tk: updated to 8.6.18
8.6.18
Aqua: Non-menubar menu invisible if toplevel is on another display (chavez).
(bug) [a91b24] Correct macOSVersion on future macOS for older SDK builds (chavez)
(bug) [d93d96] Pointer arithmetic with NULL in ImgGetPhoto() (chavez)
(bug) [6c4795] leak in XCreateBitmapFromData() in ImgGetPhoto() (chavez)
(new) [04e173] Add support for Copy/Cut/Paste keys in X11 (nijtmans)
(bug) [95da0f] tkpWinRopModes[GXnoop] is R2_NOT, should be R2_NOP (chavez)
(bug) [2c240b] Install pkg-config file (oscarfv)
(bug) [816739] Install man pages (oscarfv)
[40 lines not shown]
py-django5: updated to 5.2.15
Django 5.2.15 fixes five security issues with severity “low” in 5.2.14.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[18 lines not shown]
py-django: updated to 6.0.6
Django 6.0.6 fixes five security issues with severity “low” and one bug in 6.0.5.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[22 lines not shown]
Update to version 2.1.1
2026/03/04: Version 2.1.1
Patch release.
Updated external libraries: JPEG 10.0, PNG 1.6.48, TIFF 4.7.1, ZLIB 1.3.2.
Fixed FLIR and RAW parser to work correctly on big-endian systems.
2025/06/22: Version 2.1.0
Maintenance release.
Updated external libraries: PNG 1.6.48.
Improved RAW image handler to handle all data types correctly.
Fixed bug compiling with MSYS2/Clang64.
joker: update to 1.8.1
General improvements
- Add joker.mail namespace
Linter improvements
- Implement more thorough type checking
- Fix redundant do linter warning in joker.better-cond/cond
filesystems/fuse{,3}: Tidy, NFCI
- Align DESCR to each other, taking the text that describes what the
package is, vs marketing copy about FUSE. Explain fuse2 vs 3, and
add a NetBSD-only see-also to perfused(8).
- trim duplicate bsd.prefs.mk
- align whitespace between versions to reduce diffs
- reorder some lines to reduce diffs
Likely more diff-reduction could be done, but this is what I felt
confident would not cause even any binary change in the package.
filesystems/perfuse: Explain why this is ~never built
perfuse is part of the NetBSD base system since 6, so while packages
depend on this to ensure perfuse, the package is ~never built.
Update to version 9.2.0593.
Changes:
- patch 9.2.0593: :wqall ignores term_setkill() on running terminal buffers
- patch 9.2.0592: Error when restoring session with terminal window
- patch 9.2.0591: 'scrolljump' ignored when scrolling up
- patch 9.2.0590: GTK4: drawing area loses focus shape on popup menu open
- patch 9.2.0589: filetype: xinitrc files are not recognized
- runtime(doc): Update mapping descriptions
- runtime(kitty): Fix regex for kittyMapSeq region
- patch 9.2.0588: GTK4: drawing area loses focus after closing a menubar popover
- patch 9.2.0587: GTK4: left scrollbar overlaps drawarea
- runtime(doc): fix a typo in :write-plugin
- runtime(doc): Tweak documentation style
- runtime(cpp): recognize C++23 stdfloat types
- patch 9.2.0586: Crash with TextPut autocmd when pasting in terminal buffer
- runtime(c): classify type qualifiers, function specifiers and C23 attributes
- patch 9.2.0585: line number wrong after undoing a deletion in quickfix buffer
- runtime(sgf): Include sgf syntax script
[28 lines not shown]
pkgtools/pkglint: update to 23.21.0
Changes since 23.20.0 from 2026-01-31:
Warn about removed files that are still in CVS.
Allow the note about the "!=" assignment operator to be suppressed using
the standard rationale. Previously, the comment needed to be on the same
line, the line above didn't work.
Only allow ${RUN} at the beginning of a shell execution line, as that
variable expands to a "@".
Explain how to suppress diagnostics.
Allow the error about omf-scrollkeeper.mk to be suppressed.
pcsc-tools: updated to 1.7.5
1.7.5
po/PACKAGE: add Georgian
pcsc_scan: handle the case of an error during SCardGetStatusChange
If SCardGetStatusChange() returns in error then stop the spinner thread
before exiting.
vcmi: updated to 1.7.4
1.7.4
Added in-game Wiki that can be opened via F1 or from adventure map options menu
Weblate integrated for translations. Czech, German, Polish, Spanish, Swedish, Turkish and Ukrainian are now fully translated
Tutorial map is now correctly imported from gog.com installer
Discord integration is now available on all desktop systems
Stability
Fixed crash when high-level hero is defeated by neutrals in combat
Fixed crash on attempt to load save game with dot in its file name
Fixed crash on attempt to start a campaign with game set to Japanese language
Fixed crash on loading campaign in VCMI format located in .zip archive
Fixed crash on accessing battle-only mode after disabling mod that provides skill used by preconfigured hero
Fixed crash on winning scenario by building specified structure when there is enemy player with owned town on a map
Fixed crash on macOS when scenario finishes during AI turn
Fixed crash on iOS on connecting external display
[3 lines not shown]
www/freenginx: update: 1.30.0 -> 1.30.1
Sponsored by: tipi.work
<ChangeLog>
*) Change: the logging level of the "invalid ccs message", "not on
record boundary", "required compression algorithm missing", and some
"record layer failure" SSL errors has been lowered from "crit" to
"info".
*) Bugfix: a segmentation fault might occur in a worker process if the
"rewrite" directive was used to change request arguments and other
directives of the ngx_http_rewrite_module were executed afterwards.
*) Bugfix: a segmentation fault might occur in a worker process if
nested captures were used in the "rewrite" directive.
*) Bugfix: a segmentation fault might occur in a worker process if the
[11 lines not shown]
