xz: update to 5.8.3.
5.8.3 (2026-03-31)
IMPORTANT: This includes a fix for CVE-2026-34743 which affects all
XZ Utils versions since 5.0.0. No new 5.2.x, 5.4.x, or 5.6.x
releases will be made, but the fix is in the v5.2, v5.4, and v5.6
branches in the xz Git repository.
* liblzma:
- Fix a buffer overflow in lzma_index_append(): If
lzma_index_decoder() was used to decode an Index that
contained no Records, the resulting lzma_index was left in
a state where a subsequent lzma_index_append() would
allocate too little memory, and a buffer overflow would occur.
The lzma_index functions are rarely used by applications
directly. In the few applications that do use these functions,
[35 lines not shown]
sbcl: update to 2.6.3
* minor incompatible change: (MAKE-ARRAY X :ELEMENT-TYPE 'UNDEFINED)
now signals an error, consistent with (UPGRADED-ARRAY-ELEMENT-TYPE
'UNDEFINED).
* platform support:
** fix disassembler on ppc for the MFLR and ISEL instructions
** the Lisp Return Address object (as part of the Lisp calling
convention) is no longer needed or supported on PPC, SPARC,
MIPS or ARM.
** remove sensitivity to SBCL init files when building
embedcore-sbcl.
** add support for the ADCX and ADOX instructions on x86-64.
** on PPC64, indicate the number of return values through flags,
making function calls four times faster.
** fix FFI involving int128 arguments on x86-64
** fix build on OpenIndiana/x86-64
** fix build on Haiku/x86-64
* bug fix: improved stability of (particularly) the mark-region
[32 lines not shown]
ncdu: update to 2.9.2.
2.9.2 - 2025-10-24
- Still requires Zig 0.14 or 0.15
- Fix hang on loading config file when compiled with Zig 0.15.2
2.9.1 - 2025-08-21
- Add support for building with Zig 0.15
- Zig 0.14 is still supported
2.9 - 2025-08-16
- Still requires Zig 0.14
- Add --delete-command option to replace the built-in file deletion
- Move term cursor to selected option in delete confirmation window
- Support binary import on older Linux kernels lacking statx() (may break
again in the future, Zig does not officially support such old kernels)
misc: import raspberrypi-usbboot version 1.0
This contains the Raspberry Pi USB device boot software known as rpiboot. The
rpiboot tool provides a file server for loading software into memory on a
Raspberry Pi for provisioning. By default, it boots the device with firmware
that makes it appear to the host as a USB mass-storage device. The host
operating system then treats it as a standard USB drive, allowing the filesystem
to be accessed. An operating system image can be written to the device using the
Raspberry Pi Imager.
On Compute Module 4 and newer devices, rpiboot is also used to update the
bootloader SPI flash EEPROM.
Tested on macOS/amd64 and NetBSD/amd64.
net/dnsdist: Update to version 2.0.3
Provided by Marcin Gondek in wip.
Improvements
Add a metric for the latency of the latest health-check
Export DNS flags via ProtoBuf
Add a histogram of health-check latencies for backends
Bug Fixes
CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged into the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
CVE-2026-27854: Denial of service when using "DNSQuestion:getEDNSOptions" method in custom Lua code
[8 lines not shown]
py-cairosvg: updated to 2.9.0
2.9.0
Version 2.9.0 released on 2026-03-13
WARNING: this is a security update.
Using a lot of recursively nested use tags could lead to long rendering times with relatively small inputs. CairoSVG now stops rendering when more than 100k use tags are rendered.
Using the --unsafe option allows rendering larger documents.
Drop support of Python 3.9, add support of Python 3.14
ngtcp2: updated to 1.22.0
1.22.0
Consistent hex literals and integer suffixes
Add missing entries to .gitignore
Deprecate quictls
Introduce struct ngtcp2_stateless_reset_token
Fix assertion failure without get_new_connection_id
Migrate to new callbacks
Add ngtcp2_pkt_write_stateless_reset2
Add missing callbacks to callbacks test
Add ngtcp2_conn_get_active_dcid2 and ngtcp2_cid_token2
Prefer sizeof token instead of integer constant
Introduce struct ngtcp2_path_challenge_data
Store cid and token directly into frame
tests: Remove xcid_init in favor of make_xcid
tests: Inline initialization for transport parameters tests
tests: Make shared crypto objects static const
[59 lines not shown]
py-async-lru: updated to 2.3.0
2.3.0
Added cache_contains() for read-only key lookup.
Changed cross-loop cache access to auto-reset and rebind to the current event loop.
Added AlruCacheLoopResetWarning when an auto-reset happens due to event loop change.
Forwarded cache_close(wait=...) for bound methods.
py-pygit2: updated to 1.19.2
1.19.2 (2026-03-29)
- Fix refcount and error handling issues in `filter_register(...)`
- Fix config with valueless keys
- New `Repository.load_filter_list(...)` and `FilterList`
- New `Odb.read_header(...)` and now `Odb.read(...)` returns `enums.ObjectType` instead of int
- Build and CI fixes
py-numpy: updated to 2.4.4
2.4.4
MAINT: Prepare 2.4.x for further development
BUG: Add test to reproduce problem
BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP
BUG: avoid warning on ufunc with where=True and no output
DOC: document caveats of ndarray.resize on 3.14 and newer
TST: fix POWER VSX feature mapping
MAINT: numpy.i: Replace deprecated ``sprintf`` with ``snprintf``...