bind920: update to BIND version 9.20.24.
Pkgsrc changes:
* Version bump, checksums.
Upstream changes:
Removed Features
~~~~~~~~~~~~~~~~
- Remove ineffective TCP fallback after repeated UDP timeouts.
When an authoritative server failed to respond to two consecutive UDP
queries, :iscman:`named` marked the next retry as TCP but still sent
it over UDP, producing misleading dnstap records. The ineffective
retry path has been removed; a corrected TCP fallback will be restored
in future BIND 9 versions. :gl:`#5529`
Feature Changes
[87 lines not shown]
chromium: make wayland support optional
Fix build on NetBSD-10: disable wayland support with native X11_TYPE
../../ui/ozone/platform/wayland/host/drm_syncobj_ioctl_wrapper.cc:50:10: error: use of undeclared identifier 'drmSyncobjEventfd'
50 | return drmSyncobjEventfd(fd_.get(), handle, point, ev_fd, flags);
| ^~~~~~~~~~~~~~~~~
sftpgo: update to 2.7.3
New features
- Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time.
- Logs: added the virtual path to transfer/command logs and to event-log CSV exports.
- WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility.
Bug fixes
- IP list: fixed matching when an IP is covered by multiple conflicting entries.
- Fixed comparison of unordered slices.
- Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access.
- In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup.
Security fixes
- Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244.
- Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245.
Hardening
- Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.
[6 lines not shown]
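The CSV hardening rule quoted in the sftpgo 2.7.3 notes above, written out as an added example; it is not part of the commit message and not SFTPGo's own code. The function names, the sample rows and the column layout are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// Leading characters named in the release note: =, +, -, @, tab and CR.
const formulaLead = "=+-@\t\r"

// neutralizeCell prefixes a single quote to any cell a spreadsheet could read
// as a formula. As the rule is stated, a plain value such as "-5" is prefixed too.
func neutralizeCell(cell string) string {
	if cell != "" && strings.IndexByte(formulaLead, cell[0]) >= 0 {
		return "'" + cell
	}
	return cell
}

// exportCSV neutralizes every cell, then lets encoding/csv handle quoting.
func exportCSV(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		safe := make([]string, len(row))
		for i, cell := range row {
			safe[i] = neutralizeCell(cell)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed sample rows (username, virtual path, size); layout is hypothetical.
	rows := [][]string{
		{"alice", "/docs/report.pdf", "1024"},
		{"=1+1", "@home/notes.txt", "-5"},
	}
	out, err := exportCSV(rows)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Neutralizing before the CSV writer runs keeps the two concerns separate: the prefix stops formula evaluation in a spreadsheet, while the writer still quotes cells containing commas, quotes or line breaks.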