p5-String-Util: update to 1.36.
Changes not available, but:
String::Util versions before 1.36 for Perl are susceptible to a regular
expression denial of service.
py-uvicorn: updated to 0.50.2
0.50.2 (July 6, 2026)
Fixed
Require websockets>=13.0, which the default websockets-sansio implementation needs
0.50.1 (July 6, 2026)
Fixed
Split comma-separated Sec-WebSocket-Protocol values in the websockets-sansio implementation
0.50.0 (July 4, 2026)
If you use WebSockets, note that --ws auto now picks the websockets-sansio implementation. You shouldn't need it, but you can pin --ws websockets to get the deprecated legacy one back.
Changed
[14 lines not shown]
py-charset-normalizer: updated to 3.4.9
3.4.9
Fixed
- Regression in our fallback path leading to a decode error.
We've yanked 3.4.8 as a result of that bug.
py-ijson: updated to 3.5.1
3.5.1
* The internal `ijson.common.ObjectBuilder` no longer creates internal reference
cycles, so discarded builders are freed by reference counting instead
of waiting for a cyclic garbage collection pass. This lowers peak
memory usage for code that builds and discards one large object at a
time. As a side effect, `builder.value` is now `None` before any
event is processed (previously accessing it raised `AttributeError`),
and the undocumented `containers` attribute holds the in-progress
containers rather than setter closures.
p5-DBI: update to 1.650.
1.650 - 2026-07-06, H.Merijn Brand & Robert Rothenberg
* Set a hard limit of 99999 on '?' placeholders (CVE-2026-14739)
* Fix out-of-bounds read in preparse of SQL that starts with a comment (CVE-2026-14740)
* Fix code injection via Profile DSN attribute or DBI_PROFILE variable (CVE-2026-14380)
* Update dbipport.h to Devel::PPPort-3.73
* Require Test::More 0.96 (tests will otherwise fail on pristine perl-5.12)
modular-xorg-server: update to 21.1.24.
This release contains the fixes for the issues reported in today's
security advisory:
https://lists.x.org/archives/xorg-announce/2026-July/003716.html
- CVE-2026-55999: glamor Font Atlas Heap Buffer Overflow
- CVE-2026-56000: GLX contextTags Use-After-Free in CommonMakeCurrent()
As noted in the security advisory, CVE-2026-56000 seems to depend on a
commit not previously in a 21.1.x release (but is present in this
release). As far as we can tell, 21.1.23 and earlier are not vulnerable
to CVE-2026-56000.
On top of those we have few cleanup fixes backported to the 21.1 releases.
libXfont2: update to 2.0.8.
This release contains the fixes for the issues reported in today's
security advisory:
https://lists.x.org/archives/xorg-announce/2026-July/003714.html
- CVE-2026-56001: BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow
- CVE-2026-56002: PCF Font Parsing Heap Buffer Overflow
- CVE-2026-56003: computeProps Property Buffer Heap Buffer Overflow
Additionally it contains a number of minor cleanup patches and the
removal of a decades-obsolete compat API.
wxGTK32: updated to 3.2.11
3.2.11 includes an unusually huge amount of bug fixes for possible security
problems, probably prompted by the increasing use of LLMs for finding them and
also helped by the addition of extra fuzzers. Upgrading to this version is
strongly recommended if you use any of the functions or classes mentioned below
in untrusted contexts:
Fix multiple buffer overflows in wxBMPHandler: when loading malformed BMP files with invalid RLE data
Fix multiple buffer overflows in wxXPMDecoder
Fix multiple problems in wxGIFHandler: reject more invalid GIFs and do it without leaking memory
Fix buffer overflow in wxTarInputStream
Fix out-of-bounds read in wxFileType::ExpandCommand()
Fix buffer overflow in wxVsnprintf()
Fix out-of-bounds read in wxRegEx::Replace()
Fix out-of-bounds read in wxUString
Fix wxDateTime::Format() handling of invalid format
Fix buffer overflow in wxGethostby{addr,name}_r()
Fix multiple buffer overflows in wxIFFDecoder: out-of-bounds palette write
[8 lines not shown]
xlsfonts: update to 1.0.9.
Alan Coopersmith (9):
Simplify qsort() comparision function to just call strcmp()
Add --help and --version options
Improve man page formatting
man page: fix warnings from `mandoc -T lint` and `groff -rCHECKSTYLE=10`
Strip trailing whitespace from source files
IgnoreError: tell the compiler the arguments are intentionally unused
gitlab CI: drop the ci-fairy check-mr job
meson: Add option to build with meson
xlsfonts 1.0.9
xlsatoms: update to 1.1.5.
Alan Coopersmith (8):
add -help option
Accept --help & --version as aliases to -help & -version
man page: fix warnings from `mandoc -T lint`
Strip trailing whitespace from source files
gitlab CI: drop the ci-fairy check-mr job
COPYING: Add missing Open Text copyright notice to file
meson: Add option to build with meson
xlsatoms 1.1.5
xkbutils: update to 1.0.7.
Alan Coopersmith (11):
Assume target platforms have strcasecmp now
Use _stricmp() instead of strcasecmp() on Windows
xkbbell, xkbvleds, xkbwatch: Print usage message for unknown arguments
xkbwatch: add -help option
Accept --help & --version as aliases to -help & -version
Improve man page formatting
man page: fix warnings from `mandoc -T lint`
Strip trailing whitespace from source files
gitlab CI: drop the ci-fairy check-mr job
meson: Add option to build with meson
xkbutils 1.0.7
Alexander Ziaee (1):
documentation: improve utility descriptions
Bjarni Ingi Gislason (1):
xkbvleds.man: Fix WARNING: skipping paragraph macro: PP empty