gdu (5.36.1-1) unstable; urgency=medium
 .
   * New upstream release

golang-github-gdamore-tcell.v2 (2.13.10-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.13.10
   * d/gbp.conf:
     -  Add upstream-vcs-tag
golang-github-gdamore-tcell.v2 (2.13.9-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.13.8
golang-github-gdamore-tcell.v2 (2.13.8-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.13.8
   * d/control:
     - Declare compliance with Debian Policy 4.7.4
     - Refresh (build) dependencies
     - Drop Priority: optional (default)
     - Drop Rules-Requires-Root: no (default)
   * d/copyright:
     - Bump years of Debian copyright
   * d/examples:
     - Install demos outside of source path
   * d/gbp.conf:
     - Disable pristine-tar
   * d/watch:
     - Update to version 5 watch file format

golang-github-pquerna-otp (1.5.0+really1.5.0-1) unstable; urgency=medium
 .
   * Team Upload.
   * New upstream version 1.5.0+really1.5.0.
     - requires by golang-github-gopasspw-gopass.
   * debian/control: drop Priority: optional (now the default).
   * debian/control: Drop Rules-Requires-Root: no (now the default).
   * debian/control: bump to Standards-version to 4.7.4.

gomuks (0.3.1+ds-2) unstable; urgency=medium
 .
   * Bump standards version to 4.7.4.
   * d/control:
     - drop RRR.
     - drop myself, add Maytham Alsudany to Uploaders.
   * d/watch: update to version 5.

jq (1.8.1-8) unstable; urgency=high
 .
   * Cherry-pick upstream fix for the following:
     * GHSA-ggc9-rpv2-xgpm
     * GHSA-gvwx-xj9r-3frq
     * CVE-2026-49839

lf (41+ds-1) unstable; urgency=medium
 .
   * New upstream version 41+ds
   * d/control:
     - Declare compliance with Debian Policy 4.7.4
     - Refresh build dependencies
     - Drop unnecessary Priority and Rules-Requires-Root fields
   * d/copyright:
     - Refresh years of Debian copyright
   * d/lintian-overrides:
     - Drop unmatched overrides
   * d/rules:
     - Ensure embedded ruler.default is available at build time
   * d/watch:
     - Update to version 5 watch file format

mozjs140 (140.12.0-1) unstable; urgency=high
 .
   * New upstream release
     - CVE-2026-13237: Memory safety bugs fixed in Firefox ESR 140.12
     - CVE-2026-13238: Memory safety bugs fixed in Firefox ESR 140.12
   * Update debhelper compat to 14

python-aiohttp (3.14.1-1) unstable; urgency=medium
 .
   * New upstream release.
python-aiohttp (3.14.0-1) unstable; urgency=medium
 .
   * New upstream release.
       * Fix CVE-2026-47265 (Closes: #1138780)
       * Fix CVE-2026-34993 (Closes: #1138781)
   * Upstream added sphinxcontrib-mermaid, myst-parser and
     pytest-timeout dependencies.
   * Rebase patches.
   * Skip another test failing during autopkgtest.

ruby-bullet (8.1.3-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Lucas Nussbaum ]
   * debian/gbp.conf: Add for DEP-14
   * debian/gbp.conf: remove trailing empty lines
   * debian/.gitattributes: remove
   * debian/salsa-ci.yml: use team-specific include
 .
   [ Simon Quigley ]
   * Upgrade the watch file to version 5.
   * New upstream release.
   * Refresh the upstream metadata.
   * Refresh the copyright file.
   * Update Standards-Version to 4.7.4.
   * Bump debhelper-compat to 14, dropping ${misc:Depends},
     ${shlibs:Depends}, and ${ruby:Depends} from runtime dependencies.
   * Update build dependencies.

ruby-mixlib-log (3.2.15-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Lucas Nussbaum ]
   * debian/gbp.conf: Add for DEP-14
   * debian/.gitattributes: remove
   * debian/salsa-ci.yml: use team-specific include
 .
   [ Simon Quigley ]
   * Upgrade the watch file to version 5.
   * New upstream release.
   * Drop {XS,XB}-Ruby-Versions from control.
   * Update Standards-Version to 4.7.4.
   * Bump debhelper-compat to 14, dropping ${misc:Depends},
     ${shlibs:Depends}, and ${ruby:Depends} from runtime dependencies.
   * Drop old Breaks.

ruby-rouge (5.0.0-1) unstable; urgency=medium
 .
   * Team upload.
   * Upgrade the watch file to version 5.
   * New upstream release.
   * Update Standards-Version to 4.7.4.
   * Bump debhelper-compat to 14, dropping ${misc:Depends},
     ${shlibs:Depends}, and ${ruby:Depends} from runtime dependencies.
   * Relax the dependency on strscan via relax-strscan.patch.
   * Remove dependency via drop-rubocop-minitest-assert_offense.patch.

thunderbird (1:140.12.0esr-1) unstable; urgency=medium
 .
   * [8715b04] New upstream version 140.12.0esr
     Fixed CVE issues in upstream version 140.12 (MFSA 2026-61):
     CVE-2026-12289: Privilege escalation in the Graphics: WebRender component
     CVE-2026-12290: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12291: Use-after-free in the Networking: HTTP component
     CVE-2026-12292: Incorrect boundary conditions in the Web Audio component
     CVE-2026-12294: Sandbox escape in the DOM: Workers component
     CVE-2026-12295: Sandbox escape in the DOM: Navigation component
     CVE-2026-12298: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12296: Sandbox escape in the Security: Process Sandboxing
                     component
     CVE-2026-12297: Sandbox escape due to incorrect boundary conditions in the
                     Networking component
     CVE-2026-12299: JIT miscompilation in the DOM: Core & HTML component
     CVE-2026-12329: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12302: Mitigation bypass in the DOM: Security component
     CVE-2026-12304: Same-origin policy bypass in the Networking: Cookies
                     component
     CVE-2026-12305: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12306: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12307: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12308: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12309: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12310: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12311: Information disclosure, sandbox escape in the Security:
                     Process Sandboxing component
     CVE-2026-12312: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12313: Information disclosure, sandbox escape in the Security:
                     Process Sandboxing component
     CVE-2026-12314: Memory safety bug fixed in Thunderbird ESR 140.12
     CVE-2026-12315: Mitigation bypass in the DOM: Security component
     CVE-2026-12330: Incorrect boundary conditions in the Internationalization
                     component
     CVE-2026-12324: Incorrect boundary conditions in the Graphics: CanvasWebGL
                     component
     CVE-2026-12325: Denial-of-service in the Graphics: ImageLib component
     CVE-2026-12327: Memory safety bugs fixed in Firefox ESR 140.12,
                     Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
     CVE-2026-12328: Memory safety bugs fixed in Firefox ESR 115.37, Firefox
                     ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and
                     Thunderbird 152