(fonts/Hack-ttf) Updated 2.020 to 3.003, overs 160 lines ChangeLog ommitted (CHANGELOG.md)

(mef)

Updated devel/meson, multimedia/py-m3u8

(adam)

py-m3u8: updated to 0.5.3

0.5.3:
Allow individual EXT-X-MAP tag for segment

(adam)

meson: updated to 0.52.1

0.52.1:
Bug fixes (no release notes)

(adam)

doc: Updated devel/meson to 0.52.0nb1

(jperkin)

meson: Backport fix for executable bit tests.

Bump PKGREVISION.

(jperkin)

Updated devel/py-test-mock, textproc/py-sphinxcontrib-websupport, security/py-paramiko

(adam)

py-paramiko: updated to 2.7.1

2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.

2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most 窶歪anonical hostname窶� ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.

Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format窶冱 BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from 窶徇odern窶� keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko窶冱 use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require 窶彷lavors窶� (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.

(adam)

py-smb: updated to 1.1.28

pysmb-1.1.28:
- SharedFile instances returned from the listPath() method now has a new
  file_id attribute which represents the file reference number given by the SMB server.

(adam)

py-sphinxcontrib-websupport: updated to 1.1.2

Release 1.1.2:
* sphinxcontrib-websupport doesn't work with Sphinx 2.0

Release 1.1.1:
* sphinxcontrib-websupport doesn't work with Sphinx 2.0.0b1

(adam)

py-test-mock: updated to 1.13.0

1.13.0:
* The object returned by ``mocker.spy`` now also tracks any side effect
  of the spied method/function.

(adam)

doc: Fix sysutils/virt-what entry (it was added, not updated)

(leot)

Updated devel/py-importlib-metadata, time/py-icalendar

(adam)

py-icalendar: updated to 4.0.4

4.0.4:
Bug fixes:
- Reduce Hypothesis iterations to speed up testing, allowing PRs to pass

(adam)

py-importlib-metadata: updated to 1.3.0

v1.3.0
Improve custom finders documentation.

(adam)

Updated databases/py-multidict, www/py-yarl

(adam)

py-yarl: updated to 1.4.2

1.4.1:
* Fix regression, make the library work on Python 3.5 and 3.6 again.

1.4.0:
* Distinguish an empty password in URL from a password not provided at all
* Fixed annotations for optional parameters of ``URL.build``
* Use None as default value of ``user`` parameter of ``URL.build``
* Enforce building C Accelerated modules when installing from source tarball, use
  ``YARL_NO_EXTENSIONS`` environment variable for falling back to (slower) Pure Python
  implementation
* Drop Python 3.5 support
* Fix quoting of plus in path by pure python version
* Don't create a new URL if fragment is unchanged
* Included in error msg the path that produces starting slash forbidden error
* Skip slow IDNA encoding for ASCII-only strings

(adam)

py-multidict: updated to 4.7.0

4.7.0:

Features
- Replace Cython optimization with pure C
- Implement ``__length_hint__()`` for iterators
- Support the MultiDict[str] generic specialization in the runtime.
- Embed pair_list_t structure into MultiDict Python object
- Embed multidict pairs for small dictionaries to amortize the memory usage.
- Support weak references to C Extension classes.
- Add docstrings to provided classes.
- Merge ``multidict._istr`` back with ``multidict._multidict``.

Bugfixes
- Explicitly call ``tp_free`` slot on deallocation.
- Return class from __class_getitem__ to simplify subclassing

(adam)

Updated devel/cmake

(adam)

cmake: updated to 3.16.1

CMake 3.16.1
* bootstrap: Add target_link_options command
* Check for support before adding bigtoc linker flag
* TestDriver: ignore strcpy call
* FindThreads: Restore hard-coded '-l' flag on library name
* PCH: Do not add #pragma system_header for Xcode generator
* Unity/PCH: Skip more target types when adding automatic sources
* Unity: Generic source file handling for all generators
* Unity: Proper handling of object libraries
* PCH: Use the target's PREFIX for building the pdb file name
* CTest Resource Allocation: Add test for spec file with no version
* FindwxWidgets: Add support for 3.1.3 on macOS

(adam)

doc: reflect Enlightenment 0.23.1 in TODO

Whoops, put back "the other version" of Enlightenment, and, while here,
note the newest release of it.

(gutteridge)

doc: Updated wm/enlightenment to 1.0.21nb2

(gutteridge)

wm/enlightenment: make vera-ttf a suggested dependency

vera-ttf is small, so it's simpler and safer to just make it a
suggested dependency.

(gutteridge)

Updated security/gnupg-pkcs11-scd to 0.9.2

(manu)

Update gnupg-pkcs11-scd to 0.9.2

Changelog since 0.7.0

2019-01-05 - Version 0.9.2

* Fixu Windows build issues, thanks Luka Logar.
* Use pin-cache configuration, thanks Luka Logar.
* Support openssl-1.1, thanks Thorsten Alteholz, W. Michael Petullo.

2017-09-26 - Version 0.9.1

* Support unix domain socket credentials on FreeBSD.
* Introduce GNUPG_PKCS11_SOCKETDIR to instruct where sockets are created.
* Make proxy systemd service work again per change of systemd behavior.

2017-08-25 - Version 0.9.0

* Avoid dup of stdin/stdout so that the terminate assuan hack operational
  again.
* Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
  provider.
* Lots of cleanups.

2017-07-15 - Version 0.8.0

* Support multiple tokens via serial numbers by hashing token id into
  serial number.
  Implementation changes the card serial number yet again, executing
  gpg --card-status should resync.

2017-04-18 - Version 0.7.6

* Add --homedir parameter.
* Rework serial responses for gnupg-2.1.19.

2017-03-01 - Version 0.7.5

* Fix issue with decrypting padded data, thanks to smunaut.
* Catchup with gnupg-2.1 changes which caused inability to support
  both gpg and gpgsm. Implementation had to change card serial
  number, as a result current keys of gpg will look for the
  previous serial card.
  emulate-openpgpg option is obsoleted and removed.

  ACTION REQUIRED
  in order to assign new card serial number to existing keys.
  backup your ~/.gnupg.
  delete all PKCS#11 secret keys using:
      gpg --delete-secret-keys $KEY then
  Then refresh keys using:
      gpg --card-edit
  In <gnupg-2.1.19 the keys should be re-generated using:
      admin
      generate
  Do not replace keys!
  gpg will learn the private keys of the new card and attach to
  the existing public keys.
* Support gnupg-2.1 features of using existing keys, keys
  should not be explicitly specified in configuration file
  any more.

2017-01-18 - Version 0.7.4

* Fix gpg change in serialno attribute.
* Sync with gnupg-2.1, thanks to Moritz Bechler.

2011-07-30 -- Version 0.7.3

* Use assuan_sock_init, bug#3382372.

2011-04-09 -- Version 0.7.2

* Some cleanups, thanks to Timo Schulz.
* Sync hashing algorithms for OpenPGP.

2011-03-16 -- Version 0.7.1

* Sync with gnupg-2.0.17.

(manu)

Updated games/rocksndiamonds, sysutils/ansible

(adam)

ansible: updated to 2.9.2

v2.9.2

Minor Changes
- Provides additional information about collection namespace name restrictions
- docker_swarm_service - Sort lists when checking for changes.

Bugfixes
- Check NoneType for raw_params before proceeding in include_vars
- Fix nxos_facts rendering of keys
- Fix regression when ``ansible_failed_task`` and ``ansible_failed_result`` are not defined in the rescue block
- Fix string parsing of inline vault strings for plugin config variable sources
- Fixed typo in vmware_guest_powerstate module
- Revert customization of guest custom value behavior
- ``AnsibleUnsafe``/``AnsibleContext``/``Templar`` - Do not treat ``AnsibleUndefined`` as being "unsafe"
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` set to ``false``.
- ansible-galaxy - Fix ``collection install`` when installing from a URL or a file - https://github.com/ansible/ansible/issues/65109
- ansible-galaxy - Return the HTTP code reason if no error msg was returned by the server - https://github.com/ansible/ansible/issues/64850
- ansible-galaxy - Set ``User-Agent`` to Ansible version when interacting with Galaxy or Automation Hub
- ansible-test now properly handles enumeration of git submodules. Enumeration is now done with ``git submodule status --recursive`` without specifying ``.`` for the path, since that could cause the command to fail. Instead, relative paths outside the current directory are filtered out of the results. Errors from ``git`` commands will now once again be reported as errors instead of warnings.
- ansible-test windows coverage - Output temp files as UTF-8 with BOM to standardise against non coverage runs
- become - Fix various plugins that still used play_context to get the become password instead of through the plugin - https://github.com/ansible/ansible/issues/62367
- ce modules - Update(add) docs notes to tell user modules work connection.
- ce modules - Update(add) docs notes to tell user modules work connection.
- ce modules - Update(add) docs notes to tell user modules work connection.
- ce modules - Update(add) docs notes to tell user modules work connection.
- ce modules - Update(add) docs notes to tell user modules work connection.
- ce modules - Update(add) docs notes to tell user modules work connection.
- decouple k8s_scale from the k8s module utils so that it doesn't complain about missing arguments
- docker_container - fix network idempotence comparison error.
- docker_network - fix idempotence comparison error.
- fix all checkpoint modules to be able to get parameter with value false
- fortios httpapi plugin - fix the issue that fortios httpapi plugin does not support python2
- netconf_rpc module does not work with nxos
- netscaler_service - fixed issue preventing use of graceful attribute
- openssh_keypair - fixes idempotence issue with public key
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified when ``state=present``.
- plugins-netconf-ce - Fix failed to get version information.
- postgres.py - add a new keyword argument ``query_params``
- postgresql_db - Removed exception for 'LibraryError'
- postgresql_idx.py - use the ``query_params`` arg of exec_sql function
- postgresql_lang - use query params with cursor.execute
- postgresql_owner - use query_params with cursor object
- postgresql_privs - sort results before comparing so that the values are compared and not the result of ``.sort()``
- postgresql_privs.py - fix reports as changed behavior of module when using ``type=default_privs``
- postgresql_user - fix the module doesn't correctly commit changes if groups is set
- proxmox - fix version detection of proxmox 6 and up (Fixes https://github.com/ansible/ansible/issues/59164)
- pulp_repo - the ``client_cert`` and ``client_key`` options were used for both requests to the Pulp instance and for the repo to sync with, resulting in errors when they were used. Use the new options ``feed_client_cert`` and ``feed_client_key`` for client certificates that should only be used for repo synchronisation, and not for communication with the Pulp instance.
- runas - Fix the ``runas`` ``become_pass`` variable fallback from ``ansible_runas_runas`` to ``ansible_runas_pass``
- win_chocolatey - Improve error checking when finding the path of a newly installed Chocolatey app
- win_domain_computer - Fix idempotence checks when ``sAMAccountName`` is different from ``name``
- win_iis_webapppool - Do not try and set attributes in check mode when the pool did not exist
- yarn - handle no version when installing module by name
- zabbix_action - arguments ``event_source`` and ``esc_period`` no longer required when ``state=absent``

(adam)

rocksndiamonds: updated to 4.1.3.0

Rocks'n'Diamonds 4.1.3.0

A new feature release is available which contains changes that are mainly useful for creating global animations with some more actions and events, but which also add some other features and bug fixes:

Global animations:
added support for handling multiple event definitions for global animations
added support for several new event types that can trigger global animations (窶彿nit窶�, 窶徭tart窶�, 窶彳nd窶� and 窶徘ost窶� to trigger new animations when other animations are initialized using init delay, started, ended or when an animation窶冱 post delay ends)
added global animation event 窶忖nclick:any窶� to handle mouse release events
added global animation class 窶徘ointer窶� for animation at mouse position
added global animation actions executed after init/anim/post delay

Touch devices:
added detecting use of touch device for user input on current platform
added cycling through all zoom tilesizes in editor when using touch device

Bug fixes:
fixed some bugs with drag-and-drop support for level set zip files
fixed level editor copy/paste using Ctrl-c/v for custom/group/DF elements
fixed level sketch copy/paste via clipboard on Windows
lots of other bugs fixed in this release (see Git commit messages)

(adam)

doc: Updated sysutils/virt-what to 1.20

(otis)

Added sysutils/virt-what

(otis)

virt-what: A script to detect if being run in virtual or bare metal environment

(otis)

fix CPU status applet, on NetBSD at least

(plunky)

doc: Updated devel/git to 2.24.1

(leot)

git: Update to 2.24.1

Changes:
2.24.1
======

This release merges up the fixes that appear in v2.14.6, v2.15.4,
v2.17.3, v2.20.2 and in v2.21.1, addressing the security issues
CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and
CVE-2019-19604.

* CVE-2019-1348:
  The --export-marks option of git fast-import is exposed also via
  the in-stream command feature export-marks=... and it allows
  overwriting arbitrary paths.

* CVE-2019-1349:
  When submodules are cloned recursively, under certain circumstances
  Git could be fooled into using the same Git directory twice. We now
  require the directory to be empty.

* CVE-2019-1350:
  Incorrect quoting of command-line arguments allowed remote code
  execution during a recursive clone in conjunction with SSH URLs.

* CVE-2019-1351:
  While the only permitted drive letters for physical drives on
  Windows are letters of the US-English alphabet, this restriction
  does not apply to virtual drives assigned via subst <letter>:
  <path>. Git mistook such paths for relative paths, allowing writing
  outside of the worktree while cloning.

* CVE-2019-1352:
  Git was unaware of NTFS Alternate Data Streams, allowing files
  inside the .git/ directory to be overwritten during a clone.

* CVE-2019-1353:
  When running Git in the Windows Subsystem for Linux (also known as
  "WSL") while accessing a working directory on a regular Windows
  drive, none of the NTFS protections were active.

* CVE-2019-1354:
  Filenames on Linux/Unix can contain backslashes. On Windows,
  backslashes are directory separators. Git did not use to refuse to
  write out tracked files with such filenames.

* CVE-2019-1387:
  Recursive clones are currently affected by a vulnerability that is
  caused by too-lax validation of submodule names, allowing very
  targeted attacks via remote code execution in recursive clones.

Credit for finding these vulnerabilities goes to Microsoft Security
Response Center, in particular to Nicolas Joly. The `fast-import`
fixes were provided by Jeff King, the other fixes by Johannes
Schindelin with help from Garima Singh.

* CVE-2019-19604:
  The change to disallow `submodule.<name>.update=!command` entries in
  `.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
  added explicit fsck checks) fixes the vulnerability in v2.20.x where
  a recursive clone followed by a submodule update could execute code
  contained within the repository without the user explicitly having
  asked for that.

Credit for finding this vulnerability goes to Joern Schneeweisz,
credit for the fixes goes to Jonathan Nieder.

(leot)

doc: Updated textproc/guile-json to 3.3.0

(ng0)

textproc/guile-json: Update to version 3.3.0

Changelog extracted from Changelog file:

bump version to 3.3.0
builder: use string instead of bytevector when throwing exception
Add info to json invalid exception
builder: add #:validate key argument to skip validation
json-builder: throw sensible error warning
parser: make sure empty array slots are considered invalid
added unit tests for scheme object validations
validate scheme object when building JSON document
bump version to 3.2.0
builder: small simplification
add a case for building the JSON of empty JSON objects
builder: document the use of symbols and numbers as JSON object keys
tests: added unit tests for invalid numbers
builder: don't allow complex numbers, inf and nan
bump version to 3.1.0

(ng0)

doc: Updated devel/guile-gcrypt to 0.2.0

(ng0)

devel/guile-gcrypt: Update to version 0.2.0

Changelog:

* Changes in 0.2.0 (since 0.1.0)

** (gcrypt hash) now exposes all the algorithms supported by Libgcrypt
** (guix mac) now exposes all the MAC algorithms, not just HMAC
** (guix hmac) is deprecated in favor of (guix mac)
** Guile-Gcrypt can now be compiled with Guile 2.9 (future 3.0)
** Guile-Gcrypt can now be cross-compiled

(ng0)

doc: Updated www/nsm to 1.23

(ng0)

www/nsm: Update to 1.23

Changelog picked from https://github.com/nifty-site-manager/nsm/releases:

Nift (aka nsm) v1.23
Release Notes:
    fixed Windows bugs and tidied up with pre/post build/serve scripts and @script, @scriptoutput, @scriptraw
    fixed indenting inside pre blocks with methods to input from file
    added allowing quoted string variable names with whitespace and open brackets
    improved filenames for temporary files
    added syntax @\n to template language
    added in syntax for Nift comments to template language:
        <@-- .. --@> (raw multi line comment)
        @/* .. @*/ (parsed multi line comment)
        @--- .. @--- (parsed special multi line comment)
        @# (raw single line comment)
        @// (parsed single line comment)
        @!\n (parsed special single line comment)

Nift (aka nsm) v1.22
Release Notes:
    added in scriptExt to config files, better way to do pre/post build/serve scripts
    added command new-script-ext (page-name) scriptExt
    changed/improved how pre/post build/serve scripts are done
    hopefully fixed bugs with @script, @scriptoutput, @scriptraw functions
    added optional parameter string parameter to @script, @scriptoutput, @scriptraw functions
    updated Nift info commands with additional page information
    added pageinfo syntax @pagecontentext, @pagepageext, @pagescriptext to template language
    added siteinfo syntax @scriptext to template language
    added in buildThreads to config files
    added command no-build-thrds (no-threads)

(ng0)

modular-xorg-server: Sync with current NetBSD xsrc

Match the modesetting driver on x86 and ARM NetBSD.

from maya

Bump PKGREVISION

(nia)

Make sure xygrib does not create a bundle on MacOSX

Make sure xygrib does not create a bundle on MacOSX.

(nros)

atheme: Update DESCR

(nia)

doc: Updated chat/atheme to 7.2.10.r2

(nia)

atheme: Update to 7.2.10.r2

Changes since v7.2.9:

    Bugfixes and better logic in verify_password()
    Fix potential NULL dereference in modules/crypto/posix
    Backport some modules/crypto/pbkdf2v2 improvements from master
    Backport modules/crypto/argon2d from master
    Backport Base-64 codec from master
    Backport some build/configuration system improvements from master
    Bump E-Mail address maximum length to 254 characters
    Use flags setter information in modules/chanserv/access & modules/chanserv/flags
    Fix issue where modules/misc/httpd wasn't closing its listening socket on deinit
    Fix GroupServ data loss issue when a group was the founder of another group

(nia)

Updated net/samba4

(adam)

doc: Updated net/tor to 0.4.2.5

(ng0)

Update net/tor to version 0.4.2.5

Changelog:

Changes in version 0.4.2.5 - 2019-12-09
  This is the first stable release in the 0.4.2.x series. This series
  improves reliability and stability, and includes several stability and
  correctness improvements for onion services. It also fixes many smaller
  bugs present in previous series.

  Per our support policy, we will support the 0.4.2.x series for nine
  months, or until three months after the release of a stable 0.4.3.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Per our support policy, we will support the 0.4.2.x series for nine
  months, or until three months after the release of a stable 0.4.3.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.4.1.4-rc. For a complete list of changes
  since 0.4.1.5, see the ReleaseNotes file.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 32685.

  o Testing:
    - Require C99 standards-conforming code in Travis CI, but allow GNU
      gcc extensions. Also activates clang's -Wtypedef-redefinition
      warnings. Build some jobs with -std=gnu99, and some jobs without.
      Closes ticket 32500.

Changes in version 0.4.2.4-rc - 2019-11-15
  Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including a few that would result in
  stack traces or incorrect behavior.

  o Minor features (build system):
    - Make pkg-config use --prefix when cross-compiling, if
      PKG_CONFIG_PATH is not set. Closes ticket 32191.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
      Country database. Closes ticket 32440.

  o Minor bugfixes (client, onion service v3):
    - Fix a BUG() assertion that occurs within a very small race window
      between when a client intro circuit opens and when its descriptor
      gets cleaned up from the cache. The circuit is now closed early,
      which will trigger a re-fetch of the descriptor and continue the
      connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (code quality):
    - Fix "make check-includes" so it runs correctly on out-of-tree
      builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (configuration):
    - Log the option name when skipping an obsolete option. Fixes bug
      32295; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (crash):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (directory):
    - When checking if a directory connection is anonymous, test if the
      circuit was marked for close before looking at its channel. This
      avoids a BUG() stacktrace if the circuit was previously closed.
      Fixes bug 31958; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (shellcheck):
    - Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
      32402; bugfix on 0.4.2.1-alpha.
    - Start checking most scripts for shellcheck errors again. Fixes bug
      32402; bugfix on 0.4.2.1-alpha.

  o Testing (continuous integration):
    - Use Ubuntu Bionic images for our Travis CI builds, so we can get a
      recent version of coccinelle. But leave chutney on Ubuntu Trusty,
      until we can fix some Bionic permissions issues (see ticket
      32240). Related to ticket 31919.
    - Install the mingw OpenSSL package in Appveyor. This makes sure
      that the OpenSSL headers and libraries match in Tor's Appveyor
      builds. (This bug was triggered by an Appveyor image update.)
      Fixes bug 32449; bugfix on 0.3.5.6-rc.
    - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.

Changes in version 0.4.2.3-alpha - 2019-10-24
  This release fixes several bugs from the previous alpha release, and
  from earlier versions of Tor.

  o Major bugfixes (relay):
    - Relays now respect their AccountingMax bandwidth again. When
      relays entered "soft" hibernation (which typically starts when
      we've hit 90% of our AccountingMax), we had stopped checking
      whether we should enter hard hibernation. Soft hibernation refuses
      new connections and new circuits, but the existing circuits can
      continue, meaning that relays could have exceeded their configured
      AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.

  o Major bugfixes (v3 onion services):
    - Onion services now always use the exact number of intro points
      configured with the HiddenServiceNumIntroductionPoints option (or
      fewer if nodes are excluded). Before, a service could sometimes
      pick more intro points than configured. Fixes bug 31548; bugfix
      on 0.3.2.1-alpha.

  o Minor feature (onion services, control port):
    - The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
      (v3) onion services. Previously it defaulted to RSA1024 (v2).
      Closes ticket 29669.

  o Minor features (testing):
    - When running tests that attempt to look up hostnames, replace the
      libc name lookup functions with ones that do not actually touch
      the network. This way, the tests complete more quickly in the
      presence of a slow or missing DNS resolver. Closes ticket 31841.

  o Minor features (testing, continuous integration):
    - Disable all but one Travis CI macOS build, to mitigate slow
      scheduling of Travis macOS jobs. Closes ticket 32177.
    - Run the chutney IPv6 networks as part of Travis CI. Closes
      ticket 30860.
    - Simplify the Travis CI build matrix, and optimise for build time.
      Closes ticket 31859.
    - Use Windows Server 2019 instead of Windows Server 2016 in our
      Appveyor builds. Closes ticket 32086.

  o Minor bugfixes (build system):
    - Interpret "--disable-module-dirauth=no" correctly. Fixes bug
      32124; bugfix on 0.3.4.1-alpha.
    - Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
      on 0.2.0.20-rc.
    - Stop failing when jemalloc is requested, but tcmalloc is not
      found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
    - When pkg-config is not installed, or a library that depends on
      pkg-config is not found, tell the user what to do to fix the
      problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (connections):
    - Avoid trying to read data from closed connections, which can cause
      needless loops in Libevent and infinite loops in Shadow. Fixes bug
      30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (error handling):
    - Always lock the backtrace buffer before it is used. Fixes bug
      31734; bugfix on 0.2.5.3-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API):
    - Reset the periodic events' "enabled" flag when Tor is shut down
      cleanly. Previously, this flag was left on, which caused periodic
      events not to be re-enabled when Tor was relaunched in-process
      with tor_api.h after a shutdown. Fixes bug 32058; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (process management):
    - Remove overly strict assertions that triggered when a pluggable
      transport failed to launch. Fixes bug 31091; bugfix
      on 0.4.0.1-alpha.
    - Remove an assertion in the Unix process backend. This assertion
      would trigger when we failed to find the executable for a child
      process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Avoid intermittent test failures due to a test that had relied on
      inconsistent timing sources. Fixes bug 31995; bugfix
      on 0.3.1.3-alpha.
    - When testing port rebinding, don't busy-wait for tor to log.
      Instead, actually sleep for a short time before polling again.
      Also improve the formatting of control commands and log messages.
      Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (tls, logging):
    - Log bugs about the TLS read buffer's length only once, rather than
      filling the logs with similar warnings. Fixes bug 31939; bugfix
      on 0.3.0.4-rc.

  o Minor bugfixes (v3 onion services):
    - Fix an implicit conversion from ssize_t to size_t discovered by
      Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
    - Fix a memory leak in an unlikely error code path when encoding HS
      DoS establish intro extension cell. Fixes bug 32063; bugfix
      on 0.4.2.1-alpha.
    - When cleaning up intro circuits for a v3 onion service, don't
      remove circuits that have an established or pending circuit, even
      if they ran out of retries. This way, we don't remove a circuit on
      its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.

  o Documentation:
    - Correct the description of "GuardLifetime". Fixes bug 31189;
      bugfix on 0.3.0.1-alpha.
    - Make clear in the man page, in both the bandwidth section and the
      AccountingMax section, that Tor counts in powers of two, not
      powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
      bytes. Resolves ticket 32106.

Changes in version 0.4.2.2-alpha - 2019-10-07
  This release fixes several bugs from the previous alpha release, and
  from earlier versions. It also includes a change in authorities, so
  that they begin to reject the currently unsupported release series.

  o Major features (directory authorities):
    - Directory authorities now reject relays running all currently
      deprecated release series. The currently supported release series
      are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.

  o Major bugfixes (embedded Tor):
    - Avoid a possible crash when restarting Tor in embedded mode and
      enabling a different set of publish/subscribe messages. Fixes bug
      31898; bugfix on 0.4.1.1-alpha.

  o Major bugfixes (torrc parsing):
    - Stop ignoring torrc options after an %include directive, when the
      included directory ends with a file that does not contain any
      config options (but does contain comments or whitespace). Fixes
      bug 31408; bugfix on 0.3.1.1-alpha.

  o Minor features (auto-formatting scripts):
    - When annotating C macros, never generate a line that our check-
      spaces script would reject. Closes ticket 31759.
    - When annotating C macros, try to remove cases of double-negation.
      Closes ticket 31779.

  o Minor features (continuous integration):
    - When building on Appveyor and Travis, pass the "-k" flag to make,
      so that we are informed of all compilation failures, not just the
      first one or two. Closes ticket 31372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
      Country database. Closes ticket 31931.

  o Minor features (maintenance scripts):
    - Add a Coccinelle script to detect bugs caused by incrementing or
      decrementing a variable inside a call to log_debug(). Since
      log_debug() is a macro whose arguments are conditionally
      evaluated, it is usually an error to do this. One such bug was
      30628, in which SENDME cells were miscounted by a decrement
      operator inside a log_debug() call. Closes ticket 30743.

  o Minor features (onion services v3):
    - Assist users who try to setup v2 client authorization in v3 onion
      services by pointing them to the right documentation. Closes
      ticket 28966.

  o Minor bugfixes (Appveyor continuous integration):
    - Avoid spurious errors when Appveyor CI fails before the install
      step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (best practices tracker):
    - When listing overbroad exceptions, do not also list problems, and
      do not list insufficiently broad exceptions. Fixes bug 31338;
      bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (controller protocol):
    - Fix the MAPADDRESS controller command to accept one or more
      arguments. Previously, it required two or more arguments, and
      ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging):
    - Add a missing check for HAVE_PTHREAD_H, because the backtrace code
      uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
    - Disable backtrace signal handlers when shutting down tor. Fixes
      bug 31614; bugfix on 0.2.5.2-alpha.
    - Rate-limit our the logging message about the obsolete .exit
      notation. Previously, there was no limit on this warning, which
      could potentially be triggered many times by a hostile website.
      Fixes bug 31466; bugfix on 0.2.2.1-alpha.
    - When initialising log domain masks, only set known log domains.
      Fixes bug 31854; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (logging, protocol violations):
    - Do not log a nonfatal assertion failure when receiving a VERSIONS
      cell on a connection using the obsolete v1 link protocol. Log a
      protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (modules):
    - Explain what the optional Directory Authority module is, and what
      happens when it is disabled. Fixes bug 31825; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (multithreading):
    - Avoid some undefined behaviour when freeing mutexes. Fixes bug
      31736; bugfix on 0.0.7.

  o Minor bugfixes (relay):
    - Avoid crashing when starting with a corrupt keys directory where
      the old ntor key and the new ntor key are identical. Fixes bug
      30916; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (tests, SunOS):
    - Avoid a map_anon_nofork test failure due to a signed/unsigned
      integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.

  o Code simplification and refactoring:
    - Refactor connection_control_process_inbuf() to reduce the size of
      a practracker exception. Closes ticket 31840.
    - Refactor the microdescs_parse_from_string() function into smaller
      pieces, for better comprehensibility. Closes ticket 31675.
    - Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
      tests and fuzzers, rather than using hard-coded values. Closes
      ticket 31334.
    - Interface for function `decrypt_desc_layer` cleaned up. Closes
      ticket 31589.

  o Documentation:
    - Document the signal-safe logging behaviour in the tor man page.
      Also add some comments to the relevant functions. Closes
      ticket 31839.
    - Explain why we can't destroy the backtrace buffer mutex. Explain
      why we don't need to destroy the log mutex. Closes ticket 31736.
    - The Tor source code repository now includes a (somewhat dated)
      description of Tor's modular architecture, in doc/HACKING/design.
      This is based on the old "tor-guts.git" repository, which we are
      adopting and superseding. Closes ticket 31849.

(ng0)

doc: Updated net/dnscrypt-proxy2 to 2.0.35

(nia)

dnscrypt-proxy2: Update to 2.0.35

* Version 2.0.35
- New option: `block_unqualified` to block `A`/`AAAA` queries with
unqualified host names. These will very rarely get an answer from upstream
resolvers, but can leak private information to these, as well as to root
servers.
- When a `CNAME` pointer is blocked, the original query name is now logged
along with the pointer. This makes it easier to know what the original
query name, so it can be whitelisted, or what the pointer was, so it
can be removed from the blacklist.

(nia)

doc: Updated chat/weechat to 2.7

(nia)

weechat: Update to 2.7

Among the new features:

- add option logger.file.color_lines (support of ANSI color codes in log files)
- add filters on IRC raw buffer
- add IRC server option "ssl_password"
- add option irc.look.display_pv_warning_address
- add options irc.color.message_kick and irc.color.reason_kick
- add option xfer.file.download_temporary_suffix
- add option weechat.look.nick_color_hash_salt
- add different WeeChat icons sizes
- add calculation of expression in evaluation of expressions with "calc:xxx"
- add optional default path (evaluated) in completion "filename"
- add modifier "color_encode_ansi"
- add support of Guile 2.2
- add support of Python 3.8
- many bugs fixed.

(nia)

samba4: updated to 4.11.3

Samba 4.11.3
This is a security release in order to address the following defects:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
  management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
  on Samba AD DC.

(adam)

mpv: More evdev mouse button definitions now needed

(nia)

doc: Updated print/ghostscript-agpl to 9.50

(leot)

ghostscript-agpl: Update to 9.50

Changes:
Version 9.50 (2019-09-30)

Highlights in this release include:

  * The change to version 9.50 (rather than the intended 9.28) follows
    recognition of the extent and importance of the file access control
    redesign/reimplementation outlined below.
  * The file access control capability (enable with -dSAFER) has been
    completely rewritten, with a ground-up rethink of the design. For more
    details, see: SAFER.

    It is important to note that -dSAFER now only enables the file access
    controls, and no longer applies restrictions to standard Postscript
    functionality (specifically, restrictions on setpagedevice. If your
    application relies on these Postscript restrictions, see OLDSAFER, and
    please get in touch, as we do plan to remove those Postscript restrictions
    unless we have reason not to.

    IMPORTANT: File access controls are now enabled by default. In order to run
    Ghostscript without these controls, see NOSAFER

    Important Note for Windows Users: See below under Incompatible Changes
  * IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread
    safe, and cannot be made thread safe without breaking the ABI. Our fork
    will be thread safe, and include performance enhancements (these changes
    have all be been offered and rejected upstream). We will maintain
    compatibility between Ghostscript and LCMS2 for a time, but not in
    perpetuity. Our fork will be available as its own package separately from
    Ghostscript (and MuPDF).
  * The usual round of bug fixes, compatibility changes, and incremental
    improvements.
  * Special thanks to Akira Kakuto, Paul Wessel, William Bader, Nelson H. F.
    Beebe and everyone else who put time and effort into testing this new
    release.

For a list of open issues, or to report problems, please visit
bugs.ghostscript.com.

Incompatible changes

  * There are a couple of subtle incompatibilities between the old and new
    SAFER implementations. Firstly, as mentioned above, SAFER now leaves
    standard Postcript functionality unchanged (except for the file access
    limitations). Secondly, the interaction with save&sol;restore operations,
    see SAFER.

    Important Note for Windows Users:
    The file/path pattern matching is case sensitive, even on Windows. This is
    a change in behaviour compared to the old code which, on Windows, was case
    insensitive. This is in recognition of changes in Windows behaviour, in
    that it now supports (although does not enforce) case sensitivity.
  * The following is not strictly speaking new to 9.50, as not much has changed
    since 9.27 in this area, but for those who don't upgrade with every
    release:

    The process of "tidying" the Postscript name space should have removed only
    non-standard and undocumented operators. Nevertheless, it is possible that
    any integrations or utilities that rely on those non-standard and
    undocumented operators may stop working, or may change behaviour.

    If you encounter such a case, please contact us (either the #ghostscript
    IRC channel, or the gs-devel mailing list would be best), and we'll work
    with you to either find an alternative solution or return the previous
    functionality, if there is genuinely no other option.

    One case we know this has occurred is GSView 5 (and earlier). GSView 5
    support for PDF files relied upon internal use only features which are no
    longer available. GSView 5 will still work as previously for Postscript
    files. For PDF files, users are encouraged to look at MuPDF.

(leot)

doc: Updated graphics/jbig2dec to 0.17

(leot)

jbig2dec: Update to 0.17

pkgsrc changes:
- Update HOMEPAGE

Changes:
Version 0.17 (2019 October 1)
* Updated documentation with accurate contact information.
* Moved version number to jbig2.h, and adapted configure
  correspondingly. Added pkg-config file to be installed
  along side library. Added run-time check of version
  number so that the correct header is used with the matching
  binary library.
* Bug fixes.

(leot)

jbig2dec: Update LICENSE: it's under AGPLv3, not GPLv3!

(leot)

wm/enlightenment: fix PLIST for OSes which build libhack

Build fix for Linux, SunOS, et al.

(gutteridge)

www/php-apcu_bc: allow build with php73

Allow build with php73.

(taca)

doc: Updated pkgtools/pkglint to 19.3.16

(rillig)

pkgtools/pkglint: update to 19.3.16

Changes since 19.3.15:

When a package-settable variable gets a default value using the ?=
operator, pkglint no longer suggests to include bsd.prefs.mk, since that
doesn't make sense. Including bsd.prefs.mk only defines user-settable
and system-provided variables.

User and group names may be a single character only. While not widely
used, it's syntactically valid and there's no reason to prevent this.

In variable assignments, when pkglint removes unnecessary whitespace
between the variable name and the operator, it keeps the indentation of
the variable value the same as before. Previously, the indentation had
been changed, which required another run of pkglint --autofix.

PREFIX can only be used as a replacement for LOCALBASE after the whole
package Makefile has been loaded. This is because PREFIX is defined
very late, by bsd.pkg.mk. Therefore, don't suggest to replace LOCALBASE
with PREFIX in .if conditions.

When pkglint suggests to replace INSTALL_DATA_DIR commands with setting
INSTALLATION_DIRS instead, paths with a trailing slash are correctly
looked up in the PLIST. This suggests to use AUTO_MKDIRS more often.

(rillig)

Updated lang/npm, devel/yarn

(adam)

yarn: updated to 1.19.2

1.19.2
Folders like .cache won't be pruned from the node_modules after each install.
Correctly installs workspace child dependencies when workspace child not symlinked to root.
Makes running scripts with Plug'n Play possible on node 13.
Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.

(adam)

npm: updated to 6.13.2

6.13.2:

BUG FIXES
* fix docs target typo
* fix(packageRelativePath): fix 'where' for file deps
* Revert "windows: Add preliminary WSL support for npm and npx"
* remove unnecessary package.json read when reading shrinkwrap
* fix(fund): open url for string shorthand
* Don't log error message if git tagging is disabled
* Warn the user that it is uninstalling npm-install

(adam)

Updated lang/nodejs

(adam)

nodejs8: update Makefile after recent changes to nodejs/Makefile.common

(adam)

nodejs: added version 12.13.1, removed version 6.14.3

Moved nodejs to nodejs10 - version 10.17.0

Version 12.13.1 'Erbium' (LTS):

Notable changes
Experimental support for building Node.js with Python 3 is improved.
ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil.

(adam)

nodejs: updated to 13.3.0

Version 13.3.0:

Notable Changes
fs:
Reworked experimental recursive rmdir()
The maxBusyTries option is renamed to maxRetries, and its default is set to 0. The emfileWait option has been removed, and EMFILE errors use the same retry logic as other errors. The retryDelay option is now supported. ENFILE errors are now retried.
http:
Make maximum header size configurable per-stream or per-server
http2:
Make maximum tolerated rejected streams configurable
Allow to configure maximum tolerated invalid frames
wasi:
Introduce initial WASI support

(adam)

Fix compilation on platforms that need sys/loadavg.h for loadavg

Make mod_load look for sys/loadavg.h using configure and include it if found.

(nros)

Updated security/gnupg2, mail/exim, mail/exim-html

(adam)

exim: updated to 4.93

Exim version 4.93
-----------------

JH/01 OpenSSL: With debug enabled output keying information sufficient, server
      side, to decode a TLS 1.3 packet capture.

JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
      Previously the default library behaviour applied, sending two, each in
      its own TCP segment.

JH/03 Debug output for ACL now gives the config file name and line number for
      each verb.

JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.

JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.

JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
      buffer overrun for (non-chunking) other transports.

JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
      TLS1.3, means that a server rejecting a client certificate is not visible
      to the client until the first read of encrypted data (typically the
      response to EHLO).  Add detection for that case and treat it as a failed
      TLS connection attempt, so that the normal retry-in-clear can work (if
      suitably configured).

JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
      and/or domain.  Found and fixed by Jason Betts.

JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
      configuration).  If a CNAME target was not a wellformed name pattern, a
      crash could result.

JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
      the OS reports them interleaved with other addresses.

JH/10 OpenSSL: Fix aggregation of messages.  Previously, when PIPELINING was
      used both for input and for a verify callout, both encrypted, SMTP
      responses being sent by the server could be lost.  This resulted in
      dropped connections and sometimes bounces generated by a peer sending
      to this system.

JH/11 Harden plaintext authenticator against a badly misconfigured client-send
      string.  Previously it was possible to cause undefined behaviour in a
      library routine (usually a crash).  Found by "zerons".

JH/12 Bug 2384: fix "-bP smtp_receive_timeout".  Previously it returned no
      output.

JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward.  Some old
      API was removed, so update to use the newer ones.

JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
      any timeout set, is taking a long time.  Previously we would hang on to a
      rotated logfile "forever" if the input was arriving with long gaps
      (a previous attempt to fix addressed lack, for a long time, of initial
      input).

HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment. The length of the tempfile name is now
      4 + 16 ("hdr.$message_exim_id") which might break on file
      systems which restrict the file name length to lower values.
      (It was "hdr.$pid".)

HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment.

HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
      did for all versions <4.90). Notably -M, -m, --invert, -I may be
      affected.

JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
      on some platforms for bit 31.

JH/16 GnuTLS: rework ciphersuite strings under recent library versions.  Thanks
      to changes apparently associated with TLS1.3 handling some of the APIs
      previously used were either nonfunctional or inappropriate.  Strings
      like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
      and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
      the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
      This affects log line X= elements, the $tls_{in,out}_cipher variables,
      and the use of specific cipher names in the encrypted= ACL condition.

JH/17 OpenSSL: the default openssl_options now disables ssl_v3.

JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
      verification result was not updated unless hosts_require_ocsp applied.

JH/19 Bug 2398: fix listing of a named-queue.  Previously, even with the option
      queue_list_requires_admin set to false, non-admin users were denied the
      facility.

JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
      directory-of-certs mode.  Previously they were advertised despite the
      documentation.

JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
      A single TCP connection by a client will now hold a TLS connection open
      for multiple message deliveries, by default.  Previoud the default was to
      not do so.

JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
      default.  If built with the facility, DANE will be used.  The facility
      SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".

JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
      is replaced with DISABLE_TLS.  Either USE_GNUTLS or (the new) USE_OPENSSL
      must be defined and you must still, unless you define DISABLE_TLS, manage
      the the include-dir and library-file requirements that go with that
      choice.  Non-TLS builds are still supported.

JH/24 Fix duplicated logging of peer name/address, on a transport connection-
      reject under TFO.

JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
      default.  If the platform supports and has the facility enabled, it will
      be requested on all coneections.

JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
      controlled by the build-time option SUPPORT_PIPE_CONNECT.

PP/01 Unbreak heimdal_gssapi, broken in 4.92.

JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
      success-DSN messages.  Previously the From: header was always the default
      one for these; the option was ignored.

JH/28 Fix the timeout on smtp response to apply to the whole response.
      Previously it was reset for every read, so a teergrubing peer sending
      single bytes within the time limit could extend the connection for a
      long time.  Credit to Qualsys Security Advisory Team for the discovery.

JH/29 Fix DSN Final-Recipient: field.  Previously it was the post-routing
      delivery address, which leaked information of the results of local
      forwarding.  Change to the original envelope recipient address, per
      standards.

JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
      requested.  Previously not bounce was generated and a log entry of
      error ignored was made.

JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)

JH/32 Introduce a general tainting mechanism for values read from the input
      channel, and values derived from them.  Refuse to expand any tainted
      values, to catch one form of exploit.

JH/33 Bug 2413: Fix dkim_strict option.  Previously the expansion result
      was unused and the unexpanded text used for the test.  Found and
      fixed by Ruben Jenster.

JH/34 Fix crash after TLS shutdown.  When the TCP/SMTP channel was left open,
      an attempt to use a TLS library read routine dereffed a nul pointer,
      causing a segfault.

JH/35 Bug 2409: filter out-of-spec chars from callout response before using
      them in our smtp response.

JH/36 Have the general router option retry_use_local_part default to true when
      any of the restrictive preconditions are set (to anything).  Previously it
      was only for check_local user.  The change removes one item of manual
      configuration which is required for proper retries when a remote router
      handles a subset of addresses for a domain.

JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
      link count into consideration.

HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
      caused the extension of big_buffer, the following lines were ignored.

JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
      accordance with RFC 2308.  Previously there was no expiry, so a longlived
      receive process (eg. due to ACL delays) versus a short SOA value could
      surprise.

HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)

JH/39 Promote DMARC support to mainline.

JH/40 Bug 2452: Add a References: header to DSNs.

JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
      parameters.  The relevant library call is documented as "Deprecated: This
      function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
      3.6.0, DH parameters are negotiated following RFC7919."

HS/06 Change the default of dnssec_request_domains to "*"

JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected.  Previously we
      carried on and emitted a BDAT command, even when PIPELINING was not
      active.

JH/43 Bug 2465: Fix taint-handling in dsearch lookup.  Previously a nontainted
      buffer was used for the filename, resulting in a trap when tainted
      arguments (eg. $domain) were used.

JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
      recommended to avoid a possible server-load attack.  The feature can be
      re-enabled via the openssl_options main cofiguration option.

JH/45 local_scan API: documented the current smtp_printf() call. This changed
      for version 4.90 - adding a "more data" boolean to the arguments.
      Bumped the ABI version number also, this having been missed previously;
      release versions 4.90 to 4.92.3 inclusive were effectively broken in
      respect of usage of smtp_printf() by either local_scan code or libraries
      accessed via the ${dlfunc } expansion item.  Both will need coding
      adjustment for any calls to smtp_printf() to match the new function
      signature; a FALSE value for the new argument is always safe.

JH/46 FreeBSD: fix use of the sendfile() syscall.  The shim was not updating
      the file-offset (which the Linux syscall does, and exim expects); this
      resulted in an indefinite loop.

JH/47 ARC: fix crash in signing, triggered when a configuration error failed
      to do ARC verification.  The Authentication-Results: header line added
      by the configuration then had no ARC item.

(adam)

gnupg2: updated to 2.2.19

Noteworthy changes in version 2.2.19:

* gpg: Fix double free when decrypting for hidden recipients.
  Regression in 2.2.18.

* gpg: Use auto-key-locate for encryption even for mail addressed
  given with angle brackets.

* gpgsm: Add special case for certain expired intermediate
  certificates.

(adam)

salt-docs: Skip legitimate hardcoded paths.

(jperkin)

lang/php: update examples to php73 in comment

Update examples to php73 in comment.

(taca)

Bump PKGREVISION by changing of default PHP version.

(taca)

lang/php: change default version of php to 7.3.x

Change default version of php from 7.1.x to 7.3.x.

* PHP 7.1.x is now EOL after 1st Dec 2019.
* PHP 7.3.x is actively maintained release.

(taca)

doc: Updated graphics/gnuplot to 5.2.8nb1

(rin)

PR pkg/54623 (Joern Clausen)

Disable gnuplot-pdf-doc by default. This option requires TeX packages,
that are too much for users who merely wants to plot graphs.

Bump revision.

(rin)

doc: Updated net/gallery-dl to 1.12.0

(leot)

gallery-dl: Update to 1.12.0

Changes:
1.12.0
------
### Additions
- [flickr] support 3k, 4k, 5k, and 6k photo sizes (#472)
- [imgur] add extractor for subreddit links (#500)
- [newgrounds] add extractors for `audio` listings and general `media`
  files (#394)
- [newgrounds] implement login support (#394)
- [postprocessor:metadata] implement a `extension-format` option (#477)
- `--exec-after`

### Changes
- [deviantart] ensure consistent username capitalization (#455)
- [directlink] split `{path}` into `{path}/{filename}.{extension}`
- [twitter] update metadata fields with user/author information
- [postprocessor:metadata] filter private entries & rename `format` to
  `content-format`
- Enable `cookies-update` by default

### Fixes
- [2chan] fix metadata extraction
- [behance] get images from 'media_collection' modules
- [bobx] fix image downloads by randomly generating session cookies (#482)
- [deviantart] revert to getting download URLs from OAuth API calls (#488)
- [deviantart] fix URL generation from '/extended_fetch' results (#505)
- [flickr] adjust OAuth redirect URI (#503)
- [hentaifox] fix extraction
- [imagefap] adapt to new image URL format
- [imgbb] fix error in galleries without user info (#471)
- [instagram] prevent errors with missing 'video_url' fields (#479)
- [nijie] fix `date` parsing
- [pixiv] match new search URLs (#507)
- [plurk] fix comment pagination
- [sexcom] send specific Referer headers when downloading videos
- [twitter] fix infinite loops (#499)
- [vsco] fix user profile and collection extraction (#480)
- Fix Cloudflare DDoS protection bypass

### Removals
- `--abort-on-skip`

(leot)