BSD Commit Log Search

   Update keycloak 26.5.1 -> 26.5.2
   Changelogs: https://github.com/keycloak/keycloak/releases
   Release notes: https://www.keycloak.org/docs/latest/release_notes/index.html
   Upgrading guide: https://www.keycloak.org/docs/26.5.2/upgrading
   Port changes:
    update pexp in rc script

   productivity/grisbi: update to 3.90.1.

   migrated to meson.

   rpki-client: explain why we do what we do in ta_check_pubkey()

   The base64-encoded SPKI blob in the TAL should really be matched against
   the corresponding part of the cert's DER. Unfortunately, libcrypto only
   stores internal representations in the X509's cert_info field, so what it
   hands back via the X509_* and X509_PUBKEY_* API is at best re-encoded and
   therefore unsuitable for this purpose. Document this so when I will have
   forgotten this the day after tomorrow, I still have a chance of not wasting
   as much time for a third or fourth time next time I revisit this.

   ok claudio

   rpki-client regress: adjust for ta_parse() -> ta_validate() rename

   rpki-client: rename ta_parse() to ta_validate() and document it

   ta_parse() only parses the TAL's SPKI, so it is misnamed. What it really
   does is it compares the TA's SPKI to the TAL's SPKI and checks that it is
   a curently valid, self-signed cert.

   ok claudio

   Update to openssl-ruby-tests 20260126

   Update to wycheproof 20260127

   Two more configure scripts that need proper main functions.
   ports-gcc use -Wimplicit-int by default and so those basic test fail.
   OK tb@

   Support up to three CPU clusters.

   ok patrick@

   Update to check-jsonschema 0.36.1

   mail/mozilla-thunderbird: MFC update to 140.7.1.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.1esr/releasenotes/

   mail/mozilla-thunderbird: update to 140.7.1.

   see https://www.thunderbird.net/en-US/thunderbird/140.7.1esr/releasenotes/

   Drop base-gcc from COMPILER and use a common CXXFLAGS for -std=c++14.
   OK tb@

   Update oxipng to 10.1.0.

   Update p5-Image-ExifTool to 13.46.

   This needs ports-gcc to build.
   OK rsadowski@ tb@

   ports-gcc is modern enough to compile this now, so switch back to it.
   OK rsadowski@ tb@

   Add CXXFLAGS_ports-gcc = -fdelete-null-pointer-checks to these ports which
   needs it. qtgrpc needs it because it uses protobuf and abseil-cpp.
   qtdeclarative is yet another C++ monster that needs it because of traits.
   OK rsadowski@ tb@

   update to py3-yamllint-1.38.0

   postfix-stable, sslscan, borgbackup/2.0: bump after openssl update
   (static link)

   postfix-stable, sslscan, borgbackup/2.0: bump after openssl update
   (static link)

   MFC: Update to openssl 3.5.5

   Update to openssl 3.6.1

   This fixes a gazillion of CVEs. Far too many to name and list and most of
   which can be safely ignored by everyone except those who make their living
   off CVE busywork. Unless you use CMS AuthEnvelopedData you're good. If you
   don't use PKCS#12 either you're in excellent position to ignore all this.

   Update to openssl 3.5.5

   This fixes a gazillion of CVEs. Far too many to name and list and most of
   which can be safely ignored by everyone except those who make their living
   off CVE busywork. Unless you use CMS AuthEnvelopedData you're good. If you
   don't use PKCS#12 either you're in excellent position to ignore all this.

   www/mozilla-firefox: MFC update to 147.0.2.

   see https://www.firefox.com/en-US/firefox/147.0.2/releasenotes/
   fixes https://www.mozilla.org/fr/security/advisories/mfsa2026-06/

   www/mozilla-firefox: update to 147.0.2.

   see https://www.firefox.com/en-US/firefox/147.0.2/releasenotes/
   fixes https://www.mozilla.org/fr/security/advisories/mfsa2026-06/

   Avoid type confusion in the timestamp response parsing

   A malformed v2 signing cert can lead to a type confusion, and the result
   is a read from an invalid memory address or NULL, so a crash. Unlike for
   OpenSSL, v1 signing certs aren't affected since miod fixed this in '14.

   Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-69420.

   ok jsing

   Avoid type confusion in PKCS#12 parsing

   A type confusion can lead to a 1-byte read at address 0x00-0xff, so a
   crash.

   Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-22795

   ok jsing

   Use ${SETENV} ${MAKE_ENV} in do-configure to get the right path setup.
   With this lumina builds on sparc64. Bump REVISION to be sure.
   OK tb@

   This needs CXXFLAGS_ports-gcc = -fdelete-null-pointer-checks because
   this is a C++ monster.
   OK aja