py-tornado: updated to 6.5.5
What's new in Tornado 6.5.5
Security fixes
- ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a
denial-of-service attack via very large requests with many parts. This limit is configurable
via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely
if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and
[bekkaze](https://github.com/bekkaze) for reporting this issue.
- The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now
validated for illegal characters, which could be abused to inject other attributes on the cookie.
Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
- Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to
[sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
py-setuptools: updated to 82.0.1
82.0.1
Bugfixes
Fix the loading of launcher manifest.xml file.
Replaced deprecated json.__version__ with fixture in tests.
Improved Documentation
Add advice about how to improve predictability when installing sdists.
py-acme py-certbot*: updated to 5.4.0
5.4.0 - 2026-03-10
Added
- The webroot plugin now supports IP address issuance.
Changed
- certbot-nginx now requires pyparsing>=3.0.0.
nginx-devel: updated to 1.29.6
Changes with nginx 1.29.6 10 Mar 2026
*) Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive
supports the "route" and "drain" parameters.
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: "[crit] cache file ... contains invalid header" messages
might appear in logs when sending a cached HTTP/2 response.
*) Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
[9 lines not shown]
ppsspp ppsspp-qt libretro-ppsspp: updated to 1.20.2
What's new in 1.20.2
Improved server list for ad hoc multiplayer, dynamically updated and you can now add/remove entries
Fix broken multitouch on iOS with OpenGL
Ad hoc relay connection improvements
Fix a lot of minor UI issues
Fix background image selection on Android and iOS
Fix file permission issue on iOS
Add a "hold" version of axis swap toggle
Fix regression in Gripshift
Fix crash on audio device switch on Windows
Fix timing glitches in gamepad input on Windows
And other assorted fixes.
curl: update to 8.19.0.
curl and libcurl 8.19.0
Public curl releases: 273
Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
Contributors: 3619
This release includes the following changes:
o we stopped the bug bounty [23]
o cmake: add `CURL_BUILD_EVERYTHING` option [51]
o initial support for MQTTS [81]
o tool: support fractions for --limit-rate and --max-filesize [79]
o tool_cb_hdr: with -J, use the redirect name as a backup [147]
o vquic: drop support for OpenSSL-QUIC [80]
o windows: add build option to use the native CA store [82]
[268 lines not shown]
adguardhome: updated to 0.107.73
0.107.73
Security
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
giflib*: update to 6.1.2
Version 6.1.2
=============
Code Fixes
----------
* Fix for low-severity CVE-2026-23868 affecting gifponge, giftool, and gifbuild,
but not the core library - library clients need not be alarned.
Version 6.1.1
=============
This release bumps the major version, but only one entry point -
EGifSpew() - has changed signature and behavior (in order to be able
to pass out a detailed error code). The internal error
codes in the E_GIF_ERR series have changed value so none of them
collides with GIF_ERROR.
[66 lines not shown]
shells/oh-my-posh: update to 29.8.0
Bug Fixes
spotify: use correct D-Bus interface name on Linux (3c44733), closes #7365
theme: align socials icons and add bluesky instead of at (8857a5c)
zsh: prevent stream process from inheriting parent stdin (40164ef)
Features
lint markfown with vale (57df69a)
net/xfr: update to 0.9.3
Added
- Server --bind flag (#38) — xfr serve --bind <IP> binds TCP, QUIC, and UDP data listeners to a specific address.
Validates against -4/-6 flags and rejects unspecified addresses (::, 0.0.0.0).
Changed
- Server sends random payloads (#34) — server-side TCP and UDP send paths now use random bytes by default in
reverse and bidirectional modes, matching the client's default-on behavior.
Fixed
- QUIC dual-stack on Windows (#39) — QUIC server endpoint now creates its UDP socket via socket2 with explicit
IPV6_V6ONLY handling instead of relying on Quinn's Endpoint::server(). On Windows/macOS where IPV6_V6ONLY defaults
to true, binding to [::] would only accept IPv6 connections.
- Server random payload on single-port TCP reverse (#34) — the single-port TCP handler (DataHello path used by all
modern clients) was missing random_payload = true, causing reverse-mode downloads to still send zeros.
[4 lines not shown]
