www/ruby-rack: update to 3.2.6
3.2.6 (2026-04-01)
Security
* CVE-2026-34763 Root directory disclosure via unescaped regex interpolation
in Rack::Directory.
* CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding
which could lead to denial of service.
* CVE-2026-32762 Forwarded header semicolon injection enables Host and
Scheme spoofing.
* CVE-2026-26961 Raise error for multipart requests with multiple boundary
parameters.
* CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
[23 lines not shown]
ndiff nmap zenma: updated to 7.99
Nmap 7.99 [2026-03-26]
o Integrated many of the most-frequently-submitted IPv4 and IPv6 OS
fingerprints, as well as dozens of updated service fingerprints.
o Upgraded included libraries: OpenSSL 3.0.19, libpcap 1.10.6, libpcre2 10.47,
liblinear 2.50, zlib 1.3.2
o [Windows] Upgraded the included version of Npcap from 1.83 to 1.87, resolving
several crashes and stability-related issues. See https://npcap.com/changelog
o [Zenmap][GH-3182] Zenmap is now distributed as a universal wheel
(zenmap-7.99-py3-none-any.whl) instead of an RPM package so that it can be
installed on any system with Python 3. [Daniel Miller]
o [Ncat][Windows] Limited the number of handles inherited by subprocesses
launched with -e, preventing interference between clients when -e and
[75 lines not shown]
py-setuptools-gettext: added version 0.1.16
This plugin adds build_mo, clean_mo and install_mo subcommands for setup.py as
well as hooking those into standard commands.
py-sphobjinv: updated to 2.4
2.4
Merge v2.3.1.3 release branch back into main
Fix GitHub badge
Convert most remote inventory fetch tests to use a local server; bump Pythons and dev Sphinx
Lints config maintenance
Implement sphobjinv-textconv and remove CLI implementation section from docs
Update test infra & migrate http:// links to https://
py-vulture: updated to 2.16
2.16 (2026-03-25)
Fix false positives for dead code after while loops (Jendrik Seipp).
Use ty instead of pytype for testing type annotations (Jendrik Seipp).
py-pybind11: updated to 3.0.3
3.0.3
Bug fixes:
Fixed TSS key exhaustion in implicitly_convertible() when many implicit conversions are registered across large module sets.
Fixed heap-buffer-overflow in pythonbuf with undersized buffers by enforcing a minimum buffer size.
Fixed virtual-inheritance pointer offset crashes when dispatching inherited methods through virtual bases.
Fixed free(): invalid pointer crashes during interpreter shutdown with py::enum_<> by duplicating late-added def_property_static argument strings.
Fixed function_record heap-type deallocation to call PyObject_Free() and decref the type.
Hardened PYBIND11_MODULE_PYINIT and get_internals() against module-initialization crashes.
Fixed static_pointer_cast build failure with virtual inheritance in holder_caster_foreign_helpers.h.
Fixed ambiguous factory template specialization that caused compilation failures with nvcc + GCC 14.
Fixed crash in def_readwrite for non-smart-holder properties of smart-holder classes.
Fixed memory leak for py::dynamic_attr() objects on Python 3.13+ by clearing managed __dict__ contents during deallocation.
Fixed binding of noexcept and ref-qualified (&, &&) methods inherited from unregistered base classes.
Internal:
[8 lines not shown]
libfyaml: try to fix 32-bit build & bump
The prior update is very broken on 32 bit targets.
This patchset rolls up the 32-bit fixes that looked
most relevant in the upstream repo committed after the release.
lazygit: updated to 0.60.0
0.60.0
Enhancements
Rename "Copy commit hash to clipboard" to mention it's an abbreviated hash
Hide the "Fetching..." status of the auto-fetch when bottom line is hidden
Allow removing lines from patch directly
Filter file views rather than search
Show branch name and detached HEAD in worktrees tab
Add backward cycling support for log view (using <shift>-a on status page)
Show worktree name next to branch in branches list
Fixes
Fix matching of lazygit-edit URLs without line numbers
Fix 5302: Create .git/info directory before writing exclude file
Fix off-by-one error when calculating popup panel dimensions
[19 lines not shown]
graphviz: updated to 14.1.4
14.1.4 – 2026-03-20
Changed
Enable ascii plugin to be built using autotools.
Fixed
Processing concentrate=true graphs no longer crashes Graphviz. Processing of
concentrate=true graphs still often errors out.
gdk-pixbuf2: updated to 2.44.6
2.44.6
- build: Add a legacy_xpm option to build the old xpm loader
- xpm: Rename the old xpm loader to legacy-xpm, and use it
for gdk_pixbuf_new_from_xpm_data if it is available.
Note that the old loader will only be used for this purpose.
xpm files still get loaded with glycin
- jpeg: Reject data with an unsupported number of components
- Update contribution guidelines
- glycin: Fix an issue with looping animations
- Do not accidentally query loaders from the host
py-aiohttp: updated to 3.13.5
3.13.5 (2026-03-31)
Bug fixes
- Skipped the duplicate singleton header check in lax mode (the default for response
parsing). In strict mode (request parsing, or ``-X dev``), all RFC 9110 singletons
are still enforced
openvpn: updated to 2.7.1
2.7.1
Antonio Quartulli (1):
options: drop useless init_gc param for init_options()
Arne Schwabe (12):
Change stream_buf_read_setup_dowork parameter to struct steam_buf
DCO Linux: Fix setting DCO ifmode failing on big endian archs
Merge stream_buf_get_next and stream_buf_set_next
AWS-LC: Add missing return and cast in ssl_tls1_PRF
GHA: Install aws-lc under /opt/aws-lc
Show version and double check we use the right TLS library in Github Actions
Remove unnecessary OpenSSL init and cleanup commands in unit tests
GHA: Cache built crypto libraries
Use openssl_err_t typedef to deal with difference between TLS libraries
Do not support tls_ctx_set_cert_profile on AWS-LC
Use const specifices in extract_x509_field_ssl
[43 lines not shown]