py-jwcrypto: updated to 1.5.8
1.5.8
Fix list iteration in claim format validation
fix: bump minimum cryptography dependency to >= 39.0.0
Wrap JWKSet parsing errors in InvalidJWKValue
jwt: add opt-in strict_serialization to enforce compact form
py-click: updated to 8.4.2
8.4.2
Fix Fish shell completion broken in 8.4.0 by {pr}3126. Newlines and tabs in option help text are now escaped, keeping the original completion format while still supporting multi-line help. {issue}3502 {issue}3043 {pr}3504 {pr}3508
Deprecated commands and options with empty or missing help text no longer render a stray leading space before the (DEPRECATED) label. {pr}3509
A {class}Group with invoke_without_command=True marks its subcommand as optional in the usage help, showing [COMMAND] instead of COMMAND. {issue}3059 {pr}3507
echo_via_pager flushes after each write, so passing a generator streams output to the pager incrementally instead of staying hidden until the pipe buffer fills. {issue}3242 {issue}2542 {pr}3534
echo_via_pager and get_pager_file no longer close a borrowed stdout stream when no external pager runs, completing the partial I/O operation on closed file fix from {pr}3482. {issue}3449 {pr}3533
py-cython: updated to 3.2.6
3.2.6 (2026-06-24)
Bugs fixed
* ``@functools.wraps()`` was broken in Py3.14+ for Cython compiled functions.
* A double-free in the t-string code was fixed.
* The ``-`` operator declarations for iterators in ``libcpp.vector`` we corrected.
* The shared utility code module no longer uses a temporary file path that
changed the C code on each generation.
* On 32 bit platforms, cached constants are no longer made immortal during module import.
net/libslirp: update to version 4.9.3
This is a security update for CVE-2026-9539: libslirp TCP URG OOB Read
Information Leak.
Changes in 4.9.3:
* Fix migration break on incorrect vmstate retcode
Changes in 4.9.2:
* Security:
- oob: cap urgent data count to what is actually available
* Fixed:
- Honor dns server port number on macos
- Cope with SO_ERROR possibly failing
- vmstate: pass on read/write errors for state
- Fix port conflict
- tcp_sockclosed: Set linger timer on remaining closing states
[62 lines not shown]
gspell: forward icu dependency in bl3.mk
Seems it's needed:
meson.build:66:13: ERROR: Dependency lookup for gspell-1 with method 'pkg-config' failed: Could not generate cflags for gspell-1:
Update devel/objfw to 1.5.6
Changes from ObjFW 1.5.5:
* Unpaired UTF-16 surrogates are now converted to WTF-8
* Collections now refuse to be inserted into themselves
* Fixes OFMutableData dropping the itemSize in one convenience initializer
* Fixes OFFileIRIHandler setting the UID to the GID
* Fixes handling of BOM in -[OFUTF8String initWithUTF8StringNoCopy:length:freeWhenDone:]
* OFMutableIndexSet now correctly inserts / removes from self
* OFMutableUTF8String now correctly appends and replaces self
* Fixes handling of TLS close notifications
* Fixes relocking the mutex in OFCondition on Windows
* Fixes searching for a handler after a cleanup in the runtime
* Fixes parsing JSON containing an exponent without a decimal point
* Call va_end() after va_copy() everywhere
* Default depth limit of all parsers increased from 32 to 128
* -[OFIRI fileSystemRepresentation] now rejects IRIs with a non-empty host, except on Windows where it is used for UNC
* Fixes setting a nil extraField in OFMutableZIPArchiveEntry
* Fixes setting a nil Amiga comment in OFMutableTarArchiveEntry
[4 lines not shown]
py-WebOb: updated to 1.8.10
1.8.10 (2026-06-02)
Security Fix
- The fix for CVE-2024-42353 was incomplete: a Location value containing
ASCII tab, carriage return, or line feed characters between consecutive
slashes could still be interpreted as a protocol-relative URL by
``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect.
tor: updated to 0.4.9.10
Changes in version 0.4.9.10 - 2026-06-23
Another release with an important security fix and major bugfixes. We
strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, security, TROVE):
- Reject a CONFLUX_LINK cell that arrives on a circuit which already
has attached streams. A malicious client could send a
RELAY_COMMAND_BEGIN before the CONFLUX_LINK on the same circuit,
attaching an exit stream that would later end up orphan leaving a
dangling circuit back-pointer and a use-after-free (UAF) when the
circuit is freed. TROVE-2026-025. Fixes bug 41258; bugfix
on 0.4.8.1-alpha.
o Major bugfixes (client):
- Resume warning about unsafe socks protocols (socks4 or
socks5-not-hostname) when SafeSocks is not set. Also resume
warning every time when TestSocks is set. Fixes bug 41290; bugfix
[37 lines not shown]
