flactag: Fix build on NetBSD 9.99.17

Adapt the local patch for the POSIX iconv(3) API change in new NetBSD.

(kamil)

doc: Updated lang/ghc to 6.8.3nb10

(gutteridge)

ghc: adjust patch to allow for Perl >= 5.30

(gutteridge)

textproc/Makefile: sort entries

(gutteridge)

postgresql12: fix nls option support

(triaxx)

postgresql11: fix nls option support

(triaxx)

postgresql12: make nls option on by default

(triaxx)

postgresql11: make nls option on by default

(triaxx)

update libtasn1 to version 4.14:
* Noteworthy changes in release 4.14 (released 2019-07-21) [stable]
- New #defines for version checking: ASN1_VERSION_MAJOR, ASN1_VERSION_MINOR,
  ASN1_VERSION_PATCH, ASN1_VERSION_NUMBER. The next release will switch
  to semantic version semantics.
- Simplify ordering of SET OF elements by using qsort().
- Marked explicitly const uses of asn1_node with the introduction
  of the (compatible) asn1_node_const type.
- Limit recursion in _asn1_expand_object_id() to detect infinite
  recursion in incorrect .asn files (#4).
- asn1_array2tree(): fixed thread safety issues.
- Several fixes in gtk-doc generation.

fixes CVE-2018-1000654

(spz)

postgresql11: make nls support optional

(triaxx)

Revert previous

* devel/meson can handle cmake case correctly now.

(ryoon)

doc/TODO: update some

+ mysql-server-8.0.18, ruby-redmine-4.0.5, samba-4.11.1.

(taca)

doc: Updated lang/php71 to 7.1.33

(taca)

lang/php71: update to 7.1.33

Update php71 to 7.1.33.

24 Oct 2019, PHP 7.1.33

- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE).
    (CVE-2019-11043) (Jakub Zelenka)

(taca)

doc: Updated lang/php73 to 7.3.11

(taca)

lang/php73: update to 7.3.11

Update php73 to 7.3.11.

24 Oct 2019, PHP 7.3.11

- Core:
  . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
    (bugreportuser)
  . Fixed bug #78620 (Out of memory error). (cmb, Nikita)

- Exif :
  . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7)
(Kalle)

- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE).
    (CVE-2019-11043) (Jakub Zelenka)
  . Fixed bug #78413 (request_terminate_timeout does not take effect after
    fastcgi_finish_request). (Sergei Turchanov)

- MBString:
  . Fixed bug #78633 (Heap buffer overflow (read) in mb_eregi). (cmb)
  . Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
    (cmb)
  . Fixed bug #78609 (mb_check_encoding() no longer supports stringable
    objects). (cmb)

- MySQLi:
  . Fixed bug #76809 (SSL settings aren't respected when persistent connections
    are used). (fabiomsouto)

- Mysqlnd:
  . Fixed bug #78525 (Memory leak in pdo when reusing native prepared
    statements). (Nikita)

- PCRE:
  . Fixed bug #78272 (calling preg_match() before pcntl_fork() will freeze
    child process). (Nikita)

- PDO_MySQL:
  . Fixed bug #78623 (Regression caused by "SP call yields additional empty
    result set"). (cmb)

- Session:
  . Fixed bug #78624 (session_gc return value for user defined session
    handlers). (bshaffer)

- Standard:
  . Fixed bug #76342 (file_get_contents waits twice specified timeout).
    (Thomas Calvet)
  . Fixed bug #78612 (strtr leaks memory when integer keys are used and the
    subject string shorter). (Nikita)
  . Fixed bug #76859 (stream_get_line skips data if used with data-generating
    filter). (kkopachev)

- Zip:
  . Fixed bug #78641 (addGlob can modify given remove_path value). (cmb)

(taca)

doc: Updated lang/php72 to 7.2.24 [taca 2019-10-25]

(taca)

doc: Updated devel/ruby-docile to 1.3.2

Note update of devel/ruby-docile to 1.3.2, I forgot to commit it.

(taca)

lang/php72: update to 7.2.24

Update php72 to 7.2.24.

24 Oct 2019, PHP 7.2.24

- Core:
  . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
    (bugreportuser)
  . Fixed bug #78620 (Out of memory error). (cmb, Nikita)

- Exif:
  . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7)
(Kalle)

- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE).
    (CVE-2019-11043) (Jakub Zelenka)

- MBString:
  . Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
    (cmb)
  . Fixed bug #78609 (mb_check_encoding() no longer supports stringable
    objects). (cmb)

- MySQLi:
  . Fixed bug #76809 (SSL settings aren't respected when persistent connections
    are used). (fabiomsouto)

- PDO_MySQL:
  . Fixed bug #78623 (Regression caused by "SP call yields additional empty
    result set"). (cmb)

- Session:
  . Fixed bug #78624 (session_gc return value for user defined session
    handlers). (bshaffer)

- Standard:
  . Fixed bug #76342 (file_get_contents waits twice specified timeout).
    (Thomas Calvet)
  . Fixed bug #78612 (strtr leaks memory when integer keys are used and the
    subject string shorter). (Nikita)
  . Fixed bug #76859 (stream_get_line skips data if used with data-generating
    filter). (kkopachev)

- Zip:
  . Fixed bug #78641 (addGlob can modify given remove_path value). (cmb)

(taca)

net/unif: Add comment about why update to 5.11.50 is on hold

(gdt)

hex-a-hop: Fix build on NetBSD 9.99.17

Adapt the local patch for the POSIX iconv(3) API change in new NetBSD.

(kamil)

ocsync: Fix build on NetBSD 9.99.17

Adapt the local patch for the POSIX iconv(3) API change in new NetBSD.

(kamil)

subtitleeditor: Missing patch

(nia)

ncmpc: Fix build on NetBSD 9.99.17

Adapt the local patch for the POSIX iconv(3) API change in new NetBSD.

(kamil)

musicpd: Switch back to PYTHON_VERSIONED_DEPENDENCIES

(nia)

musicpd: Use current sphinx binary name

(nia)

doc: Updated audio/musicpd to 0.21.16

(nia)

musicpd: Update to 0.21.16

ver 0.21.16 (2019/10/16)
* queue
  - fix relative destination offset when moving a range
* storage
  - curl: request the "resourcetype" property to fix database update
  - curl: URL-encode more paths
  - curl: follow redirects for collections without trailing slash
* update
  - fix crash when music_directory is not a directory
* fix build with iconv() instead of ICU

(nia)

aspell-nds: Fix installation (conflicts with aspell)

(nia)

icoutils: Fix NLS

(nia)

Updated emulators/qemu, net/grpc, net/py-grpcio, net/py-grpcio-tools, net/wireshark

(adam)

wireshark: updated to 3.0.6

Wireshark 3.0.6:

What’s New

    • On macOS, Wireshark can now be installed by dropping Wireshark.app
      onto the Applications folder.

    • The macOS installer now ships with Qt 5.12.5. It previously
      shipped with Qt 5.12.3.

  Bug Fixes

  The following bugs have been fixed:

    • macOS installer uses wrong user ID. Bug 6991[1].

    • Using macosx-setup seems to prevent installing pre-built binary.
      Bug 11399[2].

    • macOS installer package is configured to disallow downgrades. Bug
      12593[3].

    • extcap: Several issues when capturing from multiple extcap
      interfaces. Bug 13653[4].

    • Expert Infos Incorrectly Displays Info Column instead of comment.
      Bug 15516[5].

    • Wireshark does not support USB packets with size greater than 256
      KiB. Bug 15985[6].

    • IS-IS: add support for decoding TE TLV Type 138 as per RFC 5307.
      Bug 16012[7].

    • NET-SNMP EngineID Length handling Warning. Bug 16051[8].

    • TLS decryption is very slow on Windows when using a large PMS
      file compared to Linux/macOS. Bug 16059[9].

    • wireshark-3.0.5/epan/dissectors/packet-nas_5gs.c:2459: bad test
      ?. Bug 16075[10].

    • ERSPAN Type III over GRE without sequence number not decoded
      correctly. Bug 16089[11].

    • Windows dumpcap -v does not display capture library info. Bug
      16108[12].

    • [Regression] FT_CHAR fields not supported in Lua API. Bug
      16129[13].

  Updated Protocol Support
  AgentX, BT L2CAP, ERSPAN, GRE, IPv4, IS-IS, NAS 5GS, OpcUa, SNMP, and
  SRT

(adam)

py-grpcio[-tools]: updated to 1.24.3

1.24.3
Add strip_prefix to python protoc plugin and py_grpc_library.
Switch py_proto_library from using src to deps to conform with google3.
Expose local credentials on Python layer.
Make default vtable for pointer argument a constant.
Gracefully handle errors from Future object callbacks.
Gracefully handle exceptions raised by signal handlers on the main thread while unary RPCs are in flight.
Separate py_grpc_library and py_proto_library.
Add wait_for_termination method to grpc.Server.
Add Python Cancellation Example.

(adam)

grpc: updated to 1.24.3

Release v1.24.3
This release contains refinements, improvements, and bug fixes.

Release v1.24.2
This release contains refinements, improvements, and bug fixes.

Release v1.24.1
This release contains refinements, improvements, and bug fixes.

Release v1.24.0
This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

gRPC Core starts to have a dependency against the C++ standard library such as libstdc++.so depending on the platform. This applies to all wrapped libraries and they have this new dependency, too. (For more detail, see the proposal)
Remove call from queued picks when failing it due to channel destruction.
Catch the error if socket initialization fails.
Do not create streams after a GOAWAY has been received.
Prevent HTTP2 parser from queueing a lot of induced frames.
Send RPC deadline to server in cronet header.
Mandate static string for host and method passed to grpc_channel_register.
Fail SEND_MESSAGE ops if stream is closed for writes.
Add Delegating Channel.
C++

Allow call credentials interception at PRE_SEND_INITIAL_METADATA.
Upgrade to Bazel 0.29 (including Windows RBE).
Update Google Benchmark v1.5.0 to get CMake < 3.6 fix.
Fix a big source of races in CHTTP2 code.
Channel idleness atomic.
Update C++ code generation to work with Bazel 0.29 .

(adam)

qemu: deal with static files generated by Sphinx

(adam)

lmms: remove note

(nia)

rust: Switch to using pkgsrc gzip for extraction on SunOS.

Something in the rust-1.38 tarball is tickling a bug in the version of
gzip shipped at least on SmartOS.

(jperkin)

doc: Update shells/pbosh to 20191007

(micha)

shells/pbosh: Update to 20191007

Based on SchilyTools Release from 2019-10-07.

Changelog
=========
- configure: Some shells report a syntax error with "< file (cmd)"
  and need the redirection statement to be *after* the command. Our
  changes to support the V7 shell by adding round braces caused ash
  variants like "dash" to fail.

  Thanks to Harald van Dijk for reporting

- cont/cc-config.sh: canged some :>some-file statements into
  (:)>some-file. they have meen missed when introducing work arounds
  for the V7 Shell on Ultrix that does not support I/O redirection
  for builtin commands.

  Thanks to Robert Clausecker for reporting

- libschily/comerr.c: If the environment COMERR_EXCODE has been set to
a value that starts with '0', the normal exit code mapping is switched
off, but all potential exit code values != 0 that follow the rule

    (excode % 256) == 0

  are mapped to -64. This helps to avoid unexpected behavior with
  historic shells that still use the old waitpid() and modern
  shells (using waitid() but in a backward compatible default mode)
  where a program that terminates with

    exit(256);

  is evaluated in conditional statements as if the exit code was 0.

- Bourne Shell: Missing Makefile.dot added.

- Bourne Shell / bsh / ved: The dotdiles TAR archives are now again named
  */dotfiles.tar.bz2 as the change in the previous release caused
  problems.

  Thanks for Gabriele Balducci balducci@units.it and Robert Clausecker
  for reporting

- Bourne Shell: Cstyle changes (long lines removed) in io.c & expand.c

- Bourne Shell: Fixed a bug that prevented to forward the special exit
  cause (NOTFOUND or NOEXEC) to the vfork() parent process via.
  struct siginfo.si_code in some cases. These values are added beyond
  the POSIX CLD_* values in siginfo.si_code from the POSIX standard.
  They are passed back from the vfork()ed child to the parent via the
  shared memory from the vfork() implementation.

- Bourne Shell: introduced shared memory to be able to forward the
  special exit cause (NOTFOUND or NOEXEC) to the parent even in case it
  used fork() instead of vfork().

- Bourne Shell: Added support for a new automatic parameter "$/" to
  complement the existing parameter "$?".

  This is a result from a discussion in a POSIX teleconference from
  April 2016.

  This new parameter returns *decimal numbers* for a normal command
  termination and *text* for abnormal command termination:

  number<>Exit code from normal termination. This is a signed 32 bit
    value from the exit() parameter on POSIX systems and a 8 bit
    value on pre-POSIX systems like Linux.

  signame>A signal name (see kill -l) if the command has been terminated
    by a signal. This is the signal name with the leading "SIG"
    stripped off.

  NOEXEC<>The command was found but could not be executed, e.g. as
    a result of missing permissions or because the name points
    to a directory.

  NOTFOUND The command could not be found.

  Note that currently, the strings "NOEXEC" and "NOTFOUND" are passed
  back reliably from vfork(2) childs or when the related state is already
  known by the cache. In other cases, the reliability of $/ with respect
  to "NOEXEC" and "NOTFOUND" has not yet been verified. It thus may
  return 126 or 127 as with $?. The string values "NOEXEC" and "NOTFOUND"
  cannot be passed back from a subshell, using only the waitid()
  mechanism. To circumvent that problem, from fork()ed subshells,.
  shared memory or non-fork()ed virtual subshells would work.

  If you detect a complex command where you get 126 or 127 instead of
  the exoected "NOEXEC" or "NOTFOUND", please send a report.

  We for now choose to use shared memory as this is easier to implement.
  Later versions will mosy likely implement virtual fork()less
  subshells.

- Bourne Shell: minor Cstyle changes on word.c and macro.c

- Bourne Shell: New version date

(micha)

doc: Update shells/bosh to 20191007

(micha)

shells/bosh: Update to 20191007

Based on SchilyTools Release from 2019-10-07.

Changelog
=========
- configure: Some shells report a syntax error with "< file (cmd)"
  and need the redirection statement to be *after* the command. Our
  changes to support the V7 shell by adding round braces caused ash
  variants like "dash" to fail.

  Thanks to Harald van Dijk for reporting

- cont/cc-config.sh: canged some :>some-file statements into
  (:)>some-file. they have meen missed when introducing work arounds
  for the V7 Shell on Ultrix that does not support I/O redirection
  for builtin commands.

  Thanks to Robert Clausecker for reporting

- libschily/comerr.c: If the environment COMERR_EXCODE has been set to
a value that starts with '0', the normal exit code mapping is switched
off, but all potential exit code values != 0 that follow the rule

    (excode % 256) == 0

  are mapped to -64. This helps to avoid unexpected behavior with
  historic shells that still use the old waitpid() and modern
  shells (using waitid() but in a backward compatible default mode)
  where a program that terminates with

    exit(256);

  is evaluated in conditional statements as if the exit code was 0.

- Bourne Shell: Missing Makefile.dot added.

- Bourne Shell / bsh / ved: The dotdiles TAR archives are now again named
  */dotfiles.tar.bz2 as the change in the previous release caused
  problems.

  Thanks for Gabriele Balducci balducci@units.it and Robert Clausecker
  for reporting

- Bourne Shell: Cstyle changes (long lines removed) in io.c & expand.c

- Bourne Shell: Fixed a bug that prevented to forward the special exit
  cause (NOTFOUND or NOEXEC) to the vfork() parent process via.
  struct siginfo.si_code in some cases. These values are added beyond
  the POSIX CLD_* values in siginfo.si_code from the POSIX standard.
  They are passed back from the vfork()ed child to the parent via the
  shared memory from the vfork() implementation.

- Bourne Shell: introduced shared memory to be able to forward the
  special exit cause (NOTFOUND or NOEXEC) to the parent even in case it
  used fork() instead of vfork().

- Bourne Shell: Added support for a new automatic parameter "$/" to
  complement the existing parameter "$?".

  This is a result from a discussion in a POSIX teleconference from
  April 2016.

  This new parameter returns *decimal numbers* for a normal command
  termination and *text* for abnormal command termination:

  number<>Exit code from normal termination. This is a signed 32 bit
    value from the exit() parameter on POSIX systems and a 8 bit
    value on pre-POSIX systems like Linux.

  signame>A signal name (see kill -l) if the command has been terminated
    by a signal. This is the signal name with the leading "SIG"
    stripped off.

  NOEXEC<>The command was found but could not be executed, e.g. as
    a result of missing permissions or because the name points
    to a directory.

  NOTFOUND The command could not be found.

  Note that currently, the strings "NOEXEC" and "NOTFOUND" are passed
  back reliably from vfork(2) childs or when the related state is already
  known by the cache. In other cases, the reliability of $/ with respect
  to "NOEXEC" and "NOTFOUND" has not yet been verified. It thus may
  return 126 or 127 as with $?. The string values "NOEXEC" and "NOTFOUND"
  cannot be passed back from a subshell, using only the waitid()
  mechanism. To circumvent that problem, from fork()ed subshells,.
  shared memory or non-fork()ed virtual subshells would work.

  If you detect a complex command where you get 126 or 127 instead of
  the exoected "NOEXEC" or "NOTFOUND", please send a report.

  We for now choose to use shared memory as this is easier to implement.
  Later versions will mosy likely implement virtual fork()less
  subshells.

- Bourne Shell: minor Cstyle changes on word.c and macro.c

- Bourne Shell: New version date

(micha)

Fix incorrect wording in a comment

(pho)

doc: Update archivers/star to 1.6.1nb2

(micha)

archivers/star: Update to 1.6.1nb2

Based on Release 2019-10-07.

Changelog
=========
- configure: Some shells report a syntax error with "< file (cmd)"
  and need the redirection statement to be *after* the command. Our
  changes to support the V7 shell by adding round braces caused ash
  variants like "dash" to fail.

  Thanks to Harald van Dijk for reporting

- cont/cc-config.sh: canged some :>some-file statements into
  (:)>some-file. they have meen missed when introducing work arounds
  for the V7 Shell on Ultrix that does not support I/O redirection
  for builtin commands.

  Thanks to Robert Clausecker for reporting

- libschily/resolvepath.c: resolving a symlink that points to another
  symlink that points to itself, caused a coredump as a result from an
  endless recursion.

  We now detect this situation and abort the check before the endless
  recursion causes a stack overflow. A symlink that directly loops
  is immediately stopped. A longer symlink loop chain over more than one
  symlink can only be detected by the recursion nesting level and is
  aborted after a nesting level of 1024 has been reached. This works
  under the assumption that the minimum stack size is more than
  1024 * PATH_MAX and that there is no useful directory path with more
  than 1024 symlinks in the path.

  ----> This problem affected star and SCCS.

  Thanks to Philipp Wellner for reporting

- star: Added a hint to the man page that helps to find pkglist= as a.
  similar option to list=

- star: The new method to avoid extracting symlinks that point outside
  the star working directory that has been introduced in October 2018
  could cause a core dump if a symlink is checked that points to
  another aready existing symlink that points to itself. This was caused
  by a problem in libschily/resolvepath.c, see above.

  Thanks to Philipp Wellner for reporting

- star: The option -no-secure-links now may be configured as a global
  default via the tag STAR_SECURE_LINKS= in the file /etc/default/star
  and as a private default via an environment of the same name.

  If the value for this tag is 'n' or 'N', -no-secure-links is made the
  default, any other value sets the option -secure-links as the default.

  This may be useful for sysadmins that frequently use star to copy
  installation specific files, but it is risky in case that alien TAR
  archives are imported. The good news is that this permits users to
  switch to the old star behavior where no checks for risky links
  existed.

  Thanks to Dennis Clarke for reporting

-  star: A new enviroment STAR_NOHINT has been introduced to supress
  hint messages that are otherwise seen in case STAR_SECURE_LINKS or
  STAR_FSYNC is in the environment or in /etc/default/star

- star: New version date

(micha)

doc: Update devel/smake to 1.3nb6

(micha)

devel/smake: Update to 1.3nb6

Based on Release 2019-10-07.

Changelog
=========
- configure: Some shells report a syntax error with "< file (cmd)"
  and need the redirection statement to be *after* the command. Our
  changes to support the V7 shell by adding round braces caused ash
  variants like "dash" to fail.

  Thanks to Harald van Dijk for reporting

- cont/cc-config.sh: canged some :>some-file statements into
  (:)>some-file. they have meen missed when introducing work arounds
  for the V7 Shell on Ultrix that does not support I/O redirection
  for builtin commands.

  Thanks to Robert Clausecker for reporting

- smake: The error message for failed shell commands has been modified
  to "Code %d (%s) from command line..." in order to cause less confusion
  with the text printed by smake.

  The text for %s is the strerror() result for the exit code if
  applicable.

  Thanks to Robert Clausecker for reporting

(micha)

doc: Updated audio/lmms to 1.2.1

(nia)

lmms: Update to 1.2.1

pkgsrc changes:

- Fixed initial midi settings on NetBSD (use /dev/rmidi0 instead of /dev/midi)
- Enable only "native" audio outputs by default
- Disable some no longer used dependencies

New changes in 1.2.1: (2019-10-21)

    General improvements
        Respect OS' case sensitivity when checking for existing files (#4768)
        Remove MIDI connections from factory .mmpz files (#5163)
        Show FreeBSD in the build version info (732448c)
    UI improvements
        Make splash screen text white (#5149)
        Show Beat/Bassline Editor on clicking track labels of B/B tracks (#5060)
        Enable dark title bar on macOS (df79f8c)
    Bug Fixes
        Fix building RemoteVstPlugin with Wine >= 4.14 (#5210)
        Fix stuck keys when dragging on the piano view (#5127)
        Fix crash on unmarking octave semitones (#5184)
        Fix invalid MIDI Program Change decoding (#5154)
        Rubberband fix for selecting a large area in the song editor (#5003)
        VeSTige: show icon on 'Turn off all notes' button (#5237)
        RemoteVstPlugin: fix crashes when failed to open a file (#5235)
        Organic: fix glitch at the beginning of a note (#5252)
        Fix broken audio sample exporting on high sampling rate (#5226)
    Localization
        Better French translations in the menu item file (#4711)
        Fix too long translations to fix the UI misalignment (#5185)

(nia)

lang/ruby: change for --no-document option

Replace RUBY_BUILD_RDOC and RUBY_BUILD_RI with RUBY_BUILD_DOCUMENT since
rdoc's --no-rdoc and --no-ri options are deprecated almost 8 years ago
and these options are replaced with -no-document option.

No package should be changed.

(taca)

Updated devel/py-test-forked, devel/py-test-mock

(adam)

py-test-mock: updated to 1.11.2

1.11.2:
* The *pytest introspection follows* message is no longer shown
  if there is no pytest introspection.
* ``mocker`` now raises a ``TypeError`` when used as a context-manager.

(adam)

doc: Updated textproc/json2tsv to 0.3

(leot)

json2tsv: Update to 0.3

Changes:
0.3
---
- Separate into more preciso JSON types primitives (p) to: bool (b),
  null (?), number (n)
- Misc bug fixes and improvements

(leot)

bind914: Fix build on SmartOS

SmartOS requires _XOPEN_SOURCE for various macros and functions (CMSG_DATA() et
al.)

(otis)

py-test-forked: updated to 1.1.3

v1.1.3
* Another dummy release to sort out missing wheels (hopefully).

v1.1.2
* Another dummy release to sort out missing wheels (hopefully).

v1.1.1
* Dummy release to sort out CI issues.

v1.1.0
* New marker `pytest.mark.forked` to fork before individual tests.

(adam)

bash: bump revision

(triaxx)

doc: Updated games/nethack to 3.6.2

(pho)

doc: Updated games/nethack to 3.6.2

(pho)

bash: add missing options.mk

(triaxx)

Update to NetHack 3.6.2

See release notes for the changes from 3.4.3:
* http://nethack.org/v360/release.html
* http://nethack.org/v361/release.html
* http://nethack.org/v362/release.html

IMPORTANT NOTICE:
  Old 3.4.x save files are *incompatible* with this version (which
  isn't my fault). Files are now saved in /var/games/nethack360.

(pho)

bash: make nls support optional

pkgsrc changes:
  - remove broken static option
  - add nls option (disable by default)
  - change LOCALBASE to PREFIX (appease pkglint)

(triaxx)

more packages with wrong LICENSE tag

(tnn)

Update to NetHack 3.6.2

See release notes for the changes from 3.4.3:
* http://nethack.org/v360/release.html
* http://nethack.org/v361/release.html
* http://nethack.org/v362/release.html

IMPORTANT NOTICE:
  Old 3.4.x save files are *incompatible* with this version (which
  isn't my fault). Files are now saved in /var/games/nethack360.

(pho)

Update to NetHack 3.6.2

See release notes for the changes from 3.4.3:
* http://nethack.org/v360/release.html
* http://nethack.org/v361/release.html
* http://nethack.org/v362/release.html

IMPORTANT NOTICE:
  Old 3.4.x save files are *incompatible* with this version (which
  isn't my fault). Files are now saved in /var/games/nethack360.

(pho)

Update to NetHack 3.6.2

See release notes for the changes from 3.4.3:
* http://nethack.org/v360/release.html
* http://nethack.org/v361/release.html
* http://nethack.org/v362/release.html

IMPORTANT NOTICE:
  Old 3.4.x save files are *incompatible* with this version (which
  isn't my fault). Files are now saved in /var/games/nethack360.

(pho)

catch up with llvm relicensing and bump PKGREVISIONs

(tnn)

llvm: Extend linkmap fix to another file for SunOS.

(jperkin)

bison: Remove broken and now entirely redundant nls section.

(jperkin)

python38: Make float words test a little less insane.

Fixes build on SunOS with the native grep.

(jperkin)

bison: Spell CONFIGURE_ARGS correctly.

(jperkin)

meson: don't expose cmake if the package didn't also set USE_CMAKE

(tnn)

print: Reorder entries in Makefile

(micha)

print/flpsed: Remove unregistered patch (already merged in current version)

(micha)

postgresql12: make nls support optional

(triaxx)

doc: Updated emulators/cannonball to 0.3.20191023

(fox)

emulators/cannonball: Removes the patch (missed in the last commit).

- Removes patch that has been merged upstream.

(fox)

emulators/cannonball: Update to 0.3.20191023

- Removes patch that has been merged upstream.

Changes since 0.3.20190924:

- bsd.cmake now defaults to using SDL2.

(fox)

fs-uae is NOT_PAX_MPROTECT_SAFE.

(rhialto)

buzztrax: Missing dependencies

(nia)

anjuta: Needs itstool

(nia)

qsynth: Needs qt tools

(nia)

devel/ruby-docile: update to 1.3.2

Update ruby-docile to 1.3.2.

## v1.3.2 (2019-06-12)

  - Special thanks (again!) to Taichi Ishitani (@taichi-ishitani):
  - Fix for DSL object is replaced when #dsl_eval is nested (#33, PR #34)

(taca)

doc: Updated devel/ruby-backports to 3.15.0

(taca)

devel/ruby-backports: update to 3.15.0

Update ruby-backports to 3.15.0.

== Version 3.15.0 - May 15th, 2019

  * Proc / Method
    * +<<+, +>>+

(taca)

doc: Added archivers/ruby-ffi-libarchive version 0.4.10

(taca)

archivers/Makefile: add and enable ruby-ffi-libarchive

(taca)

archivers/ruby-ffi-libarchive: add version 0.4.10

Add ruby-ffi-libarchive package version 0.4.10.

ffi-libarchive

A Ruby FFI binding to libarchive.

(taca)

doc: Updated devel/ruby2ruby to 2.4.4

(taca)

devel/ruby2ruby: update to 2.4.4

Update ruby2ruby to 2.4.4.

=== 2.4.4 / 2019-09-24

* 1 bug fix:

  * Fixed deprecation warnings from patterns change in sexp_processor.

=== 2.4.3 / 2019-06-03

* 4 bug fixes:

  * Added shadow block args. (jaynetics)
  * Fixed generation for block args w/ trailing commas.
  * Fixed nested masgn block args and arrays. (jaynetics)
  * Fixes for stabby proc / lambda changes.

(taca)

doc: Updated devel/hoe to 3.18.1

(taca)

devel/hoe: update to 3.18.1

Update hoe to 3.18.1.

=== 3.18.1 / 2019-09-14

* 1 minor enhancement:

  * Added deprecations to minitest/test_task: TESTOPTS, N (for #threads), FILTER.

* 3 bug fixes:

  * Fixed one use of Array.prepend on ruby 2.3-2.4.
  * Removed FILTER/N/X handling from hoe/test.rb in favor of minitest/test_task.rb.
  * Sort globs before shuffling to normalize different file systems.

(taca)

devel/ZenTest: update to 4.12.0

Update ZenTest to 4.12.0

=== 4.12.0 / 2019-09-22

* 3 major enhancements:

  * Deleted autotest from project. Use minitest-autotest instead.
  * Removed multiruby_setup. Use ruby-install or ruby-build or install your own.
  * Update multiruby to use ~/.rubies (default for ruby-install).

* 4 minor enhancements:

  * Find and use the multiruby next to multigem.
  * multiruby ignores GEM_HOME and GEM_PATH (to allow multigem to work).
  * multiruby respects global `multiruby_skip` entries in `~/.hoerc`.
  * multiruby sorts versions properly so glob ordering is consistent.

* 1 bug fix:

  * Removed hacks for rbx because nobody uses rbx.

(taca)

doc: Updated databases/ruby-sequel to 5.25.0

(taca)

databases/ruby-sequel: update to 5.25.0

Update ruby-sequel to 5.25.0.

=== 5.25.0 (2019-10-01)

* Fix Sequel::SQL::NumericMethods#coerce to not raise NoMethodError if super method is not defined (jeremyevans) (#1645)

* Allow setting a default for a column that already has a default on Microsoft SQL Server (jeremyevans)

* Fix keyword argument separation warnings on Ruby master branch in csv_serializer plugin (jeremyevans)

* Add association_multi_add_remove plugin for adding/removing multiple associated objects in a single method call (AlexWayfer, jeremyevans) (#1641, #1643)

* Make sharding plugin integrate with server_block extension (jeremyevans)

(taca)

doc: Updated databases/ruby-moneta to 1.2.0

(taca)

databases/ruby-moneta: update to 1.2.0

1.2.0

* Adapters::Sequel - fix for compatibility with new version of JDBC SQLite
* Adapters::Couch - refactor of error handling, #clear, #merge!, #slice, rev caching
* Fallback - add fallback proxy (#162)
* Pool - rewrite to enable limiting of size, gradual shrinking
* Enumerable - add proxy providing Enumerable API (using #each_key)
* Adapters::Couch, Adapters::RestClient - add Faraday :adapter option
* Adapters::Couch - add :full_commit and :batch options to some operations
* Adapters::LRUHash - rewrite to take advantage of ordered hashes
* Adapters::ActiveRecord - recover from deadlock during increment

(taca)

doc: Updated databases/ruby-hiera to 3.6.0

(taca)

databases/ruby-hiera: update to 3.6.0

Update ruby-hiera to 3.6.0

No change except version.

(taca)

Note update of security/vault to 1.2.3.

(he)

Upgrade security/vault to version 1.2.3.

Pkgsrc changes:
* Fix == in shell script test.
* Add some patches to make this build on NetBSD.

Upstream changes:

## 1.2.3 (September 12, 2019)

FEATURES:
* Oracle Cloud (OCI) Integration: Vault now support using Oracle
  Cloud for storage, auto unseal, and authentication.

IMPROVEMENTS:
* auth/jwt: Groups claim matching now treats a string response
  as a single element list [JWT-63]
* auth/kubernetes: enable better support for projected tokens
  API by allowing user to specify issuer [GH-65]
* auth/pcf: The PCF auth plugin was renamed to the CF auth plugin,
  maintaining full backwards compatibility [GH-7346]
* replication: Premium packages now come with unlimited performance
  standby nodes

BUG FIXES:
* agent: Allow batch tokens and other non-renewable tokens to be
  used for agent operations [GH-7441]
* auth/jwt: Fix an error where newer (v1.2) token_* configuration
  parameters were not being applied to tokens generated using
  the OIDC login flow [JWT-67]
* seal/transit: Allow using Vault Agent for transit seal operations
  [GH-7441]
* storage/couchdb: Fix a file descriptor leak [GH-7345]
* ui: Fix a bug where the status menu would disappear when trying
  to revoke a token [GH-7337]
* ui: Fix a regression that prevented input of custom items in
  search-select [GH-7338]
* ui: Fix an issue with the namespace picker being unable to
  render nested namespaces named with numbers and sorting of
  namespaces in the picker [GH-7333]

## 1.2.2 (August 15, 2019)

CHANGES:
* auth/pcf: The signature format has been updated to use the
  standard Base64 encoding instead of the URL-safe variant.
  Signatures created using the previous format will continue to
  be accepted [PCF-27]
* core: The http response code returned when an identity token
  key is not found has been changed from 400 to 404

IMPROVEMENTS:
* identity: Remove 512 entity limit for groups [GH-7317]

BUG FIXES:
* auth/approle: Fix an error where an empty token_type string
  was not being correctly handled as TokenTypeDefault [GH-7273]
* auth/radius: Fix panic when logging in [GH-7286]
* ui: the string-list widget will now honor multiline input [GH-7254]
* ui: various visual bugs in the KV interface were addressed [GH-7307]
* ui: fixed incorrect URL to access help in LDAP auth [GH-7299]

1.2.1 (August 6th, 2019)

BUG FIXES:
* agent: Fix a panic on creds pulling in some error conditions
  in aws and alicloud auth methods [GH-7238]
* auth/approle: Fix error reading role-id on a role created
  pre-1.2 [GH-7231]
* auth/token: Fix sudo check in non-root namespaces on create
  [GH-7224]
* core: Fix health checks with perfstandbyok=true returning the
  wrong status code [GH-7240]
* ui: The web CLI will now parse input as a shell string, with
  special characters escaped [GH-7206]
* ui: The UI will now redirect to a page after authentication
  [GH-7088]
* ui (Enterprise): The list of namespaces is now cleared when
  logging out [GH-7186]

## 1.2.0 (July 30th, 2019)

CHANGES:
* Token store roles use new, common token fields for the values
  that overlap with other auth backends. period, explicit_max_ttl,
  and bound_cidrs will continue to work, with priority being
  given to the token_ prefixed versions of those parameters. They
  will also be returned when doing a read on the role if they
  were used to provide values initially; however, in Vault 1.4
  if period or explicit_max_ttl is zero they will no longer be
  returned. (explicit_max_ttl was already not returned if empty.)
* Due to underlying changes in Go version 1.12 and Go > 1.11.5,
  Vault is now stricter about what characters it will accept in
  path names. Whereas before it would filter out unprintable
  characters (and this could be turned off), control characters
  and other invalid characters are now rejected within Go's HTTP
  library before the request is passed to Vault, and this cannot
  be disabled. To continue using these (e.g. for already-written
  paths), they must be properly percent-encoded (e.g. \r becomes
  %0D, \x00 becomes %00, and so on).
* The user-configured regions on the AWSKMS seal stanza will now
  be preferred over regions set in the enclosing environment.
  This is a breaking change.
* All values in audit logs now are omitted if they are empty.
  This helps reduce the size of audit log entries by not reproducing
  keys in each entry that commonly don't contain any value, which
  can help in cases where audit log entries are above the maximum
  UDP packet size and others.
* Both PeriodicFunc and WALRollback functions will be called if
  both are provided. Previously WALRollback would only be called
  if PeriodicFunc was not set. See GH-6717 for details.
* Vault now uses Go's official dependency management system, Go
  Modules, to manage dependencies. As a result to both reduce
  transitive dependencies for API library users and plugin authors,
  and to work around various conflicts, we have moved various
  helpers around, mostly under an sdk/ submodule. A couple of
  functions have also moved from plugin helper code to the api/
  submodule. If you are a plugin author, take a look at some of
  our official plugins and the paths they are importing for
  guidance.
* AppRole uses new, common token fields for values that overlap
  with other auth backends. period and policies will continue to
  work, with priority being given to the token_ prefixed versions
  of those parameters. They will also be returned when doing a
  read on the role if they were used to provide values initially.
* In AppRole, "default" is no longer automatically added to the
  policies parameter. This was a no-op since it would always be
  added anyways by Vault's core; however, this can now be explicitly
  disabled with the new token_no_default_policy field.
* In AppRole, bound_cidr_list is no longer returned when reading
  a role
* rollback: Rollback will no longer display log messages when it
  runs; it will only display messages on error.
* Database plugins will now default to 4 max_open_connections
  rather than 2.

FEATURES:
* Integrated Storage: Vault 1.2 includes a tech preview of a new
  way to manage storage directly within a Vault cluster. This
  new integrated storage solution is based on the Raft protocol
  which is also used to back HashiCorp Consul and HashiCorp Nomad.
* Combined DB credential rotation: Alternative mode for the
  Combined DB Secret Engine to automatically rotate existing
  database account credentials and set Vault as the source of
  truth for credentials.
* Identity Tokens: Vault's Identity system can now generate
  OIDC-compliant ID tokens. These customizable tokens allow
  encapsulating a signed, verifiable snapshot of identity
  information and metadata. They can be use by other applications-even
  those without Vault authorization-as a way of establishing
  identity based on a Vault entity.
* Pivotal Cloud Foundry plugin: New auth method using Pivotal
  Cloud Foundry certificates for Vault authentication.
* ElasticSearch database plugin: New ElasticSearch database plugin
  issues unique, short-lived ElasticSearch credentials.
* New UI Features: An HTTP Request Volume Page and new UI for
  editing LDAP Users and Groups have been added.
* HA support for Postgres: PostgreSQL versions >= 9.5 may now
  but used as and HA storage backend.
* KMIP secrets engine (Enterprise): Allows Vault to operate as
  a KMIP Server, seamlessly brokering cryptographic operations
  for traditional infrastructure.
* Common Token Fields: Auth methods now use common fields for
  controlling token behavior, making it easier to understand
  configuration across methods.
* Vault API explorer: The Vault UI now includes an embedded API
  explorer where you can browse the endpoints avaliable to you
  and make requests. To try it out, open the Web CLI and type
  api.

IMPROVEMENTS:
* agent: Allow EC2 nonce to be passed in [GH-6953]
* agent: Add optional namespace parameter, which sets the default
  namespace for the auto-auth functionality [GH-6988]
* agent: Add cert auto-auth method [GH-6652]
* api: Add support for passing data to delete operations via
  DeleteWithData [GH-7139]
* audit/file: Dramatically speed up file operations by changing
  locking/marshaling order [GH-7024]
* auth/jwt: A JWKS endpoint may now be configured for signature
  verification [JWT-43]
* auth/jwt: A new verbose_oidc_logging role parameter has been
  added to help troubleshoot OIDC configuration [JWT-57]
* auth/jwt: bound_claims will now match received claims that are
  lists if any element of the list is one of the expected values
  [JWT-50]
* auth/jwt: Leeways for nbf and exp are now configurable, as is
  clock skew leeway [JWT-53]
* auth/kubernetes: Allow service names/namespaces to be configured
  as globs [KUBEAUTH-58]
* auth/token: Allow the support of the identity system for the
  token backend via token roles [GH-6267]
* auth/token: Add a large set of token configuration options to
  token store roles [GH-6662]
* cli: path-help now allows -format=json to be specified, which
  will output OpenAPI [GH-7006]
* cli: Add support for passing parameters to vault delete operations
  [GH-7139]
* cli: Add a log-format CLI flag that can specify either "standard"
  or "json" for the log format for the vault servercommand.
  [GH-6840]
* cli: Add -dev-no-store-token to allow dev servers to not store
  the generated token at the tokenhelper location [GH-7104]
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Namespaces can now be created and deleted from
  performance replication secondaries
* plugins: Change the default for max_open_connections for DB
  plugins to 4 [GH-7093]
* replication: Client TLS authentication is now supported when
  enabling or updating a replication secondary
* secrets/database: Cassandra operations will now cancel on client
  timeout [GH-6954]
* secrets/kv: Add optional delete_version_after parameter, which
  takes a duration and can be set on the mount and/or the metadata
  for a specific key [GH-7005]
* storage/postgres: LIST now performs better on large datasets
  [GH-6546]
* storage/s3: A new path parameter allows selecting the path
  within a bucket for Vault data [GH-7157]
* ui: KV v1 and v2 will now gracefully degrade allowing a write
  without read workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars
  [GH-6626], the restyling of the Confirm Action component
  [GH-6741], and using a new set of glyphs for our Icon component
  [GH-6736]
* ui: Lazy loading parts of the application so that the total
  initial payload is smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a
  common prefix if there is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS
  payload smaller [GH-6768]

BUG FIXES:
* audit: Log requests and responses due to invalid wrapping token
  provided [GH-6541]
* audit: Fix bug preventing request counter queries from working
  with auditing enabled [GH-6767
* auth/aws: AWS Roles are now upgraded and saved to the latest
  version just after the AWS credential plugin is mounted.
  [GH-7025]
* auth/aws: Fix a case where a panic could stem from a malformed
  assumed-role ARN when parsing this value [GH-6917]
* auth/aws: Fix an error complaining about a read-only view that
  could occur during updating of a role when on a performance
  replication secondary [GH-6926]
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled
  checking of client_id for OIDC logins [JWT-54]
* auth/jwt: Fix a panic during OIDC CLI logins that could occur
  if the Vault server response is empty [JWT-55]
* auth/jwt: Fix issue where OIDC logins might intermittently fail
  when using performance standbys [JWT-61]
* identity: Fix a case where modifying aliases of an entity could
  end up moving the entity into the wrong namespace
* namespaces: Fix a behavior (currently only known to be benign)
  where we wouldn't delete policies through the official functions
  before wiping the namespaces on deletion
* secrets/database: Escape username/password before using in
  connection URL [GH-7089]
* secrets/pki: Forward revocation requests to active node when
  on a performance standby [GH-7173]
* ui: Fix timestamp on some transit keys [GH-6827]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request
  Metrics page

## 1.1.4/1.1.5 (July 25th/30th, 2019)

NOTE:

Although 1.1.4 was tagged, we realized very soon after the tag was
publicly pushed that an intended fix was accidentally left out. As
a result, 1.1.4 was not officially announced and 1.1.5 should be
used as the release after 1.1.3.

IMPROVEMENTS:
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Improve namespace deletion performance [GH-6939]
* namespaces: Namespaces can now be created and deleted from
  performance replication secondaries

BUG FIXES:
* api: Add backwards compat support for API env vars [GH-7135]
* auth/aws: Fix a case where a panic could stem from a malformed
  assumed-role ARN when parsing this value [GH-6917]
* auth/ldap: Add use_pre111_group_cn_behavior flag to allow
  recovering from a regression caused by a bug fix starting in
  1.1.1 [GH-7208]
* auth/aws: Use a role cache to avoid separate locking paths
  [GH-6926]
* core: Fix a deadlock if a panic happens during request handling
  [GH-6920]
* core: Fix an issue that may cause key upgrades to not be cleaned
  up properly [GH-6949]
* core: Don't shutdown if key upgrades fail due to canceled
  context [GH-7070]
* core: Fix panic caused by handling requests while vault is
  inactive
* identity: Fix reading entity and groups that have spaces in
  their names [GH-7055]
* identity: Ensure entity alias operations properly verify
  namespace [GH-6886]
* mfa: Fix a nil pointer panic that could occur if invalid Duo
  credentials were supplied
* replication: Forward step-down on perf standbys to match HA
  behavior
* replication: Fix various read only storage errors on performance
  standbys
* replication: Stop forwarding before stopping replication to
  eliminate some possible bad states
* secrets/database: Allow cassandra queries to be cancled [GH-6954]
* storage/consul: Fix a regression causing vault to not connect
  to consul over unix sockets [GH-6859]
* ui: Fix saving of TTL and string array fields generated by Open
  API [GH-7094]

## 1.1.3 (June 5th, 2019)

IMPROVEMENTS:
* agent: Now supports proxying request query parameters [GH-6772]
* core: Mount table output now includes a UUID indicating the
  storage path [GH-6633]
* core: HTTP server timeout values are now configurable [GH-6666]
* replication: Improve performance of the reindex operation on
  secondary clusters when mount filters are in use
* replication: Replication status API now returns the state and
  progress of a reindex

BUG FIXES:
* api: Return the Entity ID in the secret output [GH-6819]
* auth/jwt: Consider bound claims when considering if there is at least one
  bound constraint [JWT-49]
* auth/okta: Fix handling of group names containing slashes [GH-6665]
* cli: Add deprecated stored-shares flag back to the init command [GH-6677]
* cli: Fix a panic when the KV command would return no data [GH-6675]
* cli: Fix issue causing CLI list operations to not return proper format when
  there is an empty response [GH-6776]
* core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
* core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
  endpoints [GH-6654]
* core: Fix issue where some OpenAPI parameters were incorrectly listed as
  being sent as a header [GH-6679]
* core: Fix issue that would allow duplicate mount names to be used [GH-6771]
* namespaces: Fix behavior when using `root` instead of `root/` as the
  namespace header value
* pki: fix a panic when a client submits a null value [GH-5679]
* replication: Properly update mount entry cache on a secondary to apply all
  new values after a tune
* replication: Properly close connection on bootstrap error
* replication: Fix an issue causing startup problems if a namespace policy
  wasn't replicated properly
* replication: Fix longer than necessary WAL replay during an initial reindex
* replication: Fix error during mount filter invalidation on DR
  secondary clusters
* secrets/ad: Make time buffer configurable [AD-35]
* secrets/gcp: Check for nil config when getting credentials [SGCP-35]
* secrets/gcp: Fix error checking in some cases where the returned value could
  be 403 instead of 404 [SGCP-37]
* secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
* storage/consul: recognize `https://` address even if schema not specified
  [GH-6602]
* storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
  could cause constant switching of the active node [GH-6637]
* storage/dynamodb: Eliminate a high-CPU condition that could occur if an
  error was received from the DynamoDB API [GH-6640]
* storage/gcs: Correctly use configured chunk size values [GH-6655]
* storage/mssql: Use the correct database when pre-created schemas exist
  [GH-6356]
* ui: Fix issue with select arrows on drop down menus [GH-6627]
* ui: Fix an issue where sensitive input values weren't being saved to the
  server [GH-6586]
* ui: Fix web cli parsing when using quoted values [GH-6755]
* ui: Fix a namespace workflow mapping identities from external namespaces by
  allowing arbitrary input in search-select component [GH-6728]
* core: Fix issue that would allow duplicate mount names to be used [GH-6771]
* namespaces: Fix behavior when using `root` instead of `root/` as the
  namespace header value
* pki: fix a panic when a client submits a null value [GH-5679]
* replication: Properly update mount entry cache on a secondary to apply all
  new values after a tune
* replication: Properly close connection on bootstrap error
* replication: Fix an issue causing startup problems if a namespace policy
  wasn't replicated properly
* replication: Fix longer than necessary WAL replay during an initial reindex
* replication: Fix error during mount filter invalidation on DR
  secondary clusters
* secrets/ad: Make time buffer configurable [AD-35]
* secrets/gcp: Check for nil config when getting credentials [SGCP-35]
* secrets/gcp: Fix error checking in some cases where the returned value could
  be 403 instead of 404 [SGCP-37]
* secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
* storage/consul: recognize `https://` address even if schema not specified
  [GH-6602]
* storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
  could cause constant switching of the active node [GH-6637]
* storage/dynamodb: Eliminate a high-CPU condition that could occur if an
  error was received from the DynamoDB API [GH-6640]
* storage/gcs: Correctly use configured chunk size values [GH-6655]
* storage/mssql: Use the correct database when pre-created schemas exist
  [GH-6356]
* ui: Fix issue with select arrows on drop down menus [GH-6627]
* ui: Fix an issue where sensitive input values weren't being saved to the
  server [GH-6586]
* ui: Fix web cli parsing when using quoted values [GH-6755]
* ui: Fix a namespace workflow mapping identities from external namespaces by
  allowing arbitrary input in search-select component [GH-6728]

## 1.1.2 (April 18th, 2019)

This is a bug fix release containing the two items below. It is otherwise
unchanged from 1.1.1.

BUG FIXES:
* auth/okta: Fix a potential dropped error [GH-6592]
* secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
  mounted on unseal if it had previously been mounted but not written to
  [KV-31]

## 1.1.1 (April 11th, 2019)

SECURITY:
* Given: (a) performance replication is enabled; (b) performance standbys are
  in use on the performance replication secondary cluster; and (c) mount
  filters are in use, if a mount that was previously available to a secondary
  is updated to be filtered out, although the data would be removed from the
  secondary cluster, the in-memory cache of the data would not be purged on
  the performance standby nodes. As a result, the previously-available data
  could still be read from memory if it was ever read from disk, and if this
  included mount configuration data this could result in token or lease

BUG FIXES:
* agent: Allow auto-auth to be used with caching without having to define any
  sinks [GH-6468]
* agent: Disallow some nonsensical config file combinations [GH-6471]
* auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
* auth/jwt: The CLI helper for OIDC logins will now open the
  browser to the correct URL when running on Windows [JWT-37]
* auth/jwt: Fix OIDC login issue where configured TLS certs weren't
  being used [JWT-40]
* auth/jwt: Fix an issue where the `oidc_scopes` parameter was
  not being included in the response to a role read request [JWT-35]
* core: Fix seal migration case when migrating to Shamir and a seal block
  wasn't explicitly specified [GH-6455]
* core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
* core: Fix incorrect representation of required properties in OpenAPI output
  [GH-6490]
* core: Fix deadlock that could happen when using the UI [GH-6560]
* identity: Fix updating groups removing existing members [GH-6527]
* identity: Properly invalidate group alias in performance secondary [GH-6564]
* identity: Use namespace context when loading entities and groups to ensure
  merging of duplicate entries works properly [GH-6563]
* replication: Fix performance standby election failure [GH-6561]
* replication: Fix mount filter invalidation on performance standby nodes
* replication: Fix license reloading on performance standby nodes
* replication: Fix handling of control groups on performance standby nodes
* replication: Fix some forwarding scenarios with request bodies using
  performance standby nodes [GH-6538]
* secret/gcp: Fix roleset binding when using JSON [GCP-27]
* secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
* storage/dynamodb: Fix a race condition possible in HA configurations
  that could leave the cluster without a leader [GH-6512]
* ui: Fix an issue where in production builds OpenAPI model
  generation was failing, causing any form using it to render
  labels with missing fields [GH-6474]
* ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
* ui: Secrets will always show in the nav regardless of access to
  cubbyhole [GH-6477]
* ui: fix SSH OTP generation [GH-6540]
* ui: add polyfill to load UI in IE11 [GH-6567]
* ui: Fix issue where some elements would fail to work properly if using ACLs
  with segment-wildcard paths (`/+/` segments) [GH-6525]

## 1.1.0 (March 18th, 2019)

CHANGES:
* auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
  groups claim is not at the top level, it can now be specified as a
  [JSONPointer](https://tools.ietf.org/html/rfc6901).
* auth/jwt: Roles now have a "role type" parameter with a default type of
  "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
  specified.
* cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
  help/warning output in previous versions of Vault for updated commands.
* core: Vault no longer automatically mounts a K/V backend at the "secret/"
  path when initializing Vault
* core: Vault's cluster port will now be open at all times on HA standby nodes
* plugins: Vault no longer supports running netRPC plugins. These were
  deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
  defaults to gRPC. Older plugins may need to be recompiled against the latest
  Vault dependencies.

FEATURES:
* **Vault Agent Caching**: Vault Agent can now be configured to act as a
  caching proxy to Vault. Clients can send requests to Vault Agent and the
  request will be proxied to the Vault server and cached locally in Agent.
  Currently Agent will cache generated leases and tokens and keep them
  renewed. The proxy can also use the Auto Auth feature so clients do not need
  to authenticate to Vault, but rather can make requests to Agent and have
  Agent fully manage token lifecycle.
* **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
  roles. These allow authentication via an OIDC-compliant provider via the
  user's browser. The login may be initiated from the Vault UI or through
  the `vault login` command.
* **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
  wild card matching for a single directory in the path definition.
* **Transit Auto Unseal**: Vault can now be configured to use the Transit
  Secret Engine in another Vault cluster as an auto unseal provider.

IMPROVEMENTS:
* auth/jwt: A default role can be set. It will be used during
  JWT/OIDC logins if a role is not specified.
* auth/jwt: Arbitrary claims data can now be copied into token &
  alias metadata.
* auth/jwt: An arbitrary set of bound claims can now be configured for a role.
* auth/jwt: The name "oidc" has been added as an alias for the
  jwt backend. Either name may be specified in the `auth enable` command.
* command/server: A warning will be printed when 'tls_cipher_suites'
  includes a blacklisted cipher suite or all cipher suites are blacklisted
  by the HTTP/2 specification [GH-6300]
* core/metrics: Prometheus pull support using a new sys/metrics
  endpoint. [GH-5308]
* core: On non-windows platforms a SIGUSR2 will make the server log a dump of
  all running goroutines' stack traces for debugging purposes [GH-6240]
* replication: The initial replication indexing process on newly
  initialized or upgraded clusters now runs asynchronously
* sentinel: Add token namespace id and path, available in rules as
  token.namespace.id and token.namespace.path
* ui: The UI is now leveraging OpenAPI definitions to pull in
  fields for various forms.  This means, it will not be necessary to add
  fields on the go and JS sides in the future.  [GH-6209]

BUG FIXES:
* auth/jwt: Apply `bound_claims` validation across all login paths
* auth/jwt: Update `bound_audiences` validation during non-OIDC
  logins to accept any matched audience, as documented and handled
  in OIDC logins [JWT-30]
* auth/token: Fix issue where empty values for token role update call were
  ignored [GH-6314]
* core: The `operator migrate` command will no longer hang on empty key names
  [GH-6371]
* identity: Fix a panic at login when external group has a nil alias [GH-6230]
* namespaces: Clear out identity store items upon namespace deletion
* replication/perfstandby: Fixed a bug causing performance standbys to wait
  longer than necessary after forwarding a write to the active node
* replication/mountfilter: Fix a deadlock that could occur when mount filters
  were updated [GH-6426]
* secret/kv: Fix issue where a v1穽2 upgrade could run on a performance
  standby when using a local mount
* secret/ssh: Fix for a bug where attempting to delete the last ssh role
  in the zeroaddress configuration could fail [GH-6390]
* secret/totp: Uppercase provided keys so they don't fail base32 validation
  [GH-6400]
* secret/transit: Multiple HMAC, Sign or Verify operations can now be
  performed with one API call using the new `batch_input` parameter [GH-5875]
* sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
  that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
  return a error response if a filtered mount path is requested. [GH-6412]
* ui: Fix for a bug where you couldn't access the data tab after clicking on
  wrap details on the unwrap page [GH-6404]
* ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
* ui: Fix encoding issues with kv interfaces [GH-6294]

## 1.0.3.1 (March 14th, 2019) (Enterprise Only)

SECURITY:

* A regression was fixed in replication mount filter code introduced in Vault
  1.0 that caused the underlying filtered data to be replicated to
  secondaries. This data was not accessible to users via Vault's API but via a
  combination of privileged configuration file changes/Vault commands it could
  be read.  Upgrading to this version or 1.1 will fix this issue and cause the
  replicated data to be deleted from filtered secondaries. More information
  was sent to customer contacts on file.

## 1.0.3 (February 12th, 2019)

CHANGES:
* New AWS authentication plugin mounts will default to using the generated
  role ID as the Identity alias name. This applies to both EC2 and IAM auth.
  Existing mounts that explicitly set this value will not be affected but
  mounts that specified no preference will switch over on upgrade.
* The default policy now allows a token to look up its associated identity
  entity either by name or by id [GH-6105]
* The Vault UI's navigation and onboarding wizard now only displays items that
  are permitted in a users' policy [GH-5980, GH-6094]
* An issue was fixed that caused recovery keys to not work on
  secondary clusters when using a different unseal mechanism/key
  than the primary. This would be hit if the cluster was rekeyed
  or initialized after 1.0. We recommend rekeying the recovery
  keys on the primary cluster if you meet the above requirements.

FEATURES:
* **cURL Command Output**: CLI commands can now use the `-output-curl-string`
  flag to print out an equivalent cURL command.
* **Response Headers From Plugins**: Plugins can now send back headers that
  will be included in the response to a client. The set of allowed headers can
  be managed by the operator.

IMPROVEMENTS:
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
  role ID [GH-6133]
* auth/jwt: The supported set of signing algorithms is now configurable [JWT
  plugin GH-16]
* core: When starting from an uninitialized state, HA nodes will now attempt
  to auto-unseal using a configured auto-unseal mechanism after the active
  node initializes Vault [GH-6039]
* secret/database: Add socket keepalive option for Cassandra [GH-6201]
* secret/ssh: Add signed key constraints, allowing enforcement of key types
  and minimum key sizes [GH-6030]
* secret/transit: ECDSA signatures can now be marshaled in JWS-compatible
  fashion [GH-6077]
* storage/etcd: Support SRV service names [GH-6087]
* storage/aws: Support specifying a KMS key ID for server-side encryption
  [GH-5996]

BUG FIXES:
* core: Fix a rare case where a standby whose connection is entirely torn down
  to the active node, then reconnects to the same active node, may not
  successfully resume operation [GH-6167]
* cors: Don't duplicate headers when they're written [GH-6207]
* identity: Persist merged entities only on the primary [GH-6075]
* replication: Fix a potential race when a token is created and then used with
  a performance standby very quickly, before an associated entity has been
  replicated. If the entity is not found in this scenario, the request will
  forward to the active node.
* replication: Fix issue where recovery keys would not work on secondary
  clusters if using a different unseal mechanism than the primary.
* replication: Fix a "failed to register lease" error when using performance
  standbys
* storage/postgresql: The `Get` method will now return an Entry object with
  the `Key` member correctly populated with the full path that was requested
  instead of just the last path element [GH-6044]

## 1.0.2 (January 15th, 2019)

SECURITY:
* When creating a child token from a parent with `bound_cidrs`, the list of
  CIDRs would not be propagated to the child token, allowing the child token
  to be used from any address.

CHANGES:
* secret/aws: Role now returns `credential_type` instead of `credential_types`
  to match role input. If a legacy role that can supply more than one
  credential type, they will be concatenated with a `,`.
* physical/dynamodb, autoseal/aws: Instead of Vault performing environment
  variable handling, and overriding static (config file) values if found, we
  use the default AWS SDK env handling behavior, which also looks for
  deprecated values. If you were previously providing both config values and
  environment values, please ensure the config values are unset if you want to
  use environment values.
* Namespaces (Enterprise): Providing "root" as the header value for
  `X-Vault-Namespace` will perform the request on the root namespace. This is
  equivalent to providing an empty value. Creating a namespace called "root" in
  the root namespace is disallowed.

FEATURES:
* **InfluxDB Database Plugin**: Use Vault to dynamically create
  and manage InfluxDB users

IMPROVEMENTS:
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
  image ID [GH-5846]
* autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
  [GH-5999]
* physical/foundationdb: TLS support added. [GH-5800]

BUG FIXES:
* api: Fix a couple of places where we were using the `LIST` HTTP verb
  (necessary to get the right method into the wrapping lookup function) and
  not then modifying it to a `GET`; although this is officially the verb Vault
  uses for listing and it's fully legal to use custom verbs, since many WAFs
  and API gateways choke on anything outside of RFC-standardized verbs we fall
  back to `GET` [GH-6026]
* autoseal/aws: Fix reading session tokens when AWS access key/secret key are
  also provided [GH-5965]
* command/operator/rekey: Fix help output showing `-delete-backup` when it
  should show `-backup-delete` [GH-5981]
* core: Fix bound_cidrs not being propagated to child tokens
* replication: Correctly forward identity entity creation that originates from
  performance standby nodes (Enterprise)
* secret/aws: Make input `credential_type` match the output type (string, not
  array) [GH-5972]
* secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
* secret/pki: Fix reading certificates on windows with the file
  storage backend [GH-6013]
* ui (enterprise): properly display perf-standby count on the
  license page [GH-5971]
* ui: fix disappearing nested secrets and go to the nearest parent
  when deleting a secret - [GH-5976]
* ui: fix error where deleting an item via the context menu would fail if the
  item name contained dots [GH-6018]
* ui: allow saving of kv secret after an errored save attempt [GH-6022]
* ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]

## 1.0.1 (December 14th, 2018)

SECURITY:
* Update version of Go to 1.11.3 to fix Go bug
  https://github.com/golang/go/issues/29233 which corresponds to
  CVE-2018-16875
* Database user revocation: If a client has configured custom revocation
  statements for a role with a value of `""`, that statement would be executed
  verbatim, resulting in a lack of actual revocation but success for the
  operation. Vault will now strip empty statements from any provided; as a
  result if an empty statement is provided, it will behave as if no statement
  is provided, falling back to the default revocation statement.

CHANGES:
* secret/database: On role read, empty statements will be returned as empty
  slices instead of potentially being returned as JSON null values. This makes
  it more in line with other parts of Vault and makes it easier for statically
  typed languages to interpret the values.

IMPROVEMENTS:
* cli: Strip iTerm extra characters from password manager input [GH-5837]
* command/server: Setting default kv engine to v1 in -dev mode can now be
  specified via -dev-kv-v1 [GH-5919]
* core: Add operationId field to OpenAPI output [GH-5876]
* ui: Added ability to search for Group and Policy IDs when creating Groups
  and Entities instead of typing them in manually

BUG FIXES:
* auth/azure: Cache azure authorizer [15]
* auth/gcp: Remove explicit project for service account in GCE authorizer [58]
* cli: Show correct stored keys/threshold for autoseals [GH-5910]
* cli: Fix backwards compatibility fallback when listing plugins [GH-5913]
* core: Fix upgrades when the seal config had been created on early versions
  of vault [GH-5956]
* namespaces: Correctly reload the proper mount when tuning or reloading the
  mount [GH-5937]
* secret/azure: Cache azure authorizer [19]
* secret/database: Strip empty statements on user input [GH-5955]
* secret/gcpkms: Add path for retrieving the public key [5]
* secret/pki: Fix panic that could occur during tidy operation when malformed
  data was found [GH-5931]
* secret/pki: Strip empty line in ca_chain output [GH-5779]
* ui: Fixed a bug where the web CLI was not usable via the `fullscreen`
  command - [GH-5909]
* ui: Fix a bug where you couldn't write a jwt auth method config [GH-5936]

## 0.11.6 (December 14th, 2018)

This release contains the three security fixes from 1.0.0 and 1.0.1 and the
following bug fixes from 1.0.0/1.0.1:

* namespaces: Correctly reload the proper mount when tuning or reloading the
  mount [GH-5937]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
  [GH-5809]

It is otherwise identical to 0.11.5.

## 1.0.0 (December 3rd, 2018)

SECURITY:
* When debugging a customer incident we discovered that in the case of
  malformed data from an autoseal mechanism, Vault's master key could be
  logged in Vault's server log. For this to happen, the data would need to be
  modified by the autoseal mechanism after being submitted to it by Vault but
  prior to encryption, or after decryption, prior to it being returned to
  Vault. To put it another way, it requires the data that Vault submits for
  encryption to not match the data returned after decryption. It is not
  sufficient for the autoseal mechanism to return an error, and it cannot be
  triggered by an outside attacker changing the on-disk ciphertext as all
  autoseal mechanisms use authenticated encryption. We do not believe that
  this is generally a cause for concern; since it involves the autoseal
  mechanism returning bad data to Vault but with no error, in a working Vault
  configuration this code path should never be hit, and if hitting this issue
  Vault will not be unsealing properly anyways so it will be obvious what is
  happening and an immediate rekey of the master key can be performed after
  service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3
  score of 5.2 has been assigned.

CHANGES:
* Tokens are now prefixed by a designation to indicate what type of token they
  are. Service tokens start with `s.` and batch tokens start with `b.`.
  Existing tokens will still work (they are all of service type and will be
  considered as such). Prefixing allows us to be more efficient when consuming
  a token, which keeps the critical path of requests faster.
* Paths within `auth/token` that allow specifying a token or accessor in the
  URL have been removed. These have been deprecated since March 2016 and
  undocumented, but were retained for backwards compatibility. They shouldn't
  be used due to the possibility of those paths being logged, so at this point
  they are simply being removed.
* Vault will no longer accept updates when the storage key has invalid UTF-8
  character encoding [GH-5819]
* Mount/Auth tuning the `options` map on backends will now upsert any provided
  values, and keep any of the existing values in place if not provided. The
  options map itself cannot be unset once it's set, but the keypairs within the
  map can be unset if an empty value is provided, with the exception of the
  `version` keypair which is handled differently for KVv2 purposes.
* Agent no longer automatically reauthenticates when new credentials are
  detected. It's not strictly necessary and in some cases was causing
  reauthentication much more often than intended.
* HSM Regenerate Key Support Removed: Vault no longer supports destroying and
  regenerating encryption keys on an HSM; it only supports creating them.
  Although this has never been a source of a customer incident, it is simply a
  code path that is too trivial to activate, especially by mistyping
  `regenerate_key` instead of `generate_key`.
* Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
  seal type in the barrier config storage entry will be upgraded from
  "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals.
  If performing seal migration, the barrier config should first be upgraded
  prior to starting migration.
* Go API client uses pooled HTTP client: The Go API client now uses a
  connection-pooling HTTP client by default. For CLI operations this makes no
  difference but it should provide significant performance benefits for those
  writing custom clients using the Go API library. As before, this can be
  changed to any custom HTTP client by the caller.
* Builtin Secret Engines and Auth Methods are integrated deeper into the
  plugin system. The plugin catalog can now override builtin plugins with
  custom versions of the same name. Additionally the plugin system now
  requires a plugin `type` field when configuring plugins, this can be "auth",
  "database", or "secret".

FEATURES:
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
  from Enterprise to Open Source. We've created a migrator to allow migrating
  between Shamir seals and auto unseal methods.
* **Batch Tokens**: Batch tokens trade off some features of service tokens for no
  storage overhead, and in most cases can be used across performance
  replication clusters.
* **Replication Speed Improvements**: We've worked hard to speed up a lot of
  operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
  pattern to keys stored within GCP Cloud KMS.
* **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
  credentials when having Agent automatically authenticate to Vault
* **OpenAPI Support**: Descriptions of mounted backends can be served directly
  from Vault
* **Kubernetes Projected Service Account Tokens**: Projected Service Account
  Tokens are now supported in Kubernetes auth
* **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
  the wrap token or secret JSON in the UI

IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
  [GH-5725]
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
* secret/totp: Allow @ character to be part of key name [GH-5652]
* secret/consul: Add support for new policy based tokens added in Consul 1.4
  [GH-5586]
* ui: Improve the token auto-renew warning, and automatically begin renewal
  when a user becomes active again [GH-5662]
* ui: The unbundled UI page now has some styling [GH-5665]
* ui: Improved banner and popup design [GH-5672]
* ui: Added token type to auth method mount config [GH-5723]
* ui: Display additonal wrap info when unwrapping. [GH-5664]
* ui: Empty states have updated styling and link to relevant actions and
  documentation [GH-5758]
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
  read secret metadata [GH-5879]

BUG FIXES:
* agent: Fix auth when multiple redirects [GH-5814]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
  circumstances. [GH-5743]
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
* identity: Update group memberships when entity is deleted [GH-5786]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
  having distinct scopes
  [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
  [GH-5804]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
  [GH-5809]
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
  for all other operations for backwards compatibility
  [[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
  item when viewing policies [GH-5866]
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
  the revoke button in the UI [GH-5647]
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]

## 0.11.5 (November 13th, 2018)

BUG FIXES:
* agent: Fix issue when specifying two file sinks [GH-5610]
* auth/userpass: Fix minor timing issue that could leak the presence of a
  username [GH-5614]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer
  between entities [GH-5733]
* namespaces: Fix tuning of auth mounts in a namespace
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
  when trying to use tool/hash [GH-5714]

## 0.11.4 (October 23rd, 2018)

CHANGES:
* core: HA lock file is no longer copied during `operator migrate` [GH-5503].
  We've categorized this as a change, but generally this can be considered
  just a bug fix, and no action is needed.

FEATURES:
* **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
  remove older unused key versions
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
  individual secret versions in the UI
* **Azure Existing Service Principal Support**: Credentials can
  now be generated against an existing service principal

IMPROVEMENTS:
* core: Add last WAL in leader/health output for easier debugging [GH-5523]
* identity: Identity names will now be handled case insensitively by default.
  This includes names of entities, aliases and groups [GH-5404]
* secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS
  credentials [GH-5500]
* secret/database: Allow Cassandra user to be non-superuser so long as it has
  role creation permissions [GH-5402]
* secret/radius: Allow setting the NAS Identifier value in the generated
  packet [GH-5465]
* secret/ssh: Allow usage of JSON arrays when setting zero addresses [GH-5528]
* secret/transit: Allow trimming unused keys [GH-5388]
* ui: Support KVv2 [GH-5547], [GH-5563]
* ui: Allow viewing and updating Vault license via the UI
* ui: Onboarding will now display your progress through the chosen tutorials
* ui: Dynamic secret backends obfuscate sensitive data by default and
  visibility is toggleable

BUG FIXES:
* agent: Fix potential hang during agent shutdown [GH-5026]
* auth/ldap: Fix listing of users/groups that contain slashes [GH-5537]
* core: Fix memory leak during some expiration calls [GH-5505]
* core: Fix generate-root operations requiring empty `otp` to be provided
  instead of an empty body [GH-5495]
* identity: Remove lookup check during alias removal from entity [GH-5524]
* secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [GH-5549]
* secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of
  generated certificates to be set to the Unix epoch if the role value was not
  set, instead of using the default of 30 seconds [GH-5481]
* storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables
  [GH-5529]

## 0.11.3 (October 8th, 2018)

SECURITY:
* Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused
  lease IDs containing periods (`.`) to not be revoked properly. Upon startup
  when revocation is tried again these should now revoke successfully.

IMPROVEMENTS:
* auth/ldap: Listing of users and groups return absolute paths [GH-5537]
* secret/pki: OID SANs can now specify `*` to allow any value [GH-5459]

BUG FIXES:
* auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
* cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
* secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
* secret/pki: Fix CA generation not allowing OID SANs [GH-5459]

(he)