14 files changed, 83 insertions, 66 deletions
diff --git a/security/Makefile b/security/Makefile
index 46547e92bf04..d8b14da244aa 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -282,6 +282,7 @@
     SUBDIR += lasso
     SUBDIR += lastpass-cli
     SUBDIR += lego
+    SUBDIR += lfacme
     SUBDIR += libaegis
     SUBDIR += libargon2
     SUBDIR += libassuan
diff --git a/security/botan3/Makefile b/security/botan3/Makefile
index a376d1c4fa7c..c5c0ff84d783 100644
--- a/security/botan3/Makefile
+++ b/security/botan3/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	botan
-DISTVERSION=	3.7.1
+DISTVERSION=	3.8.1
 CATEGORIES=	security
 MASTER_SITES=	http://botan.randombit.net/releases/
 PKGNAMESUFFIX=	${_BOTANMAJOR}
@@ -14,7 +14,8 @@ LICENSE_FILE=	${WRKSRC}/license.txt
 
 BUILD_DEPENDS=	${LOCALBASE}/include/boost/asio.hpp:devel/boost-libs
 
-USES=		compiler:c++20-lang cpe gmake llvm shebangfix tar:xz # llvm fixes build failure, see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279136
+USES=		compiler:c++20-lang cpe gmake shebangfix tar:xz
+
 CPE_VENDOR=	${PORTNAME}_project
 USE_LDCONFIG=	yes
 
@@ -37,7 +38,7 @@ LDFLAGS+=		-pthread
 
 DOCSDIR=	${LOCALBASE}/share/doc/${PORTNAME}-${PORTVERSION}
 
-_SOABIVER=	7
+_SOABIVER=	8
 _BOTANMAJOR=	${DISTVERSION:S/./ /g:[1]}
 _SHLIBVER=	${DISTVERSION:S/./ /g:[2]}
 _SHLIBVERPATCH=	${DISTVERSION:S/./ /g:[3]}
@@ -47,10 +48,12 @@ PLIST_SUB=	SHLIBVER=${_SHLIBVER} \
 		BOTANMAJOR=${_BOTANMAJOR}
 PORTDOCS=	*
 
-OPTIONS_DEFINE=			DOCS MANPAGES PYTHON SQLITE3
+OPTIONS_DEFINE=			DOCS LLVM_FROM_PORTS MANPAGES PYTHON SQLITE3
 OPTIONS_DEFAULT=		MANPAGES
 OPTIONS_SUB=			yes
 
+LLVM_FROM_PORTS_DESC=		Use LLVM from ports to build
+
 MANPAGES_BUILD_DEPENDS=		${PYTHON_PKGNAMEPREFIX}sphinx>=0:textproc/py-sphinx@${PY_FLAVOR} \
 				${PYTHON_PKGNAMEPREFIX}furo>=2022.6.21:textproc/py-furo@${PY_FLAVOR}
 MANPAGES_CONFIGURE_WITH=	sphinx
@@ -65,6 +68,15 @@ SQLITE3_CONFIGURE_WITH=	sqlite3
 
 .include <bsd.port.options.mk>
 
+# llvm from ports fixes build failure, see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279136
+.if ${OPSYS} == FreeBSD && \
+	((${OSVERSION} >= 1500000) || \
+	${PORT_OPTIONS:MLLVM_FROM_PORTS})
+USES+=	llvm
+USES:=	${USES:Ncompiler\:*} # XXX avoid warnings
+CHOSEN_COMPILER_TYPE=	clang
+.endif
+
 .if ${ARCH} == aarch64
 CONFIGURE_ARGS+=	--cc-abi="-march=armv8-a+crypto"
 .elif ${ARCH:Mpowerpc64*}
@@ -74,12 +86,6 @@ CONFIGURE_ARGS+=	--disable-powercrypto
 .endif
 .endif
 
-.if ${ARCH} == i386 || ${ARCH} == amd64
-PLIST_SUB+=	HAS_RDRAND_RNG=""
-.else
-PLIST_SUB+=	HAS_RDRAND_RNG="@comment "
-.endif
-
 .if ${ARCH} == i386 || ${ARCH} == amd64 || ${ARCH:Mpowerpc64*}
 PLIST_SUB+=	HAS_PROCESSOR_RNG=""
 .else
diff --git a/security/botan3/distinfo b/security/botan3/distinfo
index e90946f4ca79..e64fce607f4f 100644
--- a/security/botan3/distinfo
+++ b/security/botan3/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1738854685
-SHA256 (Botan-3.7.1.tar.xz) = fc0620463461caaea8e60f06711d7e437a3ad1eebd6de4ac29c14bbd901ccd1b
-SIZE (Botan-3.7.1.tar.xz) = 8659408
+TIMESTAMP = 1747422221
+SHA256 (Botan-3.8.1.tar.xz) = b039681d4b861a2f5853746d8ba806f553e23869ed72d89edbfa3c3dbfa17e68
+SIZE (Botan-3.8.1.tar.xz) = 8706304
diff --git a/security/krb5-devel/Makefile b/security/krb5-devel/Makefile
index 36aa57f35ae2..6745764fa63d 100644
--- a/security/krb5-devel/Makefile
+++ b/security/krb5-devel/Makefile
@@ -8,8 +8,8 @@ PKGNAME_X=		-${FLAVOR:S/default//}
 .endif
 PKGNAMESUFFIX=		${PKGNAME_X:S/--/-/:C/-$//}
 
-HASH=			61e92fe9a
-MIT_COMMIT_DATE=	2025.04.06
+HASH=			1113e746a
+MIT_COMMIT_DATE=	2025.06.17
 
 PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
 PATCH_DIST_STRIP=	-p2
diff --git a/security/krb5-devel/distinfo b/security/krb5-devel/distinfo
index addd917f9451..83e6497143e7 100644
--- a/security/krb5-devel/distinfo
+++ b/security/krb5-devel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1747800263
-SHA256 (krb5-krb5-1.22.2025.04.06-61e92fe9a_GH0.tar.gz) = 2eae92b633a9c77a66fbcb6a5acba93bf5bc6eb75b95ded662c9c4509ba16255
-SIZE (krb5-krb5-1.22.2025.04.06-61e92fe9a_GH0.tar.gz) = 4679049
+TIMESTAMP = 1750876627
+SHA256 (krb5-krb5-1.22.2025.06.17-1113e746a_GH0.tar.gz) = 535c723d44a5fb50ffe3aeb8e1198e81bf1485d24d0f11aa62f56f80dd9c283f
+SIZE (krb5-krb5-1.22.2025.06.17-1113e746a_GH0.tar.gz) = 4683455
diff --git a/security/nuclei/Makefile b/security/nuclei/Makefile
index 3a2828d806b2..bf4fd87882ba 100644
--- a/security/nuclei/Makefile
+++ b/security/nuclei/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	nuclei
 DISTVERSIONPREFIX=	v
-DISTVERSION=	3.4.4
+DISTVERSION=	3.4.5
 CATEGORIES=	security
 
 MAINTAINER=	dutra@FreeBSD.org
diff --git a/security/nuclei/distinfo b/security/nuclei/distinfo
index a4c3ceade456..e4cf46444ae0 100644
--- a/security/nuclei/distinfo
+++ b/security/nuclei/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1749429917
-SHA256 (go/security_nuclei/nuclei-v3.4.4/v3.4.4.mod) = 9e805e04dec4da32e582d774928290dd9b337ec1fd9fe49b5a38dc4f2d8fa9f3
-SIZE (go/security_nuclei/nuclei-v3.4.4/v3.4.4.mod) = 17916
-SHA256 (go/security_nuclei/nuclei-v3.4.4/v3.4.4.zip) = c574a8583455d3faaa9e50d87d24a2b8b283f22fecc796e2a58478c7525dddbd
-SIZE (go/security_nuclei/nuclei-v3.4.4/v3.4.4.zip) = 12381056
+TIMESTAMP = 1750899492
+SHA256 (go/security_nuclei/nuclei-v3.4.5/v3.4.5.mod) = 5afbb1c8d97f83b0d2b11bd9bf677f5b88043b95241def65c6cdf11d290bbdbe
+SIZE (go/security_nuclei/nuclei-v3.4.5/v3.4.5.mod) = 17916
+SHA256 (go/security_nuclei/nuclei-v3.4.5/v3.4.5.zip) = d88771513264794e0f2acb6c03682492363addc36b92c80330fb25ff747462ac
+SIZE (go/security_nuclei/nuclei-v3.4.5/v3.4.5.zip) = 12383461
diff --git a/security/rnp/Makefile b/security/rnp/Makefile
index c8dc94c9cdac..77944be6a051 100644
--- a/security/rnp/Makefile
+++ b/security/rnp/Makefile
@@ -1,6 +1,7 @@
 PORTNAME=	rnp
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.18.0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	https://github.com/rnpgp/${PORTNAME}/releases/download/${DISTVERSIONFULL}/
 
diff --git a/security/vuls/Makefile b/security/vuls/Makefile
index 9e88ccf86b2f..f2f41cbbf54c 100644
--- a/security/vuls/Makefile
+++ b/security/vuls/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	vuls
 DISTVERSIONPREFIX=v
-DISTVERSION=	0.32.0
-PORTREVISION=	2
+DISTVERSION=	0.33.1
 CATEGORIES=	security
 
 MAINTAINER=	girgen@FreeBSD.org
@@ -25,6 +24,9 @@ SUB_LIST=	PORTNAME=${PORTNAME} USERS=${USERS} GROUPS=${GROUPS}
 USERS=		vuls
 GROUPS=		vuls
 
+NOT_FOR_ARCHS=			i386
+NOT_FOR_ARCHS_REASON_i386=	https://gitlab.com/cznic/libc/-/issues/45
+
 post-patch:
 	@${REINPLACE_CMD} -e 's,%%ETCDIR%%,${ETCDIR},' \
 		${WRKSRC}/subcmds/configtest.go \
diff --git a/security/vuls/distinfo b/security/vuls/distinfo
index 171f6cc2ca7b..1524e85119a6 100644
--- a/security/vuls/distinfo
+++ b/security/vuls/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1747479508
-SHA256 (go/security_vuls/vuls-v0.32.0/v0.32.0.mod) = e3091e79324dcdd3e3c2959a3b9fa4ab03fc4d53a0ce41a76fc793a68b57302e
-SIZE (go/security_vuls/vuls-v0.32.0/v0.32.0.mod) = 20795
-SHA256 (go/security_vuls/vuls-v0.32.0/v0.32.0.zip) = 1eed06de6c88de618a25184d843010c76b30b77a8e554f028a2700a5e267266b
-SIZE (go/security_vuls/vuls-v0.32.0/v0.32.0.zip) = 1389053
+TIMESTAMP = 1750837237
+SHA256 (go/security_vuls/vuls-v0.33.1/v0.33.1.mod) = cffef0d92a21a68ae82e1eeb7dbf6504887496b042af76cb182e1e3fba9ece20
+SIZE (go/security_vuls/vuls-v0.33.1/v0.33.1.mod) = 20804
+SHA256 (go/security_vuls/vuls-v0.33.1/v0.33.1.zip) = 0bca1fe58726ef06e60e98d0849baff1c2aff6e1bd0de3722fe64314efec49c3
+SIZE (go/security_vuls/vuls-v0.33.1/v0.33.1.zip) = 1401641
diff --git a/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go b/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go
deleted file mode 100644
index a249bd5099ae..000000000000
--- a/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go
+++ /dev/null
@@ -1,29 +0,0 @@
-commit 8c4e8e2d2a63ef019048bd988a2016948605920b
-Author: iTanken <23544702+iTanken@users.noreply.github.com>
-Date:   Sun Apr 27 14:05:16 2025 +0800
-
-    fix: int type variable defaultMaxSize overflows in 32-bit environment (#7439)
-    
-    Refs: #7435
-
-diff --git a/internal/stmt_store/stmt_store.go b/internal/stmt_store/stmt_store.go
-index 7068419..a82b2cf 100644
---- vendor/gorm.io/gorm/internal/stmt_store/stmt_store.go
-+++ vendor/gorm.io/gorm/internal/stmt_store/stmt_store.go
-@@ -3,6 +3,7 @@ package stmt_store
- import (
- 	"context"
- 	"database/sql"
-+	"math"
- 	"sync"
- 	"time"
- 
-@@ -73,7 +74,7 @@ type Store interface {
- // the cache can theoretically store as many elements as possible.
- // (1 << 63) - 1 is the maximum value that an int64 type can represent.
- const (
--	defaultMaxSize = (1 << 63) - 1
-+	defaultMaxSize = math.MaxInt
- 	// defaultTTL defines the default time-to-live (TTL) for each cache entry.
- 	// When the TTL for cache entries is not specified, each cache entry will expire after 24 hours.
- 	defaultTTL = time.Hour * 24
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 88ecf66a42a7..8ebba07bf8bd 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,40 @@
+  <vuln vid="d45dabd9-5232-11f0-9ca4-2cf05da270f3">
+    <topic>Gitlab -- Vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab-ce</name>
+	<name>gitlab-ee</name>
+	<range><ge>18.1.0</ge><lt>18.1.1</lt></range>
+	<range><ge>18.0.0</ge><lt>18.0.3</lt></range>
+	<range><ge>16.10.0</ge><lt>17.11.5</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Gitlab reports:</p>
+	<blockquote cite="https://about.gitlab.com/releases/2025/06/25/patch-release-gitlab-18-1-1-released/">
+	  <p>Denial of Service impacts GitLab CE/EE</p>
+	  <p>Missing Authentication issue impacts GitLab CE/EE</p>
+	  <p>Improper access control issue impacts GitLab CE/EE</p>
+	  <p>Elevation of Privilege impacts GitLab CE/EE</p>
+	  <p>Improper access control issue impacts GitLab EE</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-3279</cvename>
+      <cvename>CVE-2025-1754</cvename>
+      <cvename>CVE-2025-5315</cvename>
+      <cvename>CVE-2025-2938</cvename>
+      <cvename>CVE-2025-5846</cvename>
+      <url>https://about.gitlab.com/releases/2025/06/25/patch-release-gitlab-18-1-1-released/</url>
+    </references>
+    <dates>
+      <discovery>2025-06-25</discovery>
+      <entry>2025-06-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="03ba1cdd-4faf-11f0-af06-00a098b42aeb">
     <topic>cisco -- OpenH264 Decoding Functions Heap Overflow Vulnerability</topic>
     <affects>
diff --git a/security/wpa_supplicant-devel/Makefile b/security/wpa_supplicant-devel/Makefile
index f4456e429e42..5aee9e01aadb 100644
--- a/security/wpa_supplicant-devel/Makefile
+++ b/security/wpa_supplicant-devel/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	wpa_supplicant
 PORTVERSION=	${COMMIT_DATE}
-PORTREVISION=	1
 CATEGORIES=	security net
 PKGNAMESUFFIX=	-devel
 
@@ -11,8 +10,8 @@ WWW=		https://w1.fi/wpa_supplicant/
 USE_GITHUB=	yes
 GH_ACCOUNT=	cschuber
 GH_PROJECT=	hostap
-GH_TAGNAME=	54930b62b
-COMMIT_DATE=	2025.05.08
+GH_TAGNAME=	0b60826a6
+COMMIT_DATE=	2025.06.25
 
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/README
diff --git a/security/wpa_supplicant-devel/distinfo b/security/wpa_supplicant-devel/distinfo
index 4eabde753e8c..dcac53e1a70b 100644
--- a/security/wpa_supplicant-devel/distinfo
+++ b/security/wpa_supplicant-devel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1747800845
-SHA256 (cschuber-hostap-2025.05.08-54930b62b_GH0.tar.gz) = 945b6a16ef7e6071309f1aa02168e05de26ec91b7e4cf8f6eb556fcd649012bb
-SIZE (cschuber-hostap-2025.05.08-54930b62b_GH0.tar.gz) = 5291910
+TIMESTAMP = 1750881106
+SHA256 (cschuber-hostap-2025.06.25-0b60826a6_GH0.tar.gz) = 308a2a3a1edf5154a6d44dfa6dc07d9cf61d6bef54be16cdd76683984c83bf7e
+SIZE (cschuber-hostap-2025.06.25-0b60826a6_GH0.tar.gz) = 5313294