net/libslirp: update to version 4.9.3
This is a security update for CVE-2026-9539: libslirp TCP URG OOB Read
Information Leak.
Changes in 4.9.3:
* Fix migration break on incorrect vmstate retcode
Changes in 4.9.2:
* Security:
  - oob: cap urgent data count to what is actually available
* Fixed:
  - Honor dns server port number on macos
  - Cope with SO_ERROR possibly failing
  - vmstate: pass on read/write errors for state
  - Fix port conflict
  - tcp_sockclosed: Set linger timer on remaining closing states
[62 lines not shown]
gspell: forward icu dependency in bl3.mk
Seems it's needed:
meson.build:66:13: ERROR: Dependency lookup for gspell-1 with method 'pkg-config' failed: Could not generate cflags for gspell-1:
Update devel/objfw to 1.5.6
Changes from ObjFW 1.5.5:
* Unpaired UTF-16 surrogates are now converted to WTF-8
* Collections now refuse to be inserted into themselves
* Fixes OFMutableData dropping the itemSize in one convenience initializer
* Fixes OFFileIRIHandler setting the UID to the GID
* Fixes handling of BOM in -[OFUTF8String initWithUTF8StringNoCopy:length:freeWhenDone:]
* OFMutableIndexSet now correctly inserts / removes from self
* OFMutableUTF8String now correctly appends and replaces self
* Fixes handling of TLS close notifications
* Fixes relocking the mutex in OFCondition on Windows
* Fixes searching for a handler after a cleanup in the runtime
* Fixes parsing JSON containing an exponent without a decimal point
* Call va_end() after va_copy() everywhere
* Default depth limit of all parsers increased from 32 to 128
* -[OFIRI fileSystemRepresentation] now rejects IRIs with a non-empty host, except on Windows where it is used for UNC
* Fixes setting a nil extraField in OFMutableZIPArchiveEntry
* Fixes setting a nil Amiga comment in OFMutableTarArchiveEntry
[4 lines not shown]
py-WebOb: updated to 1.8.10
1.8.10 (2026-06-02)
Security Fix
- The fix for CVE-2024-42353 was incomplete: a Location value containing
  ASCII tab, carriage return, or line feed characters between consecutive
  slashes could still be interpreted as a protocol-relative URL by
  ``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect.
tor: updated to 0.4.9.10
Changes in version 0.4.9.10 - 2026-06-23
Another release with an important security fix and major bugfixes. We
strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, security, TROVE):
  - Reject a CONFLUX_LINK cell that arrives on a circuit which already
    has attached streams. A malicious client could send a
    RELAY_COMMAND_BEGIN before the CONFLUX_LINK on the same circuit,
    attaching an exit stream that would later end up orphaned, leaving a
    dangling circuit back-pointer and a use-after-free (UAF) when the
    circuit is freed. TROVE-2026-025. Fixes bug 41258; bugfix
    on 0.4.8.1-alpha.
o Major bugfixes (client):
  - Resume warning about unsafe socks protocols (socks4 or
    socks5-not-hostname) when SafeSocks is not set. Also resume
    warning every time when TestSocks is set. Fixes bug 41290; bugfix
[37 lines not shown]
misc/py-libtmux: Update to 0.58.1
## libtmux 0.58.1 (2026-06-16)
libtmux 0.58.1 restores compatibility with pytest 9.1. The bundled
pytest plugin no longer aborts at import time, so projects that rely on
libtmux's fixtures can move to the latest pytest without their test
suite failing before collection.
## libtmux 0.58.0 (2026-05-23)
libtmux 0.58.0 fixes subprocess output decoding on non-UTF-8 locales.
Both {class}`~libtmux.common.tmux_cmd` and
{class}`~libtmux._internal.control_mode.ControlMode` now enforce UTF-8
when reading tmux output, matching tmux's own encoding contract.
## libtmux 0.57.1 (2026-05-18)
Restores the "lenient-by-default" behavior for
[68 lines not shown]
libtorrent rtorrent: updated to 0.16.15
0.16.15
Cleanup of old unused/unneeded code and commands continues, and the deprecated commands should no longer be used.
libass: updated to 0.17.5
libass (0.17.5)
* Fix limited OOB read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm; CVE pending)
* Fix OOB bit clears for negative Matroska ReadOrder fields (GHSA-5gf7-wjfm-vmvm; CVE pending)
* Fix \fay with glyph clusters
* Fix small alpha changes not always splitting runs when combined with fade
* Fix compilation with MSVC-mode clang
* Fades are now applied to BorderStyle=4 boxes too
* Fonts using legacy arabic Windows charmaps are now supported
* ass_render_frame no longer returns fully transparent images
* Avoid MSVC’s subpar code generation for isnan to bring performance closer to other compilers
* Avoid SSE instructions if compiler baseline already includes AVX
bfs: update to 4.1.3. Changes:
## Bug fixes
- Fixed a segfault when binaries built on macOS 26.4+ were run on older macOS
  versions (#229)
- Fixed a potential hang in the test suite
- Fixed `./configure`-time detection of `sysctlbyname()` on FreeBSD (#219)
- Bumped the default version number, which was missed in 4.1.1
- Fixed `./configure CFLAGS=...` being overridden by auto-detected flags
- Fixed the build for WASIX
- Fixed the build on Android < 11 (#215)
- `bfs` now takes system-wide open file limits into account.
  Previously, a handful of concurrent `bfs` instances could overwhelm a system
  with a low global limit, particularly macOS.
- Fixed an invalid optimization that transformed
      $ bfs -user you -or -user me
[350 lines not shown]