gnupg2: updated to 2.5.20
Noteworthy changes in version 2.5.20 (2026-05-13)
* New and extended features:
- gpgsm: Implement GCM encryption. Note that decryption works
since version 2.3.2.
- gpgsm: New option --attribute and server command SETATTR to
include arbitrary signed or unsigned attributes into a signature.
Enable only with libksba 1.7.0 or later.
- gpgsm: Introduce system attribute _signingCertificateV2.
* Bug fixes:
- gpg: Fix wrong assertion failure which could very rarely occur
during key signature checking.
- gpg: Consider certify-only keys for revocation signature check.
- gpgsm: Fix possible double free in the CMS parser.
[13 lines not shown]
libksba: updated to 1.8.0
Noteworthy changes in version 1.8.0 (2026-05-13) [C24/A16/R0]
* New function ksba_cms_get_attribute.
* Support building of unsigned attributes with
ksba_cms_add_attribute.
openimageio: updated to 3.1.13.1
Release 3.1.13.1 and 3.1.13.0 (May 3, 2026) -- compared to 3.1.12.0
IBA: Add FLIP perceptual image difference metric as an experimental feature, including ImageBufAlgo::experimental::FLIP_diff() C++ API, Python ImageBufAlgo.FLIP_diff(), and oiiotool --flipdiff command (requires --experimental flag). Also introduces oiiotool --experimental flag to enable features not yet part of the stable API.
fmath.h: degrees() and radians() are now constexpr.
ImageSpec: get_string_attribute() now correctly converts non-string attributes to string
bmp: Correctly handle the combination of greyscale + RLE compression
dds: Corruption protection: validate resolution and guard against integer overflow
dpx: Several safety fixes for corrupt DPX files: integer overflow protection in buffer size calculations, span-based pointer safety, and use of check_open() for resolution/channel validation
heif: Fix incorrect tracking of current subimage
iinfo: Better error handling and propagation, especially from --hash; fix return code when a file could not be read
jpeg: Be more flexible with corrupt IPTC blocks; use "imageinput:strict" to control whether a bad block is skipped silently or fails the whole file
jpeg2000: Guard against integer overflow in buffer size computation
rla: Harden against corrupted files: guard against RLE buffer overruns and improve seek robustness
sgi: Better detection of corrupt RLE info that could overflow
softimage: Multiple hardening fixes against corrupted input: prevent RLE buffer overruns
targa: Protection against corrupt, mis-sized palette; fix misunderstanding of non-zero palette start index
tiff: Care with missing rowsperstrip
[8 lines not shown]
opencolorio: updated to 2.5.2
2.5.2
This is a bug-fix and security release that addresses CVE-2026-42450 and the other issues described below. It is ABI compatible with 2.5.1.
CVE-2026-42450 affects all prior OCIO 1.x and 2.x versions.
Update sysutils/intel-microcode-netbsd to 20260512
### Purpose
- Security updates for INTEL-SA-01420
- Update for functional issues. Refer to 4th Gen Intel Xeon Scalable Processors Specification Update for details.
- Update for functional issues. Refer to 5th Gen Intel Xeon Scalable Processors Specification Update for details.
- Update for functional issues. Refer to Intel Core Ultra 200 V Series Processor for details.
- Update for functional issues. Refer to Intel Core Ultra Processors (Series 2) for details.
- Update for functional issues. Refer to Intel Core Ultra Processors (Series 3) for details.
- Update for functional issues. Refer to Intel Xeon 6700 Series Processors with E-cores for details.
- Update for functional issues. Refer to Intel Xeon 6900/6700/6500 Series Processors with P-cores for details.
- Update for functional issues. Refer to Intel Xeon 6700P-B/6500P-B-Series SoC with P-Cores for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| PTL 404 | A1 | 06-cc-03/90 | | 0000011b | Intel Core Ultra Processor (Series 3)
[16 lines not shown]
(math/R) Updated 4.5.2 to 4.5.3, another update may follow,:
CHANGES IN R 4.5.3:
UTILITIES:
* tools/fetch-recommended can be used instead of
tools/rsync-recommended to fetch recommended packages into R
sources using curl on systems without rsync or behind firewalls.
PACKAGE INSTALLATION:
* C++ standard specifications (CXX_STD = in src/Makevars* and in
the SystemRequirements field of the DESCRIPTION file) are now
checked more thoroughly. Invalid values are still ignored but
now give a warning, as do contradictory specifications.
* (Preliminary) support for C++26 has been extended to Windows.
[51 lines not shown]
py-django5: updated to 5.2.14
Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass¶
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST¶
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware¶
[2 lines not shown]
py-django: updated to 6.0.5
6.0.5
Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
[12 lines not shown]
freeradius: updated to 3.2.8
FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
Configuration changes
* Replace dictionary.infinera with the correct one.
* Update dictionary.alteon
Feature improvements
* Add support for automated fuzzing. This doesn't affect
normal operations, but it does allow for testing of the
RADIUS decoder.
* Allow tagged attributes to use ":V" as a tag in some cases.
The tag is then read from the value which is being assigned
to the attribute. This functionality is allowed in 'update'
sections, including 'update' in module configurations.
See mods-available/ldap for an example.
* Add kafka module. See mods-available/kafka.
* Allow &control:Packet-SRC-IP-Address to be used when
proxying needs a given source address.
[47 lines not shown]
samba4: updated to 4.24.2
Changes since 4.24.1
* BUG 16038: Samba 4.24 with cups can't get queue and shows errors about
fetch_share_cache_time
* BUG 16043: Fix a directory file descriptor leak in vfs_glusterfs that
caused unbounded memory growth on the GlusterFS brick with
persistent SMB2 connections.
* BUG 16030: Windows Offline Files fails with permission error when directory
has the readâonly attribute set
* BUG 15991: samba not triggering mount of zfs snapshot in dataset
.zfs/snapshots/<snapname> directory
* BUG 15999: net ads join still fails with multiple DCs
* BUG 16076: samba-tool shows wrong format specifiers for timestamp
attributes
* BUG 14638: restrict anonymous = 2 breaks RODC functionality
* BUG 15973: smbpasswd can crash winbindd on an AD DC
* BUG 15995: smbd does not cleanup on disconnect of the transport connection
on lease break errors
[9 lines not shown]
qtcreator: updated to 19.0.1
Qt Creator version 19.0.1 contains bug fixes.
General
Fixed
* That preferences for newly enabled plugins were only available after restart
* Various issues with marking the `Preferences` as dirty
* A possible crash when opening the `About Qt Creator` dialog multiple times
* That using the keyboard shortcut for `Advanced Find` did not raise the search
widget
* Model Context Protocol
* A crash when using the `quit` action
Editing
Fixed
[16 lines not shown]
