ghostscript-agpl: updated to 10.07.1
Version 10.07.1 (2026-05-19)
Highlights in this release include:
The 10.07.1 release is a maintenance release:
This release addresses a number of potential security issues.
The wider adoption of "C99" and later features has reached the point where we must ease our policy on this area. The Ghostscript/GhostPDL codebase will remain "C89" plus widely supported extensions but, as of the 10.08.0 release, our included third party libraries will be permitted to use "C99" and potentially later features.
The 10.07.1 removes the non-standard operator ".tempfile", and removes the "temp" directory from the default file permission lists. By default, such access is now only available internally, not from "user level" PostScript
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
py-zipp: updated to 4.1.0
v4.1.0
Features
- Path.iterdir now raises NotADirectoryError (formerly ValueError) when call on something that's not a directory.
v4.0.0
Deprecations and Removals
- Drop workaround for stacklevel bug on older PyPy releases.
py-yarl: updated to 1.24.2
v1.24.2
Contributor-facing changes
- Switched the aarch64 and armv7l wheel builds to GitHub's native ARM
runners. The aarch64 wheels now build without QEMU emulation, and
armv7l runs on aarch64 hosts so its 32-bit ARM execution is far
cheaper than the previous aarch64-on-x86_64 path
- Restored per-runner native arches in the Windows wheel matrix on tag
releases. The previous ``CIBW_ARCHS_WINDOWS=AMD64 ARM64`` setting made
both ``windows-latest`` and ``windows-11-arm`` cross-compile the other
arch, producing two artifacts with identically-named wheels whose
bytes differed; the deploy job's ``download-artifact ... merge-multiple``
step tore those writes together, yielding a wheel that PyPI rejected
with ``400 Invalid distribution file. ZIP archive not accepted:
Mis-matched data size`` during the 1.24.0 and 1.24.1 releases
wireshark: updated to 4.6.6
4.6.6
The following vulnerabilities have been fixed:
wnpa-sec-2026-51 ROHC protocol dissector crash. Issue 21243.
The following bugs have been fixed:
Wireshark crashes when run under Visual Studio on Windows. Work item 24787.
Welcome page slide preferences are now available in the preferences window.
vwr: Read of uninitialized memory in pntoh16. Issue 16460.
vwr: Read of uninitialized memory in find_signature. Issue 16461.
Upgrades on Windows do not retain existing optional features unless explicitly requested, resulting in accidental removal of features. Issue 18925.
Wireshark.exe version 4.6.5 is twice as large as version 4.6.4. Issue 21233.
MACsec dissector global-buffer-overflow. Issue 21235.
Wireshark 4.6.5 does not run on Windows 10 version 1809 (including Server 2019 and some LTSC versions) Issue 21237.
Fuzz job issue: fuzz-2026-05-02-14184750352.pcap. Issue 21240.
[2 lines not shown]
memcached: updated to 1.6.42
1.6.42
This is a major security focused release. Nearly all of the fixes are security
related for issues that can cause memory corruption, crashes, and so on.
Fixes
vendor: Instructively warn if vendor blob missing
proxy: fix write length in extstore miss
Fix timing side-channel in SASL password database authentication
proto: fix signed overflow in bodylen for binprot
proxy: fix underflow with 0 length values
auth: fix data race during reload
auth: fix crash when given huge token
proto: fix crash in binary protocol
core: fix crashes from slabs reassign
proxy: check result of buffer parse in match_res
[2 lines not shown]
py-sphinx-gallery: updated to 0.21.0
v0.21.0
Support for Sphinx 5 dropped in this release. Requirement is now Sphinx >= 6.
Implemented enhancements:
- Add support for dynamic filtering by tag
Fixed bugs:
- Fix subsection header sanitization when ``nested_sections=False``
- Fix ``generate_gallery_rst`` when ``nested_sections=False`` user provides own ``index.rst``
Documentation
- DOC Add v0.20.0 to CHANGES.rst
- DOC Note sphinx bump in changes
[3 lines not shown]
mdbook: updated to 0.5.3
mdBook 0.5.3
Changed
- Improve spacing in sidebar section headings.
- Updated cargo dependencies.
Fixed
- The "current" page highlighting in the sidebar now handles servers that redirect and strip the `.html` extension.
- Remove `?highlight=` from URL when highlights are dismissed via clicking.
- Fix global keypresses triggering when other elements are in focus.
- Fix download URL format for mdBook in CI guide.
- Improve error message for invalid Font Awesome icons.
- Fix nested admonitions that use wrong header colors.
(devel/R-lazyeval) Updated 0.2.2 to 0.2.3
# lazyeval 0.2.3 (Time stamp of NEWS.md is 2026/04/03)
* Fixes for CRAN checks. The new implementation is now compliant with
the public C API of R and might differ from the historical one in
subtle ways.
PR bin/60275 discard some arriving signals
The PR is only peripherally relevant to this, but it is all much
the same problem, over a fork() trapped signals are maintained,
and sh does not really want that.
In this case, when there is a vfork() a signal arriving for a
child (whether or not it should arrive and be processed) can be
treated as if it arrived for the parent, and cause a trap action
to be executed by the parent. (Never observed to have happened,
as best I am aware, but certainly looks as if it could.)
Avoid that, by making sure that the child process never records
a signal as having occurred, when it is being a vfork child
(while the parent is sharing memory with it).
Doing this meant making one variable that was previously local
to eval.c globally visible (exposing it in eval.h), and then
because the same name is used as a parameter in many other
[17 lines not shown]
membar_ops(3): Clarify language about membar_datadep_consumer.
I must have deleted a sentence about the temptation to pair it with
membar_producer in some earlier revision; let's write a new such
sentence.
(converters/R-base64enc) Updated 0.1.3 to 0.1.6, make test not passed yet
0.1-6 2026-02-02
o updated URL in dataURI documentation
0.1-5 2026-02-01
o remove SETLENGTH in R 4.5.0+ to be API-compliant
o add strict decoding mode, enabled with strict=TRUE (#5)
0.1-4 2022-03-16
o add support for long vectors. Note that R does not
support strings longer than 2^31-1 bytes, so when
encoding long vectors a line limit has to be specified.
o add compatibility for R versions without XLENGTH()
[3 lines not shown]
devel/bacon: update to 3.23.0
- scroll_anchor decides whether the scroll initially sticks with the first item (most common setting),
with the last one, or to show most recent output lines unless there are errors in which case it show
first items (by default in run jobs with auto) - Fix #384
If you're using an old bacon.toml file, you may want to add scroll_anchor="auto" to jobs running
the compiled executable.
- show_command_error_code job parameter, which is true in default cargo run job - Fix #435
When calling a lint or compilation tool, the exit status is usually not interesting: many tools report
an error (i.e. a non zero code) as soon as there's an error, or even a warning (eg miri).
That's why the error code isn't shown in bacon when there are also warnings, errors or test failures.
But sometimes you do want to see such error, eg when running not just the compiler/linter but the program
you're writing as in bacon run. In such case, you should set show_command_error_code=true.
- fix a log message from the rodio library leaking to the interface - Fix #437 - Thanks @c-git
When a user requires the ignoring of some/folder, they usually wants to ignore the content of that folder.
So now we also generate a pattern with added /** when it seems relevant. - Fix #438
crypto(4): Nix spurious mutex_exit; add missing bounds checks.
Consistently use `foo = kmem_alloc(n * sizeof(*foo), ...)' instead of
`sizeof(struct whatever_foo_is)'. Makes it easier for a reader to
notice a discrepancy this way.
Move CRYPTODEV_OPS_MAX to cryptodev_internal.h so it can be used by
the compat ocryptodev.c shims too. I think this is waaaaaaaaaaaaay
too high, by the way. For example, it looks like qat(4) puts a limit
of 16384 on the number of sessions. Other devices like hifn(4) look
like they're limited to numbers of sessions ranging from 2 to around
256.
PR kern/60281: crypto(4): bugs in reference counting and test
