Mk/Uses/meson.mk: Silence warning during do-configure stage
Add setup to CONFIGURE_ARGS to silence the following warning:
"WARNING: Running the setup command as `meson [options]` instead of
`meson setup [options]` is ambiguous and deprecated."
PR: 294808
Reviewed by: desktop (arrowd)

tuntap: add SIOCGIFCAP and SIOCSIFCAP ioctls
Add SIOCGIFCAP ioctl-command for tun/tap character device to be used
by bhyve for offloading in the future.
Add SIOCSIFCAP for symmetry.
Reviewed by: markj, pouria, tuexen
MFC after: 1 week
Event: Wiesbaden Hackathon 2026
Differential Revision: https://reviews.freebsd.org/D51289

vtnet: remove loader tunable fixup_needs_csum
Removes the deprecated loader tunable fixup_needs_csum. Also removes
the sysctl counter rx_csum_bad_offset that is no longer in use.
Reviewed by: tuexen
Event: Wiesbaden Hackathon 2026
Differential Revision: https://reviews.freebsd.org/D55588

devel/task: update to 3.50.0
* Added enum.ref support in requires: enum constraints can now reference
variables or template pipelines (e.g., ref: .ALLOWED_ENVS) instead of
duplicating static lists. Combined with sh: variables, this enables fully
dynamic enum validation.
* Fixed Fish completion using hardcoded task binary name instead of
$GO_TASK_PROGNAME for experiments cache.
* Fixed watch mode ignoring SIGHUP signal, causing the watcher to exit
instead of restarting.
* Fixed a long-time bug where the task wouldn't re-run as it should when
using method: timestamp and the files listed on generates: were
deleted. This makes method: timestamp behave the same as method:
checksum.

kubectl: update to 1.36.0
Changes by Kind
Deprecation
* Renamed: AllowlistEntry.Name to AllowlistEntry.Command in the credential
plugin allowlist. [SIG API Machinery, Auth, CLI and Testing]
API Change
* Added SchedulingConstraints to express topology-aware scheduling (TAS)
constraints for PodGroup scheduling behind the
TopologyAwareWorkloadScheduling feature gate. Added the TopologyPlacement
plugin implementing the PlacementGenerate extension point to take
constraints into consideration during PodGroup scheduling. [SIG API
Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and
Testing]
* Added DisruptionMode, PriorityClassName, and Priority fields to the
[176 lines not shown]

py-OpenSSL: updated to 26.1.0
26.1.0 (2026-04-24)
Changes:
- Maximum supported ``cryptography`` version is now 47.x.
- Fixed ``X509Name`` field setters to correctly pass the value length to OpenSSL. Previously, values containing NUL bytes would be silently truncated, causing a divergence between the stored ASN.1 value and the value visible from Python. Credit to **BudongJW** for reporting the issue. **CVE-2026-40475**

py-cryptography py-cryptography_vectors: updated to 47.0.0
47.0.0 - 2026-04-24
Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ValueError. This change affects :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms.
BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use; however, we may revert this change based on the feedback we receive.
Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a future release, only 192-bit (24-byte) keys will be accepted. Users should expand shorter keys themselves (e.g., for single DES: key + key + key, for two-key: key + key[:8]).
Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in the next release. We will switch to publishing an arm64 only wheel for macOS.
Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in the next release. Users should move to a 64-bit Python installation.
public_bytes and private_bytes methods on keys now raise TypeError (instead of ValueError) if an invalid encoding is provided for the given format.
Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`, :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They will be removed from the modes module in 49.0.0.
Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia` into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module. It will be removed from the cipher module in 49.0.0.
Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous private implementation will be removed in 49.0.0.
Added support for loading elliptic curve keys that contain explicit encodings of the curves secp256r1, secp384r1, and secp521r1.
[13 lines not shown]

mpg123: updated to 1.33.5
1.33.5
- mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit
off_t was used with mpg123 API calls expecting 64 bit off_t.
I am appalled that it took a user on 32 bit ARM and a specific https stream
to notice this (bug 385, regression since 1.32.0).
The security impact of this could be serious, with memory corruption including
segfault being observed.
- mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive
platforms (regression since 1.32.0).
- libmpg123:
-- Announce support for shadow stack / IBT in x86-64 assembly.
-- Also announce PAC/BTI for non-accurate neon64 (aarch64) synth.
- libout123: Add a safeguard to ensure variable-length records from buffer
communication are always zero-terminated.
- libsyn123: Use union work buffer to avoid casts that may look like breaking
strict aliasing.