This is a placeholder PR for the upcoming OpenEXR 3.4.9 security update. The word is out, and the VuXML update is in 294196.
https://lists.aswf.io/g/openexr-dev/message/5436
https://github.com/AcademySoftwareFoundation/openexr/blob/v3.4.9-rc/CHANGES.md#version-349-april--3-2026
The v3.4.9-rc git checkout builds and tests fine (outside the ports framework) on FreeBSD 15.0-RELEASE amd64. Note OpenEXR v3.4.9-rc is not compatible with C++26 and triggers deprecation warnings with C++17, C++20, C++23 about wstring conversion through codecvt; upstream bug reports are
https://github.com/AcademySoftwareFoundation/openexr/issues/2335 (mine)
https://github.com/AcademySoftwareFoundation/openexr/issues/1785 (Apple)
Preview update here: https://github.com/freebsd/freebsd-ports/commit/0137ac40759f62ec485e83d15115fb83618432ae or https://gitlab.com/mandree/freebsd-ports/-/commit/0137ac40759f62ec485e83d15115fb83618432ae
For GitHub, the correct link is https://github.com/mandree/freebsd-ports/commit/0137ac40759f62ec485e83d15115fb83618432ae (note it may change if I need to rebase, in which case see https://github.com/mandree/freebsd-ports/commits/main/ or https://gitlab.com/mandree/freebsd-ports/-/commits/main?ref_type=HEADS)
Created attachment 269354 [details] update to v3.4.9 security release of openexr and update accompanying -website-docs
^Triage: Maintainer-feedback flag (+) not required unless requested (?) first
(In reply to Matthias Andree from comment #4)
Applied this patch with git am; it fails in poudriere in the build phase here:
[00:00:15] FAILED: [code=1] src/lib/OpenEXRCore/CMakeFiles/OpenEXRCore.dir/compression.c.o
[00:00:15] /ccache/libexec/ccache/cc -DLIBDEFLATE_DLL -DOPENEXRCORE_EXPORTS -DOpenEXRCore_EXPORTS -D_FILE_OFFSET_BITS=64 -I/wrkdirs/usr/ports/graphics/openexr/work/.build/src/lib/OpenEXRCore -I/wrkdirs/usr/ports/graphics/openexr/work/openexr-3.4.9/src/lib/OpenEXRCore -I/wrkdirs/usr/ports/graphics/openexr/work/.build/cmake -isystem /usr/local/include/Imath -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -DNDEBUG -fPIC -fvisibility=hidden -MD -MT src/lib/OpenEXRCore/CMakeFiles/OpenEXRCore.dir/compression.c.o -MF src/lib/OpenEXRCore/CMakeFiles/OpenEXRCore.dir/compression.c.o.d -o src/lib/OpenEXRCore/CMakeFiles/OpenEXRCore.dir/compression.c.o -c /wrkdirs/usr/ports/graphics/openexr/work/openexr-3.4.9/src/lib/OpenEXRCore/compression.c
[00:00:15] /wrkdirs/usr/ports/graphics/openexr/work/openexr-3.4.9/src/lib/OpenEXRCore/compression.c:32:14: fatal error: 'libdeflate.h' file not found
[00:00:15] 32 | # include <libdeflate.h>
[00:00:15] | ^~~~~~~~~~~~~~
[00:00:15] 1 error generated.
Created attachment 269388 [details] poudriere build log full build log
Created attachment 269391 [details] openexr 13.5 RELEASE amd64 build log (successful)
I don't see such issues on my computer with FreeBSD 13.5. libdeflate is listed in LIB_DEPENDS -- but something's up with your poudriere - it does not attempt to install libdeflate (which it should) -- I am attaching my log to compare, but to me it looks like a local problem on your system. Besides that, FreeBSD 13.5 is only supported for some three weeks, so this isn't a showstopper anyhow.
Sorry, void@f-m.fm's poudriere did install libdeflate, but still... from void@'s log:
[00:00:01] =======================<phase: extract >============================
[00:00:01] ===== env: NO_DEPENDS=yes USER=root UID=0 GID=0
What's NO_DEPENDS? I have STRICT_DEPENDS there. At any rate, even disabling DOCS and EXAMPLES, my poudriere build for a 13.5 jail on a 15-RELEASE (not -STABLE) host passes, including self tests.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ff3b84dc9b80acb9e6a7a86b837898d4e7687580

commit ff3b84dc9b80acb9e6a7a86b837898d4e7687580
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-02 09:27:40 +0000
Commit: Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-05 19:50:36 +0000

    graphics/openexr*: Security update to 3.4.9

    Addresses several security vulnerabilities

    Changelog: https://github.com/AcademySoftwareFoundation/openexr/blob/v3.4.9/CHANGES.md#version-349-april--3-2026

    PR: 294197
    Security: CVE-2026-34589, CVE-2026-34588, CVE-2026-34380, CVE-2026-34379, CVE-2026-34378, adb096d4-2e72-11f1-acc1-339a1a6999b0

 graphics/openexr-website-docs/Makefile | 6 +++---
 graphics/openexr-website-docs/distinfo | 6 +++---
 graphics/openexr/Makefile | 11 ++++++-----
 graphics/openexr/distinfo | 6 +++---
 4 files changed, 15 insertions(+), 14 deletions(-)
(In reply to Matthias Andree from comment #9)
> What's NO_DEPENDS? I have STRICT_DEPENDS there.

That's a function of DEVELOPER_MODE. Normal users don't have that enabled. Try compiling with it turned off. (I have not tried the converse - turning it on to see if it compiles.)

The issue only appears, from what I can see, in 13.x; openexr builds fine in 14.x.
(In reply to void from comment #11)
I cannot reproduce this, not with DEVELOPER, not without, not on main nor on quarterly.
@ports-secteam: please MFH.
(In reply to Matthias Andree from comment #12) I'm not sure why this PR is assigned to ports-secteam@ and why the MFH is set to ? With ports-secteam@ hat, yes, I think this should be merged. But why ports-secteam@ if you can do it yourself? Even more, why not the committer who actually resolved the issue? Just looking for clarification here.
A commit in branch 2026Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8c267bd7d6375784450aa099e7de2e73f4e14b93

commit 8c267bd7d6375784450aa099e7de2e73f4e14b93
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-02 09:27:40 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2026-04-09 17:13:11 +0000

    graphics/openexr*: Security update to 3.4.9

    Addresses several security vulnerabilities

    Changelog: https://github.com/AcademySoftwareFoundation/openexr/blob/v3.4.9/CHANGES.md#version-349-april--3-2026

    PR: 294197
    Security: CVE-2026-34589, CVE-2026-34588, CVE-2026-34380, CVE-2026-34379, CVE-2026-34378, adb096d4-2e72-11f1-acc1-339a1a6999b0

    (cherry picked from commit ff3b84dc9b80acb9e6a7a86b837898d4e7687580)

 graphics/openexr-website-docs/Makefile | 6 +++---
 graphics/openexr-website-docs/distinfo | 6 +++---
 graphics/openexr/Makefile | 11 ++++++-----
 graphics/openexr/distinfo | 6 +++---
 4 files changed, 15 insertions(+), 14 deletions(-)
Done. MFH'ed to 2026Q2