BSD Commit Log Search

   update to 1.28.3; from Mark Patruck

   - buffer overflow vulnerability in the ngx_http_dav_module
      (CVE-2026-27654)

   - buffer overflow vulnerabilities in the ngx_http_mp4_module
      (CVE-2026-27784, CVE-2026-32647)

   - mail session authentication vulnerabilities
      (CVE-2026-27651, CVE-2026-28753)

   - OCSP result bypass vulnerability in stream
      (CVE-2026-28755)

   Update libopenmpt to 0.8.6.

   Update to gemini-cli-0.35.0.

   Update to epson-inkjet-printer-escpr-1.8.8.

   Update to epiphany-49.7.

   Update to google-cloud-sdk-562.0.0.

   Use \- for hyphens in tmux.1 to cause newer groff versions to render
   them correctly (ASCII hyphen rather than Unicode) which aids copy and
   paste. From Keith Thompson in GitHub issue 4948.

   Update to gegl04-0.4.70.

   www/hugo: update to 0.159.0

   Changes:
    - https://github.com/gohugoio/hugo/releases/tag/v0.159.0

   missed bump

   ruby 4.0 FFI also fails on aarch64 BTI machines without USE_NOBTCFI
   pointed out by gkoehler/tb

   update to tomcat-10.1.53

   MFC: build ruby 3.x with USE_NOBTCFI on aarch64 due to crashes at runtime
   when using FFI on machines which enforce BTI. (4.0 seems ok).

   ok tb jca kn

   (I left this as just 3.3/3.4 since we didn't provide a ruby32-ffi
   package)

   build ruby 3.x with USE_NOBTCFI on aarch64 due to crashes at runtime
   when using FFI on machines which enforce BTI. (4.0 seems ok).

   ok tb jeremy kn

   mail/mozilla-thunderbird: MFC update to 140.9.0.

   see https://www.thunderbird.net/en-US/thunderbird/140.9.0esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/

   mail/mozilla-thunderbird: update to 140.9.0.

   see https://www.thunderbird.net/en-US/thunderbird/140.9.0esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/

   Add www/py-cookies removal to quirks

   Remove www/py-cookies.

   No consumers and was marked broken with the python 3.11 transition two
   years ago.

   ok tb

   Unhook www/py-cookies from the build as I garbage collect it.

   treewm: pass -Wno-error=implicit-int in CFLAGS to fix build on sparc64

   breakage pointed out by kmos

   In the namei callback for __pledge_open() invert the logic of checking
   pledge/namei modes and then checking for the path.  Now, first
   identify the path with array bsearch then check the pledge/namei modes.
   Since this is __pledge_open(), if the path is not known, terminate with
   an EACCES abort.  If the path is known but the pledge/namei modes don't
   suggest an unveil bypass, allow the code to fallthrough to the rpath/wpath
   checks, and then back into namei for unveil validation.
   ok dgl

   Wrap the pledge-related sysctl code in SMALL_KERNEL, because it is big
   and the ramdisk does not need it
   ok mlarkin, discussed with dgl

   fix build by not trying to statically link sdl3

   libSDL3.a does not exist but meson still tries to statically link
   everything in the Requires.private part of the sdl3.pc pkgconfig file.
   In the case of gbm libgbm.a had unresolved symbols.

   build failure reported by tb@ who tracked this back to a change in the
   devel/sdl3 port to build with -DSDL_DEPS_SHARED=OFF

   ok tb@

   update to telemt 3.3.31

   Fix llvm-config --libs. ok robert@

   graphics/vtk: drop build dependency on devel/cli11

   This dependency is not needed since we disabled building tests.

   devel/cli11: update to 2.6.2

   ok tb@

   Update to sniproxy-0.11.1

   Changes: https://github.com/renaudallard/sniproxy/releases/tag/0.11.1

   From Renaud Allard (MAINTAINER)

   sysutils/docker-compose: update to 5.1.1

   Update worker to 5.4.0.