dropbear: updated to 2026.91
2026.91 - 10 May 2026
- scp: Fix test for disallowing -r with existing target directory. The logic
introduced in 2026.90 was incorrect, could also disallow non-recursive
transfers.
- scp: Fix regression in 2026.90 building on older glibc or other libc.
reallocarray() was required, it is no longer needed.
- Compression is now disabled by default for dbclient. A new -o compression option
can enable it. DROPBEAR_CLI_COMPRESSION in localoptions.h can change the default.
Enabling compression can be a security weakness in some
circumstances, as the size of network traffic may leak information
about the encrypted data.
- Added '-Q' argument for dbclient and dropbear to query supported algorithms,
kex sig cipher mac compress
pcsc-lite: updated to 2.5.0
2.5.0: Ludovic Rousseau
27 May 2026
- Do not limit to 16 readers only
- Remove support of autotools
- Fix a crash when rescanning serial configs
- Fix a memory leak in Polkit
- tokenparser: avoid a crash with corrupted Info.plist files
- Some other minor improvements
py-google-auth-oauthlib: updated to 1.4.0
1.4.0 (2026-05-06)
Bug Fixes
Drop support for Python 3.9
replace deprecated utcfromtimestamp in google-auth-oauthlib
py-myst-parser: updated to 5.1.0
5.1.0 - 2026-05-13
New Features
- Add `"alert"` syntax extension for [GFM alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts) (e.g. `> [!NOTE]`), see [](syntax/alerts)
- Add `"gfm_autolink"` syntax extension for [GFM autolinks](https://github.github.com/gfm/#autolinks-extension-), see [](syntax/gfm-autolink)
- Add `myst_strikethrough_single_tilde` [config option](sphinx/config-options) to allow single tilde (`~`) for strikethrough
- Add `myst_colon_fence_exact_match` [config option](sphinx/config-options) to require the closing colon fence to have exactly the same number of colons as the opening, see [](syntax/colon_fence)
Improvements
- Update [`myst_gfm_only`](sphinx/config-options) mode to use the unified `gfm_plugin`, which now includes GFM autolinks, alerts, and improved strikethrough/tasklist handling
- Improve MathJax 4 compatibility for Sphinx 9
- Stop directive-option parsing at colon fences, fixing nested colon fence directives
Bug Fixes
[4 lines not shown]
py-sphinx-issues: updated to 6.0.0
6.0.0 (2026-03-13)
Backwards-incompatible: Remove implicit extraction of group/project from GitHub URLs in issues_uri. If you relied on setting _only_ issues_uri (e.g. https://github.com/myuser/myproject/issues/{issue}) without also setting issues_github_path or issues_default_group_project, you must now explicitly set one of those options in your conf.py:
Before:
issues_uri = "https://github.com/myuser/myproject/issues/{issue}"
After:
issues_github_path = "myuser/myproject"
Support Python 3.10-3.14. 3.9 is no longer supported, as it is EOL.
Pin lower bound of Sphinx to 8.1.0 (see "Sphinx version support policy above").
py-tornado: updated to 6.5.6
6.5.6
Security fixes
SimpleAsyncHTTPClient now strips the Authorization and Cookie headers from the request when following a redirect to a different origin. This matches the default behavior of CurlAsyncHTTPClient. Applications that need different behavior here can set follow_redirects=False and handle redirects manually. Thanks to [Yannick Wang](https://github.com/noobone123) for being first to report this issue, as well as additional reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and [Thai Son Dinh](https://github.com/sondt99).
SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this issue.
Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.
OpenIDMixin has improved parsing for the check_authentication response. Thanks to [Yannick Wang](https://github.com/noobone123) for reporting this issue.
Bug fixes
CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions of pycurl.
py-apache-libcloud: updated to 3.9.1
Changes in Apache Libcloud 3.9.1
Compute
- [VSphere] Add verify_ssl option
Add verify_ssl option, to enable the user to avoid SSL verification explicitly.
- [OpenStack] Initial Blazar support
This is an initial implementation of Blazar support in Libcloud. It currently
supports listing the available leases and hosts.
- [Azure ARM] Update US GovCloud AD endpoint for AZURE_ARM provider.
- [OpenStack] Add hypervisor_hostname attribute to OpenStack node.
- [GCP] Use the fully-qualified name for the GCP IMDS endpoint.
- [Azure ARM, Amazon S3] Add signed upload to azure and s3.
- [RcodeZero]: Fix issue when adding a record where a record with a different type already exists
DNS
[8 lines not shown]
py-sphinx-autodoc-typehints: updated to 3.10.3
3.10.3
Show version in error tracebacks
Support PEP 695 type statement and python 3.12+ TypeAliasType
Fix typehints_formatter cache warning
fix(stubs): resolve type hints for PyO3 native submodules
py-test_socket: updated to 0.8.0
0.8.0
Enhancements:
Block DNS resolution (getaddrinfo, gethostbyname) when sockets are disabled
Support CIDR network ranges in allow_hosts
Warn before raising on a blocked socket call
Cache hostname resolutions during a test run
Changes:
Removed support for Python 3.8 and 3.9. Python 3.10 is now the minimum.
Test against Python 3.13, 3.14, and free-threaded 3.13t/3.14t
Replaced Poetry with uv
Added type hints
Swapped pytest-httpbin for a local test fixture
Dependency, CI, and development updates
cargo-deny: added version 0.19.8
cargo-deny is a cargo plugin that lets you lint your project's dependency graph
to ensure all your dependencies conform to your expectations and requirements.
PR bin/58609 - enable locale var internal manipulation
sh now recognises the (standard) set of locale variables, and in addition
to setting up the locale environment to match those in the environment at
startup (which it has done for ages), now also causes alterations to those
variables while the shell is running to take immediate effect inside sh,
which can affect how the shell operates in some limited aspects - previously
such updates would be passed to exec'd child processes (not subshells)
if the variables are exported, and not affect the running shell at all.
See the PR, and the updated sh(1) man page, for details.
This is a feature enhancement, no pullups (not even to -11) are planned.
eqos: Various performance improvements.
- Use BUS_DMA_COHERENT for ring descriptors, allowing us to remove
the descriptor padding (which increased memory usage and bandwidth).
Be very careful to avoid unnecessary reads and writes of uncached
memory!
- Defer TX/RX to a workqueue. This is mostly to help the scheduler, which
doesn't seem to understand that a CPU busy processing interrupts is
maybe not the best place to run a process on an otherwise idle system.
www/freenginx-devel: update from 1.31.1 to 1.31.2
Sponsored by: tipi.work
<ChangeLog>
*) Bugfix: a segmentation fault might occur in a worker process if
nested captures were used in the "rewrite" directive.
*) Bugfix: the "if" directive incorrectly handled relative paths when
checking files.
</ChangeLog>
libde265: updated to 1.1.0
1.1.0
Added de265_security_limits parameters to limit the maximum image size and memory that libde265 will use during decoding.
Security fixes
CVE TBD (GHSA-g2rg-wj66-w594) - Out-of-bounds write in process_reference_picture_set via predicted short-term RPS
CVE TBD (GHSA-vv8h-932h-7r86) - Heap buffer overflow in de265_image_get_buffer via SPS dimension integer overflow
CVE TBD (GHSA-g5hj-rf9f-7vxm) - Unbounded memory accumulation via orphaned slice headers in read_slice_NAL
(GHSA-x27c-jp65-g395) - Quadratic CPU consumption in NAL parser (remove_stuffing_bytes, resize)
