guile22: include bugticket in patch

(nikita)

doc: Updated devel/guile-git to 0.3.0

(nikita)

devel/guile-git: Update to 0.3.0

Changelog:

* Changes in 0.3.0 (since 0.2.0)

** New Functionality

*** Add new (git tag) procedures

Four new procedures were added to (git tag) related to creating tags
in a git repository.

~tag-create~ and ~tag-create!~ are used to create what is known as
"annotated" tags in git which contain a creation date, creator's
signature, and a message. The ~tag-create!~ procedure can replace
existing references with the same name.

~tag-create-lightweight~ and ~tag-create-lightweight!~ are used to
create lightweight tags in git which just create a reference that
points directly to a git object.

*** Add (git signature) module

The (git signature) module adds three new procedures related to
signatures. Signatures are objects which identify a name, email, and
time that are found on many git objects. You would need to create a
signature if you want to use the ~tag-create~ procedure mentioned
above.

~signature-default~ creates a signature by looking up the ~user.name~
and ~user.email~ from the repository's configuration. It also uses the
current time.

~signature-new~ creates a signature with the passed in name, email,
time and timezone offset.

~signature-now~ creates a signature with the passed in name and
email. The time will use the current time.

*** Add (git describe) module

The (git describe) module adds several new procedures used to create
human readable names for objects based on an available references.

*** Support for Guile 3.0

Upgrade the configure script to be able to find Guile 3.0.

*** Add accessor and setter for the download tags of ~fetch-options~

The (git structs) module has added ~fetch-options-download-tags~ and
~set-fetch-options-download-tags!~ procedures for accessing and
setting the download tags field of ~fetch-options~. This field
determines the tag download policy when fetching from a remote.

*** Add ~CREDTYPE-*~ variables

(git cred) module has added several new variables which are used to
represent a bitmask for the supported credential types.

*** Add ssh authentication support

Add ssh auth support to ~clone~ and ~remote-fetch~ procedures with an
authentication method from the new module (git auth).

*** Add (git blob) module

(git blob) module adds several procedures for accessing and
interacting with blobs.

** Changes

*** ~repository-state~ return a symbols instead of an int

The ~repository-state~ procedure used to return an integer to
represent a state like none, merge, revert. It now returns the
following symbols based on the state of the repository

    - ~repository-state/none~
    - ~repository-state/merge~
    - ~repository-state/revert~
    - ~repository-state/revert-sequence~
    - ~repository-state/cherrypick~
    - ~repository-state/cherrypick-sequence~
    - ~repository-state/bisect~
    - ~repository-state/rebase~
    - ~repository-state/rebase-interactive~
    - ~repository-state/rebase-merge~
    - ~repository-state/apply-mailbox~
    - ~repository-state/apply-mailbox-or-rebase~

*** Rename ~foo-init-options~ procedures to be more idiomatic

Several procedures named like ~foo-init-options~ were renamed to be
more idiomatic like ~make-foo-options~. The previous functions are
deprecated and will be removed in a future version of Guile Git. The
functions renamed are:

    - ~clone-init-options~ renamed to ~make-clone-options~
    - ~fetch-init-options~ renamed to ~make-fetch-options~
    - ~status-init-options~ renamed to ~make-status-options~

(nikita)

doc: Updated devel/SDL to 1.2.15nb31

(nia)

SDL: fix CVE-2019-13616

bump PKGREVISION

(nia)

cyrus-sasl: Resolve some pkglint warnings

(nia)

security/gnutls: revbump, add support for building guile bindings

(nikita)

lang/guile22: crude but working patch to make target-vendor check conforming

(nikita)

doc: Updated security/cyrus-sasl to 2.1.27nb1

(nia)

doc: Updated lang/php72 to 7.2.31

(taca)

cyrus-sasl: Fix CVE-2019-19906

(nia)

lang/php72: update to 7.2.31

Update php72 to 7.2.31 (PHP 7.2.31).

14 May 2020, PHP 7.2.31

- Core:
  . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
    (CVE-2019-11048) (cmb)
  . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
    files are not cleaned). (CVE-2019-11048) (cmb)

(taca)

doc: Updated lang/php74 to 7.4.6

(taca)

lang/php74: update to 7.4.6

Update php74 to 7.4.6 (PHP 7.4.6).

14 May 2020, PHP 7.4.6

- Core:
  . Fixed bug #78434 (Generator yields no items after valid() call). (Nikita)
  . Fixed bug #79477 (casting object into array creates references). (Nikita)
  . Fixed bug #79514 (Memory leaks while including unexistent file). (cmb,
    Nikita)
  . Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
    (cmb)
  . Fixed bug #78784 (Unable to interact with files inside a VFS for Git
    repository). (cmb)
  . Fixed bug #78875 (Long variables cause OOM and temp files are not cleaned).
    (cmb) (CVE-2019-11048)
  . Fixed bug #78876 (Long variables cause OOM and temp files are not cleaned).
    (cmb) (CVE-2019-11048)

- DOM:
  . Fixed bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
    (cmb)

- EXIF:
  . Fixed bug #79336 (ext/exif/tests/bug79046.phpt fails on Big endian arch).
    (Nikita)

- FCGI:
  . Fixed bug #79491 (Search for .user.ini extends up to root dir). (cmb)

- MBString:
  . Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
    (Girgias)

- OpenSSL:
  . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
    with <1s timeout). (Joe Cai)

- PCRE:
  . Upgraded to PCRE2 10.34. (cmb)

- Phar:
  . Fixed bug #79503 (Memory leak on duplicate metadata). (cmb)

- SimpleXML:
  . Fixed bug #79528 (Different object of the same xml between 7.4.5 and
    7.4.4). (cmb)

- SPL:
  . Fixed bug #69264 (__debugInfo() ignored while extending SPL classes). (cmb)
  . Fixed bug #67369 (ArrayObject serialization drops the iterator class).
    (Alex Dowad)

- Standard:
  . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
    appended). (dinosaur)
  . Fixed bug #79447 (Serializing uninitialized typed properties with __sleep
    should not throw). (nicolas-grekas)

(taca)

doc: Updated lang/php73 to 7.3.18

(taca)

lang/php73: update to 7.3.18

Update php73 to 7.3.18 (PHP 7.3.18).

14 May 2020, PHP 7.3.18

- Core:
  . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
    (CVE-2019-11048) (cmb)
  . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
    files are not cleaned). (CVE-2019-11048) (cmb)
  . Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference
    on !CS constant). (Nikita)
  . Fixed bug #79477 (casting object into array creates references). (Nikita)
  . Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
    (cmb)
  . Fixed bug #78784 (Unable to interact with files inside a VFS for Git
    repository). (cmb)

- DOM:
  . Fixed bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
    (cmb)

- FCGI:
  . Fixed bug #79491 (Search for .user.ini extends up to root dir). (cmb)

- MBString:
  . Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
    (Girgias)

- OpenSSL:
  . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
    with <1s timeout). (Joe Cai)

- Phar:
  . Fix bug #79503 (Memory leak on duplicate metadata). (cmb)

- SimpleXML:
  . Fixed bug #79528 (Different object of the same xml between 7.4.5 and
    7.4.4). (cmb)

- Standard:
  . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
    appended). (dinosaur)

(taca)

thunderbird: Sync DESCR with reality.

Thunderbird is no longer Mozilla-branded. It no longer uses gtk2.

Future versions of Thunderbird will not have ESR releases because
every Thunderbird release is now an ESR release.

(nia)

star: Fix typo in comment.

(wiz)

(devel/p5-Devel-CallParser) Fix build. Add DEPENDS+= p5-DynaLoader-Functions-[0-9]*

(mef)

(cad/openscad) fix build with boost 1.73. PKGREVISION++ ? (not yet)

(mef)

doc: Updated mail/thunderbird-l10n to 68.8.0

(ryoon)

thunderbird-l10n: Update to 68.8.0

Sync with mail/thunderbird-68.8.0.

(ryoon)

doc: Updated mail/thunderbird to 68.8.0

(ryoon)

thunderbird: Update to 68.8.0

Changelog:
Fixes
Account Manager: text fields were too small in some cases
Account Manager: Authentication method did not update when selecting an SMTP server
Links with embedded credentials did not open on Windows
Messages were sometimes sent with a badly formed address when filled from the address book
Accessibility: Screen readers were reporting too many activities from the status bar
MailExtensions: Setting IMAP messages as read with browser.messages.updated failed to persist
Various security fixes

Security fixes:
#CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0

(ryoon)

doc: Update archivers/star to 1.6.1nb7

(micha)

archivers/star: Fix man page handling for different operating systems

- Check which systems need and support processing tables with tbl
  The default case matches for NetBSD (no processing)
- Man pages are installed into native OS sections
  PLIST must match this logic (use variables)

(micha)

add go-ffuf

(nikita)

Add www/go-ffuf Version 1.0.2

Fast web fuzzer written in Go.

(nikita)

archivers/star: Workaround for man page handling

tbl of NetBSD 9 does not work.
Install man pages with unprocessed tables as workaround.

(micha)

Updated lang/mozjs60 to 60.8.0nb5
Updated lang/mozjs68 to 68.6.0nb2

(rin)

PR pkg/55255

Fix build for NetBSD/arm in the same manner as lang/mozjs60.
Bump revision.

(rin)

PR pkg/55255

Fix build for NetBSD/arm. Bump revision.

Tested by jun@. Thanks!

(rin)

Updated misc/py-immutables, www/py-w3lib

(adam)

py-w3lib: updated to 1.22.0

1.22.0:
- Python 3.4 is no longer supported
- :func:`w3lib.url.safe_url_string` now supports an optional ``quote_path``
  parameter to disable the percent-encoding of the URL path
- :func:`w3lib.url.add_or_replace_parameter` and
  :func:`w3lib.url.add_or_replace_parameters` no longer remove duplicate
  parameters from the original query string that are not being added or
  replaced
- :func:`w3lib.html.remove_tags` now raises a :exc:`ValueError` exception
  instead of :exc:`AssertionError` when using both the ``which_ones`` and the
  ``keep`` parameters
- Test improvements
- Documentation improvements
- Code cleanup

(adam)

py-immutables: updated to 0.13

v0.13:
Bugfixes
Various improvements w.r.t. type annotations & typing
Fix pure-Python implementation to accept keyword argument

(adam)

Updated textproc/py-toml, net/py-xandikos

(adam)

py-xandikos: updated to 0.2.2

0.2.2:
* Fix use of xandikos.wsgi module in uwsgi.

(adam)

py-toml: updated to 0.10.1

0.10.1:
Update copyright notices

(adam)

oo2c: fix a patch checksum

(gutteridge)

print/Makefile: appease weekly pkgsrc check script (sort)

(gutteridge)

doc: Updated x11/xfce4-settings to 4.14.3

(gutteridge)

xfce4-settings: update to 4.14.3

Change log:

4.14.3
======
- display: Allow resizing of minimal dialog (Bug #15450)
- display: Use proper fallback configuration on "apply" and "toggle off"
  (Bug #16476)
- keyboard: Fix crash when editing shortcut (Bug #15958)
- keyboard: Fix log flood (bug #16521)
- settings-manager: Make sure content determines size
- xfsettingsd: Handle failure to get Xkl engine for display (Bug #16017)
- Translation Updates:
  Albanian, Asturian, Belarusian, Belarusian (Tarask), Catalan, Hebrew,
  Kazakh, Malay, Portuguese, Swedish, Ukrainian

(gutteridge)

doc: Updated x11/xfce4-panel to 4.14.4

(gutteridge)

xfce4-panel: update to 4.14.4

Change log:

4.14.4
======
- Fix panel build with vala 0.48 (Bug #16426)
- Fix memory leak in panel plugin wrapper (Bug #16640)
- tasklist: Fix crash middle-click-closing grouped windows (Bug #16410)
- panel: Make sure "span monitors" is conditionally sensitive
  (Bug #15169)
- Translation Updates:
  Albanian, Amharic, Arabic, Armenian (Armenia), Belarusian, Bengali,
  Catalan, Chinese (China), Chinese (Hong Kong), Croatian, Czech, Danish,
  Dutch, English (Australia), Estonian, Finnish, French, Galician,
  Georgian, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Japanese,
  Kazakh, Malay, Norwegian Bokm奪l, Norwegian Nynorsk, Occitan (post
  1500), Panjabi (Punjabi), Portuguese, Romanian, Sinhala, Swedish, Thai,
  Uighur, Ukrainian, Vietnamese

(gutteridge)

Updated security/py-cybox, security/py-stix

(adam)

py-stix: updated to 1.2.0.10

Version 1.2.0.10
- Check add_reference methods to prevent NoneType has no attribute 'append'
- Changes to STIXPackage to prevent the empty <stix:TTPs/> tag from appearing in serialization

Version 1.2.0.9
- TTPs would fail to serialize XML Kill_Chains if no TTP was set
- Added Python 3.8 to test harness

Version 1.2.0.8
- Add xnl:Type to the PersonName element (CIQ)
- Update the allowable values for PersonName and OrganisationName
- Update tests per recent CybOX release

Version 1.2.0.7
- Update package requirements

(adam)

py-cybox: updated to 2.1.0.21

Version 2.1.0.21
- New API Objects Support
- 8 New Objects API Classes
- 12 New Common API Classes
- Observable DefinedEffects
- More tests to cover new or existent objects
- Update documentation and coverage
- Rename module cybox/objects/{win_user_object.py → win_user_account_object.py} for consistency
- Some objects have been revised for TypedFields and/or new properties are now available

Version 2.1.0.20
- Fix parsing if algorithm, compression_mechanism, or encryption_mechanism are not present in Factories
- Factory classes now have a register_extension method decorator to extend API classes for the pack/unpack functionality
- The factory will fallback to the Base class when no mapping is found

Version 2.1.0.19
- Implement the Packaging attribute from Artifacts as a TypedField
- Fix a wrapping problem with one of the helper methods for ipv4 observables

Version 2.1.0.18
- Add missing methods to ListFieldMixin.
- Fix handling of empty Hash values.

(adam)

doc: Updated devel/xa65 to 2.3.11

(fcambus)

xa: update to 2.3.11.

ChangeLog:

  * Compilation fix for gcc 10 (thanks Dan Horak).
  * Allow pointer arithmetic in relocating mode within the same segment, since
    the result is segmentless (thanks Andre for the report).
  * .dsb with negative quantities shouldn't work (thanks Andre for the report).
  * Stop a divide-by-zero floating point exception (thanks Frederic Cambus).
  * Testsuite expanded.

(fcambus)

doc: Updated converters/2vcard to 0.6

(fcambus)

2vcard: update to 0.6.

ChangeLog:

2015-07-31: Actually release version 0.6:
            - incorporate fix from Riley Baird to handle multiple
              whitespaces in mutt alias formats

2005-07-30: Released version 0.6:
            - improve support for pine formats via patch/suggestions
              from Neale Banks <neale@lowendale.com.au>:
                - email address might be <email@address>
                - name fields can be either 'Full Name' or 'Last, First'
                - lists can contain name fields (ignore for now)
            - code cleanup:
                - use subroutines for repeatedly used statements

(fcambus)

doc: Updated www/ruby-rouge to 3.19.0

(fcambus)

ruby-rouge: update to 3.19.0.

ChangeLog:

No new lexers this but release but we do have fixes for the JavaScript,
Kotlin, Python, SPARQL and Turtle lexers. In addition, there have been
some under the hood improvements to how keywords are generated for
certain languages.

(fcambus)

lsof: fix wrong conditional added in patch-af 1.20

machine/ptrace.h pulls in sys/module_hook.h after 2019-11-27 under _KERNEL
This corresponds to NetBSD 9.99.19.
sys/module_hook.h is not installed.
Ergo sys/ptrace.h must be included /without/ defining _KERNEL.

(tnn)

Updated textproc/fmtlib, math/py-lmfit

(adam)

py-lmfit: updated to 1.0.1

Version 1.0.1 Release Notes
============================

**Version 1.0.1 is the last release that supports Python 3.5**. All newer version will
require 3.6+ so that we can use formatting-strings and rely on dictionaries being ordered.

New features:
- added thermal distribution model and lineshape
- introduced a new argument ``max_nfev`` to uniformly specify the maximum number of function evalutions
  **Please note: all other arguments (e.g., ``maxfev``, ``maxiter``, ...) will no longer be passed to the underlying
  solver. A warning will be emitted stating that one should use ``max_nfev``.**
- the attribute ``call_kws`` was added to the ``MinimizerResult`` class and contains the keyword arguments that are
  supplied to the solver in SciPy.

Bug fixes:
- fixes to the ``load`` and ``__setstate__`` methods of the Parameter class
- fixed failure of ModelResult.dump() due to missing attributes
- ``guess_from_peak`` function now also works correctly with decreasing x-values or when using
  pandas
- the ``Parameter.set()`` method now correctly first updates the boundaries and then the value

Various:
- fixed typo for the use of expressions in the documentation
- removal of PY2-compatibility and unused code and improved test coverage
- removed deprecated ``isParameter`` function and automatic conversion of an ``uncertainties`` object
- inaccurate FWHM calculations were removed from built-in models, others labeled as estimates
- corrected spelling mistake for the Doniach lineshape and model
- removed unsupported/untested code for IPython notebooks in lmfit/ui/*

(adam)

fmtlib: updated to 6.2.1

6.2.1
Fixed ostream support in sprintf
Fixed type detection when using implicit conversion to string_view and ostream operator<< inconsistently

(adam)

Updated textproc/py-deepdiff, devel/py-curtsies

(adam)

py-curtsies: updated to 0.3.1

0.3.1:
Unknown changes

(adam)

py-deepdiff: updated to 4.3.2

v4-3-2: Deprecation Warning Enhancement
v4-3-1: Fixing the issue with exclude_path and hash calculations when dictionaries were inside iterables. https://github.com/seperman/deepdiff/issues/174
v4-3-0: adding exclude_obj_callback
v4-2-0: .json property is finally removed. Fix for Py3.10. Dropping support for EOL Python 3.4. Ignoring private keys when calculating hashes. For example init is not a part of hash calculation anymore. Fix for 166 Problem with comparing lists, with an boolean as element.
v4-0-9: Fixing the bug for hashing custom unhashable objects
v4-0-8: Adding ignore_nan_inequality for float('nan')

(adam)

Updated textproc/py-markovify, devel/py-pygit2

(adam)

py-pygit2: updated to 1.2.1

1.2.1:
- Fix segfault in ``Object.raw_name`` when not reached through a tree
- Internal: Use @ffi.def_extern instead of @ffi.callback
- Internal: callbacks code refactored
- Test suite completely switched to pytest
- New unit tests
- Documentation changes

Deprecations:
- Deprecate ``Repository.create_remote(...)``, use instead
  ``Repository.remotes.create(...)``
- Deprecate ``GIT_CREDTYPE_XXX`` contants, use ``GIT_CREDENTIAL_XXX`` instead.

(adam)

doc: Updated security/clamav to 0.102.3

(taca)

security/clamav: update to 0.102.3

Update clamav to 0.102.3.

## 0.102.3

ClamAV 0.102.3 is a bug patch release to address the following issues.

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
  an unsigned variable results in an out-of-bounds read which causes a crash.

  Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
  parsing vulnerability.

- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper size checking of
  a buffer used to initialize AES decryption routines results in an out-of-
  bounds read which may cause a crash. Bug found by OSS-Fuzz.

- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.

- Fix a couple of minor memory leaks.

- Updated libclamunrar to UnRAR 5.9.2.

(taca)

py-markovify: updated to 0.8.0

0.8.0:
Unknown changes

(adam)

Updated misc/py-immutables, math/py-ephem

(adam)

py-ephem: updated to 3.7.7.1

3.7.7.1:
Unknown changes

(adam)

py-immutables: updated to 0.12

v0.12:
Bug Fixes
Fix the mutation API to maintain elements count correctly

(adam)

Updated devel/py-requests-mock, www/py-waitress, www/py-WebTest, databases/py-redis

(adam)

py-redis: updated to 3.5.1

3.5.1:
Fix for HSET argument validation to allow any non-None key.

(adam)

py-WebTest: updated to 2.0.35

2.0.35:
- python3.8 compat
- Remove use of deprecated splittype and splithost

(adam)

py-waitress: updated to 1.4.3

1.4.3 (2020-02-02)
------------------

Security Fixes
~~~~~~~~~~~~~~

- In Waitress version 1.4.2 a new regular expression was added to validate the
  headers that Waitress receives to make sure that it matches RFC7230.
  Unfortunately the regular expression was written in a way that with invalid
  input it leads to catastrophic backtracking which allows for a Denial of
  Service and CPU usage going to a 100%.

  This was reported by Fil Zembowicz to the Pylons Project. Please see
  https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
  for more information.

1.4.2 (2020-01-02)
------------------

Security Fixes
~~~~~~~~~~~~~~

- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way
  Waitress strips whitespace from header values. This makes sure Waitress won't
  accidentally treat non-printable characters as whitespace and lead to a
  potental HTTP request smuggling/splitting security issue.

  Thanks to ZeddYu Lu for the extra test cases.

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

  CVE-ID: CVE-2019-16789

Bugfixes
~~~~~~~~

- Updated the regex used to validate header-field content to match the errata
  that was published for RFC7230.

  See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189

1.4.1 (2019-12-24)
------------------

Security Fixes
~~~~~~~~~~~~~~

- Waitress did not properly validate that the HTTP headers it received were
  properly formed, thereby potentially allowing a front-end server to treat a
  request different from Waitress. This could lead to HTTP request
  smuggling/splitting.

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

  CVE-ID: CVE-2019-16789

1.4.0 (2019-12-20)
------------------

Bugfixes
~~~~~~~~

- Waitress used to slam the door shut on HTTP pipelined requests without
  setting the ``Connection: close`` header as appropriate in the response. This
  is of course not very friendly. Waitress now explicitly sets the header when
  responding with an internally generated error such as 400 Bad Request or 500
  Internal Server Error to notify the remote client that it will be closing the
  connection after the response is sent.

- Waitress no longer allows any spaces to exist between the header field-name
  and the colon. While waitress did not strip the space and thereby was not
  vulnerable to any potential header field-name confusion, it should have sent
  back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273

Security Fixes
~~~~~~~~~~~~~~

- Waitress implemented a "MAY" part of the RFC7230
  (https://tools.ietf.org/html/rfc7230#section-3.5) which states:

      Although the line terminator for the start-line and header fields is
      the sequence CRLF, a recipient MAY recognize a single LF as a line
      terminator and ignore any preceding CR.

  Unfortunately if a front-end server does not parse header fields with an LF
  the same way as it does those with a CRLF it can lead to the front-end and
  the back-end server parsing the same HTTP message in two different ways. This
  can lead to a potential for HTTP request smuggling/splitting whereby Waitress
  may see two requests while the front-end server only sees a single HTTP
  message.

  For more information I can highly recommend the blog post by ZeddYu Lu
  https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p

  CVE-ID: CVE-2019-16785

- Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked``
  requests, while the maintainer doesn't believe this could lead to a security
  issue, this is no longer supported and all chunks are now validated to be
  properly framed with CRLF as required by RFC7230.

- Waitress now validates that the ``Transfer-Encoding`` header contains only
  transfer codes that it is able to decode. At the moment that includes the
  only valid header value being ``chunked``.

  That means that if the following header is sent:

  ``Transfer-Encoding: gzip, chunked``

  Waitress will send back a 501 Not Implemented with an error message stating
  as such, as while Waitress supports ``chunked`` encoding it does not support
  ``gzip`` and it is unable to pass that to the underlying WSGI environment
  correctly.

  Waitress DOES NOT implement support for ``Transfer-Encoding: identity``
  eventhough ``identity`` was valid in RFC2616, it was removed in RFC7230.
  Please update your clients to remove the ``Transfer-Encoding`` header if the
  only transfer coding is ``identity`` or update your client to use
  ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity,
  chunked``.

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p

  CVE-ID: CVE-2019-16786

- While validating the ``Transfer-Encoding`` header, Waitress now properly
  handles line-folded ``Transfer-Encoding`` headers or those that contain
  multiple comma seperated values. This closes a potential issue where a
  front-end server may treat the request as being a chunked request (and thus
  ignoring the Content-Length) and Waitress using the Content-Length as it was
  looking for the single value ``chunked`` and did not support comma seperated
  values.

- Waitress used to explicitly set the Content-Length header to 0 if it was
  unable to parse it as an integer (for example if the Content-Length header
  was sent twice (and thus folded together), or was invalid) thereby allowing
  for a potential request to be split and treated as two requests by HTTP
  pipelining support in Waitress. If Waitress is now unable to parse the
  Content-Length header, a 400 Bad Request is sent back to the client.

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6

(adam)

py-requests-mock: updated to 1.8.0

1.8.0
* Remove requests 2.3 compatibility code
* Add release notes for reset function
* Add release note for session scoped mock
* Allow passing session as postiional argument
* Create bound method instead of a wrapper
* Added reset\_mock to \_RequestHistoryTracker and Adapter
* doc on session Mockers
* doc on nesting Mockers
* fix README.rst typo
* suggest Mocker for users unfamiliar with adapters
* update examples to mount adapter on 'mock://'
* fix global/session mock interactions and real\_http
* Added installation instructions
* Add release note for nested mocking
* fix redirects and mock nesting
* Mark IOReader object closed when using a stream
* Add the default response reason if not set
* Don't check that proxies are set in test
* Add StackOverflow tag to README
* Mention pytest fixture on the README
* Add background information to pytest doc
* docs: update examples to match Read the Docs
* Expose real\_http as a public property
* fix py27 error
* easier session scoped mock

(adam)

devel/ruby-redmine: fix changing permission of files

Fix changing permission of files.

(taca)

Pullup tickets up to #6193

(bsiegert)

Pullup ticket #6193 - requested by nia
graphics/openjpeg: security fix

Revisions pulled up:
- graphics/openjpeg/Makefile                                    1.21
- graphics/openjpeg/distinfo                                    1.18
- graphics/openjpeg/patches/patch-src_lib_openjp2_j2k.c        1.1
- graphics/openjpeg/patches/patch-src_lib_openjp2_tcd.c        1.1

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Tue May 12 10:44:46 UTC 2020

  Modified Files:
  pkgsrc/graphics/openjpeg: Makefile distinfo
  Added Files:
  pkgsrc/graphics/openjpeg/patches: patch-src_lib_openjp2_j2k.c
      patch-src_lib_openjp2_tcd.c

  Log Message:
  openjpeg: Cherrypick fixes for the following CVEs from upstream:

  https://nvd.nist.gov/vuln/detail/CVE-2020-6851 - out-of-bounds-write
  https://nvd.nist.gov/vuln/detail/CVE-2020-8112 - heap-overflow

  Please make releases for your software. :/

  Bump PKGREVISION

(bsiegert)

Pullup ticket #6192 - requested by leot
net/youtube-dl: update for extractor changes

Revisions pulled up:
- net/youtube-dl/Makefile                                      1.205-1.206
- net/youtube-dl/distinfo                                      1.187-1.188

---
  Module Name:    pkgsrc
  Committed By:  leot
  Date:          Sat May  2 17:17:21 UTC 2020

  Modified Files:
          pkgsrc/net/youtube-dl: Makefile distinfo

  Log Message:
  youtube-dl: Update to 20200503

  Changes:
  20200503
  --------
  Core
  + [extractor/common] Extract multiple JSON-LD entries
  * [options] Clarify doc on --exec command (#19087, #24883)
  * [extractor/common] Skip malformed ISM manifest XMLs while extracting
    ISM formats (#24667)

  Extractors
  * [crunchyroll] Fix and improve extraction (#25096, #25060)
  * [youtube] Improve player id extraction
  * [youtube] Use redirected video id if any (#25063)
  * [yahoo] Fix GYAO Player extraction and relax URL regular expression
    (#24178, #24778)
  * [tvplay] Fix Viafree extraction (#15189, #24473, #24789)
  * [tenplay] Relax URL regular expression (#25001)
  + [prosiebensat1] Extract series metadata
  * [prosiebensat1] Improve extraction and remove 7tv.de support (#24948)
  - [prosiebensat1] Remove 7tv.de support (#24948)
  * [youtube] Fix DRM videos detection (#24736)
  * [thisoldhouse] Fix video id extraction (#24548, #24549)
  + [soundcloud] Extract AAC format (#19173, #24708)
  * [youtube] Skip broken multifeed videos (#24711)
  * [nova:embed] Fix extraction (#24700)
  * [motherless] Fix extraction (#24699)
  * [twitch:clips] Extend URL regular expression (#24290, #24642)
  * [tv4] Fix ISM formats extraction (#24667)
  * [tele5] Fix extraction (#24553)
  + [mofosex] Add support for generic embeds (#24633)
  + [youporn] Add support for generic embeds
  + [spankwire] Add support for generic embeds (#24633)
  * [spankwire] Fix extraction (#18924, #20648)

---
  Module Name:    pkgsrc
  Committed By:  leot
  Date:          Fri May  8 11:21:09 UTC 2020

  Modified Files:
          pkgsrc/net/youtube-dl: Makefile distinfo

  Log Message:
  youtube-dl: Update to 20200508

  Changes:
  20200508
  --------
  Core
  * [downloader/http] Request last data block of exact remaining size
  * [downloader/http] Finish downloading once received data length matches
    expected
  * [extractor/common] Use compat_cookiejar_Cookie for _set_cookie to always
    ensure cookie name and value are bytestrings on python 2 (#23256, #24776)
  + [compat] Introduce compat_cookiejar_Cookie
  * [utils] Improve cookie files support
      + Add support for UTF-8 in cookie files
      * Skip malformed cookie file entries instead of crashing (invalid entry
        length, invalid expires at)

  Extractors
  * [youtube] Improve signature cipher extraction (#25187, #25188)
  * [iprima] Improve extraction (#25138)
  * [uol] Fix extraction (#22007)
  + [orf] Add support for more radio stations (#24938, #24968)
  * [dailymotion] Fix typo
  - [puhutv] Remove no longer available HTTP formats (#25124)

(bsiegert)

Pullup ticket #6191 - requested by nia
www/firefox68-l10n: dependent update

Revisions pulled up:
- www/firefox68-l10n/Makefile                                  1.13
- www/firefox68-l10n/distinfo                                  1.10

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sat May  9 13:21:31 UTC 2020

  Modified Files:
  pkgsrc/www/firefox68-l10n: Makefile distinfo

  Log Message:
  firefox68-l10n: Sync with firefox68

(bsiegert)

Pullup ticket #6190 - requested by nia
www/firefox68: security fix

Revisions pulled up:
- www/firefox68/Makefile                                        1.20
- www/firefox68/PLIST                                          1.6
- www/firefox68/distinfo                                        1.15

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sat May  9 13:08:01 UTC 2020

  Modified Files:
  pkgsrc/www/firefox68: Makefile PLIST distinfo

  Log Message:
  firefox68: Update to 68.8.0

  Security Vulnerabilities fixed in Firefox ESR 68.8

      #CVE-2020-12387: Use-after-free during worker shutdown

      #CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens

      #CVE-2020-12389: Sandbox escape with improperly separated process types

      #CVE-2020-6831: Buffer overflow in SCTP chunk input validation

      #CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'

      #CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
      website-controlled data, potentially leading to command injection

      #CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

(bsiegert)

sndfile-tools: Update PLIST

(nia)

sndfile-tools: Avoid conflicting with libsamplerate

(nia)

R-Rcpp: Catch more .deb files to skip checks for.

(jperkin)

tex-texlive-scripts-doc: Fix PKGMANDIR.

(jperkin)

luatex: Fix SunOS build.

(jperkin)

archivers/star: Add build fix for SmartOS

The second patch silence a warning on NetBSD.

(micha)

doc: Updated www/davical to 1.1.9.3

(triaxx)

davical: update to 1.1.9.3

upstream changes:
-----------------
2020-04-04 Florian Schlichting <fsfs@debian.org>
  * LSID logins were removed from AWL, drop related bits in davical
2019-12-06 Florian Schlichting <fsfs@debian.org>
  * use foreach() instead of deprecated each() (fixes #190)
  * HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings

(triaxx)

lang/oo2c: fix build on NetBSD 8.0

(rillig)

doc: Updated sysutils/dmidecode to 3.2nb7

(msaitoh)

Add thtree officially recommended patches to sysutils/dmidecode:

2020-03-23 Jean Delvare <jdelvare@suse.de>

Print type 33 name unconditionally.

  Even if a type 33 structure is too short, we can still display its
  type name as we do for all other structure types.

2020-03-23 Jean Delvare <jdelvare@suse.de>

Don't choke on invalid processor voltage.

  If the processor voltage encoding has some of the reserved bits set
  and none of the proper bits set, print it as "Unknown" instead of an
  empty field.

2020-03-23 Jean Delvare <jdelvare@suse.de>

Fix the alignment of type 25 name.

  No tabulation needed before DMI structure names.

(msaitoh)

Updated textproc/py-jmespath, www/py-google-api-python-client

(adam)

databases/mariadb55-client: remove no-op SUBST block

None of the mentioned files actually exists.

(rillig)

devel/ruby-subversion: suppress USE_TOOLS+=perl warning

(rillig)

devel/py-subversion: suppress USE_TOOLS+=perl warning

(rillig)

py-google-api-python-client: updated to 1.8.3

1.8.3:
Bug Fixes
downgrade repetitive logging calls to debug

(adam)

doc: Updated sysutils/intel-microcode-netbsd to 20200508

(msaitoh)

Update intel-microcode-netbsd to 20200508.

== 20200508 Release ==
-- Updates upon 20191115 release --
Processor            Identifier    Version      Products
Model        Stepping F-MO-S/PI      Old->New
---- new platforms ----------------------------------------

---- updated platforms ------------------------------------
ICL-U/Y      D1      6-7e-5/80 00000046->00000078 Core Gen10 Mobile

---- removed platforms ------------------------------------

(msaitoh)

cross/h8300-elf-gcc: suppress USE_TOOLS+=perl warning

(rillig)

py-jmespath: updated to 0.10.0

0.10.0
Python 2.6 and 3.3 have reached end-of-life and have been deprecated.
Fix race condition when clearing cached parsed expressions.

(adam)

lang/gcc3*: suppress USE_TOOLS+=perl warning

(rillig)

databases/postgresql: suppress USE_TOOLS+=perl warning

(rillig)