www/chromium: update to 149.0.7827.200
* 149.0.7827.200
This update includes 3 security fixes. Please see the Chrome Security Pagefor more information.
[N/A][513138301] High CVE-2026-13281: Integer overflow in Mojo. Reported by Google on 2026-05-14
[N/A][517522620] High CVE-2026-13282: Use after free in Payments. Reported by Google on 2026-05-28
[N/A][522561151] High CVE-2026-13283: Use after free in AdFilter. Reported by Google on 2026-06-11
* 149.0.7827.196
This update includes 18 security fixes. Below, we highlight fixes
that were contributed by external researchers.
Please see the Chrome Security Page for more information.
[TBD][520656244] Critical CVE-2026-13028: Use after free in WebGL. Reported by anonymous on 2026-06-07
[N/A][523591974] Critical CVE-2026-13032: Use after free in WebGL. Reported by Google on 2026-06-13
[N/A][523677844] Critical CVE-2026-13033: Out of bounds read in Blink>InterestGroups. Reported by Google on 2026-06-13
[N/A][523740781] Critical CVE-2026-13038: Use after free in Autofill. Reported by Google on 2026-06-14
[14 lines not shown]
net/wireguard-tools: Drop workaround for Darwin bash
On macOS, system bash is no longer used as a tool, so there's no need
to undef it. (This workaround was specific to Darwin and cited bash 3.x.)
graphics/py-matplotlib: Fix build under NetBSD/amd64 11.99.6 at least
* C function abs() returns int value and it causes fingerprint mismatch
of std:clamp() C++ function. Use std:abs() for C++ instead.
offlineimap: update to 8.0.2.
Switch to the upstream Python 3 version that's been
developed in a different repository, but but by the same organization.
(previously in mail/offlineimap3)
py-scipy: updated to 1.18.0
SciPy 1.18.0 is the culmination of 6 months of hard work. It contains
many new features, numerous bug-fixes, improved test coverage and better
documentation. There have been a number of deprecations and API changes
in this release, which are documented below. All users are encouraged to
upgrade to this release, as there are a large number of bug-fixes and
optimizations. Before upgrading, we recommend that users check that
their own code does not use deprecated SciPy functionality (to do so,
run your code with ``python -Wd`` and check for ``DeprecationWarning`` s).
Our development attention will now shift to bug-fix releases on the
1.18.x branch, and on adding new features on the main branch.
p5-CSS-Minifier-XS: update to 0.14.
0.14 2026-06-28 16:30:59-07:00 America/Vancouver
- Fixes a memory leak in minify(), when the entire document is minified
away.
p5-JavaScript-Minifier-XS: update to 0.16.
0.16 2026-06-28 14:10:28-07:00 America/Vancouver
- Fixes CVE-2026-56017, which caused Perl to SEGFAULT when calling
minify(). Thanks to CPANSec for raising the issue, and providing a
prototype fix.
- Fixes CVE-2026-56018, caused by a memory leak in minify() where each
tokenized Node's "contents" buffer were not properly freed, resulting in a
memory leak on every call.
- Updated author tests for "does the JS still compile?", to use "node"
instead of "jsl".
gotosocial: Update to 0.22.0
Provided by m33 in wip.
This is a big feature release that contains support for relay
subscriptions and relay push connections, a new instance account
directory, better threading using tombstones for deleted statuses,,
and support for auto-cleanup of old remote statuses, among lots of
other things!
WARNING:
- Configuration changes and database schema changes.
- Before starting this new release, first adapt the configuration file,
then do not interrupt as a database migration will take some time.
See https://codeberg.org/superseriousbusiness/gotosocial/releases/tag/v0.22.0
for upgrade instructions.
py-cython: updated to 3.2.8
3.2.8 (2026-06-30)
Bugs fixed
* Assigning a Python 3.14+ ``.__annotate__`` function to a Cython compiled function no longer
evaluates annotations eagerly. Fixes a regression with ``@functools.wraps()`` in Cython 3.2.6.
Patch by Jelle Zijlstra. (Github issue :issue:`7767`)
* In freethreading Python, the necessary object keep-alive while executing user code in
``.__dealloc__()`` uses a safer scheme.
Patch by Yaxing Cai. (Github issue :issue:`7769`)
* The local function state used by ``sys.monitoring`` read from uninitialised memory.
(Github issue :issue:`7774`)
* The ``.ag_running`` flag attribute of async generators was always false on big-endian systems.
