sysutils/uutils-coreutils: update to 0.9.0
Rust Coreutils 0.9.0 Release:
We are excited to announce the release of Rust Coreutils 0.9.0 - a release focused on safety and security.
This cycle was shaped by a third-party security audit, driving extensive TOCTOU hardening and a sustained,
project-wide effort to shrink the amount of unsafe code by removing it outright and migrating low-level
syscalls from nix/libc to rustix.
On top of that, we landed major zero-copy I/O performance work (splice/tee/pipe), broadened WebAssembly,
Cygwin and Windows support, and continued contributing tests and bug reports upstream to GNU coreutils.
Highlights:
GNU Compatibility & Upstream Contributions
629 passing tests (+7 from 0.6.0), with 19 new tests added from the GNU 9.10 update
Updated GNU test reference from 9.9 to 9.10
Contributed numerous patches upstream to GNU coreutils, benefiting both projects
New GNU compatibility fixes across date, fmt, kill, ptx, numfmt, cksum, and more
Took over maintenance of num-prime, the primality testing library used by factor
[105 lines not shown]
p5-Net-CIDR-Set: update to 0.21.
0.21 2026-06-02 17:45:44+01:00 Europe/London
[Security]
- Improved strictness of IP address (CVE-2026-49940) and netmask parsing (CVE-2026-49942).
- Removed potential infinite loops when attempting to parse IP addresses (CVE-2026-49941).
[Documentation]
- Removed CONTRIBUTING.md until policies about AI are updated.
[Tests]
- Changed tests to use Test::Exception.
[Toolchain]
- Added doap.xml to the distibution.
- Added automation-policy.json to the distribution.
[92 lines not shown]
filesystems/fuse{,3}: Drop explicit dependency on filesystems/perfused
On NetBSD 6+, it's in base, so this is just noise. Both packages
still build, and fuse-ntfs-3g still builds against fuse. As explained
on pkgsrc-users@.
No change except for building on NetBSD 5.
filesystems/ltfs: Adjust requirement for NetBSD 8
For reasons I don't understand, this package is said not to work with
perfused(8) from NetBSD <=7. Demote that to a comment, to be
revisited if/when this is brought up to date with upstream.
filesystems/fuse-ntfs-3gz: Drop perfused dependency
Not needed on netbsd-6+. Implied by filesystems/fuse. Not
referenced in sources.
Does not change binary package on NetBSD 6+, because builtin was used.
lang/algol68g: update to 3.12.2
Version 3.12.0-2, April/May 2026
* Move from domain xs4all.nl to new domain algol68genie.nl.
* Minor fixes.
Version 3.11.0-3, March/April 2026
* Improves STRING handling.
* Minor fixes.
* Documentation updates.
* Adds environment enquiry "eof char".
* Adds operators CEIL, FIX, FLOOR, FRAC and TRUNC.
tk: updated to 8.6.18
8.6.18
Aqua: Non-menubar menu invisible if toplevel is on another display (chavez).
(bug) [a91b24] Correct macOSVersion on future macOS for older SDK builds (chavez)
(bug) [d93d96] Pointer arithmetic with NULL in ImgGetPhoto() (chavez)
(bug) [6c4795] leak in XCreateBitmapFromData() in ImgGetPhoto() (chavez)
(new) [04e173] Add support for Copy/Cut/Paste keys in X11 (nijtmans)
(bug) [95da0f] tkpWinRopModes[GXnoop] is R2_NOT, should be R2_NOP (chavez)
(bug) [2c240b] Install pkg-config file (oscarfv)
(bug) [816739] Install man pages (oscarfv)
[40 lines not shown]
py-django5: updated to 5.2.15
Django 5.2.15 fixes five security issues with severity “low” in 5.2.14.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[18 lines not shown]
py-django: updated to 6.0.6
Django 6.0.6 fixes five security issues with severity “low” and one bug in 6.0.5.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[22 lines not shown]
Update to version 2.1.1
2026/03/04: Version 2.1.1
Patch release.
Updated external libraries: JPEG 10.0, PNG 1.6.48, TIFF 4.7.1, ZLIB 1.3.2.
Fixed FLIR and RAW parser to work correctly on big-endian systems.
2025/06/22: Version 2.1.0
Maintenance release.
Updated external libraries: PNG 1.6.48.
Improved RAW image handler to handle all data types correctly.
Fixed bug compiling with MSYS2/Clang64.
joker: update to 1.8.1
General improvements
- Add joker.mail namespace
Linter improvements
- Implement more thorough type checking
- Fix redundant do linter warning in joker.better-cond/cond
filesystems/fuse{,3}: Tidy, NFCI
- Align DESCR to each other, taking the text that describes what the
package is, vs marketing copy about FUSE. Explain fuse2 vs 3, and
add a NetBSD-only see-also to perfused(8).
- trim duplicate bsd.prefs.mk
- align whitespace between versions to reduce diffs
- reorder some lines to reduce diffs
Likely more diff-reduction could be done, but this is what I felt
confident would not cause even any binary change in the package.
filesystems/perfuse: Explain why this is ~never built
perfuse is part of the NetBSD base system since 6, so while packages
depend on this to ensure perfuse, the package is ~never built.
