misc: import raspberrypi-usbboot version 1.0
This contains the Raspberry Pi USB device boot software known as rpiboot. The
rpiboot tool provides a file server for loading software into memory on a
Raspberry Pi for provisioning. By default, it boots the device with firmware
that makes it appear to the host as a USB mass-storage device. The host
operating system then treats it as a standard USB drive, allowing the filesystem
to be accessed. An operating system image can be written to the device using the
Raspberry Pi Imager.
On Compute Module 4 and newer devices, rpiboot is also used to update the
bootloader SPI flash EEPROM.
Tested on macOS/amd64 and NetBSD/amd64.
net/dnsdist: Update to version 2.0.3
Provided by Marcin Gondek in wip.
Improvements
Add a metric for the latency of the latest health-check
Export DNS flags via ProtoBuf
Add a histogram of health-check latencies for backends
Bug Fixes
CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged into the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
CVE-2026-27854: Denial of service when using "DNSQuestion:getEDNSOptions" method in custom Lua code
[8 lines not shown]
py-cairosvg: updated to 2.9.0
2.9.0
Version 2.9.0 released on 2026-03-13
WARNING: this is a security update.
Using a lot of recursively nested use tags could lead to long rendering times with relatively small inputs. CairoSVG now stops rendering when more than 100k use tags are rendered.
Using the --unsafe option allows to render larger documents.
Drop support of Python 3.9, add support of Python 3.14
ngtcp2: updated to 1.22.0
1.22.0
Consistent hex literals and integer suffixes
Add missing entries to .gitignore
Deprecate quictls
Introduce struct ngtcp2_stateless_reset_token
Fix assertion failure without get_new_connection_id
Migrate to new callbacks
Add ngtcp2_pkt_write_stateless_reset2
Add missing callbacks to callbacks test
Add ngtcp2_conn_get_active_dcid2 and ngtcp2_cid_token2
Prefer sizeof token instead of integer constant
Introduce struct ngtcp2_path_challenge_data
Store cid and token directly into frame
tests: Remove xcid_init in favor of make_xcid
tests: Inline initialization for transport parameters tests
tests: Make shared crypto objects static const
[59 lines not shown]
py-async-lru: updated to 2.3.0
2.3.0
Added cache_contains() for read-only key lookup.
Changed cross-loop cache access to auto-reset and rebind to the current event loop.
Added AlruCacheLoopResetWarning when an auto-reset happens due to event loop change.
Forwarded cache_close(wait=...) for bound methods.
py-pygit2: updated to 1.19.2
1.19.2 (2026-03-29)
- Fix refcount and error handling issues in `filter_register(...)`
- Fix config with valueless keys
- New `Repository.load_filter_list(...)` and `FilterList`
- New `Odb.read_header(...)` and now `Odb.read(...)` returns `enums.ObjectType` instead of int
- Build and CI fixes
py-numpy: updated to 2.4.4
2.4.4
MAINT: Prepare 2.4.x for further development
BUG: Add test to reproduce problem
BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP
BUG: avoid warning on ufunc with where=True and no output
DOC: document caveats of ndarray.resize on 3.14 and newer
TST: fix POWER VSX feature mapping
MAINT: numpy.i: Replace deprecated ``sprintf`` with ``snprintf``...
print/qpdf: Drop confusing comment about NetBSD 9 build failure
- Sort USE_LANGUAGES and USE_CXX_FEATURES properly.
- Failing to build on NetBSD 9 with USE_CXX_FEATURES=c++17 was a
pkgsrc bug, not a problem in qpdf or NetBSD 9. Upstream documents
that c++20 is required, and now our Makefile says that. The
comment is (now) confusing; we generally just translate upstream
documented requirements to pkgsrc variables and leave it at that.
mame: update to 0.287.
It’s the end of another month, which means it’s time for another
MAME release! As you’d expect, MAME 0.287 includes a wide-ranging
array of emulation improvements to a multitude of systems. Interesting
changes this month include better Namco System 23 graphics, improved
lighting for Sega Model 3, and software-controlled volume
control/panning for Philips CD-i (along with improved stability).
The GRiD Compass family has received a keyboard overhaul as well
as an initial DAC sound output implementation. The Apple II family
now handles tricky raster effects more realistically, as well as
getting a substantial software list update (metadata for the MECC
collection is in much better shape). And speaking of software lists,
a couple of NES prototypes have been added.
supertux: updated to 0.7.0
0.7.0
Here are some of the most notable changes since the previous release:
Brand new sprites and abilities for Tux: slope sliding, strong buttjumping, rock rolling, and crawling
Revamped graphics for most backgrounds, tiles, objects, and badguys
Complete level design + story rework of the Story Mode, Revenge in Redmond, and Bonus Island I
Not only new NPCs (e.g: Granito) and enemies (e.g: DiveMine, Fish, and Corrupted Granito), but also revamps for numerous enemies such as: GoldBomb, Igel, Ghoul, and both bosses (Yeti and Ghost Tree)
New music
Level editor revamp
Local multiplayer mode
New gameplay mechanics such as glinted enemies, keys, the item pocket, and unlockable bonus islands via Tux Dolls
Many internal improves and code refactoring, such as moving to SimpleSquirrel
Improvements to compilation/porting, including CMake refactor, Android revival, and Flatpak builds
tex-tex-ini-files{,-doc}: update to 2026
- 2026-03-23 Add wrapper for `callback.register`
- Correct scope of `\everyjob` setting
- 2026-03-27 Remove one stray line
tex-tcolorbox{,-doc}: update to 6.9.0
6.7.0
- Libary `skins`:
- Option `tcb fill lower bicolor`. Actually, this option is available since years,
but was forgotten to be documented
- Options `set alt` and `use alt` for use with beamer
- Options `set temporal` and `use temporal` for use with beamer
- Documentation:
- Some beamer support examples rewritten for `set temporal` and `use temporal`
- Libary `skins`:
- Combination of `skin=enhancedlast jigsaw` or `skin=bicolorlast jigsaw`
with a `title` failed to have a hole for the box content
- Documentation:
- Add missing counter marks
- Drop unneeded tikz loading in doc examples
6.7.1
- Libary `skins`:
[49 lines not shown]