doc: Fix warnings pkglint points out about CHANGES-2026
To the best of my understanding:
- sqlite3 3.52.0 was withdrawn so the changes were a downgrade,
- remove duplicate lines
- correct committer
- fix some malformed lines / version numbers
nodejs*: updated to 25.8.2, 24.14.1, 22.22.2, 20.20.2
Notable Changes
(CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
(CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
(CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
(CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
(CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
(CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
(CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
(CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
net/bind918: update to 9.18.47
This is a security release, and from the release announcement:
Our March 2026 maintenance releases of BIND 9 are available and can be downloaded from the links below. Packages and container images provided by ISC will be updated later today.
In addition to bug fixes and feature improvements, these releases also contain fixes for security vulnerabilities. More information can be found in the following Security Advisories:
https://kb.isc.org/docs/cve-2026-1519
https://kb.isc.org/docs/cve-2026-3104
https://kb.isc.org/docs/cve-2026-3119
https://kb.isc.org/docs/cve-2026-3591
A link to each newly-released version follows. Each release directory includes a complete source tarball, cryptographic signature, and release notes. The release notes provide a summary of significant changes, and should be reviewed before upgrading.
- Current supported stable branches:
- 9.18.47 - https://downloads.isc.org/isc/bind9/9.18.47/
[5 lines not shown]
squid6: security fixes
Backport fixes for:
SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
www/chromium: update to 146.0.7680.164
* 146.0.7680.164
This update includes 8 security fixes. Please see the
Chrome Security Page for more information.
[$7000][485397284] High CVE-2026-4673: Heap buffer overflow in WebAudio.
Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][488188166] High CVE-2026-4674: Out of bounds read in CSS.
Reported by Syn4pse on 2026-02-27
[TBD][488270257] High CVE-2026-4675: Heap buffer overflow in WebGL.
Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-02-27
[TBD][488613135] High CVE-2026-4676: Use after free in Dawn.
Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-01
[TBD][490533968] High CVE-2026-4677: Out of bounds read in WebAudio.
Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-07
[TBD][491164019] High CVE-2026-4678: Use after free in WebGPU.
Reported by Google on 2026-03-10
[TBD][491516670] High CVE-2026-4679: Integer overflow in Fonts.
Reported by GF, Un3xploitable Of DeadSec on 2026-03-11
[2 lines not shown]
R: fix install-time error on Darwin builds by restoring patch lost in update
There seem to be more missing hunks plus some weird lines ending with a
vertical bar in patch-configure.ac, but I'm doing minimal changes to fix
an issue at the moment.
libfyaml: disable optimizations on i386, fixes build for NetBSD.
This includes code that seems to be written for x86-64.
Switching to the "portable" version is a quick working way to avoid that
code.
Note that the meaning of "portable" here means "compiling with some Windows
compiler that doesn't like the syntax". This package does appear to do
run-time detection of features before it is used, and most users wouldn't
want to use the portable flag.
pkgtools/depgraph: update to 20260320 - fail gracefully when the package name is
not recognised
fix some pkglint in the Makefile - thanks to rillig for the advice
swapctl(8): do not assume PGSHIFT is available
PGSHIFT might not be available in userland, e.g. sparc.
use sysconf(_SC_PAGESIZE) to query the kernel instead.
Re-do the way the news1700's external cache vs. 68030 cache burst mode
issue is dealt with.
Rather than completely re-defining the high-level cache operation macros
to exclude the *_BE bits (which actually penalized systems without an EC
because the *_BE bits set in the CACR initially would be lost on the first
cache operation), instead we provide a "platform has dynamic CACR values"
hook.
For NEWS, the values default to the with-*_BE variant, but if an external
cache is discovered, the values are patched up with the non-*_BE variants.
Only one shared assembly language routine needs to be adjusted for this,
the rest of the scenarios where these values are used are handled by the
compiler via constraints.
For all other platforms that don't define __HAVE_M68K_DYNAMIC_CACR,
the values remain compile-time constants, as before.
Group 68020/68030 CACR bits into "the actual bits that do stuff" and
"higher level operations", along with some helper macros that compute
the latter in terms of the former.
NFCI, but sets the stage for some future cleanup in this area.
liblfds: add new package
This is liblfds, a portable, license-free, lock-free data structure
library written in C.
Lock-free data structures are process, thread and interrupt safe
(i.e. the same data structure instance can be safely used concurrently
and simultaneously across cores, processes, threads and both inside
and outside of interrupt handlers), never sleep (and so are safe
for kernel use when sleeping is not permitted), operate without
context switches, cannot fail (no need to handle error cases, as
there are none), perform and scale literally orders of magnitude
better than locking data structures, and liblfds itself (as of
release 7.0.0) is implemented such that it performs no allocations
(and so works with NUMA, stack, heap and shared memory) and compiles
not just on a freestanding C89 implementation, but on a bare C89
implementation.
The library is completely documented (every API, function, macro,
[2 lines not shown]
Revert "config_attach_pseudo/config_attach_pseudo: assert kernel lock"
it turned out that we have too many drivers which would trigger
these assertions. although my impression is that they are actually
not mpsafe, let's revert the assertions for now.
PR/60123 https://gnats.netbsd.org/60123