foot (1.27.0-1) unstable; urgency=medium

  * New upstream release (Closes: #1128543)
  * debian/control:
    + Bump Standards-Version to 4.7.4 (no changes required)

fortran-fpm (0.13.0-6) unstable; urgency=medium

  * Fix for lfortran builds: opt flag (fixes fortran-julienne)

fortran-fpm (0.13.0-5) unstable; urgency=medium

  * Build full fpm, statically linked

fortran-fpm (0.13.0-4) unstable; urgency=medium

  * Do a stage1 rebuild of fpm stack for rework of dh-fortran

fortran-fpm (0.13.0-3) unstable; urgency=medium

  * Rebuild for updated fortran-toml, etc
  * Standards-Version: 4.7.4
  * d/rules: FLIBDIR now $libdir/fortran/gnu

liblocale-gettext-perl (1.07-10) unstable; urgency=medium

  * Set LANGUAGE as well for tests during build and autopkgtests.
    Thanks to Helmut Grohne for the bug report. (Closes: #1136442)

liblocale-gettext-perl (1.07-9) unstable; urgency=medium

  * Drop Priority field.
    Thanks to Gioele Barabucci for the bug report. (Closes: #1134756)
  * Declare compliance with Debian Policy 4.7.4.

libnginx-mod-http-modsecurity (1.0.4-1) unstable; urgency=medium

  * New upstream version 1.0.4
  * remove d/patches/stdioh.patch, upstream contains it

libnginx-mod-js (0.9.9-1) unstable; urgency=medium

  * New upstream version 0.9.9
    CVE-2026-8711: Heap buffer overflow in a worker process when the
    js_fetch_proxy directive value contains nginx variables derived from
    the client request and the location's JS handler invokes ngx.fetch().
    Closes: #1137215.

  [ Miao Wang ]
  * Separate the build directory for the njs CLI tool, to prevent the
    compiled modules from being linked with the .a files of the CLI tool,
    which causes the njs JS engine fails to load.

libnginx-mod-js (0.9.8-1) unstable; urgency=medium

  * New upstream version 0.9.8

libnginx-mod-js (0.9.6-1) experimental; urgency=medium

  * New upstream version 0.9.6
  * Drop all patches (unneeded)
  * B-D libqjs-dev instead of libquickjs-dev

linux (7.0.9-1) unstable; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.8
    https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.9
    - HID: playstation: Clamp num_touch_reports
    - HID: pidff: Fix integer overflow in pidff_rescale
    - media: uvcvideo: Enable VB2_DMABUF for metadata stream
    - [arm64] drm/msm/hdmi: Fix wrong CTRL1 register used in writing info
      frames
    - [amd64] media: i2c: ov8856: free control handler on error in
      ov8856_init_controls()
    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for
      RK35{76,88}
    - media: dt-bindings: rockchip,vdec: Mark reg-names required for
      RK35{76,88}
    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after
      system pages
    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages
    - [arm64] dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux
    - [arm64] regulator: mt6357: fix OF node reference imbalance
    - [arm64,armhf] regulator: rk808: fix OF node reference imbalance
    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
    - [amd64] media: intel/ipu6: fix error pointer dereference
    - [arm64] dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO
    - [amd64] media: ipu-bridge: Add upside-down sensor DMI quirk for Dell
      XPS 13 9340 and XPS 14 9440
    - drm/colorop: Preserve bypass value in duplicate_state()
    - drm/atomic: Add affected colorops with affected planes
    - [amd64] platform/x86: hp-wmi: Ignore backlight and FnLock events
    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes
      to copy
    - [arm64] dts: broadcom: bcm2712-d-rpi-5-b: add fixes for
      pinctrl/pinctrl_aon
    - [arm64] dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt
    - [arm64] media: qcom: camss: Fix csid clock configuration for sa8775p
    - [arm64] media: qcom: camss: Fix csid IRQ offset for sa8775p
    - [arm64] media: qcom: camss: Add missing clocks for VFE lite on sa8775p
    - drm/xe/hdcp: Add NULL check for media_gt in
      intel_hdcp_gsc_check_status()
    - [arm64] drm/msm/gem: fix error handling in
      msm_ioctl_gem_info_get_metadata()
    - drm/colorop: Fix blob property reference tracking in state lifecycle
    - [armhf] drm/imx: parallel-display: Prefer bus format set via legacy
      "interface-pix-fmt" DT property
    - [arm64] drm/msm: always recover the gpu
    - drm/v3d: Reject empty multisync extension to prevent infinite loop
    - [amd64] drm/i915/psr: Init variable to avoid early exit from et
      alignment loop
    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
    - drm/amd/display: fix math_mod() using arg1 instead of arg2
    - drm/amd: Add missing firmware declaration for PSP v15.0.0
    - drm/amdgpu: Use NBIF offset for register
      RCC_STRAP0_RCC_DEV0_EPF0_STRAP0.
    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
    - drm/amdgpu: gate VM CPU HDP flush on reset lock
    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x
    - drm/amdkfd: Add upper bound check for num_of_nodes
    - drm/amdgpu: Add bounds checking to ib_{get,set}_value
    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
    - drm/amdgpu/vce: Prevent partial address patches
    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
    - drm/amd/display: Change dither policy for 10 bpc output back to
      dithering
    - drm/gem: Fix inconsistent plane dimension calculation in
      drm_gem_fb_init_with_funcs()
    - drm/appletbdrm: Use kvzalloc for big allocations
    - drm/amdkfd: validate SVM ioctl nattr against buffer size
    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11
      and higher.
    - drm/udl: Increase GET_URB_TIMEOUT
    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()
    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
    - drm/xe/bo: Fix bo leak on unaligned size validation in
      xe_bo_init_locked()
    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in
      madvise
    - drm: Set old handle to NULL before prime swap in change_handle
    - drm/radeon: add missing revision check for CI
    - drm/amdgpu: zero-initialize GART table on allocation
    - drm/amdgpu/userq: fix access to stale wptr mapping
    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds
    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer
    - drm/sti: remove bridge when sti_hda component_add fails
    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable
      cmds
    - drm/amdkfd: Make all TLB-flushes heavy-weight
    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
    - drm/amdgpu/pm: add missing revision check for CI
    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon
    - [arm64] dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22
    - [arm64] dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO
    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in
      SCTP_SENDALL
    - batman-adv: fix integer overflow on buff_pos
    - batman-adv: reject new tp_meter sessions during teardown
    - batman-adv: stop tp_meter sessions during mesh teardown
    - batman-adv: stop caching unowned originator pointers in BAT IV
    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure
    - batman-adv: bla: prevent use-after-free when deleting claims
    - batman-adv: bla: only purge non-released claims
    - batman-adv: bla: put backbone reference on failed claim hash insert
    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain
      isolation
    - usb: typec: tcpm: reset internal port states on soft reset
      AMS
    - io_uring/zcrx: use guards for locking
    - io_uring/zcrx: warn on freelist violations
    - kho: fix error handling in kho_add_subtree()
    - cgroup: Increment nr_dying_subsys_* from rmdir context
    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated
    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()
    - perf build: fix "argument list too long" in second location
    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from
      mmap()
    - vsock: fix buffer size clamping order
    - vsock/virtio: fix length and offset in tap skb for split packets
    - vsock/virtio: fix empty payload in tap skb for non-linear buffers
    - vsock/virtio: fix accept queue count leak on transport mismatch
    - drm/amdgpu/vcn3: Avoid overflow on msg bound check
    - drm/amdgpu/vcn4: Avoid overflow on msg bound check

  [ Marco Nenciarini ]
  * [amd64] drivers/usb/misc: Enable USB_USBIO as module
  * [amd64] drivers/gpio: Enable GPIO_USBIO as module
  * [amd64] drivers/i2c/busses: Enable I2C_USBIO as module
    (Closes: #1130114)

  [ Salvatore Bonaccorso ]
  * [amd64] Enable INTEL_MEI_LB as module (Closes: #1136132)
  * Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
    (Closes: #1136790)
  * net: skbuff: preserve shared-frag marker during coalescing
    (CVE-2026-46300)
  * net: skbuff: propagate shared-frag marker through frag-transfer helpers
  * parport: Fix race between port and client registration
    (Closes: #1130365)

  [ Yunseong Kim ]
  * Enable SND_SOC_SDCA_CLASS as modules SND_SOC_SDCA_FDL,
    SND_SOC_SDCA_HID, SND_SOC_SDCA_IRQ as built-in for Panther Lake audio
    support. (Closes: #1135359)

nginx (1.30.1-3) unstable; urgency=medium

  * backport fix for buffer overflow vulnerability in the
    ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
  * d/p/CVE-2026-9256.patch add (Closes: 1137339)

nginx (1.30.1-2) unstable; urgency=medium

  * Upload to unstable
  * d/copyright: update Nginx Inc. and my copyright year

nginx (1.30.1-1) experimental; urgency=medium

  * New upstream version 1.30.1
  * d/p/{cve,CVE}-* remove, fixed in upstream
  * d/libnginx-mod.abisubstvars: update ABI to nginx-abi-1.30.1-1

nginx (1.30.0-4) unstable; urgency=medium

  * backport changes from upstream nginx,
    HTTP/3 address spoofing (CVE-2026-40460),
    buffer overread in the ngx_http_scgi_module and ngx_http_uwsgi_module
    (CVE-2026-42946),
    resolver use-after-free in OCSP (CVE-2026-40701),
    buffer overread in the ngx_http_charset_module (CVE-2026-42934),
    HTTP/2 request injection in the ngx_http_proxy_module (CVE-2026-42926)
  * d/p/CVE-2026-40460.patch add
  * d/p/CVE-2026-42946.patch add
  * d/p/CVE-2026-40701.patch add
  * d/p/CVE-2026-42934.patch add
  * d/p/CVE-2026-42926.patch add

nginx (1.30.0-3) unstable; urgency=medium

  * SECURITY UPDATE: buffer overrun in ngx_http_rewrite_module
    - d/patches/cve-2026-42945.patch: Apply upstream commit/fix for CVE
    - CVE-2026-42945

pg-statviz (1.0-2) unstable; urgency=medium

  * Add Suggests: python3-anthropic, python3-ollama.

timescaledb (2.27.1+dfsg-1) unstable; urgency=medium

  * New upstream version 2.27.1+dfsg.