py-octoprint: updated to 1.11.8
1.11.8
Security fixes
XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notification popups generated by the printer.
An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.
See also the GitHub Security Advisory and CVE-2026-35163.
File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.
The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.
See also the GitHub Security Advisory and CVE-2026-54134.
Bug fixes
[2 lines not shown]
icinga2: updated to 2.16.3
2.16.3 (2026-07-01)
This is a hotfix release that fixes a regression with the `Json.decode()` DSL function that was introduced in v2.16.2:
The addition of a second argument to the internal `JsonDecode()` function unintentionally leaked into the DSL as a
required argument. This version restores the old and intended behavior of `Json.decode()`.
Changes
* Restore single-argument `Json.decode()` in the DSL
* Add the upgrading documentation for v2.15.1 again, which went missing with the v2.16.0 release
SDL3: updated to 3.4.12
3.4.12
This is a stable bugfix release, with the following changes:
Fixed an assert on Windows in SDL_SetWindowOpacity()
Improved support for external surfaces under Wayland
Fixed visual artifacts when switching render targets with the Vulkan renderer
Fixed crash rendering YUV textures on NVIDIA drivers with the Vulkan renderer
Added SDL_HINT_ENABLE_STEAM_SCREEN_KEYBOARD to customize behavior on Steam Deck and Steam Machine
Improved support for gamepads under Emscripten
Added hotplug detection support when using libusb for HIDAPI controllers
Fixed flipped Xbox 360 controller axes on macOS
Fixed truncated long text input sequences when using sdl2-compat
py-croniter: updated to 6.2.3
6.2.3 (2026-07-02)
Features and Improvements
- Fix quadratic expansion of comma-separated range lists for a large speed-up on expressions with many ranges.
Bugfixes
- Reject a zero step (e.g. ``5-5/0``) in equal and reversed cron ranges instead of silently accepting it.
- Fix ``expand_from_start_time`` month low-bound off-by-one so stepped month ranges start on the correct month.
py-coverage: updated to 7.15.0
Version 7.15.0 — 2026-07-02
- Since 7.14.0, reporting commands implicitly combine parallel data files. Now
those commands have a new option ``--keep-combined`` to retain the data files
after combining them instead of the default, which is to delete them.
Finishes `issue 2198`_.
- Fix: the LCOV report would incorrectly count excluded functions as uncovered,
as described in `issue 2205`_. This is now fixed thanks to `Martin Kuntz
Jacobsen <pull 2206_>`_.
- When running your program, coverage now correctly sets
``yourmodule.__spec__.loader`` as `strongly recommended <--loader--_>`_,
avoiding the deprecation warning described in `issue 2208`_. Thanks, `A5rocks
<pull 2209_>`_.
- Fix: with Python 3.10, running with the ``-I`` (isolated mode) option didn't
[3 lines not shown]
py-argcomplete: updated to 3.7.0
Changes for v3.7.0 (2026-06-30)
- Escape glob and brace metacharacters in quote_completions
- Quote prefix passed to compgen in FilesCompleter
- Remove deprecated easy_install script detection
- Type hinting improvements
py-apsw: updated to 3.53.3.0
3.53.3.0
pyodide (web assembly) builds are now published to pypi, thanks to version 4 of cibuildwheel.
Async breaking changes: This SQLite release requires the database mutex for some APIs that it did not before. The following were direct values, but now must be awaited: Connection.changes(), Connection.get_autocommit(), Connection.in_transaction, Connection.last_insert_rowid(), Connection.total_changes()
The closure extension was removed from SQLite extra by SQLite. Common table expressions are a better approach.
Remove the logger on module unload (APSW issue 620)
libva: updated to 2.24.0
2.24.0 - 02.Jul.2026
* va: Add VA_PICTURE_H264_NON_EXISTING flag
* va: use secure_getenv instead of getenv in va_x11.c
* doc: fix libva av1 link for doxygen
* trace: dump input/output data in va_TraceProtectedSessionExecute
* trace: Add ProtectedSession Related Log in Trace
Initial import of math/cvc5 version 1.3.4.
An efficient open-source automatic theorem prover for Satisfiability
Modulo Theories (SMT) problems. It can be used to prove the
satisfiability (or, dually, the validity) of first-order formulas
with respect to (combinations of) a variety of useful background
theories.
Initial import of math/libpoly version 0.2.1.
SRI LibPoly is a C library for manipulating polynomials. The target
applications are symbolic reasoning engines, such as SMT solvers,
that need to reason about polynomial constraints. It is research
software under development, so the features and the API might change
rapidly.
Initial import of math/symfpu version 1.2.0.
SymFPU is an implementation of the SMT-LIB theory of (IEEE-754)
floating-point in terms of bit-vector operations. It is templated
in terms of the bit-vectors, propositions, floating-point formats
and rounding mode types used.
joker: update to 1.9.0
## General improvements
- Updated dependencies.
## Linter improvements
- Added support for union types in return values.
- Added linter return tags for core functions and expanded type
tagging coverage.
## Fixes
- Fixed type inference for stubs.
- Fixed linter deref return types for volatile and other core
functions.
kew: update to 4.1.6
4.1.0:
- Added custom layouts.
- Added AutoResume (persists playback state; enabled by default).
- Added experimental crossfade with new commands/settings.
- Added/improved visualizer modes (including Party Mode and others).
- Added new theme pack and improved themes/color behavior.
- Added scrolling lyrics behavior and more UX improvements.
- Included many bug fixes and internal refactors.
4.1.1:
- Fixed an issue affecting Homebrew tests.
4.1.2:
- Fixed an installation issue on FreeBSD.
4.1.3:
- Changed Discord integration to opt-in (off by default).
[13 lines not shown]