From nobody Wed Jun 10 11:22:50 2026
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb3Kk2xtNz6fw8t
	for <dev-commits-ports-all@mlmmj.nyi.freebsd.org>; Wed, 10 Jun 2026 11:22:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gb3Kk1ZF1z3s6s
	for <dev-commits-ports-all@FreeBSD.org>; Wed, 10 Jun 2026 11:22:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781090570;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=kb++GXI8THMCEAbdrVos8Kry4TkfDOfTD4zPjd9smdw=;
	b=NnMFI+M8b6pX0l0b7t/zx9+PdsaUZrYQdOfM+jRlb8Z8Ogz+xK34IoSTblJG6EM/Mo7yS5
	Neopj4fSQVt9fnDjCmJOS/VcUEqlOewp10JgOxZw6PfEdg5s6zoetzK/GaZzpiwsA43dyu
	bqzUJqbCYpcHR2DYZrlfZYX3CWNP0ymH4IDXNUgk81qoNoObxioaiL6cVZ/W99S18QAEoq
	6W/nl0S4zRrv1usZiPhfUxRocAN3SeSSp74PcoUb0SrDJAgGVqtPQbb/uyPkBSOsSwcqbD
	n9kUaSPvlkHqBMKBYyvGnXMjuVRWonDF6aaPQknNp//c4BY2Q3YgUB00WMqPZQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781090570; a=rsa-sha256; cv=none;
	b=Dojd7WfjSsSvno27StML48x+6DCHGfXIyuBQdXU8TovlqZ0N7Ng7raPD1SeVsTgbri7/05
	85YVfulVAg2wYTQOZHcNXQ8YuV8B9vNoKLTMy4mmxwl3VCN9xSSdbnCD2ZDqxznodM9Sm9
	ucmMo7f73V13tqUODmxYUJ+NJmBnhkymM9qNGyAy4/iem+elB/Dkey4xvdeLQy1/DsitcA
	jb1GWVSdHcM7gJ1/Rm1vBdtzkDbFT+h1ZL379fyU7q3eGTIKP2Nn/Fr0q2tP1PkybaZtyn
	/PQPk1ahQkf6Kt9MTZE+Ui/a7pldhBiNKcwXyCfQNgfmjXXavJgcTs0Er0xkAw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781090570;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=kb++GXI8THMCEAbdrVos8Kry4TkfDOfTD4zPjd9smdw=;
	b=Nn5zCbcaJztx48ycOQ62zWCzZelIjRxXPIMKqe8tnepjA6+neaFOxE2JnMRnKGRd8JzmnF
	+5G6vTHCMki4J5dMdXF47fJzHfI+r9/OmV0yEiIB+cEo7GdT1DhxLukmX/8aigE3DrdEL0
	BoQJtin0s0UOjrGhTQNqSgEWAmMFswm1Tor+HDx2HiJ1ZGc30QJtBlkBthUV6pYZvl/BVX
	TMw3do18VSD2aJQN39n86xBrXE+OhT3FhGN3drg/P7WcQVaLQdgCDdsvXIzuq2Xgr1kkmp
	o/SyI0BAb3mtSmfoL3r/LWf6DDBSxi3y5qt6XUmvLldynQylqFpSTb3Z1d8ELw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gb3Kk11LMz1J16
	for <dev-commits-ports-all@FreeBSD.org>; Wed, 10 Jun 2026 11:22:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 36fb1
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 10 Jun 2026 11:22:50 +0000
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Piotr Smyrak <smyru@FreeBSD.org>
Subject: git: 27367635aaad - main - security/vuxml: document devel/tree-sitter-cli vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-all@freebsd.org
Sender: owner-dev-commits-ports-all@FreeBSD.org
List-Id: <dev-commits-ports-all.FreeBSD.org>
List-Post: <mailto:dev-commits-ports-all@FreeBSD.org>
List-Help: <mailto:dev-commits-ports-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: smyru
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 27367635aaadde7d102c188e32f3867b6e7cd6ef
Auto-Submitted: auto-generated
Date: Wed, 10 Jun 2026 11:22:50 +0000
Message-Id: <6a29490a.36fb1.fe5557c@gitrepo.freebsd.org>

The branch main has been updated by smyru:

URL: https://cgit.FreeBSD.org/ports/commit/?id=27367635aaadde7d102c188e32f3867b6e7cd6ef

commit 27367635aaadde7d102c188e32f3867b6e7cd6ef
Author:     Piotr Smyrak <smyru@FreeBSD.org>
AuthorDate: 2026-06-08 13:56:25 +0000
Commit:     Piotr Smyrak <smyru@FreeBSD.org>
CommitDate: 2026-06-10 11:22:41 +0000

    security/vuxml: document devel/tree-sitter-cli vulnerabilities
    
    PR:             294982
    Approved by:    0mp
    Differential Revision:  https://reviews.freebsd.org/D57502
---
 security/vuxml/vuln/2026.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index d810b5da8c56..d7b938bf5bae 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,48 @@
+  <vuln vid="36ec75da-633d-11f1-9dbc-28d2443e6cfa">
+    <topic>tree-sitter-cli -- Always-Incorrect Control Flow Implementation in wasmtime crate</topic>
+    <affects>
+    <package>
+	<name>tree-sitter-cli</name>
+	<range><lt>0.26.9</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw reports:</p>
+	<blockquote cite="https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw">
+	  <p>Wasmtime is a runtime for WebAssembly.  From 25.0.0 to before 36.0.7,
+42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability
+where the compilation of the table.fill instruction can result in
+a host panic.  This means that a valid guest can be compiled with
+Winch, on any architecture, and cause the host to panic.  This
+represents a denial-of-service vulnerability in Wasmtime due to
+guests being able to trigger a panic.  The specific issue is that
+a historical refactoring changed how compiled code referenced tables
+within the table.* instructions.  This refactoring forgot to update
+the Winch code paths associated as well, meaning that Winch was
+using the wrong indexing scheme.  Due to the feature support of
+Winch the only problem that can result is tables being mixed up or
+nonexistent tables being used, meaning that the guest is limited
+to panicking the host (using a nonexistent table), or executing
+spec-incorrect behavior and modifying the wrong table. This
+vulnerability is fixed in crate versions: 36.0.7, 42.0.2, and 43.0.1.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>RUSTSEC-2026-0089</cvename>
+      <url>https://rustsec.org/advisories/RUSTSEC-2026-0089</url>
+      <cvename>CVE-2026-34946</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2026-34946</url>
+      <cvename>GHSA-q49f-xg75-m9xw</cvename>
+      <url>https://github.com/advisories/GHSA-q49f-xg75-m9xw</url>
+    </references>
+    <dates>
+      <discovery>2026-04-09</discovery>
+      <entry>2026-06-08</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="259b562f-64ab-11f1-8607-8447094a420f">
     <topic>OpenSSL -- Multiple vulnerabilities</topic>
     <affects>