libcbor: update to 0.14.0.
0.14.0 (2026-04-07)
---------------------
- [Fix NULL dereference in `cbor_move`, `cbor_serialized_size`, and `cbor_serialize_tag` when a tag has no item set]
- [Document large-allocation risk in `cbor_load` and clarify test-only CMake flags]
- [Fix NULL dereference in `cbor_copy`/`cbor_copy_definite` on allocation failure]
- [Explicitly guard against `size * 2` overflow in `cbor_builder_map_start_callback`]
- [Only generate CMake coverage build targets when explicitly enabled]
- [Fix CMake feature macro names and ensure `_CBOR_NODISCARD` is defined with `[[nodiscard]]`]
- [Fix integer overflow in `cbor_copy_definite()` when accumulating indefinite bytestring/string chunk lengths]
- [Add bounds check in `cbor_array_get()` to return NULL on out-of-bounds access]
- BREAKING: [`cbor_tag_set_item` now releases the reference to the previous tagged item]
- Previously, replacing the tagged item would leak the old item's reference. If you were manually releasing the old item before calling `cbor_tag_set_item`, you should remove the extra `cbor_decref`.
- Potentially BREAKING: [`cbor_tag_item` now returns NULL if the tag has no item set]
- Previously, this would be undefined behavior (NULL pointer dereference), so no valid clients should be affected.
- Potentially BUILD BREAKING: [CPack Debian package architecture is now detected via `dpkg` instead of being hardcoded to `amd64`]
- BUILD BREAKING: [Remove deprecated `CBOR_CUSTOM_ALLOC` CMake option]
[17 lines not shown]
kdiff3: update to 1.12.5.
Version 1.12.5 - 2026
=========================
- 77444e89 Michael Reeves reeves.87 at gmail.com FIx crash when dealing with encoder errors.
- 7a2bb375 Ari Zulan git at zulan.net Fix paste crash while diff data is reinitialized
- 391cb01b Michael Reeves reeves.87 at gmail.com Remove unneeded '(' nd ')'
- 72523562 Michael Reeves reeves.87 at gmail.com Fix minor standard conformance issue.
- 28603631 Michael Reeves reeves.87 at gmail.com Update inline linting suppression
- 815b5c7c Michael Reeves reeves.87 at gmail.com Fix incorrect copy size in - DefaultFileAccessJobHandler::slotGetData
- 9c2f7ca7 Michael Reeves reeves.87 at gmail.com restore clang-analyzer-cplusplus.NewDeleteLeaks no longer trigering in Qt headers as of Qt6
- a6d86377 Michael Reeves reeves.87 at gmail.com Fix unintended narrowing cast
- 9aa5cc21 Igor Mironchik igor.mironchik at gmail.com Hide progress dialog during folders comparing before status message is shown.
- d708a466 Thomas Klausner wiz at gatalith.at Fix ctype(3) abuse. Avoids crashes on certain systems
fzf: update to 0.74.1.
0.74.1
------
- The default separator on the info line is no longer shown when the input section is already visually separated from the list section by a border line
```sh
# No separator shown below the header border
fzf --style full --input-border none --header foo
# Separator shown; no border separates the input section from the list section
fzf --style full --input-border none --header foo --no-header-border
# No separator below the border of the preview window at 'next' position
fzf --preview : --preview-window next
# Conversely, separator is now shown when the input border does not draw
# a line facing the list section
fzf --input-border bottom
```
[7 lines not shown]
strawberry: updated to 1.2.24
1.2.24 (2026.07.16):
Bugfixes:
* Fixed playback hanging with no error shown when trying to play a track whose file no longer exists on disk
* Fixed the tag fetcher dialog showing a generic message instead of the actual error when a Musicbrainz/AcoustID lookup fails
* Hardened Chromaprinter decoding against malformed or oversized files and capped its in-memory PCM usage
* Fixed the context menu using the wrong item when invoked via keyboard in the playlist and smart playlists views
* Fixed blurry star rating icons by enabling smooth pixmap scaling
* Added F64LE (64-bit float) sample format support for the spectrum analyzer
* Numerous stability, crash-safety and thread-safety fixes throughout the application
databases/mysql97: Fix build with llvm 21, directory ownership and cleanup
- Add upstream patches for missing #include <type_traits> and <cstdlib>,
fixing the build with clang/libc++ 21 [1] [2]
- Register MY_SECDIR and MY_TMPDIR with mysql:mysql 0750 in pkg-plist,
so mysqld no longer fails to start after package upgrades reset the
ownership to root [3]
- Fix CONFLICTS_INSTALL pattern in the client not matching
mysql80-client
and align it with the wildcard style used by the server
- Update pkg-message for 9.x: mysql_upgrade no longer exists, the server
performs upgrade tasks itself; fix version reference and quoting
- Drop duplicate -DWITH_LZ4=system, remove a stale line continuation,
whitespace fixes
- Rename patch-sql_server_component_mysql__file__imp.cc to follow the
patch naming convention
PR: 296439 [1], 296443 [2], 296758 [3]
Reported by: Trond Endrestøl [1] [2], Alexander Ushakov [3]
[2 lines not shown]
usr.sbin/httpd: fix suffix range handling
Calculate suffix ranges before clamping end offsets so requests at least
as large as the file return the complete representation. Reject zero
length and malformed ranges, retain 64 bit sizes throughout range
handling, and add regression coverage for boundaries and overflow.
Based on indea of Andrew Kloet
OK: rsadowski@