firefox140: update to 140.11
Mozilla Foundation Security Advisory 2026-48
Security Vulnerabilities fixed in Firefox ESR 140.11
Announced
May 19, 2026
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 140.11
#CVE-2026-8946: Incorrect boundary conditions in the Audio/Video: Web Codecs component
Reporter
zx
[221 lines not shown]
postfix: suggest sasl option
This only allows the cyrus-sasl functionality in postfix. It still
needs to be administratively enabled in postfix, with Cyrus SASL
mechanisms installed seperately.
toxic: update to 0.16.2
- Added network profiling support
- Notifications now have a configurable cooldown via the config file
- Some alerts are no longer double counted in the status bar
- Fix possible null pointer dereference during video call activation
- Fix memory leak after live config reload
- Fix possible pointer use after free if live config reload failed
- Live config changes to mplex auto-away now work as intended
- The chat window now stays scrolled to the bottom when the peer
list is enabled or disabled in groups/conferences
- File transfer status bar is no longer broken for the sending client
- Fatal error messages are now always printed to stderr even if
/dev/tty cannot be opened
- Fix bug causing audio/video calls to fail after shuffling the
internal friend list indices via deleting and adding friends
- Fixed nanosleep implementation which improves performance
drastically on some systems
py-uv py-uv-build: updated to 0.11.15
0.11.15
Security
Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm
Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph
Enhancements
Add TOML v1.1 -> v1.0 backwards compatibility for source distributions
Add support for Azure request signing
Apply stricter validation to all wheel filename segments
Reject empty strings as an invalid package name
Use structured errors for signing authentication failures
Preview
[23 lines not shown]
(devel/R-rlang) Updated 1.1.6 to 1.2.0
# rlang 1.2.0
* rlang and tidyeval are now fully backed by official C APIs of R!
Thanks to the R core team for collaborating with us on this.
* `ns_registry_env()` is defunct in R >= 4.6.0 for compliance with the
C API of R.
* New type-checking functions exported from rlang: `check_bool()`,
`check_string()`, `check_name()`, `check_number_decimal()`,
`check_number_whole()`, and `check_data_frame()`. These were
previously only available via the `standalone-types-check.R`
standalone file. `stop_input_type()` is also now exported.
* Fixed a protection issue discovered by rchk (#1865).
[23 lines not shown]
(sysutils/R-later) Updated 1.4.1 to 1.4.8
(pkgsrc)
- Add patch to resolve undefined function backtrace_symbols
(in /usr/lib/libexecinfo)
(upstream)
# later 1.4.8
* Fixed #262: Internal update for compatibility with Rcpp
re. `Rf_error` handling (#263).
# later 1.4.7
* Fixed #256: compilation failure with glibc >= 2.43 and GCC >= 15,
caused by the C11 `once_flag` type now being defined in `<stdlib.h>`
under C23. Renamed internal tinycthread symbols to avoid the
namespace collision (#257).
# later 1.4.6
* Improved responsiveness when idle at the R console on POSIX systems
[28 lines not shown]