Do not include "rails.mk" here.

(taca)

Do not include "rails.mk" here.

(taca)

Include "rails.mk" if RUBY_RAILS_SUPPORTED is defined.

(taca)

Set RUBY_RAILS_SUPPORTED to 42 and utilize it.

(taca)

Set RUBY_RAILS_SUPPORTED to 32 and utilize it.

(taca)

Updated security/putty to 0.69

(ryoon)

Update to 0.69

* Convert to use GTK 3 to fix build

Changelog:
These features are new in 0.69 (released 2017-04-29):

    Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even the names we missed when we thought we'd fixed this in 0.68. See vuln-indirect-dll-hijack-2.
    Windows PuTTY should work with MIT Kerberos again, after our DLL hijacking defences broke it.
    Jump lists should now appear again on the PuTTY shortcut in the Windows Start Menu.
    You can now explicitly configure SSH terminal mode settings not to be sent to the server, if your server objects to them.

(ryoon)

Updated www/php-nextcloud to 11.0.3

(ryoon)

Update to 11.0.3

Changelog:
Server

    Use the correct principal for shared addressbooks (server/3608)
    Fix saving backup codes by using a correct data uri (server/3652)
    Update icewind/streams to 0.5.2 (server/32931)
    Fix string comparison and return docs (server/3665)
    Typecast shared mount's storage_id to int as documented + some refactor to avoid similar bugs (server/3658)
    Use a proper date format for transfer ownership (server/3700)
    DAV sharing permissions should not depend on the order (server/3722)
    Add new user agent of windows 10 dav backend (server/37641)
    Add back appstoreenabled config switch (server/37671)
    Call right function after sudo mode (server/3820)
    Dont allow empty wildcard search (server/3842)
    Remove single quotes around search query like in user search (server/3849)
    Fix mimetype detection on public uploads for the workflow engine (server/3765)
    Fix branding and show Nextcloud (server/39691)
    Fix reshare with user activity message (server/39812)
    Create correct VCard and return correct error codes (server/4029)
    Prevent migration from ownCloud 10 to Nextcloud 11 (server/34151)
    Make sure transparency is an integer when saving a calendar (server/4167)
    Make public links work with master key (server/42071)
    Don't try to render the avatars if avatars are disabled (server/4214)
    Reduce error message text (server/42281)
    Don't list on public calendar endpoints (server/4229)
    Fix upload of folders in Chrome (server/4154)
    Make sure blob columns are correctly converted as parameters (server/4233)
    Save the scope of an auth token in the session (server/4225)
    Take share by mail into consideration if we calculate the access list (server/4242)
    Also add the root of external storages to the file id list (server/4237)
    Fix LDAP description (server/42382)
    Remove the double password confirmation on changing cron (server/4236)
    Fix scheduling plugin on legacy caldav endpoint (server/4235)
    Directly fix invalid values of DTEND and DTSTART (server/4234)
    Make JobList::next() lock free (server/4254)
    Don't remove owner property for public calendars (server/4272)
    Add capabilities for share by mail (server/42511)
    Dont use the permissions mask while scanning (server/4278)
    Add missing maintenance plugin to new DAV endpoint (server/4290)
    Fix bug with shared_by for own calendars if shared (server/4301)
    Translation string corrected > 1 user (server/4377)

Activity

    Fix activities for "Files drop" on external storages (activity/118)

User_SAML

    Bump to php-saml 2.10.5 (user_saml/1001)

Logreader

    Small screen layout improvements (logreader/2bcd915969386ceb77c7f91dfd5fc19fd3212346
    Fix log filtering (logreader/4095dfc62dcceb3c59a3f581baa5589737d0e6f3)
    Greatly speedup log iteration (logreader/71a4c6849641f821e80d96674c57a69fe7a8aa9e)
    Search more rows (logreader/b9d00b5599ac8a76862895266f1c23096391aad8)
    Stop iterating if we dont have a valid file handle (logreader/a87a8e653ecae5efef6342e645b98f2878219c87)
    Don't return a LogIterator on a broken handle (logreader/39069108f99d463b1cb8bc944f3ef24324b9f43d)
    More robust log iteration (logreader/c0eb04d55bf1dee94ef523dae0e3b0e6afc272a6)
    Use proper iso date format (logreader/13a31181a6d72d084797a71f49f2c5edee8c8dae)
    Automatically try to fix some common escape errors from copy-pasted log entries (logreader/031db2a7f9b9f8cee42acf6eae7d993d31d4660a)
    Fix stack trace parsing of incorrectly escaped logentries (logreader/538667770edfdd48374ef33e9c15498ed98ece60)
    Highlight entries from the same request when clicking on an entry (logreader/2d1ccd0e4cca32220fcbe0b4d79d1cd23f0e73a5)
    Fix copy paste info searchfield (logreader/0e91b2f46649a720feb7c3b6b8266b8657db5574)
    Fix reset search after 0 results (logreader/50bec8ecf7edd81cfb96a35089283c0d879b41f3)
    Allow searching for requestId and user (logreader/7f84e55bb4a1e4086ab0918a6bf58ad3885bbd91)
    Allow searching in url (logreader/7833d97cf85fd351d2f7550d67d21bd0c2a815f4)
    Fix infinite scroll (logreader/cbe874c6c068b9156ad8456edf31d112da40cbc9)
    Dont show loading indicator if we already have entries (logreader/d26a08dc0540126177e8d20c3e243b44c5a399c4)

Gallery

    Fix upload after core changes (gallery/b4ac4429841cfe2b7ea260dfb37fcde25580143c2)
    Update JavaScript libraries (gallery/247)

(ryoon)

Add examples to CHECK_WRKREF_SKIP.

(jperkin)

Add broken python scripts to CHECK_WRKREF_SKIP too.

(jperkin)

Updated www/py-tornado to 4.5.1; devel/py-pexpect to 4.2.1

(adam)

Version 4.2.1
* Fix to allow running ``env`` in replwrap-ed bash.
* Raise more informative exception from pxssh if it fails to connect.
* Change ``passmass`` example to not log passwords entered.

(adam)

What's new in Tornado 4.5

`tornado.log`
- Improved detection of libraries for colorized logging.

`tornado.httputil`
- `.url_concat` once again treats None as equivalent to an empty sequence.

(adam)

Remove rdoc.mk now.

(taca)

Remove RUBY_RDOC_PKGSRC_VERS.

(taca)

Remove setting RUBY_RDOC_REQD and using "rdoc.mk".

(taca)

Note remove of devel/ruby-rdoc package.

(taca)

Remove ruby-rdoc package since rdoc bultin ruby*-base is enough to use.

(taca)

Delete ruby-rdoc.

(taca)

Drop use of RUBY_RDOC_REQD.  Since current all ruby*-base packages
contains rdoc version 4.1.0 or later, there is no reason to require
sepatate devel/ruby-rdoc pacakge.

So, RUBY_RDOC_REQD is already noop, no PKGREVISION bump.

(taca)

oops, add gcc7 here, too.

I would like to know if other people have trouble with it.

(maya)

Add security patches & bump rev.
via FreeBSD bz #216658

https://nvd.nist.gov/vuln/detail/CVE-2017-5225
http://bugzilla.maptools.org/show_bug.cgi?id=2656
http://bugzilla.maptools.org/show_bug.cgi?id=2657
https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7

https://nvd.nist.gov/vuln/detail/CVE-2017-7592
http://bugzilla.maptools.org/show_bug.cgi?id=2658
https://github.com/vadz/libtiff/commit/48780b4fcc42

https://nvd.nist.gov/vuln/detail/CVE-2017-7593
http://bugzilla.maptools.org/show_bug.cgi?id=2651
https://github.com/vadz/libtiff/commit/d60332057b95

https://nvd.nist.gov/vuln/detail/CVE-2017-7594
http://bugzilla.maptools.org/show_bug.cgi?id=2659
https://github.com/vadz/libtiff/commit/8283e4d1b7e5
https://github.com/vadz/libtiff/commit/2ea32f7372b6

https://nvd.nist.gov/vuln/detail/CVE-2017-7595
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

https://nvd.nist.gov/vuln/detail/CVE-2017-7598
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8

https://nvd.nist.gov/vuln/detail/CVE-2017-7601
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490

https://nvd.nist.gov/vuln/detail/CVE-2017-7602
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

(sevan)

fix PLIST when the official-mozilla-branding option is enabled

(snj)

Updated devel/py-py to 1.4.33

(adam)

Changes 1.4.33: Clean up tox.ini and use tox-travis to run on Travis

(adam)

Updated devel/py-codestyle to 2.3.1

(adam)

Changes 2.3.1:
Bugs:
* Fix regression in detection of E302 and E306

(adam)

+ abcmidi-20170416, asterisk-13.14.1, claws-mail-3.15.0,
  libgphoto2-2.5.13, libmtp-1.1.13, lyx-2.3.0, mame-0.185,
  phpmyadmin-4.7.0, py-tornado-4.5.1, xfce4-desktop-4.13.0.

(wiz)

Updated databases/mongo-tools to 3.4.4

(fhajny)

Update databases/mongo-tools to 3.4.4

3.4.2
- PreProcessing is failling with "got invalid document size"
- mongo-replay crashes during playback
- nil pointer derereference when error occurs

3.4.1
- Stats collection has large playback performance impact
- Add option to set capture buffer size to avoid packet loss
- Playback file contains full reply payload
- mongoreplay: out of bounds error in "shortenreply" during record
- Add test for restoring a collection with a default collation
- nil pointer dereference in mongoreplay when error on new playback
  file creation

3.2.10
- Don't create intents for system.profile.metadata.json files
- tools do not respect readPreference=secondary when connecting to a
  mongos
- Mongodump SSL and GSSAPI authentication
- No numeric version in -version output
- Backport to v3.2
- Issue only one ApplyOps cmd per oplog entry

3.2.9
- Make -version spit out a bit more information.

3.2.8
- Mongostat with discover can find the same node twice in a sharded
  cluster
- mongostat -discover does not alias localhost to the target hostname
- mongoimport returns exit code 0 even when error prevents records
  from being inserted
- Wrong error message while using mongoimport
- add a "-assertExists" option to mongoexport
- Use v3.2.7 for qa tests
- mongoimport types jstest fails on functions

(fhajny)

Introduce CHECK_SHLIBS_BLACKLIST which allows users to specify a list of
regexps that will cause the checks to fail if they match resolved RPATHs.

(jperkin)

Updated databases/mysql55-client to 5.5.56

(mef)

Updated database/mysql55-{client,server} to 5.5.56
-------------------------------------------------------------------
(From https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html)

Changes in MySQL 5.5.56 (2017-05-02, General availability)

Binary packages for MySQL 5.5.56 are identical to those for MySQL
5.5.55, except for the version number. The change in 5.5.56 for Bug
#25942414 is applicable only to those who build from source.

Security Notes

  For the WITH_SSL CMake option, no is no longer a permitted value or
the default value. The default is now bundled. Consequently, MySQL now
is always built with SSL support. (Bug #25942414)
-------------------------------------------------------------------
(pkgsrc changes)
- Removed ssl option both from PKG_{SUPPORTED,SUGGESTED}_OPTIONS.
  This may give error if ssl is explicitly designated, but I believe
  that is the (kind of) upstream intension.
  (or left ssl in SUPPORTED and ignore it ?)

(mef)

php71: require a GCC version newer than the one in PHP bug #74527
on i386, re-fixing the build on i386 in a simpler way.

(maya)

php71: revert my previous commit.
Next commit will require a newer GCC on i386 re-fixing the build.

This is to make pullups easier maybe.

(maya)

Updated lang/nodejs4 to 4.8.3

(fhajny)

Update lang/nodejs4 to 4.8.3.

- module: The module loading global fallback to the Node executable's
  directory now works correctly on Windows.
- src: fix base64 decoding in rare edgecase
- tls: fix rare segmentation faults when using TLS

(fhajny)

php70: require a GCC version newer than the one in PHP bug #74527
on i386. It doesn't appear with any pkgsrc compiler I've tried
(GCC 6, 5, 4.9). Fixes i386 build.

(maya)

Remove double line committed by mistake

(fhajny)

Note libressl

(maya)

libressl: update to 2.5.4

We have released LibreSSL 2.5.4, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:

  * Reverted a previous change that forced consistency between return
    value and error code when specifing a certificate verification
    callback, since this breaks the documented API. When a user supplied
    callback always returns 1, and later code checks the error code to
    potentially abort post verification, this will result in incorrect
    successul certificate verification.

  * Switched Linux getrandom() usage to non-blocking mode, continuing to
    use fallback mechanims if unsuccessful. This works around a design
    flaw in Linux getrandom(2) where early boot usage in a library makes
    it impossible to recover if getrandom(2) is not yet initialized.

  * Fixed a bug caused by the return value being set early to signal
    successful DTLS cookie validation. This can mask a later failure and
    result in a positive return value being returned from
    ssl3_get_client_hello(), when it should return a negative value to
    propagate the error.

  * Fixed a build error on non-x86/x86_64 systems running Solaris.

We have released LibreSSL 2.5.3, based on OpenBSD 6.1, which will be the new
stable release series. LibreSSL 2.3.x support has also ended. LibreSSL 2.5.3
contains the following changes from the previous stable release.

* libtls now supports ALPN and SNI

* libtls adds a new callback interface for integrating custom IO functions.
    Thanks to Tobias Pape.

* libtls now handles 4 cipher suite groups:
    "secure" (TLSv1.2+AEAD+PFS)
    "compat" (HIGH:!aNULL)
    "legacy" (HIGH:MEDIUM:!aNULL)
    "insecure" (ALL:!aNULL:!eNULL)
  This allows for flexibility and finer grained control, rather than having
  two extremes (an issue raised by Marko Kreen some time ago).

* Tightened error handling for tls_config_set_ciphers().

* libtls now always loads CA, key and certificate files at the time the
  configuration function is called. This simplifies code and results in a single
  memory based code path being used to provide data to libssl.

* Added support for OCSP intermediate certificates.

* Added functions used by stunnel and exim from BoringSSL - this brings in
  X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc.

* Added initial support for iOS, thanks to Jacob Berkman.

* Improved behavior of arc4random on Windows when using memory leak analysis
  software.

* Correctly handle an EOF that occurs prior to the TLS handshake completing.
    Reported by Vasily Kolobkov, based on a diff from Marko Kreen.

* Limit the support of the "backward compatible" ssl2 handshake to only be
  used if TLS 1.0 is enabled.

* Fix incorrect results in certain cases on 64-bit systems when BN_mod_word()
  can return incorrect results. BN_mod_word() now can return an error condition.
  Thanks to Brian Smith.

* Added constant-time updates to address CVE-2016-0702

* Fixed undefined behavior in BN_GF2m_mod_arr()

* Removed unused Cryptographic Message Support (CMS)

* More conversions of long long idioms to time_t

* Improved compatibility by avoiding printing NULL strings with printf.

* Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal()
  and EVP_DecryptFinal(). Some software relies on the previous behaviour.

* Avoid unbounded memory growth in libssl, which can be triggered by a TLS
  client repeatedly renegotiating and sending OCSP Status Request TLS extensions.

* Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.

* X509_cmp_time() now passes a malformed GeneralizedTime field as an error.
  Reported by Theofilos Petsios.

* Detect zero-length encrypted session data early, instead of when malloc(0)
  fails or the HMAC check fails. Noted independently by jsing@ and Kurt Cancemi.

* Check for and handle failure of HMAC_{Update,Final} or EVP_DecryptUpdate().

* Massive update and normalization of manpages, conversion to mandoc format.
  Many pages were rewritten for clarity and accuracy. Portable doc links are
  up-to-date with a new conversion tool.

* Curve25519 Key Exchange support.

* Support for alternate chains for certificate verification.

* Code cleanups, CBB conversions, further unification of DTLS/SSL handshake
  code, further ASN1 macro expansion and removal.

* Private symbols are now hidden in libssl and libcrypto.

* Friendly certificate verification error messages in libtls, peer
  verification is now always enabled.

* Added OCSP stapling support to libtls and nc.

* Added ocspcheck utility to validate a certificate against its OCSP responder
  and save the reply for stapling

* Enhanced regression tests and error handling for libtls.

* Added explicit constant and non-constant time BN functions, defaulting to
  constant time wherever possible.

* Moved many leaked implementation details in public structs behind opaque
  pointers.

* Added ticket support to libtls.

* Added support for setting the supported EC curves via
  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
  SSL{_CTX}_set1_curves{_list} names. This also changes the default list of
  curves to be X25519, P-256 and P-384. All other curves must be manually
  enabled.

* Added -groups option to openssl(1) s_client for specifying the curves to be
  used in a colon-separated list.

* Merged client/server version negotiation code paths into one, reducing much
  duplicate code.

* Removed error function codes from libssl and libcrypto.

* Fixed an issue where a truncated packet could crash via an OOB read.

* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows client-initiated
  renegotiation. This is the default for libtls servers.

* Avoid a side-channel cache-timing attack that can leak the ECDSA private
  keys when signing. This is due to BN_mod_inverse() being used without the
  constant time flag being set. Reported by Cesar Pereida Garcia and Billy
  Brumley (Tampere University of Technology). The fix was developed by Cesar
  Pereida Garcia.

* iOS and MacOS compatibility updates from Simone Basso and Jacob Berkman.

* Added the recallocarray(3) memory allocation function, and converted various
  places in the library to use it, such as CBB and BUF_MEM_grow. recallocarray(3)
  is similar to reallocarray. Newly allocated memory is cleared similar to
  calloc(3). Memory that becomes unallocated while shrinking or moving existing
  allocations is explicitly discarded by unmapping or clearing to 0.

* Added new root CAs from SECOM Trust Systems / Security Communication of Japan.

* Added EVP interface for MD5+SHA1 hashes.

* Fixed DTLS client failures when the server sends a certificate request.

* Correct handling of padding when upgrading an SSLv2 challenge into an
  SSLv3/TLS connection.

* Allow protocols and ciphers to be set on a TLS config object in libtls.

* Improved nc(1) TLS handshake CPU usage and server-side error reporting.

* Add a constant time version of BN_gcd and use it default for BN_gcd to avoid
  the possibility of sidechannel timing attacks against RSA private key
  generation - Thanks to Alejandro Cabrera

We have released LibreSSL 2.5.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:

    * Added the recallocarray(3) memory allocation function, and converted
      various places in the library to use it, such as CBB and BUF_MEM_grow.
      recallocarray(3) is similar to reallocarray. Newly allocated memory
      is cleared similar to calloc(3). Memory that becomes unallocated
      while shrinking or moving existing allocations is explicitly
      discarded by unmapping or clearing to 0.

    * Added new root CAs from SECOM Trust Systems / Security Communication
      of Japan.

    * Added EVP interface for MD5+SHA1 hashes.

    * Fixed DTLS client failures when the server sends a certificate
      request.

    * Correct handling of padding when upgrading an SSLv2 challenge into
      an SSLv3/TLS connection.

    * Allow protocols and ciphers to be set on a TLS config object in
      libtls.

    * Improved nc(1) TLS handshake CPU usage and server-side error
      reporting.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

(maya)

Updated lang/nodejs6 to 6.10.3

(fhajny)

Update lang/nodejs6 to 6.10.3

- module: The module loading global fallback to the Node executable's
  directory now works correctly on Windows.
- src: fix base64 decoding in rare edgecase
- tls: fix rare segmentation faults when using TLS

(fhajny)

Updated devel/ivykis to 0.42

(fhajny)

Update devel/ivykis to 0.42.

- Fix ->set_poll_timeout() related bug with timers that expire at time zero.

(fhajny)

Updated devel/cmake to 3.8.1

(adam)

Changes in 3.8.1 since 3.8.0:
* FindOpenSSL: Add more library name alternatives
* FindBoost: Restore tolerance of backslashes in paths
* Tests: Fix FindModulesExecuteAll when KDE4 is installed
* Tests: Simplify CMakeOnly.AllFindModules policy settings
* FindBoost: Fix library directory for VS 2017
* CPack/RPM doc: CPACK_RPM_BUILDREQUIRES docs
* source_group: Fix TREE with root that is not current source dir
* FindMatlab: Add support for Matlab 2017a
* VS: Fix project reference inspection in VS IDE
* FindBoost: Allow testing for multiple compiler suffixes
* FindBoost: Support prebuilt Windows binaries from SourceForge
* VS2017: Verify Windows 8.1 SDK before using it

(adam)

Updated textproc/the_silver_searcher to 1.0.3

(leot)

Update textproc/the_silver_searcher to 1.0.3

Changes:
1.0.3
=====
- Add .es6 to js file types
- Add support for log file types
- Add elm file type support
- Add twig to languages
- Add .gradle to groovy flie types
- Misc bug fixes and improvements

(leot)

Update salt to 2016.11.4

(sborrill)

Convert CXXFLAGS setting C++ standard to USE_LANGUAGES.

(jperkin)

Add support to USE_LANGUAGES for C++ standards from c++0x to gnu++14.

This allows packages to specify the version of the standard that they
require, and the infrastructure then distils that down in a similar way
to GCC_REQD to the newest standard, avoiding clashes with different -std
requirements based on CXXFLAGS.

Broad concensus on tech-pkg and tested in bulk builds.

(jperkin)

Update to 2016.11.4. Changelog:
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html

Also ensure PID file paths are correct.

(sborrill)

Updated benchmarks/dnsperf to 2.1.0.0

(mef)

Updated benchmarks/dnsperl to 2.1.0.0
-------------------------------------
dnsperf 2.1.0.0
Release Notes
************************
December 15, 2015

In addition to various bug fixes, the following new capabilities
were added in this release:

- The -C option was added to resperf. This option enables the local
  server to act as multiple clients.  By default, the local server
  acts as a single client.

- the -T option was added to dnsperf. This option separates the
  number of clients from the number of threads and allows more
  clients to be simulated effectively.  Note that using this option
  impacts CPU and memory, so we recommend limiting the number of
  threads.

(mef)

chmod the right files, the .sh are just an identical wrapper now

(spz)

Updated benchmarks/fio to 2.19

(mef)

Updated benchmarks/fio to 2.19
------------------------------
  (Explicit ChangeLog/Release Note not known, sorry)

(mef)

gcc7: cleanup some accidential wip package and gcc-java leftovers

(maya)

Note GCC 7.1.0 addition

(maya)

Add GCC 7.1.0

GCC Java removed, package now uses ISL 0.16.1

Release notes:

We are proud to announce the next, major release of the
GNU Compiler Collection, 7.1.  This year we celebrated the 30th
anniversary of the first GCC beta release and this month
we will celebrate 30 years since the GCC 1.0 release.

GCC 7.1 is a major release containing substantial new
functionality not available in GCC 6.x or previous GCC releases.

The C++ frontend now has experimental support for all of the current C++17
draft, with the -std=c++1z and -std=gnu++1z options, and the libstdc++
library has most of the C++17 draft library features implemented too.

This releases features various improvements in the emitted diagnostics,
including improved locations, location ranges, suggestions for misspelled
identifiers, option names, fix-it hints and various new warnings
have been added.

The optimizers have been improved, with improvements appearing in all of
intra- and inter-procedural optimizations, link time optimizations and
various target backends, including, but not limited to, additions of store
merging pass, code hoisting optimization, loop splitting, and
shrink wrapping improvements.

The Address Sanitizer can now report uses of variables after leaving their
scope.  GCC now can be configured for OpenMP 4.5 offloading to NVidia PTX
GPGPUs.

Some code that compiled successfully with older GCC versions might require
some code adjustments, see http://gcc.gnu.org/gcc-7/porting_to.html for
details.

See

  https://gcc.gnu.org/gcc-7/changes.html

for more information about changes in GCC 7.1.

(maya)

Updated x11/dmenu to 4.7

(leot)

Update x11/dmenu to 4.7.

Changes:
4.7
===
New features
------------
- Add embedding support with -w option.
  This option can be used to xembed dmenu into an application. This is
  useful in particular for surf.
- config.h: add config option for word delimiters.

Noteworthy fixes
----------------
- die() on calloc failure.
- Sync new drw from libsl and minor fixes.
- arg.h: fixed argv checks order.
- Regression fix: Do not crash on e.g. dmenu < /dev/null
- Shut up glibc about _BSD_SOURCE being deprecated.
- Xinerama: correct variable declarations in preprocessor conditional.
- Small man page improvements.

Thanks in particular to the contributors
----------------------------------------
- Andrew Gregory
- Klemens Nanni
- Lucas Gabriel Vuotto
- Markus Teich
- Quentin Rameau
- S. Gilles
- Thomas Gardner

(leot)

* Remove patch adding syscall.Dup2() for SunOS, software should be using unix.Dup2() instead.
  https://github.com/joyent/pkgsrc/pull/492
* Improve handling of low-memory situations on Illumos.
  https://github.com/joyent/pkgsrc/pull/493

(fhajny)

Updated security/go-crypto-acme to 0.0.20170502

(fhajny)

Update go-crypto to state as of 20170502, no changelog available.
Fix build on (at least) SunOS by depending on go-sys.

(fhajny)

Enable go-sys

(fhajny)

Added devel/go-sys version 0.0.20170427

(fhajny)

Import go-sys from 20170427 as devel/go-sys.

This repository holds supplemental Go packages for low-level
interactions with the operating system.

(fhajny)

Updated net/nsd to 4.1.16

(ryoon)

Update to 4.1.16

Changelog:
Apr 25, 2017
Features
    zone parser can parse acronyms for algorithms ED25519 and ED448.
    Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.

Bugfixes
    Calculate new udb index after growing the array, fix from Chaofeng Liu.
    Fix missing _t to _type conversion for disable-radix-tree option.
    Printout serial error with hint it may be too big.
    Fix 1228: OpenSSL include is not guarded with HAVE_SSL
    Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
    minor manpage fix.

(ryoon)

Updated textproc/mdoclint to 1.48

(wiz)

1.48: remove -P option; mandoc does most of these checks already
and the remaining ones were recently added.

>From Ingo Schwarze.

(wiz)

Bug fix from Ingo Schwarze: also look for empty lines in unfilled blocks.

(wiz)

Recursive bump for poppler-0.54.0

(wiz)

Updated print/poppler to 0.54.0

(wiz)

poppler*: update to 0.54.0:

Release 0.54.0
        core:
        * Make XRef reconstruction a bit better. Bug #100509

        glib:
        * Expose movie play mode. Bug #99625
        * demo: Show play mode in movie properties view

        qt5:
        * Compile with -DQT_NO_CAST_FROM_BYTEARRAY. Bug #100311

        utils:
        * pdfimages: don't fail listing if inline image data contains 'EI'. Bug #100737

Release 0.53.0
        core:
        * Form support improvements
        * SplashOutputDev: Fix memory leak when rendering images with colormap and matte color
        * Minor fix in GlobalParams documentation

        qt5:
        * Expose form calculate order
        * Expose Form additional actions

        utils:
        * pdfimages: support 16bpc png and tiff images. Bug #99988
        * pdftohtml: fix small memory leak when constructing some filenames
        * pdfinfo: fix leak when printing JS

        build sytem:
        * Compile in C++11 mode

(wiz)

Updated www/nginx-devel to 1.13.0

(fhajny)

* Update www/nginx-devel to 1.13.0.
* Update naxsi to 0.55.3

Changes with nginx 1.13.0                                        25 Apr 2017

- Change: SSL renegotiation is now allowed on backend connections.
- Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
  directives of the mail proxy and stream modules.
- Feature: the "return" and "error_page" directives can now be used to
  return 308 redirections.
  Thanks to Simon Leblanc.
- Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
- Feature: when logging signals nginx now logs PID of the process which
  sent the signal.
- Bugfix: in memory allocation error handling.
- Bugfix: if a server in the stream module listened on a wildcard
  address, the source address of a response UDP datagram could differ
  from the original datagram destination address.

Changes with nginx 1.11.13                                      04 Apr 2017

- Feature: the "http_429" parameter of the "proxy_next_upstream",
  "fastcgi_next_upstream", "scgi_next_upstream", and
  "uwsgi_next_upstream" directives.
  Thanks to Piotr Sikora.
- Bugfix: in memory allocation error handling.
- Bugfix: requests might hang when using the "sendfile" and
  "timer_resolution" directives on Linux.
- Bugfix: requests might hang when using the "sendfile" and "aio_write"
  directives with subrequests.
- Bugfix: in the ngx_http_v2_module.
  Thanks to Piotr Sikora.
- Bugfix: a segmentation fault might occur in a worker process when
  using HTTP/2.
- Bugfix: requests might hang when using the "limit_rate",
  "sendfile_max_chunk", "limit_req" directives, or the $r->sleep()
  embedded perl method with subrequests.
- Bugfix: in the ngx_http_slice_module.

Changes with nginx 1.11.12                                      24 Mar 2017

- Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11.

Changes with nginx 1.11.11                                      21 Mar 2017

- Feature: the "worker_shutdown_timeout" directive.
- Feature: vim syntax highlighting scripts improvements.
  Thanks to Wei-Ko Kao.
- Bugfix: a segmentation fault might occur in a worker process if the
  $limit_rate variable was set to an empty string.
- Bugfix: the "proxy_cache_background_update",
  "fastcgi_cache_background_update", "scgi_cache_background_update",
  and "uwsgi_cache_background_update" directives might work incorrectly
  if the "if" directive was used.
- Bugfix: a segmentation fault might occur in a worker process if
  number of large_client_header_buffers in a virtual server was
  different from the one in the default server.
- Bugfix: in the mail proxy server.

Changes with nginx 1.11.10                                      14 Feb 2017

- Change: cache header format has been changed, previously cached
  responses will be invalidated.
- Feature: support of "stale-while-revalidate" and "stale-if-error"
  extensions in the "Cache-Control" backend response header line.
- Feature: the "proxy_cache_background_update",
  "fastcgi_cache_background_update", "scgi_cache_background_update",
  and "uwsgi_cache_background_update" directives.
- Feature: nginx is now able to cache responses with the "Vary" header
  line up to 128 characters long (instead of 42 characters in previous
  versions).
- Feature: the "build" parameter of the "server_tokens" directive.
  Thanks to Tom Thorogood.
- Bugfix: "[crit] SSL_write() failed" messages might appear in logs
  when handling requests with the "Expect: 100-continue" request header
  line.
- Bugfix: the ngx_http_slice_module did not work in named locations.
- Bugfix: a segmentation fault might occur in a worker process when
  using AIO after an "X-Accel-Redirect" redirection.
- Bugfix: reduced memory consumption for long-lived requests using
  gzipping.

(fhajny)

Updated www/nginx to 1.12.0

(fhajny)

* Update www/nginx to 1.12.0.
* Update naxsi to 0.55.3.

Approximate changelog since nginx 1.10.3 follows.

Changes with nginx 1.12.0                                        12 Apr 2017
- 1.12.x stable branch.

Changes with nginx 1.11.13                                      04 Apr 2017
- Feature: the "http_429" parameter of the "proxy_next_upstream",
  "fastcgi_next_upstream", "scgi_next_upstream", and
  "uwsgi_next_upstream" directives.
  Thanks to Piotr Sikora.
- Bugfix: in memory allocation error handling.
- Bugfix: requests might hang when using the "sendfile" and
  "timer_resolution" directives on Linux.
- Bugfix: requests might hang when using the "sendfile" and "aio_write"
  directives with subrequests.
- Bugfix: in the ngx_http_v2_module.
  Thanks to Piotr Sikora.
- Bugfix: a segmentation fault might occur in a worker process when
  using HTTP/2.
- Bugfix: requests might hang when using the "limit_rate",
  "sendfile_max_chunk", "limit_req" directives, or the $r->sleep()
  embedded perl method with subrequests.
- Bugfix: in the ngx_http_slice_module.

Changes with nginx 1.11.12                                      24 Mar 2017
- Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11.

Changes with nginx 1.11.11                                      21 Mar 2017
- Feature: the "worker_shutdown_timeout" directive.
- Feature: vim syntax highlighting scripts improvements.
  Thanks to Wei-Ko Kao.
- Bugfix: a segmentation fault might occur in a worker process if the
  $limit_rate variable was set to an empty string.
- Bugfix: the "proxy_cache_background_update",
  "fastcgi_cache_background_update", "scgi_cache_background_update",
  and "uwsgi_cache_background_update" directives might work incorrectly
  if the "if" directive was used.
- Bugfix: a segmentation fault might occur in a worker process if
  number of large_client_header_buffers in a virtual server was
  different from the one in the default server.
- Bugfix: in the mail proxy server.

Changes with nginx 1.11.10                                      14 Feb 2017
- Change: cache header format has been changed, previously cached
  responses will be invalidated.
- Feature: support of "stale-while-revalidate" and "stale-if-error"
  extensions in the "Cache-Control" backend response header line.
- Feature: the "proxy_cache_background_update",
  "fastcgi_cache_background_update", "scgi_cache_background_update",
  and "uwsgi_cache_background_update" directives.
- Feature: nginx is now able to cache responses with the "Vary" header
  line up to 128 characters long (instead of 42 characters in previous
  versions).
- Feature: the "build" parameter of the "server_tokens" directive.
  Thanks to Tom Thorogood.
- Bugfix: "[crit] SSL_write() failed" messages might appear in logs
  when handling requests with the "Expect: 100-continue" request header
  line.
- Bugfix: the ngx_http_slice_module did not work in named locations.
- Bugfix: a segmentation fault might occur in a worker process when
  using AIO after an "X-Accel-Redirect" redirection.
- Bugfix: reduced memory consumption for long-lived requests using
  gzipping.

Changes with nginx 1.11.9                                        24 Jan 2017
- Bugfix: nginx might hog CPU when using the stream module; the bug had
  appeared in 1.11.5.
- Bugfix: EXTERNAL authentication mechanism in mail proxy was accepted
  even if it was not enabled in the configuration.
- Bugfix: a segmentation fault might occur in a worker process if the
  "ssl_verify_client" directive of the stream module was used.
- Bugfix: the "ssl_verify_client" directive of the stream module might
  not work.
- Bugfix: closing keepalive connections due to no free worker
  connections might be too aggressive.
  Thanks to Joel Cunningham.
- Bugfix: an incorrect response might be returned when using the
  "sendfile" directive on FreeBSD and macOS; the bug had appeared in
  1.7.8.
- Bugfix: a truncated response might be stored in cache when using the
  "aio_write" directive.
- Bugfix: a socket leak might occur when using the "aio_write"
  directive.

Changes with nginx 1.11.8                                        27 Dec 2016
- Feature: the "absolute_redirect" directive.
- Feature: the "escape" parameter of the "log_format" directive.
- Feature: client SSL certificates verification in the stream module.
- Feature: the "ssl_session_ticket_key" directive supports AES256
  encryption of TLS session tickets when used with 80-byte keys.
- Feature: vim-commentary support in vim scripts.
  Thanks to Armin Grodon.
- Bugfix: recursion when evaluating variables was not limited.
- Bugfix: in the ngx_stream_ssl_preread_module.
- Bugfix: if a server in an upstream in the stream module failed, it
  was considered alive only when a test connection sent to it after
  fail_timeout was closed; now a successfully established connection is
  enough.
- Bugfix: nginx/Windows could not be built with 64-bit Visual Studio.
- Bugfix: nginx/Windows could not be built with OpenSSL 1.1.0.

Changes with nginx 1.11.7                                        13 Dec 2016

- Change: now in case of a client certificate verification error the
  $ssl_client_verify variable contains a string with the failure
  reason, for example, "FAILED:certificate has expired".
- Feature: the $ssl_ciphers, $ssl_curves, $ssl_client_v_start,
  $ssl_client_v_end, and $ssl_client_v_remain variables.
- Feature: the "volatile" parameter of the "map" directive.
- Bugfix: dependencies specified for a module were ignored while
  building dynamic modules.
- Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
  directives client request body might be corrupted; the bug had
  appeared in 1.11.0.
- Bugfix: a segmentation fault might occur in a worker process when
  using HTTP/2; the bug had appeared in 1.11.3.
- Bugfix: in the ngx_http_mp4_module.
  Thanks to Congcong Hu.
- Bugfix: in the ngx_http_perl_module.

(fhajny)

Updated ImageMagick to 7.0.5.5.

2017-04-24  7.0.5-5 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.5-5, GIT revision 19908:bc92979:20170424.

2017-03-26  7.0.5-5 Cristy  <quetzlzacatenango@image...>
  * Minimize buffer copies to improve OpenCL performance.
  * Morphology thinning is no longer a no-op (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31650).
  * Patch two PCD writer problems, corrupt output and dark pixels (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=3164).
  * Support ICC based PDF's (reference
    https://github.com/ImageMagick/ImageMagick/issues/417).
  * Fix improper EPS clip path rendering (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31722).

(wiz)

Updated graphics/ImageMagick to 7.0.5.5

(wiz)

Updated net/tor to 0.3.0.6

(wiz)

Updated tor to 0.3.0.6.

Changes in version 0.3.0.6 - 2017-04-26
  Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.

  With the 0.3.0 series, clients and relays now use Ed25519 keys to
  authenticate their link connections to relays, rather than the old
  RSA1024 keys that they used before. (Circuit crypto has been
  Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
  the guard selection and replacement algorithm to behave more robustly
  in the presence of unreliable networks, and to resist guard-
  capture attacks.

  This series also includes numerous other small features and bugfixes,
  along with more groundwork for the upcoming hidden-services revamp.

  Per our stable release policy, we plan to support the Tor 0.3.0
  release series for at least the next nine months, or for three months
  after the first stable release of the 0.3.1 series: whichever is
  longer. If you need a release with long-term support, we recommend
  that you stay with the 0.2.9 series.

  Below are the changes since 0.2.9.10. For a list of only the changes
  since 0.3.0.5-rc, see the ChangeLog file.

  o Major features (directory authority, security):
    - The default for AuthDirPinKeys is now 1: directory authorities
      will reject relays where the RSA identity key matches a previously
      seen value, but the Ed25519 key has changed. Closes ticket 18319.

  o Major features (guard selection algorithm):
    - Tor's guard selection algorithm has been redesigned from the
      ground up, to better support unreliable networks and restrictive
      sets of entry nodes, and to better resist guard-capture attacks by
      hostile local networks. Implements proposal 271; closes
      ticket 19877.

  o Major features (next-generation hidden services):
    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by
      prop224 aka "Next Generation Hidden Services". Service and clients
      don't use this functionality yet. Closes ticket 19043. Based on
      initial code by Alec Heifetz.
    - Relays now support the HSDir version 3 protocol, so that they can
      can store and serve v3 descriptors. This is part of the next-
      generation onion service work detailled in proposal 224. Closes
      ticket 17238.

  o Major features (protocol, ed25519 identity keys):
    - Clients now support including Ed25519 identity keys in the EXTEND2
      cells they generate. By default, this is controlled by a consensus
      parameter, currently disabled. You can turn this feature on for
      testing by setting ExtendByEd25519ID in your configuration. This
      might make your traffic appear different than the traffic
      generated by other users, however. Implements part of ticket
      15056; part of proposal 220.
    - Relays now understand requests to extend to other relays by their
      Ed25519 identity keys. When an Ed25519 identity key is included in
      an EXTEND2 cell, the relay will only extend the circuit if the
      other relay can prove ownership of that identity. Implements part
      of ticket 15056; part of proposal 220.
    - Relays now use Ed25519 to prove their Ed25519 identities and to
      one another, and to clients. This algorithm is faster and more
      secure than the RSA-based handshake we've been doing until now.
      Implements the second big part of proposal 220; Closes
      ticket 15055.

  o Major features (security):
    - Change the algorithm used to decide DNS TTLs on client and server
      side, to better resist DNS-based correlation attacks like the
      DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
      Feamster. Now relays only return one of two possible DNS TTL
      values, and clients are willing to believe DNS TTL values up to 3
      hours long. Closes ticket 19769.

  o Major bugfixes (client, onion service, also in 0.2.9.9):
    - Fix a client-side onion service reachability bug, where multiple
      socks requests to an onion service (or a single slow request)
      could cause us to mistakenly mark some of the service's
      introduction points as failed, and we cache that failure so
      eventually we run out and can't reach the service. Also resolves a
      mysterious "Remote server sent bogus reason code 65021" log
      warning. The bug was introduced in ticket 17218, where we tried to
      remember the circuit end reason as a uint16_t, which mangled
      negative values. Partially fixes bug 21056 and fixes bug 20307;
      bugfix on 0.2.8.1-alpha.

  o Major bugfixes (crash, directory connections):
    - Fix a rare crash when sending a begin cell on a circuit whose
      linked directory connection had already been closed. Fixes bug
      21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.

  o Major bugfixes (directory authority):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.

  o Major bugfixes (DNS):
    - Fix a bug that prevented exit nodes from caching DNS records for
      more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.

  o Major bugfixes (IPv6 Exits):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Major bugfixes (parsing):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.
    - When parsing a malformed content-length field from an HTTP
      message, do not read off the end of the buffer. This bug was a
      potential remote denial-of-service attack against Tor clients and
      relays. A workaround was released in October 2016, to prevent this
      bug from crashing Tor. This is a fix for the underlying issue,
      which should no longer matter (if you applied the earlier patch).
      Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
      using AFL (http://lcamtuf.coredump.cx/afl/).

  o Major bugfixes (scheduler):
    - Actually compare circuit policies in ewma_cmp_cmux(). This bug
      caused the channel scheduler to behave more or less randomly,
      rather than preferring channels with higher-priority circuits.
      Fixes bug 20459; bugfix on 0.2.6.2-alpha.

  o Major bugfixes (security, also in 0.2.9.9):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided." This hardening option,
      like others, can turn survivable bugs into crashes--and having it
      on by default made a (relatively harmless) integer overflow bug
      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
      bugfix on 0.2.9.1-alpha.

  o Minor feature (client):
    - Enable IPv6 traffic on the SocksPort by default. To disable this,
      a user will have to specify "NoIPv6Traffic". Closes ticket 21269.

  o Minor feature (fallback scripts):
    - Add a check_existing mode to updateFallbackDirs.py, which checks
      if fallbacks in the hard-coded list are working. Closes ticket
      20174. Patch by haxxpop.

  o Minor feature (protocol versioning):
    - Add new protocol version for proposal 224. HSIntro now advertises
      version "3-4" and HSDir version "1-2". Fixes ticket 20656.

  o Minor features (ciphersuite selection):
    - Allow relays to accept a wider range of ciphersuites, including
      chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
    - Clients now advertise a list of ciphersuites closer to the ones
      preferred by Firefox. Closes part of ticket 15426.

  o Minor features (controller):
    - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
      shared-random values to the controller. Closes ticket 19925.
    - When HSFETCH arguments cannot be parsed, say "Invalid argument"
      rather than "unrecognized." Closes ticket 20389; patch from
      Ivan Markin.

  o Minor features (controller, configuration):
    - Each of the *Port options, such as SocksPort, ORPort, ControlPort,
      and so on, now comes with a __*Port variant that will not be saved
      to the torrc file by the controller's SAVECONF command. This
      change allows TorBrowser to set up a single-use domain socket for
      each time it launches Tor. Closes ticket 20956.
    - The GETCONF command can now query options that may only be
      meaningful in context-sensitive lists. This allows the controller
      to query the mixed SocksPort/__SocksPort style options introduced
      in feature 20956. Implements ticket 21300.

  o Minor features (diagnostic, directory client):
    - Warn when we find an unexpected inconsistency in directory
      download status objects. Prevents some negative consequences of
      bug 20593.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.

  o Minor features (directory authority):
    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
      default) to control whether authorities should try to probe relays
      by their Ed25519 link keys. This option will go away in a few
      releases--unless we encounter major trouble in our ed25519 link
      protocol rollout, in which case it will serve as a safety option.

  o Minor features (directory cache):
    - Relays and bridges will now refuse to serve the consensus they
      have if they know it is too old for a client to use. Closes
      ticket 20511.

  o Minor features (ed25519 link handshake):
    - Advertise support for the ed25519 link handshake using the
      subprotocol-versions mechanism, so that clients can tell which
      relays can identity themselves by Ed25519 ID. Closes ticket 20552.

  o Minor features (entry guards):
    - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
      break regression tests.
    - Require UseEntryGuards when UseBridges is set, in order to make
      sure bridges aren't bypassed. Resolves ticket 20502.

  o Minor features (fallback directories):
    - Allow 3 fallback relays per operator, which is safe now that we
      are choosing 200 fallback relays. Closes ticket 20912.
    - Annotate updateFallbackDirs.py with the bandwidth and consensus
      weight for each candidate fallback. Closes ticket 20878.
    - Display the relay fingerprint when downloading consensuses from
      fallbacks. Closes ticket 20908.
    - Exclude relays affected by bug 20499 from the fallback list.
      Exclude relays from the fallback list if they are running versions
      known to be affected by bug 20499, or if in our tests they deliver
      a stale consensus (i.e. one that expired more than 24 hours ago).
      Closes ticket 20539.
    - Make it easier to change the output sort order of fallbacks.
      Closes ticket 20822.
    - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
      ticket 18828.
    - Require fallback directories to have the same address and port for
      7 days (now that we have enough relays with this stability).
      Relays whose OnionOO stability timer is reset on restart by bug
      18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
      this issue. Closes ticket 20880; maintains short-term fix
      in 0.2.8.2-alpha.
    - Require fallbacks to have flags for 90% of the time (weighted
      decaying average), rather than 95%. This allows at least 73% of
      clients to bootstrap in the first 5 seconds without contacting an
      authority. Part of ticket 18828.
    - Select 200 fallback directories for each release. Closes
      ticket 20881.

  o Minor features (fingerprinting resistence, authentication):
    - Extend the length of RSA keys used for TLS link authentication to
      2048 bits. (These weren't used for forward secrecy; for forward
      secrecy, we used P256.) Closes ticket 13752.

  o Minor features (geoip):
    - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
      Country database.

  o Minor features (geoip, also in 0.2.9.9):
    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
      Country database.

  o Minor features (infrastructure):
    - Implement smartlist_add_strdup() function. Replaces the use of
      smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.

  o Minor features (linting):
    - Enhance the changes file linter to warn on Tor versions that are
      prefixed with "tor-". Closes ticket 21096.

  o Minor features (logging):
    - In several places, describe unset ed25519 keys as "<unset>",
      rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.

  o Minor features (portability, compilation):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor features (relay):
    - We now allow separation of exit and relay traffic to different
      source IP addresses, using the OutboundBindAddressExit and
      OutboundBindAddressOR options respectively. Closes ticket 17975.
      Written by Michael Sonntag.

  o Minor features (reliability, crash):
    - Try better to detect problems in buffers where they might grow (or
      think they have grown) over 2 GB in size. Diagnostic for
      bug 21369.

  o Minor features (testing):
    - During 'make test-network-all', if tor logs any warnings, ask
      chutney to output them. Requires a recent version of chutney with
      the 21572 patch. Implements 21570.

  o Minor bugfix (control protocol):
    - The reply to a "GETINFO config/names" request via the control
      protocol now spells the type "Dependent" correctly. This is a
      breaking change in the control protocol. (The field seems to be
      ignored by the most common known controllers.) Fixes bug 18146;
      bugfix on 0.1.1.4-alpha.
    - The GETINFO extra-info/digest/<digest> command was broken because
      of a wrong base16 decode return value check, introduced when
      refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.

  o Minor bugfix (logging):
    - Don't recommend the use of Tor2web in non-anonymous mode.
      Recommending Tor2web is a bad idea because the client loses all
      anonymity. Tor2web should only be used in specific cases by users
      who *know* and understand the issues. Fixes bug 21294; bugfix
      on 0.2.9.3-alpha.

  o Minor bugfixes (bug resilience):
    - Fix an unreachable size_t overflow in base64_decode(). Fixes bug
      19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
      Hans Jerry Illikainen.

  o Minor bugfixes (build):
    - Replace obsolete Autoconf macros with their modern equivalent and
      prevent similar issues in the future. Fixes bug 20990; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (certificate expiration time):
    - Avoid using link certificates that don't become valid till some
      time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha

  o Minor bugfixes (client):
    - Always recover from failures in extend_info_from_node(), in an
      attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
      bugfix on 0.2.3.1-alpha.
    - When clients that use bridges start up with a cached consensus on
      disk, they were ignoring it and downloading a new one. Now they
      use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.

  o Minor bugfixes (code correctness):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.

  o Minor bugfixes (config):
    - Don't assert on startup when trying to get the options list and
      LearnCircuitBuildTimeout is set to 0: we are currently parsing the
      options so of course they aren't ready yet. Fixes bug 21062;
      bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (configuration):
    - Accept non-space whitespace characters after the severity level in
      the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
    - Support "TByte" and "TBytes" units in options given in bytes.
      "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
      supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.

  o Minor bugfixes (configure, autoconf):
    - Rename the configure option --enable-expensive-hardening to
      --enable-fragile-hardening. Expensive hardening makes the tor
      daemon abort when some kinds of issues are detected. Thus, it
      makes tor more at risk of remote crashes but safer against RCE or
      heartbleed bug category. We now try to explain this issue in a
      message from the configure script. Fixes bug 21290; bugfix
      on 0.2.5.4-alpha.

  o Minor bugfixes (consensus weight):
    - Add new consensus method that initializes bw weights to 1 instead
      of 0. This prevents a zero weight from making it all the way to
      the end (happens in small testing networks) and causing an error.
      Fixes bug 14881; bugfix on 0.2.2.17-alpha.

  o Minor bugfixes (crash prevention):
    - Fix an (currently untriggerable, but potentially dangerous) crash
      bug when base32-encoding inputs whose sizes are not a multiple of
      5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (dead code):
    - Remove a redundant check for PidFile changes at runtime in
      options_transition_allowed(): this check is already performed
      regardless of whether the sandbox is active. Fixes bug 21123;
      bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (descriptors):
    - Correctly recognise downloaded full descriptors as valid, even
      when using microdescriptors as circuits. This affects clients with
      FetchUselessDescriptors set, and may affect directory authorities.
      Fixes bug 20839; bugfix on 0.2.3.2-alpha.

  o Minor bugfixes (directory mirrors):
    - Allow relays to use directory mirrors without a DirPort: these
      relays need to be contacted over their ORPorts using a begindir
      connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
    - Clarify the message logged when a remote relay is unexpectedly
      missing an ORPort or DirPort: users were confusing this with a
      local port. Fixes another case of bug 20711; bugfix
      on 0.2.8.2-alpha.

  o Minor bugfixes (directory system):
    - Bridges and relays now use microdescriptors (like clients do)
      rather than old-style router descriptors. Now bridges will blend
      in with clients in terms of the circuits they build. Fixes bug
      6769; bugfix on 0.2.3.2-alpha.
    - Download all consensus flavors, descriptors, and authority
      certificates when FetchUselessDescriptors is set, regardless of
      whether tor is a directory cache or not. Fixes bug 20667; bugfix
      on all recent tor versions.

  o Minor bugfixes (documentation):
    - Update the tor manual page to document every option that can not
      be changed while tor is running. Fixes bug 21122.

  o Minor bugfixes (ed25519 certificates):
    - Correctly interpret ed25519 certificates that would expire some
      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (fallback directories):
    - Avoid checking fallback candidates' DirPorts if they are down in
      OnionOO. When a relay operator has multiple relays, this
      prioritizes relays that are up over relays that are down. Fixes
      bug 20926; bugfix on 0.2.8.3-alpha.
    - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
      Fixes bug 20877; bugfix on 0.2.8.3-alpha.
    - Stop failing when a relay has no uptime data in
      updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (hidden service):
    - Clean up the code for expiring intro points with no associated
      circuits. It was causing, rarely, a service with some expiring
      introduction points to not open enough additional introduction
      points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
    - Resolve two possible underflows which could lead to creating and
      closing a lot of introduction point circuits in a non-stop loop.
      Fixes bug 21302; bugfix on 0.2.7.2-alpha.
    - Stop setting the torrc option HiddenServiceStatistics to "0" just
      because we're not a bridge or relay. Instead, we preserve whatever
      value the user set (or didn't set). Fixes bug 21150; bugfix
      on 0.2.6.2-alpha.

  o Minor bugfixes (hidden services):
    - Make hidden services check for failed intro point connections,
      even when they have exceeded their intro point creation limit.
      Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
    - Make hidden services with 8 to 10 introduction points check for
      failed circuits immediately after startup. Previously, they would
      wait for 5 minutes before performing their first checks. Fixes bug
      21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
    - Stop ignoring misconfigured hidden services. Instead, refuse to
      start tor until the misconfigurations have been corrected. Fixes
      bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
      and earlier.

  o Minor bugfixes (IPv6):
    - Make IPv6-using clients try harder to find an IPv6 directory
      server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
    - When IPv6 addresses have not been downloaded yet (microdesc
      consensus documents don't list relay IPv6 addresses), use hard-
      coded addresses for authorities, fallbacks, and configured
      bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
      20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.

  o Minor bugfixes (memory leak at exit):
    - Fix a small harmless memory leak at exit of the previously unused
      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
      on 0.2.7.2-alpha.

  o Minor bugfixes (onion services):
    - Allow the number of introduction points to be as low as 0, rather
      than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (portability):
    - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
      It is supported by OpenBSD itself, and also by most OpenBSD
      variants (such as Bitrig). Fixes bug 20980; bugfix
      on 0.1.2.1-alpha.

  o Minor bugfixes (portability, also in 0.2.9.9):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
      on 0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (relay):
    - Avoid a double-marked-circuit warning that could happen when we
      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
      on 0.1.0.1-rc.
    - Honor DataDirectoryGroupReadable when tor is a relay. Previously,
      initializing the keys would reset the DataDirectory to 0700
      instead of 0750 even if DataDirectoryGroupReadable was set to 1.
      Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".

  o Minor bugfixes (testing):
    - Fix Raspbian build issues related to missing socket errno in
      test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein".
    - Remove undefined behavior from the backtrace generator by removing
      its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
    - Use bash in src/test/test-network.sh. This ensures we reliably
      call chutney's newer tools/test-network.sh when available. Fixes
      bug 21562; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (tor-resolve):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".

  o Minor bugfixes (unit tests):
    - Allow the unit tests to pass even when DNS lookups of bogus
      addresses do not fail as expected. Fixes bug 20862 and 20863;
      bugfix on unit tests introduced in 0.2.8.1-alpha
      through 0.2.9.4-alpha.

  o Minor bugfixes (util):
    - When finishing writing a file to disk, if we were about to replace
      the file with the temporary file created before and we fail to
      replace it, remove the temporary file so it doesn't stay on disk.
      Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk.

  o Minor bugfixes (Windows services):
    - Be sure to initialize the monotonic time subsystem before using
      it, even when running as an NT service. Fixes bug 21356; bugfix
      on 0.2.9.1-alpha.

  o Minor bugfixes (Windows):
    - Check for getpagesize before using it to mmap files. This fixes
      compilation in some MinGW environments. Fixes bug 20530; bugfix on
      0.1.2.1-alpha. Reported by "ice".

  o Code simplification and refactoring:
    - Abolish all global guard context in entrynodes.c; replace with new
      guard_selection_t structure as preparation for proposal 271.
      Closes ticket 19858.
    - Extract magic numbers in circuituse.c into defined variables.
    - Introduce rend_service_is_ephemeral() that tells if given onion
      service is ephemeral. Replace unclear NULL-checkings for service
      directory with this function. Closes ticket 20526.
    - Refactor circuit_is_available_for_use to remove unnecessary check.
    - Refactor circuit_predict_and_launch_new for readability and
      testability. Closes ticket 18873.
    - Refactor code to manipulate global_origin_circuit_list into
      separate functions. Closes ticket 20921.
    - Refactor large if statement in purpose_needs_anonymity to use
      switch statement instead. Closes part of ticket 20077.
    - Refactor the hashing API to return negative values for errors, as
      is done as throughout the codebase. Closes ticket 20717.
    - Remove data structures that were used to index or_connection
      objects by their RSA identity digests. These structures are fully
      redundant with the similar structures used in the
      channel abstraction.
    - Remove duplicate code in the channel_write_*cell() functions.
      Closes ticket 13827; patch from Pingl.
    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to
      use only purpose_needs_anonymity. Closes part of ticket 20077.
    - The code to generate and parse EXTEND and EXTEND2 cells has been
      replaced with code automatically generated by the
      "trunnel" utility.

  o Documentation (formatting):
    - Clean up formatting of tor.1 man page and HTML doc, where <pre>
      blocks were incorrectly appearing. Closes ticket 20885.

  o Documentation (man page):
    - Clarify many options in tor.1 and add some min/max values for
      HiddenService options. Closes ticket 21058.

  o Documentation:
    - Change '1' to 'weight_scale' in consensus bw weights calculation
      comments, as that is reality. Closes ticket 20273. Patch
      from pastly.
    - Clarify that when ClientRejectInternalAddresses is enabled (which
      is the default), multicast DNS hostnames for machines on the local
      network (of the form *.local) are also rejected. Closes
      ticket 17070.
    - Correct the value for AuthDirGuardBWGuarantee in the manpage, from
      250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha.
    - Include the "TBits" unit in Tor's man page. Fixes part of bug
      20622; bugfix on 0.2.5.1-alpha.
    - Small fixes to the fuzzing documentation. Closes ticket 21472.
    - Stop the man page from incorrectly stating that HiddenServiceDir
      must already exist. Fixes 20486.
    - Update the description of the directory server options in the
      manual page, to clarify that a relay no longer needs to set
      DirPort in order to be a directory cache. Closes ticket 21720.

  o Removed features:
    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same
      limit for relays running on a single IP applies to authority IP
      addresses as well as to non-authority IP addresses. Closes
      ticket 20960.
    - The UseDirectoryGuards torrc option no longer exists: all users
      that use entry guards will also use directory guards. Related to
      proposal 271; implements part of ticket 20831.

  o Testing:
    - Add tests for networkstatus_compute_bw_weights_v10.
    - Add unit tests circuit_predict_and_launch_new.
    - Extract dummy_origin_circuit_new so it can be used by other
      test functions.
    - New unit tests for tor_htonll(). Closes ticket 19563. Patch
      from "overcaffeinated".
    - Perform the coding style checks when running the tests and fail
      when coding style violations are found. Closes ticket 5500.

(wiz)