BSD Commit Log Search

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2026-5732:       NVD assessment not yet provided
 * CVE-2026-5733:       NVD assessment not yet provided
 * CVE-2026-5734:       Base Score:  9.8 CRITICAL
                        Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 * CVE-2026-5734:       Base Score:  9.8 CRITICAL
                        Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

net-im/gajim: update to 2.4.5; sort depends

security/wolfssl: Fix 32-bit builds.

Add upstream patch for the fix, until changes are merged and
a new release is made.

PR:             294287
Reported by:    Robert Clausecker <fuz at FreeBSD.org>
Reviewed by:    Robert Clausecker <fuz at FreeBSD.org>
Tested by:      Robert Clausecker <fuz at FreeBSD.org>

sysutils/grub2-bhyve: Add support for additional EXT4 incompatible features

Handle the following EXT4 incompatible features:

EXT4_FEATURE_INCOMPAT_MMP (Multi-Mount Protection)
Prevents multiple read-write mounts of the same filesystem.
Since grub2-bhyve mounts filesystems read-only, it is safe to ignore.

EXT4_FEATURE_INCOMPAT_CSUM_SEED
Allows tools such as tune2fs to change the UUID on a mounted
metadata-checksummed filesystem. Safe to ignore because the
driver does not perform checksum verification.

EXT4_FEATURE_INCOMPAT_LARGEDIR
Enables directories larger than 2GB and 3-level htrees.
Safe to ignore because the GRUB ext2 driver does not implement
DIR_INDEX.

This patch mirrors upstream behavior. It unblocks booting from

    [5 lines not shown]

databases/py-sqlmodel: Update to 0.0.38

Changelog: https://github.com/fastapi/sqlmodel/blob/0.0.38/docs/release-notes.md

Reported by:    portscout

www/py-google-api-python-client: Update to 2.194.0

ChangeLog:      https://github.com/googleapis/google-api-python-client/releases/tag/v2.194.0
Reported by:    "release-please[bot]" <notifications at github.com>

Mk/bsd.default-versions.mk: stick to OpenJDK 11 on powerpc too

Newer versions require too big stack to build natively.

sysutils/beats*: Mark as not for arch i386

MFH:    2026Q2
(cherry picked from commit 3d572ac39d0f36d654c2d5e6f1db8ac7077331ec)

java/java3d: split combined patches

Redo make makepatch to have "modern" port patches.
No functional change intended.

Approved-by:    no maintainer

lang/python313: update to 3.13.13

Changelog: https://docs.python.org/3.13/whatsnew/changelog.html#python-3-13-13-final

net-mgmt/kf6-networkmanager-qt: Clean up port

- Drop License block, kf6 ports share LICENSE via Uses/kde.mk
- Add missing dependencies
- Remove unused dependencies

devel/lfcbase,databases/cego: 1.23.3 -> 1.23.5, 2.54.16 -> 2.54.23

lfcbase:
- Improved error message for File::open with strerror details added
- In File::operator = and File:operator +=, after file copy operation,
  source file descriptor was not closed.
  This might lead to file descriptor leaks.

cego:
- Many fixes for crash recovery and startup, write logs, etc.

www/deno: proper fix for llvm22 binding problem

This was fixed with bindgen > 0.70.1 (I don't kwown the exact version)

PR:             293587
Tested by:      Philippe Michel, Oleg Sidorkin
Fixes:          e330aefa238248ff5ab18671061c4f8221f9f188

textproc/oyo: Update to 0.1.30

ChangeLog:

  - https://github.com/ahkohd/oyo/releases/tag/v0.1.25
  - https://github.com/ahkohd/oyo/releases/tag/v0.1.26
  - https://github.com/ahkohd/oyo/releases/tag/v0.1.27
  - https://github.com/ahkohd/oyo/releases/tag/v0.1.28
  - https://github.com/ahkohd/oyo/releases/tag/v0.1.29
  - https://github.com/ahkohd/oyo/releases/tag/v0.1.30

Reported by:    portscout!

audio/pt2-clone: Update to 1.87

security/vuxml: Update URL in latest OpenSSL vulns

java/jcalendar: unpin openjdk8

Builds fine with modern JDK.

Approved-by:    no maintainer

java/jgraphx: unpin openjdk8

Builds fine with modern JDK.
Dependency math/scilab uses openjdk8 so this needs to generate
Java 8 compatible class files.

Approved-by:    no maintainer

www/gitlab: security and patch update to 18.10.3

Changes:        https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
Security:       099d4998-33cc-11f1-a7d1-2cf05da270f3

sysutils/go-ntfy: Update to 2.21.0

ChangeLogs:

- https://github.com/binwiederhier/ntfy/releases/tag/v2.20.1
- https://github.com/binwiederhier/ntfy/releases/tag/v2.21.0

audio/ft2-clone: Update to 2.14

net/krakend-ce: Update 2.13.3 => 2.13.4

Approved by:            db@, yuri@ (Mentors, implicit)

security/vuxml: document gitlab vulnerabilities

filesystems/ltfs: Update to 2.4.8.3

databases/timescaledb: Update to 2.26.2

sysutils/screen-devel: Update distfile

When unpacking the tarballs there is no material difference between the
old and the new files. Additionally, there is no difference when
comparing the two tarballs after unzipping the .gz files. One must
conclude the files are compressed differently as the new .gz file is 4K
smaller then the previous file.

(cherry picked from commit 7fd033436f0ef341f70e8592fa741d5b92b27fd9)

x11/cde*: Work around bus errors and looping CDE apps

-O2 optimization is too aggressive for CDE. Scaling it back to -O
eliminates bus errors on some systems and dtcalc looping with the
error, *** M .LE. T IN CALL TO MPCHK.

Reported by:    Jeremy Doolin <jrdoolin at pm.me>

(cherry picked from commit fa43a93555ef08544bc2139af3411e00797c70dd)

sysutils/screen-devel: Update distfile

When unpacking the tarballs there is no material difference between the
old and the new files. Additionally, there is no difference when
comparing the two tarballs after unzipping the .gz files. One must
conclude the files are compressed differently as the new .gz file is 4K
smaller then the previous file.

MFH:    2026Q2

games/veloren-weekly: update to s20260408

Changes:        https://gitlab.com/veloren/veloren/-/compare/1c0a37f006...308212a458
(cherry picked from commit d2205e2f43af61c3c16a911da92e69728a089ec9)

devel/xdg-dbus-proxy: update to 0.1.7

Changes:        https://github.com/flatpak/xdg-dbus-proxy/releases/tag/0.1.7
Reported by:    GitHub (watch releases)

(cherry picked from commit db7a86a296ae21881efff528f8a62d3fc8d123be)