py-test-flake8: updated to 1.0.6

1.0.6
- Fix compatibility with flake8 >= 3.8

(adam)

fix pytest->test

(adam)

pytest from versioned depends

(adam)

pytest from versioned depends

(adam)

py-backcall: pytest from versioned depends

(adam)

py-attrs: pytest from versioned depends

(adam)

py-mutagen: pytest from versioned depends

(adam)

py-atomicwrites: pytest from versioned depends

(adam)

py-redis: pytest from versioned depends

(adam)

py-alembic: pytest from versioned depends

(adam)

py-mysqlclient: pytest from versioned depends

(adam)

py-alembic: pytest from versioned depends

(adam)

py-chardet: not need to include application.mk

(adam)

py-chardet: pytest from versioned depens

(adam)

py-MyHDL: pytest from versioned depens

(adam)

py-werkzeug: remove pytest from depends

(adam)

py-test-runner: pytest from versioned deps.

(adam)

doc: Updated lang/go113 to 1.13.11

(bsiegert)

Update go113 to 1.13.11.

go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go
1.13.11 milestone on our issue tracker for details.

(bsiegert)

py-lz4: updated to 3.0.2

v3.0.2:
This release removes py3c from the codebase and strips out unused Python 2 support code. No functional changes are included with this release.

v3.0.1:
This release fixes an issue that prevented the OSX wheels from being published to PyPi, and contains no functional changes.

v3.0.0:
This release:
* Drops support for Python 2 (although some dead code remains for future removal)
* Adds streams support thanks to the hard work of @tSed
* Fixes a performance bug with the frame bindings - thanks to @bjonen for the careful report and reproducer
* Adds Python 3.8 support

(adam)

py-wtforms-components: pytest from versioned deps.

(adam)

python: add pytest to versioned_dependencies.mk

(adam)

Updated devel/py-test

(adam)

py-test: updated to 5.4.2

pytest 5.4.2:
Bug Fixes
* Fix crash with captured output when using the capsysbinary fixture.
* Ensure a unittest.IsolatedAsyncioTestCase is actually awaited.
* Fix TerminalRepr instances to be hashable again.
* Fix regression where functions registered with TestCase.addCleanup were not being called on test failures.
* Allow users to still set the deprecated TerminalReporter.writer attribute.
* Revert 窶徼mpdir: clean up indirection via config for factories窶� 6767 as it breaks pytest-xdist.
* Fixed regression: asyncbase.TestCase tests are executed correctly again.
* Fix File.from_constructor so it forwards extra keyword arguments to the constructor.
* Classes with broken __getattribute__ methods are displayed correctly during failures.
* Fix _is_setup_py for files encoded differently than locale.

pytest 5.4.1:
Bug Fixes
* Revert the change introduced by 6330, which required all arguments to @pytest.mark.parametrize to be explicitly defined in the function signature.
The intention of the original change was to remove what was expected to be an unintended/surprising behavior, but it turns out many people relied on it, so the restriction has been reverted.
* Fix crash when plugins return an unknown stats while using the --reportlog option.

pytest 5.4.0:
Breaking Changes
* Matching of -k EXPRESSION to test names is now case-insensitive.
* Plugins specified with -p are now loaded after internal plugins, which results in their hooks being called before the internal ones.
This makes the -p behavior consistent with PYTEST_PLUGINS.
* Removed the long-deprecated pytest_itemstart hook.
This hook has been marked as deprecated and not been even called by pytest for over 10 years now.
* Reversed / fix meaning of 窶�+/-窶� in error diffs. 窶�-窶� means that sth. expected is missing in the result and 窶�+窶� means that there are unexpected extras in the result.
* The cached_result attribute of FixtureDef is now set to None when the result is unavailable, instead of being deleted.
If your plugin performs checks like hasattr(fixturedef, 'cached_result'), for example in a pytest_fixture_post_finalizer hook implementation, replace it with fixturedef.cached_result is not None. If you del the attribute, set it to None instead.

Deprecations
* Option --no-print-logs is deprecated and meant to be removed in a future release. If you use --no-print-logs, please try out --show-capture and provide feedback.
--show-capture command-line option was added in pytest 3.5.0 and allows to specify how to display captured output when tests fail: no, stdout, stderr, log or all (the default).
* Deprecate the unused/broken pytest_collect_directory hook. It was misaligned since the removal of the Directory collector in 2010 and incorrect/unusable as soon as collection was split from test execution.
* Deprecate using direct constructors for Nodes.
Instead they are now constructed via Node.from_parent.
This transitional mechanism enables us to untangle the very intensely entangled Node relationships by enforcing more controlled creation/configuration patterns.
As part of this change, session/config are already disallowed parameters and as we work on the details we might need disallow a few more as well.
Subclasses are expected to use super().from_parent if they intend to expand the creation of Nodes.
* The TerminalReporter.writer attribute has been deprecated and should no longer be used. This was inadvertently exposed as part of the public API of that plugin and ties it too much with py.io.TerminalWriter.

Features
* New 窶田apture=tee-sys option to allow both live printing and capturing of test output.
* Now all arguments to @pytest.mark.parametrize need to be explicitly declared in the function signature or via indirect. Previously it was possible to omit an argument if a fixture with the same name existed, which was just an accident of implementation and was not meant to be a part of the API.
* Changed default for -r to fE, which displays failures and errors in the short test summary. -rN can be used to disable it (the old behavior).
* New options have been added to the junit_logging option: log, out-err, and all.
* Excess warning summaries are now collapsed per file to ensure readable display of warning summaries.

Improvements
* pytest.mark.parametrize accepts integers for ids again, converting it to strings.
* Use 窶忱ellow窶� main color with any XPASSED tests.
* Revert 窶廣 warning is now issued when assertions are made for None窶�.
The warning proved to be less useful than initially expected and had quite a few false positive cases.
* tmpdir_factory.mktemp now fails when given absolute and non-normalized paths.
* The pytest_warning_captured hook now receives a location parameter with the code location that generated the warning.
* pytester: the testdir fixture respects environment settings from the monkeypatch fixture for inner runs.
* --fulltrace is honored with collection errors.
* Make --showlocals work also with --tb=short.
* Add support for matching lines consecutively with LineMatcher窶冱 fnmatch_lines() and re_match_lines().
* Code is now highlighted in tracebacks when pygments is installed.
Users are encouraged to install pygments into their environment and provide feedback, because the plan is to make pygments a regular dependency in the future.
* Import usage error message with invalid -o option.
* pytest.mark.parametrize supports iterators and generators for ids.

Bug Fixes
* Add support for calling pytest.xfail() and pytest.importorskip() with doctests.
* --trace now works with unittests.
* Fixed some warning reports produced by pytest to point to the correct location of the warning in the user窶冱 code.
* Fix --last-failed to collect new tests from files with known failures.
* Report PytestUnknownMarkWarning at the level of the user窶冱 code, not pytest窶冱.
* Fix interaction with --pdb and unittests: do not use unittest窶冱 TestCase.debug().
* Fix summary entries appearing twice when f/F and s/S report chars were used at the same time in the -r command-line option (for example -rFf).
The upper case variants were never documented and the preferred form should be the lower case.
* Fallback to green (instead of yellow) for non-last items without previous passes with colored terminal progress indicator.
* --disable-warnings is honored with -ra and -rA.
* Fix bug in the comparison of request key with cached key in fixture.
A construct if key == cached_key: can fail either because == is explicitly disallowed, or for, e.g., NumPy arrays, where the result of a == b cannot generally be converted to bool. The implemented fix replaces == with is.
* Make capture output streams .write() method return the same return value from original streams.
* Fix EncodedFile.writelines to call the underlying buffer窶冱 writelines method.
* Fix internal crash when faulthandler starts initialized (for example with PYTHONFAULTHANDLER=1 environment variable set) and faulthandler_timeout defined in the configuration file.
* Fix node ids which contain a parametrized empty-string variable.
* Assertion rewriting hooks are (re)stored for the current item, which fixes them being still used after e.g. pytester窶冱 testdir.runpytest etc.
* pytest.exit() is handled when emitted from the pytest_sessionfinish hook. This includes quitting from a debugger.
* When pytest.raises() is used as a function (as opposed to a context manager), a match keyword argument is now passed through to the tested function. Previously it was swallowed and ignored (regression in pytest 5.1.0).
* Do not display empty lines inbetween traceback for unexpected exceptions with doctests.
* The testdir fixture works within doctests now.

Improved Documentation
* Add list of fixtures to start of fixture chapter.
* Expand first sentence on fixtures into a paragraph.
Trivial/Internal Changes
* Remove usage of parser module, deprecated in Python 3.9.

(adam)

graphics/OpenRM: fix typo in variable name

(rillig)

py-test4: added version 4.6.10

pytest 4.6.10:

Features
- New ``Config.invocation_args`` attribute containing the unchanged arguments passed to ``pytest.main()``.
  Remark: while this is technically a new feature and according to our `policy <https://docs.pytest.org/en/latest/py27-py34-deprecation.html#what-goes-into-4-6-x-releases>`_ it should not have been backported, we have opened an exception in this particular case because it fixes a serious interaction with ``pytest-xdist``, so it can also be considered a bugfix.

Trivial/Internal Changes
- Remove usage of ``parser`` module, deprecated in Python 3.9.

pytest 4.6.9:

Bug Fixes
- Fix assertion rewriting for egg-based distributions and ``editable`` installs (``pip install --editable``).

pytest 4.6.8:

Features
- JUnit XML now includes a timestamp and hostname in the testsuite tag.

Bug Fixes
- junitxml: Logs for failed test are now passed to junit report in case the test fails during call phase.

Trivial/Internal Changes
- Pin ``colorama`` to ``0.4.1`` only for Python 3.4 so newer Python versions can still receive colorama updates.

pytest 4.6.7:

Bug Fixes
- The XML file produced by ``--junitxml`` now correctly contain a ``<testsuites>`` root element.
-  Properly ignore ``FileNotFoundError`` (``OSError.errno == NOENT`` in Python 2) exceptions when trying to remove old temporary directories,
  for instance when multiple processes try to remove the same directory (common with ``pytest-xdist``
  for example).

(adam)

Updated finance/py-braintree, devel/py-distorm3

(adam)

py-distorm3: updated to 3.4.4

3.4.4:
Update __init__.py
Fixed decompose wrapper bug.

(adam)

py-braintree: updated to 4.1.0

4.1.0
Add DisputeAccepted, DisputeDisputed, and DisputeExpired webhook constants
Add three_d_secure_pass_thru to CreditCard.create, CreditCard.update, PaymentMethod.create, PaymentMethod.update, Customer.create, and Customer.update.
Add Verification validation errors for 3D Secure
Add payment_method_token to CreditCardVerificationSearch
Add recurring_customer_consent and recurring_max_amount to authentication_insight_options for PaymentMethodNonce.create
Add FileIsEmpty error code
Eliminates usage of mutable objects for function parameters.

(adam)

Updated devel/py-guppy3, databases/py-redis

(adam)

py-redis: updated to 3.5.2

3.5.2:
* Tune the locking in ConnectionPool.get_connection so that the lock is
  not held while waiting for the socket to establish and validate the
  TCP connection.

(adam)

py-guppy3: updated to 3.0.10.1

3.0.10:
* Skip modules that don't have __dict__ attributes
* Replace a few instances of ZeroDivisionError with inspect.currentframe()

(adam)

removed tclticker

(rillig)

finance/tclticker: remove the package

This package got its stock quotes from web sites that were active around
2000 and that no longer exist.  It had not resolved the PREFIX
placeholder, which meant it could not even ask the web sites for the
quotes.  Therefore chances are high that this package is not used by
anyone.

(rillig)

doc: Updated pkgtools/createbuildlink to 3.18

(rillig)

pkgtools/createbuildlink: remove unused placeholder

(rillig)

pkgtools/createbuildlink: use SUBST instead of ad-hoc sed

This allows to show the actual changes by setting SUBST_SHOW_DIFF=yes,
and with SUBST_NOOP_OK=no it also demonstrates that no substitutions are
needed for substplistbasedirs.

Another thing this demonstrates is this wrong patch:

-echo >>$sedrules "s|@@PKGVERSION@@|@PKGVERSION@|g"
+echo >>$sedrules "s|@3.17@|3.17|g"

(rillig)

devel/acr: fix forgotten placeholders

(rillig)

Updated multimedia/libdvdread, sysutils/py-crontab, devel/py-more-itertools, www/py-hstspreload

(adam)

py-hstspreload: updated to 2020.5.16

2020.5.16:
Sync with Chromium repository.

(adam)

py-more-itertools: updated to 8.3.0

8.3.0

* New itertools
    * :func:`zip_equal`

* Changes to existing itertools:
    * :func:`split_at`, :func:`split_before`, :func:`split_after`, and :func:`split_when` all got a ``maxsplit`` paramter
    * :func:`split_at` now accepts a ``keep_separator`` parameter
    * :func:`distinct_permutations` can now generate ``r``-length permutations
    * The :func:`windowed` implementation was improved
    * The :func:`spy` implementation was improved

* Other changes
    * Type stubs are now tested with ``stubtest``
    * Tests now run with ``python -m unittest`` instead of ``python setup.py test``

(adam)

py-crontab: updated to 2.5.0

2.5.0:
Unknown changes

(adam)

libdvdread: updated to 6.1.1

libdvdread (6.1.1)
* Fix the soversion following ABI breakage

(adam)

doc: Updated audio/fasttracker2 to 1.24

(fox)

audio/fasttracker2: Updates to v1.24

Changes since v1.23

v1.24 - 13.05.2020
- Fixed a bug with saving looping 16-bit samples as .RAW/.IFF/.WAV. Two sample
  points somewhere in the waveform would be set to wrong values.
- Linux: Fixed the mouse not working with KMSDRM (hopefully)

(fox)

Drop unused but conflicting prototype.

(joerg)

Needs gs at runtime. Bump revision.

(joerg)

boost::placeholders fallout

(joerg)

Needs itstool

(joerg)

Needs pkg-config

(joerg)

Resolve conflict with C++17 <version>

(joerg)

Allow building formulas with current ghostscript. Bump revision.

(joerg)

Use explicit encoding in setup.py for unicode source.

(joerg)

doc: Updated net/sayaka to 3.4.5

(tsutsui)

sayaka: update to 3.4.5.

Upstream changes:

* 3.4.5 (2020/05/15)
- re-implement judgements of displaying tweets to avoid tweets from
  following to non-following users in some case
- fix ng word judgements missed in some case
- implement '--record-all' option

(tsutsui)

pkg_create -U doesn't do anything, don't pass the flag.

(maya)

postgresql10-server: fix PLIST

(adam)

postgresql11-server: fix PLIST

(adam)

postgresql12-client: fix PLIST

(adam)

fio: add linux-specific plist items.

the makefile logic seems to build this only on linux.
Reported by Joern Clausen in PR pkg/55267

(maya)

doc: Added audio/strawberry version 0.6.10

(nia)

audio: Add strawberry.

Strawberry is a music player and music collection organizer. It is a fork
of Clementine, aimed at music collectors and audiophiles. It's written in
C++ using the Qt 5 toolkit.

(nia)

doc: Updated mail/alpine to 2.22

(bsiegert)

Update alpine to 2.22.

Additions include:

  * Support for XOAUTH2 authentication method in Gmail.
  * PC-Alpine builds with LibreSSL and supports S/MIME.
  * NTLM authentication support with the ntlm library, in Unix systems. Based
    on code provided by Maciej W. Rozycki.
  * Add /tls1_3 flag for servers that support it. Read more information in the
    secure protocols help.
  * To increase user's privacy, remove phone-home code that would prompt users
    to send an email message upon starting Alpine for the first time for
    purposes of counting. Your use of Alpine does not disclose information
    about you or your use of Alpine to the developers of Alpine.
  * New variable encryption-protocol-range that allows users to configure
    versions of the SSL/TLS protocol that Alpine is restricted to try when
    establishing a secure connection SSL/TLS to a remote server. The default
    can be set at compilation time.
  * Add -dict option to PC-Pico, which allows users to choose a dictionary when
    spelling. Sample usage: -dict "en_US, de_DE, fr_FR".
  * Improvements to the configure stage of compilation. Some of these
    contributed by Helmut Grohne. See Bug 876164 in Debian.
  * Add "remove password" command to the management screen for the password
    file encryption key. This allows users to use their password file without
    entering a master password.
  * Add the "g" option to the select command that works in IMAP servers that
    implement the X-GM-EXT-1 capability (such as the one offered by Gmail.)
    This allows users to do selection in Alpine as if they were doing a search
    in the web interface for Gmail.
  * New variable close-connection-timeout, which tells Alpine to close a
    connection that is having problems being kept alive after the number of
    seconds configured in this variable, if the connection has not recovered.
    The default is 0, which means to keep the connection alive and wait for the
    connection to recover.
  * When a message is of type multipart/mixed, and its first part is multipart/
    signed, Alpine will include the text of the original message in a reply
    message, instead of including a multipart attachment. Suggested by Barry
    Landy.
  * S/MIME: Some clients do not transform messages to canonical form when
    signing first and encrypting second, which makes Alpine fail to parse the
    signed data after encryption. Reported by Holger Trapp.
  * Add /auth=XYZ to the way to define a server. This allows users to select
    the method to authenticate to an IMAP, SMTP or POP3 server. Examples are /
    auth=plain, or /auth=gssapi, etc.
  * Add backward search in the index screen. Based on patch by Astyanax Foo,
    submitted in 2009, but resubmitted by Erich Eckner on 2019.
  * SMIME: When Alpine is set to validate a message using the user's store, and
    user agrees to save a certificate of another user, use the saved
    certificate immediately to verify the smime message. Reported by Stefan
    Mueller.
  * Do not use a delay when printing messages to screen when the initial
    keystroke sequence of commands is active. Based on a report from Holger
    Trapp.
  * In PC-Alpine, when the decoded name of an attachment does not agree with
    its encoded name, Alpine will offer to save the file using the UTF8 encoded
    name.

Bugs that have been addressed include:

  * Width of characters is not always determined correctly when wcwidth is
    used. Revert to using code for the Windows operating system. Reported by
    Andrew Ho.
  * The call realpath(..., NULL) gives an error in Solaris, which means that we
    need to allocate memory for storing the resolved path. Reported by Fabian
    Schmidt.
  * Crash when attempting to bounce a message due to lack of space in allocated
    space for key menu array. Reported by David Sewell.
  * Crash when a CA certificate failed to load, and user attempted to view
    certificate information of other certificate authorities.
  * Crash in the S/MIME configuration screen when a user turned off S/MIME, and
    then re-enabled it. Also crash when attempting to enter the S/MIME
    configuration screen if S/MIME was turned off.
  * Deactivate some color code from Pico (as standalone editor in the windows
    version) until I find a way to activate it again. This is not critical and
    it is not something that PC-Pico must have (some of it already exists in
    other ways, like color support, what does not exist is the more complex
    code that Unix-Pico has with color codes for specific colors.)
  * When a message is multipart, and the first part is flowed text, then
    forwarding the message will set the first part to be flowed, and sent that
    way even when the option Do Not Send Flowed Text is enabled. Reported by
    Holger Trapp.
  * When a message/rfc822 part of a message is encoded with
    Content-Transfer-Encoding: QUOTED-PRINTABLE, Alpine will stop processing
    that message. Later this causes Alpine to crash because when it displays
    messages, it assumes that both header and body parts are processed.
    Reported by Mark Crispin in 2010, in the Alpine-info list (message with
    subject "crash bug in alpine/mailpart.c:format_msg_att()") with no example,
    and reported now by Holger Trapp, with an example.
  * In addition to the previous report, Alpine encodes message/rfc822 messages
    as QUOTED-PRINTABLE, in contradiction with RFC 2045, when it receives a
    report that its encoding is 8bit. We preserve the encoding reported by the
    IMAP server, and do not encode in QUOTED-PRINTABLE.
  * Update build.bat file to add /DWINVER=0x0501 so that Alpine can build when
    using Visual Studio 2017. Fix contributed by Ulf-Dietrich Braunmann.
  * When the locale is not set up to UTF-8, alpine might determine the width of
    a character incorrectly. Reported by Alexandre Fedotov.
  * In some rare cases, when attachments are deleted before saving emails, the
    filenames will be displayed in RFC1522 representation, instead of in
    decoded form. Reported and patched by Wang Kang.
  * When colors are edited from the main setup configuration screen, some color
    settings are not updated until Alpine is restarted. Reported by Andrew
    Hill.
  * If the first part of a message is multipart/alternative, and the first part
    of this is also a multipart type, then Alpine might fail to select the
    first text part when replying to a message. Reported by Lucio Chiappetti.
  * TLS 1.2 works does not work if Alpine is compiled with openssl >= 1.1.0.
    Reported and patched by Kyle George.
  * If the directory where Alpine saves the certificates is empty, alpine would
    not create a self-signed certificate to encrypt the password file.
  * S/MIME: The list of public certificates is freed before it is reused when a
    signature fails to verify. This causes Alpine to crash. Patch submitted by
    Linus Torvalds.
  * S/MIME: A message could fail to verify its signature even if the
    certificate was saved when the message was open. Based on a report by David
    Woodhouse to the RedHat bugzilla system.
  * When there are time changes in the clock, Alpine might go to sleep for big
    amounts of time while displaying messages in the screen. Reset sleep time
    to 5 seconds in case it finds it needs to sleep more than 5 seconds or a
    negative amount of time.
  * Restore recognition of empty directories. It was deleted by mistake when
    added support for internationalization in folders. Based on a report by
    Michael Rutter.
  * Alpine stops parsing the mailcap file when it finds an invalid entry.
    Reported by Matt Roberds to the Debian bug system at https://
    bugs.debian.org/cgi-bin/bugreport.cgi?bug=886370.
  * Crash with error "Lock when already locked" when an attempt to check for
    new mail on a locked stream that is being used for a save operation.
    Reported by Carlos E.R.
  * Alpine removes trailing spaces from passwords, making a longin attempt
    fail. Reported by R. Lyons.
  * Alpine crashes when opening a remote imap folder and computing scores.
    Reported by Paul DeStefano.
  * When more than one server was given in the server-name configuration option
    of rldap servers, none of them worked. Reported by Robert Wolf.

(bsiegert)

Pullup tickets up to #6201

(bsiegert)

Pullup ticket #6201 - requested by nia
mail/mailman: security fix

Revisions pulled up:
- mail/mailman/Makefile                                        1.91
- mail/mailman/PLIST                                            1.29
- mail/mailman/distinfo                                        1.27

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Fri May 15 09:40:46 UTC 2020

  Modified Files:
  pkgsrc/mail/mailman: Makefile PLIST distinfo

  Log Message:
  mailman: Update to 2.1.33

  >From jcea via pkgsrc-wip

  2.1.33 (07-May-2020)

    Security

      - A content injection vulnerability via the private login page has been
        fixed.  (LP: #1877379)

  2.1.32 (05-May-2020)

    i18n

      Fixed a typo in the Spanish translation and uptated mailman.pot and
      the message catalog for 2.1.31 security fix.

  2.1.31 (05-May-2020)

    Security

      - A content injection vulnerability via the options login page has been
        discovered and reported by Vishal Singh. This is fixed.  (LP: #1873722)

    i18n

      - The Spanish translation has been updated by Omar Walid Llorente.

    Bug Fixes and other patches

      - Bounce recognition for a non-compliant Yahoo format is added.

      - Archiving workaround for non-ascii in string.lowercase in some Python
        packages is added.

  2.1.30 (13-Apr-2020)

    New Features

      - Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses
        list setting that can be used to apply dmarc_moderation_action to mail
        From: addresses listed or matching listed regexps.  This can be used
        to modify mail to addresses that don't accept external mail From:
        themselves.

      - There is a new MAX_LISTNAME_LENGTH setting.  The fix for LP: #1780874
        obtains a list of the names of all the all the lists in the installation
        in order to determine the maximum length of a legitimate list name.  It
        does this on every web access and on sites with a very large number of
        lists, this can have performance implications.  See the description in
        Defaults.py for more information.

      - Thanks to Ralf Jung there is now the ability to add text based captchas
        (aka textchas) to the listinfo subscribe form.  See the documentation
        for the new CAPTCHA setting in Defaults.py for how to enable this.  Also
        note that if you have custom listinfo.html templates, you will have to
        add a <mm-captcha-ui> tag to those templates to make this work.  This
        feature can be used in combination with or instead of the Google
        reCAPTCHA feature added in 2.1.26.

      - Thanks to Ralf Hildebrandt the web admin Membership Management section
        now has a feature to sync the list's membership with a list of email
        addresses as with the bin/sync_members command.

      - There is a new drop_cc list attribute set from DEFAULT_DROP_CC.  This
        controls the dropping of addresses from the Cc: header in delivered
        messages by the duplicate avoidance process.  (LP: #1845751)

      - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
        a second request to subscribe to a list when there is already a pending
        confirmation for that user.  This can be set to Yes to prevent
        mailbombing of a third party by repeatedly posting the subscribe form.
        (LP: #1859104)

    i18n

      - The Japanese translation has been updated by Yasuhito FUTATSUKI.

      - The German translation has been updated by Ludwig Reiter.

      - The Spanish translation has been updated by Omar Walid Llorente.

      - The Brazilian Portugese translation has been updated by Emerson de Mello.

    Bug Fixes and other patches

      - Fixed the confirm CGI to catch a rare TypeError on simultaneous
        confirmations of the same token.  (LP: #1785854)

      - Scrubbed application/octet-stream MIME parts will now be given a
        .bin extension instead of .obj.

      - Added bounce recognition for a non-compliant opensmtpd DSN with
        Action: error.  (LP: #1805137)

      - Corrected and augmented some security log messages.  (LP: #1810098)

      - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
        (LP: #1818205)

      - Leading/trailing spaces in provided email addresses for login to private
        archives and the user options page are now ignored.  (LP: #1818872)

      - Fixed the spelling of the --no-restart option for mailmanctl.

      - Fixed an issue where certain combinations of charset and invalid
        characters in a list's description could produce a List-ID header
        without angle brackets.  (LP: #1831321)

      - With the Postfix MTA and virtual domains, mappings for the site list
        -bounces and -request addresses in each virtual domain are now added
        to data/virtual-mailman (-owner was done in 2.1.24).  (LP: #1831777)

      - The paths.py module now extends sys.path with the result of
        site.getsitepackages() if available.  (LP: #1838866)

      - A bug causing a UnicodeDecodeError in preparing to send the confirmation
        request message to a new subscriber has been fixed.  (LP: #1851442)

      - The SimpleMatch heuristic bounce recognizer has been improved to not
        return most invalid email addresses.  (LP: #1859011)

(bsiegert)

Pullup ticket #6200 - requested by taca
lang/php72: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.298
- lang/php72/distinfo                                          1.55

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 14 14:26:59 UTC 2020

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php72: distinfo

  Log Message:
  lang/php72: update to 7.2.31

  Update php72 to 7.2.31 (PHP 7.2.31).

  14 May 2020, PHP 7.2.31

  - Core:
    . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
      (CVE-2019-11048) (cmb)
    . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
      files are not cleaned). (CVE-2019-11048) (cmb)

(bsiegert)

Pullup ticket #6199 - requested by taca
lang/php74: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.297
- lang/php74/distinfo                                          1.8

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 14 14:24:53 UTC 2020

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php74: distinfo

  Log Message:
  lang/php74: update to 7.4.6

  Update php74 to 7.4.6 (PHP 7.4.6).

  14 May 2020, PHP 7.4.6

  - Core:
    . Fixed bug #78434 (Generator yields no items after valid() call). (Nikita)
    . Fixed bug #79477 (casting object into array creates references). (Nikita)
    . Fixed bug #79514 (Memory leaks while including unexistent file). (cmb,
      Nikita)
    . Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
      (cmb)
    . Fixed bug #78784 (Unable to interact with files inside a VFS for Git
      repository). (cmb)
    . Fixed bug #78875 (Long variables cause OOM and temp files are not cleaned).
      (cmb) (CVE-2019-11048)
    . Fixed bug #78876 (Long variables cause OOM and temp files are not cleaned).
      (cmb) (CVE-2019-11048)

  - DOM:
    . Fixed bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
      (cmb)

  - EXIF:
    . Fixed bug #79336 (ext/exif/tests/bug79046.phpt fails on Big endian arch).
      (Nikita)

  - FCGI:
    . Fixed bug #79491 (Search for .user.ini extends up to root dir). (cmb)

  - MBString:
    . Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
      (Girgias)

  - OpenSSL:
    . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
      with <1s timeout). (Joe Cai)

  - PCRE:
    . Upgraded to PCRE2 10.34. (cmb)

  - Phar:
    . Fixed bug #79503 (Memory leak on duplicate metadata). (cmb)

  - SimpleXML:
    . Fixed bug #79528 (Different object of the same xml between 7.4.5 and
      7.4.4). (cmb)

  - SPL:
    . Fixed bug #69264 (__debugInfo() ignored while extending SPL classes). (cmb)
    . Fixed bug #67369 (ArrayObject serialization drops the iterator class).
      (Alex Dowad)

  - Standard:
    . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
      appended). (dinosaur)
    . Fixed bug #79447 (Serializing uninitialized typed properties with __sleep
      should not throw). (nicolas-grekas)

(bsiegert)

Pullup ticket #6197 - requested by nia
devel/SDL: security fix

Revisions pulled up:
- devel/SDL/Makefile                                            1.139
- devel/SDL/distinfo                                            1.83
- devel/SDL/patches/patch-src_video_SDL__bmp.c                  1.2

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Thu May 14 14:44:17 UTC 2020

  Modified Files:
  pkgsrc/devel/SDL: Makefile distinfo
  pkgsrc/devel/SDL/patches: patch-src_video_SDL__bmp.c

  Log Message:
  SDL: fix CVE-2019-13616

  bump PKGREVISION

(bsiegert)

Pullup ticket #6198 - requested by taca
lang/php73: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.296
- lang/php73/distinfo                                          1.22

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 14 14:23:08 UTC 2020

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php73: distinfo

  Log Message:
  lang/php73: update to 7.3.18

  Update php73 to 7.3.18 (PHP 7.3.18).

  14 May 2020, PHP 7.3.18

  - Core:
    . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
      (CVE-2019-11048) (cmb)
    . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
      files are not cleaned). (CVE-2019-11048) (cmb)
    . Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference
      on !CS constant). (Nikita)
    . Fixed bug #79477 (casting object into array creates references). (Nikita)
    . Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
      (cmb)
    . Fixed bug #78784 (Unable to interact with files inside a VFS for Git
      repository). (cmb)

  - DOM:
    . Fixed bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
      (cmb)

  - FCGI:
    . Fixed bug #79491 (Search for .user.ini extends up to root dir). (cmb)

  - MBString:
    . Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
      (Girgias)

  - OpenSSL:
    . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
      with <1s timeout). (Joe Cai)

  - Phar:
    . Fix bug #79503 (Memory leak on duplicate metadata). (cmb)

  - SimpleXML:
    . Fixed bug #79528 (Different object of the same xml between 7.4.5 and
      7.4.4). (cmb)

  - Standard:
    . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
      appended). (dinosaur)

(bsiegert)

doc: Updated net/tor to 0.4.3.5

(wiz)

tor: update to 0.4.3.5.

Changes in version 0.4.3.5 - 2020-05-15
  Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
  series adds support for building without relay code enabled, and
  implements functionality needed for OnionBalance with v3 onion
  services. It includes significant refactoring of our configuration and
  controller functionality, and fixes numerous smaller bugs and
  performance issues.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.3.x will be supported until around February 2021--later, if
  0.4.4.x is later than anticipated.

  Note also that support for 0.4.1.x is about to end on May 20 of this
  year; 0.4.2.x will be supported until September 15. We still plan to
  continue supporting 0.3.5.x, our long-term stable series, until
  Feb 2022.

  Below are the changes since 0.4.2.6. For a list of only the changes
  since 0.4.3.4-rc, see the ChangeLog file.

  o New system requirements:
    - When building Tor, you now need to have Python 3 in order to run
      the integration tests. (Python 2 is officially unsupported
      upstream, as of 1 Jan 2020.) Closes ticket 32608.

  o Major features (build system):
    - The relay code can now be disabled using the --disable-module-relay
      configure option. When this option is set, we also disable the
      dirauth module. Closes ticket 32123.
    - When Tor is compiled --disable-module-relay, we also omit the code
      used to act as a directory cache. Closes ticket 32487.

  o Major features (directory authority, ed25519):
    - Add support for banning a relay's ed25519 keys in the approved-
      routers file. This will help us migrate away from RSA keys in the
      future. Previously, only RSA keys could be banned in approved-
      routers. Resolves ticket 22029. Patch by Neel Chauhan.

  o Major features (onion services):
    - New control port commands to manage client-side onion service
      authorization credentials. The ONION_CLIENT_AUTH_ADD command adds
      a credential, ONION_CLIENT_AUTH_REMOVE deletes a credential, and
      ONION_CLIENT_AUTH_VIEW lists the credentials. Closes ticket 30381.
    - Introduce a new SocksPort flag, ExtendedErrors, to support more
      detailed error codes in information for applications that support
      them. Closes ticket 30382; implements proposal 304.

  o Major features (proxy):
    - In addition to its current supported proxy types (HTTP CONNECT,
      SOCKS4, and SOCKS5), Tor can now make its OR connections through a
      HAProxy server. A new torrc option was added to specify the
      address/port of the server: TCPProxy <protocol> <host>:<port>.
      Currently the only supported protocol for the option is haproxy.
      Closes ticket 31518. Patch done by Suphanat Chunhapanya (haxxpop).

  o Major bugfixes (security, denial-of-service):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Major bugfixes (DoS defenses, bridges, pluggable transport):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Major bugfixes (networking):
    - Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
      and accept strings as well as binary addresses. Fixes bug 32315;
      bugfix on 0.3.5.1-alpha.

  o Major bugfixes (onion service):
    - Report HS circuit failure back into the HS subsystem so we take
      appropriate action with regards to the client introduction point
      failure cache. This improves reachability of onion services, since
      now clients notice failing introduction circuits properly. Fixes
      bug 32020; bugfix on 0.3.2.1-alpha.

  o Minor feature (heartbeat, onion service):
    - Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
      message. Closes ticket 31371.

  o Minor feature (sendme, flow control):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (best practices tracker):
    - Practracker now supports a --regen-overbroad option to regenerate
      the exceptions file, but only to revise exceptions to be _less_
      tolerant of best-practices violations. Closes ticket 32372.

  o Minor features (configuration validation):
    - Configuration validation can now be done by per-module callbacks,
      rather than a global validation function. This will let us reduce
      the size of config.c and some of its more cumbersome functions.
      Closes ticket 31241.

  o Minor features (configuration):
    - If a configured hardware crypto accelerator in AccelName is
      prefixed with "!", Tor now exits when it cannot be found. Closes
      ticket 32406.
    - We now use flag-driven logic to warn about obsolete configuration
      fields, so that we can include their names. In 0.4.2, we used a
      special type, which prevented us from generating good warnings.
      Implements ticket 32404.

  o Minor features (configure, build system):
    - Output a list of enabled/disabled features at the end of the
      configure process in a pleasing way. Closes ticket 31373.

  o Minor features (continuous integration):
    - Run Doxygen Makefile target on Travis, so we can learn about
      regressions in our internal documentation. Closes ticket 32455.
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor features (controller):
    - Add stream isolation data to STREAM event. Closes ticket 19859.
    - Implement a new GETINFO command to fetch microdescriptor
      consensus. Closes ticket 31684.

  o Minor features (debugging, directory system):
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.

  o Minor features (defense in depth):
    - Add additional checks around tor_vasprintf() usage, in case the
      function returns an error. Patch by Tobias Stoeckmann. Fixes
      ticket 31147.

  o Minor features (developer tools):
    - Remove the 0.2.9.x series branches from git scripts (git-merge-
      forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
      Closes ticket 32772.
    - Add a check_cocci_parse.sh script that checks that new code is
      parseable by Coccinelle. Add an exceptions file for unparseable
      files, and run the script from travis CI. Closes ticket 31919.
    - Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
      target. Closes ticket 31919.
    - Add a rename_c_identifiers.py tool to rename a bunch of C
      identifiers at once, and generate a well-formed commit message
      describing the change. This should help with refactoring. Closes
      ticket 32237.
    - Add some scripts in "scripts/coccinelle" to invoke the Coccinelle
      semantic patching tool with the correct flags. These flags are
      fairly easy to forget, and these scripts should help us use
      Coccinelle more effectively in the future. Closes ticket 31705.

  o Minor features (diagnostic):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors from relays running
      Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
      still allowed. Resolves ticket 32672. Patch by Neel Chauhan.

  o Minor features (Doxygen):
    - Update Doxygen configuration file to a more recent template (from
      1.8.15). Closes ticket 32110.
    - "make doxygen" now works with out-of-tree builds. Closes
      ticket 32113.
    - Make sure that doxygen outputs documentation for all of our C
      files. Previously, some were missing @file declarations, causing
      them to be ignored. Closes ticket 32307.
    - Our "make doxygen" target now respects --enable-fatal-warnings by
      default, and does not warn about items that are missing
      documentation. To warn about missing documentation, run configure
      with the "--enable-missing-doc-warnings" flag: doing so suspends
      fatal warnings for doxygen. Closes ticket 32385.

  o Minor features (git scripts):
    - Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone
      customisation. Closes ticket 32347.
    - Add git-setup-dirs.sh, which sets up an upstream git repository
      and worktrees for tor maintainers. Closes ticket 29603.
    - Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra
      remote. Closes ticket 32347.
    - Call the check_cocci_parse.sh script from the git commit and push
      hooks. Closes ticket 31919.
    - Make git-push-all.sh skip unchanged branches when pushing to
      upstream. The script already skipped unchanged test branches.
      Closes ticket 32216.
    - Make git-setup-dirs.sh create a master symlink in the worktree
      directory. Closes ticket 32347.
    - Skip unmodified source files when doing some existing git hook
      checks. Related to ticket 31919.

  o Minor features (IPv6, client):
    - Make Tor clients tell dual-stack exits that they prefer IPv6
      connections. This change is equivalent to setting the PreferIPv6
      flag on SOCKSPorts (and most other listener ports). Tor Browser
      has been setting this flag for some time, and we want to remove a
      client distinguisher at exits. Closes ticket 32637.

  o Minor features (portability, android):
    - When building for Android, disable some tests that depend on $HOME
      and/or pwdb, which Android doesn't have. Closes ticket 32825.
      Patch from Hans-Christoph Steiner.

  o Minor features (relay modularity):
    - Split the relay and server pluggable transport config code into
      separate files in the relay module. Disable this code when the
      relay module is disabled. Closes part of ticket 32213.
    - When the relay module is disabled, reject attempts to set the
      ORPort, DirPort, DirCache, BridgeRelay, ExtORPort, or
      ServerTransport* options, rather than ignoring the values of these
      options. Closes part of ticket 32213.
    - When the relay module is disabled, change the default config so
      that DirCache is 0, and ClientOnly is 1. Closes ticket 32410.

  o Minor features (release tools):
    - Port our ChangeLog formatting and sorting tools to Python 3.
      Closes ticket 32704.

  o Minor features (testing):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.
    - Detect some common failure cases for test_parseconf.sh in
      src/test/conf_failures. Closes ticket 32451.
    - Allow test_parseconf.sh to test expected log outputs for successful
      configs, as well as failed configs. Closes ticket 32451.
    - The test_parseconf.sh script now supports result variants for any
      combination of the optional libraries lzma, nss, and zstd. Closes
      ticket 32397.
    - When running the unit tests on Android, create temporary files in
      a subdirectory of /data/local/tmp. Closes ticket 32172. Based on a
      patch from Hans-Christoph Steiner.

  o Minor features (usability):
    - Include more information when failing to parse a configuration
      value. This should make it easier to tell what's going wrong when
      a configuration file doesn't parse. Closes ticket 33460.

  o Minor bugfix (relay, configuration):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (bridges):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (build system):
    - Fix "make autostyle" for out-of-tree builds. Fixes bug 32370;
      bugfix on 0.4.1.2-alpha.

  o Minor bugfixes (compiler compatibility):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (configuration handling):
    - Make control_event_conf_changed() take in a config_line_t instead
      of a smartlist of alternating key/value entries. Fixes bug 31531;
      bugfix on 0.2.3.3-alpha. Patch by Neel Chauhan.
    - Check for multiplication overflow when parsing memory units inside
      configuration. Fixes bug 30920; bugfix on 0.0.9rc1.
    - When dumping the configuration, stop adding a trailing space after
      the option name when there is no option value. This issue only
      affects options that accept an empty value or list. (Most options
      reject empty values, or delete the entire line from the dumped
      options.) Fixes bug 32352; bugfix on 0.0.9pre6.
    - Avoid changing the user's value of HardwareAccel as stored by
      SAVECONF, when AccelName is set but HardwareAccel is not. Fixes
      bug 32382; bugfix on 0.2.2.1-alpha.
    - When creating a KeyDirectory with the same location as the
      DataDirectory (not recommended), respect the DataDirectory's
      group-readable setting if one has not been set for the
      KeyDirectory. Fixes bug 27992; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (continuous integration):
    - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (controller protocol):
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (controller):
    - In routerstatus_has_changed(), check all the fields that are
      output over the control port. Fixes bug 20218; bugfix
      on 0.1.1.11-alpha.

  o Minor bugfixes (developer tools):
    - Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug
      31336; bugfix on 0.4.1.2-alpha.

  o Minor bugfixes (dirauth module):
    - Split the dirauth config code into a separate file in the dirauth
      module. Disable this code when the dirauth module is disabled.
      Closes ticket 32213.
    - When the dirauth module is disabled, reject attempts to set the
      AuthoritativeDir option, rather than ignoring the value of the
      option. Fixes bug 32213; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (embedded Tor):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (git scripts):
    - Avoid sleeping before the last push in git-push-all.sh. Closes
      ticket 32216.
    - Forward all unrecognised arguments in git-push-all.sh to git push.
      Closes ticket 32216.

  o Minor bugfixes (key portability):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging):
    - Stop truncating IPv6 addresses and ports in channel and connection
      logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.
    - Stop closing stderr and stdout during shutdown. Closing these file
      descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
      on 0.4.1.6.
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.
    - When logging a bug, do not say "Future instances of this warning
      will be silenced" unless we are actually going to silence them.
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (onion services v2):
    - Move a series of v2 onion service warnings to protocol-warning
      level because they can all be triggered remotely by a malformed
      request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.
    - When sending the INTRO cell for a v2 Onion Service, look at the
      failure cache alongside timeout values to check if the intro point
      is marked as failed. Previously, we only looked at the relay
      timeout values. Fixes bug 25568; bugfix on 0.2.7.3-rc. Patch by
      Neel Chauhan.

  o Minor bugfixes (onion services v3):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.
    - Relax severity of a log message that can appear naturally when
      decoding onion service descriptors as a relay. Also add some
      diagnostics to debug any future bugs in that area. Fixes bug
      31669; bugfix on 0.3.0.1-alpha.
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.
    - Properly handle the client rendezvous circuit timeout. Previously
      Tor would sometimes timeout a rendezvous circuit awaiting the
      introduction ACK, and find itself unable to re-establish all
      circuits because the rendezvous circuit timed out too early. Fixes
      bug 32021; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion services):
    - Do not rely on a "circuit established" flag for intro circuits but
      instead always query the HS circuit map. This is to avoid sync
      issue with that flag and the map. Fixes bug 32094; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services, all):
    - In cancel_descriptor_fetches(), use
      connection_list_by_type_purpose() instead of
      connection_list_by_type_state(). Fixes bug 32639; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (pluggable transports):
    - When receiving a message on standard error from a pluggable
      transport, log it at info level, rather than as a warning. Fixes
      bug 33005; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (rust, build):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (scripts):
    - Fix update_versions.py for out-of-tree builds. Fixes bug 32371;
      bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Use the same code to find the tor binary in all of our test
      scripts. This change makes sure we are always using the coverage
      binary when coverage is enabled. Fixes bug 32368; bugfix
      on 0.2.7.3-rc.
    - Stop ignoring "tor --dump-config" errors in test_parseconf.sh.
      Fixes bug 32468; bugfix on 0.4.2.1-alpha.
    - Our option-validation tests no longer depend on specially
      configured non-default, non-passing sets of options. Previously,
      the tests had been written to assume that options would _not_ be
      set to their defaults, which led to needless complexity and
      verbosity. Fixes bug 32175; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (TLS bug handling):
    - When encountering a bug in buf_read_from_tls(), return a "MISC"
      error code rather than "WANTWRITE". This change might help avoid
      some CPU-wasting loops if the bug is ever triggered. Bug reported
      by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.

  o Deprecated features:
    - Deprecate the ClientAutoIPv6ORPort option. This option was not
      true "Happy Eyeballs", and often failed on connections that
      weren't reliably dual-stack. Closes ticket 32942. Patch by
      Neel Chauhan.

  o Documentation:
    - Provide a quickstart guide for a Circuit Padding Framework, and
      documentation for researchers to implement and study circuit
      padding machines. Closes ticket 28804.
    - Add documentation in 'HelpfulTools.md' to describe how to build a
      tag file. Closes ticket 32779.
    - Create a high-level description of the long-term software
      architecture goals. Closes ticket 32206.
    - Describe the --dump-config command in the manual page. Closes
      ticket 32467.
    - Unite coding advice from this_not_that.md in torguts repo into our
      coding standards document. Resolves ticket 31853.

  o Removed features:
    - Our Doxygen configuration no longer generates LaTeX output. The
      reference manual produced by doing this was over 4000 pages long,
      and generally unusable. Closes ticket 32099.
    - The option "TestingEstimatedDescriptorPropagationTime" is now
      marked as obsolete. It has had no effect since 0.3.0.7, when
      clients stopped rejecting consensuses "from the future". Closes
      ticket 32807.
    - We no longer support consensus methods before method 28; these
      methods were only used by authorities running versions of Tor that
      are now at end-of-life. In effect, this means that clients,
      relays, and authorities now assume that authorities will be
      running version 0.3.5.x or later. Closes ticket 32695.

  o Testing:
    - Avoid conflicts between the fake sockets in tor's unit tests, and
      real file descriptors. Resolves issues running unit tests with
      GitHub Actions, where the process that embeds or launches the
      tests has already opened a large number of file descriptors. Fixes
      bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
      Putta Khunchalee.
    - Add more test cases for tor's UTF-8 validation function. Also,
      check the arguments passed to the function for consistency. Closes
      ticket 32845.
    - Improve test coverage for relay and dirauth config code, focusing
      on option validation and normalization. Closes ticket 32213.
    - Improve the consistency of test_parseconf.sh output, and run all
      the tests, even if one fails. Closes ticket 32213.
    - Run the practracker unit tests in the pre-commit git hook. Closes
      ticket 32609.

  o Code simplification and refactoring (channel):
    - Channel layer had a variable length cell handler that was not used
      and thus removed. Closes ticket 32892.

  o Code simplification and refactoring (configuration):
    - Immutability is now implemented as a flag on individual
      configuration options rather than as part of the option-transition
      checking code. Closes ticket 32344.
    - Instead of keeping a list of configuration options to check for
      relative paths, check all the options whose type is "FILENAME".
      Solves part of ticket 32339.
    - Our default log (which ordinarily sends NOTICE-level messages to
      standard output) is now handled in a more logical manner.
      Previously, we replaced the configured log options if they were
      empty. Now, we interpret an empty set of log options as meaning
      "use the default log". Closes ticket 31999.
    - Remove some unused arguments from the options_validate() function,
      to simplify our code and tests. Closes ticket 32187.
    - Simplify the options_validate() code so that it looks at the
      default options directly, rather than taking default options as an
      argument. This change lets us simplify its interface. Closes
      ticket 32185.
    - Use our new configuration architecture to move most authority-
      related options to the directory authority module. Closes
      ticket 32806.
    - When parsing the command line, handle options that determine our
      "quiet level" and our mode of operation (e.g., --dump-config and
      so on) all in one table. Closes ticket 32003.

  o Code simplification and refactoring (controller):
    - Create a new abstraction for formatting control protocol reply
      lines based on key-value pairs. Refactor some existing control
      protocol code to take advantage of this. Closes ticket 30984.
    - Create a helper function that can fetch network status or
      microdesc consensuses. Closes ticket 31684.

  o Code simplification and refactoring (dirauth modularization):
    - Remove the last remaining HAVE_MODULE_DIRAUTH inside a function.
      Closes ticket 32163.
    - Replace some confusing identifiers in process_descs.c. Closes
      ticket 29826.
    - Simplify some relay and dirauth config code. Closes ticket 32213.

  o Code simplification and refactoring (mainloop):
    - Simplify the ip_address_changed() function by removing redundant
      checks. Closes ticket 33091.

  o Code simplification and refactoring (misc):
    - Make all the structs we declare follow the same naming convention
      of ending with "_t". Closes ticket 32415.
    - Move and rename some configuration-related code for clarity.
      Closes ticket 32304.
    - Our include.am files are now broken up by subdirectory.
      Previously, src/core/include.am covered all of the subdirectories
      in "core", "feature", and "app". Closes ticket 32137.
    - Remove underused NS*() macros from test code: they make our tests
      more confusing, especially for code-formatting tools. Closes
      ticket 32887.

  o Code simplification and refactoring (relay modularization):
    - Disable relay_periodic when the relay module is disabled. Closes
      ticket 32244.
    - Disable relay_sys when the relay module is disabled. Closes
      ticket 32245.

  o Code simplification and refactoring (tool support):
    - Add numerous missing dependencies to our include files, so that
      they can be included in different reasonable orders and still
      compile. Addresses part of ticket 32764.
    - Fix some parts of our code that were difficult for Coccinelle to
      parse. Related to ticket 31705.
    - Fix some small issues in our code that prevented automatic
      formatting tools from working. Addresses part of ticket 32764.

  o Documentation (manpage):
    - Alphabetize the Server and Directory server sections of the tor
      manpage. Also split Statistics options into their own section of
      the manpage. Closes ticket 33188. Work by Swati Thacker as part of
      Google Season of Docs.
    - Document the __OwningControllerProcess torrc option and specify
      its polling interval. Resolves issue 32971.
    - Split "Circuit Timeout" options and "Node Selection" options into
      their own sections of the tor manpage. Closes tickets 32928 and
      32929. Work by Swati Thacker as part of Google Season of Docs.
    - Alphabetize the Client Options section of the tor manpage. Closes
      ticket 32846.
    - Alphabetize the General Options section of the tor manpage. Closes
      ticket 32708.
    - In the tor(1) manpage, reword and improve formatting of the
      COMMAND-LINE OPTIONS and DESCRIPTION sections. Closes ticket
      32277. Based on work by Swati Thacker as part of Google Season
      of Docs.
    - In the tor(1) manpage, reword and improve formatting of the FILES,
      SEE ALSO, and BUGS sections. Closes ticket 32176. Based on work by
      Swati Thacker as part of Google Season of Docs.

  o Testing (Appveyor CI):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.

  o Testing (circuit, EWMA):
    - Add unit tests for circuitmux and EWMA subsystems. Closes
      ticket 32196.

  o Testing (Travis CI):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.

(wiz)

Pullup ticket #6196 - requested by nia
security/cyrus-sasl: security fix

Revisions pulled up:
- security/cyrus-sasl/Makefile                                  1.77
- security/cyrus-sasl/distinfo                                  1.38
- security/cyrus-sasl/patches/patch-CVE-2019-19906              1.1

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Thu May 14 14:27:32 UTC 2020

  Modified Files:
  pkgsrc/security/cyrus-sasl: Makefile distinfo
  Added Files:
  pkgsrc/security/cyrus-sasl/patches: patch-CVE-2019-19906

  Log Message:
  cyrus-sasl: Fix CVE-2019-19906

(bsiegert)

Pullup ticket #6195 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav/Makefile                                      1.64-1.65
- security/clamav/Makefile.common                              1.16
- security/clamav/distinfo                                      1.33

---
  Module Name: pkgsrc
  Committed By: adam
  Date: Wed May  6 14:05:09 UTC 2020

  Modified Files:
  pkgsrc/security/clamav: Makefile

  Log Message:
  revbump after boost update

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Wed May 13 14:58:58 UTC 2020

  Modified Files:
  pkgsrc/security/clamav: Makefile Makefile.common distinfo

  Log Message:
  security/clamav: update to 0.102.3

  Update clamav to 0.102.3.

  ## 0.102.3

  ClamAV 0.102.3 is a bug patch release to address the following issues.

  - [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
    Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
    could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
    an unsigned variable results in an out-of-bounds read which causes a crash.

    Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
    parsing vulnerability.

  - [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
    Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
    could cause a Denial-of-Service (DoS) condition. Improper size checking of
    a buffer used to initialize AES decryption routines results in an out-of-
    bounds read which may cause a crash. Bug found by OSS-Fuzz.

  - Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

(bsiegert)

eureka: Avoid sys/time.h SEC pollution.

Remove BROKEN_ON_PLATFORM for SunOS.

(jperkin)

games/doomlegacy: Broken on SunOS

(micha)

doc: Updated net/syncthing to 1.5.0

(triaxx)

syncthing: update to 1.5.0

upstream changes:
-----------------
v1.5.0

This release changes the default location for the index database under
some circumstances. Two new flags can also be used to affect the
location of the configuration (-config) and database (-data)
separately. The old -home flag is equivalent to setting both of these
to the same directory. When no flags are given the following logic is
used to determine the data location:

    If a database exists in the old default location, that location is
    still used. This means existing installations are not affected by this
    change.
    If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.
    If ~/.local/share/syncthing exists, use that location.
    Use the old default location.

This logic is used on non-Windows, non-Mac platforms only. On Windows
and Mac the logic is unchanged.

Bugfixes:

    #3808: gui: Number of days must be number flashes red then disappears
    #5809: stdiscosrv failed to load keypair without proper error message
    #6410: Wrong 30-days-interval in staggered versioning
    #6430: Incorrect out-of-sync/locally changed status indication on folders
    #6436: Revert Local Changes red button does not work correctly
    #6440: Doesn't run monitor process when started with STNORESTART=1
    #6450: LDAP auth doesn't handle LDAPS with certificate validation
    #6487: Scan problem within single unignored subdirectory prevents bidirectional sync

Enhancements:

    #4924: Move index db to $XDG_DATA_HOME/syncthing/
    #5376: Improve LDAP authentication
    #6384: Do auto upgrades early and synchronously on startup
    #6416: Improve device status for "unused" devices
    #6432: Deleted file that existed locally only reported as locally changed
    #6437: Don't start browser when restarting after upgrade

Other issues:

    #6471: Windows exe isn't properly version tagged

(triaxx)

doc: Updated parallel/paexec to 1.1.3

(cheusov)

Update to 1.1.3:

  Fix use of uninitialized array.
  As a rsult paexec generates incorrect shell command to run
  on nodes. Seen with "clang-7.0.1" with -O2 and -D_FORTIFY_SOURCE=2

  Add one line description to projects.
  So, one can run "mkcmake help"

(cheusov)

graphics/GraphicsMagick: remove unknown configure option

(rillig)

cross/nios2: skip check for unknown configure script and portability

(rillig)

doc: Removed sysutils/gnometoaster

(nia)