BSD Commit Log Search

   update to exim-4.99.2 in 7.8-stable (at this point in the release cycle
   -stable ports updates are mostly not possible as they'll interfere with
   updates to 7.9, however this has been removed in -current so that doesn't
   apply here).

   this brings recent cve fixes, plus other older ones from 4.99.1 that
   didn't get into -stable yet.

   also update MESSAGE to warn about removal in 7.9.

   ok phessler renaud

   remove BROKEN marker to try building on arm(v7).  the platform has changed
   a lot since 2019

   OK sthen@ naddy@

   security/nss: bugfix update to 3.123.1

   fixes #2033783: invalid DTLS CertificateVerify signature breaks Firefox WebRTC to pion and webrtc-rs servers
   see https://hg-edge.mozilla.org/projects/nss/raw-file/tip/doc/rst/releases/nss_3_123_1.rst
   ok naddy@

   SECURITY update to openvpn-2.7.2

   fix race condition in TLS handshake that could lead to leaking of packet
   data from a previous handshake under specific circumstances
   (CVE-2026-40215)

   fix server ASSERT() on receiving a suitably malformed packet with
   a valid tls-crypt-v2 key (CVE-2026-35058)

   Other changes: https://github.com/OpenVPN/openvpn/blob/v2.7.2/Changes.rst

   ok naddy@

   Fix ttypplot by moving pledge() call after open(/dev/tty).
   Add 'use pledge()' marker to Makefile while there.
   ok tb@, fcambus@, naddy@

   lang/gawk: do not pick up gettext-tools in configure

   configure picks up xgettext and it is then used during the build, but
   to no effect.

   Reported by jca@

   net/ejabberd: prevent linking agains wayland/libei instead erlang's libei.a

   Now that ports-gcc is gcc 15, this is no longer BROKEN on sparc64

   Remove BROKEN-sparc64

   ok naddy

   span.h is provided by GCC 15.

   Drop BROKEN-sparc64

   ok naddy

   bump REVISION after the fixes in the llvm ports
   ok sthen@

   Fix orc riscv64-specific code paths

   orc previously failed to build because of inconsistent #ifdefs that
   exposed Linux-only calls.  While here hook up call to
   (__builtin)__clear_cache and correct default assumptions (the 'V'
   extension can't be assumed, on any OS).

   Prompted by a report from matthieu@, maintainer timeout, ok sthen@

   add missing build dep.  it wouldn't build without the build dep being
   available, so no need for a REVISION bump.

   noticed by myself and naddy on arm64 and amd64 bulk package builds.

   OK sthen@

   SECURITY update to openvpn-2.6.20

   fix race condition in TLS handshake that could lead to leaking of packet
   data from a previous handshake under specific circumstances
   (CVE-2026-40215)

   fix server ASSERT() on receiving a suitably malformed packet with
   a valid tls-crypt-v2 key (CVE-2026-35058)

   Other changes: https://github.com/OpenVPN/openvpn/blob/v2.6.20/Changes.rst

   Tor Browser: update to 15.0.10

   Tor Browser: update to 15.0.10

   OK naddy@

   mail/mozilla-thunderbird: MFC update to 140.10.0

   see https://www.thunderbird.net/en-US/thunderbird/140.10.0esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/

   fix section merging for .srodata and .openbsd.randomdata

   there was a bad merge of changes and a comma was lost and with that
   section merging for .srodata and .openbsd.randomdata

   ok naddy@, sthen@

   mail/mozilla-thunderbird: update to 140.10.0.

   see https://www.thunderbird.net/en-US/thunderbird/140.10.0esr/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/

   ok naddy@

   MFC update to librenms-26.4.0

   update to librenms-26.4.0, ok naddy

   includes fix for cross-site scripting in alert template list, and adds
   missing escaping for a few cli commands etc

   https://github.com/librenms/librenms/releases/tag/26.4.0

   disable pipewire

   ok naddy@

   www/mozilla-firefox: MFC update to 150.0.

   see https://www.firefox.com/en-US/firefox/150.0/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/

   www/firefox-esr: MFC update to 140.10.0.

   see https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/

   www/firefox-esr: update to 140.10.0.

   see https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/

   ok naddy@

   www/mozilla-firefox: update to 150.0.

   see https://www.firefox.com/en-US/firefox/150.0/releasenotes/
   fixes https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/

   - disable PGO again, fixes wasm crashes seen with element-web (cf #2030583)
   - will need to move to llvm 21 or patch llvm 19 to reenable PGO
   - add workaround to avoid fetching some pip wheels during configure
     (#2026497), another workaround would be to move to ./mach configure ?

   ok naddy@

   avoid picking up doxygen during build, to avoid build failure with dpb junking
   requested by naddy

   Update to rclone-1.73.5

   CVE-2026-41176
   rc: add AuthRequired to options/set to prevent auth bypass
   rc: snapshot NoAuth at startup to prevent runtime auth bypass

   CVE-2026-41179
   operations: add AuthRequired to operations/fsinfo to prevent backend
   creation

   Changelog: https://rclone.org/changelog/#v1-73-5-2026-04-19

   OK sthen@

   graphics/lcms2: Update to 2.19rc2

   Fixes several issues, for reference see
   https://marc.info/?l=oss-security&m=177646929211758&w=2

   pointed out by and ok tb@, ok naddy@

   update to gelatod-1.7;  same fix as 029_v6daemons;  OK naddy

   geo/mapserver: security update to 8.6.2.

   see https://mapserver.org/development/changelog/changelog-8-6.html#changelog-8-6
   fixes https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x

   ok naddy@