Updated devel/ocaml-lwt to version 5.2.0.

This adds several updates and bugfixes, some of them breaking. For more
details see the CHANGES file in the distribution.

(jaapb)

doc: Updated www/ocaml-cohttp to 2.5.1

(jaapb)

Updated www/ocaml-cohttp to version 2.5.1.

Many changes since the last version; mostly they are minor though. See the
CHANGES.md file in the distribution for details.

(jaapb)

Use MAKE_ENV when calling dune in ocaml.mk

(jaapb)

doc: Updated www/ocaml-uri to 3.1.0

(jaapb)

Updated www/ocaml-uri to version 3.1.0.

This version splits out the uri and uri-sexp packages, and has some other
minor improvements and updates.

(jaapb)

doc: Update news/cleanscore to 0.9.8.1nb10

(micha)

(net/p5-WebService-MusicBrainz) Updated 1.04 to 1.05

ChangeLog does not record recent 1.04 -> 1.05 Change, just t/Area.t update ?

(mef)

news/cleanscore: Update to 0.9.8.1nb10

The old source archive URL was no longer valid.
Switch to the source from the slrn archive (that has the former
required patch already applied).

OK from is@.

(micha)

(net/p5-Net-Amazon-S3) Updated 0.85 to 0.89

0.89 Tue 11 Feb 2020 20:26:26
    - fix signature v4 test (Ali Zia)

0.88 Sat  1 Feb 2020 21:29:52
    - Allow passing headers from client to InitiateMultipartUpload request (Ali Zia)
    - sign uri with iam role (kuriyama)
    - Canned ACLs updated (ratsbane)

0.87 Mon  9 Dec 2019 19:53:42 GMT
    - Time::Piece fix from Eden Crane
    - eu-north-1 region (happy-barney)
    - drop hardcoded V2 in ListAllMyBuckets (happy-barney)
    - Fix setting of S3 XML document namespace (michal-josef-spacek)

0.86 Fri 12 Apr 2019 13:38:10 BST
    - Retry bucket HEAD few times see #51 (thanks Branislav Zahradník)
    - Support server side encryption also in Net::Amazon::S3::Bucket (thanks Branislav Zahradník)
    - Use session token if specified in Signature V4 as well #43 (thanks Branislav Zahradník)
    - Add website_redirect_location (thanks Gavin Carr)
    - Make keep_alive cache size configurable (thanks Michael Schout)
    - Pod::Weaver fixes (thanks Florian Schlichting)

(mef)

doc: Updated textproc/ocaml-markup to 0.8.2

(jaapb)

Updated textproc/ocaml-markup to version 0.8.2.

Changes are minor, plus a license change to MIT.

(jaapb)

Added ocaml-stdlib-shims to Makefile SUBDIRs

(jaapb)

doc: Added devel/ocaml-stdlib-shims version 0.2.0

(jaapb)

Added devel/ocaml-stdlib-shims, an OCaml compatibility library.

(jaapb)

doc: Updated devel/ocaml-resource-pooling to 1.1

(jaapb)

Updated devel/ocaml-resource-pooling to version 1.1.

No CHANGES file, so it's hard to see what changes are, but the updated
version of ocsigen-start will not run with the old version.

(jaapb)

(net/p5-Test-DNS) Updated 0.13 to 0.203

(pkgsrc)
  - Convert p5-Test-Deep-[0-9]  from BUILD_DEPENDS to DEPENDS
    (packaging process shows as Runtime requirement)

(upstream)
0.203    2019-04-22 19:49:38+03:00 Asia/Jerusalem

        - GH #3: Add the exact dependency as a module.
          (Mohammad S Anwar)

0.202    2019-04-22 16:40:55+03:00 Asia/Jerusalem

        - GH #2: Missed cpanfile. (Thanks, Slaven Rezić!)

0.201    2019-03-03 15:03:41+02:00 Asia/Jerusalem
        - Removed Set::Object dependency. (Should fix tests.)

0.200    2019-03-02 23:41:37+02:00 Asia/Jerusalem
        - All attributes are now immutable. If you need to change
          anything (nameservers, the object, even the follow_cname
          flag), create a new instance. Sorry and thank you.
        - Only provide nameservers when they are specified.
          (Otherwise, it won't look in /etc/resolv.conf.)
        - Allow user to provide their own test names.
        - Test methods now provide a proper, hopefully meaningful
          return value.
        - Simplify code considerably, make much more readable.
        - Updating DNS records.

(mef)

doc: Updated devel/ocaml-logs to 0.7.0

(jaapb)

Updated devel/ocaml-logs to version 0.7.0.

This version adds thread-safe logging, plus several other minor
improvements and bugfixes.

(jaapb)

doc: Updated graphics/libcaca to 0.99.19

(nia)

libcaca: Update to libcaca-0.99.19

Unknown changes - changelog was not updated for this release

(nia)

doc: Updated net/dhcpcd to 9.0.2

(roy)

Update to dhcpcd-9.0.2 with the following changes:

* Control sockets are not opened in test mode
* privsep: no longer aborts if protocol not available
* inet6: Don't regen temporary addresses without a state
* inet6: Reduce RA log spam
* dhcp6: Don't log when things consitently fail
* inet6: Add temporary directive to slaac option [1]
* Ensure current interface flags persist when setting a flag
* DHCP via BPF is now aligned correctly
* CMSG buffers are now aligned correctly
* hostnames are no longer clobbered when being forced and a RA is recieved

[1] dhcpcd no longer looks at any possible kernel settings when deciding to
manage IPv6 temporary addresses or not. You now instruct dhcpcd to do this
in dhcpcd.conf. Playing whack-a-mole with various kernel knobs wasn't fun
and some OS's have or are removing RA and thus temporary address managemnt
from the kernel so said knobs are no longer there.

(roy)

qt5-qtwebkit: Unlimit cputime

(nia)

doc: Updated archivers/arqiver to 0.5.0

(pin)

Update archivers/arqiver to version 0.5.0

Changes from 0.4.0

- Added read-only support for Android and MS Windows packages.
- Reset the GUI if the archive's password isn't entered (correctly).
- Speed up listing by using static regexes.
- Handle relative file paths correctly.

(pin)

doc: Updated devel/ninja-build to 1.10.0nb1

(dsainty)

news/flnews: Remove libXcursor dependency

It is a dependency of FLTK library (missing in the bl3 file there).

(micha)

x11/fltk13: Sync dependencies in bl3 with Makefile

Add libXcursor dependency to bl3.

(micha)

Support a shell other than /bin/sh as a workaround for MacOS X.

Under MacOS X the LD_LIBRARY_PATH variable is unset by the build system
running executables under /bin (namely /bin/sh).  This is part of MacOS X
System Integrity Protection.

Because many (most?) users of ninja/meson seem to need hacks involving
LD_LIBRARY_PATH, use a non-SIP-triggering shell under MacOS X.

Fixes MacOS X builds of glib2, gobject-introspection and others.

Bump PKGREVISION for the new behaviour under MacOS X.

(dsainty)

doc: Updated ham/xlog to 2.0.19

(mef)

(ham/xlog) Updated 2.0.17 to 2.0.19

- Changes for xlog version 2.0.19 - 2020-apr-19
  * Updated cty.dat 20200418 (cty-3007)

- Changes for xlog version 2.0.18 - 2019-jun-11
  * added FT4 support and updated to ADIF 3.1.0
  * Updated cty.dat 20190608

(mef)

Updated lang/python27, lang/py27-html-docs

(adam)

python27: updated to 2.7.18

Python 2.7.18, the last release of Python 2

The CPython core developers are pleased to announce the immediate availability of Python 2.7.18.

Python 2.7.18 is the last Python 2.7
release and therefore the last Python 2 release. It's time for the CPython
community to say a fond but firm farewell to Python 2.

Download this unique, commemorative Python release on python.org.

Python 2.7 has been under active development since the release of Python 2.6,
more than 11 years ago. Over all those years, CPython's core developers and
contributors sedulously applied bug fixes to the 2.7 branch, no small task as
the Python 2 and 3 branches diverged. There were large changes midway through
Python 2.7's life such as PEP 466's feature backports to the ssl module and
hash randomization. Traditionally, these features would never have been added
to a branch in maintenance mode, but exceptions were made to keep Python 2 users
secure. Thank you to CPython's community for such dedication.

Python 2.7 was lucky to have the services of two generations of binary builders
and operating system experts, Martin von L旦wis and Steve Dower for Windows, and
Ronald Oussoren and Ned Deily for macOS. The reason we provided binary Python
2.7 releases for macOS 10.9, an operating system obsoleted by Apple 4 years ago,
or why the "Microsoft Visual C++ Compiler for Python 2.7" exists is the
dedication of these individuals.

Python 3 would be nowhere without the dedication of the wider community. Library
maintainers followed CPython by maintaining Python 2 support for many years but
also threw their weight behind the Python 3 statement.
Linux distributors chased Python 2 out of their
archives. Users migrated hundreds of millions of lines of code, developed
porting guides, and kept Python 2 in their brain while Python 3 gained 10 years
of improvements.

Finally, thank you to GvR for creating Python 0.9, 1, 2, and 3.

Long live Python 3+!

(adam)

doc: Updated devel/git to 2.26.2

(leot)

git: Update to 2.26.2

Changes:
2.26.2
------
This release is to address the security issue: CVE-2020-11008

* With a crafted URL that contains a newline or empty host, or lacks
  a scheme, the credential helper machinery can be fooled into
  providing credential information that is not appropriate for the
  protocol in use and host being contacted.

  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).

  The attack has been made impossible by refusing to work with
  under-specified credential patterns.

Credit for finding the vulnerability goes to Carlo Arenas.

(leot)

doc: Added net/rclone version 1.51.0

(leot)

net: Add rclone

(leot)

rclone: Import rclone-1.51.0 as net/rclone

Rclone is a command line program to sync files and directories to and from:

Amazon Drive, Amazon S3, Backblaze B2, Box, Ceph, DigitalOcean Spaces,
Dreamhost, Dropbox, FTP, Google Cloud Storage, Google Drive, HTTP, Hubic,
Memset Memstore, Microsoft Azure Blob Storage, Microsoft OneDrive, Minio,
Nextcloud, OVH, Openstack Swift, Oracle Cloud Storage, Owncloud, pCloud,
put.io, QingStor, Rackspace Cloud Files, SFTP, Wasabi, WebDAV, Yandex Disk,
The local filesystem

Features:

- MD5/SHA1 hashes checked at all times for file integrity
- Timestamps preserved on files
- Partial syncs supported on a whole file basis
- Copy mode to just copy new/changed files
- Sync (one way) mode to make a directory identical
- Check mode to check for file hash equality
- Can sync to and from network, eg two different cloud accounts
- Optional encryption (Crypt)
- Optional cache (Cache)
- Optional FUSE mount (rclone mount)

Packaged in pkgsrc-wip by myself and <yhardy>.

(leot)

dmidecode: add missing header

pkgsrc changes:
---------------
* Add missing header for FreeBSD.
* Bump revision.

(triaxx)

doc: Updated audio/opus-tools to 0.2

(nia)

opus-tools: Update to 0.2. Make audio output in opusdec work.

opus-tools 0.2

  Sep 18, 2018

  In this release the Opus decoder opusdec has been converted to use the
  opusfile library, and the Opus encoder opusenc has been converted to
  use the libopusenc library. These libraries make it easy to robustly
  read and write Ogg Opus audio files, and enable some new features.

  opusdec enhancements include:
    * Read directly from http or https sources
    * New option --force-stereo will force stereo output
    * Improved support for chained input files with differing sample rate
      or channel count
    * A summary is displayed for METADATA_BLOCK_PICTURE tags rather than
      displaying the base64-encoded data

  opusenc enhancements include:
    * Delayed decision support allows the encoder to look ahead up to two
      seconds in order to improve encoding decisions
    * The options --music and --speech can be used to tune low bitrate
      audio for music or speech, overriding automatic detection
    * The option --no-phase-inv disables the use of phase inversion for
      intensity stereo, which can be useful for streams that are likely
      to be downmixed to mono after decoding
    * New --tracknumber shortcut for setting tracknumber metadata

  Additionally:
    * The opusinfo utility can display the demixing matrix from Ogg Opus
      files using ambisonics channel mapping family 3
    * The experimental opusrtp tool supports new options to specify RTP
      payload type, Ogg Opus output file, original sample rate, and
      number of channels, and supports improved transmit timing,
      arbitrary network devices, and IPv6
    * Numerous bug fixes are also included

(nia)

doc: Added audio/libopusenc version 0.2.1

(nia)

audio: Add libopusenc

The libopusenc libraries provide a high-level API for encoding .opus files
and live streams. libopusenc depends only on libopus.

(nia)

Updated security/fail2ban to 0.11.1

(nils)

Updated security/fail2ban to 0.11.1

Upstream changelog:
0.9.7:
### Fixes
* Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
* filter.d/sshd.conf
    - Fixed non-anchored part of failregex (misleading match of colon inside
      IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
      (0.10th resp. IPv6 relevant only, amend for gh-1479)
* config/pathes-freebsd.conf
    - Fixed filenames for apache and nginx log files (gh-1667)
* filter.d/exim.conf
    - optional part `(...)` after host-name before `[IP]` (gh-1751)
    - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
* filter.d/sshd.conf
    - new aggressive rules (gh-864):
      - Connection reset by peer (multi-line rule during authorization process)
      - No supported authentication methods available
    - single line and multi-line expression optimized, added optional prefixes
      and suffix (logged from several ssh versions), according to gh-1206;
    - fixed expression received disconnect auth fail (optional space after port
      part, gh-1652)
      and suffix (logged from several ssh versions), according to gh-1206;
* filter.d/suhosin.conf
    - greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
    - accept entries without login-info resp. hostname before IP address (gh-1707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
  before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`

### New Features
* New Actions:
    - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)

* New Filters:
    - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

### Enhancements
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)

0.10.0-alpha1 :
### Fixes
* [Grave] memory leak's fixed (gh-1277, gh-1234)
* [Grave] Misleading date patterns defined more precisely (using extended syntax
  `%Ex[mdHMS]` for exact two-digit match or e. g. `%ExY` as more precise year
  pattern, within same century of last year and the next 3 years)
* [Grave] extends date detector template with distance (position of match in
  log-line), to prevent grave collision using (re)ordered template list (e.g.
  find-spot of wrong date-match inside foreign input, misleading date patterns
  by ambiguous formats, etc.)
* Distance collision check always prefers template with shortest distance
  (left for right) if date pattern is not anchored
* Tricky bug fix: last position of log file will be never retrieved (gh-795),
  because of CASCADE all log entries will be deleted from logs table together with jail,
  if used "INSERT OR REPLACE" statement
* Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
* testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
* testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash,
  kill tree in any case (gh-1155)
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
  (now < timeofban + bantime), ignore old log failures (already banned)
* Fixed high-load of pyinotify-backend,
  see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
* Database: stability fix - repack cursor iterator as long as locked
* File filter backends: stability fix for sporadically errors - always close file
  handle, otherwise may be locked (prevent log-rotate, etc.)
* Pyinotify-backend: stability fix for sporadically errors in multi-threaded
  environment (without lock)
* Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values
* Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
* fail2ban.service - systemd service updated (gh-1618):
  - starting service in normal mode (without forking)
  - does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
  - does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
  - service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
  - automatically creates `/var/run/fail2ban` directory before start fail2ban
    (systems with virtual resp. memory-based FS for `/var/run`), see gh-1531
  - if fail2ban running as systemd-service, for logging to the systemd-journal,
    the `logtarget` could be set to STDOUT
  - value `logtarget` for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
* Fixed UTC/GMT named time zone, using `%Z` and `%z` patterns
  (special case with 0 zone offset, see gh-1575)
* `filter.d/freeswitch.conf`
    - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
    - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)

### New Features
* IPv6 support:
    - IP addresses are now handled as objects rather than strings capable for
      handling both address types IPv4 and IPv6
    - iptables related actions have been amended to support IPv6 specific actions
      additionally
    - hostsdeny and route actions have been tested to be aware of v4 and v6 already
    - pf action for *BSD systems has been improved and supports now also v4 and v6
    - name resolution is now working for either address type
    - new conditional section functionality used in config resp. includes:
      - [Init?family=inet4] - IPv4 qualified hosts only
      - [Init?family=inet6] - IPv6 qualified hosts only
* Increment ban time (+ observer) functionality introduced.
  Thanks Serg G. Brester (sebres)
* Database functionality extended with bad ips.
* New reload functionality (now totally without restart, unbanning/rebanning, etc.),
  see gh-1557
* Several commands extended and new commands introduced:
  - `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\>
    (alias for `reload --restart ... <JAIL>`)
  - `reload [--restart] [--unban] [--all]` - reloads the configuration without restarting
    of the server, the option `--restart` activates completely restarting of affected jails,
    thereby can unban IP addresses (if option `--unban` specified)
  - `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAIL\>,
    or restarts it (if option `--restart` specified), at the same time unbans all IP addresses
    banned in this jail, if option `--unban` specified
  - `unban --all` - unbans all IP addresses (in all jails and database)
  - `unban <IP> ... <IP>` - unbans \<IP\> (in all jails and database) (see gh-1388)
  - introduced new option `-t` or `--test` to test configuration resp. start server only
    if configuration is clean (fails by wrong configured jails if option `-t` specified)
* New command action parameter `actionrepair` - command executed in order to restore
  sane environment in error case of `actioncheck`.
* Reporting via abuseipdb.com:
  - Bans can now be reported to abuseipdb
  - Catagories must be set in the config
  - Relevant log lines included in report

### Enhancements
* Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
* Datedetector: in-place reordering using hits and last used time:
  matchTime, template list etc. rewritten because of performance degradation
* Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
* Introduced string to seconds (str2seconds) for configuration entries with time,
  use `1h` instead of `3600`, `1d` instead of `86400`, etc
* seekToTime - prevent completely read of big files first time (after start of service),
  initial seek to start time using half-interval search algorithm (see issue gh-795)
* Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
* Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name,
  especially for wrong dns or lazy dns-system
* FailManager memory-optimization: increases performance,
  prevents memory leakage, because don't copy failures list on some operations
* fail2ban-testcases - new options introduced:
    - `-f`, `--fast` to decrease wait intervals, avoid passive waiting, and skip
      few very slow test cases (implied memory database, see `-m` and no gamin tests `-g`)
    - `-g`, `--no-gamin` to prevent running of tests that require the gamin (slow)
    - `-m`, `--memory-db` - run database tests using memory instead of file
    - `-i`, `--ignore` - negate [regexps] filter to ignore tests matched specified regexps
* Background servicing: prevents memory leak on some platforms/python versions, using forced GC
  in periodic intervals (latency and threshold)
* executeCmd partially moved from action to new module utils
* Several functionality of class `DNSUtils` moved to new class `IPAddr`,
  both classes moved to new module `ipdns`
* Pseudo-conditional section introduced, for conditional substitution resp.
  evaluation of parameters for different family qualified hosts,
  syntax `[Section?family=inet6]` (currently use for IPv6-support only).
* All the backends were rewritten to get reload-possibility, performance increased,
  so fewer greedy regarding cpu- resp. system-load now
* Numeric log-level allowed now in server (resp. fail2ban.conf);
* Implemented better error handling in some multi-threaded routines; shutdown of jails
  rewritten (faster and safer, does not breaks shutdown process if some error occurred)
* Possibility for overwriting some configuration options (read with config-readers)
  with command line option, e. g.:
```bash
## start server with DEBUG log-level (ignore level read from fail2ban.conf):
fail2ban-client --loglevel DEBUG start
## or
fail2ban-server -c /cfg/path --loglevel DEBUG start
## keep server log-level by reload (without restart it)
fail2ban-client --loglevel DEBUG reload
## switch log-level back to INFO:
fail2ban-client set loglevel INFO
```
* Optimized BanManager: increase performance, fewer system load, try to prevent
  memory leakage:
  - better ban/unban handling within actions (e.g. used dict instead of list)
  - don't copy bans resp. its list on some operations;
  - added new unbantime handling to relieve unBanList (prevent permanent
    searching for tickets to unban)
  - prefer failure-ID as identifier of the ticket to its IP (most of the time
    the same, but it can be something else e.g. user name in some complex jails,
    as introduced in 0.10)
* Regexp enhancements:
  - build replacement of `<HOST>` substitution corresponding parameter
    `usedns` - dns-part will be added only if `usedns` is not `no`,
    also using fail2ban-regex
  - new replacement for `<ADDR>` in opposition to `<HOST>`, for separate
    usage of 2 address groups only (regardless of `usedns`), `ip4` and `ip6`
    together, without host (dns)
* Misconfigured jails don't prevent fail2ban from starting, server starts
  nevertheless, as long as one jail was successful configured (gh-1619)
  Message about wrong jail configuration logged in client log (stdout, systemd
  journal etc.) and in server log with error level
* More precise date template handling (WARNING: theoretically possible incompatibilities):
  - datedetector rewritten more strict as earlier;
  - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
  - more as one date pattern can be specified using option `datepattern` now
    (new-line separated);
  - some default options like `datepattern` can be specified directly in
    section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]`
    section, because of performance (each extra section costs time);
  - option `datepattern` can be specified in jail also (e. g. jails without filters
    or custom log-format, new-line separated for multiple patterns);
  - if first unnamed group specified in pattern, only this will be cut out from
    search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match
    pattern, and leaves `date:[] ...` for searching in filter);
  - faster match and fewer searching of appropriate templates
    (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  - several standard filters extended with exact prefixed or anchored date templates;
* Added possibility to recognize restored state of the tickets (see gh-1669).
  New option `norestored` introduced, to ignore restored tickets (after restart).
  To avoid execution of ban/unban for the restored tickets, `norestored = true`
  could be added in definition section of action.
  For conditional usage in the shell-based actions an interpolation `<restored>`
  could be used also. E. g. it is enough to add following script-piece at begin
  of `actionban` (or `actionunban`) to prevent execution:
  `if [ '<restored>' = '1' ]; then exit 0; fi;`
  Several actions extended now using `norestored` option:
  - complain.conf
  - dshield.conf
  - mail-buffered.conf
  - mail-whois-lines.conf
  - mail-whois.conf
  - mail.conf
  - sendmail-buffered.conf
  - sendmail-geoip-lines.conf
  - sendmail-whois-ipjailmatches.conf
  - sendmail-whois-ipmatches.conf
  - sendmail-whois-lines.conf
  - sendmail-whois-matches.conf
  - sendmail-whois.conf
  - sendmail.conf
  - smtp.py
  - xarf-login-attack.conf
* fail2ban-testcases:
  - `assertLogged` extended with parameter wait (to wait up to specified timeout,
    before we throw assert exception) + test cases rewritten using that
  - added `assertDictEqual` for compatibility to early python versions (< 2.7);
  - new `with_foreground_server_thread` decorator to test several client/server commands

0.10.0:
### Fixes
* `filter.d/apache-auth.conf`:
  - better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
* `filter.d/apache-common.conf` (`filter.d/apache-*.conf`):
  - support of apache log-format if logging into syslog/systemd (gh-1695), using parameter `logging`,
    parameter usage for jail:
      filter = apache-auth[logging=syslog]
    parameter usage for `apache-common.local`:
      logging = syslog
* `filter.d/pam-generic.conf`:
  - [grave] injection on user name to host fixed
* `filter.d/sshd.conf`:
  - rewritten using `prefregex` and used MLFID-related multi-line parsing
    (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
  - optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all),
    see sshd for regex details)
* `filter.d/sendmail-reject.conf`:
  - rewritten using `prefregex` and used MLFID-related multi-line parsing;
  - optional parameter `mode` introduced: normal (default), extra or aggressive
* `filter.d/haproxy-http-auth`: do not mistake client port for part of an IPv6 address (gh-1745)
* `filter.d/postfix.conf`:
    - updated to latest postfix formats
    - joined several postfix filter together (normalized and optimized version, gh-1825)
    - introduced new parameter `mode` (see gh-1825): more (default, combines normal and rbl), auth, normal,
      rbl, ddos, extra or aggressive (combines all)
    - postfix postscreen (resp. other RBL's compatibility fix, gh-1764, gh-1825)
* `filter.d/postfix-rbl.conf`: removed (replaced with `postfix[mode=rbl]`)
* `filter.d/postfix-sasl.conf`: removed (replaced with `postfix[mode=auth]`)
* `filter.d/roundcube-auth.conf`:
    - fixed regex when `X-Real-IP` or/and `X-Forwarded-For` are present after host (gh-1303);
    - fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
    - additionally fixed more complex injections on username (e. g. using dot after fake host).
* `filter.d/ejabberd-auth.conf`: fixed failregex - accept new log-format (gh-993)
* `action.d/complain.conf`
  - fixed using new tag `<ip-rev>` (sh/dash compliant now)
* `action.d/sendmail-geoip-lines.conf`
  - fixed using new tag `<ip-host>` (without external command execution)
* fail2ban-regex: fixed matched output by multi-line (buffered) parsing
* fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
* fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
* fixed directory-based log-rotate for pyinotify-backend (gh-1778)

### New Features
* New Actions:

* New Filters:

### Enhancements
* Introduced new filter option `prefregex` for pre-filtering using single regular expression (gh-1698);
* Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without
  line buffering (scrolling of the buffer-window).
  Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs
  using single-line expressions:
  - tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same
    identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`,
    see sshd.conf for example);
  - tag `<F-MLFFORGET>`: can be used as mark to forget current multi-line MLFID (e. g. by connection
    closed, reset or disconnect etc);
  - tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info,
    e. g. from lines that contain IP-address);
  Opposite to obsolete multi-line parsing (using buffering with `maxlines`) it is more precise and
  can recognize multiple failure attempts within the same connection (MLFID).
* Several filters optimized with pre-filtering using new option `prefregex`, and multiline filter
  using `<F-MLFID>` + `<F-NOFAIL>` combination;
* Exposes filter group captures in actions (non-recursive interpolation of tags `<F-...>`,
  see gh-1698, gh-1110)
* Some filters extended with user name (can be used in gh-1243 to distinguish IP and user,
  resp. to remove after success login the user-related failures only);
* Safer, more stable and faster replaceTag interpolation (switched from cycle over all tags
  to re.sub with callable)
* substituteRecursiveTags optimization + moved in helpers facilities (because currently used
  commonly in server and in client)
* New tags (usable in actions):
  - `<fid>` - failure identifier (if raw resp. failures without IP address)
  - `<ip-rev>` - PTR reversed representation of IP address
  - `<ip-host>` - host name of the IP address
  - `<bancount>` - ban count of this offender if known as bad (started by 1 for unknown)
  - `<bantime>` - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
  - `<F-...>` - interpolates to the corresponding filter group capture `...`
  - `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
  - `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
  Several actions (like ipset, etc.) rewritten using net logic with `actionprolong`.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
* Allow to use filter options by `fail2ban-regex`, example:
  fail2ban-regex text.log "sshd[mode=aggressive]"
* Samples test case factory extended with filter options - dict in JSON to control
  filter options (e. g. mode, etc.):
  # filterOptions: {"mode": "aggressive"}
* Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses
  should be ignored (default is true). Fail2ban will not ban a host which matches such addresses.
  Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS
  resp. IPs of the host self.
* Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
  - to improve performance by the single line parsing (see gh-1733);
  - make regex more precise (because distinguish between anchors `^`/`$` for the begin/end of string
    and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow
    the parsing of log-entries contain new-line chars (as single entry);
  - if multiline regex however expected (by single-line parsing without buffering) - prefix `(?m)`
    could be used in regex to enable it;
* Implemented execution of `actionstart` on demand (conditional), if action depends on `family` (gh-1742):
  - new action parameter `actionstart_on_demand` (bool) can be set to prevent/allow starting action
    on demand (default retrieved automatically, if some conditional parameter `param?family=...`
    presents in action properties), see `action.d/pf.conf` for example;
  - additionally `actionstop` will be executed only for families previously executing `actionstart`
    (starting on demand only)
* Introduced new command `actionflush`: executed in order to flush all bans at once
  e. g. by unban all, reload with removing action, stop, shutdown the system (gh-1743),
  the actions having `actionflush` do not execute `actionunban` for each single ticket
* Add new command `actionflush` default for several iptables/iptables-ipset actions (and common include);
* Add new jail option `logtimezone` to force the timezone on log lines that don't have an explicit one (gh-1773)
* Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones
  like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
* Introduced new option `--timezone` (resp. `--TZ`) for `fail2ban-regex`.
* Tokens `%z` and `%Z` are changed (more precise now);
* Introduced new tokens `%Exz` and `%ExZ` that fully support zone abbreviations and/or offset-based
  zones (implemented as enhancement using custom `datepattern`, because may be too dangerous for default
  patterns and tokens like `%z`);
  Note: the extended tokens supported zone abbreviations, but it can parse 1 or 3-5 char(s) in lowercase.
        Don't use them in default date-patterns (if not anchored, few precise resp. optional).
        Because python currently does not support mixing of case-sensitive with case-insensitive matching,
the TZ (in uppercase) cannot be combined with `%a`/`%b` etc (that are currently case-insensitive),
to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with
wrong TZ "error".
        Hence `%z` currently match literal Z|UTC|GMT only (and offset-based), and `%Exz` - all zone
abbreviations.
* `filter.d/courier-auth.conf`: support failed logins with method only
* Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of
  python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is
  like our another features like `%(known/option)s`, etc. (gh-1750)
* Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now,
  but now the setting of parameter `backend` in default section of `jail.local` can overwrite default
  backend also (see gh-1750). In the future versions parameter `default_backend` can be removed (incompatibility,
  possibly some distributions affected).

0.10.1:
### Fixes
* fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
* jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
* avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
  'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
* action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
* fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
* fixed tags `<fq-hostname>` and `<sh-hostname>`, could be used without ticket (a. g. in `actionstart` etc., gh-1859).

* setup.py: fixed several setup facilities (gh-1874):
  - don't check return code by dry-run: returns 256 on some python/setuptool versions;
  - `files/fail2ban.service` renamed as template to `files/fail2ban.service.in`;
  - setup process generates `build/fail2ban.service` from `files/fail2ban.service.in` using distribution related bin-path;
  - bug-fixing by running setup with option `--dry-run`;

### New Features
* introduced new command-line options `--dp`, `--dump-pretty` to dump the configuration using more
  human readable representation (opposite to `-d`);

### Enhancements
* nftables actions are IPv6-capable now (gh-1893)
* filter.d/dovecot.conf: introduced mode `aggressive` for cases like "disconnected before auth was ready" (gh-1880)

0.10.2:
### Incompatibility list:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
  anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
  just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.

### Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
  write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
  (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
  in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
  - fixed syntax error in achnor definition (documentation, see gh-1919);
  - enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
  - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
    forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
    see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
  - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);

### New Features
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
  introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
  - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
    (corresponds %H, but allows space if not zero-padded).
  - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
    (corresponds %I, but allows space if not zero-padded).
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
* New Actions:
  - `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
    nginx-location with map-file);

### Enhancements
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
* Introduced new parameters for logging within fail2ban-server (gh-1980).
  Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
  - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
    for the list of facilities);
  - `datetime` - add date-time to the message (default on, ignored if `format` specified);
  - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
      `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
  'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
  if repair fails - recreate new database (gh-1465, gh-2004).

0.10.3:
### ver. 0.10.3.1:
* fixed JSON serialization for the set-object within dump into database (gh-2103).

### Fixes
* `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
* `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
* `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
  - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
* `filter.d/sshd.conf`:
  - failregex got an optional space in order to match new log-format (see gh-2061);
  - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
  - fixed root login refused regex (optional port before preauth, gh-2080);
  - avoid banning of legitimate users when pam_unix used in combination with other password method, so
    bypass pam_unix failures if accepted available for this user gh-2070;
  - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
  - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
    it counts failure on closing connection within preauth-stage (gh-2085);
* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
* `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
* `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
* (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);

### New Features
* several stability and performance optimizations, more effective filter parsing, etc;
* stable runnable within python versions 3.6 (as well as within 3.7-dev);

### Enhancements
* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
* `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
* date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
* possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
  the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
  e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
* badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
* add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
* Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
  Usage `logtarget = target[padding=on|off]`

0.10.4:
### Fixes
* `filter.d/dovecot.conf`:
  - failregex enhancement to catch sql password mismatch errors (gh-2153);
  - disconnected with "proxy dest auth failed" (gh-2184);
* `filter.d/freeswitch.conf`:
  - provide compatibility for log-format from gh-2193:
    * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
      `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
    * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
  - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
    (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
    how to set it to mode `normal`.
* `filter.d/domino-smtp.conf`:
  - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
  - failregex extended to catch connections rejected for policy reasons (gh-2228);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
  and don't allowed in command-actions), see gh-2114;
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
  - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
    `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
  - actions: avoid possible conversion errors on wrong-chars by replace tags;
  - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
    additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
  - logging in fail2ban is process-wide exception-safe now.
* repaired start-time of initial seek to time (as well as other log-parsing related data),
  if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);

### New Features
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
  `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
  all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)

### Enhancements
* `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
* since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
  additionally option `-V` can be used to get version in normalized machine-readable short format.

0.10.5:
### Fixes
* [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore
  user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
* [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with systemd backend,
  now systemd-filter replaces newlines in message from systemd journal with `\n` (otherwise
  multi-line parsing may be broken, because removal of matched string from multi-line buffer window
  is confused by such extra new-lines, so they are retained and got matched on every followed
  message, see gh-2431)
* [stability] prevent race condition - no unban if the bans occur continuously (gh-2410);
  now an unban-check will happen not later than 10 tickets get banned regardless there are
  still active bans available (precedence of ban over unban-check is 10 now)
* fixed read of included config-files (`.local` overwrites options of `.conf` for config-files
  included with before/after)
* `action.d/abuseipdb.conf`: switched to use AbuseIPDB API v2 (gh-2302)
* `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
* `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only
  whole words and fixed string (not as pattern), gh-2298
* `filter.d/apache-auth.conf`:
  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
  - extended with option `mode` - `normal` (default) and `aggressive`
* `filter.d/sshd.conf`:
  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
  - captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra`
    (with supplied user only) and `ddos`/`aggressive` mode (gh-2115, gh-2239, gh-2279)
* `filter.d/mysqld-auth.conf`:
  - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words
    enclosed in brackets after "[Note]" (gh-2314)
* `filter.d/sendmail-reject.conf`:
  - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros)
* `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313)
* several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
* `filter.d/sendmail-reject.conf`: fixed journal usage for some systems (e. g. CentOS): if only identifier
  set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385)
* `filter.d/asterisk.conf`: asterisk can log additional timestamp if logs into systemd-journal
  (regex extended with optional part matching this, gh-2383)
* `filter.d/postfix.conf`:
    - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
    - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
      also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
      parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
* `filter.d/named-refused.conf`:
    - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
    - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
  - ID in prefix can be longer as 14 characters (gh-2563);
* all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
* avoids unhandled exception during flush (gh-2588)
* fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP,
  therefore reset start on demand parameter for this action (it will be started immediately by repair);
* auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);

### New Features
* new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
  - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask);
  - `<SUBNET>` - regex to match sub-net adresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
* grouped tags (`<ADDR>`, `<HOST>`, `<SUBNET>`) recognize IP addresses enclosed in square brackets
* new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
  (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
* filters: introduced new configuration parameter `logtype` (default `file` for file-backends, and
  `journal` for journal-backends, gh-2387); can be also set to `rfc5424` to force filters (which include common.conf)
  to use RFC 5424 conform prefix-line per default (gh-2467);
* for better performance and safety the option `logtype` can be also used to
  select short prefix-line for file-backends too for all filters using `__prefix_line` (`common.conf`),
  if message logged only with `hostname svc[nnnn]` prefix (often the case on several systems):
```ini
[jail]
backend = auto
filter = flt[logtype=short]
```
* `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtype's (speedup and fix parsing
  of systemd-journal);
* `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik
* `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded

### Enhancements
* introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to contol
  how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
* fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure default size
  of the stack for threads running in fail2ban (gh-2356), it could be set in `fail2ban.local` to
  avoid runtime error "can't start new thread" (see gh-969);
* jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations
  containing new-line);
* fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349);
  Syntax:
  - `fail2ban-client set <jain> banip <ip1> ... <ipN>`
  - `fail2ban-client set <jain> unbanip [--report-absent] <ip1> ... <ipN>`
* fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple
  attempts (failure) for IP (resp. failure-ID), see gh-2351;
  Syntax:
  - `fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]`
* `action.d/nftables.conf`:
  - isolate fail2ban rules into a dedicated table and chain (gh-2254)
  - `nftables-allports` supports multiple protocols in single rule now
  - combined nftables actions to single action `nftables`:
    * `nftables-common` is removed (replaced with single action `nftables` now)
    * `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
    * `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
  - allowed multiple protocols in `nftables[type=multiport]` action (single set with multiple rules
    in chain), following configuration in jail would replace 3 separate actions, see
    https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
* `action.d/badips.py`: option `loglevel` extended with level of summary message,
  following example configuration logging summary with NOTICE and rest with DEBUG log-levels:
  `action = badips.py[loglevel="debug, notice"]`
* samplestestcase.py (testSampleRegexsFactory) extended:
  - allow coverage of journal logtype;
  - new option `fileOptions` to set common filter/test options for whole test-file;
* large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
  - improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc),
    prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
  - automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes
    new failures (via new action operation `actionreban` or `actionban` if still not defined in action);
  * introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
  * invariant check avoids repair by unban/stop (unless parameter `actionrepair_on_unban` set to `true`);
  * better handling for all conditional operations (distinguish families for certain operations like
    repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
  * partially implements gh-980 (more breakdown safe handling);
  * closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure,
    at least unless a bulk-ban gets implemented);
* fail2ban-regex - several enhancements and fixes:
  - improved usage output (don't put a long help if an error occurs);
  - new option `--no-check-all` to avoid check of all regex's (first matched only);
  - new option `-o`, `--out` to set token only provided in output (disables check-all and outputs only expected data).

0.11.1:
### Compatibility:
* to v.0.10:
  - 0.11 is totally compatible to 0.10 (configuration- and API-related stuff), but the database
    got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you
    have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its different to 0.10 schema)
    if you would need to downgrade to 0.10 for some reason.
* to v.0.9:
  - Filter (or `failregex`) internal capture-groups:

    * If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
      rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).

      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
      ```
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      ```
    * New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).

  - v.0.10 and 0.11 use more precise date template handling, that can be theoretically incompatible to some
    user configurations resp. `datepattern`.

  - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are
    IPv6-capable now.

### Fixes
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
  (now < timeofban + bantime), ignore old log failures (already banned)
* upgrade database: update new created table `bips` with entries from table `bans` (allows restore
  current bans after upgrade from version <= 0.10)

### New Features
* Increment ban time (+ observer) functionality introduced.
* Database functionality extended with bad ips.
* New tags (usable in actions):
  - `<bancount>` - ban count of this offender if known as bad (started by 1 for unknown)
  - `<bantime>` - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
  Several actions (like ipset, etc.) rewritten using net logic with `actionprolong`.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).

### Enhancements
* algorithm of restore current bans after restart changed: update the restored ban-time (and therefore
  end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater
  (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
* added new setup-option `--without-tests` to skip building and installing of tests files (gh-2287).
* added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?` to get the banned ip addresses (gh-1916).

Pkgsrc changes :
* switched to the Github framework for distfile fetching ;
* updated the config files lists (fail2ban puts a lot of files into config files) ;
* updated substition for better pkgsrc path handling in config files ;
* call the python tool "2to3" to convert all the python 2 code still present ;
* as a result, PLIST needed updating.

(nils)

windowmaker: fix pkg-config files

(adam)

creduce: port to LLVM 10

(adam)

doc: reverted meld upgrade

(wiz)

meld: downgrade to 3.20, 3.21 dumps core

(wiz)

tin: Add comment for bug (fixed upstream) to patch

(micha)

doc: Added devel/py-approvaltests version 0.2.6

(schmonz)

Add and enable py-approvaltests.

(schmonz)

Initial import of py-approvaltests, the Python port of an
assertion/verification library to aid testing.

You can use ApprovalTests to verify objects that require more than a
simple assert including long strings, large arrays, and complex hash
structures and objects. ApprovalTests really shines when you need a more
granular look at the test failure. Sometimes, trying to find a small
difference in a long string printed to STDOUT is just too hard!
ApprovalTests solves this problem by providing reporters which let you
view the test results in one of many popular diff utilities.

(schmonz)

gcc9: start fixing gccgo build under NetBSD.

This fixes the build of the "runtime" package, now the compilation is
stuck in the "syscall" package instead.

Submitted upstream as https://go-review.googlesource.com/c/gofrontend/+/228918/.
Upstream bug report at https://github.com/golang/go/issues/38538.

(bsiegert)

doc: Updated news/bystand to 1.1.0

(micha)

bystand: Update to 1.1.0

Use LISTGROUP to find the highest valid article number if the high water
number is not valid. Also fix it in the case where a newsgroup is empty.

(micha)

+sysutils/p5-Quota to 1.8.0 +sysutils/p5-Sys-CpuLoad to 0.30

Updated sysutils/p5-Quota to 1.8.0
Updated sysutils/p5-Sys-CpuLoad to 0.30

(mef)

(sysutils/p5-Sys-CpuLoad) Updated 0.03 to 0.30

0.30      2020-04-06 08:14:52+01:00 Europe/London

0.29      2020-04-04 11:13:49+01:00 Europe/London (TRIAL RELEASE)
  [Enhancements]
  - Added support for changing the default load() function.

  [Documentation]
  - Added contributors names in Changes for earlier versions.

  [Tests]
  - Test for warnings.

  - Use Test::More and Test::Deep instead of Test::Most,
    due to global destruction warnings in latest Test::Most.

  [Other]
  - Rearrange POD to be interleaved with source code.

0.28      2020-04-02 17:35:22+01:00 Europe/London (TRIAL RELEASE)
  [Bug Fixes]
  - Fix how parsed values from uptime are numified for different locales.

0.27      2020-04-02 12:37:28+01:00 Europe/London (TRIAL RELEASE)
  [Bug Fixes]
  - Numify parsed values from uptime.

  [Tests]
  - Use locale-independent test that value is numeric.

0.26      2020-04-01 21:22:26+01:00 Europe/London (TRIAL RELEASE)
  [Bug Fixes]
  - Parse uptime output formatted with using different locales, thanks srezic.

  [Tests]
  - Fix skip_all to handle when no executable is found.

  - Fix comment on skip_all.

  [Other]
  - Add keywords to distribution metadata.

0.25      2020-03-30 23:30:00+01:00 Europe/London (TRIAL RELEASE)
  [Tests]
  - Check if uptime is executable.

  - Fix comment on t/13-w.t.

0.24      2020-03-30 12:25:45+01:00 Europe/London (TRIAL RELEASE)
  [Enhancements]
  - Use IPC::Run3 for uptime.

  - Add the ability to override the path of uptime.
  [Bug Fixes]
  - Check for uptime errors.

  [Other]
  - Move Perl::Critic exceptions into t/etc/perlcriticrc.

0.23      2020-03-29 13:09:50+01:00 Europe/London (TRIAL RELEASE)
  [Enhancements]
  - Support getloadavg for DragonFly BSD.

  - Change uptime to use backticks instead of piped open.

  [Bug Fixes]
  - uptime immediately returns undef if path to `uptime` cannot be found.

  [Tests]
  - Fixed test when skipping getloadavg test.

  - Skip uptime test if uptime cannot be found.

0.22      2020-03-27 12:51:39+00:00 Europe/London (TRIAL RELEASE)
  [Enhancements]
  - Split getloadavg, proc_loadavg and uptime into separate functions.

  - Use File::Which to locate uptime.

  [Incompatabilities]
  - Renamed _getbsdload to getloadavg.

  [Bug Fixes]
  - Accept uptime output without commas, RT#14034.

  [Tests]
  - Fix bug testing high loads.

  - Add tests for each function.

0.21      2020-03-25 13:03:11+00:00 Europe/London
  [Bug Fixes]
  - Actually use system getloadavg for NetBSD and Solaris.

0.20      2020-03-25 12:35:33+00:00 Europe/London
  [Enhancements]
  - Add support for NetBSD #2 and Solaris.

  - Return a single undef when the load function fails.

  [Bug Fixes]
  - The return value of getloadavg is now checked, #4.

  - The load method is set up in a BEGIN block instead of import, #5.

  [Documentation]
  - Update POD about changes in version 0.12.

0.12      2020-03-24 23:22:57+00:00 Europe/London
  [Enhancements]
  - Use getloadavg system call in Linux.

  - Port changes for Cygwin from Sys::CpuLoadX.

  [Tests]
  - Show diagnostics.

0.11      2020-03-24 22:57:02+00:00 Europe/London
  [Enhancements]
  - Added support for OS/X, thanks to Vincent Lef竪vre, RT#14034/GH#3.

0.10      2020-03-24 22:41:56+00:00 Europe/London
  - Maintenance taken over by Robert Rothenberg.

  [Enhancements]
  - Modernised code style.

  - The load average method is determined during module import.

  - Use XSLoader instead of DynaLoader.

  [Bug Fixes]
  - Fixed VERSION.

  - Removed unnecessary use of AutoLoader.

  [Incompatabilities]
  - Minimum version is v5.6.

  - Renamed `getbsdload` to `_getbsdload`.

  [Documentation]
  - Reformatted Changes to conform to CPAN::Changes::Spec.

  [Tests]
  - Modernised the test, and added a test of the load function.

  [Other]
  - Reorganised files for modern CPAN distributions.

  - Distribution is minted with Dist::Zilla.

(mef)

(sysutils/p5-Quota) Updated to 1.8.0

Changes in 1.8.0 (April 2020)
- revised "tirpc" change in 1.7.3: use "-ltirpc" only when SUN-RPC is
  NOT included in libc; else we may compile against tirpc but linker
  may resolved against libc; leads to memory corruption in auth_destroy()
- cntd. attempt at fixing Makefile.PL for build on NetBSD release > 6
- Backport of minor fixes & enhancements done while porting to Python
  - extended test scripts (RPC test; read-back&verify limits after setqlim)
  - RPC result handling: removed forced ESRCH error upon 0 limits
    so that behavior matches that of local query (at least on Linux)
  - corrected Quota::strerr() for errors caused in Sun-RPC library funcs
  - updated include/quotaio_xfs.h to latest version in Linux headers
    and use newer (~2004) interface Q_XQUOTASYNC for Quota::sync()

Changes in 1.7.4 (March 2020)
- Build fixes for NetBSD release > 6 and Apple/Darwin
  based on failure reports of automated CPAN testing
- Added support for group quotas in test.pl;
  Corrections to documentation of group quota handling

Changes in 1.7.3 (March 2020)
- Added detection for missing header rpc/rpc.h;
  automatically switch to using "tirpc", if present.
  Issue reported by Michael Stauber via CPAN ticket 128302
- Also fixed compiler warnings in ancient RPC code.

(mef)

Skip portability for bash script

(joerg)

As discussed on IRC, use the same environment for build and install.
This avoids cargo deciding to rebuild most packages just because it now
knows the DESTDIR.

(joerg)

eet-1.7.10

(joerg)

Update to eet-1.7.10 with an additional patch for OpenSSL 1.1:
    * Fix memory leak in eet_image.
    * With segfault with edje_cc in some cases
    * Fix eet_cache_concurrency test

(joerg)

eina 1.7.10

(joerg)

Update to eina-1.7.10:
    * Fix race condition when calling eina_file_open/eina_file_close.
    * Fix memory leak in eina_xattr_value_ls

(joerg)

Declare classes before dyncasting them

(joerg)

Upgrade to 1.3.6c:

1.3.6c
---------
  + Fixed regression in directory listing latency (Issue #863).
  + Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
    converting them to supported format.
  + Fixed use-after-free vulnerability during data transfers (Issue #903).
  + Fixed out-of-bounds read in mod_cap by updating the bundled libcap
    (Issue #902).

1.3.6b
---------
  + Fixed pre-authentication remote denial-of-service issue (Issue #846).
  + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).

1.3.6a
---------
  + Fixed symlink navigation (Bug#4332).
  + Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674).
  + Fixed SITE COPY honoring of <Limit> restrictions (Bug#4372).
  + Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656).
  + Fixed restarts when using mod_facl as a static module.

(christos)

Updated graphics/p5-Image-ExifTool, lang/py-parso

(adam)

py-parso: updated to 0.7.0

0.7.0:
- Fix a lot of annoying bugs in the diff parser. The fuzzer did not find
  issues anymore even after running it for more than 24 hours (500k tests).
- Small grammar change: suites can now contain newlines even after a newline.
  This should really not matter if you don't use error recovery. It allows for
  nicer error recovery.

(adam)

p5-Image-ExifTool: updated to 11.85

Version 11.85 (production release)
- Added a new Sony LensType
- Added a new Olympus CameraType
- Added a two new Pentax LensType values
- Added a new FujiFilm FocusMode
- Decode timed GPS from Akaso dashcam MOV videos
- Decode Insta360 trailer from INSP images and made Insta360 a deletable group
- Patched kml.fmt file to limit maximum image size
- Fixed problem decoding values from Leica M10 and S maker notes

Version 11.84
- Decode accelerometer data from timed metadata of more dashcam videos
- Decode Canon G9 white balance tags
- Recognize INSP files

Version 11.83
- Added a couple of new XMP-crs tags
- Fixed bug introduced in 11.82 with the -php -D output
- Fixed problem where some flattened XMP tags could be written when they
  should be avoided

Version 11.82
- Added a new Canon LensType
- Added a new CanonModelID
- Added ability to process SubDirectories in QuickTime Keys tags
- Removed minor error when writing PDF 2.0 files
- Fixed problem where trailing null bytes were removed from binary values in
  the -php output when the -b option was used

Version 11.81
- Added a new Nikon LensID
- Added two new CanonModelID's
- Decode AVIF AV1 configuration record
- Changed names of QuickTime MovieData tags to "MediaData"
- Patched to use 4-digit years in Time::Local calls
- Patched Composite sub-second date/time tags to do additional validation of
  source EXIF date/time tags before adding sub seconds
- Fixed problem where -json output could produce invalid JSON when -struct was
  used and the structure field names contained special characters
- Fixed spelling in a Panasonic SceneMode value

Version 11.80
- Added a new Canon LensType
- Added a new Nikon Z LensID
- Added a few new Sony LensType values
- Attempt to improve reliability of Samsung DepthMapWidth/Height decoding
- Updated a number of Canon-mount Tamron lens names to include the Tamron
  model number
- Patched MOV/MP4 writer to allow a small amount of garbage at the end of a
  file to be deleted when writing with the -m option
- Fixed bug where some Composite tags may not have taken priority over other
  tags as they should have

Version 11.79
- Added support for AVIF files
- Added new Canon, Sigma and Sony LensType values
- Made PDF 2.0 writable at your own risk with the -m option
- Enhanced -validate feature to warn about duplicate languages in an XMP
  lang-alt list
- Fixed inconsistency between documentation and ExifTool capabilities for
  "Writable" status of some tags

Version 11.78
- Added a new Nikon LensID
- Added two new FujiFilm SceneRecognition values
- Patched to avoid crash in Windows when writing a negative epoch time using
  the "-d %s" option
- Fixed problem editing MIE tags when using the "-wm w" option

Version 11.77
- Added a new Nikon LensID
- Added a number of new Olympus LensType values
- Added a new Canon LensType
- Decode timed GPS from Ambarella A12 dash cam MP4 videos
- Decode a number of new Sigma tags
- Decode a couple of new PanasonicRaw tags
- Enhanced -fileOrder option to add -fast feature

Version 11.76
- Added support for the Sony ILCE-9M2
- Added a couple of new XMP-GCamera tags
- Added MIMEType values for some formats that previously reported
  "application/unknown"
- Enhanced -geotag feature to write pitch to CameraElevationAngle if available
- Improved determination of MIMEEncoding for TXT files

Version 11.75
- Added ability to read some basic characteristics of TXT files
- Added kml_track.fmt to the fmt_files of the full distribution
- Added built-in support for decoding GPS from the four video subtitle text
  formats that were previously handled by separate config files, and removed
  these config files from the distribution
- Derive GPSDateTime from CreateDate and SampleTime if not already available
  when extracting timed GPS metadata from QuickTime-format videos
- Changed family 2 groups of some Extra tags

Version 11.74
- Added support for new XMP IPTC Extension version 1.5 tags
- Added a new Nikon LensID
- Decode GPS track from Auto-Vox dashcam MOV videos
- Improved Russian translations
- Enhanced convert_regions.config to support new IPTC Extension 1.5 ImageRegion
- Changed the way the FlatName element works when used in a structure element
  (the structure name is now added as a prefix to the flattened tag name)
- Patched gpx.fmt and gpx_wpt.fmt to support sub-seconds in GPSDateTime value

Version 11.73
- Decode timed metadata from Parrot drone videos
- Patched dji.config file to properly handle time zones
- Fixed bug which caused runtime error when reading timed metadata from Cobra
  Dash Cam AVI videos

Version 11.72
- Added warning messages for corrupted Photoshop document data
- Added a new Olympus CameraType
- Added a new Canon LensType
- Decode more Sigma tags
- Improved Russian translations
- Updated decoding of some CanonCustom settings for recent models
- Documented DNG OpcodeList values

Version 11.71
- Added a new Sony LensType
- Added a few new Nikon Z LensID's
- Added a simple print conversion for DNG OpcodeList tags (note that due to
  this, these tags must now be copied using the -n option)
- Fixed problems determining some video parameters for DV files
- Changed behaviour of -sep option when writing empty list items
- API Changes:
    - Changed ListSplit option to preserve empty list items

(adam)

Use bash for this build unconditionally, the difficulty in parsing the shell
script is not limited to Irix.

Fixes the build when using ksh (on MacOS) as the preferred shell.

No version bump, this change only repairs outright build failures.

(dsainty)

doc: Updated devel/gettext to 0.20.2

(wiz)

gettext*: update to 0.20.2

Version 0.20.2 - April 2020

* Improvements for maintainers:
  - A dependency bug in po/Makefile.in.in has been fixed.

* Programming languages support:
  - Shell:
    o The programs 'gettext', 'ngettext', when invoked with option -e, now
      expand '\\' and octal escape sequences, instead of swallowing them.
      (Bug present since the beginning.)
    o xgettext now recognizes 'gettext' program invocations with the '-e'
      option, such as
        gettext -e 'some\nstring\n'
  - Python:
    xgettext now assumes a Python source file is in UTF-8 encoding by default,
    as stated in PEP 3120.
  - Desktop Entry:
    The value of the 'Icon' property is no longer extracted into the POT file
    by xgettext.  The documentation explains how to localize icons.

* Runtime behaviour:
  - The interpretation of the language preferences on macOS has been improved,
    especially in the case where a system locale does not exist for the
    combination of the selected primary language and the selected territory.
  - Fixed a multithread-safety bug on Cygwin and native Windows.

(wiz)

doc: Updated devel/meld to 3.21.0nb1

(wiz)

meld: update to 3.21.0nb1.

Switch to meson build system, update dependencies.

(wiz)

Updated textproc/libyaml, devel/libuv

(adam)

libuv: updated to 1.37.0

Version 1.37.0 (Stable)
* timer: remove redundant check in heap compare
* udp: add flag to enable recvmmsg(2) explicitly

(adam)

libyaml: updated to 0.2.4

0.2.4:
Add packaging/docker-dist to Makefile.am
Fix logic for document end before directive

(adam)