dpbox: update to 6.1.2
Fixes two stack buffer overflows caught on Linux/glibc with FORTIFY:
- dp_vnr_sub was declared char[4] but holds a 6-character version
suffix, overflowing at startup in init_box().
- gen_sftest() declared STR7[100] but passed 255 as the snprintf bound.
A MYBBS command carrying a hierarchical address overran the buffer.
On platforms whose libc does not fortify, this presented as an
intermittent, optimization-dependent crash.
Also adds unconditional <time.h> includes (they were reachable only
inside an #ifdef __macos__ branch) and bounds two strcpy calls into
calltype.
py-tree-sitter: updated to 0.26.0
0.26.0
Additions:
Point.edit()
Point.__repr__()
QueryCursor.set_containing_byte_range()
QueryCursor.set_containing_point_range()
Range.edit()
tree_sitter.__version__
Removals:
Language.version: use Language.abi_version !
Language.query(source): use Query(language, source) !
Parser.timeout_micros: use the progress_callback in parse() !
QueryCursor.timeout_micros: use the progress_callback in matches() or captures() !
[4 lines not shown]
radsecproxy: updated to 1.11.3
1.11.3
Bug Fixes:
- Fix Message-Authenticator validation for Accounting-Request
- Fix DtlsVersion config
- Fix Request-/Response Authenticator for recognized but unsupported types
- Fix fail if outgoing radius message is too big
- Fix Status-Server might not work when using RequireMessageAuthenticator
- Fix crash on startup when log file is not writable
- Fix DTLS reconnect loop
Misc:
- Improve message decode/verification error logging
- Don't fail startup when config include glob finds 0 files
- Maintain compatibility with nettle-4
- Maintain compatibility with OpenSSL 4
adguardhome: updated to 0.107.78
0.107.78
Security
AdGuard Home is now more resistant to JIGGLE attacks.
This is GHSA-p5f5-3p5g-rfjw. We thank @Nora-Qiu for reporting this security issue.
AdGuard Home now validates responses from DoH upstreams more strictly.
This is GHSA-4qjf-2hgm-92q6. We thank @wallace0409 for reporting this security issue.
QUIC connections are now protected from unbounded reads.
This is GHSA-qr92-rwvw-mhgh and GHSA-cccx-2r6r-m9r4. We thank @wallace0409 for reporting this security issue.
AdGuard Home now validates responses from DNSCrypt upstreams more strictly.
[27 lines not shown]
zxing-cpp: update to 3.1.0.
(libreoffice still builds.)
Changes:
New/Improved Symbologies
Added decoder support for Telepen symbology
Added decoder support for MicroPDF417 (sponsored by Allied Vision Konstanz GmbH)
Greatly improved Aztec detector for large, non-flat symbols by evaluating internal timing patterns
Greatly improved DataMatrix detector for large, non-flat symbols by evaluating internal alignment patterns
Major improvement in QRCode detection of many small symbols in a single image
New/Improved wrappers
Added a Go wrapper
Switched from pybind11 to nanobind in Python wrapper code (enhanced IDE support, faster build times, smaller binaries, free-threaded Python support)
[33 lines not shown]
Apply changes between 2026b and 2026c
Release 2026c - 2026-07-08 10:23:58 -0700
Briefly:
Alberta moved to permanent -06 on 2026-06-18.
Morocco moves to permanent +00 on 2026-09-20.
More integer overflow bugs have been fixed in zic.
Changes to future timestamps
Alberta's 2026-03-08 spring forward was its last foreseeable clock
change, as it moved to permanent -06 thereafter. (Thanks to Roozbeh
Pournader and others.) Model this with its traditional abbreviation
CST. Although the change to permanent -06 legally took place on
2026-06-18, temporarily model the change to occur on 2026-11-01 at
02:00 instead, for the same reason we introduced a similarly
temporary hack for British Columbia in 2026b.
[45 lines not shown]
lame: drop patches/patch-libmp3lame_lame.c, obsoleted upstream
I got direct communication from upstream that the underlying issue is
handled in a more robust manner elsewhere already. Dropping the old
patch.