devel/ruby-getopt: update to 1.7.1
1.7.0 (2026-02-13)
* Added the NEGATABLE option so you can do --no-whatever.
* A few warnings were cleaned up, along with rubocop updates.
* Some administrative stuff, updated Rakefile, Gemfile, etc.
1.7.1 (2026-05-20)
* Fixed short option parsing so aliases like -? work again. Thanks go to
swabianeagle for the spot.
devel/ruby-console: update to 1.35.1
1.35.0 (2026-05-19)
* Align decimals in elapsed time display. (#84)
* Fix handling of Errno::ENODEV errors when calculating the width of a
terminal that was been re-opened to File::NULL
1.35.1 (2026-05-19)
* Add missing context files to gemspec.
* Fix gem metadata.
doc: Updated mail/roundcube and related packages to 1.6.16
mail/roundcube
mail/roundcube-plugin-enigma
mail/roundcube-plugin-password
mail/roundcube-plugin-zipdownload
mail/roundcube: update to 1.6.16
1.6.16 (2026-05-14)
This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix stored XSS/HTML/CSS injection in subject field of the draft restore
dialog, reported by zazy
* Fix CSS injection bypass in HTML sanitizer via SVG <animate
attributeName="style">, reported by wooseokdotkim
* Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
backslash escape bypass, reported by skull
* Fix SSRF bypass via specific local address URLs
* Fix local/private URL fetch bypass when remote resources were not allowed,
reported by Orange Cyberdefense Vulnerability Disclosure Team
* Fix bypass of remote image blocking via CSS var(), reported by Geame
* Fix pre-auth arbitrary file delete via redis/memcache session poisoning
bypass, reported by valent1
[24 lines not shown]
p5-Crypt-DSA: update to 1.20.
1.20 -- Fri May 15 19:00:36 ADT 2026
- This module is now makred as deprecated. Crypt-DSA-GMP is a possible replacement.
- Improve the call to IPC::Open3::open3
- Security Fix CVE-2026-8704: replace two arg open
- Security Fix CVE-2026-8700: replace rand()
- Add a security policy
- Add use warnings
- Fixes #86424: typo fix
p5-HTTP-Tiny: update to 0.094.
0.094 2026-05-17 10:31:00+02:00 Europe/Brussels
- No changes from 0.093-TRIAL
0.093 2026-05-11 17:18:12+02:00 Europe/Brussels (TRIAL RELEASE)
- fix to prevent invalid characters in all headers, and prevent header
smuggling (CVE-2026-7010)
py-paramiko: updated to 5.0.0
5.0.0
[Feature]: Added a new, optional file_format keyword argument to PKey.write_private_key and PKey.write_private_key_file to allow writing out OpenSSH-style private key files in addition to the legacy PEM format.
Warning
While the default format remains PEM in Paramiko 5, future major releases are likely to change that default to the OpenSSH format. We recommend updating any key-writing code you have to be explicit now, to insulate yourself from such an update.
[Bug]: Added a password kwarg to PKey.from_type_string so it can handle encrypted keys like most other PKey constructors already could.
[Bug]: Fix Ed25519Key’s internals such that it no longer throws AttributeError during calls to __repr__ when only partly initialized. This isn’t a normal runtime problem (it only happens inside error handling for fatal errors like “not a valid private key”) but was perennially complicating test failure diagnosis and similar scenarios.
[Support]: Removed the demos/ folder; they’ve become too big a support burden and we’ve wanted to remove them for years.
Users who enjoyed the client-side demos should look at our wrapper library, Fabric.
We suspect the most-used demo was demos/demo-server.py and may consider adding a variant of it to the actual Python package in future.
[Support]: Renamed PKey.from_path’s passphrase argument to password so it’s consistent with all the other methods of instantiating PKey objects.
[24 lines not shown]
fabric: updated to 3.2.3
3.2.2
[Bug]: fabric.runners.Remote failed to properly deregister its SIGWINCH signal handler on shutdown; in rare situations this could cause tracebacks when the Python process receives SIGWINCH while no remote session is active. This has been fixed.
[Bug] 2204: The signal handling functionality added in Fabric 2.6 caused unrecoverable tracebacks when invoked from inside a thread (such as the use of fabric.group.ThreadingGroup) under certain interpreter versions. This has been fixed by simply refusing to register signal handlers when not in the main thread. Thanks to Francesco Giordano and others for the reports.
py-bumpver: updated to 2026.1132
2026.1132
- Add `allowed_branches` config option to restrict which branches can be released from. Accepts a comma-separated list of glob patterns (e.g. `master,main,release-*`). Empty (the default) allows any branch.