doc: Updated www/firefox-l10n to 109.0

(ryoon)

firefox-l10n: Update to 109.0

* Sync with www/firefox-109.0.

(ryoon)

doc: Updated www/firefox to 109.0

(ryoon)

firefox: Update to 109.0

Changelog:
109.0

New
  * Manifest Version 3 (MV3) extension support is now enabled by default (MV2
    remains enabled/supported). This major update also ushers an exciting user
    interface change in the form of the new extensions button.

  * The Arbitrary Code Guard exploit protection has been enabled in the media
    playback utility processes, improving security for Windows users.

  * The native HTML date picker for date and datetime inputs can now be used
    with a keyboard alone, improving its accessibility for screen reader users.
    Users with limited mobility can also now use common keyboard shortcuts to
    navigate the calendar grid and month selection spinners.

  * Firefox builds in the Spanish from Spain (es-ES) and Spanish from Argentina
    (es-AR) locales now come with a built-in dictionary for the Firefox
    spellchecker.

Fixed
  * Various security fixes.

Changed
  * Effective on January 16, Colorways will no longer be in Firefox. Users will
    still be able to access saved and active Colorways from the Add-ons and
    themes menu option.

  * On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls the page
    instead of zooming. This avoids accidental zooming and matches the behavior
    of other web browsers on macOS.

  * The Recently Closed section of Firefox View now equips users with the
    ability to manually close/remove url links from the list.

  * The empty state messages and graphic components surfaced in Firefox View
    for the Tab Pickup and Recently Closed sections have been updated for an
    improved user experience.

Developer
  * The ability to automatically break when code on the page hits an events
    handler has been available since Firefox 69. Firefox 109 now adds new
    support for the scrollend event. To use this new event breakpoint, open the
    JS debugger and find and expand the Event Listener Breakpoints section in
    the right hand column (learn more).

Web Platform
  * The scrollend event is now enabled by default. The event is fired when a
    scroll has completed.

  * Firefox now permanently partitions Storage in third-party contexts
    independent of Storage Access to align with other browsers and provide
    better Web compatibility.

Security fixes:
#CVE-2023-23597: Logic bug in process allocation allowed to read arbitrary
files
#CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
#CVE-2023-23599: Malicious command could be hidden in devtools output on
Windows
#CVE-2023-23600: Notification permissions persisted between Normal and Private
Browsing on Android
#CVE-2023-23601: URL being dragged from cross-origin iframe into same tab
triggers navigation
#CVE-2023-23602: Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
#CVE-2023-23603: Calls to <code>console.log</code> allowed bypasing Content
Security Policy via format directive
#CVE-2023-23604: Creation of duplicate <code>SystemPrincipal</code> from less
secure contexts
#CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
#CVE-2023-23606: Memory safety bugs fixed in Firefox 109

(ryoon)

doc: remove ncdu-2.2.1

ncdu version 2 is a replacement written in zig that will be developed
in parallel; in wip/ncdu2 is a start for it

(wiz)

pull over / convert to upstream fixes for newer binutils

https://gitlab.freedesktop.org/xorg/util/cf/-/commit/90b66dc73deb9ef303690370395cf831425547c7

also apply to a couple of other ArCmd uses.  thanks tnn@ for pointing
me to the above change.

bump pkg revision.

(mrg)

Added cross/z80asm version 1.8

(thorpej)

Add a package for z80asm, a Z80 assembler.

This is distinct from the other z80-asm package.  Why do we have it, then?
Because this Z80 assebler has some features that the z80-asm assembler
does not.

(thorpej)

pidgin: Revert conditional for Darwin

pkgsrc changes:
---------------
  * Building fails on Darwin when x11 option is enabled and x11/gtk2 is
    built with quartz option. It successes otherwise. Without any option
    customization, x11/gtk2 is built with quartz (and then without x11). It
    seems safe to simply disable x11 for ${OPSYS} == "Drawin".

(triaxx)

doc: Updated devel/mold to 1.10.0

(fcambus)

mold: update to 1.10.0.

New features:

- mold now officially supports the --print-dependencies option to print
  out dependency information between input files. Here is a truncated
  example output when linking mold itself with the option. There are many
  use cases of the option; for example, if you want to eliminate the
  dependency to some library from your program, you can use this option
  to find out all the functions that use the library's function to fix
  them.
- [x86-64][s390x] mold now optimizes thread-local variable accesses in
  shared libraries if the library is linked with -z nodlopen. If your
  shared library is not intended to be used via dlopen(2) and your library
  frequently accesses thread-local variables, you might want to pass that
  option when linking your library.
- [arm64] mold is now able to optimize GOT load by rewriting an ADDR+LDR
  instruction pair with an ADDR+ADD if the loaded GOT value is known at
  link-time.

Bug fixes and compatibility improvements:

- mold 1.9.0 was up to 10% slower than 1.8.0 on some multicore machines.
  We fixed the performance regression and made it even faster than 1.8.0.
- Previously, mold failed to report an undefined symbol error if there's
  a weak undefined symbol of the same name. That bug resulted in producing
  a non-working executable instead of reporting a link failure. Now, mold
  correctly reports such link errors.
- mold 1.9.0 might crash with SIGSEGV if --emit-relocs is used with object
  files containing debug info. That bug has been fixed.

(fcambus)

doc: Updated devel/swagger-codegen to 3.0.37

(schmonz)

Update to 3.0.37. From the changelog:

- Updated Swagger Core and Parser to latest release

(schmonz)

math/R: also add atomic64.mk to buildlink3.mk

This is so that other R modules pick up this library,
as is apparently needed.

(he)

Fix converters/wkhtmltopdf build

Package checks choked on missing -R/usr/X11R7/lib

(manu)

Fix converters/wkhtmltopdf build

The package checks choked on missing -R/usr/X11R7/lib

(manu)

pidgin: Remove duplicated include

(triaxx)

pidgin: Replace conditional

pkgsrc changes:
---------------
  * Actually, the build fails on Darwin is x11/gtk2 has been built with
    quartz option (suggested option) instead of x11. But the x11 option
    should not be excluded on Darwin since x11/gtk2 could be built with
    x11.

(triaxx)

pidgin: Add forgotten mk/bsd.prefs.mk

Oops, sorry, pkglint said me it looked fine...

(triaxx)

pidgin: Fix build on Darwin

pkgsrc changes:
---------------
  * Remove x11 option for Darwin OPSYS since there is no guarantee that
    x11/gtk2 has been built with x11 option on this OPSYS.
  * Remove vv PLIST variable which seems useless since farstream option
    has been removed (options.mk:1.16).

(triaxx)

Updated www/apache24, devel/py-cpplint

(adam)

py-cpplint: updated to 1.6.1

1.6.1 (2022-08-20)

Fix 195 Fix post increment/decrement operator causing a false positive.
Fix 202 .hh files should not be considered sytem headers
Fix 207 Python2 incompatibility for loading CPPLINT.cfg file
Fix 184 NOLINT(clang-analyzer) comments should not cause warnings

1.6.0 (2022-02-19)

Fix 188: "Include the directory when naming header files" also for header files with other names like "*.hpp"

(adam)

apache24: updated to 2.4.55

Changes with Apache 2.4.55

  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
    2.4.55 allows a backend to trigger HTTP response splitting
    (cve.mitre.org)
    Prior to Apache HTTP Server 2.4.55, a malicious backend can
    cause the response headers to be truncated early, resulting in
    some headers being incorporated into the response body. If the
    later headers have any security purpose, they will not be
    interpreted by the client.
    Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

  *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
    Possible request smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it
    forwards requests to.  This issue affects Apache HTTP Server
    Apache HTTP Server 2.4 version 2.4.54 and prior versions.
    Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
    at Qi'anxin Group

  *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
    of zero byte (cve.mitre.org)
    A carefully crafted If: request header can cause a memory read,
    or write of a single zero byte, in a pool (heap) memory location
    beyond the header value sent. This could cause the process to
    crash.
    This issue affects Apache HTTP Server 2.4.54 and earlier.

  *) mod_dav: Open the lock database read-only when possible.

  *) mod_proxy_http2: apply the standard httpd content type handling
    to responses from the backend, as other proxy modules do.

  *) mod_dav: mod_dav overrides dav_fs response on PUT failure.

  *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]

  *) mod_http2: version 2.0.10 of the module, synchronizing changes
    with the gitgub version. This is a partial rewrite of how connections
    and streams are handled.
    - an APR pollset and pipes (where supported) are used to monitor
      the main connection and react to IO for request/response handling.
      This replaces the stuttered timed waits of earlier versions.
    - H2SerializeHeaders directive still exists, but has no longer an effect.
    - Clients that seemingly misbehave still get less resources allocated,
      but ongoing requests are no longer disrupted.
    - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
      were overwritten instead of preserved.
    - A regression in v1.15.24 was fixed that could lead to httpd child
      processes not being terminated on a graceful reload or when reaching
      MaxConnectionsPerChild. When unprocessed h2 requests were queued at
      the time, these could stall.
    - Improved information displayed in 'server-status' for H2 connections when
      Extended Status is enabled. Now one can see the last request that IO
      operations happened on and transferred IO stats are updated as well.
    - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
      send a GOAWAY frame much too early on new connections, leading to invalid
      protocol state and a client failing the request.
      The module now initializes the HTTP/2 protocol correctly and allows the
      client to submit one request before the shutdown via a GOAWAY frame
      is being announced.
    - :scheme pseudo-header values, not matching the
      connection scheme, are forwarded via absolute uris to the
      http protocol processing to preserve semantics of the request.
      Checks on combinations of pseudo-headers values/absence
      have been added as described in RFC 7540. Fixes #230.
    - A bug that prevented trailers (e.g. HEADER frame at the end) to be
      generated in certain cases was fixed. See #233 where it prevented
      gRPC responses to be properly generated.
    - Request and response header values are automatically stripped of leading
      and trialing space/tab characters. This is equivalent behaviour to what
      Apache httpd's http/1.1 parser does.
      The checks for this in nghttp2 v1.50.0+ are disabled.
    - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
      on the v2.0.x versions for stability. Many thanks!
  *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
    request ':authority' is known. Improved test case that did not catch that
    the previous 'fix' was incorrect.

  *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
    using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

  *) mod_proxy: The AH03408 warning for a forcibly closed backend
    connection is now logged at INFO level.  [Yann Ylavic]

  *) mod_ssl: When dumping the configuration, the existence of
    certificate/key files is no longer tested.  [Joe Orton]

  *) mod_authn_core: Add expression support to AuthName and AuthType.
    [Graham Leggett]

  *) mod_ssl: when a proxy connection had handled a request using SSL, an
    error was logged when "SSLProxyEngine" was only configured in the
    location/proxy section and not the overall server. The connection
    continued to work, the error log was in error.

  *) mod_proxy_hcheck: Re-enable workers in standard ERROR state.

  *) mod_proxy_hcheck: Detect AJP/CPING support correctly.

  *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

  *) mod_md: a new directive `MDStoreLocks` can be used on cluster
    setups with a shared file system for `MDStoreDir` to order
    activation of renewed certificates when several cluster nodes are
    restarted at the same time. Store locks are not enabled by default.
    Restored curl_easy cleanup behaviour from v2.4.14 and refactored
    the use of curl_multi for OCSP requests to work with that.
    Fixes <https://github.com/icing/mod_md/issues/293>.

  *) core: Avoid an overflow on large inputs in ap_is_matchexp.

  *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
    storage instead of slotmem. Needed after setting
    HeartbeatMaxServers default to the documented value 10 in 2.4.54.

  *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
    This is a game changer for performances if client use PROPFIND a lot.

(adam)

py-numpy: add test status

(wiz)

Updated games/wesnoth, devel/py-gitpython

(adam)

py-gitpython: updated to 3.1.30

3.1.30
- Make injections of command-invocations harder or impossible for clone and others.
  See https://github.com/gitpython-developers/GitPython/pull/1518 for details.
  Note that this might constitute a breaking change for some users, and if so please
  let us know and we add an opt-out to this.
- Prohibit insecure options and protocols by default, which is potentially a breaking change,
  but a necessary fix for https://github.com/gitpython-developers/GitPython/issues/1515.
  Please take a look at the PR for more information and how to bypass these protections
  in case they cause breakage: https://github.com/gitpython-developers/GitPython/pull/1521.

(adam)

wesnoth: updated to 1.16.7

Version 1.16.7
Translations
  * Updated translations: Arabic, British English, Czech, Finnish, French, Italian, Japanese, Polish, Portuguese (Brazil), Turkish
Miscellaneous and Bug Fixes
  * wmllint now validates `rank=` values in `[campaign]`
  * Add disconnect check to alert users when they lose connection to the multiplayer server
  * Fixed a crash when checking if abilities are active during game initialisation after loading a saved game.
  * Fix a crash when an out-of-bounds side number is used in Lua窶冱 `sync.evaluate_multiple`
  * Fixed special notes being duplicated when storing units

(adam)

doc: Updated fonts/fontconfig to 2.14.1

(wiz)

fontconfig: update to 2.14.1.

Changes not found.

(wiz)

Updated devel/cmake, net/wireshark

(adam)

wireshark: updated to 4.0.3

Wireshark 4.0.3 Release Notes

What’s New

  We do not ship official 32-bit Windows packages for Wireshark 4.0 and
  later. If you need to use Wireshark on that platform, we recommend
  using the latest 3.6 release. Issue 17779[1]

  Bug Fixes

  The following vulnerabilities have been fixed:

    • wnpa-sec-2023-01[2] EAP dissector crash. Issue 18622[3].

    • wnpa-sec-2023-02[4] NFS dissector memory leak. Issue 18628[5].

    • wnpa-sec-2023-03[6] Dissection engine crash. Issue 18766[7].

    • wnpa-sec-2023-04[8] GNW dissector crash. Issue 18779[9].

    • wnpa-sec-2023-05[10] iSCSI dissector crash. Issue 18796[11].

    • wnpa-sec-2023-06[12] Multiple dissector excessive loops. Issue
      18711[13]. Issue 18720[14], Issue 18737[15].

    • wnpa-sec-2023-07[16] TIPC dissector crash. Issue 18770[17].

  The following bugs have been fixed:

    • Qt: After modifying coloring rules, the coloring rule applied to
      the first packet reflects the coloring rules previously in
      effect. Issue 12475[18].

    • Help file doesn’t display for extcap interfaces. Issue 15592[19].

    • For USB traffic on XHC20 interface destination is always given as
      Host. Issue 16768[20].

    • Wireshark Expert Info - cannot deselect the limit to display
      filter tick box. Issue 18461[21].

    • Wrong pointer conversion in get_data_source_tvb_by_name() Issue
      18517[22].

    • Wrong number of bits skipped while decoding an empty UTF8String
      on UPER packet. Issue 18702[23].

    • Crash when analyzing protobuf packets. Issue 18730[24].

    • Uninitialized values in various dissectors. Issue 18742[25].

    • String (GeoIP country/city) ordering doesn’t work in Endpoints.
      Issue 18749[26].

    • Wireshark crashes with an assertion failure on stray minus in
      filter. Issue 18750[27].

    • IO Graph: Add new graph only works until the 10th graph. Issue
      18762[28].

    • Fuzz job crash output: fuzz-2022-12-30-11007.pcap. Issue
      18770[29].

    • Q.850 - error in label for cause 0x7F. Issue 18780[30].

    • Uninitialized values in CoAP and RTPS dissectors. Issue
      18785[31].

    • Screenshots in AppStream metainfo.xml file not available. Issue
      18801[32].

  Updated Protocol Support

  ASTERIX, BEEP, BGP, BPv6, CoAP, EAP, GNW, GSM A-bis P-GSL, iSCSI,
  ISUP, LwM2M-TLV, MBIM, NBAP, NFS, OBD-II, OPUS, ProtoBuf, RLC, ROHC,
  RTPS, Telnet, TIPC, and USB

(adam)

cmake: updated to 3.25.2

CMake 3.25.2
* CheckSymbolExists: Restore newline at end of test source
* Utilities/Release: Use explicit digest for Win7-compatible signature
* Help: Clarify SYSTEM property default for imported targets
* gitlab-ci: replace '$os' tags with '$os-x86_64' on 3.25 release branch
* gitlab-ci: drop unnecessary linux kernel version tag on 3.25 release branch
* ccmake: Restore compilation with AIX curses.h
* ASM_MASM: Populate MSVC debug information format abstraction table
* VS: Do not enable ASM_MASM debug information unless requested
* gitlab-ci: update macOS jobs to use Xcode 14.2
* Tests: Fix CTest.UpdateGIT under repo-local defaultBranch config
* try_run: Avoid crash in keyword-dispatched signature when cross-compiling
* Restore implicit include directory extraction for adaptive relative paths
* IntelLLVM: Avoid unnecessary -Qstd=c++11 flag on Windows
* Help: Restore cmake-buildsystem(7) header-only library example
* FetchContent: Don't pass SYSTEM through to sub-build
* Help: Clarify and update SYSTEM-related docs
* Code comments: Fix trivial typos
* Help: Add version information for SYSTEM option of add_subdirectory
* Help: string(JSON): avoid duplicate labels
* IntelLLVM: Avoid finding not-yet-supported icpx on Windows
* Help: Clarify compiler id distinction between Intel Classic and IntelLLVM
* CUDA: Add support for cuda_std_20 for nvcc 12.0+
* FindCUDAToolkit: Handle CUDA::nvToolsExt not existing
* zlib: Fix typo in mangling the crc32() function
* FindBoost: Add Boost 1.81 support

(adam)

doc/TODO: update

+ pandoc-3.0, tor-browser-12.0.2.
- qt6-6.3.1

(wiz)

Updated www/py-test-httpx, textproc/py-precis-i18n

(adam)

py-precis-i18n: updated to 1.0.5

1.0.5
-  Update internal tables for Unicode 15.0.
-  Small type hint fix to one ``.pyi`` file.
-  Add Python 3.11 and 3.12 to CI build environment.
-  Update copyright year (2023).

(adam)

py-test-httpx: updated to 0.21.3

0.21.3

Fixed

Update version specifiers for pytest dependency to support packaging 23.
Add explicit support for python 3.11.

(adam)

doc/pkgsrc.*: regen

(wiz)

guide: update documentation for cmake/build.mk

(wiz)

ckmame: convert to cmake/build.mk

(wiz)

libzip: convert to cmake/build.mk

(wiz)

treesitter: use libtool for generating grammars

Hopefully fixes use on macOS

(wiz)

Updated emulators/qemu, net/haproxy

(adam)

haproxy: updated to 2.7.2

2023/01/20 : 2.7.2
- OPTIM: pool: split the read_mostly from read_write parts in pool_head
- REGTESTS: ssl: enable the ssl_reuse.vtc test for WolfSSL
- BUG/MEDIUM: mux-quic: fix double delete from qcc.opening_list
- BUG/MEDIUM: quic: properly take shards into account on bind lines
- BUG/MINOR: quic: do not allocate more rxbufs than necessary
- BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
- BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
- MINOR: httpclient: don't add body when istlen is empty
- MEDIUM: mux-quic: implement shutw
- MINOR: mux-quic: do not count stream flow-control if already closed
- MINOR: mux-quic: handle RESET_STREAM reception
- MEDIUM: mux-quic: implement STOP_SENDING emission
- MINOR: h3: use stream error when needed instead of connection
- CI: github: enable github api authentication for OpenSSL tags read
- BUG/MINOR: mux-quic: ignore remote unidirectional stream close
- CI: github: use the GITHUB_TOKEN instead of a manually generated token
- BUILD: makefile: build the features list dynamically
- BUILD: makefile: sort the features list
- BUILD: makefile: clean the wolfssl include and lib generation rules
- BUILD: makefile: make sure to also ignore SSL_INC when using wolfssl
- BUG/MINOR: debug: don't mask the TH_FL_STUCK flag before dumping threads
- MINOR: cfgparse-ssl: avoid a possible crash on OOM in ssl_bind_parse_npn()
- BUG/MINOR: stick-table: report the correct action name in error message
- CI: Improve headline in matrix.py
- CI: Add in-memory cache for the latest OpenSSL/LibreSSL
- CI: Use proper `if` blocks instead of conditional expressions in matrix.py
- CI: Unify the `GITHUB_TOKEN` name across matrix.py and vtest.yml
- CI: Explicitly check environment variable against `None` in matrix.py
- CI: Reformat `matrix.py` using `black`
- MINOR: config: add environment variables for default log format
- BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- DOC: config: fix alphabetical ordering of http-after-response rules
- DOC: config: remove duplicated "http-response sc-set-gpt0" directive
- BUG/MINOR: proxy: free orgto_hdr_name in free_proxy()
- REGTEST: fix the race conditions in json_query.vtc
- REGTEST: fix the race conditions in add_item.vtc
- REGTEST: fix the race conditions in digest.vtc
- REGTEST: fix the race conditions in hmac.vtc
- BUG/MINOR: fd: avoid bad tgid assertion in fd_delete() from deinit()
- BUG/MINOR: http: Memory leak of http redirect rules' format string
- CLEANUP: htx: fix a typo in an error message of http_str_to_htx
- DOC: config: added optional rst-ttl argument to silent-drop in action lists
- DOC: management: add details on "Used" status
- DOC: management: add details about @system-ca in "show ssl ca-file"
- BUG/MINOR: mux-quic: fix transfer of empty HTTP response
- MINOR: mux-quic: add traces for flow-control limit reach
- MAJOR: mux-quic: rework stream sending priorization
- MEDIUM: h3: send SETTINGS before STREAM frames
- MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission
- MINOR: mux-quic: use send-list for immediate sending retry
- BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
- BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc
- BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
- DEV: tcploop: add minimal support for unix sockets
- BUG/MEDIUM: peers: make "show peers" more careful about partial initialization
- BUG/MINOR: promex: Don't forget to consume the request on error
- BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body
- BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
- BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is unkown
- BUG/MINOR: http-ana: make set-status also update txn->status
- BUG/MINOR: listeners: fix suspend/resume of inherited FDs
- DOC: config: fix wrong section number for "protocol prefixes"
- DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
- DOC: config: mention the missing "quic4@" and "quic6@" in protocol prefixes
- MINOR: listener: also support "quic+" as an address prefix
- CLEANUP: stconn: always use se_fl_set_error() to set the pending error
- BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR
- MINOR: quic: Useless test about datagram destination addresses
- MINOR: quic: Disable the active connection migrations
- MINOR: quic: Add "no-quic" global option
- MINOR: sample: Add "quic_enabled" sample fetch
- MINOR: quic: Replace v2 draft definitions by those of the final 2 version
- BUG/MINOR: mux-fcgi: Correctly set pathinfo
- DOC: config: fix "Address formats" chapter syntax
- BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params)
- BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0)
- BUG/MINOR: listener: close tiny race between resume_listener() and stopping
- BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup broadcast
- BUG/MINOR: thread: always reload threads_enabled in loops
- MINOR: threads: add a thread_harmless_end() version that doesn't wait
- BUG/MEDIUM: debug/thread: make the debug handler not wait for !rdv_requests
- BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit actions
- BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions
- BUG/MINOR: h3: properly handle connection headers
- MINOR: h3: extend function for QUIC varint encoding
- MINOR: h3: implement TRAILERS encoding
- MINOR: h3: implement TRAILERS decoding
- BUG/MINOR: mux-h2: make sure to produce a log on invalid requests
- BUG/MINOR: mux-h2: add missing traces on failed headers decoding
- BUILD: hpack: include global.h for the trash that is needed in debug mode

(adam)

qemu: updated to 7.2.0

https://wiki.qemu.org/ChangeLog/7.2

(adam)

doc: Updated devel/goredo to 1.30.0

(schmonz)

Update to 1.30.0. From the changelog:

* Fixed wrong OOD-cache value of source file dependency.  Targets
  could be rebuilt without any reason.

(schmonz)

zig: application.mk: allow buildoptions to be set.

(nikita)

doc: Updated lang/gleam to 0.26.0

(nikita)

gleam: update to version 0.26

ChangeLog taken from https://gleam.run/news/v0.26-incremental-compilation-and-deno/
Incremental compilation, and hello Deno!

Gleam v0.26 released

Incremental compilation

A Gleam project is made of packages, typically a top level package and several
dependency packages fetched by the package manager, and each package contains
a collection of modules of Gleam code.

In the very early days of Gleam when the compiler was run it would compile from
scratch every module in every package in the project. This was highly wasteful,
especially for the dependency packages which are would not have changed at all.
To tackle this inefficiency when the Gleam build tool was created it was made
to compile dependency packages only once and reuse the compiled code for every
following build, resulting in only the top level package being recompiled.

This has worked well for the last couple years, but now as more people are
using Gleam it was time for an upgrade. Large projects such as those with a
large amount of generated gRPC code were starting to take an irksome amount of
time to compile. Gleam is all about fun and productivity, so this just won't do!

There are numerous ways we want to improve the performance of the (already
very nimble) Gleam compiler, but the majority of the time is spent in the Erlang
compiler, which we use to generate BEAM bytecode, so these improvements will not
be very impactful here. Instead we need to improve the build tool such that it
only compiles modules when it has to, rather than the entire package.

To benchmark the impact of this change I created a Gleam package with 300,000
lines of code and 370,000 lines of documentation comments across 1400 modules,
and test recompiling the package without any changes. The old version of the
compiler will recompile every module, while the new version will instead only
read and verify the caches.
Erlang

Benchmark 1: v0.25
  Time (mean ± σ):    18.443 s ±  0.949 s    [User: 18.458 s, System: 2.995 s]
  Range (min … max):  17.102 s … 19.968 s    10 runs

Benchmark 2: v0.26
  Time (mean ± σ):    140.8 ms ±  3.9 ms    [User: 92.5 ms, System: 46.4 ms]
  Range (min … max):  138.0 ms … 156.1 ms    20 runs

Summary
  'v0.26' ran
  130.99 ± 7.67 times faster than 'v0.25'

When targeting Erlang rebuilding now 130 times faster than before for a
project this size!
JavaScript

Benchmark 1: v0.25
  Time (mean ± σ):      1.861 s ±  0.026 s    [User: 1.543 s, System: 0.299 s]
  Range (min … max):    1.833 s …  1.927 s    10 runs

Benchmark 2: v0.26
  Time (mean ± σ):    145.3 ms ±  2.9 ms    [User: 92.9 ms, System: 50.8 ms]
  Range (min … max):  141.4 ms … 154.3 ms    20 runs

Summary
  'v0.26' ran
  12.81 ± 0.31 times faster than 'v0.25'

When targeting JavaScript the change is less impactful, running just under 13
times faster. This is because on this target we don't need to run the Erlang
compiler to generate bytecode, the outputted JavaScript code can be loaded
directly into a JavaScript runtime.

These benchmarks were performed with the excellent Hypefine command line
benchmarking tool.
How does it work?

When the compiler runs for each module it emits a set of reusable artefacts:

    Erlang bytecode in a .beam file.
    Erlang record definitions in .hrl files for use by any native Erlang modules.
    Information on the types and values in the module in a .cache file.
    Information the compilation of the module in a .cache_meta file.

If the module doesn't need to be compiled again then we can load the .beam
bytecode into the virtual machine, load the module information from the .cache
file so we can compile other modules that depend on it, and move on to the next
module.

How do we tell if a module needs to be recomplied? There are two checks we need
to make, both using information stored in the .cache_meta file.

The first is to check the modification time of the source file against the
compile time stored in the .cache_meta file. If the source file modification
time is newer then it has been changed and we need to recompile it.

The second is to look at the modules dependencies. The .cache_meta file stores
a list of the modules the the module imports, and using this we can tell if any
of modules upstream in the dependency tree are going to be recompiled. If so
then we need to recompile the module as a change in a dependency may mean that
this module needs to be compiled differently than last time.

What's next?

These changes have made a huge difference to compilation speed, but there's
still a lot more easy wins we can apply in future here if the need arises such
as improvements to the efficiency of the compiler's IRs, more precise cache
invalidation, and multithreaded compilation.

Developer experience is a top priority for Gleam. You need your feedback as
quickly as possible when writing Gleam code, so we're committed to keeping the
compiler super speedy.

Running on Deno

Gleam can run on JavaScript as well as the Erlang virtual machine. Until now
when you run gleam run or gleam test with a Gleam project targeting JavaScript
it'll run your code using the NodeJS runtime. With v0.26 the Deno runtime can
be used instead!

Deno is similar to NodeJS in many ways, but it boasts better compliance with
web-standard APIs, much better security, and a very slick developer experience.

To use Deno instead of NodeJS you can either add the --runtime=deno flag to
commands like gleam run, or you can add the javascript.runtime property to your
gleam.toml file.

name = "my_project"
version = "1.0.0"

[javascript]
runtime = "deno"

Thank you to Brett Kolodny for this feature!
Thanks

Gleam is made possible by the support of all the kind people and companies who
have very generously sponsored or contributed to the project. Thank you all!

If you like Gleam consider sponsoring or asking your employer to sponsor Gleam
development. I work full time on Gleam and your kind sponsorship is how I pay
my bills!

(nikita)

zig: fix issues with generating package.

(nikita)

Un-break FreeBSD build - it does not define ENODATA.

See also this thread
<kern/2012/04/30/msg013090.html>.">https://mail-index.netbsd.org/tech-kern/2012/04/30/msg013090.html>.

(hauke)

textproc/ruby-classifier-reborn: fix condition for Ruby's version

Take care of Ruby 3.1 above.

(taca)

doc: Updated www/passenger to 5.3.7nb13

(taca)

www/passenger: Ruby 3.2 compatibility

Add Ruby 3.2 compatibility fix.

Bump PKGREVISION.

(taca)

devel/ccache*: Adjust comment about xz to modern reality

(gdt)

doc: Updated www/ramaze to 2023.01.06

(taca)

www/ramaze: update to 2023.01.06

2023.01.06

No release note nor changelog.  Basically, refacter and catch up to recent
innate and Ruby.

Please refer
<https://github.com/Ramaze/ramaze/compare/2015.10.28...2023.01.06> in
detail.

(taca)

Added net/nagios-plugin-x509 version 0.1

This Nagios plugin monitors x509 certificates for expiration or revokation

(manu)

doc: Updated textproc/ruby-kramdown-rfc2629 to 1.6.20

(taca)

textproc/ruby-kramdown-rfc2629: update to 1.6.20

1.6.18 (2023-01-09)

* Ruby 3.2 compatibility

1.6.19 (2023-01-10)

* More Ruby 3.2 compatibility

1.6.20

* Ignore target attributes in RFC and I-D bibxml
* Fix DOI retrieval for 10.4711_... (underscore)

(taca)

doc: Updated security/ruby-rex-socket to 0.1.45

(taca)

Build fix: Detect hdb_generate_key_set_password() signature change

Details about the API change can be found here:
https://github.com/heimdal/heimdal/issues/246

(manu)

security/ruby-rex-socket: update to 0.1.45

0.1.44 (2023-01-10)

* Do not assign blank hostname to (SSL) Socket

0.1.45 (2023-01-13)

* Fix deprecation warning in socks proxy support

(taca)

doc: Updated security/ruby-rex-core to 0.1.29

(taca)

security/ruby-rex-core: update to 0.1.29

0.1.29 (2023-01-11)

* Allow developer configurable messages in exceptions

(taca)

doc: Updated security/ruby-net-sftp to 4.0.0

(taca)

security/ruby-net-sftp: update to 4.0.0

4.0.0 (2022-11-01)

* Fix multibyte string write
* correct typo "raeddir"
* Fix mocha deprectaion warning to not require setup
* Allow net-ssh v7 which fixes OpenSSL 3 compat
* Update cert

(taca)

doc: Updated security/ruby-metasploit-payloads to 2.0.107

(taca)

security/ruby-metasploit-payloads: update to 2.0.107

2.0.106 (2023-01-12)

* add enumdesktops command to windows python meterpreter

2.0.107 (2023-01-13)

* Land #600, add enumdesktops to python meterpreter

(taca)

doc: Updated net/ruby-ruby_smb to 3.2.2

(taca)

net/ruby-ruby_smb: update to 3.2.2

3.2.2 (2023-01-18)

* Land #245, Update ruby versions
* Land #246, Add support for Ruby 3.2
* Don't crash when the buffer is empty

(taca)

entr: fix some pkglint

(wiz)

doc: update Ruby on Rails 7.0 related packages to 7.0.4.1

devel/ruby-activesupport70
devel/ruby-activemodel70
devel/ruby-activejob70
www/ruby-actionview70
www/ruby-actionpack70
databases/ruby-activerecord70
devel/ruby-activestorage70
mail/ruby-actionmailer70
mail/ruby-actionmailbox70
www/ruby-actioncable70
devel/ruby-railties70
textproc/ruby-actiontext70
www/ruby-rails70

(taca)

www/ruby-rails70: update to 7.0.4.1

Rails 7.0.4.1 (2023-01-17)

devel/ruby-activesupport70

* Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

www/ruby-actionpack70

* Fix sec issue with _url_host_allowed?

  Disallow certain strings from `_url_host_allowed?` to avoid a redirect
  to malicious sites.

  [CVE-2023-22797]

* Avoid regex backtracking on If-None-Match header

  [CVE-2023-22795]

* Use string#split instead of regex for domain parts

  [CVE-2023-22792]

databases/ruby-activerecord70

* Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was
  attempting sanitization. That sanitization could be bypassed with
  carefully crafted input.

  This commit makes the sanitization more robust by replacing any
  occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
  first pass to remove one surrounding comment to avoid compatibility
  issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not
  be provided user input.

  [CVE-2023-22794]

* Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type
  PostgreSQL will treat the column type as numeric. Comparing
  integer values against numeric values can result in a slow
  sequential scan.

  This behavior is configurable via
  ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

(taca)

doc: update Ruby on Rails 6.1 related packages to 6.1.7.1

devel/ruby-activesupport61
devel/ruby-activemodel61
devel/ruby-activejob61
www/ruby-actionview61
www/ruby-actionpack61
databases/ruby-activerecord61
devel/ruby-activestorage61
mail/ruby-actionmailer61
mail/ruby-actionmailbox61
www/ruby-actioncable61
devel/ruby-railties61
textproc/ruby-actiontext61
www/ruby-rails61

(taca)

www/ruby-rails61: update to 6.1.7.1

Rails 6.1.7.1 (2023-01-17)

devel/ruby-activesupport61

* Avoid regex backtracking in Inflector.underscore

    [CVE-2023-22796]

www/ruby-actionpack61

* Avoid regex backtracking on If-None-Match header

  [CVE-2023-22795]

* Use string#split instead of regex for domain parts

  [CVE-2023-22792]

databases/ruby-activerecord61

* Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was
  attempting sanitization. That sanitization could be bypassed with
  carefully crafted input.

  This commit makes the sanitization more robust by replacing any
  occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
  first pass to remove one surrounding comment to avoid compatibility
  issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not
  be provided user input.

  [CVE-2023-22794]

* Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type
  PostgreSQL will treat the column type as numeric. Comparing
  integer values against numeric values can result in a slow
  sequential scan.

  This behavior is configurable via
  ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

(taca)

doc: update Ruby on Rails 6.0 and related packages to 6.0.6.1

devel/ruby-activesupport60
devel/ruby-activemodel60
devel/ruby-activejob60
www/ruby-actionview60
www/ruby-actionpack60
databases/ruby-activerecord60
mail/ruby-actionmailer60
devel/ruby-activestorage60
mail/ruby-actionmailbox60
www/ruby-actioncable60
devel/ruby-railties60
textproc/ruby-actiontext60
www/ruby-rails60

(taca)

www/ruby-rails60: update to 6.0.6.1

Only databases/ruby-activerecord61 has updated.

Rails 6.0.6.1 (2023-01-17)

* Make `sanitize_as_sql_comment` more strict

  Though this method was likely never meant to take user input, it was
  attempting sanitization. That sanitization could be bypassed with
  carefully crafted input.

  This commit makes the sanitization more robust by replacing any
  occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
  first pass to remove one surrounding comment to avoid compatibility
  issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not
  be provided user input.

  [CVE-2023-22794]

(taca)

doc: Updated www/ruby-rack2 to 2.2.6.2

(taca)

www/ruby-rack2: update to 2.2.6.2

2.2.6 (2022-01-17)

* Extend Rack::MethodOverride to handle QueryParser::ParamsTooDeepError
  error.  (#2011, @byroot)

2.2.6.1 (2022-01-17)

* [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
* [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
* [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

2.2.6.2 (2022-01-17)

* [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges

(taca)

doc: Updated www/ruby-rack to 3.0.4.1

(taca)

www/ruby-rack: update to 3.0.4.1

3.0.4 (2023-01-17)

* Rack::Request#POST should consistently raise errors.  Cache errors that
  occur when invoking Rack::Request#POST so they can be raised again later.
  (#2010, @ioquatix)

* Fix Rack::Lint error message for HTTP_CONTENT_TYPE and
  HTTP_CONTENT_LENGTH.  (#2007, @byroot)

* Extend Rack::MethodOverride to handle QueryParser::ParamsTooDeepError
  error.  (#2006, @byroot)

3.0.4.1 (2023-01-17)

* [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
* [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
* [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

(taca)

doc: Updated www/ruby-faraday1 to 1.10.3

(taca)

www/ruby-faraday1: update to 1.10.3

1.10.3 (2023-01-19)

What's Changed

* Add support for Ruby 3.2.0 in Faraday v1.x by @timrogers in #1483

New Contributors

* @timrogers made their first contribution in #1483

(taca)

doc: Updated www/ruby-faraday to 2.7.3

(taca)

www/ruby-faraday: update to 2.7.3

2.7.3 (2023-01-16)

What's Changed

Fixes:

* Fix Style/ZeroLengthPredicate by @olleolleolle in #1480
* Connection#build_exclusive_url: replace simple syntax by @hyuraku in #1481
* Add URL to to_hash in Faraday::Response (#1474) by @aaronstillwell in #1475

Misc:

* Clarify diff between connection settings timeout and open_timeout by
  @Yu-Chieh-Henry-Yang in #1470
* Adds Ruby 3.2 to the CI matrix. by @petergoldstein in #1471
* Fix typo in Adapters documentation by @henrialb in #1473
* docs: Update to 2023 by @frederikspang in #1477
* Update connection.rb documentation to use PUT in an example by @wlads in
  #1482

New Contributors

* @Yu-Chieh-Henry-Yang made their first contribution in #1470
* @henrialb made their first contribution in #1473
* @frederikspang made their first contribution in #1477
* @aaronstillwell made their first contribution in #1475
* @wlads made their first contribution in #1482

(taca)

doc: Updated devel/ruby-rspec-mocks to 3.12.3

(taca)

devel/ruby-rspec-mocks: update to 3.12.3

3.12.3 (2023-01-17)

Bug Fixes:

* Fix keyword delegation in send for verifying doubles on Ruby 3.
  (Charlie Honig, #1485)

(taca)