net/ipv6calc: Update to version 4.4.0
General:
internal databases: update
IP2Location 8.7.0 related (relates to https://github.com/chrislim2888/IP2Location-C-Library/releases/tag/8.7.0
which has unfortunatly incompatible API changes)
ipv6calcweb/ipv6calcweb.cgi.in: add support for new fields in DB26 with 8.7.0
add support for additional data in DB26 usable with IP2Location >= 8.7.0
check IP2Location > 8.6.1 related compatibility/fallback
Extensions:
add option --has-feature <NAME>
py-pip-audit: updated to 2.10.1
2.10.1
Fixed a KeyError crash when an OSV vulnerability record contains an
affected entry that omits the optional ranges field
py-bleach: updated to 6.4.0
Version 6.4.0 (June 5th, 2026)
**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
releases including for security issues.**
See issue: `<https://github.com/mozilla/bleach/issues/698>`__
**Backwards incompatible changes**
* Dropped support for pypy 3.10.
**Security fixes**
* Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
Fix XSS issue with sanitize_uri_value where disallowed schemes with
Unicode invisible characters wouldn't be rejected.
[28 lines not shown]
py-daphne: updated to 4.2.2
4.2.2 (2026-06-03)
* Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
Daphne previously passed no message or frame size limits to autobahn,
whose defaults are unbounded. This allowed an unauthenticated client
to exhaust server memory by sending a very large WebSocket
messages/frames (CVE-2026-44545).
Both limits now default to 1 MiB and can be configured via the new
``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI
flags (or the matching ``Server`` constructor arguments). Pass ``0`` to
restore the previous unlimited behaviour.
Thanks to ParkHyunWoo for the report.
* Fixed a header injection vulnerability on the WebSocket upgrade path
(CVE-2026-44546).
[12 lines not shown]
ldns: updated to 1.9.2
1.9.2 2026-06-10
* Fix to set VERSION_INFO to create .so.3 instead of .so.11 which will
be reserved for a future 1.10.0 release
1.9.1 2026-06-10
* Bugfix: Insufficient verification that responses belong to a
query (CVE-2026-10846). Thanks Pablo Ruiz from 'codecome.ai'
python314 py314-html-docs: updated to 3.14.6
Python 3.14.6
Security
gh-151159: Update Android and iOS installers to use OpenSSL 3.5.7.
gh-150599: Fix a possible stack buffer overflow in bz2 when a bz2.BZ2Decompressor is reused after a decompression error. The decompressor now becomes unusable after libbz2 reports an error.
gh-149835: shutil.move() now resolves symlinks via os.path.realpath() when checking whether the destination is inside the source directory, preventing a symlink-based bypass of that guard.
gh-149698: Update bundled libexpat to version 2.8.1 for the fix for CVE 2026-45186.
gh-87451: The ftplib module’s undocumented ftpcp function no longer trusts the IPv4 address value returned from the source server in response to the PASV command by default, completing the fix for CVE-2021-4189. As with ftplib.FTP, the former behavior can be re-enabled by setting the trust_server_pasv_ipv4_address attribute on the source ftplib.FTP instance to True. Thanks to Qi Deng at Aurascape AI for the report.
gh-149486: tarfile.data_filter() now validates link targets using the same normalised value that is written to disk, strips trailing separators from the member name when resolving a symlink’s directory, and rejects link members that would replace the destination directory itself. This closes several path-traversal bypasses of the data extraction filter.
gh-149079: Fix a potential denial of service in unicodedata.normalize(). The canonical ordering step of Unicode normalization used a quadratic-time insertion sort for reordering combining characters, which could be exploited with crafted input containing many combining characters in non-canonical order. Replaced with a linear-time counting sort for long runs.
gh-149018: Improved protection against XML hash-flooding attacks in xml.parsers.expat and xml.etree.ElementTree when Python is compiled with libExpat 2.8.0 or later.
Core and Builtins
gh-151112: Fix a crash in the compiler that could occur when running out of memory.
gh-151126: Fix a crash, when there’s no memory left on a device, which happened in:
code compilation - _winapi.CreateProcess()
[85 lines not shown]
python313 py313-html-docs: updated to 3.13.14
Python 3.13.14
macOS
gh-124111: Update macOS installer to use Tcl/Tk 8.6.18.
gh-150644: When system logging is enabled (with config.use_system_logger, messages are now tagged as public. This allows the macOS 26 system logger to view messages without special configuration.
gh-115119: Update macOS installer to use libmpdecimal 4.0.1.
Windows
gh-151159: Updated bundled version of OpenSSL to 3.0.21.
gh-151159: Update macOS installer to use OpenSSL 3.0.21.
Tests
gh-151130: Add more tests for PyWeakref_* C API.
gh-149776: Fix test_socket on Linux kernel 7.1 and newer: skip UDP Lite tests if it’s not supported. Patch by Victor Stinner.
Security
gh-151159: Bumps the OpenSSL version to 3.0.21 on Android.
gh-150599: Fix a possible stack buffer overflow in bz2 when a bz2.BZ2Decompressor is reused after a decompression error. The decompressor now becomes unusable after libbz2 reports an error.
gh-149835: shutil.move() now resolves symlinks via os.path.realpath() when checking whether the destination is inside the source directory, preventing a symlink-based bypass of that guard.
gh-149698: Update bundled libexpat to version 2.8.1 for the fix for CVE 2026-45186.
[115 lines not shown]
py-beautifulsoup4: updated to 4.15.0
4.15.0 (20260607)
* This is the last Beautiful Soup release to officially support Python
3.7.
* This is also the last release to support the obsolete methods,
attributes and classes that were deprecated in 4.13.0. In a
subsequent point release, the DeprecationWarning issued when you use
these obsolete features will be replaced by NotImplementedError,
giving you a final chance to change your code before the
implementations are removed entirely. Once the features are removed,
code that tries to use them will start behaving strangely, since
Beautiful Soup will generally interpret the method and attribute
names as tag names.
* It is now possible to call new_tag() or new_string() directly on an
existing Tag or NavigableString object, rather than the associated
[45 lines not shown]
py-barman: updated to 3.19.1
3.19.1 (2026-05-26)
Bugfixes
- Fix `cloud-wal-restore` failing to find compressed WAL files
Fixed a bug where `barman-cloud-wal-restore` and `barman cloud-wal-restore` commands
would fail to locate a compressed WAL file when a backup file with the same prefix
existed in the cloud storage bucket.
For example, when requesting WAL `00000001000000030000001A` and the bucket
contained both `00000001000000030000001A.gz` and
`00000001000000030000001A.00000028.backup.gz`, Barman would only locate the backup
file and then write an error log like:
```
ERROR: WAL file 00000001000000030000001A for server pg does not exist
[4 lines not shown]
py-django-haystack: updated to 3.4.0
3.4.0
Remove obsolete ElasticSearch2 support and tests
Add Django v5.1 to the testing
GitHub Actions: Add Python 3.13 to the testing
Fix typo.
Fix RelatedSearchQueryset.load_all() truncating results
[FIXED] -- handle trailing slash in Solr index URL for core reload.
Bump the github-actions group with 2 updates
Update license field to use proper SPDX identifier
dev: Update Python dependencies
dev: Update django
fix: handle HEAD requests like GET in generic_views
feat: Add requires-python to pyproject.toml (PEP 621)
Add Python 3.14 and 3.14t to the testing
Fix race condition in ConnectionRouter.routers lazy initialization
add postgres backend to backend_support.rst
Actions: limit permissions for tests
ansilove: updated to 4.2.2
AnsiLove/C 4.2.2 (2026-06-10)
- Update README to add a link to the Nix package
- Fix "Amiga Topaz 1" font selection from SAUCE metadata
- Fix font table entry count to make topaz500+ reachable
