www/apache24: update to 2.4.67
Changes with Apache 2.4.67 (2026-05-04)
* SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects
Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to
version 2.4.67, which fixes the issue. Credits: Elhanan Haenel
* SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer
Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
(cve.mitre.org) Improper Null Termination, Out-of-bounds Read
vulnerability in Apache HTTP Server. This issue affects Apache HTTP
Server: through 2.4.66. Users are recommended to upgrade to version
2.4.67, which fixes the issue. Credits: Tianshuo Han
(<hantianshuo233 at gmail.com>)
* SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP
[102 lines not shown]
[RFC][IR] Support vector splats in `ConstantPointerNull` (#195486)
This PR allows `ConstantPointerNull` to represent both scalar pointer
nulls and fixed or scalable vector splats of pointer nulls. This change
first aligns with the native splat behavior of `ConstantInt` and
`ConstantFP`, and second, makes it easier to eventually change the
semantics of `ConstantPointerNull` to represent a semantic null pointer
instead of a zero value, which is what it represents today.
[asan] Add HINT prefix to poison_history_size suggestions (#195733)
Consistency update to prefix poison tracking suggestions with "HINT:"
to match other ASan diagnostic hints.
nfs_nfsdserv.c: Clip number of callback slots
The client tells the server how many callback slots
it can handle in the callback session. However, the
NFSv4.1/4.2 server can only handle a maximum of
NFSV4_SLOTS slots. This patch clips the client's
value to that, to avoid using too high a slot#
for a callback.
Fortunately, I do not know of an extant client that
specifies a value greater than NFSV4_SLOTS, so this
patch is not really needed, as yet. Also, the client
rarely uses a slot# above 0 when doing callbacks.
MFC after: 2 weeks
mail/postfix: update to 3.11.2
Postfix 3.11.2 (2026-05-03)
Fixed in Postfix 3.11:
* Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon
dereferenced an uninitialized pointer after a request protocol
error. This daemon is not exposed to local or remote users.
Found by Claude Opus 4.6.
* Bugfix (defect introduced: 20260309) a change, to set the
service_name default value to "amnesiac", violated a test that
parameter names in postconf output must match 1:1 with parameter
names in the postlink script.
Fixed in Postfix 3.8, 3.9, 3.10. 3.11:
* Portability: support for recent FreeBSD, NetBSD, and OpenBSD
[25 lines not shown]
[asan] Only suggest increasing poison_history_size if the buffer is full (#195732)
I unlikely but possible to setup shadow state, e.g unpoison heap red
zone just after partial granule.
If buffer is not full, increasing it will not help.
[NFC][asan] Re-use ErrorGeneric::shadow_val (#195684)
It's done to reduce code size, as additional load on reporting is
negligible.
This requires change in ErrorGeneric constructor, to now we skip partial
shadow only if next one has a better value.
Before shadow_val was either `0x[a-f].` or 0.
Now it may be partial granule as well.
However it's NFC as `0 < shadow_val < ASAN_SHADOW_GRANULARITY` does not
affect reporting outside of `CheckPoisonRecords`.
geography/pdal-lib: Update to 2.10.1
Upstream does not publish NEWS. Their release notes contain the
following particularly NEWS-worthy items, plus many bug fixes and
minor improvements.
* 2.10.0
* readers.spz and writers.spz are now plugins by @ibell13 in #4755
* 2.9.0
* support for GDAL VSI
* support for FileSpec
* remove nlohmann public API (from PDAL API)
* Multi-thread support, where query, and new options for pdal tindex
[libc][semaphore] Zero-initialize rand_bytes to fix GCC warning (#195757)
GCC 15 warns about `rand_bytes` being maybe uninitialized when passed to
`getrandom`. Since `getrandom` writes to it, it doesn't strictly need
initialization, but zero-initializing it satisfies the compiler and
avoids the `-Werror=maybe-uninitialized` error.
Fix for https://github.com/llvm/llvm-project/pull/192278
Assisted by Gemini
[RFC][IR] Support vector splats in `ConstantPointerNull`
This PR allows `ConstantPointerNull` to represent both scalar pointer nulls and
fixed or scalable vector splats of pointer nulls. This change first aligns with
the native splat behavior of `ConstantInt` and `ConstantFP`, and second, makes
it easier to eventually change the semantics of `ConstantPointerNull` to
represent a semantic null pointer instead of a zero value, which is what it
represents today.
Two issues:
- Always include vmparams.h via <machine/vmparams.h>, because redirection
logic elsewhere relies on this.
- But akshually, isn't not even needed here because the code that would
use it is #if 0'd out anyway.
So, collect the garbage and ramble on.
devel/llvm{15-22}: move all .so files to -libs subpackages
Expand -libs ports to ship every shared library (.so) produced by
the LLVM build, not just libLLVM/libLTO/libRemarks. Comment out all
.so entries in the parent ports to avoid file conflicts. This fixes
poudriere failures where ports using USES=llvm:lib (e.g. qt6-tools)
could not find libclang-cpp.so at runtime.
-libs Makefile: add PLIST_SUB for CONFIGURE_TARGET/LLVM_RELEASE,
add option comment-out block, replace post-install with find-based
.so filter.
Parent pkg-plist: comment out all .so entries with pointer to -libs.
