musicpd: update to 0.24.12.
ver 0.24.12 (2026/05/15)
* protocol
- allow empty URI in "lsinfo", "add" etc. (0.24.11 regression)
ver 0.24.11 (2026/05/15)
* protocol
- fix path traversal bug
* playlist: do not allow newlines in song URIs
* input
- curl: require version 7.85.0
* decoder
- pcm: fix stack buffer overflow
- sidplay: fall back to SIDLiteBuilder if ReSIDfpBuilder is unavailable
ver 0.24.10 (2026/05/06)
* input
- cache: fix deadlock bug
[16 lines not shown]
py-jwcrypto: updated to 1.5.8
1.5.8
Fix list iteration in claim format validation
fix: bump minimum cryptography dependency to >= 39.0.0
Wrap JWKSet parsing errors in InvalidJWKValue
jwt: add opt-in strict_serialization to enforce compact form
py-click: updated to 8.4.2
8.4.2
Fix Fish shell completion broken in 8.4.0 by {pr}3126. Newlines and tabs in option help text are now escaped, keeping the original completion format while still supporting multi-line help. {issue}3502 {issue}3043 {pr}3504 {pr}3508
Deprecated commands and options with empty or missing help text no longer render a stray leading space before the (DEPRECATED) label. {pr}3509
A {class}Group with invoke_without_command=True marks its subcommand as optional in the usage help, showing [COMMAND] instead of COMMAND. {issue}3059 {pr}3507
echo_via_pager flushes after each write, so passing a generator streams output to the pager incrementally instead of staying hidden until the pipe buffer fills. {issue}3242 {issue}2542 {pr}3534
echo_via_pager and get_pager_file no longer close a borrowed stdout stream when no external pager runs, completing the partial I/O operation on closed file fix from {pr}3482. {issue}3449 {pr}3533
py-cython: updated to 3.2.6
3.2.6 (2026-06-24)
Bugs fixed
* ``@functools.wraps()`` was broken in Py3.14+ for Cython compiled functions.
* A double-free in the t-string code was fixed.
* The ``-`` operator declarations for iterators in ``libcpp.vector`` we corrected.
* The shared utility code module no longer uses a temporary file path that
changed the C code on each generation.
* On 32 bit platforms, cached constants are no longer made immortal during module import.
net/libslirp: update to version 4.9.3
This is a security update for CVE-2026-9539: libslirp TCP URG OOB Read
Information Leak.
Changes in 4.9.3:
* Fix migration break on incorrect vmstate retcode
Changes in 4.9.2:
* Security:
- oob: cap urgent data count to what is actually available
* Fixed:
- Honor dns server port number on macos
- Cope with SO_ERROR possibly failing
- vmstate: pass on read/write errors for state
- Fix port conflict
- tcp_sockclosed: Set linger timer on remaining closing states
[62 lines not shown]
ld.elf_so(1): Run concurrent dlopen/dlclose test a few more seconds.
More likely to provoke the problem this way. Still not 100% reliable
because the problem is a race condition, but better than having the
test unexpectedly pass half the time.
Also set a timeout of 20sec, since I've seen the test get into an
infinite loop sometimes and it's now supposed to complete in 5sec +
epsilon.
PR lib/59751: dlclose is not MT-safe depending on the libraries unloaded
gspell: forward icu dependency in bl3.mk
Seems it's needed:
meson.build:66:13: ERROR: Dependency lookup for gspell-1 with method 'pkg-config' failed: Could not generate cflags for gspell-1:
