py-uv py-uv-build: updated to 0.11.25
0.11.25
Security
This release updates our tar library, astral-tokio-tar, to v0.6.3, which includes over 20 changes that harden our tar handling against parser differentials. uv may reject source distributions with malformed or ambiguous content that were previously accepted.
See the upstream commits for a full list of changes.
Enhancements
Add a full "lockfile" to tool receipts
Allow scoped overrides to add dependencies
Avoid writing redundant lockfile markers with tool.uv.environments
Factor supported environments out of lockfile markers
Recommend our own build backend in the build frontend
Reject wheels with multiple .dist-info directories
Simplify dependency markers under parent reachability
[17 lines not shown]
Pull up following revision(s) (requested by riastradh in ticket #2026):
sys/dev/mm.c: revision 1.26
mm(4): Only grant kva exposure if user opens /dev/kmem.
Don't apply the same to /dev/null, /dev/zero, or anything else.
PR kern/60374: opening /dev/null exposes kva
Pull up following revision(s) (requested by riastradh in ticket #1296):
sys/dev/mm.c: revision 1.26
mm(4): Only grant kva exposure if user opens /dev/kmem.
Don't apply the same to /dev/null, /dev/zero, or anything else.
PR kern/60374: opening /dev/null exposes kva
Pull up following revision(s) (requested by riastradh in ticket #352):
sys/dev/mm.c: revision 1.26
mm(4): Only grant kva exposure if user opens /dev/kmem.
Don't apply the same to /dev/null, /dev/zero, or anything else.
PR kern/60374: opening /dev/null exposes kva
Pull up following revision(s) (requested by riastradh in ticket #2025):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.57
compat32: Fix accidental use of error branch in recvmsg(2).
Avoids use-after-free / double-free.
PR kern/60373: compat32: kernel use-after-free in recvmsg
Pull up following revision(s) (requested by riastradh in ticket #1295):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.57
compat32: Fix accidental use of error branch in recvmsg(2).
Avoids use-after-free / double-free.
PR kern/60373: compat32: kernel use-after-free in recvmsg
Pull up following revision(s) (requested by riastradh in ticket #351):
sys/compat/netbsd32/netbsd32_socket.c: revision 1.57
compat32: Fix accidental use of error branch in recvmsg(2).
Avoids use-after-free / double-free.
PR kern/60373: compat32: kernel use-after-free in recvmsg
Pull up following revision(s) (requested by riastradh in ticket #2024):
sys/modules/lua/lua.c: revision 1.29
distrib/sets/lists/tests/mi: revision 1.1422
tests/kernel/t_lua.c: revision 1.1
etc/MAKEDEV.tmpl: revision 1.239
distrib/sets/lists/debug/mi: revision 1.514
tests/kernel/Makefile: revision 1.97
sys/sys/lua.h: revision 1.10
MAKEDEV: Set default perms on /dev/lua to 0600.
Otherwise unprivileged users can submit Lua code into the kernel, if
lua.kmod is loaded (which doesn't happen by default, not even
autoloaded on demand).
PR misc/60375: lua.kmod enables local privilege escalation
lua(4): Fix and test some issues.
[16 lines not shown]
Pull up following revision(s) (requested by riastradh in ticket #1294):
sys/modules/lua/lua.c: revision 1.29
distrib/sets/lists/tests/mi: revision 1.1422
tests/kernel/t_lua.c: revision 1.1
etc/MAKEDEV.tmpl: revision 1.239
distrib/sets/lists/debug/mi: revision 1.514
tests/kernel/Makefile: revision 1.97
sys/sys/lua.h: revision 1.10
MAKEDEV: Set default perms on /dev/lua to 0600.
Otherwise unprivileged users can submit Lua code into the kernel, if
lua.kmod is loaded (which doesn't happen by default, not even
autoloaded on demand).
PR misc/60375: lua.kmod enables local privilege escalation
lua(4): Fix and test some issues.
[16 lines not shown]
Pull up following revision(s) (requested by riastradh in ticket #350):
sys/modules/lua/lua.c: revision 1.29
distrib/sets/lists/tests/mi: revision 1.1422
tests/kernel/t_lua.c: revision 1.1
etc/MAKEDEV.tmpl: revision 1.239
distrib/sets/lists/debug/mi: revision 1.514
tests/kernel/Makefile: revision 1.97
sys/sys/lua.h: revision 1.10
MAKEDEV: Set default perms on /dev/lua to 0600.
Otherwise unprivileged users can submit Lua code into the kernel, if
lua.kmod is loaded (which doesn't happen by default, not even
autoloaded on demand).
PR misc/60375: lua.kmod enables local privilege escalation
lua(4): Fix and test some issues.
[16 lines not shown]
postgresql-timescaledb: updated to 2.28.1
2.28.1
This release contains performance improvements and bug fixes since the 2.28.0 release. We recommend that you upgrade at the next available opportunity.
2.28.0
Highlighted features in TimescaleDB v2.28.0
Faster first() and last() queries on compressed data. TimescaleDB derives first(value, time) and last(value, time) aggregates straight from the columnstore's batch metadata, skipping batch decompression entirely. For the "latest reading per series" lookups that time-series workloads run constantly, that means meaningfully faster recency queries with no changes to your SQL queries.
Lighter, less disruptive continuous aggregate refreshes. refresh_continuous_aggregate() can now run incrementally in batches — the same behavior refresh policies already use — enabling breaking large manual refreshes into smaller chunks (tunable via buckets_per_batch, max_batches_per_execution, and refresh_newest_first) instead of one heavy operation. Refreshes also now take a lighter lock while processing the invalidation log, so they no longer block unrelated concurrent operations on the same continuous aggregate, improving behavior for concurrent workloads.
Vectorized execution now covers CASE expressions. TimescaleDB's columnar executor can now evaluate CASE ... WHEN expressions directly on compressed data, so queries using conditional logic stay on the fast vectorized path instead of falling back to slower row-by-row decompression. This speeds up a common pattern — conditional aggregations and computed columns over compressed history — with no query changes needed.
Add new aggregations to a continuous aggregate without rebuilding it. You can now run ALTER MATERIALIZED VIEW <cagg> ADD COLUMN <name> <type> GENERATED ALWAYS AS (<aggregate>) STORED to add a new computed aggregate to an existing continuous aggregate in place — no more dropping and recreating the whole aggregate just to track one more metric. New data populates the column going forward, letting your rollups evolve alongside your application. (Existing rows start as NULL; a forced refresh backfills them when you need historical values.)
icinga2: updated to 2.16.2
2.16.2 (2026-06-29)
This release fixes some critical security vulnerabilities in Icinga 2. Users are advised to upgrade immediately, as two
of them allow an unauthenticated attacker to take over or crash the Icinga 2 process over the network. The other
security fixes only affect authenticated API users.
In addition, a new permission named `filter-expression` is introduced, which allows specifying if individual API users
are allowed to use DSL filter expressions in API queries. This allows further restricting some API users that don't need
this capability, for example, those only submitting individual check results. Due to the incompatibility of this change,
enforcement of this permission is opt-in until v2.17; see the
[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-16-2) for details.
* Verify that certificate update requests come from an authorized endpoint ([GHSA-vj39-ww8j-vvx5](https://github.com/Icinga/icinga2/security/advisories/GHSA-vj39-ww8j-vvx5))
* Fix stack overflow due to deeply nested data structures ([GHSA-wh38-wg57-5w7g](https://github.com/Icinga/icinga2/security/advisories/GHSA-wh38-wg57-5w7g))
* Prevent arbitrary config injection on object creation via the API ([GHSA-jgqj-x5j9-vgcm](https://github.com/Icinga/icinga2/security/advisories/GHSA-jgqj-x5j9-vgcm))
* Fix that `/v1/config/files` could send uninitialized memory in case of file I/O errors
* Add `filter-expression` permission to make it possible to prevent API users from using DSL filter expressions
* Windows: Update bundled OpenSSL to v3.5.7
Update to version 9.2.0747.
Changes:
- patch 9.2.0747: cscope: connection leak when growing the array fails
- patch 9.2.0746: NULL pointer dereference in gui_photon
- patch 9.2.0745: Crash with truncated spellfile
- patch 9.2.0744: popup_atcursor() closes immediately on white space
- runtime(odin): Update indent script, add indent tests
- CI: MS-Windows: Run gvim/vim tests in parallel
- patch 9.2.0743: string macros silently accept a size of the wrong type
- runtime(vim): Fix heredoc triggering misidentifcation of Vim9 script
- patch 9.2.0742: filetype: SSH keys and related filetypes not recognized
- runtime(css): add more missing CSS properties
- patch 9.2.0741: complete_check() does not return TRUE for mapped input
- patch 9.2.0740: GTK4: scrollbar wrongly displayed
- patch 9.2.0739: completion: 'autocompletedelay' blocks the main loop and drops autocommands
- runtime: guard recommended style settings consistently
- patch 9.2.0738: ml_recover() may write beyond block buffer
- CI: Bump actions/checkout in the github-actions group across 1 directory
[35 lines not shown]
resterm: Update to version 0.44.4
v0.44.4
What's Changed
Refreshed status bar icons - replaced the editor icon, which rendered as broken on some fonts.
Status hints now clear when an action is confirmed or focus changes, instead of staying as stale text.
Pull up following revision(s) (requested by nia in ticket #349):
crypto/external/bsd/openssh/dist/sshd-auth.c: revision 1.7
sshd(8): Restore rlimit sandbox from portable openssh.
This is used as an alternative to pledge sandboxing.
PR security/60367
go-transifex-cli: Import go-transifex-cli-1.6.17 as wip/go-transifex-cli
The Transifex Command-line Client (APIv3) which should replace old
devel/transifex-client.
pmap(9): Clarify obligations around pmap_update.
Note: pmap_kenter_pa does not specify for now, because there is still
some disagreement over what the rule SHOULD be, and current usage is to
use pmap_update.
Prompted by:
PR kern/60377: x86 cpu_uarea_alloc: pmap_update before freeing
redzone pages
games/Zork-III: import Zork-III-1.0
Zork III: The Dungeon Master
This is Zork, the famous text adventure game from 1977.
Through a number of subsidiaries, it is now owned by Microsoft and
they have chosen to re-release it under the MIT license.
This package is the third installment of the multi-part version,
which was released in 1982.
