NetBSD/pkgsrc ykSodgvdoc CHANGES-2026

   doc: Updated math/R to 4.5.3
VersionDeltaFile
1.3007+2-1doc/CHANGES-2026
+2-11 files

NetBSD/pkgsrc 9PDztGJmath/R distinfo Makefile

   (math/R) Updated 4.5.2 to 4.5.3, another update may follow,:

   CHANGES IN R 4.5.3:

     UTILITIES:

       * tools/fetch-recommended can be used instead of
         tools/rsync-recommended to fetch recommended packages into R
         sources using curl on systems without rsync or behind firewalls.

     PACKAGE INSTALLATION:

       * C++ standard specifications (CXX_STD = in src/Makevars* and in
         the SystemRequirements field of the DESCRIPTION file) are now
         checked more thoroughly.  Invalid values are still ignored but
         now give a warning, as do contradictory specifications.

       * (Preliminary) support for C++26 has been extended to Windows.


    [51 lines not shown]
VersionDeltaFile
1.117+4-4math/R/distinfo
1.283+4-3math/R/Makefile
1.46+2-1math/R/PLIST
+10-83 files

NetBSD/pkgsrc Y1NX9GCmail/mu distinfo, mail/mu/patches patch-lib_utils_mu-sexp.cc patch-lib_utils_mu-html-to-text.cc

   mu: found another ctype(3) issue...
VersionDeltaFile
1.1+32-0mail/mu/patches/patch-lib_utils_mu-sexp.cc
1.2+11-2mail/mu/patches/patch-lib_utils_mu-html-to-text.cc
1.18+3-2mail/mu/distinfo
+46-43 files

NetBSD/pkgsrc mnYNtU3sysutils/gvfs hacks.mk distinfo

   sysutils/gvfs: fix broken gvfs binary (missing shared object)
VersionDeltaFile
1.2+6-1sysutils/gvfs/hacks.mk
1.29+2-2sysutils/gvfs/distinfo
1.144+2-1sysutils/gvfs/Makefile
+10-43 files

NetBSD/pkgsrc E0Bl6Qnmail/mu distinfo, mail/mu/patches patch-lib_message_mu-labels.cc patch-lib_message_mu-message-part.cc

   mu: found more ctype bugs
VersionDeltaFile
1.1+20-0mail/mu/patches/patch-lib_message_mu-labels.cc
1.1+15-0mail/mu/patches/patch-lib_message_mu-message-part.cc
1.1+15-0mail/mu/patches/patch-lib_mu-query-processor.cc
1.1+15-0mail/mu/patches/patch-lib_utils_mu-utils.cc
1.17+5-1mail/mu/distinfo
+70-15 files

NetBSD/pkgsrc VqNbhmwmail/mu distinfo, mail/mu/patches patch-lib_utils_mu-html-to-text.cc

   mu: fixed ctype(3) issue
VersionDeltaFile
1.1+24-0mail/mu/patches/patch-lib_utils_mu-html-to-text.cc
1.16+2-1mail/mu/distinfo
+26-12 files

NetBSD/pkgsrc bDF3szzdoc CHANGES-2026

   Updated www/py-django[5]
VersionDeltaFile
1.3006+3-1doc/CHANGES-2026
+3-11 files

NetBSD/pkgsrc xb698ABwww/py-django5 distinfo Makefile

   py-django5: updated to 5.2.14

   Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.

   CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass¶

   ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

   As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

   This issue has severity “low” according to the Django security policy.

   CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST¶

   Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.

   This issue has severity “low” according to the Django security policy.

   CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware¶

    [2 lines not shown]
VersionDeltaFile
1.2+4-4www/py-django5/distinfo
1.2+2-2www/py-django5/Makefile
+6-62 files

NetBSD/pkgsrc G2SDHLwwww/py-django distinfo Makefile

   py-django: updated to 6.0.5

   6.0.5

   Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.

   CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

   ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

   As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

   This issue has severity “low” according to the Django security policy.

   CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

   Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.

   This issue has severity “low” according to the Django security policy.

    [12 lines not shown]
VersionDeltaFile
1.127+4-4www/py-django/distinfo
1.155+2-2www/py-django/Makefile
+6-62 files

NetBSD/pkgsrc d4kx5jidoc CHANGES-2026

   Updated net/samba4, net/freeradius
VersionDeltaFile
1.3005+3-1doc/CHANGES-2026
+3-11 files

NetBSD/pkgsrc 0yFuwCfnet/freeradius PLIST Makefile, net/freeradius-freetds Makefile

   freeradius: updated to 3.2.8

   FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
   Configuration changes
   * Replace dictionary.infinera with the correct one.
   * Update dictionary.alteon

   Feature improvements
   * Add support for automated fuzzing.  This doesn't affect
     normal operations, but it does allow for testing of the
     RADIUS decoder.
   * Allow tagged attributes to use ":V" as a tag in some cases.
     The tag is then read from the value which is being assigned
     to the attribute.  This functionality is allowed in 'update'
     sections, including 'update' in module configurations.
     See mods-available/ldap for an example.
   * Add kafka module.  See mods-available/kafka.
   * Allow &control:Packet-SRC-IP-Address to be used when
     proxying needs a given source address.

    [47 lines not shown]
VersionDeltaFile
1.42+100-2net/freeradius/PLIST
1.132+2-9net/freeradius/Makefile
1.51+4-5net/freeradius/distinfo
1.17+3-3net/freeradius/Makefile.common
1.32+1-2net/freeradius-sqlite3/Makefile
1.35+1-2net/freeradius-freetds/Makefile
+111-234 files not shown
+115-3010 files

NetBSD/pkgsrc BGLeULSnet/samba4 distinfo Makefile

   samba4: updated to 4.24.2

   Changes since 4.24.1
   * BUG 16038: Samba 4.24 with cups can't get queue and shows errors about
     fetch_share_cache_time
   * BUG 16043: Fix a directory file descriptor leak in vfs_glusterfs that
     caused      unbounded memory growth on the GlusterFS brick with
     persistent SMB2      connections.
   * BUG 16030: Windows Offline Files fails with permission error when directory
     has the read‑only attribute set
   * BUG 15991: samba not triggering mount of zfs snapshot in dataset
     .zfs/snapshots/<snapname> directory
   * BUG 15999: net ads join still fails with multiple DCs
   * BUG 16076: samba-tool shows wrong format specifiers for timestamp
     attributes
   * BUG 14638: restrict anonymous = 2 breaks RODC functionality
   * BUG 15973: smbpasswd can crash winbindd on an AD DC
   * BUG 15995: smbd does not cleanup on disconnect of the transport connection
     on lease break errors

    [9 lines not shown]
VersionDeltaFile
1.125+4-4net/samba4/distinfo
1.215+2-2net/samba4/Makefile
+6-62 files

NetBSD/pkgsrc dTP9dx3doc CHANGES-2026 TODO

   Updated editors/qtcreator
VersionDeltaFile
1.3004+2-1doc/CHANGES-2026
1.27254+1-2doc/TODO
+3-32 files

NetBSD/pkgsrc yngoFUbeditors/qtcreator PLIST distinfo, editors/qtcreator/patches patch-src_app_CMakeLists.txt

   qtcreator: updated to 19.0.1

   Qt Creator version 19.0.1 contains bug fixes.

   General

   Fixed

   * That preferences for newly enabled plugins were only available after restart
   * Various issues with marking the `Preferences` as dirty
   * A possible crash when opening the `About Qt Creator` dialog multiple times
   * That using the keyboard shortcut for `Advanced Find` did not raise the search
     widget
   * Model Context Protocol
       * A crash when using the `quit` action

   Editing

   Fixed

    [16 lines not shown]
VersionDeltaFile
1.10+94-49editors/qtcreator/PLIST
1.16+5-5editors/qtcreator/distinfo
1.4+5-5editors/qtcreator/patches/patch-src_app_CMakeLists.txt
1.48+6-3editors/qtcreator/Makefile
+110-624 files

NetBSD/pkgsrc yGYVz36doc CHANGES-2026

   doc: Updated textproc/gsed to 4.10
VersionDeltaFile
1.3003+2-1doc/CHANGES-2026
+2-11 files

NetBSD/pkgsrc 0kdrbB3textproc/gsed distinfo Makefile, textproc/gsed/patches patch-Makefile.in patch-gnulib-tests_localename.c

   gsed: update to 4.10.

   * Noteworthy changes in release 4.10 (2026-04-21) [stable]

   ** Bug fixes

     sed 's/a/b/g' (and other global substitutions) now works on input
     lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
     would evoke a "panic" (exit 4).
     [bug present since the beginning]

     'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
     an attacker swap a symlink between resolution and open, causing sed to
     read attacker-chosen content and write it to the original target.
     [bug introduced in sed 4.1e]

     sed no longer falsely matches when back-references are combined with
     optional groups (.?) and the $ anchor.  For example, this no longer
     falsely matches the empty string at beginning of line:

    [49 lines not shown]
VersionDeltaFile
1.37+5-8textproc/gsed/distinfo
1.68+2-11textproc/gsed/Makefile
1.4+5-5textproc/gsed/patches/patch-Makefile.in
1.20+3-1textproc/gsed/PLIST
1.2+1-1textproc/gsed/patches/patch-gnulib-tests_localename.c
1.2+1-1textproc/gsed/patches/patch-gnulib-tests_vma-iter.c
+17-271 files not shown
+18-287 files

NetBSD/pkgsrc c2Iojskdoc CHANGES-2026

   Updated meta-pkgs/qt6
VersionDeltaFile
1.3002+36-1doc/CHANGES-2026
+36-11 files

NetBSD/pkgsrc Wi1M7Akmultimedia/qt6-qtmultimedia distinfo, multimedia/qt6-qtmultimedia/patches patch-src_plugins_multimedia_ffmpeg_CMakeLists.txt

   qt6: updated to 6.11.1

   6.11.1
   Bug fixes
VersionDeltaFile
1.3+10-10www/qt6-qtwebengine/PLIST
1.7+8-8www/qt6-qtwebengine/distinfo
1.2+8-8www/qt6-qtwebengine/patches/patch-src_core_CMakeLists.txt
1.3+7-7www/qt6-qtwebengine/patches/patch-src_3rdparty_chromium_third__party_angle_src_libANGLE_Display.cpp
1.3+6-6multimedia/qt6-qtmultimedia/patches/patch-src_plugins_multimedia_ffmpeg_CMakeLists.txt
1.26+5-5multimedia/qt6-qtmultimedia/distinfo
+44-4436 files not shown
+184-18142 files

NetBSD/pkgsrc Wf22WL2math/py-numpy distinfo

   math/py-numpy: Undo unintentional part of previous commit.

   PR pkg/60256: devel/py-numpy: log1pl workaround no longer works around
VersionDeltaFile
1.113+2-2math/py-numpy/distinfo
+2-21 files

NetBSD/pkgsrc rj6yIHSmath/py-numpy distinfo Makefile, math/py-numpy/patches patch-numpy___core_src_npymath_npy__math.c patch-numpy___core_src_common_mem__overlap.c

   math/py-numpy: Tweak workaround for missing log2l/log1pl/expm1l.

   1. Put it in npy_math.c as needed by _umath_linalg.so.

   2. Limit it to NetBSD<10, since NetBSD>=10 has at least stubs (just
      like this workaround implements, in terms of double functions) if
      not proper long double implementations (NetBSD>=11).

   Fixes:

   >>> import numpy
   ...
   ImportError: /home/riastradh/pkgsrc/current/pkg/lib/python3.11/site-packages/numpy/linalg/_umath_linalg.so: Undefined PLT symbol "log1pl" (symnum = 20)

   PR pkg/60256: devel/py-numpy: log1pl workaround no longer works around
VersionDeltaFile
1.1+28-0math/py-numpy/patches/patch-numpy___core_src_npymath_npy__math.c
1.112+3-3math/py-numpy/distinfo
1.150+2-1math/py-numpy/Makefile
1.2+1-1math/py-numpy/patches/patch-numpy___core_src_common_mem__overlap.c
+34-54 files

NetBSD/pkgsrc LaHDGKssecurity/py-cryptography Makefile

   py-cryptography reqires openssl3, make it so

   PR 60255 by riastradh
VersionDeltaFile
1.145+2-1security/py-cryptography/Makefile
+2-11 files

NetBSD/pkgsrc yNxjwiSdoc CHANGES-2026 TODO

   doc: Updated sysutils/lima to 2.1.1
VersionDeltaFile
1.3001+2-1doc/CHANGES-2026
1.27253+1-2doc/TODO
+3-32 files

NetBSD/pkgsrc pUWWdf0sysutils/lima distinfo go-modules.mk

   sysutils/lima: update to version 2.1.1

   The default docker template still does not boot on my NetBSD host, but
   the docker.lima wrapper worked for me just fine when using debian-13
   instead, and installing docker.io there.

   Tested on NetBSD/amd64.

   Changes since version 2.1.0:

   * Binary release:
     - Add Windows artifacts (#4789)
   * macOS guest:
     - Allow unusual range of UID (#4171, thanks to @balajiv113)
   * vz:
     - Honor audio.device=none (#4762, thanks to @BizerNotNull)
   * nerdctl:
     - Update from v2.2.1 to v2.2.2 (#4787)
       . This release of the nerdctl distribution updates BuildKit

    [59 lines not shown]
VersionDeltaFile
1.6+292-496sysutils/lima/distinfo
1.6+97-165sysutils/lima/go-modules.mk
1.4+38-4sysutils/lima/PLIST
1.12+2-3sysutils/lima/Makefile
+429-6684 files

NetBSD/pkgsrc cmzNGWOdoc CHANGES-pkgsrc-2026Q1

   Add a missing empty line
VersionDeltaFile
1.1.2.20+2-1doc/CHANGES-pkgsrc-2026Q1
+2-11 files

NetBSD/pkgsrc Wth0eDIdoc CHANGES-pkgsrc-2026Q1

   Pullup tickets #7110 and #7111
VersionDeltaFile
1.1.2.19+7-1doc/CHANGES-pkgsrc-2026Q1
+7-11 files

NetBSD/pkgsrc VSjc1gAeditors/vim-share distinfo version.mk, editors/vim-share/patches patch-popupwin.c patch-feature.h

   Pullup ticket #7111 - requested by morr
   editors/vim: security fix

   Revisions pulled up:
   - editors/vim-share/PLIST                                       1.88
   - editors/vim-share/distinfo                                    1.232-1.233
   - editors/vim-share/patches/patch-feature.h                     1.9
   - editors/vim-share/patches/patch-popupwin.c                    1.4
   - editors/vim-share/patches/patch-vim.h                         1.4
   - editors/vim-share/version.mk                                  1.168-1.169

   ---
      Module Name:    pkgsrc
      Committed By:   morr
      Date:           Wed May  6 20:26:50 UTC 2026

      Modified Files:
              pkgsrc/editors/vim-share: PLIST distinfo version.mk
              pkgsrc/editors/vim-share/patches: patch-feature.h patch-popupwin.c

    [124 lines not shown]
VersionDeltaFile
1.227.2.5+7-7editors/vim-share/distinfo
1.3.4.1+5-5editors/vim-share/patches/patch-popupwin.c
1.8.4.1+3-3editors/vim-share/patches/patch-feature.h
1.3.4.1+2-2editors/vim-share/patches/patch-vim.h
1.163.2.5+2-2editors/vim-share/version.mk
1.85.2.3+3-1editors/vim-share/PLIST
+22-206 files

NetBSD/pkgsrc EX2DuDMgraphics/lcms2 distinfo Makefile

   Pullup ticket #7110 - requested by taca
   graphics/lcms2: security fix

   Revisions pulled up:
   - graphics/lcms2/Makefile                                       1.24
   - graphics/lcms2/distinfo                                       1.17

   ---
      Module Name:      pkgsrc
      Committed By:     wiz
      Date:             Thu Apr 30 05:13:08 UTC 2026

      Modified Files:
        pkgsrc/graphics/lcms2: Makefile distinfo

      Log Message:
      lcms2: update to 2.19.

      All tests pass.

    [67 lines not shown]
VersionDeltaFile
1.16.20.1+4-4graphics/lcms2/distinfo
1.23.6.1+2-3graphics/lcms2/Makefile
+6-72 files

NetBSD/pkgsrc qQIbkRJdoc CHANGES-pkgsrc-2026Q1

   Pullup tickets up to #7109
VersionDeltaFile
1.1.2.18+22-1doc/CHANGES-pkgsrc-2026Q1
+22-11 files

NetBSD/pkgsrc bEPkTQIlang/ruby rubyversion.mk

   Pullup ticket #7104 - requested by taca
   lang/ruby34: security fix

   Revisions pulled up:
   - lang/ruby/rubyversion.mk                                      1.321
   - lang/ruby34/Makefile                                          1.8
   - lang/ruby34/distinfo                                          1.14
   - lang/ruby34/patches/patch-lib_erb.rb                          1.1
   - lang/ruby34/patches/patch-lib_erb_version.rb                  1.1
   - lang/ruby34/patches/patch-test_erb_test__erb.rb               1.1

   ---
      Module Name:      pkgsrc
      Committed By:     taca
      Date:             Wed May  6 05:15:35 UTC 2026

      Modified Files:
        pkgsrc/lang/ruby: rubyversion.mk
        pkgsrc/lang/ruby34: Makefile distinfo

    [10 lines not shown]
VersionDeltaFile
1.314.2.7+2-2lang/ruby/rubyversion.mk
+2-21 files

NetBSD/pkgsrc lapbVcNdoc CHANGES-2026

   doc: Updated textproc/p5-YAML-Syck to 1.45
VersionDeltaFile
1.3000+2-1doc/CHANGES-2026
+2-11 files