BSD Commit Log Search

   Updated www/freenginx-devel to 1.31.1nb1
   Updated www/freenginx to 1.30.0nb4

   www/freenginx*: update third-party nchan module to 1.3.8

   Bump PKGREVISIONs.

   ChangeLog:   https://github.com/slact/nchan/compare/v1.3.7...v1.3.8

   Sponsored by:        tipi.work

   Updated www/freenginx to 1.30.0nb3

   www/freenginx: update njs 0.9.8 -> 0.9.9

   Bump PKGREVISION.

   Sponsored by:        tipi.work

   <ChangeLog>

   nginx modules:

   *) Security: a heap buffer overflow might occur in a worker process
      when the "js_fetch_proxy" directive value contains nginx
      variables derived from the client request ($http_*, $arg_*,
      $cookie_*, etc.) and the location's JS handler invokes
      ngx.fetch(). The issue was introduced in dea83189 (0.9.4).

   *) Feature: added js_access directive.

   *) Feature: added r.readRequestText(), r.readRequestArrayBuffer(),

    [21 lines not shown]

   Updated www/freenginx-devel to 1.31.1

   www/freenginx-devel: update from 1.31.0 to 1.31.1

   Sponsored by:        tipi.work

   <ChangeLog>

   *) Feature: the "off" parameter of the "index" directive.
      Thanks to Fabiano Furtado.

   *) Bugfix: a segmentation fault might occur in a worker process if the
      "rewrite" directive was used to change request arguments and other
      directives of the ngx_http_rewrite_module were executed afterwards.

   *) Bugfix: in the "set" directive.

   *) Bugfix: a segmentation fault might occur in a worker process if the
      ngx_http_charset_module was used to convert responses from UTF-8.

   *) Bugfix: in the ngx_http_charset_module.

    [12 lines not shown]

   Updated www/freenginx-devel to 1.31.0nb2

   www/freenginx-devel: update njs 0.9.8 -> 0.9.9

   Bump PKGREVISION.

   Sponsored by:        tipi.work

   <ChangeLog>

   nginx modules:

   *) Security: a heap buffer overflow might occur in a worker process
      when the "js_fetch_proxy" directive value contains nginx
      variables derived from the client request ($http_*, $arg_*,
      $cookie_*, etc.) and the location's JS handler invokes
      ngx.fetch(). The issue was introduced in dea83189 (0.9.4).

   *) Feature: added js_access directive.

   *) Feature: added r.readRequestText(), r.readRequestArrayBuffer(),

    [21 lines not shown]

   Updated net/unbound, net/rsync

   rsync: updated to 3.4.3

   rsync 3.4.3 (20 May 2026)

   Changes in this version:

   SECURITY FIXES:

   Six CVEs are fixed in this release.  All six are assigned by
   VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
   case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
   CVE-2026-43619) require non-default daemon configuration to reach:
   the first and third need `use chroot = no` for a module, the second
   needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
   CVE-2026-43620) are reachable from a normal pull or a normal
   authenticated daemon connection.  The sixth (CVE-2026-45232) is
   reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
   returns a pathological response.  Many thanks to the external
   researchers who reported these issues.

    [128 lines not shown]

   doc: Updated devel/R-Rcpp to 1.1.1.1.1

   (devel/R-Rcpp) Updated 1.0.14 to 1.1.1.1.1

   (pkgsrc)
          - Three patches dropped
          - Added  patch for src/Makevars (by looking at devel/R-fs)
         to take care the issue of not finding the function backtrace_symbol
            (Atsushi Toyokura helped me a lot on this modification)
          - Tested only on NetBSD (9.4), Linux and SunOS are not tested, sorry

   (upstream)
   Changes in Rcpp non-release version 1.1.1-1.1 (2026-04-19):

           * Please see pr #1466 addressing #1465 for context (plus change
             from #1460, and R_getRegisteredNamespace from #1469)

           * This is an unplanned, unscheduled and uncalled for
             non-release made solely to unplug CRAN from late-breaking
             changes in R 4.6.0


    [165 lines not shown]

   unbound: updated to 1.25.1

   1.25.1

   Bug Fixes
   Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
   Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
   Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
   Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

   KDE Frameworks update

   KDE Frameworks - update to 6.26.0

   8 months worth of updates

   nn: regen distinfo

   doc/TODO: + powerdns-5.0.5, rsync-3.4.3, unbound-1.25.1.

   Updated textproc/utf8-cpp, misc/py-trove-classifiers

   py-trove-classifiers: updated to 2026.5.20.19

   2026.5.20.19
   Add classifier for Django 6.1

   utf8-cpp: updated to 4.1.1

   4.1.1
   Fix for 141, introduced in 4.1.0

   lang/ruby40: remove a unused patch file

   doc: update for tickets 7119-7124

   Pullup ticket #7123 - requested by taca
   net/bind918: Security fix

   Revisions pulled up:
   - net/bind918/Makefile                                          1.68
   - net/bind918/distinfo                                          1.40

   ---
      Module Name:      pkgsrc
      Committed By:     taca
      Date:             Wed May 20 13:07:16 UTC 2026

      Modified Files:
        pkgsrc/net/bind918: Makefile distinfo

      Log Message:
      net/bind918: update to 9.18.49

      BIND 9.18.49 (2026-05-20)

    [88 lines not shown]

   Pullup ticket #7124 - requested by taca
   lang/ruby40: Security fix

   Revisions pulled up:
   - lang/ruby/rubyversion.mk                                      1.323-1.324
   - lang/ruby40/Makefile                                          1.3
   - lang/ruby40/PLIST                                             1.3
   - lang/ruby40/distinfo                                          1.6-1.9
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.3_lib_rdoc_generator_template_aliki___header.rhtml deleted
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.3_lib_rdoc_parser_c.rb deleted
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.4_lib_rdoc_encoding.rb 1.1
   - lang/ruby40/patches/patch-template_Makefile.in                1.3-1.4

   ---
      Module Name:      pkgsrc
      Committed By:     wiz
      Date:             Fri May 15 16:56:19 UTC 2026

      Modified Files:

    [96 lines not shown]

   Pullup ticket #7122 - requested by taca
   graphics/png: Security fix

   Revisions pulled up:
   - graphics/png/Makefile                                         1.224
   - graphics/png/distinfo                                         1.170
   - graphics/png/options.mk                                       1.5

   ---
      Module Name:      pkgsrc
      Committed By:     tnn
      Date:             Sun May 17 13:45:31 UTC 2026

      Modified Files:
        pkgsrc/graphics/png: distinfo options.mk

      Log Message:
      png: update apng patch


    [12 lines not shown]

   Pullup ticket #7121 - requested by nia
   www/palemoon: Build fix

   Revisions pulled up:
   - www/palemoon/distinfo                                         1.43
   - www/palemoon/patches/patch-platform_media_libvpx_config_linux_arm64_vpx__config.h 1.3

   ---
      Module Name:      pkgsrc
      Committed By:     nia
      Date:             Tue May 19 07:31:59 UTC 2026

      Modified Files:
        pkgsrc/www/palemoon: distinfo
      Added Files:
        pkgsrc/www/palemoon/patches:
            patch-platform_media_libvpx_config_linux_arm64_vpx__config.h

      Log Message:

    [3 lines not shown]

   Pullup ticket #7120 - requested by taca
   net/rsync: Security fix

   Revisions pulled up:
   - net/rsync/Makefile                                            1.132
   - net/rsync/distinfo                                            1.65
   - net/rsync/patches/patch-sender.c                              deleted

   ---
      Module Name:      pkgsrc
      Committed By:     adam
      Date:             Mon May 11 06:21:51 UTC 2026

      Modified Files:
        pkgsrc/net/rsync: Makefile distinfo
      Removed Files:
        pkgsrc/net/rsync/patches: patch-sender.c

      Log Message:

    [79 lines not shown]

   Pullup ticket #7119 - requested by morr
   editors/vim-share: Security fix

   Revisions pulled up:
   - editors/vim-share/PLIST                                       1.89
   - editors/vim-share/distinfo                                    1.234-1.235
   - editors/vim-share/version.mk                                  1.170-1.171

   ---
      Module Name:    pkgsrc
      Committed By:   morr
      Date:           Sun May 17 17:23:38 UTC 2026

      Modified Files:
              pkgsrc/editors/vim-share: PLIST distinfo version.mk

      Log Message:
      Update to version 9.2.0491.


    [77 lines not shown]

   sysutils: +seednaut

   doc: Added sysutils/seednaut version 0.1.1