firefox140: update to 140.12
Update during freeze approved by maya@.
Mozilla Foundation Security Advisory 2026-58
Security Vulnerabilities fixed in Firefox ESR 140.12
Announced: June 16, 2026
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 140.12
#CVE-2026-12289: Privilege escalation in the Graphics: WebRender component
[322 lines not shown]
devel/ruby-redmine60: update to 6.0.10
Redmine 6.0.10 (2026-06-15)
This release addresses multiple security vulnerabilities along with various
bug fixes and improvements.
Code cleanup/refactoring
* Defect #43985: Flaky IssuesSystemTest caused by `!page.has_css?`
* Defect #44010: Too much INFO log of asset paths when starting Rails
Documentation
* Defect #43906: Wiki help does not display localized content for locales
with a region subtag
* Patch #43896: Remove obsolete db:migrate:upgrade_plugin_migrations step
from doc/UPGRADING
* Patch #43930: Add blockquote formatting in CommonMark wiki help pages
[36 lines not shown]
devel/ruby-redmine61: update to 6.1.3
This release addresses multiple security vulnerabilities along with various
bug fixes and improvements.
Code cleanup/refactoring
* Defect #43985: Flaky IssuesSystemTest caused by `!page.has_css?`
* Defect #44010: Too much INFO log of asset paths when starting Rails
* Defect #44072:
OauthProviderSystemTest#test_application_creation_and_authorization fails
randomly
* Patch #44073: TimeEntryTest#test_should_not_accept_closed_issue fails
randomly depending on locale
Documentation
* Defect #43906: Wiki help does not display localized content for locales
with a region subtag
[65 lines not shown]
libopensync: Various build fixes.
Improve the handling of non-POSIX iconv, detect a GNU libiconv,
and fix an implicit function declaration. This is important for
NetBSD with newer GCC.
Verified to build on FreeBSD, macOS, Linux, NetBSD, OpenBSD.
plotutils: Fix build with GCC 15.
This defines its own bool type, which is incompatible
with C23 having it as a built-in keyword.
gnu99 is chosen for being the minimum bootstrap requirement
and safety against APIs being hidden in standards mode.
gsasl: update to 2.2.4.
Security fix release.
* Noteworthy changes in release 2.2.4 (2026-06-15) [stable]
** NTLM: Avoid use-of-uninitialized-value in libntlm.
The code is in the client side, and can be triggered by a malicious
server. Report and fix by zhangph <zhangph12138 at 163.com> in
<https://lists.gnu.org/archive/html/help-gsasl/2026-06/msg00000.html>.
** i18n: Updated translations.
(geography/R-osmdata) Updated 0.2.5 to 0.3.0, fix build against R 4.6.0
# osmdata 0.3.0
## Breaking changes
- Remove `magrittr` from imports. User code relying on reexported pipe `%>%`
from `osmdata` must explicitly load it with `library(magrittr)`.
Code examples, tests and vignettes now use the pipe from base (`|>`) available since R 4.1 (#361)
- `getbb(..., format_out = "polygon")` returns polygons following [https://www.ogc.org/standards/sfa/].
Polygons are defined by a list of matrices of coordinates. The first ring defines the exterior boundary, and the following rings define holes if present.
Also fix `getbb(..., format_out = "sf_polygon")` returning each (multi)polygon as a row in an `sf` object.
Before, every ring was an independent polygon, even for holes or multipolygons,
and for `format_out = "sf_polygon"`, the features were split in a list with polygons in one item and multipolygons in another (#378).
## Major changes
- Implemented `c.osmdata_sc` method to join `osmdata_sc` objects (#333)
- Depends on R >= 4.1 to use the base pipe (`|>`) in examples and vignettes (#371)
[22 lines not shown]
devel/cmocka: Don't use newfangled attribute access on gcc < 12
The usage is guarded on __has_attribute(access), but that apparently
doesn't distinguish having access none. Fix inspired by an upstream
bug report (which has a huge hex string instead of a number in the
brave new world of gitlab), avoid attribute access on gcc <= 12.
Upstream has not acted on or commented on the bug report, filed on
April 10.
Resolves failure to build on NetBSD 10, probably resolves problems on
other gcc 10 hosts, and shouldn't affect systems with gcc >= 12.
(math/R-forecast) Updated 8.23.0 to 9.0.2, Fix build against R 4.6.0
# forecast 9.0.2
* `checkresiduals()` correctly handles the `test` argument again (#1100)
* `mstl()` now correctly accesses the `lambda` attribute on mstl matrix objects (#1097)
# forecast 9.0.1
* Performance improvements for ARFIMA model search
* `forecast.mlm()` now finds `newdata` when passed as an argument from another function (#880)
* `residuals.tslm()` now allows `type = "working"` as per CRAN request
* Code modernization and performance improvements
# forecast 9.0.0
* `ets()` now allows missing values in the time series (#952)
* Added `mean_model()` and `forecast.mean_model()`
* Added `rw_model()` and `forecast.rw_model()` (m-muecke, #969)
* Added `spline_model()` and `forecast.spline_model()` (#1013)
[12 lines not shown]
(math/R-igraph) Updated 2.1.4 to 2.3.2, Fix Build against R-4.6.0
# igraph 2.3.2
--------------
## Bug fixes
- Fix obsolete Fortran syntax (#2644).
# igraph 2.3.1
--------------
## Bug fixes
- Fix mismatches between C function signatures and function
calls. This only affects private functions that are defined but not
yet used (#2620).
# igraph 2.3.0
[321 lines not shown]
p5-Crypt-DSA: update to 1.21.
Security update. Please note that this package is deprecated.
1.21 -- Sun Jun 14 16:52:15 ADT 2026
- This module is now marked as deprecated. Crypt-DSA-GMP is a possible replacement.
- Fixed CVE-2026-12205 key material reuse for multiple signing events
- SECURITY (CWE-323): sign() reused the DSA nonce k across signatures
(r and k^-1 were cached on the key and not regenerated), allowing
private-key recovery from two signatures over different messages. Now
generates a fresh nonce per signature. Keys used to sign more than
once with an affected version should be considered compromised.
liba52: Build fixes for GCC 15.
Update configure test for return type of signal(2).
Restrict to C99. Uses "old-style function definitions", but also
restrict keyword.