nickle: fix build on Linux

(tnn)

doc/TODO: + krita-5.2.9, mozilla-rootcerts-1.1.20250416.

(wiz)

libtheora: Avoid UB with ctype functions.

Patch was upstreamed.

bump PKGREVISION.

(nia)

doc: Updated devel/got to 0.111

(vins)

devel/got: update to 0.111

* got 0.111; 2025-04-22
- introduce gotsysd: configure gotd servers by committing to gotsys.git repo
- make gotd run 'gotsys check' on gotsys.conf commits before accepting them
- make gotd run 'gotsys apply' when the gotsys.git repo receives changes
- add a missing malloc failure check to gotd's repo_write process
- make got clone/fetch work against Git servers which do not speak English
- stop processing more messages upon error in gotd repo_write process
- close file descriptors passed to gotd_imsg_compose_event() on failure
- potential fix for use-after-free in lib/repository.c's match_packed_object()
- make gotd return an informative error when the connection limit is exceeded
- in gotctl info, display the time when a client connection was created
- add reload support to gotd, triggered via 'gotctl reload', not via SIGHUP!
- test S_ISREG in parse_ref_file() explicitly rather than via getline(3)
- release ref-file lock when fstat fails in parse_ref_file()
- do not treat unhandled signals as a fatal error in gotwebd
- fix an edge case of tog spinning when 'B' is pressed in log view
- stop using got_repo_map_path() in gotwebd to fix spurious realpath(3) errors
- avoid creation of pack_fds array when not needed, saving file descriptors
- gotwebd now runs as the _gotwebd user by default, rather than "www"
- gotwebd can now serve repositories outside the /var/www chroot directory
- the gotwebd.conf repos_path directive is no longer relative to the chroot
- get rid of the gotwebd-specific libexec helpers in /var/www/bin/gotwebd
- improve gotwebd behaviour when sending data to already disconnected clients
- plug some memory leaks in got-send-pack and got-fetch-pack
- fix got-fetch-http performance when server sends chunked HTTP responses

(vins)

doc: Updated sysutils/fastfetch to 2.42.0

(vins)

sysutils/fastfetch: update to 2.42.0

# upstream changes (since 2.40.4)

# 2.42.0

Changes:
* Normalize the module name `Bios` to `BIOS` (#1721)
    * No configuration file changes are required because fastfetch parses module names case-insensitively.

Bugfixes:
* Disable disk type detection for virtual disks (PhysicalDisk, Linux, #1669)
* Fix incorrect CPU temperature reporting (CPU, OpenBSD)
* Fix setting `logo.chafa.symbols` in JSON configuration (Logo, #1709)
* Fix non-normalized time display (Uptime, #1720)
* Miscellaneous minor fixes

Features:
* Add CPU temperature detection support (CPU, SunOS)
* Improve CPU frequency detection (CPU, NetBSD)
* Add Wi-Fi detection support (Wifi, NetBSD)
* Add Webcam detection support (Camera, OpenBSD)
    * Requires root privileges

Logos:
* Remove GoralixOS logo (#1699)
* Add Aurora logo (#1700)
* Add Codex Linux logo (#1701)

# 2.41.0

Changes:
* Due to [the deprecation](https://github.com/actions/runner-images/issues/11101), Linux x86_64 binaries are now built with Ubuntu 22.04 (Glibc 2.35, Debian 12)
    * You can always build fastfetch yourself on your own. Please don't report bugs related to this change.

Features:
* Support physical core count detection on non-x86 platforms (CPU, Linux / FreeBSD)
* Support CPU frequency detection on PPC64 (CPU, FreeBSD)
* Support soar packages count detection (Packages, Linux)
* Support `~` path expanding on Windows (Logo, Windows)
* Support retrieving full user name (Title)
    * Exposed with `--title-format '{full-user-name}'`
* Improve CPU (thermal zone) temperature detection on Windows (CPU, Windows)
    * Administrator privileges are no longer needed
* Support base Wifi info detection on OpenBSD (Wifi, OpenBSD)
    * To be tested
* Support GPU temperature detection for Intel dGPU on Linux (GPU, Linux)
    * To be tested
* Add new ARM CPU part numbers (CPU, Linux)
* Add base implementation of Bluetooth device detection (Bluetooth, NetBSD, #1690)
* Some small improvements

Logo:
* Add anduinos
* Add 2 more Alpine logos

(vins)

doc: Updated sysutils/xfile to 20250430

(vins)

xfile: add options.mk (missing in previous commit)

(vins)

sysutils/xfile: update to 20250430

# pkgsrc changes
* The beta 1.0 release is not actually a fixed release, but a rolling
  distribution which is kept in sync with the most recent upstream commit.
  The package uses now a different versioning scheme based on commit date.
  This is a temporary solution until an official 1.0 release is out.

* DBus support is now optional (disabled by default).

# upstream changes
* Added more icons and types
* Support primary selection copy/move
* Updated mount/progress dialogs
* Minor bug fixes.

(vins)

arcticfox: Install icu dat file for big endian.

(nia)

libxfce4windowing: fix issue with job dependency ordering

(gutteridge)

Updated lang/jttb to 0.6.

(thorpej)

Update Jason's Tiny-ish BASIC to version 0.6.

Upstream changes: Support for multi-character (up to 8; characters
after 8 are ignored) variable identifiers.

(thorpej)

Make version number more compatible.

(hauke)

defaults/mk.conf: document emacs30 & emacs30nox

(gutteridge)

emulators/xace: "make cce" got the version wrong

(hauke)

libxml2: fix Tiger build.

(schmonz)

doc: Added emulators/xace version 30

(hauke)

xAce is an emulator for the Jupiter ACE computer.

The Jupiter ACE is the real outsider micro from the 1980s.

Instead of BASIC as the programming language, it had FORTH. It was
designed by two guys who had worked at Sinclair Research Ltd and were
responsible for the famous Sinclair ZX81 and ZX Spectrum.

See also <http://www.jupiter-ace.co.uk/emulators_unix.html>

(hauke)

editline: create the pkgconfig directory before installing builtin pc file

(tnn)

mk: add target "debug-barrier"

(rillig)

inkscape: C++ build fix, from upstream

(tnn)

doc: Updated security/ca-certificates to 20250419

(kim)

ca-certificates: Update to 20250419

ca-certificates (20250419) unstable; urgency=medium

  [ Alexander Kanavin ]
  * update-ca-certificates: add a --sysroot option

  [ Julien Cristau ]
  * Update Mozilla certificate authority bundle to version 2.74.
    The following certificate authorities were added (+):
    + D-TRUST BR Root CA 2 2023
    + D-TRUST EV Root CA 2 2023
    The following certificate authorities were removed (-):
    - Entrust Root Certification Authority - G4
    - SecureSign RootCA11
    - Security Communication RootCA3
    - SwissSign Silver CA - G2

-- Julien Cristau <jcristau@debian.org>  Sat, 19 Apr 2025 09:25:37 +0200

ca-certificates (20241223) unstable; urgency=medium

  * Update Mozilla certificate authority bundle to version 2.70.
    The following certificate authorities were added (+):
    + Telekom Security TLS ECC Root 2020
    + Telekom Security TLS RSA Root 2023
    + FIRMAPROFESIONAL CA ROOT-A WEB
    + TWCA CYBER Root CA
    + SecureSign Root CA12
    + SecureSign Root CA14
    + SecureSign Root CA15
    The following certificate authorities were removed (-):
    - Security Communication Root CA (closes: #1063093)
  * Add Romanian debconf translation, thanks to Remus-Gabriel Chelu.
    Closes: #1067042, #1031490.

-- Julien Cristau <jcristau@debian.org>  Mon, 23 Dec 2024 12:53:45 +0100

(kim)

doc: Updated net/dnsdist to 1.9.9

(wiz)

dnsdist: update to 1.9.9.

Provided by Marcin Gondek in wip.

1.9.9 Released: 29th of April 2025

Improvements
Handle Quiche >= 0.23.0 since the API changed
Fix compatibility with boost::lockfree >= 1.87.0�
Update Rust to 1.84.1 for our packages

Bug Fixes
Fix a crash when processing timeouts for incoming DoH queries
Gracefully handle timeout/response for a closed HTTP stream

(wiz)

doc: add dnsdist vulnerability

(wiz)

doc: Updated net/megatools to 1.11.4.20250411

(wiz)

net/megatools: update to 1.11.4.20250411

Provided by Robert Bagdan in wip.

megatools 1.11.3 - 2025-02-03
=============================

This release changes the location of the project website, and email address
of the maintainer across documentation.

megatools 1.11.1 - 2023-02-12
=============================

This is just a bugfix release.

Fixes:

- fix folder downloads
- fix handling of = in mega URLs

(wiz)

doc: Updated emulators/mame to 0.277

(wiz)

mame: update to 0.277.

Have you been wondering what MAME 0.277 will bring? Well, now you
can find out! First of all, we've added support for compiling on
64-bit ARM-based systems running Windows 11 using the MSYS2 CLANGARM64
environment. Updates to included third-party libraries should
resolve some issues people were having with new compilers and
development environments.

In improvements that you can see, Konami GX blending effects are
now looking much nicer, Sega Model 2 3D geometry is behaving better,
and some remaining issues with Philips CD-i graphics decoding have
been fixed. You may be able to hear improved sound emulation in
some Famicom, WonderSwan, and Game Boy games, too. If that's too
subtle, you should be able to hear the difference in the DMX and
LinnDrum percussion synthesisers.

There's a big update for the Apple II and Macintosh floppy disk
software lists this month. A lot of Macintosh NuBus cards have been
overhauled as well, so let us know if we've inadvertently broken
your virtual Macintosh setup. There are plenty of other software
list additions, including a batch of tapes for Sinclair computers.

(wiz)

doc: Updated databases/p5-App-Sqitch to 1.5.2

(schmonz)

p5-App-Sqitch: update to 1.5.2. Changes:

- Added missing German translations, thanks to @0xflotus for the PR
  (#873)!
- Fixed bug where the location of reworked script files did not respect
  the `deploy_dir`, `revert_dir`, or `verify_dir` options. Thanks to Neil
  Freeman for the report (#875)!
- Updated the MySQL engine's installation of the `checkit()` function so
  that it no longer depends on permission-checking, since the current
  user may not have such permission. It instead attempts to create the
  function and ignores a failure due to a lack of permission. Thanks to
  Alastair Douglas for the report and solution (#874)!
- Added missing CockroachDB templates. Thanks to @Peterbyte for the
  report (#878)!
- Removed support for the `SNOWSQL_PORT` environment variable, which has
  long been deprecated by Snowflake and likely never did anything.
- Fixed the quoting of the role and schema names on connecting to
  Snowflake, which was silently failing and thus not properly using the
  registry schema, which lead to a failure to find the registry. Broken
  in v1.5.1.
- Added redaction of passwords from Snowflake URL query parameters in the
  display URL. Any query parameter matching `pwd` will now appear as
  "REDACTED".
- Expanded the documentation of Snowflake key pair authentication in
`sqitch-authentication.pod` to recommend setting sensitive ODBC
  parameters in an `odbc.ini` file rather than connection URL query
  parameters.
- Switched to key pair authentication in the Snowflake CI workflows.
- Fixed another test failure with some Firebird configurations and
  improved diagnostic output when an engine cannot be integration-tested.

(schmonz)

py-hg-fastimport: adapt for setuptools 78

Bump PKGREVISION.

(wiz)

Host at NetBSD until I can find a new home

(roy)

graphite2: add missing include

(tnn)

libLLVM: add missing includes

(tnn)

doc: Updated emulators/nono to 1.4.1

(jun)

nono: update to 1.4.1.

1.4.1 (2025/04/30)

m88k: "Fix several exception priorities."
m88k: "Implement the illegal instruction exception."
m88k: "Fix several DMx registers upon a data access exception."
m88k: "Fix the behavior of the ld.d instruction when an exception occurred on the second word."
m88k: "Fix that PID and SXIP registers were writeable."
m88k: "Revert the search method inside the BATC/PATC to that of ver 0.6.1."
vm: "Implement an interrupt handler in the builtin emulated PROM on LUNA-88K. This fixes the issue where the hexdump command on the OpenBSD/luna88k boot loader was hanging when accessing the bus error region."
vm: "Modify and adjust the memory map on LUNA-88K."
vm: "Implement the SCSI bus transition from the selection phase to the message out phase. This fixes the abnormal termination while booting UniOS Mach. (But it doesn't work yet.)"
vm: "Change the handling of write-protected SCSI image files."
vm: "Support the LUNA-88K software keyboard(?). As a result of this, several internal keycodes on LUNA-I and X68030 are also moved."
debugger: "The breakpoint monitor now supports m88k."
debugger: "The breakpoint monitor now supports 1-byte instructions like HD64180."
debugger: "Fix the abnormal termination when a breakpoint has an invalid CPU name."
debugger: "The vector table now supports LUNA-88K."
debugger: "Change the syntax of the bv command."
debugger: "The bi command supports some mnemonics."
debugger: "Implement --bi and --bv options."
util/nvramedit: "Fix the file size of NVRAM.DAT."

(jun)

Upstream took some of our patches -- thanks!

(hauke)

inputmethod/skk: Add emacs30 support

(ryoon)

editors/emacs30: Some modules require buildlink3.mk for emacs

(ryoon)

editors/emacs: Support modules for emacs30

(ryoon)

editors/emacs30: editors/emacs/modules.mk requires version.mk

(ryoon)

editline: more quoting

(wiz)

tcp_wrappers: include <stdio.h> in tcpd.h for FILE

Fixes net-snmp on macOS that became broken by the previous change. Bump.

(tnn)

editors/xnedit: Build fix for Darwin

Undefined symbols for architecture arm64:
  "_CFRelease", referenced from:
  ...

- Link against CoreFoundation framework on Darwin
- Add missing phtread dependency (for all OS)
- Bump PKGREVISION

(micha)

doc: Updated math/nickle to 2.103

(wiz)

nickle: update to 2.103.

New in 2.103:

    Switch 'bool' in %union to 'boolean' for C23 compatibility

(wiz)

editline: when using builtin editline, also provide pkg-config file

If the installation has one (like on NetBSD-current), use it, otherwise
create it.

TODO: the version number is currently fixed to 3.1, this should be
extracted from the header/library files somehow

(wiz)

imk: fix revert to use libjpeg-turbo

(wiz)

mk: revert previous

Please don't touch this again without discussion first.

(wiz)

mk: revert previous, don't use libjpeg-turbo as default everywhere

(nia)

mk: accidentally dropped powerpc from conditional

(nia)

redis: fix typo in comment, and add link to new license

(wiz)

doc: Updated devel/alex to 3.5.3.0

(wiz)

devel/alex: update to alex-3.5.3.0

## Changes in 3.5.3.0

* Fix critical bug in automaton minimizer
  ([PR #270](https://github.com/haskell/alex/pull/270)),
  thanks Antoine Leblanc!
* Tested with GHC 8.0 - 9.12.2.

(wiz)

doc: Updated x11/fltk to 1.4.3

(micha)

x11/fltk: Update to 1.4.3

This is a maintenance release with bug fixes and improvements.
Its ABI and API are 100% backwards compatible with FLTK 1.4.0.

Changes in FLTK 1.4.3                                Released: Apr 29 2025

  FLTK 1.4.3 is a maintenance release with improvements and fixes
  backported from the current development branch 1.5 (master).

  Bug Fixes

  - Fix "Windows: Clipboard gets stuck when text is copied while window is
    hidden" (#1233)
  - Fix "Minor drawing artifact at scale 200% under X11 session" (#1243)
  - Fix a comparison that's always true
  - Fix handling of menu windows taller than their screen
  - Fix potential buffer overflow on Windows when loading fonts (#1221)
  - Windows: fix "heap-use-after-free" in home_directory_name()
  - Fix out-of-bounds access in test/checkers.cxx
  - macOS: Fix error "two consecutive '[' tokens on g++ with objcpp
    files" (#1246)

  Other Improvements

  - Update man pages of games (demo programs), add glpuzzle man page

  CMake And Other Build Procedure Improvements

  - options.cmake: Check Threads_FOUND, not CMAKE_HAVE_THREADS_LIBRARY
  - Check CMake version for some properties in fl_debug_target()
  - Use CMake's built-in timestamp formatting (#1242)
  - Simplify fluid build
  - CI for Wayland: update required development packages for Wayland builds
  - Update fltk-config.in (minor comment changes only)
  - Fully support using own shared libraries internally (#1238)
  - macOS: disable automatic code signing when using Xcode
  - Update version numbers to 1.4.3

  ABI changes (FL_ABI_VERSION >= 10403)

  - Allow FL_ABI_VERSION = FL_API_VERSION + 1
  - Fl_Tree_Item: Changed two connector methods to virtual
  - Fix "Windows: dotted lines may be drawn solid when GUI is
  rescaled" (#1214)

(micha)

Fix build on 32 bit ARM.

(jklos)

Updated print/ghostscript-agpl, fonts/ghostscript-cidfonts-ryumin

(adam)

ghostscript-agpl fonts/ghostscript-cidfonts-ryumin: updated to 10.05.1

Version 10.05.1 (2025-04-29)

Highlights in this release include:

The 10.05.1 patch release addresses:

An overflow issue in Freetype on platforms where long is a 4 byte (rather than 8 byte) type (Microsoft Windows, for example) causing corrupted glyph rendering at higher resolutions
An issue with embedded files, affecting Zugferd format PDF creation.
Broken logic in PDF Optional Content processing
Potential slow down due to searching for identifiable font files
A small number of extreme edge case segmentation faults.

This release addresses CVEs: CVE-2025-27835, CVE-2025-27832, CVE-2025-27831, CVE-2025-27836, CVE-2025-27830, CVE-2025-27833, CVE-2025-27837, CVE-2025-27834, CVE-2025-46646
The 10.05.1 release deprecates the non-standard operator "selectdevice", all code should now be using the standard "setpagedevice" operator. "selectdevice" will be removed in the 10.06.0 release.
We now support production of PDF/X-1a and PDF/X-4a in addition to the existing support for PDF/X-3
IMPORTANT: In the 10.04.0 release we added protection for device selection from PostScript input. This will mean that, by default, only the device specified on the command line will be permitted. Similar to the file permissions, there will be a "--permit-devices=" allowing a comma separation list of allowed devices. This will also take a single wildcard "*" allowing any device.

Any application which relies on allowing PostScript to change devices during a job will have to be aware, and take action to deal with this change.

The exception is "nulldevice", switching to that requires no special action.

Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR engine. In such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR that image, and output the image "wrapped" up as a PDF file, with the OCR generated text information included as "invisible" text (in PDF terms, text rendering mode 3).

(adam)

doc: Updated x11/pixman to 0.46.0

(wiz)

pixman: update to 0.46.0.

This release notably adds fast paths for RISC-V using the "V" vector
extension, contributed by developers at Samsung.

(wiz)

doc: Remove moji from TODO

Packaging Mozilla Firefox add-on is not recommended.

(ryoon)

doc: Updated mail/thunderbird-l10n to 137.0.2

(ryoon)

mail/thunderbird-l10n: Update to 137.0.2

* Sync with mail/thunderbird-137.0.2.

(ryoon)

doc: Updated mail/thunderbird to 137.0.2

(ryoon)

mail/thunderbird: Update to 137.0.2

Changelog:
137.0.2:
What's Fixed

fixed
Thunderbird could crash on startup when creating Linux system tray icon

fixed
Security fixes

Security fixes:
Mozilla Foundation Security Advisory 2025-26
#CVE-2025-3522: Leak of hashed Window credentials via crafted attachment URL
#CVE-2025-2830: Information Disclosure of /tmp directory listing
#CVE-2025-3523: User Interface (UI) Misrepresentation of attachment URL

137.0.1:
What's Fixed
fixed
Added delay to built-in notifications when new profile is created in offline
mode

137.0:
What's Changed
changed
File names are now used when storing mail folders (Windows only).

changed
Disable Linux system tray icon until it gains functionality

What's Fixed
fixed
In-app notifications did not display correctly in high contrast mode.

fixed
Repair folder did not fix mbox files produced on MacOS before Thunderbird 1.0.

fixed
Edit menu entries missing when group header selected in "Grouped by sort" view.

fixed
IMAP folder "Undelete" performed "Delete" when mixed messages were selected.

fixed
In RSS feeds, the space bar did not scroll the message like it did in emails.

fixed
Slow performance opening an .eml file in a profile with many folders.

fixed
Threaded search view was not updated correctly when sorted by date received.

fixed
Line spacing changed unexpectedly in the message list with the default font
size.

fixed
Saved message list selection was discarded when user made a new selection.

fixed
Replying from local or unified folders failed when the message pane was hidden.

fixed
Message security panel strings were used in the wrong places.

fixed
Importing an OpenPGP public key with whitespace failed.

fixed
Unable to open attached signed OpenPGP .eml message.

fixed
Right-clicking "Decrypt and Save As..." on an attachment file failed.

fixed
Searching during shutdown could cause crash.

fixed
Failed news message sending could close the compose window unexpectedly.

fixed
Having a corrupt address book database prevented sending mail.

fixed
Forwarding messages as attachments could use the wrong MIME type.

fixed
Two-factor auth via text or email did not work with Office 365 using Oauth2.

fixed
Account settings menu could be loaded twice.

fixed
No gap existed between Back and Forward buttons in the Feed Account Wizard
dialog.

fixed
Thunderbird could crash when importing mail

fixed
Unable to auto-discover Address Book on Radicale server.

fixed
Mark-Of-The-Web was not applied to attachments saved via drag and drop.

fixed
Some messages could not be scrolled due to hidden overflows in inline styles.

fixed
Clicking a 'mid:' link could clear the thread pane and cause errors.

fixed
Performance regressed when moving/copying messages on Windows.

fixed
Automatic compact did not attempt to compact all folders when error
encountered.

fixed
Slow performance when moving bulk messages from IMAP to local.

fixed
Crossposting news article was not possible if newsgroups on different servers.

fixed
IRC channel was not visible after restart.

fixed
Unable to view full certificate chain from the "View Signature" button.

fixed
Visual and UX improvements

fixed
Security fixes

Security fixes:
Mozilla Foundation Security Advisory 2025-23
#CVE-2025-3028: Use-after-free triggered by XSLTProcessor
#CVE-2025-3031: JIT optimization bug with different stack slot sizes
#CVE-2025-3032: Leaking file descriptors from the fork server
#CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
#CVE-2025-3033: Opening local .url files could lead to another file being
opened
#CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137,
Firefox ESR 128.9, and Thunderbird 128.9
#CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird 137

136.0.1:
What's Fixed

fixed
Thunderbird could crash during shutdown if a search was still active

fixed
Failed news message send could close the compose window unexpectedly

136.0:
What's New

new
Messages are automatically adapted to dark mode with a quick toggle in the
header.

new
New "Appearance" Settings UI to globally control message threading/sorting
order.

What's Changed

changed
Criteria for closing idle message databases.

What's Fixed

fixed
Thunderbird Release channel was not displayed in "About Thunderbird".

fixed
Crash could occur when shutting down during MAPI send.

fixed
The error message for compacting a corrupted local folder was not useful.

fixed
Deleting or detaching attachments in a saved .eml file appeared to work but
failed.

fixed
On HiDPI screens, clicking addresses in the header could show popup off-screen.

fixed
Opening an .EML file in profiles with many folders could take a long time.

fixed
Some messages may have been threaded incorrectly in unified folders.

fixed
Unified folders could become unusable instead of being automatically rebuilt.

fixed
Folders at level 3+ were not auto-discovered when IMAP subscriptions were
ignored.

fixed
New subfolder did not inherit parent view, sort order, sort type, or columns.

fixed
With "Fetch headers only" enabled, messages could not be sorted by size.

fixed
Selecting starred messages did not update immediately.

fixed
Marking a unified folder as favorite did not show it in favorite folders.

fixed
Users with many folders experienced poor performance when resizing message
panes.

fixed
The UI could falsely report a message as encrypted when a null cipher was used.

fixed
Search messages dialog list could not be sorted by clicking the header icon.

fixed
Sending to multiple SMTPs could fail silently due to missing address book.

fixed
"Replace" button in compose window was overwritten when the window was narrow.

fixed
Changing the UI font size did not apply to some dialogs.

fixed
Deleted Gmail messages stayed visible until compact/expunge, despite settings.

fixed
Export to mobile did not work when "Use default server" was selected.

fixed
Account settings menu could be loaded twice.

fixed
Account Settings updated font size were not reflected in the content frame.

fixed
Add-ons: Context menu entries were incorrectly aligned.

fixed
Middle-click autoscroll cursor appeared without arrows instead of expected
design.

fixed
Some functionality was missing for newsgroup messages opened from a file or
URI.

fixed
Notifications for new mail were not showing for IMAP.

fixed
Message and folder lists could display incorrect line spacing after restart.

fixed
Clicking a 'mid:' link could clear the thread pane and cause errors.

fixed
Release channel incorrectly showed What's New page after update.

fixed
"Save Link As" was not working in feed web content.

fixed
Sort indicators were missing on the calendar events list.

fixed
Visual and UX improvements

fixed
Security fixes

Security fixes:
Mozilla Foundation Security Advisory 2025-17
#CVE-2025-26696: Crafted email message incorrectly shown as being encrypted
#CVE-2025-26695: Downloading of OpenPGP keys from WKD used incorrect padding
#CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the
Browser process
#CVE-2025-1931: Use-after-free in WebTransportChild
#CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds
access
#CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
#CVE-2025-1934: Unexpected GC during RegExp bailout processing
#CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase() causes
string to get longer
#CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
#CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the
interpretation of the contents
#CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
#CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 128.8, and Thunderbird 128.8
#CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird 136

(ryoon)

mk: Close parentheses

(ryoon)

doc: Updated www/firefox-l10n to 137.0.2

(ryoon)

www/firefox-l10n: Update to 137.0.2

* Sync with www/firefox-137.0.2.

(ryoon)

doc: Updated www/firefox to 137.0.2

(ryoon)

www/firefox: Update to 137.0.2

Changelog:
137.0.2:
Fixed

  * Fixed file picker not being displayed when exporting passwords on macOS in
    about:logins for some users. (Bug 1956266)

  * Fixed accessibility issues with the new PDF signature feature. (Bug 1956110
    and Bug 1952571)

  * Fixed an issue where using the context menu to paste in the Style Editor
    would insert the code twice. (Bug 1955854)

  * Fixed functional regressions in our XSLT support introduced in 137. (Bug
    1954841)

  * Fixed a tooltip flickering issue on Windows that affected some users when
    hovering. (Bug 1958631)

  * Fixed an issue where Firefox would not respond to clicks in some HTML5
    video players. (Bug 1959251)

  * Fixed an issue where radio inputs behaved incorrectly when preventDefault()
    was called on the click event. (Bug 1957956)

  * Fixed an issue that caused some Firefox users to restart their browser
    multiple times to complete an update. (Bug 1959492)

  * Security fix.

Changed

  * Fixed an issue with DRM video playback on some sites caused by the general
    availability rollout of Microsoft's PlayReady hardware decryption DRM
    support in Firefox 137. PlayReady support is now limited to specific sites
    while broader compatibility continues to be tested. (Bug 1959827)

Security fixes:
Mozilla Foundation Security Advisory 2025-25
#CVE-2025-3608: Race condition in nsHttpTransaction could lead to memory
corruption

137.0.1:
Fixed

  * Fixed an issue where folder shortcuts on Windows were incorrectly treated
    as files during file uploads, preventing selecting files within the target
    folder. (Bug 1958222)

  * Fixed a crash experienced by Windows users when downloading files with
    Qihoo 360 Total Security Antivirus software installed. (Bug 1958112)

  * Fixed an occasional startup crash. (Bug 1958293)

137.0:
New

  * Tab groups begin rolling out today! Stay productive and organized with less
    effort by grouping related tabs together. One simple way to create a group
    is to drag a tab onto another, pause until you see a highlight, then drop
    to create the group. Groups can be named, color-coded, and are always
    saved. You can close a group and reopen it later.

  * Firefox Address Bar Refresh 2025 - new ways to search for things new,
    previously viewed, and more - all from the address bar:

    Features

    Unified Search Button: A new, easy-to-access button in the address bar
    helps you switch between search engines and search modes with ease. This
    feature brings the simplicity of mobile Firefox to your desktop experience.

    Search Term Persistence: Now when you refine a search in the address bar,
    the original term sticks around, making it easier to adjust your queries
    and find exactly what you're looking for.

    Secondary Action Buttons: Suggestions for common Firefox features.

    Contextual Search Mode: Firefox detects if you are on a page that has
    search capability and offers that option for you to directly search with
    the page engine from the address bar. Use this option at least 2 times and
    Firefox will suggest adding the search engine to your Firefox.

    Contextual Search Engine Options: Use a Contextual Search mode option at
    least 2 times and Firefox will suggest adding the search engine to your
    Firefox so that it??s always available to you.

    Intuitive Search Keywords: You can access various address bar search modes
    with convenient and descriptive keywords (e.g. @bookmarks,@tabs,@history,
    @actions).

  * Firefox now identifies all links in PDFs and turns them into hyperlinks.

  * Support HEVC playback on Linux.

  * Now you can sign PDFs without leaving Firefox. Save your signatures to
    re-use later.

  * You can now use the Firefox address bar as a calculator. Simply type an
    arithmetic expression and view the result in the address bar drop-down.
    Clicking on this result will copy it to your clipboard.

Fixed

  * Various security fixes.

Security fixes:
Mozilla Foundation Security Advisory 2025-20
#CVE-2025-3028: Use-after-free triggered by XSLTProcessor
#CVE-2025-3031: JIT optimization bug with different stack slot sizes
#CVE-2025-3032: Leaking file descriptors from the fork server
#CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters
#CVE-2025-3035: Tab title disclosure across pages when using AI chatbot
#CVE-2025-3033: Opening local .url files could lead to another file being
opened
#CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137,
Firefox ESR 128.9, and Thunderbird 128.9
#CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird 137

(ryoon)

doc: Updated www/firefox to 136.0.4

(ryoon)

www/firefox: Update to 136.0.4

Changelog:
136.0.4:
Fixed

  * Security fix.

Security fixes:
Mozilla Foundation Security Advisory 2025-19
#CVE-2025-2857: Incorrect handle could lead to sandbox escapes

136.0.3:
Fixed

  * Significantly improved responsiveness on TikTok by improving the speed of
    date formatting. (Bug 1954323)

136.0.2:
Fixed

  * Fixed a bug where "Cookies and site data" and "Temporary cached files and
    pages" were unexpectedly enabled after updating to Firefox 136 for users
    with "History" and/or "Site settings" set to clear on shutdown in previous
    versions. (Bug 1952564)

    Affected users already on Firefox 136 can disable these settings in
    "Privacy & Security".

  * Fixed an issue where the Primary Password prompt appeared in unexpected
    situations. (Bug 1946121)

  * Fixed visibility issues with radio buttons on dark backgrounds. (Bug
    1951930)

  * Fixed high CPU usage on Windows when the screen was locked or the laptop
    lid was closed. (Bug 1924932)

136.0.1:
Fixed

  * Fixed an issue where a cookie size limit caused problems with website
    cookie management when using the CookieStore API. This could cause login
    and other state-related issues. (Bug 1950565)

  * Fixed an issue where Control/Command+L did not focus the address bar in new
    windows. (Bug 1947723)

136.0:
New

  * You can now enable the updated Firefox sidebar in Settings > General >
    Browser Layout to quickly access multiple tools in one click, without
    leaving your main view. Sidebar tools include an AI chatbot of your choice,
    bookmarks, history, and tabs from devices you sync with your Mozilla
    account.

  * Keep a lot of tabs open? Try our new vertical tabs layout to quickly scan
    your list of tabs. With vertical tabs, your open and pinned tabs appear in
    the sidebar instead of along the top of the browser. To turn on vertical
    tabs, right-click on the toolbar near the top of the browser and select
    Turn on Vertical Tabs. If you??ve enabled the updated sidebar, you can also
    go to Customize sidebar and check Vertical tabs. Early testers report
    feeling more organized after using vertical tabs for a few days.

  * The Clear browsing data and cookies dialog now allows clearing saved form
    info separately from browsing history.

  * Smartblock Embeds allows users to selectively unblock certain social media
    embeds that are blocked in ETP Strict and Private Browsing modes.
    Currently, support is limited to a few embed types, with more to be added
    in future updates.

  * Firefox now upgrades page loads to HTTPS by default and gracefully falls
    back to HTTP if the secure connection fails. This behavior is known as
    HTTPS-First.

  * On macOS, some background tabs will be moved to lower power cores, reducing
    energy usage.

  * Hardware-accelerated playback of HEVC video content is now supported on
    macOS.

  * Hardware video decoding is now enabled for AMD GPUs on Linux.

  * On Linux, Firefox is now available on ARM64 (AArch64), with installation
    options via APT and tarballs. Flatpak support is coming soon.

  * The Weather forecast on the New Tab page is expanding to additional
    regions, including Mexico, Brazil, Argentina, and Chile, as part of an
    ongoing regional rollout.

  * Address autofill enabled for users in the United Kingdom.

Fixed

  * Firefox will now prefer the PNG format when copying images out of Firefox,
    allowing the preservation of transparency.

  * Various security fixes.

#

Changed

  * For New Tab stories, the Save to Pocket action was moved from a button to
    the context menu along with other actions, such as Bookmark.

  * The macOS DMG installer packages now use LZMA for compression, reducing
    download size and installation time.

  * Due to recent changes in macOS Sequoia, the shortcut for completing search
    strings to .com addresses has been changed from Ctrl+Enter to Cmd+Enter.

Security fixes:
Mozilla Foundation Security Advisory 2025-14
#CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the
Browser process
#CVE-2025-1939: Tapjacking in Android Custom Tabs using transition animations
#CVE-2025-1931: Use-after-free in WebTransportChild
#CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds
access
#CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
#CVE-2025-1940: Android Intent confirmation prompt tapjacking using Select
options
#CVE-2024-9956: Passkey phishing within Bluetooth range
#CVE-2025-1934: Unexpected GC during RegExp bailout processing
#CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
#CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase() causes
string to get longer
#CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
#CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the
interpretation of the contents
#CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
#CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 128.8, and Thunderbird 128.8
#CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird 136

(ryoon)

doc: Updated www/firefox115-l10n to 115.23.0

(gutteridge)

firefox115-l10n: update to 115.23

(gutteridge)

doc: Updated www/firefox115 to 115.23.0

(gutteridge)

firefox115: update to 115.23

Mozilla Foundation Security Advisory 2025-30
Security Vulnerabilities fixed in Firefox ESR 115.23

Announced
    April 29, 2025
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 115.23

#CVE-2025-2817: Privilege escalation in Firefox Updater

Reporter
    Dong-uk Kim (@justlikebono)
Impact
    high

Description

Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
References

    Bug 1917536

#CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS

Reporter
    un3xploitable & GF
Impact
    high

Description

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
References

    Bug 1937097

#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames

Reporter
    Nika Layzell
Impact
    high

Description

A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.
References

    Bug 1958350

#CVE-2025-4084: Potential local code execution in "copy as cURL" command

Reporter
    Ameen Basha M K
Impact
    moderate

Description

Due to insufficient escaping of the ampersand character in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.
References

    Bug 1949994, 1960198

(gutteridge)

doc: Updated www/firefox128-l10n to 128.10.0

(gutteridge)

firefox128-l10n: update to 128.10

(gutteridge)