tex-transparent{,-doc}: update to 1.6
* Fix clash with pgfutil-common #3
* Update test for PDF management
* adapt to l3kernel changes (l3opacity is now included)
xz: update to 5.8.3.
5.8.3 (2026-03-31)
IMPORTANT: This includes a fix for CVE-2026-34743 which affects all
XZ Utils versions since 5.0.0. No new 5.2.x, 5.4.x, or 5.6.x
releases will be made, but the fix is in the v5.2, v5.4, and v5.6
branches in the xz Git repository.
* liblzma:
- Fix a buffer overflow in lzma_index_append(): If
lzma_index_decoder() was used to decode an Index that
contained no Records, the resulting lzma_index was left in
a state where a subsequent lzma_index_append() would
allocate too little memory, and a buffer overflow would occur.
The lzma_index functions are rarely used by applications
directly. In the few applications that do use these functions,
[35 lines not shown]
sbcl: update to 2.6.3
* minor incompatible change: (MAKE-ARRAY X :ELEMENT-TYPE 'UNDEFINED)
now signals an error, consistent with (UPGRADED-ARRAY-ELEMENT-TYPE
'UNDEFINED).
* platform support:
** fix disassembler on ppc for the MFLR and ISEL instructions
** the Lisp Return Address object (as part of the Lisp calling
convention) is no longer needed or supported on PPC, SPARC,
MIPS or ARM.
** remove sensitivity to SBCL init files when building
embedcore-sbcl.
** add support for the ADCX and ADOX instructions on x86-64.
** on PPC64, indicate the number of return values through flags,
making function calls four times faster.
** fix FFI involving int128 arguments on x86-64
** fix build on OpenIndiana/x86-64
** fix build on Haiku/x86-64
* bug fix: improved stability of (particularly) the mark-region
[32 lines not shown]
ncdu: update to 2.9.2.
2.9.2 - 2025-10-24
- Still requires Zig 0.14 or 0.15
- Fix hang on loading config file when compiled with Zig 0.15.2
2.9.1 - 2025-08-21
- Add support for building with Zig 0.15
- Zig 0.14 is still supported
2.9 - 2025-08-16
- Still requires Zig 0.14
- Add --delete-command option to replace the built-in file deletion
- Move term cursor to selected option in delete confirmation window
- Support binary import on older Linux kernels lacking statx() (may break
again in the future, Zig does not officially support such old kernels)
misc: import raspberrypi-usbboot version 1.0
This contains the Raspberry Pi USB device boot software known as rpiboot. The
rpiboot tool provides a file server for loading software into memory on a
Raspberry Pi for provisioning. By default, it boots the device with firmware
that makes it appear to the host as a USB mass-storage device. The host
operating system then treats it as a standard USB drive, allowing the filesystem
to be accessed. An operating system image can be written to the device using the
Raspberry Pi Imager.
On Compute Module 4 and newer devices, rpiboot is also used to update the
bootloader SPI flash EEPROM.
Tested on macOS/amd64 and NetBSD/amd64.
net/dnsdist: Update to version 2.0.3
Provided by Marcin Gondek in wip.
Improvements
Add a metric for the latency of the latest health-check
Export DNS flags via ProtoBuf
Add a histogram of health-check latencies for backends
Bug Fixes
CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged into the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
CVE-2026-27854: Denial of service when using "DNSQuestion:getEDNSOptions" method in custom Lua code
[8 lines not shown]
py-cairosvg: updated to 2.9.0
2.9.0
Version 2.9.0 released on 2026-03-13
WARNING: this is a security update.
Using a lot of recursively nested use tags could lead to long rendering times with relatively small inputs. CairoSVG now stops rendering when more than 100k use tags are rendered.
Using the --unsafe option allows rendering larger documents.
Drop support of Python 3.9, add support of Python 3.14