sftpgo: update to 2.7.3
New features
Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time.
Logs: added the virtual path to transfer/command logs and to event-log CSV exports.
WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility.
Bug fixes
IP list: fixed matching when an IP is covered by multiple conflicting entries.
Fixed comparison of unordered slices.
Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access.
In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup.
Security fixes
Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244.
Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245.
Hardening
Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.
[6 lines not shown]
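The CSV neutralization described under Hardening above, shown as an added Go example that is not SFTPGo's own code: every cell whose first byte is one of =, +, -, @, tab or CR gets a leading single quote before the csv writer sees it, so a spreadsheet opening the export treats it as text rather than a formula. The sample rows are constructed.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// formulaTriggerChars are the leading bytes that spreadsheet applications
// may interpret as the start of a formula (the set named in the changelog).
const formulaTriggerChars = "=+-@\t\r"

// neutralizeCSVCell prefixes a cell with a single quote when its first byte
// could make a spreadsheet evaluate the cell instead of displaying it.
func neutralizeCSVCell(cell string) string {
	if cell != "" && strings.IndexByte(formulaTriggerChars, cell[0]) >= 0 {
		return "'" + cell
	}
	return cell
}

// exportCSV renders rows as CSV, passing every cell through neutralizeCSVCell
// before encoding/csv applies its own quoting rules.
func exportCSV(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		safe := make([]string, len(row))
		for i, cell := range row {
			safe[i] = neutralizeCSVCell(cell)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed event-log rows; the third row carries a formula-looking filename.
	rows := [][]string{
		{"timestamp", "event", "virtual_path"},
		{"2026-06-01T10:00:00Z", "upload", "/docs/report.txt"},
		{"2026-06-01T10:01:00Z", "upload", "=SUM(1,2)"},
	}
	out, err := exportCSV(rows)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```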
libcanlock: Import release candidate 3.3.2rc1
3.3.2rc1 2026-06-14
Bugfix: Modified declaration of RFC5869HkdfResult() in header
to match the function definition
Bugfix: Modified definition of RFC2104HmacResult() to match
the function declaration in header
Add support for C23 memset_explicit() to cl_clear_secret()
Document that canlock-hp subpackage requires a US-ASCII
based POSIX locale (EBCDIC is not supported)
Add SPDX copyright and license identifiers for all files of
the source tree. Note that the license terms are unchanged
for all files that already contained such identifiers
Some documentation files (like "README" and "ChangeLog")
formerly had neither copyrights nor licenses assigned.
No copyright and CC0-1.0 license are declared now
Package is REUSE 3.3 conformant (according to "reuse lint"):
<https://reuse.software/spec-3.3/>