vim - Debian Package Tracker

general

source: vim (main)
version: 2:9.2.0355-1
maintainer: Debian Vim Maintainers (DMD)
uploaders: James McCoy [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2:8.2.2434-3+deb11u1
o-o-sec: 2:8.2.2434-3+deb11u3
oldstable: 2:9.0.1378-2+deb12u2
stable: 2:9.1.1230-2
testing: 2:9.2.0355-1
unstable: 2:9.2.0355-1

versioned links

2:8.2.2434-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.2.2434-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:9.0.1378-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:9.1.1230-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:9.2.0355-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

vim (40 bugs: 0, 19, 21, 0)
vim-common (6 bugs: 0, 2, 4, 0)
vim-doc (1 bugs: 0, 0, 1, 0)
vim-gtk3 (3 bugs: 0, 1, 2, 0)
vim-gui-common
vim-motif
vim-nox (1 bugs: 0, 0, 1, 0)
vim-runtime (32 bugs: 0, 14, 18, 0)
vim-tiny (1 bugs: 0, 1, 0, 0)
xxd (3 bugs: 0, 0, 3, 0)

action needed

A new upstream version is available: 9.2.0407 high

A new upstream version 9.2.0407 is available, you should consider packaging it.

Created: 2026-04-16 Last update: 2026-04-29 16:30

14 security issues in trixie high

There are 14 open security issues in trixie.

10 important issues:

CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
CVE-2026-28419: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

4 issues left for the package maintainer to handle:

CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-07-16 Last update: 2026-04-28 19:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

Created: 2026-04-25 Last update: 2026-04-28 19:02

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

Created: 2026-04-25 Last update: 2026-04-28 19:02

14 security issues in bullseye high

There are 14 open security issues in bullseye.

10 important issues:

CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
CVE-2026-28419: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

4 issues postponed or untriaged:

CVE-2025-53905: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
CVE-2025-53906: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
CVE-2026-25749: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
CVE-2026-26269: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

Created: 2026-02-28 Last update: 2026-04-28 19:02

15 security issues in bookworm high

There are 15 open security issues in bookworm.

10 important issues:

CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
CVE-2026-28419: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

5 issues left for the package maintainer to handle:

CVE-2025-29768: (needs triaging) Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.
CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-03-03 Last update: 2026-04-28 19:02

17 bugs tagged patch in the BTS normal

The BTS contains patches fixing 17 bugs, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-29 22:00

Depends on packages which need a new maintainer normal

The packages that vim depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends-Indep: docbook-xml

Created: 2022-10-24 Last update: 2026-04-29 20:32

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2024-01-19 Last update: 2026-04-29 19:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2:9.2.0413-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 9cbb645731e6456140d34dbbeb1d42a6745eef15
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 11:00:52 2026 -0400

    Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from d/copyright
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 5b79de609151af7a2033cb754a7306dc24f0c63a
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 09:04:12 2026 -0400

    Start changelog for 9.2.0413
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit a14fe7c199e679385670b6ddb175654b1a6404bf
Merge: 067a592e8 bd0f3e6da
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 08:54:11 2026 -0400

    Merge tag 'v9.2.0413' into debian/sid
    
    v9.2.0413

commit 067a592e8d765bd6aec9648df621909b06376bc8
Author: James McCoy <jamessan@debian.org>
Date:   Thu Apr 16 09:11:30 2026 -0400

    release package vim version 2:9.2.0355-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit d24ece80f2a15e7c5a57daf94ab1542a966f4e1f
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 15 23:13:32 2026 -0400

    Remove "set nomodeline" from debian.vim
    
    Now that upstream has added the "modelinestrict" option, the default behavior is equivalent to the prior recommendation of "set nomodeline" + using the securemodelines plugin.
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 19ca005df85ca9c7c83ad939a866d4d4ed12d84b
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 15 23:11:23 2026 -0400

    Remove documentation patch about Debian disabling modeline option
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 52f9aabd1694f632dfd9ccd24fa9f59d461647c5
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 15 23:08:58 2026 -0400

    Start changelog for v9.2.0355
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 06fc273cc89f2794b4f52361219da83b2e51c56a
Merge: 78b9fcbbb 490b737f3
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 15 23:02:59 2026 -0400

    Merge tag 'v9.2.0355' into debian/sid
    
    v9.2.0355

commit 78b9fcbbbcdfad6707b649d05b8c883d2f58772d
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 20:46:16 2026 -0400

    release package vim version 2:9.2.0338-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 2d8c5159a5284a2d23ad8c95b13363c1a0c8fc90
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 20:44:08 2026 -0400

    Change libgpmg1-dev Build-Depends to libgpm-dev
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 0da646afaa65e999ee284ccc075ec25c0e755df8
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 20:41:17 2026 -0400

    Change libselinux1-dev Build-Depends to libselinux-dev
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 46749710b6123f72f2cce7ef459c919bf6ec2880
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 14:42:12 2026 -0400

    Add debian/.editorconfig file to override top-level file
    
    Gbp-Dch: ignore
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 97434889324c84fc8106d350e07249af76e4208d
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 14:41:38 2026 -0400

    Start changelog for 9.2.0338
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 419ecfc82fa4cf983d633a48f7e3f6a01ffc95b4
Merge: 04168610f 0802e00f2
Author: James McCoy <jamessan@debian.org>
Date:   Sat Apr 11 14:37:03 2026 -0400

    Merge tag 'v9.2.0338' into debian/sid
    
    v9.2.0338

commit 04168610fa291171a5fb97fb43a923436f037039
Author: James McCoy <jamessan@debian.org>
Date:   Tue Apr 7 07:53:13 2026 -0400

    release package vim version 2:9.2.0315-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 112cdeb8a56f1d7c2f11dbfa4e1f583ad820000c
Author: James McCoy <jamessan@debian.org>
Date:   Tue Apr 7 06:31:22 2026 -0400

    Declare compliance with Policy 4.7.4, no changes needed
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 7ef45917964ff54ab0532af53b9f34cacd93ab48
Author: James McCoy <jamessan@debian.org>
Date:   Mon Apr 6 23:04:36 2026 -0400

    Refresh patches.
    
    Gbp-Dch: Ignore
    Signed-off-by: James McCoy <jamessan@debian.org>

commit c73427888b331a7af6adbf07f2ae99d04d97768f
Author: James McCoy <jamessan@debian.org>
Date:   Mon Apr 6 23:04:06 2026 -0400

    Bump changelog to 9.2.0315
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e41247d14388ff2c7b0279acec3dea1d9a82f79e
Merge: abd564053 8d23fcb60
Author: James McCoy <jamessan@debian.org>
Date:   Mon Apr 6 23:01:23 2026 -0400

    Merge tag 'v9.2.0315' into debian/sid
    
    v9.2.0315

commit abd5640537b5a8dfbe0fc79ad90d77bffb8d9426
Author: James McCoy <jamessan@debian.org>
Date:   Thu Apr 2 07:06:57 2026 -0400

    Remove revert of v9.1.0949, since the popup positioning has been fixed
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e366af9e0d7adfad06dddfb7c3da8ea98247b914
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 1 22:48:24 2026 -0400

    Refresh patches.
    
    Gbp-Dch: Ignore
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 2fa072435893a04e07ab9cad0bc750fdf2ce9c3a
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 1 22:47:56 2026 -0400

    Start changelog for v9.2.0280
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 2f0887a97c7fcccd90d4f4cb017edee652df1cb2
Merge: 83a86139a 708892631
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 1 22:43:29 2026 -0400

    Merge tag 'v9.2.0280' into debian/sid
    
    v9.2.0280

commit 7088926316d8d4a7572a242d0765e99adfc8b083
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 16:23:49 2026 +0000

    patch 9.2.0280: [security]: path traversal issue in zip.vim
    
    Problem:  [security]: path traversal issue in zip.vim
              (Michał Majchrowicz)
    Solution: Detect more such attacks and warn the user.
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fe05143f5d70c89e4a14cbf61fee091dc6ba791c
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 15:27:51 2026 +0000

    patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list
    
    Problem:  libvterm CSI parser does not bounds-check argi against
              CSI_ARGS_MAX, allowing excess ';'-separated arguments to
              write past the end of the args array (sentinel404).
    Solution: Drop excess arguments.
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b2e55ed1d6c9d9af0e1afa6deedf0fec7a49c8c8
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 15:03:58 2026 +0000

    patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
    
    Problem:  Reading a crafted viminfo file can cause a heap buffer
              overflow because the length value from getdigits() is cast to
              int, truncating large size_t values
    Solution: Remove the (int) cast when calling alloc() (sentinel404)
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3e60f03d942d6bb0f7eac61b149e83615518cec0
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 14:28:53 2026 +0000

    runtime(netrw): use fnameescape() with FileUrlEdit()
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2c976d0de48db4ee56769669edbc8875564d3453
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 10:33:42 2026 +0000

    SECURITY.md: clarify the use of AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 82ebaa79b03f0f9d66eeba51570c62a83096108f
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 1 08:10:15 2026 +0000

    runtime(racket): Make visual K mapping more robust for shell injection
    
    fyi @benknoble
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 8c8772c6b321d4955c8f09926e3eda2b4cd83680
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Wed Apr 1 07:33:46 2026 +0000

    patch 9.2.0277: tests: test_modeline.vim fails
    
    Problem:  tests: test_modeline.vim fails (after v9.2.0276)
    Solution: Rewrite the tests to use the existing s:modeline_fails()
              function, update documentation (zeertzjq).
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 52169dbc285724cf2ba5956426fa08d26c6f4672
Author: Eisuke Kawashima <e-kwsm@users.noreply.github.com>
Date:   Tue Mar 31 19:12:36 2026 +0000

    translation(cleanup): squeeze successive empty lines and remove stray comments
    
    closes: #19860
    
    Signed-off-by: Eisuke Kawashima <e-kwsm@users.noreply.github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 75661a66a1db1e1f3f1245c615f13a7de44c0587
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Mar 31 18:29:00 2026 +0000

    patch 9.2.0276: [security]: modeline security bypass
    
    Problem:  [security]: modeline security bypass
    Solution: disallow mapset() from secure mode, set the P_MLE flag for the
              'complete', 'guitabtooltip' and 'printheader' options.
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4cc3ab7401357ac7784fe519d62cca6860d98339
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Mar 31 17:44:00 2026 +0000

    patch 9.2.0275: tests: test_options.vim fails
    
    Problem:  tests: test_options.vim fails
              (after v9.2.0273)
    Solution: allow column value of 0
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 309332a32e02d934540c1d35e38779c1b3570d48
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Tue Mar 31 16:34:23 2026 +0000

    patch 9.2.0274: BSU/ESU are output directly to the terminal
    
    Problem:  BSU/ESU are output directly to the terminal
    Solution: Route them through out_buf() and flush the output directly,
              increase the OUT_SIZE terminal buffer (Yasuhiro Matsumoto)
    
    Route synchronized-output control sequences through out_buf and flush
    explicitly at protocol boundaries, instead of forcing BSU/ESU through
    ui_write() directly.
    
    Also increase the terminal output buffer from 2047 to 8191 bytes so
    large redraws are emitted in fewer writes.
    
    The important guarantee here is terminal-visible ordering: BSU must
    reach the terminal before the batched redraw bytes, ESU must reach the
    terminal after them, and FLUSH must emit ESU and BSU together, then
    flush immediately.
    
    Benchmark: PTY redraw workload with TERM=xterm-256color, long wrapped
    lines, cursorline, listchars, horizontal scrolling, and repeated redraw!.
    
    write syscalls: 8514 -> 5094 (-40.2%)
    wall time: 0.568s -> 0.495s (-12.9%) on valid runs in this environment
    
    closes: #19862
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ac18dff65aa055dfdfb5b7c36870c84f742e7ead
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Mar 31 16:13:25 2026 +0000

    patch 9.2.0273: tabpanel: undefined behaviour with large tabpanelop columns
    
    Problem:  tabpanel: undefined behaviour with large tabpanelop columns
              (Michał Majchrowicz)
    Solution: Error out for too large column values
    
    Co-authored-by: Michał Majchrowicz <mmajchrowicz@afine.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e4502b6037eb9e8d2c9f666b97b17147d7b07507
Author: RestorerZ <restorer@mail2k.ru>
Date:   Tue Mar 31 15:51:32 2026 +0000

    translation(ru): updated lang/README.ru.txt
    
    closes: #19865
    
    Signed-off-by: RestorerZ <restorer@mail2k.ru>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f4f175332c151b51f8097e3db45bfea2751011a4
Author: RestorerZ <restorer@mail2k.ru>
Date:   Tue Mar 31 15:49:44 2026 +0000

    translation(ru): updated the Russian man page the xxd
    
    closes: #19867
    
    Signed-off-by: RestorerZ <restorer@mail2k.ru>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 12c641758753bf143b50fb94039e2b0305681c9e
Author: Thomas Braun <thomas.braun@byte-physics.de>
Date:   Tue Mar 31 15:45:02 2026 +0000

    runtime(sshconfig): Add missing kex algorithm
    
    These are available already with openssh 10.2p1.
    
    closes: #19864
    
    Signed-off-by: Thomas Braun <thomas.braun@byte-physics.de>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 374f06ffd8b890809289911334d8f0b0b15603bc
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Mar 31 15:38:30 2026 +0000

    runtime(racket): Use shellescape() to harden the K mapping
    
    fyi: @benknoble
    
    Co-authored-by: Michał Majchrowicz <mmajchrowicz@afine.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b5efce0765713c3a7f3ecf3beead22ee4d120c78
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Tue Mar 31 15:20:08 2026 +0000

    Fix a few typos in tests
    
    closes: #19871
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e551e71d7e47c233d55272162bc3e9160bc9d102
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Mar 31 15:04:48 2026 +0000

    runtime(tera): use fnameescape() when loading separate syntax files
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 70afdfc12738cea3b6b6832811e88ef9344e88a8
Author: RestorerZ <restorer@mail2k.ru>
Date:   Mon Mar 30 10:32:10 2026 +0000

    translation(ru): updated translations
    
    closes: #19868
    
    Signed-off-by: RestorerZ <restorer@mail2k.ru>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 068c0604c95e76f0f98984f908747deba94ed155
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Mar 30 10:18:35 2026 +0000

    runtime(rustfmt): not correctly escaping directory names
    
    Problem:  runtime(rustfmt): not correctly escaping directory names
    Solution: Use fnamescape() (Michał Majchrowicz)
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 91900b9a5cd3b6a933a868f4d0db3c8c01fa272f
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Mar 30 10:15:19 2026 +0000

    runtime(vimgoto): Not correctly escaping the filanems
    
    Problem:  runtime(vimgoto): not correctly escaping the filenames
    Solution: Use fnamescape() (Michał Majchrowicz)
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit aa5c9310f51400643c82f5ce41b1070f362a44f1
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Mar 30 10:12:03 2026 +0000

    runtime(typeset): Use fnameescape() for the :lcd command
    
    Problem:  runtime(typeset) does not escape the detected directory
    Solution: Use fnameescape() (Michał Majchrowicz)
    
    fyi @lifepillar
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 84a8ee4353142f0eb9b66f70773cad886f5b97a8
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Mar 30 09:58:07 2026 +0000

    runtime(context): use fnameescape() for the Log command
    
    Problem:  runtime(context) does not escape the detected log file
    Solution: Use fnameescape() (Michał Majchrowicz)
    
    fyi @lifepillar
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 664701eb7576edb7c7c7d9f2d600815ec1f43459
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Mar 30 08:20:43 2026 +0000

    patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline
    
    Problem:  'tabpanel' can be set in a modeline
    Solution: Set the P_MLE flag for the 'tabpanel' option, disable
              autocmd_add()/autocomd_delete() functions in restricted/secure
              mode.
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3c0f8000e152ceb02619249f5ebf06d6ffe9c8d8
Author: Koda Reef <kodareef5@gmail.com>
Date:   Sun Mar 29 15:19:49 2026 +0000

    patch 9.2.0271: buffer underflow in vim_fgets()
    
    Problem:  buffer underflow in vim_fgets()
    Solution: Ensure size is always greater than 1
              (Koda Reef)
    
    Signed-off-by: Koda Reef <kodareef5@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 211ceea602f30b2c075737a36cccc4eea5967349
Author: Paul Ollis <paul@cleversheep.org>
Date:   Sun Mar 29 14:21:11 2026 +0000

    patch 9.2.0270: test: trailing spaces used in tests
    
    Problem:  test: trailing spaces used in tests
    Solution: Rewrite tests to avoid trailing spaces (Paul Ollis).
    
    Some tests currently rely on trailing whitespace at the end of lines,
    escaped with '\'. I have demonstrated in another PR, such spaces can be
    inadvertently removed and this is difficult to spot.
    
    Note: there are more trailing spaces in a few more test files, see
    testdir/test_codestyle.vim. Those are not yet removed.
    
    closes: #19838
    
    Signed-off-by: Paul Ollis <paul@cleversheep.org>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b8a653a377337637cc63927b0d168f94d19fd787
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun Mar 29 14:00:51 2026 +0000

    patch 9.2.0269: configure: Link error on Solaris
    
    Problem:  configure: Link error on Solaris
              (idgn23, after v9.2.0153)
    Solution: Move the check for the nsl library a bit earlier,
              regenerate configure
    
    fixes: #19803
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 83a86139af5252df8d2c6d3b491fb9ead6500d1a
Author: James McCoy <jamessan@debian.org>
Date:   Sat Mar 21 11:04:24 2026 -0400

    Add changelog entry for 'mammempattern' / E363 error with Python highlighting
    
    Signed-off-by: James McCoy <jamessan@debian.org>
    
    #1127816 was closed in 9.2.0218-1, but I forgot to add the corresponding changelog entry.

commit f29aee195a9d839db91d53daf66d6d5a176b888f
Author: James McCoy <jamessan@debian.org>
Date:   Sat Mar 21 07:38:45 2026 -0400

    release package vim version 2:9.2.0218-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 03b39a8da4238d0db57aa242a9c936c5da9e2f81
Author: James McCoy <jamessan@debian.org>
Date:   Fri Mar 20 19:57:04 2026 -0400

    Bump version to 9.2.0218
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e8bfe5d2601a087c02f47d1da72fd2372934d801
Merge: 5c38cf220 60edf94c4
Author: James McCoy <jamessan@debian.org>
Date:   Fri Mar 20 19:53:20 2026 -0400

    Merge tag 'v9.2.0218' into debian/sid
    
    v9.2.0218

commit 60edf94c4e6b1c6359c52b45278c24ed709a8273
Author: Shane Harper <shane@shaneharper.net>
Date:   Fri Mar 20 23:12:33 2026 +0000

    patch 9.2.0218: visual selection highlighting in X11 GUI is wrong.
    
    Problem:  The check for whether an X connection was opened was incorrect
              (after v9.2.0158).
    Solution: Use X_DISPLAY instead of xterm_dpy (Shane Harper)
    
    Note: xterm_dpy would be NULL if Vim was started in GUI mode.
    
    Previously, starting two instances of gvim that use GTK3 with:
    GDK_BACKEND=x11 gvim and making a visual selection in both would leave
    both selections highlighted with the Visual highlight group. Now, when
    the second selection is made the first selection will be highlighted
    with VisualNOS.
    
    closes: #19752
    
    Signed-off-by: Shane Harper <shane@shaneharper.net>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 68f9dedba46b4e6625459d94342a2e2c7f5b17b7
Author: Jamie Shorten <jamie@jamieshorten.com>
Date:   Fri Mar 20 23:03:10 2026 +0000

    patch 9.2.0217: filetype: cto files are not recognized
    
    Problem:  filetype: cto files are not recognized
    Solution: Detect *.cto as concerto filetype (Jamie Shorten)
    
    Add filetype detection for the Concerto Modelling Language. Concerto
    is a schema language by the Accord Project for defining data models
    used in smart legal contracts and business networks.
    
    Reference:
    Language spec: https://concerto.accordproject.org
    Tree-sitter grammar: https://github.com/accordproject/concerto-tree-sitter
    
    closes: #19760
    
    Signed-off-by: Jamie Shorten <jamie@jamieshorten.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b3d8a0f34908c4c4fbcea7703019079ed767ebbd
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri Mar 20 22:51:30 2026 +0000

    patch 9.2.0216: MS-Windows: Rendering artifacts with DirectX
    
    Problem:  MS-Windows: Rendering artifacts with DirectX
              (Alexander Zhura)
    Solution: Force redraw (Yasuhiro Matsumoto)
    
    DirectWrite subpixel rendering (especially with CFF/OTF fonts) can
    extend glyph pixels beyond cell boundaries.  Vim already handles the
    forward direction (redraw the next character when the current one
    changes) for MS-Windows antialiasing, but the backward direction was
    missing.
    
    Add gui.directx_enabled flag accessible from screen.c and extend the
    existing spill-over handling to:
    - Redraw the current character when the previous one changed (backward)
    - Force redraw of the next character in screen_puts_len() and
      screen_fill() paths
    
    fixes:  #19586
    closes: #19761
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 890d5fd1387ef6223c2894676f95bf800bca0d65
Author: Muraoka Taro <koron.kaoriya@gmail.com>
Date:   Fri Mar 20 22:42:02 2026 +0000

    patch 9.2.0215: MS-Windows: several tests fail in the Windows CUI.
    
    Problem:  The Windows CUI actively buffers transmissions to terms. Patch
              0200 changed the timing of DECRQM transmissions, and
              out_flush() is no longer called after transmission. Therefore,
              actual term initialization does not occur until the buffer is
              flushed, causing the following tests to fail:
                - test_autocmd.vim - Test_Changed_FirstTime()
                - test_mapping.vim - Test_error_in_map_expr()
                - test_messages.vim - Test_mode_message_at_leaving_insert_with_esc_mapped()
                - test_search.vim - Test_search_cmdline_incsearch_highlight_attr()
    
                The failures since version 200 can be confirmed in the following CI jobs.
                - 9.2.0200 https://github.com/vim/vim/actions/runs/23312934497
                    - https://github.com/vim/vim/actions/runs/23312934497/job/67804736843
                    - https://github.com/vim/vim/actions/runs/23312934497/job/67804736752
                    - https://github.com/vim/vim/actions/runs/23312934497/job/67804736735
                - 9.2.0199 https://github.com/vim/vim/actions/runs/23311871938
                    - The above test can be confirmed to be successful.
    Solution: After sending DECRQM in send_decrqm_modes(), explicitly call
              out_flush() to ensure terminal initialization (Muraoka Taro).
    
    closes: #19764
    
    Signed-off-by: Muraoka Taro <koron.kaoriya@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2b7b745bb5bc16c189e21003315bc5525e339ae3
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri Mar 20 22:34:11 2026 +0000

    patch 9.2.0214: tests: Test_gui_system_term_scroll() is flaky
    
    Problem:  tests: Test_gui_system_term_scroll() is flaky
              (after: v9.2.0208)
    Solution: Fix test (Yasuhiro Matsumoto)
    
    Remove timer-based screen check and use a simple command instead
    of ping.  The timer could fire before ConPTY initialization was
    complete, causing screenstring() to return an empty string.
    
    Check screenstring() directly after the command finishes instead.
    
    related: #19735
    closes:  #19765
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b1a247d659f4e1049771f2735bc0b0a36cb19323
Author: Shane Harper <shane@shaneharper.net>
Date:   Fri Mar 20 22:26:59 2026 +0000

    patch 9.2.0213: Crash when using a partial or lambda as a clipboard provider
    
    Problem:  Crash when using a partial or lambda as a clipboard provider
    Solution: Don't call free_callback() from clip_provider_get_callback()
              (Shane Harper).
    
    closes: #19766
    
    Signed-off-by: Shane Harper <shane@shaneharper.net>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3ee2b76ba1c4f263a5f161da740cedbd3747a35a
Author: Mao-Yining <mao.yining@outlook.com>
Date:   Fri Mar 20 22:06:58 2026 +0000

    patch 9.2.0212: MS-Windows: version packing may overflow
    
    Problem:  MS-Windows: version packing may overflow (after v9.2.0206)
    Solution: Explicitly clamp the version components using min()
              (Mao-Yining).
    
    The version components (major, minor, build) from RtlGetVersion are now
    clamped to their maximum bit widths (8 bits, 8 bits, 15 bits) before
    being packed into a 32-bit integer. This prevents overflow when storing
    unexpectedly large values.
    
    This fixes a regression introduced in patch 9.2.0206 where the previous
    clamping logic was accidentally removed.
    
    The MAKE_VER macro is simplified by removing bit masks, as clamping is
    now done at the call site, making the macro clearer and reducing
    redundant masking.
    
    closes: #19769
    
    Signed-off-by: Mao-Yining <mao.yining@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c4d2fa018c96975380c705b585c6fe88c2ccf442
Author: Mao-Yining <mao.yining@outlook.com>
Date:   Fri Mar 20 22:00:08 2026 +0000

    translation(zh): Update the Simplify Chinese translation
    
    closes: #19771
    
    Signed-off-by: Mao-Yining <mao.yining@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b3dba929cbf088873a252c9ab508a6e3c46834e7
Author: Mao-Yining <mao.yining@outlook.com>
Date:   Fri Mar 20 21:59:11 2026 +0000

    translation: align sponsor menu string spacing
    
    Normalize white space in the "menu Help->Sponsor" message across all
    translation files and the version.c intro handler. This ensures
    consistent column alignment when displayed in the user interface.
    
    related: #19771
    
    Signed-off-by: Mao-Yining <mao.yining@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 88cded7ac007981dcab8505d9271c8e9048ab411
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Fri Mar 20 21:45:13 2026 +0000

    patch 9.2.0211: possible crash when setting 'winhighlight'
    
    Problem:  possible crash when setting 'winhighlight'
    Solution: Validate the option value more carefully (Foxe Chen)
    
    closes: #19774
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ce4fbda99285c991df3c1f26e248c88bc938ba9e
Author: Phạm Bình An <phambinhanctb2004@gmail.com>
Date:   Fri Mar 20 21:29:57 2026 +0000

    runtime(fish): Add matchit support to filetype plugin
    
    closes: #19701
    
    Co-authored-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Phạm Bình An <phambinhanctb2004@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 076404ae41c61c7a34ee56a12c9d2dc0c059e959
Author: Muraoka Taro <koron.kaoriya@gmail.com>
Date:   Fri Mar 20 21:19:03 2026 +0000

    patch 9.2.0210: tests: Test_xxd tests are failing
    
    Problem:  tests: Test_xxd tests are failing, after changing the xxd
              manpage (after v9.2.0205)
    Solution: Update the manpage, shorten the date and update the example,
              regenerate the expected test output, skip the first 30 bytes
              for the one of the xxd tests (Muraoka Taro)
    
    Some of the Test_xxd tests depend on the contents of xxd.1. The patch
    9.2.0205 changed xxd.1, but the test fixes were insufficient. The test
    that dumps the beginning of xxd.1 and the test that reads 13 bytes
    starting from byte 0x33 from the beginning were failing.
    
    closes: #19763
    
    Co-authored-by: James McCoy <jamessan@debian.org>
    Signed-off-by: Muraoka Taro <koron.kaoriya@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 5c38cf22042b33fd6cd41e7022ab528ca4584b61
Author: James McCoy <jamessan@debian.org>
Date:   Fri Mar 20 06:57:23 2026 -0400

    Bump version to 9.2.0209
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 2898e24e1c5f43c3f6d7377b4eee2afeaee6991e
Merge: f0fde1ba0 332dd22ed
Author: James McCoy <jamessan@debian.org>
Date:   Fri Mar 20 06:54:18 2026 -0400

    Merge tag 'v9.2.0209' into debian/sid
    
    v9.2.0209

commit c9e5aeff354439e1bd01f13c1629635580de516d
Author: Antonio Giovanni Colombo <azc100@gmail.com>
Date:   Thu Mar 19 22:12:44 2026 +0000

    runtime(doc): Update Italian xxd manpage
    
    Signed-off-by: Antonio Giovanni Colombo <azc100@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 332dd22ed48244d67524933453049c6c866bcabf
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu Mar 19 21:59:45 2026 +0000

    patch 9.2.0209: freeze during wildmenu completion
    
    Problem:  Vim may freeze if setcmdline() is called while the wildmenu or
              cmdline popup menu is active (rendcrx)
    Solution: Cleanup completion state if cmdbuff_replaced flag has been set
              (Yasuhiro Matsumoto)
    
    fixes:  #19742
    closes: #19744
    
    Co-authored-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 67ae763557122ad957d68e8dca2a1b12688e2572
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu Mar 19 21:48:57 2026 +0000

    patch 9.2.0208: MS-Windows: excessive scroll-behaviour with go+=!
    
    Problem:  MS-Windows: excessive scroll-behaviour with go+=! after
              switching to ConPTY as default (after v9.2.0048).
    Solution: Use tl_cursor_pos to determine the number of lines to scroll
              (Yasuhiro Matsumoto).
    
    Since patch 9.2.0048 (71cc1b12) made ConPTY the default on Windows 11,
    running :!cmd with guioptions+=! scrolls up the entire window height
    instead of only the output lines.
    
    ConPTY damages all terminal rows on initialization even when they are
    empty, which causes tl_dirty_row_end to equal Rows.  The scroll-up loop
    in update_system_term() then scrolls the full screen because
    (Rows - tl_toprow) < tl_dirty_row_end is always true until tl_toprow
    reaches 0.
    
    Use the cursor position instead of tl_dirty_row_end for the scroll
    calculation, since it reflects where actual content has been written.
    
    The scroll bug only occurs with ConPTY.  With winpty the terminal
    finishes too quickly for the timer-based screen check to work.
    
    closes: #19735
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6391a38e5e88ac97f2d39fdcb35392b8eed67bc4
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu Mar 19 21:40:25 2026 +0000

    patch 9.2.0207: MS-Windows: freeze on second :hardcopy
    
    Problem:  MS-Windows: freeze on second :hardcopy
              (antoniopaolini)
    Solution: Enable PrintHookProc in GUI mode to ensure the print dialog is
              brought to the foreground (Yasuhiro Matsumoto).
    
    Enable PrintHookProc for GUI mode so that the print dialog is brought
    to the foreground via BringWindowToTop/SetForegroundWindow.  Without
    the hook, the second PrintDlgW() modal dialog appears behind gvim due
    to Windows foreground lock timeout, making gvim unresponsive.
    
    Also add NULL checks for hDlgPrint in SendMessage calls.
    
    fixes:  #19715
    closes: #19754
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f445ed0d56389d6f2ace5af9df73a3b8070e87a4
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu Mar 19 21:31:34 2026 +0000

    patch 9.2.0206: MS-Window: stripping all CSI sequences
    
    Problem:  MS-Window: stripping all CSI sequences
              (Ke Mao, after v9.2.0184)
    Solution: Restore vtp_printf() to pass-through DECSUSR codes
              (Yasuhiro Matsumoto).
    
    Patch 9.2.0184 discards all CSI sequences in mch_write() when VTP is
    active to prevent unwanted DECRQM responses.  However, this also
    removed the existing DECSCUSR pass-through, breaking cursor shape
    changes (t_SI/t_SR/t_EI) on Windows Terminal.
    
    Restore vtp_printf() pass-through for DECSCUSR (final byte 'q') while
    continuing to discard other CSI sequences.
    
    related: #19694
    related: #11532
    fixes:   #19750
    closes:  #19755
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit a907a7f73be9091708a5192a005f365a160856c4
Author: Christian Brabandt <cb@256bit.org>
Date:   Thu Mar 19 21:26:50 2026 +0000

    runtime(doc): disable color codes when generating ascii man pages in Makefile
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4d262b4952754f9e14ccf699e26a27dd37435e1a
Author: Lukáš Jiřiště <kyci@ljiriste.work>
Date:   Thu Mar 19 20:33:18 2026 +0000

    patch 9.2.0205: xxd: Cannot NUL terminate the C include file style
    
    Problem:  xxd: Cannot NUL terminate the C include file style
    Solution: Add option -t to end output with terminating null
              (Lukáš Jiřiště).
    
    fixes:  #14409
    closes: #19745
    
    Signed-off-by: Lukáš Jiřiště <kyci@ljiriste.work>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 53884ba7a8fb22de006689a6feb88fb8f0bd7db9
Author: Guillaume Barbier <barbier.guillaume60@gmail.com>
Date:   Thu Mar 19 20:24:40 2026 +0000

    patch 9.2.0204: filetype: cps files are not recognized
    
    Problem:  filetype: cps files are not recognized
    Solution: Detect *.cps files as json filetype (Guillaume Barbier).
    
    Reference:
    https://github.com/cps-org/cps
    https://cps-org.github.io/cps/
    
    closes: #19758
    
    Signed-off-by: Guillaume Barbier <barbier.guillaume60@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d2dc9a4f37b0a828b2d044fb8e5dddb70efdd57a
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Thu Mar 19 20:19:07 2026 +0000

    patch 9.2.0203: Patch v9.2.0185 was wrong
    
    Problem:  Patch v9.2.0185 was wrong
    Solution: Revert patch v9.2.0185, root cause fixed in v9.2.0197
              (Hirohito Higashi).
    
    related: #19730
    related: #19734
    closes:  #19749
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 645ed6597d1ea896c712cd7ddbb6edee79577e9a
Author: pyllyukko <pyllyukko@maimed.org>
Date:   Thu Mar 19 19:58:05 2026 +0000

    patch 9.2.0202: [security]: command injection via newline in glob()
    
    Problem:  The glob() function on Unix-like systems does not escape
              newline characters when expanding wildcards. A maliciously
              crafted string containing '\n' can be used as a command
              separator to execute arbitrary shell commands via
              mch_expand_wildcards(). This depends on the user's 'shell'
              setting.
    Solution: Add the newline character ('\n') to the SHELL_SPECIAL
              definition to ensure it is properly escaped before being
              passed to the shell (pyllyukko).
    
    closes: #19746
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
    
    Signed-off-by: pyllyukko <pyllyukko@maimed.org>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cc8798e71982de485cf00b2630d01285ca045008
Author: Furkan Sahin <furkan-dev@proton.me>
Date:   Thu Mar 19 19:28:39 2026 +0000

    patch 9.2.0201: filetype: Wireguard config files not recognized
    
    Problem:  filetype: Wireguard config files not recognized
    Solution: Detect /etc/wireguard/*.conf files as dosini filetype
              (Furkan Sahin).
    
    closes: #19751
    
    Signed-off-by: Furkan Sahin <furkan-dev@proton.me>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1da42ee2710c7d3413e0656cbbc9067f23390615
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Thu Mar 19 19:10:32 2026 +0000

    patch 9.2.0200: term: DECRQM codes are sent too early
    
    Problem:  term: DECRQM codes are sent too early, the resulting DECRPM
              responses can arrive after Vim has already exited, leaking
              into the shell's input buffer (Christian Brabandt).
    Solution: Only send DECRQM codes once termcap_active is set
              (Foxe Chen).
    
    related: #19660
    fixes:   #19660#issuecomment-4085448070
    closes:  #19748
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ecf90b92f1175c6185d135847bd0959fe2ff8f97
Author: ichizok <gclient.gaap@gmail.com>
Date:   Thu Mar 19 19:03:40 2026 +0000

    CI: make dependabot monitor `.github/actions` directory
    
    and also set `cooldown`, `groups`
    
    related: #19747
    closes:  #19756
    
    Signed-off-by: Ozaki Kiichi <gclient.gaap@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7aca0e14de61b4d62b2a7f847964acdbf405bdae
Author: Christian Brabandt <cb@256bit.org>
Date:   Thu Mar 19 18:54:09 2026 +0000

    patch 9.2.0199: tests: test_startup.vim fails
    
    Problem:  tests: test_startup.vim fails, because the command line is
              getting too long so that the shell prompt line get shifted by one
              additional screen line down (after v9.2.0194).
    Solution: Partly revert Patch v9.2.0194 and do not set termresize and
              termsync options.
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2f5fe8827e38eae8f5289a164afae442454893f6
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Mar 18 21:27:38 2026 +0000

    patch 9.2.0198: cscope: can escape from restricted mode
    
    Problem:  cscope: can escape from restricted mode (pyllyukko)
    Solution: Disallow :cscope in restricted mode (like :grep),
              add a tests for restricted mode using :grep and :cscope
    
    closes: #19731
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit faad250544dc372f5def36f33072cea9f26248bd
Author: Barrett Ruth <br.barrettruth@gmail.com>
Date:   Wed Mar 18 21:22:46 2026 +0000

    runtime(doc): Fix typo in if_pyth.txt
    
    closes: #19733
    
    Signed-off-by: Barrett Ruth <br.barrettruth@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit a4cf8124628342ef4dd09db894823ff907542695
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Wed Mar 18 21:16:14 2026 +0000

    patch 9.2.0197: tabpanel: frame width not updated for existing tab pages
    
    Problem:  When 'showtabpanel' is set before any window exists (e.g. via
              --cmd) and multiple tab pages are opened with -p, the tabpanel
              appears when the second tab page is created.  At that point
              shell_new_columns() only updates the current (new) tab page's
              frame width; existing tab pages retain the wrong width.
    Solution: After calling shell_new_columns() in win_new_tabpage(), iterate
              all other tab pages and update their frame widths with
              frame_new_width() (Hirohito Higashi).
    
    related: #19730
    closes:  #19734
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 39ee7d17b9dec0a83eaa500f8a6f9c9d1b076bcf
Author: Thomas Dupuy <thom4s.d@gmail.com>
Date:   Wed Mar 18 21:13:12 2026 +0000

    runtime(yara): add ftplugin for yara filetype
    
    Add a minimal ftplugin `runtime/ftplugin/yara.vim` that sets:
    - `commentstring` for YARA line comments (`//`)
    - `comments` for YARA block comment (`/* */`)
    - `formatoptions` to wrap comment lines and continue comment after newlines
    This was heavily inspired from `runtime/ftplugin/c.vim`
    
    closes: #19736
    
    Signed-off-by: Thomas Dupuy <thom4s.d@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0c109e4e6083df328f5fa8511ef0a936e934d310
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Wed Mar 18 21:03:17 2026 +0000

    patch 9.2.0196: textprop: negative IDs and can cause a crash
    
    Problem:  textprop: negative IDs and can cause a crash without "text"
              (Paul Ollis)
    Solution: Strictly reserve negative IDs for virtual text, ignore "id"
              when "text" is provided in prop_add() (Hirohito Higashi).
    
    When prop_add() was called with a negative id and no "text", the
    property was stored with a negative tp_id.  A subsequent call to
    prop_list() or screen redraw would then treat it as a virtual text
    property and dereference b_textprop_text.ga_data, which is NULL when
    no virtual text properties exist.
    
    Negative ids are reserved for virtual text properties, so always
    reject them with E1293 regardless of whether virtual text properties
    exist.  Also, when "text" is specified any user-provided id is now
    silently ignored and an internal negative id is assigned.
    
    Remove the now-unnecessary did_use_negative_pop_id flag and E1339.
    Update E1293's message and the documentation accordingly.
    
    related: #19684
    closes:  #19741
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2b70de167e3d2e14a5a0b03cfd61c6c8bfb9a7c1
Author: ichizok <gclient.gaap@gmail.com>
Date:   Wed Mar 18 20:57:15 2026 +0000

    CI: bump actions/upload-artifact to v7
    
    closes: #19747
    
    Signed-off-by: Ozaki Kiichi <gclient.gaap@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e5df6e8d422a751c237f84767c3f3bab2527791c
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Mar 18 20:47:45 2026 +0000

    patch 9.2.0195: CI: test-suite gets killed for taking too long
    
    Problem:  test_codestyle.vim takes too much time and takes more than
              90s, this contributes to the overall time for all runners and
    Solution: Create a dedicated 'make codestyle' target in the testdir
              Makefiles. Remove test_codestyle from the main test list.
              Update GitHub CI to run this check as a separate step
              in the 'normal' features build.
              Increase CI timeout to 45 minutes.
    
    fixes: #19740
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 32e453d3395803cb9aa1643f272061e101fdc990
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Mar 18 20:42:22 2026 +0000

    patch 9.2.0194: tests: test_startup.vim leaves temp.txt around
    
    Problem:  tests: test_startup.vim leaves temp.txt around
    Solution: Disable termresize and termsync explicitly to stop outputting
              DEC mode chars, delete all chars before the rm command
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f0fde1ba06b87760076609117239ed300c65c304
Author: James McCoy <jamessan@debian.org>
Date:   Tue Mar 17 21:41:36 2026 -0400

    Refresh patches
    
    Gbp-Dch: ignore
    Signed-off-by: James McCoy <jamessan@debian.org>

commit c6d86f109906805a0303800e57351052e621d83f
Author: James McCoy <jamessan@debian.org>
Date:   Tue Mar 17 21:40:14 2026 -0400

    Start changelog for v9.2.0192
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 28dd976c86bf9a235aa53cb44a6261a272038d3c
Merge: 748fe30d3 c4d212257
Author: James McCoy <jamessan@debian.org>
Date:   Tue Mar 17 21:35:23 2026 -0400

    Merge tag 'v9.2.0192' into debian/sid
    
    v9.2.0192

commit c4d212257d61f5c2a9cd919486288c747aaaa05d
Author: AstroSnail <astrosnail@protonmail.com>
Date:   Tue Mar 17 21:24:43 2026 +0000

    patch 9.2.0192: not correctly recognizing raw key codes
    
    Problem:  When "k" is excluded from cpoptions, vim should be able to
              recognize raw key codes in mappings and replace them with
              builtin codes (e.g. ^[OA is replaced with <Up>) so that
              changing the builtin code also changes the mapping to match.
              Currently, this only works properly if the builtin code does
              not contain modifiers (e.g. @;*).
    Solution: Teach find_term_bykeys how to recognize keys with modifiers
              (AstroSnail).
    
    fixes:  #19182
    closes: #19643
    
    Signed-off-by: AstroSnail <astrosnail@protonmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d41cd5dce46d822ebd911eca6bcc333e0da388d8
Author: TomIO <tom@termux.dev>
Date:   Tue Mar 17 21:08:44 2026 +0000

    patch 9.2.0191: Not possible to know if Vim was compiled with Android support
    
    Problem:  The "android" and "termux" feature flags have been shipped in
              Termux's downstream vim / vim-gtk package for 5+ years but were
              never properly documented in the downstream patch.
    Solution: Upstream the "android" and "termux" feature flags into Vim as
              decoupled feature flags, this enables the "android" feature in
              particular to be available independently of the "termux"
              feature for builds of Vim against the Android NDK, but not
              including the Termux NDK patchset.
    
    closes: #19623
    
    Co-authored-by: Lethal Lisa <43791059+lethal-lisa@users.noreply.github.com>
    Co-authored-by: shadmansaleh <13149513+shadmansaleh@users.noreply.github.com>
    Signed-off-by: TomIO <tom@termux.dev>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1f4cd5fb52c5f07b2e6bc329f9a5f743e648c7b3
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Tue Mar 17 21:00:45 2026 +0000

    patch 9.2.0190: Status line height mismatch in vertical splits
    
    Problem:  When 'laststatus' changes, the status line can become
              misaligned.
    Solution: Update last_status_rec() to calculate the maximum status line
              height required across all windows in a vertical row.
    
    closes: #19688
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 019c53b37f1b2cf16825cc6f1fa38c25a6f7a9bd
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Tue Mar 17 20:51:22 2026 +0000

    patch 9.2.0189: MS-Windows: opacity popups flicker during redraw in the console
    
    Problem:  When using transparent popups in the Win32 console, redrawing
              background windows causes flickering. This happens because
              the background is drawn opaquely before the popup blends
              and draws on top.
    Solution: Implement a Z-index mask  to suppress screen_char() output for
              cells covered by an opacity popup. Disable the Clear-to-EOL
              (T_CE) optimization for lines overlapping these popups to
              prevent accidental erasure (Yasuhiro Matsumoto).
    
    closes: #19697
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 15a96a04ad283eee883b5629208d1e73d37a1ca4
Author: pyllyukko <pyllyukko@maimed.org>
Date:   Tue Mar 17 20:15:44 2026 +0000

    patch 9.2.0188: Can set environment variables in restricted mode
    
    Problem:  Can set environment variables in restricted mode
    Solution: Disallow setting environment variables using legacy Vim script
              (pyllyukko).
    
    related: #13394
    related: #19705
    closes:  #19704
    
    Signed-off-by: pyllyukko <pyllyukko@maimed.org>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6238ee9f8945b9f62733ca050e99c1ce1cd18666
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Tue Mar 17 19:37:02 2026 +0000

    patch 9.2.0187: MS-Windows: rendering artifacts with DirectX renderer
    
    Problem:  MS-Windows: rendering artifacts with DirectX renderer
    Solution: Enable ETO_CLIPPED for DirectWrite rendering in
              gui_mch_draw_string() to ensure glyphs stay within their
              cell boundaries (Yasuhiro Matsumoto).
    
    closes: #19711
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f9bed026acb6e9222d93098f4cb96b2595fadbbe
Author: Kaixuan Li <kaixuanli0131@gmail.com>
Date:   Tue Mar 17 19:07:53 2026 +0000

    patch 9.2.0186: heap buffer overflow with long generic function name
    
    Problem:   Using a long generic function name may cause a heap buffer
               overflow in common_function().
    Solution:  Allocate memory for the full name instead of using IObuff
               (Kaixuan Li).
    
    closes: #19727
    
    Signed-off-by: Kaixuan Li <kaixuanli0131@gmail.com>
    Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

Created: 2026-04-29 Last update: 2026-04-29 15:31

lintian reports 11 warnings normal

Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-17 Last update: 2026-04-17 03:01

AppStream hints: 2 warnings normal

AppStream found metadata issues for packages:

vim-common: 1 warning
vim-gui-common: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2020-06-01 Last update: 2020-06-01 01:13

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 2:9.2.0355-1 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-16 18:03

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2023-09-13 08:27

testing migrations

This package is part of the ongoing testing transition known as auto-libsodium. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-04-22] vim 2:9.2.0355-1 MIGRATED to testing (Debian testing watch)
[2026-04-16] Accepted vim 2:9.2.0355-1 (source) into unstable (James McCoy)
[2026-04-12] Accepted vim 2:9.2.0338-1 (source) into unstable (James McCoy)
[2026-04-07] Accepted vim 2:9.2.0315-1 (source) into unstable (James McCoy)
[2026-03-26] vim 2:9.2.0218-1 MIGRATED to testing (Debian testing watch)
[2026-03-21] Accepted vim 2:9.2.0218-1 (source) into unstable (James McCoy)
[2026-03-11] Accepted vim 2:9.2.0136-1 (source) into unstable (James McCoy)
[2026-03-09] Accepted vim 2:9.2.0119-1 (source) into unstable (James McCoy)
[2026-02-20] vim 2:9.1.2141-1 MIGRATED to testing (Debian testing watch)
[2026-02-09] Accepted vim 2:9.1.2141-1 (source) into unstable (James McCoy)
[2026-01-25] vim 2:9.1.2103-1 MIGRATED to testing (Debian testing watch)
[2026-01-23] Accepted vim 2:9.1.2103-1 (source) into unstable (James McCoy)
[2025-11-11] vim 2:9.1.1882-1 MIGRATED to testing (Debian testing watch)
[2025-10-28] Accepted vim 2:9.1.1882-1 (source) into unstable (James McCoy)
[2025-10-10] Accepted vim 2:9.1.1846-1 (source) into unstable (James McCoy)
[2025-10-06] Accepted vim 2:9.1.1829-1 (source) into unstable (James McCoy)
[2025-09-24] Accepted vim 2:9.1.1766-1 (source) into experimental (James McCoy)
[2025-05-28] vim 2:9.1.1230-2 MIGRATED to testing (Debian testing watch)
[2025-05-23] Accepted vim 2:9.1.1230-2 (source) into unstable (James McCoy)
[2025-05-16] Accepted vim 2:9.1.1385-1 (source) into experimental (James McCoy)
[2025-03-30] Accepted vim 2:8.2.2434-3+deb11u3 (source) into oldstable-security (Sean Whitton)
[2025-03-30] Accepted vim 2:8.2.2434-3+deb11u2 (source) into oldstable-security (Sean Whitton)
[2025-03-27] vim 2:9.1.1230-1 MIGRATED to testing (Debian testing watch)
[2025-03-25] Accepted vim 2:9.1.1230-1 (source) into unstable (James McCoy)
[2025-02-18] vim 2:9.1.1113-1 MIGRATED to testing (Debian testing watch)
[2025-02-16] Accepted vim 2:9.0.1378-2+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Sean Whitton)
[2025-02-16] Accepted vim 2:9.1.1113-1 (source) into unstable (James McCoy)
[2025-02-01] Accepted vim 2:9.0.1378-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sean Whitton)
[2025-01-13] vim 2:9.1.0967-2 MIGRATED to testing (Debian testing watch)
[2025-01-10] Accepted vim 2:9.1.0967-2 (source) into unstable (James McCoy)

bugs [bug history graph]

all: 103
RC: 0
I&N: 49
M&W: 54
F&P: 0
patch: 17

links

homepage
lintian (0, 11)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
l10n (-, 100)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:9.1.2141-1ubuntu4
144 bugs (5 patches)
patches for 2:9.1.2141-1ubuntu4