py-tornado: updated to 6.5.7
What's new in Tornado 6.5.7
Security fixes
- ``CurlAsyncHTTPClient`` now fully resets the curl object before reusing it. This prevents
incorrectly reusing options from a previous request, specifically including client SSL and
credentials used for accessing proxies. Thanks to `Koh Jun Sheng <https://github.com/seankohjs>`_
for reporting this issue.
openssl: updated to 3.6.3
OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed
in this release is High.
This release incorporates the following bug fixes and mitigations:
Fixed heap use-after-free in PKCS7_verify().
(CVE-2026-45447)
Fixed CMS AuthEnvelopedData processing may accept forged messages.
(CVE-2026-34182)
Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
(CVE-2026-34183)
Fixed double-free when checking OCSP stapled response.
(CVE-2026-35188)
[41 lines not shown]
(devel/R-BH) Updated 1.87.1 to 1.90.0.1
Changes in version 1.90.0-1 (2025-12-13):
* Upgrade to 'Boost' 1.90.0, patched as usual to comment-out
diagnostic suppression messages per the request of CRAN
* Minor upgrades to continuous integration
devel/php-xdebug: update to 3.5.3
It looks like 3.5 2 was skipped.
3.5.3 (2026-06-08)
Fixed bugs:
* Fixed issue #2404: Xdebug outputs a message to stderr when path mapping is
enabled, and a directory is present
* Fixed issue #2405: Handle minimum path in .xdebug directory discovery
* Fixed issue #2411: Native Path Mapping is not applied to the initial
fileuri in the init packet
* Fixed issue #2421: Crash with wrong option letter in DBGP and socket commands
* Fixed issue #2422: No limit on DBGP read buffer
* Fixed issue #2423: Don't follow symlinks with file creation
* Fixed issue #2424: Control-socket buffer crashes
* Fixed issue #2426: xdebug_get_tracefile_name incorrectly throws notice
* Fixed issue #2427: Crash when file_link_format setting is wrong
[7 lines not shown]
net/ruby-ruby_smb: update to 3.3.21
3.3.21 (2026-06-08)
* Merge pull request #297 from zeroSteiner/feat/smb1/symlink
Add #set_unix_link to the SMB1 tree
devel/ruby-msgpack: update to 1.8.2
2026-06-09 1.8.2
* Fix Buffer#clear to properly reset memory chunks before adding them back
to the pool. This could have caused data to leak across buffers when
using the MessagePack::Buffer API directly. [CVE-PENDING].
www/typo3-13: update to 13.4.31
13.4.28 (2026-04-14)
This version is a bugfix and maintenance release.
13.4.29 (2026-05-12)
This version is a bugfix and maintenance release.
13.4.30 (2026-05-26)
This version is a bugfix and maintenance release.
13.4.31 (2026-06-09)
This release is a combined bug fix and security release.
Find more details in the security bulletins:
[14 lines not shown]
(textproc/R-xml2) Updated 1.3.6 to 1.5.2
# xml2 1.5.2
* Enable the myExternalEntityLoader also on libxml 2.14.4 for MacOS
# xml2 1.5.1
* Avoid shared libxml2 on MacOS because this reveals bugs in R.app (#471)
# xml2 1.5.0
* Experimental custom myExternalEntityLoader on libxml2 2.15 and up.
# xml2 1.4.1
* Remove a test that broke with libxml2 2.15
# xml2 1.4.0
[22 lines not shown]
forgejo-cli: Import forgejo-cli-0.5.0 as wip/forgejo-cli
fj, a CLI client for Forgejo akin to gh, glab, or tea!
You can...
- Open, edit, comment on, close issues
- Create and merge pull requests
- Easily create AGit pull requests, no need to fork!
- Create, star, watch, and edit repositories
- Manage organizations and teams
- Publish new releases
...all from the command line!
fj doesn't try to replace your usage of git, it's meant to work
alongside it. It handles all the Forgejo-specific things that git
doesn't.
databases/postgresql-postgis2: Accept pgsql 18
PostgreSQL 18 is ok, per upstream's README.postgis ("and above") (and
if it didn't work I'd be hearing about it on postgis-devel@).
In PR pkg/60316, Jim Spath reports that adding 18 and testing with
qgis was successful (and also that pgsql 14 is still ok, not related
to this commit but good to know).
