ffmpeg4 ffplay4: updated to 4.4.7
4.4.7:
avcodec/av1dec: check that primary_ref_frame is within range
configure: bump CONFIG_THIS_YEAR to 2026
avcodec/alsdec: do not set nbits invalidly
swscale/swscale_unscaled: adjust last line copy
avformat/avidec: check LIST size in avi_load_index()
avformat/avidec: validate INFO list size before parsing
libavformat/xwma: fix overflow in seek position
avfilter/vf_kerndeint: Check for minimum height
avcodec/ralf: Add the missing return statement after the error log
avcodec/zmbv: reject XOR data that overruns the decompression buffer
avcodec/rasc: fix heap use-after-free in decode_move()
avformat/rtpdec_mpeg4: reject zero-length AU header sections
fftools/ffmpeg_opt: validate stream index in negative map handling
avformat/rtmpproto: prevent integer overflow accumulating FLV buffer size
avformat/rtmpproto: validate compressed SWF header length
avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty
[199 lines not shown]
ffmpeg5 ffplay5: updated to 5.1.9
5.1.9:
avcodec/av1dec: check that primary_ref_frame is within range
configure: bump CONFIG_THIS_YEAR to 2026
avcodec/dfpwmdec: Check nb_samples
avcodec/alsdec: do not set nbits invalidly
swscale/swscale_unscaled: adjust last line copy
avformat/avidec: check LIST size in avi_load_index()
avformat/avidec: validate INFO list size before parsing
libavformat/xwma: fix overflow in seek position
avformat/pcm: Use 64bit for byte_rate
avfilter/vf_kerndeint: Check for minimum height
avcodec/ralf: Add the missing return statement after the error log
avfilter/vf_codecview: Clamp block to the visible frame region
avcodec/zmbv: reject XOR data that overruns the decompression buffer
avcodec/rasc: fix heap use-after-free in decode_move()
avformat/rtpdec_mpeg4: reject zero-length AU header sections
fftools/ffmpeg_opt: validate stream index in negative map handling
[139 lines not shown]
ffmpeg6 ffplay6: updated to 6.1.5
6.1.5
avcodec/dfpwmdec: Check nb_samples
avcodec/alsdec: do not set nbits invalidly
swscale/swscale_unscaled: adjust last line copy
avformat/avidec: check LIST size in avi_load_index()
avformat/avidec: validate INFO list size before parsing
avformat/matroskadec: Check audio.sub_packet_h * audio.frame_size
libavformat/xwma: fix overflow in seek position
avformat/pcm: Use 64bit for byte_rate
avfilter/vf_kerndeint: Check for minimum height
avcodec/ralf: Add the missing return statement after the error log
avfilter/vf_codecview: Clamp block to the visible frame region
avcodec/zmbv: reject XOR data that overruns the decompression buffer
avcodec/rasc: fix heap use-after-free in decode_move()
avformat/rtpdec_mpeg4: reject zero-length AU header sections
fftools/ffmpeg_opt: validate stream index in negative map handling
avformat/rtmpproto: prevent integer overflow accumulating FLV buffer size
[162 lines not shown]
ffmpeg7 ffplay7: updated to 7.1.4
7.1.4:
avcodec/dfpwmdec: Check nb_samples
avcodec/alsdec: do not set nbits invalidly
swscale/swscale_unscaled: adjust last line copy
avformat/avidec: check LIST size in avi_load_index()
avformat/avidec: validate INFO list size before parsing
avformat/matroskadec: Check audio.sub_packet_h * audio.frame_size
libavformat/xwma: fix overflow in seek position
avformat/pcm: Use 64bit for byte_rate
avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS
avfilter/vf_kerndeint: Check for minimum height
avcodec/ralf: Add the missing return statement after the error log
avfilter/vf_codecview: Clamp block to the visible frame region
avcodec/zmbv: reject XOR data that overruns the decompression buffer
avcodec/rasc: fix heap use-after-free in decode_move()
avformat/rtpdec_mpeg4: reject zero-length AU header sections
avcodec/hevc/refs: Check multiplication in alloc_frame()
[223 lines not shown]
Updated sysutils/rdfind to 1.8.0 (also fixes build with latest nettle)
pkgsrc patches appear to have been included upstream
2026-02-22 Paul Dreik <rdfind at pauldreik.se>
* release 1.8.0
* check that the resultsfile can be written to, before starting work
* fix bug when using minfilesize and ignoreempty at the same time
* control first and last byte size: -firstbytessize and -lastbytessize
* hash 4096 first/last bytes instead of comparing 64 during the first/last
bytes step.
* optionally disable first/last byte reading
* optionally disable checksumming
* fix minor bug in dryrun output
* support building with nettle 4.0
* add progress option -progress
* polish the man page slightly
* building with cmake now runs the existing tests and newly written
unit tests
[8 lines not shown]
R-curl: update to 7.1.0.
Fixes build on -current.
7.1.0
- Everything now works out of the box under emscripten (webR) by automatically
bootstrapping a ws gateway.
- Increase max size of string returned by ie_proxy_info() to 65536
- Fix a unit test for libcurl 8.20
7.0.0
- Major cleanup: packge now requires libcurl >= 7.73. Removed all conditioning
and fallbacks for older libcurl versions (#413).
- Removed the fallback ADA parser and unconditinoally use the curl URL parser.
- Removed the legacy type-checking code as we can unconditionally use the easy-
option API.
- Support option('netrc') to match base R >= 4.6.0.
- Setting any value in curl_modify_url() to NA or "" will now unset it.
[27 lines not shown]
boost: updated to 1.91.0
1.91.0
General Notes
StaticAssert has been merged into Config. This includes code, tests and
documentation. For backward compatibility git submodule, CMake and b2 targets
of StaticAssert are still available; the targets simply introduce a dependency
on Config. Eventually, the submodule and targets will be removed. Users are
recommended to update their dependencies on StaticAssert to replace it with
Config. No C++ code modifications are necessary. Most Boost libraries have been
updated accordingly.
Read more https://www.boost.org/releases/latest/
postgresql1*: updated to 18.4, 17.10, 16.14, 15.18, 14.23
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23
This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.
Security Issues
CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege
CVSS v3.1 Base Score: 5.4
Supported, Vulnerable Versions: 14 - 18.
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.
CVE-2026-6473: PostgreSQL server undersizes allocations, via integer wraparound
[127 lines not shown]
