open-vm-tools: update to 12.0.5

From the release notes, resolved issues:

* glibc 2.35 and GCC 11 & 12 reporting possible array bounds overflow -
  bora/lib/asyncsocket/asyncksocket.c: AsyncTCPSocketPollWork()
* ContainerInfo Plugin: compilation warnings with a newer version of GCC

(khorben)

libnbcompat: sort the README file by most recent test first

While there, replace e-mail addresses of former developers by
pkgsrc-users@; otherwise NFCI.

Bumps PKGREVISION.

Tested on NetBSD/amd64.

(khorben)

Updated sysutils/ansible-lint, textproc/py-markdown2

(adam)

py-markdown2: updated to 2.4.8

python-markdown2 2.4.8

* Fix images not being procesed correctly

python-markdown2 2.4.7

* Fix hashing nested HTML blocks
* Fix backslash being unable to escape raw HTML tags
* Add support for telegram spoiler in extras
* mermaid support
* Fix escaping ampersands in hrefs
* Fix indented codeblocks inside fences
* Remove code-color extra

python-markdown2 2.4.6

* Feature wavedrom support
* Fix mixing ordered and un-ordered lists combining into single list type

python-markdown2 2.4.5

* Add optional dependencies to setup.py

python-markdown2 2.4.4

* Fix TypeError if html-classes extra is None
* Remove Python2 support
* Replace <strike> with <s> in strike extra
* Fix link patterns extra applying within links
* create proper entry point
* Codespans inside link text issue344
* Underline and HTML comments
* Links with brackets
* Fix emacs local variable one-liners
* Example of the current mixed-paragraph mode behavior in lists
* Fix code block indentation in lists
* Fix filter bypass leading to XSS
* Fix html-classes extra not applying to code spans
* Fix pygments block matching
* Fix pyshell blocks in blockquotes
* Fix multilevel lists
* Remove _uniform_outdent_limit function
* Add support for ordered lists that don't start at 1.
* Fix AssertionError with lazy numbered lists
* Add <ul> and <ol> tags to html-classes extra
* XSS test and fix

python-markdown2 2.4.3

* Fix meta indentation
* Fix code surrounded by blank lines inside blockquote fenced code blocks
* Fix inline code pipe symbol within tables
* Fix code block parsing error
* Fix hr block created when not supposed to
* Fix backslashes removed by adjacent code blocks
* Fix md5-* in resulting HTML when several code blocks follow one by one
* Fix excessive <br> tags in lists using break-on-newline extra
* Standardize key and value definitions for metadata extra
* Fix fenced code blocks breaking lists
* Fix catastrophic backtracking (Regex DoS) in pyshell blocks.
* Fix incorrect indentation of fenced code blocks within lists
* RST admonitions
* Improve error message if link_patterns forgotten
* fix compatibility with pygments 2.12

python-markdown2 2.4.2

* Fix for fenced code blocks issue
* Be more strict on auto linking urls, RE DOS fix

python-markdown2 2.4.1

* Tables extra: allow whitespace at the end of the underline row
* Pyshell extra: enable syntax highlighting if fenced-code-blocks is loaded.
* Regex DOS bandaid fix

python-markdown2 2.4.0

* Fixed bug breaking strings elements in metadata lists
* When rendering fenced code blocks, also add the language-LANG class
* Regex DoS fixes

(adam)

ansible-lint: updated to 6.13.1

v6.13.1
Bugfixes

Improve no-changed-when rule
Fix ignore file generation

(adam)

doc: Updated www/caddy to 2.6.4

(bsiegert)

caddy: update to 2.6.4

v2.6.4

This release contains a hotfix for a regression in v2.6.3 related to proxying
chunked requests. We recommend that all users who do so upgrade to v2.6.4.

v2.6.3

This release brings a number of bug fixes and minor features. We recommend that
all users check the release notes/commits, then test and upgrade.

Notable changes:

- New trusted_proxies global option (within servers) can be used to specify
  trusted proxy IP ranges globally. This is important if relying on headers for
  client IP addresses.
- Unix sockets on Windows now supported as proxy upstreams.
- Proxied WebSocket connections are now logged with correct status code and
  "size" (bytes read + bytes written).
- The quic-go package has received significant optimizations, so HTTP/3 should
  be more efficient now.

(bsiegert)

php81: revbump, upstream re-released the tarball.

https://news-web.php.net/php.announce/349
https://github.com/php/php-src/issues/10595

(nikita)

doc: Updated net/yt-dlp to 2023.2.17

(bsiegert)

yt-dlp: update to 2023.02.17

Merge youtube-dl
Fix --concat-playlist
Imply --no-progress when --print
Improve default subtitle language selection
Make title completely non-fatal
Sanitize formats before sorting
Support module level __bool__ and property

Bugfixes in various extractor modules

(bsiegert)

smake: use gm4

(nikita)

doc: Updated www/gotosocial to 0.7.0

(nikita)

gotosocial: update to version 0.7.0

ChangeLog (taken from https://github.com/superseriousbusiness/gotosocial/releases/tag/v0.7.0)

v0.7.0 Stormy Sloth

Hello everyone! After much testing and prodding and poking, we're ready to release v0.7.0 Stormy Sloth into the world!

This is the umpteenth alpha release of GoToSocial (we stopped counting), and it brings a massive amount of new stuff, fixes, and tweaks.

Thank you for your continued support, and enjoy the release!
Release Highlights

    Basic video support (mp4 only). You can finally upload videos, and view videos from remote instances too. Not all mp4 files work, currently -- this is something we'll investigate for next release most likely.
    Support for federating reports in and out of GoToSocial, and viewing reports via the admin settings panel (this feature was sponsored by NLnet).
    Support for webp attachments, avatars, and headers.
    Users can now create, remove, and view status bookmarks!
    Domain blocks now apply on a wildcard basis, so you can block a second level domain (like example.org) and it will apply to subdomains too (like poop.example.org etc).
    HTTP request throttling -- only a certain number of http requests are served at a time now. This should vastly improve responsiveness under load on small instances.
    Much better logic for pruning old avatars + headers, leading to gb of disk space savings.
    So many bug fixes and performance improvements.

Migration notes
Upgrading

To upgrade to 0.7.0 from a previous release:
Binary/tar

    Stop GoToSocial
    Untar the new release, including the web assets and html templates.
    Edit your config.yaml file as necessary (see below).
    Start GoToSocial

Docker

    Stop GoToSocial.
    Pull the new docker container (superseriousbusiness/gotosocial:0.7.0 or superseriousbusiness/gotosocial:latest)
    Start GoToSocial.

config.yaml

The configuration file has changed since the previous release. We recommend copying the new file from example/config.yaml and pasting values into it from your previous config.yaml. You can see a diff of the config file here: v0.6.0...v0.7.0#diff-c071e03510b2c57e193a44503fd9528a785f0f411497cc75841a9f8d0b1ac622
Database migrations

This release contains several database migrations which will run the first time you start up this new version. Be sure not to interrupt this migration process. It will take anywhere between a couple seconds and a couple minutes. Please be patient.
Sqlite format changes

0.7.0 now uses SQLite's WAL journal mode by default. This means there will be some new SQLite related files in your GoToSocial directory:

    sqlite.db-shm
    sqlite.db-wal

When you do SQLite backups, you should back these files up too (you do have backups, right?).

If you use Postgres rather than SQLite, you can ignore this.
Updating from 0.7.0-rc2

0.7.0-rc2 was slightly broken. If you're getting lots of 'not found' errors for avatars and headers, after running 0.7.0-rc2, see here for steps to fix it: #1505

If you skipped over rc2, ignore this :)
Detailed Changelog
Features

    83b522a [feature/Frogend] basic report admin interface (#1424)
    a59dc85 [feature/frogend] (Mastodon) domain block CSV import (#1390)
    382512a [feature] Implement /api/v2/instance endpoint (#1409)
    3283900 [feature] Federate reports to remote instance as Flag (if desired) (#1386)
    08f8fea [feature/frontend] filterable local emoji list (#1385)
    17eecfb [feature] Public list of suspended domains (#1362)
    993aae5 [feature] Accept incoming federated Flag activity (#1382)
    faeb7de [feature] Implement reports admin API so admins can view + close reports (#1378)
    e974724 [feature] Implement /api/v1/reports endpoints on client API (#1330)
    73be244 [feature] Add RSS autodiscovery on profiles that enable RSS (#1373)
    acc333c [feature] Inherit resource limits from cgroups (#1336)
    627b8ee [feature] Tune sqlite pragmas (#1349)
    3512325 [feature] Add local user and post count to nodeinfo responses (#1325)
    d648793 [feature] Implement Report database model and utility functions (#1310)
    90a14ab [feature] HTTP request throttling middleware (#1297)
    1659f75 [feature] For video attachments, store + return fps, bitrate, duration (#1282)
    2bbc64b [feature] Enable basic video support (mp4 only) (#1274)
    d10388c [feature] support Sec-Websocket-Protocol in streaming API (#1254)
    69dd5fe [feature] domain block wildcarding (#1178)
    58c87bd [feature] allow uncaching of other media types (#1234)
    4b8d7bd [feature/frogend] Emoji copy "Steal this look" (#1222)
    cb2b2fd [feature] support configuring database caches (#1246)
    5e060d0 [feature] Start implementing refetch of lost media files via /api/v1/admin/media_refetch (#1221)
    477ae50 [feature] Allow users to create + delete bookbarks, and view bookmarked statuses (#1168)
    199b685 [feature] overhaul the oidc system (#961)
    1a3f26f [feature] media: add webp support (#1155)

Bugfixes

    b599309 [bugfix] Set 'discoverable' properly on API accounts (#1511)
    6ee0dc8 [bugfix] Set cache-control max-age dynamically for s3 (#1510)
    40b584c [bugfix] Fix 410 Gone race on account deletes (#1507)
    b8e1ab3 [bugfix] use woff(2) fonts for Noto Sans (#1509)
    6c6f042 [bugfix] Return empty result rather than 500 error when searching for blocked domains (#1498)
    561ad71 [bugfix] Fix up error getting account avatar/header errors, other small fixes (#1496)
    c223c75 [bugfix] Set appropriate cache-control when using presigned s3 links (#1480)
    e5e257c [bugfix] Fix error on searching for account w/accountDomain by host (#1465)
    52fbb3e [bugfix] fix 'steal this look' form, uncheck entries after processing (#1454)
    4e4da19 [bugfix] Use SignatureCheck middleware for web profile endpoints too (#1451)
    ad6ab03 [bugfix] don't trash emoji in profile fields on edit (#1440)
    ac2bdbb [bugfix] fix file range length calculation being off by 1 (#1448)
    6a6647d [bugfix] Ignore missing files when cleaning up media (#1435)
    75e1b9c [bugfix] fix old password hash staying in cache (#1432)
    80c26d6 [bugfix] Allow instance thumbnail description to be set separately from image (#1417)
    04ac3f8 [bugfix] Fix password change keys (#1416)
    abe9447 [bugfix] fix cache startup (#1414)
    271da01 [bugfix] Read Bookwyrm Articles more thoroughly (#1410)
    d4cddf4 [bugfix] Parse video metadata more accurately; allow Range in fileserver (#1342)
    132c738 [bugfix] Mount bookmarks endpoint correctly (#1338)
    1bda6a2 [bugfix] return early in websocket upgrade handler (#1315)
    2bf9bfa [bugfix] fix panic during status delete loop by breaking out early on len(statuses) == 0 (#1317)
    de74cc6 [bugfix/frogend] replace ch units to prevent layout shift on page load (#1301)
    eabb906 [bugfix] fix media create error not being checked (#1283)
    6ebdc30 [bugfix] Close reader gracefully when streaming recache of remote media to fileserver api caller (#1281)
    2b0342b [bugfix] use match-sorter for filtering domain blocks (#1270)
    1d24c1c [bugfix] Use null for empty api status language (#1268)
    8703933 [bugfix] fix unordered favorites (#1245)
    04636a3 [bugfix] attach bookmarks module to api (#1238)
    199672e [bugfix] fix unordered favorites (#1236)

Performance

    acc9592 [performance] processing media and scheduled jobs improvements (#1482)
    40bc03e [chore/performance] Update media prune logic, add extra CLI command (#1474)
    70739d3 [performance] remove throttling timers (#1466)
    95715f9 [performance] Don't fetch avatar + header if uri hasn't changed (#1463)
    02767bf [performance] remove local copying of file for satisfying range headers (#1421)
    5318054 [performance] media processing improvements (#1288)

Chores

    4cba90c [chore] Split the bug template in two (#1500)
    700ed77 [chore] Webkit frontend fixes (#1492)
    041c8e6 [chore] Do cache-control in a less silly way to avoid writing header twice (#1481)
    efbc5da [chore]: Bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.48 (#1486)
    33b77b3 [chore]: Bump golang.org/x/image from 0.3.0 to 0.4.0 (#1485)
    7231752 [chore]: Bump modernc.org/sqlite from 1.20.3 to 1.20.4 (#1484)
    6ac1dda [chore] small changes missed in previous dereferencer.GetAccount() PRs (#1467)
    65b1941 [chore] Fix report username wrapping (#1464)
    27e95fd [chore/bugfix] Serve + throttle publickey separately from rest of ActivityPub API (#1461)
    0ed50c1 [chore/frogend] domain blocklist layout on smaller screens (#1436)
    b63b1b6 [chore] Update bug report template (#1437)
    47daddc [chore/frogend] Restructure form data default values / update from Query data (#1422)
    0a98743 [chore]: Bump codeberg.org/gruf/go-runners from 1.4.0 to 1.5.1 (#1428)
    1df25a3 [chore]: Bump github.com/yuin/goldmark from 1.5.3 to 1.5.4 (#1427)
    dae14cc [chore]: Bump github.com/ulule/limiter/v3 from 3.10.0 to 3.11.0 (#1429)
    7f32457 [chore] stub /api/v1/featured_tags endpoint (#1420)
    33aee1b [chore] reformat GetAccount() functionality, support updating accounts based on last_fetch (#1411)
    49beb17 [chore] Text formatting overhaul (#1406)
    4ee4cd2 [chore/performance] use only 1 sqlite db connection regardless of multiplier (#1408)
    b80be48 [chore] Use 'immediate' lock for sqlite transactions (#1404)
    eccb380 [chore] Silence maxprocs logging (#1402)
    356e238 [chore]: Bump github.com/go-playground/validator/v10 (#1400)
    7bcdf35 [chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.21 to 1.0.22 (#1399)
    782169d [chore] set max open / idle conns + conn max lifetime for both postgres and sqlite (#1369)
    27d4e36 [chore] Settings refactor fix4 (#1383)
    36f62d6 [chore] remove funky duplicate attachment in testrig (#1379)
    605dfca [chore] bump go version to 1.19.5 (#1377)
    98a09b5 [chore]: Bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1375)
    3e4dc6b [chore]: Bump github.com/abema/go-mp4 from 0.9.0 to 0.10.0 (#1374)
    13ec15d [chore] extending maximumPasswordLength to 256 (#1372)
    0ceacd7 [chore] bump db dependencies (#1366)
    b375d3b [chore] Add name to instance field for autosuggestion (#1359)
    747683b [chore] Settings refactor fix 2 (#1357)
    13e3aaa [chore] Fix new emoji preview title/alt text (#1354)
    9b139b6 [chore/frogend] Settings refactor (#1318)
    974ec80 [chore] Change default sqlite busy timeout to 5m (#1352)
    a6c6bdb [chore]: Bump codeberg.org/gruf/go-errors/v2 from 2.0.2 to 2.1.1 (#1346)
    fe3e9ed [chore]: Bump github.com/minio/minio-go/v7 from 7.0.44 to 7.0.47 (#1348)
    2a46980 [chore]: Bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 (#1347)
    eafd73c [chore] Remove omitempty on account source; refactor tests to use prettyprint json (#1337)
    36aa685 [chore] Bump json5 from 1.0.1 to 1.0.2 in /web/source (#1308)
    ac562fa [chore]: Bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 (#1322)
    0ca6a9d [chore]: Bump golang.org/x/image from 0.2.0 to 0.3.0 (#1320)
    86ae0b1 [chore]: Bump golang.org/x/text from 0.5.0 to 0.6.0 (#1321)
    345b765 [chore]: Bump golang.org/x/net from 0.4.0 to 0.5.0 (#1319)
    6791920 [chore/frogend] update status blockquote css (#1302)
    adbc877 [chore] pull in latest go-cache, go-runners versions (#1306)
    0dbe6c5 [chore] Update/add license headers for 2023 (#1304)
    ff46dd4 [chore] Fix emoji notnull constraint on initial gtsmodel (#1303)
    71dfea7 [chore] shuffle middleware to split rate limitting into client/s2s/fileserver, share gzip middleware globally (#1290)
    941893a [chore] The Big Middleware and API Refactor (tm) (#1250)
    560ff12 [chore]: Bump github.com/abema/go-mp4 from 0.8.0 to 0.9.0 (#1287)
    b966d3b [chore]: Bump github.com/gin-gonic/gin from 1.8.1 to 1.8.2 (#1286)
    abd594b [chore]: Bump codeberg.org/gruf/go-bytesize from 1.0.0 to 1.0.2 (#1285)
    0871f5d [chore] note broken go v1.19.4 in contributing.md (#1278)
    0f38e7c [chore] fix some little config whoopsies (#1272)
    da751c0 update go-cache to v3.2.0 with support for ignoring errors (#1273)
    eb08529 [chore/bugfix] Switch markdown from blackfriday to goldmark (#1267)
    0f8d938 [chore] Add svg version of sloth logo as logo.svg (#1265)
    a7e71d7 [chore]: Bump golang.org/x/image from 0.1.0 to 0.2.0 (#1252)
    24b4f9b [chore] make single pull request template (#1239)
    e58d2d8 [chore] move caches to a separate State{} structure (#1078)
    dd1a4cd [chore] Remove deprecated linters (#1228)

Documentation

    674646b [docs] Update config.yaml (#1499)
    f3eb28a [docs] Suggest confirming host option in config (#1502)
    fd62847 [docs] Fix nginx fileserver caching example (#1506)
    76d1b48 [docs] move federating with gotosocial documentation into single file (#1494)
    eeca198 [docs] Update user/admin settings docs (#1491)
    dc766f9 [docs] Add an example on how to setup redirect with Traefik (#1395)
    43cbe3b [docs] Simplify Apache httpd proxy documentation (#1396)
    c59ec6f [docs] Add Flag documentation to federation docs (#1393)
    1fa574f [docs] Tidy up federation docs into 'federating with gotosocial' section (#1392)
    8d18888 [chore/docs] add instance-expose-suspended-web to instance docs (#1391)
    6b15b83 [docs] Remove videos from the list of missing features in the FAQ. (#1344)
    98edd75 [docs] Rewrite sponsorship + funding section, add NLnet (#1305)
    9859a43 [docs] Add s3 ssl variable to storage docs (#1294)
    2a1205a [docs] AWS S3 config details added (#1300)
    0b8eafe [docs] Fix documentation edit link (#1298)
    9ecb1c8 [docs] Add troubleshooting section for Apache (#1291)
    bae7398 [docs] Update Apache docs to use 127.0.0.1 instead of localhost (#1266)
    418bfbf [docs] Update nginx docs to use 127.0.0.1 instead of localhost (#1264)
    ce615b5 [docs] Serve static assets with nginx (#1251)
    d2a09c1 [docs] Caching webfinger with nginx (#1242)
    610c270 [docs] Update CONTRIBUTING.md, add pull request templates (#1216)
    aea16bb [docs] Update README.md (#1126)
    923d333 [docs] encourage using loopback bind address (#1166)

(nikita)

Updated lang/nodejs, lang/nodejs18, lang/nodejs16, lang/nodejs14

(adam)

nodejs14: updated to 14.21.3

Version 14.21.3 'Fermium' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)

(adam)

nodejs16: updated to 16.19.1

Version 16.19.1 'Gallium' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)

(adam)

nodejs18: updated to 18.14.1

Version 18.14.1 'Hydrogen' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

(adam)

nodejs: updated to 19.6.1

Version 19.6.1 (Current)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-23919: OpenSSL errors not cleared in error stack (Medium)
CVE-2023-23918: Experimental Policies bypass via process.mainModule.require(High)
CVE-2023-23920: Insecure loading of ICU data through ICU_DATA environment variable (Low)

(adam)

Updated sysutils/py-ansible-compat, sysutils/ansible-lint

(adam)

ansible-lint: updated to 6.13.0

v6.13.0

Minor Changes

Removed experimental flag from multiple rules
Allow only use of quoted octals
Load rule ignores from external text file

Bugfixes

Improve jinja error line number identification
profiles: include all rules when listing all rules or tags
Improve documentation on var-naming
Improve loop-var-prefix checking
Ignore known problematic modules from args rule
Improve jinja2 rule error handling
Enable syntax-check on roles
Recognize role-name[path] also inside roles block
Allow {% in schema full-jinja check
Update ansible-compat
Recognize systemctl kill as a valid command
Mark syntax-check as unskippable
Fixes no-tabs issue with fqcn actions
Move empty-playbook to syntax-check
Ensure that rule import failures are not ignored
Increase the test coverage

(adam)

py-ansible-compat: updated to 3.0.1

v3.0.1

Bugfixes

Avoid double initialization of ansible runtime
Update README.md for 3.0.0 release

v3.0.0

Major Changes

Require ansible-core 2.12 or newer

Minor Changes

Address ansible 2.15 compatibility related to AnsibleCollectionConfig

Bugfixes

Required subprocess-tee>=0.4.1

(adam)

felix: add missing file to PLIST

(wiz)

doc: Added www/p5-Net-OAuth2-AuthorizationServer version 0.28

(nikita)

Import www/p5-Net-OAuth2-AuthorizationServer as p5-Net-OAuth2-AuthorizationServer version 0.28

Imported from wip/p5-Net-OAuth2-AuthorizationServer

This module is the gateway to the various OAuth2 grant flows, as
documented at https://tools.ietf.org/html/rfc6749. Each module
implements a specific grant flow and is designed to "just work"
with minimal detail and effort.

Please see Net::OAuth2::AuthorizationServer::Manual for more
information on how to use this module and the various grant types.
You should use the manual in conjunction with the grant type module
you are using to understand how to override the defaults if the
"just work" mode isn't good enough for you.

(nikita)

openafs: bring the ability to build & install to NetBSD/macppc 10.0_BETA.

I see fertile ground for similar fixes for other archs in this
package.  The 10.0-specific files were copied from the 9.0 files
and minimally modified (actually, the ppc_nbsd100 file was from
the ppc_nbsd20 file).  New ID assigned for NetBSD/macppc 10.0.

No functional testing done: "it builds; ship it!" :)

(he)

thunderbird-l10n: update to version 102.8.0 to sync with thunderbird.

(he)

thunderbird: also update PLIST...

(he)

smake: fix failure to build, add m4 dependency

(nikita)

mail/thunderbird: Update to version 102.8.0.

Pkgsrc changes:
* Checksum changes.
* Minor adjustment to patches.

Upstream changes:

102.8.0:

New:
- Added option to build RNP library with OpenSSL backend (use
  "--with-librnp-backend=openssl" configure option)

Changes:
- Thunderbird now warns user that OpenPGP is disabled if RNP
  library is outdated or missing

Fixes:
- "Get Messages" did not retrieve messages from Gmail accounts
  using a local folder as a deferred inbox
- Various visual and UX improvements

Security fixes:
CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25729: Extensions could have opened external schemes withotu user knowledge
CVE-2023-25732: Out of bounds memory write from EncodeInputStream
CVE-2023-25734: Opening local.url files could cause unexpected network loads
CVE-2023-25742: Web Crypto ImportKey crashes tab
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8

102.7.2:

Fixes:
- Various crash fixes

102.7.1:

Fixes:
- Microsoft Office 365 accounts were unable to authenticate
- Switching identities caused remote images in HTML signatures to
  not be shown
- Thunderbird failed to import vCards that contained "\r\r\n" line endings
- Contribution button for add-ons opened Contribution page in a
  Thunderbird tab, instead of the external browser
- XMPP did not respond to unrecognized IQ queries, causing some
  servers to close the connection
- Window titlebar buttons (minimize/maximize/close) were not
  displayed in Windows 10 "Dark" color mode

Security fixes:
CVE-2023-0430: Revocations tatus of S/Mime signature certificates was not checked

102.7.0:

New:
- Enterprise policies now support Thunderbird-specific preferences.

Fixes:
- Localized builds and langpacks now use "comm-l10n" repository;
  downstream builds using official langpacks should not need to make
  changes
- Having too many folders open at startup caused loss of MSF files
- Copying an email from one local folder to another local folder
  sometimes caused "Another Operation is using the folder" error on
  Windows 7
- Email address pill allowed for incorrectly formatted email addresses
- Creating security exceptions for messages sent using a self-signed
  certificate failed if hostname contained uppercase letters
- S/MIME certificate verification was prohibitively slow
- OpenPGP key import failed for key blocks with comments that
  contain Unicode characters
- Chat conversation sidebar was too wide under certain circumstances,
  making scrollbar unusable
- On Mac, deleting events from Today Pane with "Backspace" key
  deleted selected messages instead

Security fixes:
CVE-2022-46871: libusrsctp library out of date
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
CVE-2022-46877: Fullscreen notification bypass
CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7

Known issues:
- OAuth2 authentication not working for Microsoft 365 Enterprise
  accounts. See the Blog post
  (https://blog.thunderbird.net/2023/01/important-message-for-microsoft-office-365-enterprise-users/)
  for additional information. Bug 1810760

(he)

mpd: make this build on NetBSD/powerpc 10.0_BETA.

Seldom have I seen a program so crusty, e.g. wanting to declare
standard library functions on its own(!)  There are still *lots*
of warnings produced during the build.

"make test" has lots of tests failing for NetBSD/macppc, but at
least quite a few succeed as well.  That's at least something...

(he)

doc: Updated audio/openal-soft to 1.23.0

(wiz)

openal-soft: update to 1.23.0.

openal-soft-1.23.0:

    Fixed CoreAudio capture support.

    Fixed handling per-version EAX properties.

    Fixed interpolating changes to the Super Stereo width source property.

    Fixed detection of the update and buffer size from PipeWire.

    Fixed resuming playback devices with OpenSL.

    Fixed support for certain OpenAL implementations with the router.

    Improved reverb environment transitions.

    Improved performance of convolution reverb.

    Improved quality and performance of the pitch shifter effect slightly.

    Improved sub-sample precision for resampled sources.

    Improved blending spatialized multi-channel sources that use the source
    radius property.

    Improved mixing 2D ambisonic sources for higher-order 3D ambisonic mixing.

    Improved quadraphonic and 7.1 surround sound output slightly.

    Added config options for UHJ encoding/decoding quality. Including Super
    Stereo processing.

    Added a config option for specifying the speaker distance.

    Added a compatibility config option for specifying the NFC distance
    scaling.

    Added a config option for mixing on PipeWire's non-real-time thread.

    Added support for virtual source nodes with PipeWire capture.

    Added the ability for the WASAPI backend to use different playback rates.

    Added support for SOFA files that define per-response delays in makemhr.

    Changed the default fallback playback sample rate to 48khz. This doesn't
    affect most backends, which can detect a default rate from the system.

    Changed the default resampler to cubic.

    Changed the default HRTF size from 32 to 64 points.

(wiz)

doc: Updated devel/mob to 4.3.0

(schmonz)

Update to 4.3.0. From the changelog:

- Feature: Adds `MOB_START_COMMIT_MESSAGE` config property for changing
  the commit message on `mob start` empty commit introduced in 4.2.0.
  This should help overcome problems with pre-receive git hooks.

(schmonz)

Revbump all Go packages after go119 update

(bsiegert)

doc: Updated lang/go119 to 1.19.6

(bsiegert)

go119: update to 1.19.6 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal
  attack.  The filepath.Clean function will now transform this path into the
  relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume
  largely unlimited amounts of memory and disk files. This also affects form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  entry overhead, part names, and MIME headers, permitting a maliciously
  crafted form to consume well over 10MB. In addition, ReadForm contained no
  limit on the number of disk files created, permitting a relatively small
  request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this
  issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in
  the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

(bsiegert)

doc: Updated net/bind918 to 9.18.12

(taca)

net/bind918: update to 9.18.12

--- 9.18.12 released ---

6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
broken by change 6042. [GL #3827]

6082. [test] fuzz/dns_message_checksig leaked memory when shutting
down. [GL #3828]

6081. [bug] Handle primary server address lookup failures in
nsupdate more gracefully. [GL #3830]

6080. [bug] 'named -V' leaked memory. [GL #3829]

6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
command. [GL #3822]

6075. [bug] Add missing node lock when setting node->wild in
add_wildcard_magic. [GL #3799]

6074. [func] Refactor the isc_nm_xfr_allowed() function to return
isc_result_t instead of boolean. [GL #3808]

6073. [bug] Set RD=1 on DS requests to parental-agents. [GL #3783]

6072. [bug] Avoid the OpenSSL lock contention when initializing
Message Digest Contexts by using explicit algorithm
fetching, initializing static contexts for every
supported algorithms, and initializing the new context
by copying the static copy. [GL #3795]

6071. [func] The use of "port" when configuring query-source,
transfer-source, notify-source and parental-source
addresses has been deprecated, along with the
use-v[46]-udp-ports and avoid-v[46]-udp-ports
options. A warning will be logged when these
options are used. In a future release, they
will be removed. [GL #3781]

6069. [bug] Detach from the view in zone_shutdown() to
release the memory held by the dead view
early. [GL #3801]

6068. [bug] Downloading a zone via TLS from a server which does
not negotiate "dot" ALPN token could crash BIND
on shutdown. That has been fixed. [GL #3767]

(taca)

doc: Updated net/bind916 to 9.16.38

(taca)

net/bind916: update to 9.16.38

--- 9.16.38 released ---

6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
broken by change 6042. [GL #3827]

6081. [bug] Handle primary server address lookup failures in
nsupdate more gracefully. [GL #3830]

6080. [bug] 'named -V' leaked memory. [GL #3829]

6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
command. [GL #3822]

6075. [bug] Add missing node lock when setting node->wild in
add_wildcard_magic. [GL #3799]

6072. [bug] Avoid the OpenSSL lock contention when initializing
Message Digest Contexts by using explicit algorithm
fetching, initializing static contexts for every
supported algorithms, and initializing the new context
by copying the static copy. [GL #3795]

6069. [bug] Detach from the view in zone_shutdown() to
release the memory held by the dead view
early. [GL #3801]

(taca)

doc: Added devel/fq version 0.3.0

(wiz)

devel/Makefile: + fq

(wiz)

devel/fq: import fq-0.3.0

Packaged by leot and myself in wip.

Tool, language and decoders for inspecting binary data.

In most cases fq works the same way as jq but instead of reading
JSON it reads binary data.  The result is a JSON compatible structures
where each value has a bit range, symbolic interpretations and know
how to be presented in a useful way.

(wiz)

doc: Add category prefix to latest intel-microcode-netbsd entry

Entries in CHANGES-* should be valid PKGPATHs.

Pointed out via www@ by the pkg-changes2html script.

(leot)

doc: Updated lang/go120 to 1.20.1

(bsiegert)

go120: update to 1.20.1 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal
  attack.  The filepath.Clean function will now transform this path into the
  relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume
  largely unlimited amounts of memory and disk files. This also affects form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  entry overhead, part names, and MIME headers, permitting a maliciously
  crafted form to consume well over 10MB. In addition, ReadForm contained no
  limit on the number of disk files created, permitting a relatively small
  request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this
  issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in
  the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

(bsiegert)

jitsi-videobridge: fix distinfo

(khorben)

jitsi-videobridge: register dependency on jitsi-srtp

While there, ship jitsi-videobridge as a single JAR file.

Tested on NetBSD/amd64.

(khorben)

Adjust apache-ant wrapper to honour JAVA_HOME

Still use the pkgsrc ${PREFIX}/bin/java wrapper by default, but
allow overriding with either of JAVACMD or JAVA_HOME.  The latter
is particularly important for other pkgsrc packages which use ant
to build and may require a specific jdk (java-jna)

Drop setting of ANT_HOME (was in a non default branch anyway)

Bump PKGREVISION

(abs)

doc: Added chat/jitsi-srtp version 1.1

(khorben)

chat: add jitsi-srtp

(khorben)

jitsi-srtp: import version 1.1

Jitsi SRTP contains classes for encrypting and decrypting SRTP and SRTCP
packets. Jitsi SRTP contains native libraries to speed up encryption/decryption.

(khorben)

doc: Updated multimedia/dav1d to 1.1.0

(wiz)

dav1d: update to 1.1.0.

Changes for 1.1.0 'Arctic Peregrine Falcon':
-------------------------------------------

1.1.0 is an important release of dav1d, fixing numerous bugs, and adding SIMD

- New function dav1d_get_frame_delay to query the decoder frame delay
- Numerous fixes for strict conformity to the specs and samples
- NEON and AVX-512 misc fixes and improvements
- Partial AVX2 12bpc transform implementations
- AVX-512 high bit-depth cdef_filter, loopfilter, itx
- NEON z1/z3 optimization for 8bpc
- SSSE3 z1 optimization for 8bpc

"From VideoLAN with love"

(wiz)

doc: Updated print/poppler to 23.02.0

(wiz)

poppler*: update to 23.02.0

Release 23.02.0:
        core:
        * CairoOutputDev: Fix rendering of color type 3 fonts
        * CairoOutputDev: Add handling matte entry
        * Fix segfault on wrong nssdir
        * Fix "NSS could not shutdown"

        utils:
        * pdfsig: Point out supports PKCS#11 URIs as nickname

        qt6:
        *

(wiz)

doc: Updated x11/wxGTK32 to 3.2.2.1

(wiz)

wxGTK32: update to 3.2.2.1.

The very recent 3.2.2 release unfortunately contained a user-visible
regression in wxGenericTreeCtrl, which stopped showing icons, so
we had to make another release correcting this problem

(wiz)

doc: Added games/moonlight-qt version 4.3.1

(charlotte)

games/Makefile: + moonlight-qt

(charlotte)

games/moonlight-qt: Import package

(charlotte)

doc: Updated x11/wxGTK32 to 3.2.2

(wiz)

wxGTK32: update to 3.2.2.

pkgsrc change: Remove duplicate buildlink3.mk include.

News:

This release comes only a few months after the previous 3.2.1, but contains
an important number of bug fixes and enhancements, further improving high DPI
support, including:

- Better window resizing on DPI change in wxMSW.
- Fix using native icons returned by wxArtProvider.
- Fix menu items using custom font in high DPI.
- High resolution icons support in wxGenericTreeCtrl and wxGenericListCtrl.

and also improving locale-related code under Mac and Unix systems:

- wxUILocale::UseDefault() works for locales using different language and
region under Mac and fails when used for unsupported locale under Unix.
- New wxUILocale::GetSystemLocaleId() allows to retrieve such locales IDs.
- wxUILocale::GetCurrent() works currently for "C" locale under Mac.

Some other user-visible enhancements made in this release:

- Allow selecting and copying text in wxMessageDialog in wxGTK.
- Improve size and behaviour of in-place editor in wxGenericTreeCtrl.
- Fix sometimes missing overwrite prompt in "Save" file dialog in wxMSW.
- Fix glitch in drawing wxStaticBox with a control as label in wxMSW.

There are also some important bug fixes:

- Fix regression in saving TIFF images that could end up truncated.
- Fix long standing bug in parsing wxHTTP responses.
- Fix data race when processing events generated in a worker thread.
- Avoid appending extraneous NUL bytes to wxTextDataObject text in wxMSW.
- Fix handling of fonts with fractional sizes in wxOSX.
- Fix resizing wxGLCanvas with EGL and Wayland in wxGTK.
- Fix display artefacts when using AUI without compositor under X11.
- Work around crashes when using wxTextCtrl with MinGW TDM 64.
- Fix for a possible crash when handling menu events under Mac.
- Third-party libraries have been updated to the latest versions.

All in all, this release includes ~150 fixes from 27 unique contributors

(wiz)

mail/Makefile: + thunderbird78-l10n

(wiz)

fonts/Makefile: sort entries

(gutteridge)

doc: Added games/amnesia-tdd version 0.3.2

(charlotte)

doc: Updated textproc/py-cmudict to 1.0.12

(gutteridge)

py-cmudict: downgrade back to 1.0.12 to fix bulk build breakage

(gutteridge)

games/Makefile: + amnesia-tdd

(charlotte)

games/amnesia-tdd: Import package

Amnesia: The Dark Descent is a survival horror game by Frictional Games.
This is a port to Linux and BSD systems.

(charlotte)

doc: Updated devel/kdiff3 to 1.10.0

(gutteridge)

kdiff3: update to 1.10.0

Version 1.10 - 2023-
===========================
*Make DirectoryMergeWindow and DirecoryMergeInfo QDockWidgets.
*Use Qt native saveState/restoreState

(gutteridge)

libspatialite: add upstream bug report

(wiz)

qgis: bump for spatialite and libspatialindex updates

(wiz)

doc: Updated geography/libspatialite to 5.0.1

(wiz)

libspatialite: update to 5.0.1.

Changes: not found

(wiz)

doc: Updated geography/spatialindex to 1.9.3

(wiz)

spatialindex: update to 1.9.3.

Changes:

4 years of development, convert to CMake, no useful changelog found.

(wiz)

doc: Updated fonts/spleen to 1.9.2

(fcambus)

spleen: update to 1.9.2.

Spleen 1.9.2 (2023-02-15)

- Add Spleen ASCii logo header (Thanks H7!)
- Add SPDX short license identifier in sources and fonts
- Fix link to the Spleen package in AUR
- Use printf instead of echo for *BSD and Linux cross-compatibility
- Generate a specimen file for Spleen and include it in the repository
- Adjust trivias: the Haiku kernel debugger doesn't use Spleen anymore
- Update README to add a link to the MacPorts package
- Point the OpenBSD package link to openports.pl

(fcambus)

Updated databases/postgresql1[1-5]

(adam)

doc: Updated cross/mingw-w64*

(ryoon)

postgresql: updated to 15.2, 14.7, 13.10, 12.14, and 11.19

Security Issues

CVE-2022-41862: Client memory disclosure when connecting, with Kerberos, to modified server.

Versions Affected: 12 - 15.

A modified, unauthenticated server or an unauthenticated man-in-the-middle can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 15. Some of these issues may also affect other supported versions of PostgreSQL.

Included in this release:

Fix for partitioned tables to correctly update GENERATED columns in child tables if the GENERATED column does not exist in the parent table or the child generated column has different dependencies than the parent.
Several fixes for the MERGE command.
Allow a WITH RECURSIVE ... CYCLE query to access its SET output column.
Fix an issue with bulk insertions on foreign tables that could lead to logical inconsistencies, for example, a BEFORE ROW trigger may not process rows that should be available.
Reject uses of undefined variables in jsonpath existence checks.
Fix for jsonb subscripting that come directly from a text column in a table.
Honor updated values of checkpoint_completion_target on reload.
Log the correct ending timestamp in recovery_target_xid mode.
Fix issue to allow column lists longer than 100 when using logical replication.
Prevent "wrong tuple length" failure at the end of VACUUM.
Avoid an immediate commit after ANALYZE when using query pipelining.
Several fixes to the query planner, including one that provides more opportunities for using memoization with partitionwise joins.
Fix for statistics collection to correctly handle when a relation changes type (e.g. a table is converted to a view).
Ensure full text search queries can be cancelled while performing phrase matches.
Fix deadlock between DROP DATABASE and logical replication worker process.
Fix small session-lifespan memory leak when CREATE SUBSCRIPTION fails its connection attempt.
Performance improvement for replicas with hot_standby enabled that are processing SELECT queries.
Several fixes for logical decoding that improve its stability and bloat handling.
Fix the default logical replication plug-in, pgoutput, to not send columns that are not listed in a table's replication column list.
Fix possible corruption of very large tablespace map files in pg_basebackup.
Remove a harmless warning from pg_dump in --if-exists mode when the public schema has a non-default owner.
Fix the psql commands \sf and \ef to handle SQL-language functions that have SQL-standard function bodies (i.e. BEGIN ATOMIC).
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA.
Update the pageinspect extension to mark its disk-accessing functions as PARALLEL RESTRICTED.
Fix the seg extension to not crash or print garbage if an input number has more than 127 digits.

(adam)

openldap: remove old patch

(adam)