PR/60362 (gdb can not insert breakpoints on aarch64)
Update aarch64-netbsd-tdep.c to use modern gdb initialisation method and
re-gen libgdb/arch/aarch64/init.c
py-cffi: updated to 2.1.0
2.1.0
Added the cffi-gen-src command-line tool (also invocable as python -m cffi.gen_src), which generates CFFI C extension source code, so that a build backend such as meson-python can build the extension. See Generating C Sources for CFFI Extensions for details. Integrated from the cffi-buildtool project by Rose Davidson.
Added support for arm64 iOS wheels.
Dropped support for Python 3.9.
Added support for Python 3.15 and support for C extensions generated by CFFI to target the new abi3t free-threaded ABI.
Avoid crashes inside of __delitem__.
Avoid “string too big” error under MSVC.
Fix mingw builds.
py-build: updated to 1.5.1
1.5.1 (2026-07-09)
Features
- Add ``--report=PATH`` to write a machine-readable JSON report of built artifacts; ``--metadata`` now also accepts
``.whl`` files - by :user:`gaborbernat` (:issue:`198`)
- The ``srcdir`` argument now accepts ``.tar.gz`` source distributions, extracting and building from them - by
:user:`gaborbernat` (:issue:`311`)
- The "Unmet dependencies" error from ``--no-isolation`` builds now shows the wanted version, found version, and
interpreter - by :user:`gaborbernat` (:issue:`504`)
- Add ``--sdist-extract-dir`` to extract the intermediate sdist into a persistent directory, enabling compiler cache reuse
across rebuilds - by :user:`gaborbernat` (:issue:`614`)
- Add ``--env-dir`` to place the isolated build environment at a fixed path, enabling compiler cache reuse across builds -
by :user:`gaborbernat` (:issue:`655`)
- Print a summary of resolved dependency versions (``name==version``) after installing them in isolated builds - by
:user:`gaborbernat` (:issue:`959`)
- On build failure, print a tip pointing to ``--env-dir`` and ``--sdist-extract-dir`` for debugging and link to the "Debug
[26 lines not shown]
memcached: updated to 1.6.45
1.6.45
Fixes
proxy: extra warning for user config error
proto: convert more strto calls
proto: meta preparse F flag fix
proxy: fix res:line() returning wrong response
proxy: fix overread of spaces for large gets
ascii: safely convert flag args to numerics
ascii: fix unlocked refcount-- on error path
proxy: key filter null byte written to wrong place
proxy: fix detail len clamp in request logging
proxy: enforce minimum rate limit
ascii: fix refcount leak on ms parse error
proxy: reserve enough log space for proxy BE_EVENT
network: fix segfault on OOM during net read
[16 lines not shown]
rclone: updated to 1.74.4
1.74.4
Bug Fixes
accounting
Fix goroutine leak in ResetCounters (Nick Craig-Wood)
Fix goroutine leak in NewStatsGroup for zero-transfer rc jobs (Sanjays2402)
archive extract: Fix path traversal letting archives escape the destination CVE-2026-59732 (Nick Craig-Wood)
build
Fix multiple CVEs by upgrading to go1.26.5 (Nick Craig-Wood)
CVE-2026-39822: os: Root escape via symlink plus trailing slash
CVE-2026-42505: crypto/tls: Encrypted Client Hello privacy leak
Update golang.org/x/image to v0.43.0 to fix image decoding vulnerabilities (Nick Craig-Wood)
CVE-2026-46604: panic decoding a TIFF image with an out-of-bounds strip offset
CVE-2026-46602: unbounded memory use from lack of a limit on TIFF tile sizes
CVE-2026-46601: panic on a WEBP VP8 alpha channel size mismatch
CVE-2026-33813: panic decoding a large WEBP image on 32-bit platforms
cmd/mount2
[43 lines not shown]
py-django5: updated to 5.2.16
Django 5.2.16 fixes three security issues with severity “low” in 5.2.15.
CVE-2026-48588: Potential exposure of private data via cached Set-Cookie response
CVE-2026-53877: Heap buffer over-read in GDALRaster
CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input
py-django: updated to 6.0.7
6.0.7
Django 6.0.7 fixes three security issues with severity “low” and one bug in 6.0.6.
CVE-2026-48588: Potential exposure of private data via cached Set-Cookie response
CVE-2026-53877: Heap buffer over-read in GDALRaster
CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input
Bugfixes
Fixed a regression in Django 6.0 where the PBKDF2 and MD5 password hashers
raised UnicodeDecodeError for bytes passwords that were not valid UTF-8.
Passwords supplied as str or as UTF-8 bytes are unaffected
py-stone: updated to 3.4.0
3.4.0
Breaking changes
Requires Python 3.11 or later. Python 2.7 and 3.5–3.10 are no longer supported
The six dependency has been removed; Stone is now pure Python 3
Highlights
Python 3 modernization — dropped six, removed Python 2 compatibility shims, fixed datetime.utcnow() deprecations, and set python_requires>=3.11 with CI coverage through Python 3.14
Output manifest mode — generate and validate a manifest of generated output paths, with outputs kept under the output root.
Recursive spec directories — spec directory arguments can now be expanded recursively.
Reproducible Obj-C output — Obj-C backend output is now stabilized/deterministic
Fixes
Fixed invalid except [list] syntax in HashRedactor that raised TypeError on redaction
PR bin/58577 - install(1) -d issues
Fix issues where "install -d" (with no directory) simply
exit(0)s. That one is kind of marginal, installing nothing
when nothing is needed could be treated as OK, but the man
page does indicate in the SYNOPSIS that with -d, at least
one directory is needed (it says nothing at all about that
in the text).
Second, after creating a directory, if a later operation
(chown, chmod) fails, that is not success, a warning was
issued (good), a bad metalog was being created (bad).
That is clearly a bug (though probably doesn't happen
very often).
And third, when install -d fails, and issues an error,
(warn()) the exit status from install(1) should not be zero.
This only applies after the (rare, I'd assume) errors
from the 2nd fix (which were not previously regarded as
[22 lines not shown]
py-peewee: updated to 4.1.2
4.1.2
* Ensure quotes escaped in SQLite introspection methods, thanks @greymoth-jp
for reporting and the initial patch.
* Allow TimestampField to accept an iso-formatted str.
* Add key-existence predicates (`has_key`, `has_keys`, `has_any_keys`) to the
core `JSONField` on SQLite, implemented with `json_type()`.
* Add containment predicates (`contains`, `contained_by`) to the core
`JSONField` on SQLite via a registered `_pw_json_contains` UDF that emulates
Postgres' `@>` semantics (structural, level-aligned). The core `JSONField`
now has full predicate parity across SQLite, Postgres, and MySQL/MariaDB.
netcdf: updated to 4.10.1
4.10.1 - July 6, 2026
* Fixed outstanding CVE issues.
* Added new functions `nc_set_meta_block_size()` and `nc_get_meta_block_size()`, to allow for runtime modification of downstream `libhdf5` block size.
* Use TARGETS to install plugins
* Have hdf4 tests include MFHDF_H_INCLUDE_DIR
* Testing a fix for libhdf4 + jpeg + cmake
* add big-endian CI run and fix endian issues in test and hdf5var.c
* documentation fixes
* Fix tst_h_files4.c compatibility with HDF5 API version defaulting
* Updated nc-config.cmake.in to extend functionality of --libs-ac-syntax
* Updated the man pages
* CI fix
* fix cmode bug
* CI: Switch from miniconda to micromamba
* fix docs in libhdf4, libhdf5, and libsrcp
* documentation fixes for liblib and examples
[35 lines not shown]
PR lib/59067 (wctrans got error member)
Patches from the OP (ru_j217) and from RVP - see the PR
This looks to be just correcting what appear to be simple
errors in the code.
XXX pullup -11
Properly fix the libc build
I had this change in early testing, but convinced myself it couldn't
possibly be required, so deleted it - and all worked. But that's
because I do update builds, and this extra dependency required after
the first build.
It shouldn't be required ever, it is insane, but there will shortly
be a PR about that! For now, this does no harm.
PR xsrc/59858 (locale fixes for xsrc)
From RVP - see the PR
Oversimplifying: this causes Mesa to use LC_NUMERIC=C when using
strtod() to parse stuff (ie: the radix char (decimal point) is '.',
regardless of the user's locale).
XXX pullup -11
PR xsrc/59858 (locale fixes for xsrc)
From RVP - see the PR
Oversimplifying: this causes Mesa to use LC_NUMERIC=C when using
strtod() to parse stuff (ie: the radix char (decimal point) is '.',
regardless of the user's locale).
XXX pullup -11