yt-dlp: update to 2026.3.17.
2026.03.17
Extractor changes
youtube
Always respect webpage_client extractor-arg (#16250) by bashonly
Fix --live-from-start support (#16254) by bashonly
Update ejs to 0.8.0 (#16269) by bashonly, Grub4K
Misc. changes
build: Use PyInstaller v6.19.0 for Windows (#16265) by bashonly
ci: Bump actions pins (#16252) by bashonly
docs: Fix player_client extractor-arg documentation (#16235) by bashonly
test: networking: Mark all CurlCFFIRH tests as flaky for any OS (#16266) by bashonly
expat: update to 2.7.5.
Ok maya@
Release 2.7.5 Tue March 17 2026
Security fixes:
#1158 CVE-2026-32776 -- Fix NULL function pointer dereference for
empty external parameter entities; it takes use of both
functions XML_ExternalEntityParserCreate and
XML_SetParamEntityParsing for an application to be
vulnerable.
#1161 #1162 CVE-2026-32777 -- Protect from XML_TOK_INSTANCE_START
infinite loop in function entityValueProcessor; it takes
use of both functions XML_ExternalEntityParserCreate and
XML_SetParamEntityParsing for an application to be
vulnerable.
#1163 CVE-2026-32778 -- Fix NULL dereference in function setContext
on retry after an earlier ouf-of-memory condition; it takes
use of function XML_ParserCreateNS or XML_ParserCreate_MM
[31 lines not shown]
Update xenkernel418 and xentools418 to 20260317
Changes since 20250701: mostly bug fixes and small improvements on
some hardware, including security fixes up to XSA481
pkg-vulnerabilities: mark libssh vulns as fixed and adjust versions.
We package libssh-0.11.4 as 0.114, for historical reasons, as mentioned
in the package Makefile. Thus, 'libssh<0.11.2' never fires, so adjust
all the 0.11.x vulnerabilities accordingly.
libssh: update to 0.11.4
This is a stable release in the 0.11 series. There is also 0.12.0
available, but this has less potential for breakage, I assume.
version 0.11.4 (released 2026-02-10)
* Security:
* CVE-2025-14821: libssh loads configuration files from the C:\etc directory
on Windows
* CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
* CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files
* CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
* CVE-2026-0967: Specially crafted patterns could cause DoS
* CVE-2026-0968: OOB Read in sftp_parse_longname()
* libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
extensions
* Stability and compatibility improvements of ProxyJump
[31 lines not shown]
libhidapi: reduce diffs from ustream implementation.
Tested with ch32fun and UIAPduino on NetBSD/i386 10.1 with
both ohci and xhci.
Also sync DESCR with the latest version.
Update xenkernel420, xentools420 and xenstoretools to 20260317.
Changes since 20251113: mostly bug fixes and small improvements on
some hardware, including security fixes up to XSA481
