Update devel/objfw to 1.5.6
Changes from ObjFW 1.5.5:
* Unpaired UTF-16 surrogates are now converted to WTF-8
* Collections now refuse to be inserted into themselves
* Fixes OFMutableData dropping the itemSize in one convenience initializer
* Fixes OFFileIRIHandler setting the UID to the GID
* Fixes handling of BOM in -[OFUTF8String initWithUTF8StringNoCopy:length:freeWhenDone:]
* OFMutableIndexSet now correctly inserts / removes from self
* OFMutableUTF8String now correctly appends and replaces self
* Fixes handling of TLS close notifications
* Fixes relocking the mutex in OFCondition on Windows
* Fixes searching for a handler after a cleanup in the runtime
* Fixes parsing JSON containing an exponent without a decimal point
* Call va_end() after va_copy() everywhere
* Default depth limit of all parsers increased from 32 to 128
* -[OFIRI fileSystemRepresentation] now rejects IRIs with a non-empty host, except on Windows where it is used for UNC
* Fixes setting a nil extraField in OFMutableZIPArchiveEntry
* Fixes setting a nil Amiga comment in OFMutableTarArchiveEntry
[4 lines not shown]
py-WebOb: updated to 1.8.10
1.8.10 (2026-06-02)
Security Fix
- The fix for CVE-2024-42353 was incomplete: a Location value containing
ASCII tab, carriage return, or line feed characters between consecutive
slashes could still be interpreted as a protocol-relative URL by
``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect.
tor: updated to 0.4.9.10
Changes in version 0.4.9.10 - 2026-06-23
Another release with an important security fix and major bugfixes. We
strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, security, TROVE):
- Reject a CONFLUX_LINK cell that arrives on a circuit which already
has attached streams. A malicious client could send a
RELAY_COMMAND_BEGIN before the CONFLUX_LINK on the same circuit,
attaching an exit stream that would later end up orphan leaving a
dangling circuit back-pointer and a use-after-free (UAF) when the
circuit is freed. TROVE-2026-025. Fixes bug 41258; bugfix
on 0.4.8.1-alpha.
o Major bugfixes (client):
- Resume warning about unsafe socks protocols (socks4 or
socks5-not-hostname) when SafeSocks is not set. Also resume
warning every time when TestSocks is set. Fixes bug 41290; bugfix
[37 lines not shown]
misc/py-libtmux: Update to 0.58.1
## libtmux 0.58.1 (2026-06-16)
libtmux 0.58.1 restores compatibility with pytest 9.1. The bundled
pytest plugin no longer aborts at import time, so projects that rely on
libtmux's fixtures can move to the latest pytest without their test
suite failing before collection.
## libtmux 0.58.0 (2026-05-23)
libtmux 0.58.0 fixes subprocess output decoding on non-UTF-8 locales.
Both {class}`~libtmux.common.tmux_cmd` and
{class}`~libtmux._internal.control_mode.ControlMode` now enforce UTF-8
when reading tmux output, matching tmux's own encoding contract.
## libtmux 0.57.1 (2026-05-18)
Restores the "lenient-by-default" behavior for
[68 lines not shown]
libtorrent rtorrent: updated to 0.16.15
0.16.15
Cleanup of old unused/unneeded code and commands continues, and the deprecated commands should no longer be used.
libass: updated to 0.17.5
libass (0.17.5)
* Fix limited OOB read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm; CVE pending)
* Fix OOB bit clears for negative Matroska ReadOrder fields (GHSA-5gf7-wjfm-vmvm; CVE pending)
* Fix \fay with glyph clusters
* Fix small alpha changes not always splitting runs when combined with fade
* Fix compilation with MSVC-mode clang
* Fades are now applied to BorderStyle=4 boxes too
* Fonts using legacy arabic Windows charmaps are now supported
* ass_render_frame no longer returns fully transparent images
* Avoid MSVC’s subpar code generation for isnan to bring performance closer to other compilers
* Avoid SSE instructions if compiler baseline already includes AVX
bfs: update to 4.1.3. Changes:
## Bug fixes
- Fixed a segfault when binaries built on macOS 26.4+ were run on older macOS
versions (#229)
- Fixed a potential hang in the test suite
- Fixed `./configure`-time detection of `sysctlbyname()` on FreeBSD (#219)
- Bumped the default version number, which was missed in 4.1.1
- Fixed `./configure CFLAGS=...` being overridden by auto-detected flags
- Fixed the build for WASIX
- Fixed the build on Android < 11 (#215)
- `bfs` now takes system-wide open file limits into account.
Previously, a handful of concurrent `bfs` instances could overwhelm a system
with a low global limit, particularly macOS.
- Fixed an invalid optimization that transformed
$ bfs -user you -or -user me
[350 lines not shown]
nodejs22: updated to 22.23.1
22.23.1 'Jod' (LTS)
This release includes a fix for an unexpected behavior introduced
by the recent security release (22.23.0).
amule: updated to 3.0.0
3.0.0
Highlights
Throughput rewrite. Disk I/O moved off the main thread, ASIO/EPOLLET races fixed, throttlers replaced with proper token-bucket limiters. Peer-to-peer download on the same hardware sees ~100–380× speedups across macOS / Linux / Windows over 2.3.3, plus aMule 3.0.0 sustains ~4.8× the upload throughput of eMule 0.70b on Windows. See Performance for the full matrix and per-PR breakdown.
Both throttlers (MaxUpload, MaxDownload) were also broken pre-fix — MaxUpload=0 capped at "current rate + 5 KB/s", MaxDownload was a ratio controller rather than a literal cap. Both rewritten. Important user-facing bug fixes, but secondary to the headline numbers.
Big-library / big-shareset scaling. Follow-up wave targeting nodes with 100 k+ shared files: per-file EC payload caches, skip-unchanged EC updates, local-peer ZLIB bypass, and a string of O(N²) → O(N log N) / O(1) algorithmic fixes across SharedFileList, SharedFilesCtrl, KnownFileList, wxListCtrl, ExternalConn, and amuleweb — the WebUI / amulegui stay responsive even on libraries where the previous GUI took minutes to redraw.
CMake replaces autotools. Single build system, modern toolchain — minimum CMake 3.10, minimum wxWidgets 3.2.0.
Native binaries for every major desktop. AppImage (x86_64 + aarch64), Flatpak (x86_64 + aarch64), macOS Universal2 .dmg (now bundling aMuleGUI.app alongside aMule.app), Windows portable .zip and NSIS installer (x64 + ARM64). First-run desktop integration prompt for AppImage; cross-platform autostart-on-login toggle.
Auto-rescan of shared folders. wxFileSystemWatcher-driven, with recursive vs explicit-share intent split and coverage of Incoming + per-category Incoming dirs.
HTTPS works again. CHTTPDownloadThread rewritten on top of wxWebRequest; the hand-rolled stack had silently stopped working against modern TLS.
Kad parallel searches with alpha-frontier widening.
MaxMindDB replaces deprecated GeoIP for IP→country.
graphics/geeqie: Update to 2.8
pkgsrc changes:
drop patch that is now upstream
Upstream NEWS:
Geeqie 2.8
============
- Extensive bug fixes and code improvements
- More progress in GTK4 migration
geography/py-gnssutils: Update to 1.2.5
Upstream NEWS:
## What's Changed
1. Further enhancements and bug fixes to RINEX conversion routines.
1. Add support for SBAS L1CA, QZSS LNAV/CNAV, IRNSS (NAVIC) LNAV.
**NB:** Rinex Conversion remains an experimental Alpha feature and contributions (including wider area testing and bug reports) and feedback are welcomed.
mimsc/libreoffice: Update to 26.2.4.2
* Fix build with GCC 14 in NetBSD 11.99.6 base.
Changelog:
26.2.4.2:
List of fixed bugs
Bugs fixed compared to 26.2.4 RC1:
ofz#513047070 return early before unnecessary dereference [Caolán McNamara]
ofz#513256641 null-dereference READ [Caolán McNamara]
tdf#170420 LibreOffice Base hangs if I convert a text box to a list box in a form. [Dan Williams]
tdf#172008 Blank Black Window in LibreOffice in Windows 11, skia Vulkan rendering (Intel Iris Xe Graphics) [Julien Nabet]
26.2.4.1:
List of fixed bugs
Bugs fixed compared to 26.2.3 RC2:
[45 lines not shown]
py-tibs: updated to 0.10.0
0.10.0
Backwardly incompatible changes
* Removed `__hash__` method from `Tibs`. Because `Tibs` can compare equal to
other types (for example `Tibs('0xf') == '0b1111'`), the hash should not have
been available. The new recommendation is to use the `encode` method to
convert to `bytes` objects to use as keys.
Fixes
* Fixed LSB0 field extraction and assignment ordering for combined bit-order and
byte-order views. LSB0 labels now identify the physical bits while extracted
fields are returned in field-value order instead of being bit-reversed.
* Fixed dtype length validation for `bin`, `oct` and `hex` values passed to
`from_value` and `from_values`.
