BSD Commit Log Search

ports-mgmt/poudriere-dsh2dsh: Update 3.4.99.20260304 => 3.4.99.20260415

Upstream changes:
- Pkg 2.7.0 support
- write_atomic: Add a C implementation
- Hooks: Remove example.org
- Fix build on older releases

PR:             294575
Sponsored by:   UNIS Labs

lang/python314: Fix incomplete mitigation of webbrowser.open()

Cherry-pick fix to resolve
Incomplete mitigation of CVE-2026-4519,
%action expansion for command injection to webbrowser.open()

Obtained from:  GitHub repo
                https://github.com/python/cpython/pull/148516
Security:       CVE-2026-4786
                cf75f572-378a-11f1-a119-e36228bfe7d4

lang/python314: Security update + other fixes

Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines
when reusing decompressor instances after a MemoryError was raised from
one.

While here:

- fix DEBUG build/package (several %%ABI%% were in the wrong place
  in pkg-plist that caused failed installs)
- switch to using system textproc/expat2 library
- issue warnings in pre-test that IPV6, PYMALLOC are required and
  DEBUG also breaks one self-test
- bump PORTREVISION
- drop LTOFULL again and make LTO use =full

References:
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3
https://www.cve.org/CVERecord?id=CVE-2026-6100

    [6 lines not shown]

security/vuxml: Add entry for Python CVE-2026-6100

Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor
and gzip.GzipFile

Obtained from:  GitHub repo
Security:       b8e9f33c-375d-11f1-a119-e36228bfe7d4
                CVE-2026-6100

security/vuxml: Add entry for Python CVE-2026-4786

Incomplete mitigation of CVE-2026-4519,
%action expansion for command injection to webbrowser.open()

Obtained from:  GitHub repo
Security:       CVE-2026-4786
                cf75f572-378a-11f1-a119-e36228bfe7d4

www/sogo: Update to 5.12.7

5.12.7 is a major release as it fixes 2 major vulnerabilities, 5.12.6
addresses another vulnerability.

While at it:
o pet portlint,
o make the installed configuration file for sysutils/logrotate useable
  out of the box by replacing sogo:sogo with sogod:sogod,
o make the installed sogo-backup.sh useable out of the box by:
  - correcting the path to sogo-tool,
  - changing the function definitions to match sh(1) syntax, saving a
    dependency on shells/bash, and
  - installing it as executable.

Approved by:    acm (maintainer)
Security:       https://www.sogo.nu/news/2026/sogo-v5126-released.html
Security:       https://www.sogo.nu/news/2026/sogo-v5127-released.html
Differential Revision:  https://reviews.freebsd.org/D56426

devel/sope: Update to 5.12.7

This is a minor update, fixing contact searches containing 2 dots.
While at it, pet portlint.

Approved by:    acm (maintainer)
Differential Revision:  https://reviews.freebsd.org/D56425

devel/cargo-readme: Update to 3.3.2

emulators/emu64: Remove from tree

Broken for months in tree and unmaintained

PR:             289037

multimedia/lebiniou*: Remove from tree

Broken for months and last activity upstream in 2024

PR:             289066

audio/soundtouch: Update to 4.0.1

* Add USES= pathfix to fix install location of pkgconfig file and
  make build logs consistent
* Change CFLAGS to CXXFLAGS for i386

PR:             294149
Approved by:    maintainer timeout, 2+ weeks

multimedia/dvdstyler: Remove from tree

Broken in tree for months and last upstream activity in 2024

PR:             289482

www/libmicrohttpd: Update to 1.0.4

Backport upstream commits 4f049186bfe22ba12c07279f2eef99293798a710 and
a083613d8405fa3ad7f6bc5bbbb635d0f50799e0

References:
https://git.gnunet.org/gnunet/libmicrohttpd/commit/4f049186bfe22ba12c07279f2eef99293798a710.html
https://git.gnunet.org/gnunet/libmicrohttpd/commit/a083613d8405fa3ad7f6bc5bbbb635d0f50799e0.html

Changelog: https://github.com/Karlson2k/libmicrohttpd/blob/d30316fda936111ad5d4f8b1fde7747c289468b6/ChangeLog

PR:             294534
Reviewed by:    Hung-Yi Chen <gaod at hychen.org> (maintainer)

net-im/vesktop: Improve port

* Don't extract into WRKDIR
* Extract the files we want by using pipe instead of writing tarball
  to disk and then extracting it

PR:             294489
Reviewed by:    Céleste Ornato <celeste at ornato.com>

games/suika3: Update to 26.04.9

PR:             294504
Approved by:    arrowd (co-mentor)

devel/aws-crt-cpp: Update to 0.38.5

ChangeLog: https://github.com/awslabs/aws-crt-cpp/releases/tag/v0.38.5

archivers/unadf: Update to 0.10.7

ChangeLog: https://github.com/adflib/ADFlib/releases/tag/v0.10.7

editors/zile: Fix build after 852c6720

852c6720: "devel/libgnuregex: Fix building after gnulib update"

KDE: Update KDE Gear to 26.04.0

Announcement: https://kde.org/announcements/gear/26.04.0/

Ports changes:

audio/libkcompactdisc:
 - Remove port, no longer shipped with KDE Gear

deskutils/kdeconnect-kde:
 - Add dependency on libei

misc/minuet:
 - Add missing dependencies
 - Add patch to restore parity with Linux

net/krdc:
 - Update dependencies


    [2 lines not shown]

MOVED: Record removal of audio/libkcompactdisc

devel/umbrello: Fix PLIST_SUB abuse

MOVED: Record graphics/libkdcraw unflavorization

editors/calligra: Fix PLIST_SUB abuse

graphics/libkdcraw: remove Qt5 flavor in preparation for Gear 26.04 update

Qt5 is not supported anymore.

graphics/Makefile: connect libkdcraw-qt5

graphics/krita: switch to libkdcraw-qt5

Mk/Uses/kde.mk: libkdcraw is Qt6 only now

graphics/libkdcraw-qt5: copy from graphics/libkdcraw at qt5

and stick to the last release with Qt5 support.

Uses/kde.mk: Update comment

mail/mailpit: Update to 1.29.7