an iOS XCframework now contains a lib folder that contains a symlink to the libpython dylib. This allows binary modules to be compiled for iOS using dynamic libreary linking, rather than Framework linking.
gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
gh-140702: The iOS testbed app will now expose the GITHUB_ACTIONS environment variable to iOS apps being tested.
gh-137484: Have Tools/wasm/wasi put the build Python into a directory named after the build triple instead of “build”.
gh-137248: Add a --logdir option to Tools/wasm/wasi for specifying where to write log files.
gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in /opt when it was directly extracted from a release tarball.
Tests
gh-140482: Preserve and restore the state of stty echo as part of the test environment.
gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
[336 lines not shown]
python313 py313-html-docs: updated to 3.13.10
Python 3.13.10
Tools/Demos
gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
Tests
gh-140482: Preserve and restore the state of stty echo as part of the test environment.
gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception
Security
gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file.
gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
gh-136065: Fix quadratic complexity in os.path.expandvars().
gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
Library
[88 lines not shown]
py-django: updated to 4.2.27
Django 4.2.27 fixes one security issue with severity “high”, one security issue with severity “moderate”, and one bug in 4.2.26.
CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
Bugfixes
Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters.
py-django: updated to 5.2.9
Django 5.2.9 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.2.8.
CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
Bugfixes
Fixed a bug in Django 5.2 where django.utils.feedgenerator.Stylesheet.__str__() did not escape the url, mimetype, and media attributes, potentially leading to invalid XML markup.
Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply a field’s custom query placeholders.
Fixed a regression in Django 5.2.2 that caused a crash when using aggregate functions with an empty Q filter over a queryset with annotations.
[4 lines not shown]
go: update to 1.24.11 and 1.25.5 (security)
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for
host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no
limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string
concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in
excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes
strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
[13 lines not shown]
