libffi: updated to 3.7.0
3.7.0 adds three new public interfaces (ffi_call_plan_alloc,
ffi_call_plan_invoke, ffi_call_plan_free) additively, with no
existing interface removed or changed. Per the libtool rules:
increment current, reset revision, increment age (11:1:3 -> 12:0:4).
This keeps the change ABI backward-compatible; the soname stays
libffi.so.8 (current - age = 8).
py-testfixtures: updated to 12.3.0
12.3.0 (8 Jul 2026)
- Added :doc:`pydantic <pydantic>` support: a :func:`comparer <testfixtures.pydantic.compare_basemodel>`
for :class:`~pydantic.BaseModel` is automatically registered, and the ``testfixtures[pydantic]``
extra installs a compatible version.
- Added :class:`ReprComparison` and :func:`repr_like` for asserting an object's type along with its
:func:`repr`.
- Added :class:`StrComparison` and :func:`str_like` for asserting an object's type along with its
:class:`str`.
- Added :func:`mapping`, the typed helper for :class:`MappingComparison`.
- :func:`like` now accepts a regular expression, as a string or a compiled :class:`re.Pattern`,
returning a :class:`TextComparison` typed as a :class:`str`. :class:`TextComparison` can also
now be built directly from a compiled :class:`re.Pattern`.
[9 lines not shown]
py-flask-caching: updated to 2.4.1
2.4.1
- Use ``pallets_sphinx_themes`` for the documentation.
- Type ``CachedResponse.__init__`` so it doesn't trigger mypy ``[no-untyped-call]``
in strict downstream codebases. :issue:`628`
- Docs: clarify that ``@memoize`` uses ``repr(obj)``
(or ``__caching_id__``) for the ``self``/``cls`` identity, not Python's
:func:`id`. :issue:`555`
- Fix test failure with pytest 9.1. :issue:`651`
py-asn1: updated to 0.6.4
0.6.4, released 08-07-2026
- CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time
complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders.
A small crafted substrate encoding many arcs could consume
excessive CPU. Arcs are now accumulated in linear time; decoded
values are unchanged (thanks for reporting, tynus2)
- CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag
IDs to 20 octets (140 bits), matching the OID arc limit introduced
in 0.6.2. Unbounded tag IDs allowed a crafted substrate to consume
excessive CPU and memory; longer tag IDs are now rejected with
PyAsn1Error. Also fixed Tag and TagSet repr() failing on huge tag
(thanks for reporting, mikeappsec)
IDs due to the integer-to-string conversion limit (Python 3.11+)
- CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and
CPU consumption in Real.__float__() for values with large base-10
exponents. Conversion no longer materializes huge intermediate
[7 lines not shown]
p5-ack: update to 3.10.0.
v3.10.0 Sun Jun 7 11:50:37 CDT 2026
========================================
[SECURITY]
CVE-2026-49147: filename ANSI escape sequences
CVE-2026-49146: project .ackrc -A -B -C memory exhaustion
CVE-2026-49145: project .ackrc --follow / --files-from file exfiltration
[FIXES]
Fixed a bug where types set in the .ackrc could not be overridden from the
command line. Thanks, Dmitri Vereshchagin. (GH #393)
v3.9.0 Mon May 26 15:02:57 CDT 2025
========================================
The --not option can be used with either --and or --or.
The -g option can now use any of the boolean options, --and, --or or --not.
[39 lines not shown]
p5-YAML-PP: update to 0.41.0.
v0.41.0 2026-06-17 22:01:34+02:00
- tests: replace Test::Warn with Test::Warnings (PR #59, @haarg)
- Fix test suite tag data
v0.40.0 2026-04-24 16:51:28+02:00
- Security: Limit default allowed maximum nesting level.
Set it via new option 'max_depth'.
v0.39.0 2025-02-10 00:01:45+01:00
- Allow unknown tags again, reverting the previous change in v0.38.1 which
only was supposed to be a dev release
- Add new option require_footer
v0.38.1 2025-01-25 00:30:13+01:00
[17 lines not shown]
www/freenginx-devel: update from 1.31.2 to 1.31.3
Sponsored by: tipi.work
<ChangeLog>
*) Feature: additional checks are now used during variable substitution,
including during execution of the ngx_http_rewrite_module directives,
to prevent buffer overruns in case of errors in the code.
*) Bugfix: if the "auth_request_set" directive or regular expression
named captures were used to change prefix variables, such as
"$http_...", corresponding variables became empty in other parts of
the configuration.
*) Bugfix: changing the $limit_rate and $args variables with the
"auth_request_set" directive or regular expression named captures
worked incorrectly.
[23 lines not shown]
go: update to 1.26.5 and 1.25.12 (security)
These releases include 2 security fixes following the security policy:
- os: Root escape via symlink plus trailing slash
On Unix systems, opening a file in an os.Root improperly
followed symlinks to locations outside of the Root when
the final path component of the a path is a symbolic link
and the path ends in /.
For example, root.Open("symlink/") would open "symlink" even when
"symlink" is a symbolic link pointing outside of the root.
On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
in path when path ends in a /. Root failed to account for
this behavior, permitting paths with a trailing / to escape.
It now properly sanitizes the path parameter provided to openat.
[18 lines not shown]
py-mocket: updated to 3.14.2
3.14.2
tests: add tests for hexdump and hexload, including ValueError on invalid hex
Better can_handle_fun documentation
Raise an error when both can_handle_fun and match_querystring are used