p5-HTTP-Tiny: update to 0.096.
0.096 2026-06-08 11:21:49+02:00 Europe/Brussels
- No changes from 0.095-TRIAL
0.095 2026-06-03 13:10:05+02:00 Europe/Brussels (TRIAL RELEASE)
[!!! SECURITY !!!]
- Caller-supplied C<Authorization>, C<Cookie>, and C<Proxy-Authorization>
headers are now stripped on cross-origin redirects by default. Use
allow_credentialed_redirects to opt out.
- Redirects are no longer automatically followed when going from https to http.
Use allow_downgrade to revert to the original behaviour.
tnt-ham: fix build with GCC 14, correct doc paths in PLIST
GCC 14 turns implicit-int and implicit-function-declaration into
hard errors by default, which breaks this K&R-era codebase. Demote
them back to warnings via CFLAGS until the code is fixed properly.
Correct PLIST doc file locations: the build installs documentation
under share/tnt/doc/, not share/doc/tnt/.
Update misc/CodeWhale to v.0.87
rquickjs-sys pre-generated bindings for NetBSD targets are identical to
those for Linux, so just copy them. One might bindgen them one of these days
dpbox: update to 6.1.1
Upstream rolled the version-string change (patch-bj) and the fixes
for the optimization-triggered crash into the v6.1.1 tag, so both
patches are removed. patch-ba (-O0 workaround) is no longer needed:
the crash root cause was undefined behavior in format specifiers,
fixed upstream, and the package now builds at the stock -O2/-O3.
Update nsd to version 4.15.0.
Pkgsrc changes:
* Version & checksum changes.
Upstream changes:
4.15.0
================
FEATURES:
- Merge #483 from ruuda: Improve Prometheus metrics: Move zonestats from
metric name to label
BUG FIXES:
- Fix #478: Feature request: reduce syslog noise from frequent
read-only control commands (e.g. stats_noreset). It logs the
verbosity command always, and others at 2 and higher.
- Fix XDP cleanup code being executed even if xdp is not configured
- Merge #481 from jaredmauch: Fix pedantic/CodeQL warning in sources
- Merge #484 from orlitzky: OpenRC: fix network deps and support both
[62 lines not shown]
Update to version 2.43
- accommodate sox to sox_ns pkgsrc change
- in 'pthai-mp3-play, use new variable 'pthai-audio-command, preferring "play_ng" over "play"
- add 'pthai-lookup-all to return all matches for word lookup
Pull up following revision(s) (requested by riastradh in ticket #376):
libexec/ld.elf_so/load.c: revision 1.52
rtld, ldd: Fix bad assertion.
(*needed)->obj may legitimately be null here, as the next line shows,
so don't check (*needed)->obj->refcount in that case.
PR bin/60422: ldd, rtld: crash inside assertion if needed object not
found
Pull up the following revisions(s) (requested by msaitoh in ticket #1310):
usr.sbin/syslogd/extern.h: revision 1.5
usr.sbin/syslogd/sign.c: revision 1.10
usr.sbin/syslogd/sign.h: revision 1.4
usr.sbin/syslogd/syslogd.c: revision 1.141,1.145,1.148,1.151-1.155 via patch
usr.sbin/syslogd/syslogd.h: revision 1.10-1.11 via patch
usr.sbin/syslogd/tls.c: revision 1.26-1.27
usr.sbin/syslogd/tls.h: revision 1.4
Some improvements for syslogd(8):
- Retry sendto() if it raises EBUSY, too.
- Add missing SLIST_INIT() in main(). This is not a real bug because
the tls_opt is in BSS and SLIST_INIT() assign NULL.
- Cleanups (KNF, fix typos and G.C.).
Pull up the following revisions(s) (requested by riastradh in ticket #374):
sys/dev/acpi/acpi_mcfg.c: revision 1.33
x86: Fix crash at boot on some machines with options PCI_RESOURCE,
in case something goes wrong traversing the MCFG table and no
segments are found.
Addresses:
PR kern/60411: x86 PCI_RESOURCE: null pointer dereference at boot
py-dulwich: updated to 1.2.10
1.2.10 2026-07-07
* Fix regression in 1.2.9 where loose objects whose content inflates to
more than 8192 bytes failed to parse with ``zlib.error: object header
exceeds maximum size``. (Jelmer Vernooij)
1.2.9 2026-07-06
* Bound the running length when decoding EWAH bitmaps, so a corrupt or
malformed ``.bitmap`` index raises ``ValueError`` instead of hanging in
an unbounded loop that exhausts memory. (Jelmer Vernooij)
* web: Reject smart HTTP ``git-upload-pack`` / ``git-receive-pack`` POSTs
whose ``Content-Type`` is not the exact ``application/x-<service>-request``
value, matching ``git http-backend``. Real git clients (and dulwich's own
client) already send this header, so there is no interop cost; the check
is defense in depth against cross-origin POSTs for deployments that wrap
[33 lines not shown]