www/freenginx-devel: update: 1.31.0 -> 1.31.1
Sponsored by: tipi.work
<ChangeLog>
*) Feature: the "off" parameter of the "index" directive.
Thanks to Fabiano Furtado.
*) Bugfix: a segmentation fault might occur in a worker process if the
"rewrite" directive was used to change request arguments and other
directives of the ngx_http_rewrite_module were executed afterwards.
*) Bugfix: in the "set" directive.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_charset_module was used to convert responses from UTF-8.
*) Bugfix: in the ngx_http_charset_module.
[12 lines not shown]
www/freenginx-devel: update njs 0.9.8 -> 0.9.9 (+)
Bump PORTREVISION.
<ChangeLog>
nginx modules:
*) Security: a heap buffer overflow might occur in a worker process
when the "js_fetch_proxy" directive value contains nginx
variables derived from the client request ($http_*, $arg_*,
$cookie_*, etc.) and the location's JS handler invokes
ngx.fetch(). The issue was introduced in dea83189 (0.9.4).
*) Feature: added js_access directive.
*) Feature: added r.readRequestText(), r.readRequestArrayBuffer(),
and r.readRequestJSON() - async methods that read the request
body, available in js_access and js_content directives.
[19 lines not shown]
www/nginx-devel: Update to 1.31.0
Changes with nginx 1.31.0 13 May 2026
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
Thanks to Mufeed VH of Winfunc Research.
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an
[69 lines not shown]
net/go-tcping: mark i386 as unsupported
The vendored modernc.org/libc dependency fails to compile on i386 due
to type mismatches in libc_freebsd.go.
Mark the port as unsupported on i386.
Reported by: pkg-fallout
security/flawfinder: update to version 2.0.20
This update contains many improvements and some security fixes, see
the Changelog for details:
https://sourceforge.net/p/flawfinder/code/ci/2.0.20/tree/ChangeLog
The port now supports running the bundled tests, which can still
be installed with the EXAMPLES option. I'm not sure that installing
these files as examples is really useful. The EXAMPLES option might
therefore be removed in the next update to this port.