www/freenginx-devel: update from 1.31.2 to 1.31.3
Sponsored by: tipi.work
<ChangeLog>
*) Feature: additional checks are now used during variable substitution,
including during execution of the ngx_http_rewrite_module directives,
to prevent buffer overruns in case of errors in the code.
*) Bugfix: if the "auth_request_set" directive or regular expression
named captures were used to change prefix variables, such as
"$http_...", corresponding variables became empty in other parts of
the configuration.
*) Bugfix: changing the $limit_rate and $args variables with the
"auth_request_set" directive or regular expression named captures
worked incorrectly.
[23 lines not shown]
go: update to 1.26.5 and 1.25.12 (security)
These releases include 2 security fixes following the security policy:
- os: Root escape via symlink plus trailing slash
On Unix systems, opening a file in an os.Root improperly
followed symlinks to locations outside of the Root when
the final path component of the a path is a symbolic link
and the path ends in /.
For example, root.Open("symlink/") would open "symlink" even when
"symlink" is a symbolic link pointing outside of the root.
On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
in path when path ends in a /. Root failed to account for
this behavior, permitting paths with a trailing / to escape.
It now properly sanitizes the path parameter provided to openat.
[18 lines not shown]
py-mocket: updated to 3.14.2
3.14.2
tests: add tests for hexdump and hexload, including ValueError on invalid hex
Better can_handle_fun documentation
Raise an error when both can_handle_fun and match_querystring are used
carburetta: Update to 0.8.28
0.8.28 - 2026-01-11
- Will now emit #line so C/C++ compilation errors on generated code
will be located at the corresponding snippet code in the .cbrt input
file, where appropatiate. Use --nolinedir to disable.
- Can now emit a symbol_names[] table for all ordinal constants, this
can be useful when writing code that uses Carburetta's internal
structures more dynamically and you wish to emit debug information.
Only generated when --sym-names is specified.
- Instead of specifying a filename, you can now pass - (a dash) for
the filename and the grammar input will be read from stdin.
0.8.25 - 2025-04-14
- New 'visit' feature. When specifying either %visit or %visit_params
[87 lines not shown]
games/ajbsp: Update to 1.05
* support UDMF maps, creating XGL3 nodes
* better ability to embed as a library
* lots of code improvements, require C++11 now
* a facility for source ports: XWA files
import libevent-2.1.13 (previous was 2.1.12)
Changes in version 2.1.13-stable (01 July 2026)
This release contains several security fixes, affecting users of the
following modules: evbuffer, bufferevent, evtag, evrpc, evdns, evhttp.
If you have a program that uses one of those modules,
or if you distribute libevent, you should upgrade.
Additionally, this release backports some small modernizations to
the libevent codebase, to aid in compiling with the compilers
released over the last few years.
Security Fixes (evtag, evrpc):
- Fix an out-of-bounds read in decode_tag_internal.
(Found by @Brubbish. GHSA-fj29-64w6-73h6)
- Fix an integer overflow in evtag_unmarshal_header.
(Found by @Brubbish. GHSA-45c6-qx49-89m8)
[31 lines not shown]