(math/R) Updated 4.5.2 to 4.5.3, another update may follow:
CHANGES IN R 4.5.3:
UTILITIES:
* tools/fetch-recommended can be used instead of
tools/rsync-recommended to fetch recommended packages into R
sources using curl on systems without rsync or behind firewalls.
PACKAGE INSTALLATION:
* C++ standard specifications (CXX_STD = in src/Makevars* and in
the SystemRequirements field of the DESCRIPTION file) are now
checked more thoroughly. Invalid values are still ignored but
now give a warning, as do contradictory specifications.
* (Preliminary) support for C++26 has been extended to Windows.
[51 lines not shown]
Restore line whose content vanished in previous
Somehow in the previous version, the content of one line was
removed, leaving just the indentation tabs... restore that line.
While here, and inspired by that line remnant, check for trailing
whitespace, and obliterate all of it that is unintentional (there
is one space in an EDIT_ME in a here-doc which is intended).
Also, in the rarely used "zones added"/"zones removed" commit message,
for the set lists, add some vertical white space before the listings
of any zones added or removed (happens so rarely, I'm not sure that
code has ever been used).
Remove unifi{8,9}
They both have serious CVEs and are no longer supported.
unifi10 is supported, wip & pkgsrc has been updated to a version with the
(known) security issues fixed, and it should be supported on any platform
which can run unifi8 or 9.
Pull up following revision(s) (requested by christos in ticket #285):
external/ibm-public/postfix/dist/conf/main.cf: revision 1.13
fix so that it works out of the box (from RVP)
Pull up following revision(s) (requested by skrll in ticket #284):
sys/arch/riscv/include/vmparam.h: revision 1.16
risc-v: bump some parameter values on riscv64
Match all other 64bit platforms for
- PAGER_MAP_DEFAULT_SIZE
- UBC_WINSHIFT
- UBC_NWINS
Spotted by thorpej
PR misc/60253 (conditionally) remove CRYPTO using example
This completes the previous (2026-03-03) change, by removing an
example from the EXAMPLES section, which would only work if nc
was built with the CRYPTO option.
Like the previous, changing the definition of the number register C
in the man page source from 0 to 1 will reinstate the example, along
with all of the CRYPTO options, but makes no sense unless someone
does the required work to be able to build nc with CRYPTO defined.
No pullups required, the previous changes weren't pulled up either.
py-django5: updated to 5.2.14
Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
[2 lines not shown]
py-django: updated to 6.0.5
6.0.5
Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
[12 lines not shown]
freeradius: updated to 3.2.8
FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
Configuration changes
* Replace dictionary.infinera with the correct one.
* Update dictionary.alteon
Feature improvements
* Add support for automated fuzzing. This doesn't affect
normal operations, but it does allow for testing of the
RADIUS decoder.
* Allow tagged attributes to use ":V" as a tag in some cases.
The tag is then read from the value which is being assigned
to the attribute. This functionality is allowed in 'update'
sections, including 'update' in module configurations.
See mods-available/ldap for an example.
* Add kafka module. See mods-available/kafka.
* Allow &control:Packet-SRC-IP-Address to be used when
proxying needs a given source address.
[47 lines not shown]