Add tex-ellipse{,-doc} 1.0

Draw ellipses and elliptical arcs using the standard LaTeX2e
picture environment.

(markd)

Updated www/py-werkzeug to 0.11.15.
Updated www/py-werkzeug-docs to 0.11.15.

(kleink)

Update py-werkzeug{,-docs} to 0.11.15.

Version 0.11.15
---------------

Released on December 30th 2016.

- Bugfix for the bugfix in the previous release.

Version 0.11.14
---------------

Released on December 30th 2016.

- Check if platform can fork before importing ``ForkingMixIn``, raise exception
  when creating ``ForkingWSGIServer`` on such a platform, see PR ``#999``.

Version 0.11.13
---------------

Released on December 26th 2016.

- Correct fix for the reloader issuer on certain Windows installations.

Version 0.11.12
---------------

Released on December 26th 2016.

- Fix more bugs in multidicts regarding empty lists. See ``#1000``.
- Add some docstrings to some `EnvironBuilder` properties that were previously
  unintentionally missing.
- Added a workaround for the reloader on windows.

Version 0.11.11
---------------

Released on August 31st 2016.

- Fix JSONRequestMixin for Python3. See #731
- Fix broken string handling in test client when passing integers. See #852
- Fix a bug in ``parse_options_header`` where an invalid content type
  starting with comma or semi-colon would result in an invalid return value,
  see issue ``#995``.
- Fix a bug in multidicts when passing empty lists as values, see issue
  ``#979``.
- Fix a security issue that allows XSS on the Werkzeug debugger. See ``#1001``.

(kleink)

Pullup ticket #5195 - requested by taca
www/typo3_62: security fix

Revisions pulled up:
- www/typo3_62/Makefile                                        1.21
- www/typo3_62/PLIST                                            1.17
- www/typo3_62/distinfo                                        1.19

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jan 13 15:06:40 UTC 2017

  Modified Files:
  pkgsrc/www/typo3_62: Makefile PLIST distinfo

  Log Message:
  Update typo3_62 to 6.2.30 (TYPO3 6.2.30) including security fixes.

  2017-01-03  ec284cf                  [RELEASE] Release of TYPO3 6.2.30 (TYPO3 Release Team)
  2017-01-03  0f79d43  #79114          [SECURITY] Protect Mailtransport (Wouter Wolters)
  2016-12-31  7a99325  #70106          [BUGFIX] Do not use realpath for temporary file names (Stefan Froemken)
  2016-12-30  5bb34d0  #76478          [TASK] Clean up DebuggerUtility (Nicole Cordes)
  2016-12-24  98dd27a  #70962          [BUGFIX] FAL relations duplicated when saving in workspaces (Andreas Wolf)
  2016-12-16  5124e88  #78915,#78977  [BUGFIX] Optimize cache handling in ReflectionService (Helmut Hummel)
  2016-12-15  18b19ea  #78977          Revert "[BUGFIX] Reflection Cache does not save methodReflections" (Nicole Cordes)
  2016-12-13  8095288  #78925          [BUGFIX] Fix exception in QuickEdit mode for empty pages (Manuel Selbach)
  2016-12-12  8ef727a  #78915          [BUGFIX] Reflection Cache does not save methodReflections (Tymoteusz Motylewski)
  2016-12-08  01a927d  #73241          [BUGFIX] Do not fetch pages with pid < 0 in prepareCacheFlush (Steffen G旦de)
  2016-12-08  bab723b  #72654,#62660  [BUGFIX] Improve DataHandler handling for dbType fields (Nicole Cordes)
  2016-12-07  1a32e92  #78551          [BUGFIX] Reset hidden field information in FormViewhelper (Nicole Cordes)
  2016-12-03  b927c7b  #77097          [BUGFIX] Reset FormViewHelper on execution (Helmut Hummel)

(bsiegert)

Pullup ticket #5194 - requested by joerg
security/botan-devel: build fix

Revisions pulled up:
- security/botan-devel/distinfo                                1.12
- security/botan-devel/patches/patch-src_build-data_os_solaris.txt 1.1
- security/botan-devel/patches/patch-src_lib_utils_locking__allocator_info.txt 1.1
- security/botan-devel/patches/patch-src_lib_utils_os__utils.cpp 1.4

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Mon Jan 16 01:50:15 UTC 2017

  Modified Files:
  pkgsrc/security/botan-devel: distinfo
  pkgsrc/security/botan-devel/patches: patch-src_lib_utils_os__utils.cpp
  Added Files:
  pkgsrc/security/botan-devel/patches:
      patch-src_build-data_os_solaris.txt
      patch-src_lib_utils_locking__allocator_info.txt

  Log Message:
  More fixes for build on SmartOS/Solaris.

(bsiegert)

Added www/py-flask-webpack version 0.1.0.

(kleink)

Add py-flask-webpack.

(kleink)

Import Flask-Webpack-0.1.0 as www/py-flask-webpack.

Flask-Webpack ties Webpack and Flask together. It exposes a few
global template tags so that you can work with assets in your jinja
templates and it works with any wsgi server.

(kleink)

Note update of security/opendnssec to 1.4.13.

(he)

Update OpenDNSSEC to version 1.4.13.

Pkgsrc changes:
* Remove patch now integrated.

Upstream changes:

OpenDNSSEC 1.4.13 - 2017-01-20

* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file.
* Wrong error was sometimes being print on failing TCP connect.
* Add support for OpenSSL 1.1.0.
* OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.

(he)

Fix build on SunOS.

(jperkin)

Updated www/firefox45 to 45.6.0nb2
Updated www/firefox to 50.1.0nb2

(ryoon)

Fix an insecure connection error in HTTP2 case with devel/nss-3.28 or later
Bump PKGREVISION

(ryoon)

Updated devel/nss to 3.28.1

(ryoon)

Update to 3.28.1

* Bump nspr requirement

Changelog:
3.28.1:
The NSS team has released Network Security Services (NSS) 3.28.1,
which is a patch release.

Below is a summary of the changes.
Please refer to the full release notes for additional details,
including the SHA256 fingerprints of the changed CA certificates.

No new functionality is introduced in this release. This is a patch release to
update the list of root CA certificates and address a minor TLS compatibility
issue that some applications experienced with NSS 3.28.

Notable Changes:
* The following CA certificates were Removed
- CN = Buypass Class 2 CA 1
- CN = Root CA Generalitat Valenciana
- OU = RSA Security 2048 V3
* The following CA certificates were Added
- OU = AC RAIZ FNMT-RCM
- CN = Amazon Root CA 1
- CN = Amazon Root CA 2
- CN = Amazon Root CA 3
- CN = Amazon Root CA 4
- CN = LuxTrust Global Root 2
- CN = Symantec Class 1 Public Primary Certification Authority - G4
- CN = Symantec Class 1 Public Primary Certification Authority - G6
- CN = Symantec Class 2 Public Primary Certification Authority - G4
- CN = Symantec Class 2 Public Primary Certification Authority - G6
* The version number of the updated root CA list has been set to 2.11
* A misleading assertion/alert has been removed when NSS tries to flush data
  to the peer but the connection was already reset.

3.28:
The NSS team has released Network Security Services (NSS) 3.28,
which is a minor release.

Below is a summary of the changes.

Please refer to the full release notes for additional details:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes

Request to test and prepare for TLS 1.3 (draft):
================================================
To prepare for a change of default build options, which is
planned for
the future NSS 3.29 release, we'd like to encourage all users of NSS
3.28
to override the standard NSS build configuration to enable support for
(draft
) TLS 1.3 by defining NSS_ENABLE_TLS_1_3=1 at build time.
We'd like to ask you to
please give feedback to the NSS developers for any
compatibility issues that you
might encounter in your tests.

For providing feedback, you may send a message to this mailing list, see:
  https://lists.mozilla.org/listinfo/dev-tech-crypto
or please report a bug here:
  https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS

New functionality:
==================
* NSS includes support for TLS 1.3 draft -18. This includes a number 
  of
improvements to TLS 1.3:
  - The signed certificate timestamp, used in
certificate transparency, 
    is supported in TLS 1.3.
  - Key exporters for TLS
1.3 are supported. This includes the early key
    exporter, which can be used if
0-RTT is enabled. Note that there is a
    difference between TLS 1.3 and key
exporters in older versions of TLS.
    TLS 1.3 does not distinguish between an
empty context and no context.
  - The TLS 1.3 (draft) protocol can be enabled, by
defining
    NSS_ENABLE_TLS_1_3=1 when building NSS.
* NSS includes support for
the X25519 key exchange algorithm, which is
  supported and enabled by default in
all versions of TLS.

New Functions:
==============
* SSL_ExportEarlyKeyingMaterial
* SSL_SendAdditionalKeyShares
* SSL_SignatureSchemePrefSet
* SSL_SignatureSchemePrefGet

Notable Changes:
================
* NSS can no longer be compiled with support for additional elliptic curves.
  This was previously possible by replacing certain NSS source files.
* NSS will now detect the presence of tokens that support additional
  elliptic curves and enable those curves for use in TLS.
  Note that this detection has a one-off performance cost, which can be
  avoided by using the SSL_NamedGroupConfig function to limit supported
  groups to those that NSS provides.
* PKCS#11 bypass for TLS is no longer supported and has been removed.
* Support for "export" grade SSL/TLS cipher suites has been removed.
* NSS now uses the signature schemes definition in TLS 1.3.
  This also affects TLS 1.2. NSS will now only generate signatures with the
  combinations of hash and signature scheme that are defined in TLS 1.3,
  even when negotiating TLS 1.2.
  - This means that SHA-256 will only be used with P-256 ECDSA certificates,
    SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
    SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
    compatibility reasons.
  - New functions to configure signature schemes are provided:
    SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
    The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
    now deprecated.
  - NSS will now no longer assume that default signature schemes are 
    supported by a peer if there was no commonly supported signature scheme.
* NSS will now check if RSA-PSS signing is supported by the token that holds
  the private key prior to using it for TLS.
* The certificate validation code contains checks to no longer trust
  certificates that are issued by old WoSign and StartCom CAs after 
  October 21, 2016. This is equivalent to the behavior that Mozilla will
  release with Firefox 51.

(ryoon)

Updated archivers/p5-Archive-Extract to 0.80

(mef)

Updated archivers/p5-Archive-Extract to 0.80
--------------------------------------------
0.80    Wed Jan 18 23:14:32 GMT 2017
* Change Linux unzip heuristic to match FreeBSD's [rt#119905]

(mef)

Enable oce

(fhajny)

Added cad/oce version 0.18

(fhajny)

Import OCE 0.18 as cad/oce, based on wip/oce.

Opencascade Community Edition project gathers patches/changes/improvements
from the OCC community over the latest release.

Open CASCADE Technology is a software development platform freely available
in open source. It includes C++ components for 3D surface and solid modeling,
visualization, data exchange and rapid application development.

(fhajny)

Updated devel/py-argcomplete to 1.8.0

(fhajny)

Update devel/py-argcomplete to 1.8.0.

- Simplify nospace handling in global completion (#195)
- Specially handle all characters in COMP_WORDBREAKS (#187)
- Use setuptools tests-require directive, fixes #186
- Complete files using the specified interpreter (#192)
- Fix completion for scripts run via python (#191)
- Clarify argument to register-python-argcomplete (#190)
- Fix handling of commas and other special chars (#172); handle more
  special characters (#189)
- Fix handling of special characters in tcsh (#188)
- Update my_shlex to Python 3.6 version (#184)
- Fix additional trailing space in exact matches (#183)
- Adjust tests to handle development environments (#180)
- Fix tcsh tests on OSX (#177); Update bash on OSX (#176); Check output
  of test setup command (#179)
- Optionally disable duplicated flags (#143)
- Add default_completer option to CompletionFinder.call (#167)
- Let bash add or suppress trailing space (#159)

(fhajny)

Note update of lang/php56 package to 5.6.30.

(taca)

Update php56 to 5.6.30.

PHP                                                                        NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017, PHP 5.6.30

- EXIF:
  . Fixed bug #73737 (FPE when parsing a tag format). (Stas)

- GD:
  . Fixed bug #73549 (Use after free when stream is passed to imagepng). (cmb)
  . Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)
  . Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)

- Intl:
  . Fixed bug #68447 (grapheme_extract take an extra trailing character).
    (SATŌ Kentarō)

- Phar:
  . Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)
  . Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
  . Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)

- SQLite3:
  . Reverted fix for bug #73530 (Unsetting result set may reset other result
    set). (cmb)

- Standard:
  . Fixed bug #70213 (Unserialize context shared on double class lookup).
    (Taoguang Chen)
  . Fixed bug #73825 (Heap out of bounds read on unserialize in
    finish_nested_data()). (Stas)

(taca)

Added www/SOGo3 version 3.2.5

(wiedi)

Import SOGo-3.2.5 as www/SOGo3

Since upstream still maintaines the 2-series it is kept in www/SOGo.
Version 3, introduced in early 2016, has a modern, fully responsive Web
frontend. Both versions share a common implementation of the communication
protocols supported in SOGo and SOPE: LDAP, IMAP, SQL, CardDAV, CalDAV, and
Microsoft Enterprise ActiveSync.

DESCR:
SOGo is fully supported and trusted groupware server with a focus
on scalability and open standards. SOGo is released under the GNU
GPL/LGPL v2 and above.

SOGo provides a rich AJAX-based Web interface and supports multiple
native clients through the use of standard protocols such as CalDAV,
CardDAV and GroupDAV.

SOGo is the missing component of your infrastructure; it sits in
the middle of your servers to offer your users an uniform and
complete interface to access their information. It has been deployed
in production environments where thousands of users are involved.

(wiedi)

Updated lang/py35-html-docs to 3.5.3

(leot)

Update lang/py35-html-docs to py35-html-docs-3.5.3

pkgsrc changes:
- Switch MASTER_SITES to https://www.python.org/ftp/python/doc/${VERS}/
  Unlike previous MASTER_SITES the documentation there is not regenerated
  periodically (so it will avoid possible changes in the distfiles).

Changes (from the `Documentation' section of the Python 3.5.3 Changelog):
- Issue #28513: Documented command-line interface of zipfile.

(leot)

Pullup ticket #5192 - requested by schmonz
www/ikiwiki: security fix

Revisions pulled up:
- www/ikiwiki/Makefile                                          1.145-1.148
- www/ikiwiki/distinfo                                          1.117-1.120

---
  Module Name: pkgsrc
  Committed By: schmonz
  Date: Fri Dec 30 03:21:11 UTC 2016

  Modified Files:
  pkgsrc/www/ikiwiki: Makefile distinfo

  Log Message:
  Update to 3.20161229. From the changelog:

  * Security: force CGI::FormBuilder->field to scalar context where
    necessary, avoiding unintended function argument injection
    analogous to CVE-2014-1572. In ikiwiki this could be used to
    forge commit metadata, but thankfully nothing more serious.
    (CVE-2016-9646)
  * Security: try revert operations in a temporary working tree before
    approving them. Previously, automatic rename detection could result in
    a revert writing outside the wiki srcdir or altering a file that the
    reverting user should not be able to alter, an authorization bypass.
    (CVE-2016-10026 represents the original vulnerability.)
    The incomplete fix released in 3.20161219 was not effective for git
    versions prior to 2.8.0rc0.
    (CVE-2016-9645 represents that incomplete solution.)
  * Add CVE references for CVE-2016-10026
  * Add automated test for using the CGI with git, including
    CVE-2016-10026
    - Build-depend on libipc-run-perl for better build-time test coverage
  * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
  * git: don't issue a warning if the rcsinfo CGI parameter is undefined
  * git: do not fail to commit changes with a recent git version
    and an anonymous committer

---
  Module Name: pkgsrc
  Committed By: schmonz
  Date: Fri Dec 30 13:59:42 UTC 2016

  Modified Files:
  pkgsrc/www/ikiwiki: Makefile distinfo

  Log Message:
  Update to 3.20161229.1. From the changelog:

  * git: Attribute reverts to the user doing the revert, not the wiki
    itself.
  * git: Do not disable the commit hook while preparing a revert.

---
  Module Name: pkgsrc
  Committed By: schmonz
  Date: Wed Jan 11 02:15:54 UTC 2017

  Modified Files:
  pkgsrc/www/ikiwiki: Makefile distinfo

  Log Message:
  Update to 3.20170110. From the changelog:

  [ Amitai Schleier ]
  * wrappers: Correctly escape quotes in git_wrapper_background_command

  [ Simon McVittie ]
  * git: use an explicit function parameter for the directory to work
    in. Previously, we used global state that was not restored correctly
    on catching exceptions, causing an unintended log message
    "cannot chdir to .../ikiwiki-temp-working: No such file or directory"
    with versions >= 3.20161229 when an attempt to revert a change fails
    or is disallowed
  * git: don't run "git rev-list ... -- -- ..." which would select the
    wrong commits if a file named literally "--" is present in the
    repository
  * check_canchange: log "bad file name whatever", not literal string
    "bad file name %s"
  * t/git-cgi.t: fix a race condition that made the test fail
    intermittently
  * t/git-cgi.t: be more careful to provide a syntactically valid
    author/committer name and email, hopefully fixing this test on
    ci.debian.net
  * templates, comments, passwordauth: use rel=nofollow microformat
    for dynamic URLs
  * templates: use rel=nofollow microformat for comment authors
  * news: use Debian security tracker instead of MITRE for security
    references. Thanks, anarcat
  * Set package format to 3.0 (native)
  * d/copyright: re-order to put more specific stanzas later, to get the
    intended interpretation
  * d/source/lintian-overrides: override obsolete-url-in-packaging for
    OpenID Selector, which does not seem to have any more current URL
    (and in any case our version is a fork)
  * docwiki.setup: exclude TourBusStop from offline documentation.
    It does not make much sense there.
  * d/ikiwiki.lintian-overrides: override script-not-executable warnings
  * d/ikiwiki.lintian-overrides: silence false positive spelling warning
    for Moin Moin
  * d/ikiwiki.doc-base: register the documentation with doc-base
  * d/control: set libmagickcore-6.q16-3-extra as preferred
    build-dependency, with virtual package libmagickcore-extra as an
    alternative, to help autopkgtest to do the right thing

---
  Module Name: pkgsrc
  Committed By: schmonz
  Date: Thu Jan 12 00:44:15 UTC 2017

  Modified Files:
  pkgsrc/www/ikiwiki: Makefile distinfo

  Log Message:
  Update to 3.20170111. From the changelog:

  * passwordauth: prevent authentication bypass via multiple name
    parameters (CVE-2017-0356, OVE-20170111-0001)
  * passwordauth: avoid userinfo forgery via repeated email parameter
    (also in the scope of CVE-2017-0356)
  * CGI, attachment, passwordauth: harden against repeated parameters
    (not believed to have been a vulnerability)
  * remove: make it clearer that repeated page parameter is OK here
  * t/passwordauth.t: new automated test for passwordauth

(bsiegert)

Pullup ticket #5185 (second part) - requested by wiz
security/gnutls: build fix

Revisions pulled up:
- security/gnutls/buildlink3.mk                                1.32

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Wed Jan 11 17:06:52 UTC 2017

  Modified Files:
  pkgsrc/security/gnutls: buildlink3.mk

  Log Message:
  Add libunistring to bl3.mk, it's linked into libgnutls{,xx}.so.

  PR 51830

(bsiegert)

Pullup ticket #5185 - requested by wiz
security/gnutls: security fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.168-1.169
- security/gnutls/PLIST                                        1.54
- security/gnutls/distinfo                                      1.122
- security/gnutls/patches/patch-tests_mini-server-name.c        deleted

---
  Module Name: pkgsrc
  Committed By: maya
  Date: Sat Jan  7 18:49:16 UTC 2017

  Modified Files:
  pkgsrc/security/gnutls: Makefile

  Log Message:
  gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the
  configure test because the type in stddef.h is guarded by a c11 macro
  (most likely).

  Force the configure test to pass.

  From David Shao in PR pkg/51793 (originally from FreeBSD ports).

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Tue Jan 10 16:23:50 UTC 2017

  Modified Files:
  pkgsrc/security/gnutls: Makefile PLIST distinfo
  Removed Files:
  pkgsrc/security/gnutls/patches: patch-tests_mini-server-name.c

  Log Message:
  Updated gnutls to 3.5.8.

  * Version 3.5.8 (released 2016-01-09)

  ** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
    functions will not leave the verification profiles field to an
    undefined state. The last call will take precedence.

  ** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
    by PKCS#8 decryption functions when an invalid key is provided. This
    addresses regression on decrypting certain PKCS#8 keys.

  ** libgnutls: Introduced option to override the default priority string
    used by the library. The intention is to allow support of system-wide
    priority strings (as set with --with-system-priority-file). The
    configure option is --with-default-priority-string.

  ** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
    This prevents crashes when decrypting malformed PKCS#8 keys.

  ** libgnutls: Fix crash on the loading of malformed private keys with certain
    parameters set to zero.

  ** libgnutls: Fix double free in certificate information printing. If the PKIX
    extension proxy was set with a policy language set but no policy specified,
    that could lead to a double free.

  ** libgnutls: Addressed memory leaks in client and server side error paths
    (issues found using oss-fuzz project)

  ** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
    (issues found using oss-fuzz project)

  ** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
    parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

  ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
    (issues found using oss-fuzz project)

  ** API and ABI modifications:
  No changes since last version.

  * Version 3.5.7 (released 2016-12-8)

  ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
    and SECURE256 priority strings.

  ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
    operate with OIDs which have elements that exceed 2^32.

  ** libgnutls: The DN decoding functions output the traditional DN format
    rather than the strict RFC4514 compliant textual DN. This reverts the
    3.5.6 introduced change, and allows applications which depended on the
    previous format to continue to function. Introduced new functions which
    output the strict format by default, and can revert to the old one using
    a flag.

  ** libgnutls: Improved TPM key handling. Check authorization requirements
    prior to using a key and fix issue on loop for PIN input. Patches by
    James Bottomley.

  ** libgnutls: In all functions accepting UTF-8 passwords, ensure that
    passwords are normalized according to RFC7613. When invalid UTF-8
    passwords are detected, they are only tolerated for decryption.
    This introduces a libunistring dependency on GnuTLS. A version of
    libunistring is included in the library for the platforms that do
    not ship it; it can be used with the '--with-included-unistring'
    option to configure script.

  ** libgnutls: When setting a subject alternative name in a certificate
    which is in UTF-8 format, it will transparently be converted to IDNA form
    prior to storing.

  ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
    will print the SHA256 key-ID instead of a certificate fingerprint.

  ** libgnutls: enhance the PKCS#7 verification capabilities. In the case
    signers that are not discoverable using the trust list or input, use
    the stored list as pool to generate a trusted chain to the signer.

  ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
    under DTLS.

  ** libgnutls: [added missing news entry since 3.5.0]
    No longer tolerate certificate key usage violations for
    TLS signature verification, and decryption. That is GnuTLS will fail
    to connect to servers which incorrectly use a restricted to signing certificate
    for decryption, or vice-versa. This reverts the lax behavior introduced
    in 3.1.0, due to several such broken servers being available. The %COMPAT
    priority keyword can be used to work-around connecting on these servers.

  ** certtool: When exporting a CRQ in DER format ensure no text data are
    intermixed. Patch by Dmitry Eremin-Solenikov.

  ** certtool: Include the SHA-256 variant of key ID in --certificate-info
    options.

  ** p11tool: Introduced the --initialize-pin and --initialize-so-pin
    options.

  ** API and ABI modifications:
  gnutls_utf8_password_normalize: Added
  gnutls_ocsp_resp_get_responder2: Added
  gnutls_x509_crt_get_issuer_dn3: Added
  gnutls_x509_crt_get_dn3: Added
  gnutls_x509_rdn_get2: Added
  gnutls_x509_dn_get_str2: Added
  gnutls_x509_crl_get_issuer_dn3: Added
  gnutls_x509_crq_get_dn3: Added

  * Version 3.5.6 (released 2016-11-04)

  ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
    (pre-rfc5652) structures with arbitrary encapsulated content.

  ** libgnutls: Introduced a function group to set known DH parameters
    using groups from RFC7919.

  ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
    Now the generated textual DN is in reverse order according to RFC4514,
    and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
    set the expected DN (reverse of the provided string).

  ** libgnutls: Introduced time and constraints checks in the end certificate
    in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
    functions.

  ** libgnutls: Set limits on the maximum number of alerts handled. That is,
    applications using gnutls could be tricked into an busy loop if the
    peer sends continuously alert messages. Applications which set a maximum
    handshake time (via gnutls_handshake_set_timeout) will eventually recover
    but others may remain in a busy loops indefinitely. This is related but
    not identical to CVE-2016-8610, due to the difference in alert handling
    of the libraries (gnutls delegates that handling to applications).

  ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
    functions return an index (introduced in 3.5.5), to avoid affecting programs
    which explicitly check success of the function as equality to zero. In order
    for these functions to return an index an explicit call to gnutls_certificate_set_flags
    with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

  ** libgnutls: Reverted the behavior of sending a status request extension even
    without a response (introduced in 3.5.5). That is, we no longer reply to a
    client's hello with a status request, with a status request extension. Although
    that behavior is legal, it creates incompatibility issues with releases in
    the gnutls 3.3.x branch.

  ** libgnutls: Delayed the initialization of the random generator at
    the first call of gnutls_rnd(). This allows applications to load
    on systems which getrandom() would block, without blocking until
    real random data are needed.

  ** certtool: --get-dh-params will output parameters from the RFC7919
    groups.

  ** p11tool: improvements in --initialize option.

  ** API and ABI modifications:
  GNUTLS_CERTIFICATE_API_V2: Added
  GNUTLS_NO_TICKETS: Added
  gnutls_pkcs7_get_embedded_data_oid: Added
  gnutls_anon_set_server_known_dh_params: Added
  gnutls_certificate_set_known_dh_params: Added
  gnutls_psk_set_server_known_dh_params: Added
  gnutls_x509_crt_check_key_purpose: Added

  * Version 3.5.5 (released 2016-10-09)

  ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
    to allow importing multiple OCSP request files, one for each chain
    provided.

  ** libgnutls: The gnutls_certificate_set_key* functions return an
    index of the added chain. That index can be used either with
    gnutls_certificate_set_ocsp_status_request_file(), or with
    gnutls_certificate_get_crt_raw() and friends.

  ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
    for the aarch64 architecture. Uses Andy Polyakov's assembly code.

  ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
    failures due to key mismatch. This prevents leaks or double freeing
    on such failures.

  ** libgnutls: Increased the maximum size of the handshake message hash.
    This will allow the library to cope better with larger packets, as
    the ones offered by current TLS 1.3 drafts.

  ** libgnutls: Allow to use client certificates despite them containing
    disallowed algorithms for a session. That allows for example a client
    to use DSA-SHA1 due to his old DSA certificate, without requiring him
    to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).

  ** libgnutls: Reverted AESNI code on x86 to earlier version as the
    latest version was creating position depending code. Added checks
    in the CI to detect position depending code early.

  ** guile: Update code to the I/O port API of Guile >= 2.1.4
    This makes sure the GnuTLS bindings will work with the forthcoming 2.2
    stable series of Guile, of which 2.1 is a preview.

  ** API and ABI modifications:
  gnutls_certificate_set_ocsp_status_request_function2: Added
  gnutls_session_ext_register: Added
  gnutls_session_supplemental_register: Added
  GNUTLS_E_PK_INVALID_PUBKEY: Added
  GNUTLS_E_PK_INVALID_PRIVKEY: Added

(bsiegert)

Pullup ticket #5193 - requested by wiz
security/libtasn1: bugfix, build fix

Revisions pulled up:
- security/libtasn1/Makefile                                    1.67-1.68
- security/libtasn1/distinfo                                    1.47

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Tue Jan 10 15:26:32 UTC 2017

  Modified Files:
  pkgsrc/security/libtasn1: Makefile distinfo

  Log Message:
  Updated libtasn1 to 4.9.

  * Noteworthy changes in release 4.9 (released 2016-07-25) [stable]
  - Fixes to OID encoding of OIDs which have elements which exceed 2^32

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Wed Jan 11 16:25:06 UTC 2017

  Modified Files:
  pkgsrc/security/libtasn1: Makefile

  Log Message:
  Remove -Werror from compilation flags.

  PR 51821
  PR 51829

(bsiegert)

Convert all occurrences (353 by my count) of

MASTER_SITES= site1 \
site2

style continuation lines to be simple repeated

MASTER_SITES+= site1
MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.

(agc)

Note update of sysutils/collectd to 5.6.2nb1.

(he)

Reinstate the "processes" plugin for NetBSD by initializing the
two per-process context switch counters to -1, indicating no support.
Our kinfo_lwp structure doesn't contain the context switch counters,
which in the kernel is part of the lwp structure.

Also make this build on netbsd-6 and on ports which don't yet have
nearbyint() by simply defining it as rint() on NetBSD.

Bump PKGREVISION.

(he)

Note update of www/contao35 package to 3.5.24.

(taca)

Update contao35 to 3.5.24.

Version 3.5.24 (2017-01-19)
---------------------------

### Fixed
Correctly handle SVGZ files in the file manager (also fixes #8624).

### Fixed
Revert the download element changes (see #8620).

(taca)

Note update of www/contao43 package to 4.3.3.

(taca)

Update contao43 to 4.3.3.

* Correctly handle nested public folders when symlinking a folder.
* Correctly handle SVGZ files in the file manager (see contao/core#8624).
* Prevent an endless redirect loop if the page alias is "/" (see contao/core#8560).
* Correctly parse German dates with two digit years in MooTools (see contao/core#8593).
* Correctly add new resources to the user/group permissions (see contao/core#8583).
* Trigger the auto-submit function in the date picker (see contao/core#8603).
* Call the load callback when loading page/file picker nodes (see contao/core#7702).

(taca)

Note update of lang/php70 package to 7.0.15.

(taca)

Update php70 to 7.0.15.

PHP                                                                        NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017 PHP 7.0.15

- Core:
  . Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
  . Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
    with list()). (Laruence)
  . Fixed bug #73585 (Logging of "Internal Zend error - Missing class
    information" missing class name). (Laruence)
  . Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
  . Fixed bug #73825 (Heap out of bounds read on unserialize in
    finish_nested_data()). (Stas)
  . Fixed bug #73831 (NULL Pointer Dereference while unserialize php object).
    (Stas)
  . Fixed bug #73832 (Use of uninitialized memory in unserialize()). (Stas)
  . Fixed bug #73092 (Unserialize use-after-free when resizing object's
    properties hash table). (Nikita)
  . Fixed bug #69425 (Use After Free in unserialize()). (Nikita)
  . Fixed bug #72731 (Type Confusion in Object Deserialization). (Nikita)

- COM:
  . Fixed bug #73679 (DOTNET read access violation using invalid codepage).
    (Anatol)

- DOM:
  . Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)

- EXIF:
  . Bug bug #73737 (FPE when parsing a tag format). (Stas)

- GD:
  . Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
  . Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)

- GMP:
  . Fixed bug #70513 (GMP Deserialization Type Confusion Vulnerability).
    (Nikita)

- Mysqli:
  . Fixed bug #73462 (Persistent connections don't set $connect_errno).
    (darkain)

- Mysqlnd:
  . Fixed issue with decoding BIT columns when having more than one rows in the
    result set. 7.0+ problem. (Andrey)
  . Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
(vanviegen)

- PCRE:
  . Fixed bug #73612 (preg_*() may leak memory). (cmb)

- PDO_Firebird:
  . Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning
    statement). (Dorin Marcoci)

- Phar:
  . Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
  . Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
  . Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)

- Phpdbg:
  . Fixed bug #73615 (phpdbg without option never load .phpdbginit at startup).
    (Bob)
  . Fixed issue getting executable lines from custom wrappers. (Bob)
  . Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)

- Reflection:
  . Fixed bug #46103 (ReflectionObject memory leak). (Nikita)

- Streams:
  . Fixed bug #73586 (php_user_filter::$stream is not set to the stream the
    filter is working on). (Dmitry)

- SQLite3:
  . Reverted fix for bug #73530 (Unsetting result set may reset other result
    set). (cmb)

- Standard:
  . Fixed bug #73594 (dns_get_record does not populate $additional out
    parameter). (Bruce Weirdan)
  . Fixed bug #70213 (Unserialize context shared on double class lookup).
    (Taoguang Chen)
  . Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
  . Fixed bug #70490 (get_browser function is very slow). (Nikita)
  . Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
    (Nikita)
  . Fixed bug #31875 (get_defined_functions additional param to exclude
disabled functions). (willianveiga)

- Zlib:
  . Fixed bug #73373 (deflate_add does not verify that output was not truncated).
    (Matt Bonneau)

(taca)

Note update of lang/php71 package to 7.1.1.

(taca)

Update php71 to 7.1.1.

PHP                                                                        NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017, PHP 7.1.1

- Core:
  . Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
  . Fixed bug #73686 (Adding settype()ed values to ArrayObject results in
    references). (Nikita, Laruence)
  . Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
    with list()). (Laruence)
  . Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in
    zend_bitset.h). (Nikita)
  . Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
  . Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
    (David Walker)
  . Fixed bug #73825 (Heap out of bounds read on unserialize in
    finish_nested_data()). (Stas)
  . Fixed bug #73831 (NULL Pointer Dereference while unserialize php object).
    (Stas)
  . Fixed bug #73832 (Use of uninitialized memory in unserialize()). (Stas)

- CLI:
  . Fixed bug #72555 (CLI output(japanese) on Windows). (Anatol)

- COM:
  . Fixed bug #73679 (DOTNET read access violation using invalid codepage).
    (Anatol)

- DOM:
  . Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)

- EXIF:
  . Bug bug #73737 (FPE when parsing a tag format). (Stas)

- GD:
  . Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
  . Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)

- Mbstring:
  . Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
    (Laruence)

- Mysqli:
  . Fixed bug #73462 (Persistent connections don't set $connect_errno).
    (darkain)

- Mysqlnd:
  . Optimized handling of BIT fields - less memory copies and lower memory
    usage. (Andrey)
  . Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
(vanviegen)

- Opcache:
  . Fixed bug #73789 (Strange behavior of class constants in switch/case block).
    (Laruence)
  . Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
    (Laruence)
  . Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
  . Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by
    minus 1). (Nikita)
  . Fixed bug #73847 (Recursion when a variable is redefined as array). (Nikita)

- PDO_Firebird:
  . Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning
    statement). (Dorin Marcoci)

- Phar:
  . Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
  . Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
  . Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)

- phpdbg:
  . Fixed bug #73794 (Crash (out of memory) when using run and # command
    separator). (Bob)
  . Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)

- SQLite3:
  . Reverted fix for bug #73530 (Unsetting result set may reset other result
    set). (cmb)

- Standard:
  . Fixed bug #73594 (dns_get_record does not populate $additional out
    parameter). (Bruce Weirdan)
  . Fixed bug #70213 (Unserialize context shared on double class lookup).
    (Taoguang Chen)
  . Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
  . Fixed bug #70490 (get_browser function is very slow). (Nikita)
  . Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
    (Nikita)
  . Add subject to mail log. (tomsommer)
  . Fixed bug #31875 (get_defined_functions additional param to exclude
disabled functions). (willianveiga)

- Zlib
  . Fixed bug #73373 (deflate_add does not verify that output was not truncated).
    (Matt Bonneau)

(taca)

Updated converters/p5-JSON-MaybeXS to 1.003008

(wen)

Update to 1.003008
Update DEPENDS

Upstream changes:
1.003008 - 2016-10-03
- added an INSTALLATION section to documentation, to clarify the use of
  dynamic prerequisites in Makefile.PL
- minimize prereqs listed in META.json to avoid giving the appearance of XS
  prerequisites, and confusing static inspection tools such as metacpan.org.

1.003007 - 2016-09-11
- no changes since 1.003006_001

1.003006_001 - 2016-06-28
- bump prereq on JSON::PP, to ensure we get the fix for parsing utf8-encoded
  values (in JSON::PP 2.27300)
- we now always upgrade JSON::XS if it is installed and below version 3.0,
  due to changes in handling booleans
- remove test dependency on Test::Without::Module (RT#115394)

(wen)

Updated lang/python35 to 3.5.3

(wen)

Update to 3.5.3

Upstream changes:
What's New in Python 3.5.3?
===========================

Release date: 2017-01-16

There were no code changes between 3.5.3rc1 and 3.5.3 final.

What's New in Python 3.5.3 release candidate 1?
===============================================

Release date: 2017-01-02

Core and Builtins
-----------------

- Issue #29073: bytearray formatting no longer truncates on first null byte.

- Issue #28932: Do not include <sys/random.h> if it does not exist.

- Issue #28147: Fix a memory leak in split-table dictionaries: setattr()
  must not convert combined table into split table.

- Issue #25677: Correct the positioning of the syntax error caret for
  indented blocks.  Based on patch by Michael Layzell.

- Issue #29000: Fixed bytes formatting of octals with zero padding in alternate
  form.

- Issue #28512: Fixed setting the offset attribute of SyntaxError by
  PyErr_SyntaxLocationEx() and PyErr_SyntaxLocationObject().

- Issue #28991:  functools.lru_cache() was susceptible to an obscure reentrancy
  bug caused by a monkey-patched len() function.

- Issue #28648: Fixed crash in Py_DecodeLocale() in debug build on Mac OS X
  when decode astral characters.  Patch by Xiang Zhang.

- Issue #19398: Extra slash no longer added to sys.path components in case of
  empty compile-time PYTHONPATH components.

- Issue #28426: Fixed potential crash in PyUnicode_AsDecodedObject() in debug
  build.

- Issue #23782: Fixed possible memory leak in _PyTraceback_Add() and exception
  loss in PyTraceBack_Here().

- Issue #28379: Added sanity checks and tests for PyUnicode_CopyCharacters().
  Patch by Xiang Zhang.

- Issue #28376: The type of long range iterator is now registered as Iterator.
  Patch by Oren Milman.

- Issue #28376: The constructor of range_iterator now checks that step is not 0.
  Patch by Oren Milman.

- Issue #26906: Resolving special methods of uninitialized type now causes
  implicit initialization of the type instead of a fail.

- Issue #18287: PyType_Ready() now checks that tp_name is not NULL.
  Original patch by Niklas Koep.

- Issue #24098: Fixed possible crash when AST is changed in process of
  compiling it.

- Issue #28350: String constants with null character no longer interned.

- Issue #26617: Fix crash when GC runs during weakref callbacks.

- Issue #27942: String constants now interned recursively in tuples and frozensets.

- Issue #21578: Fixed misleading error message when ImportError called with
  invalid keyword args.

- Issue #28203: Fix incorrect type in error message from
  ``complex(1.0, {2:3})``. Patch by Soumya Sharma.

- Issue #27955: Fallback on reading /dev/urandom device when the getrandom()
  syscall fails with EPERM, for example when blocked by SECCOMP.

- Issue #28131: Fix a regression in zipimport's compile_source().  zipimport
  should use the same optimization level as the interpreter.

- Issue #25221: Fix corrupted result from PyLong_FromLong(0) when
  Python is compiled with NSMALLPOSINTS = 0.

- Issue #25758: Prevents zipimport from unnecessarily encoding a filename
  (patch by Eryk Sun)

- Issue #28189: dictitems_contains no longer swallows compare errors.
  (Patch by Xiang Zhang)

- Issue #27812: Properly clear out a generator's frame's backreference to the
  generator to prevent crashes in frame.clear().

- Issue #27811: Fix a crash when a coroutine that has not been awaited is
  finalized with warnings-as-errors enabled.

- Issue #27587: Fix another issue found by PVS-Studio: Null pointer check
  after use of 'def' in _PyState_AddModule().
  Initial patch by Christian Heimes.

- Issue #26020: set literal evaluation order did not match documented behaviour.

- Issue #27782: Multi-phase extension module import now correctly allows the
  ``m_methods`` field to be used to add module level functions to instances
  of non-module types returned from ``Py_create_mod``. Patch by Xiang Zhang.

- Issue #27936: The round() function accepted a second None argument
  for some types but not for others.  Fixed the inconsistency by
  accepting None for all numeric types.

- Issue #27487: Warn if a submodule argument to "python -m" or
  runpy.run_module() is found in sys.modules after parent packages are
  imported, but before the submodule is executed.

- Issue #27558: Fix a SystemError in the implementation of "raise" statement.
  In a brand new thread, raise a RuntimeError since there is no active
  exception to reraise. Patch written by Xiang Zhang.

- Issue #27419: Standard __import__() no longer look up "__import__" in globals
  or builtins for importing submodules or "from import".  Fixed handling an
  error of non-string package name.

- Issue #27083: Respect the PYTHONCASEOK environment variable under Windows.

- Issue #27514: Make having too many statically nested blocks a SyntaxError
  instead of SystemError.

- Issue #27473: Fixed possible integer overflow in bytes and bytearray
  concatenations.  Patch by Xiang Zhang.

- Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
  Xiang Zhang.

- Issue #27581: Don't rely on wrapping for overflow check in
  PySequence_Tuple().  Patch by Xiang Zhang.

- Issue #27443: __length_hint__() of bytearray iterators no longer return a
  negative integer for a resized bytearray.

- Issue #27942: Fix memory leak in codeobject.c

Library
-------

- Issue #15812: inspect.getframeinfo() now correctly shows the first line of
  a context.  Patch by Sam Breese.

- Issue #29094: Offsets in a ZIP file created with extern file object and modes
  "w" and "x" now are relative to the start of the file.

- Issue #13051: Fixed recursion errors in large or resized
  curses.textpad.Textbox.  Based on patch by Tycho Andersen.

- Issue #29119: Fix weakrefs in the pure python version of
  collections.OrderedDict move_to_end() method.
  Contributed by Andra Bogildea.

- Issue #9770: curses.ascii predicates now work correctly with negative
  integers.

- Issue #28427: old keys should not remove new values from
  WeakValueDictionary when collecting from another thread.

- Issue 28923: Remove editor artifacts from Tix.py.

- Issue #28871: Fixed a crash when deallocate deep ElementTree.

- Issue #19542: Fix bugs in WeakValueDictionary.setdefault() and
  WeakValueDictionary.pop() when a GC collection happens in another
  thread.

- Issue #20191: Fixed a crash in resource.prlimit() when pass a sequence that
  doesn't own its elements as limits.

- Issue #28779: multiprocessing.set_forkserver_preload() would crash the
  forkserver process if a preloaded module instantiated some
  multiprocessing objects such as locks.

- Issue #28847: dbm.dumb now supports reading read-only files and no longer
  writes the index file when it is not changed.

- Issue #25659: In ctypes, prevent a crash calling the from_buffer() and
  from_buffer_copy() methods on abstract classes like Array.

- Issue #28732: Fix crash in os.spawnv() with no elements in args

- Issue #28485: Always raise ValueError for negative
  compileall.compile_dir(workers=...) parameter, even when multithreading is
  unavailable.

- Issue #28387: Fixed possible crash in _io.TextIOWrapper deallocator when
  the garbage collector is invoked in other thread.  Based on patch by
  Sebastian Cufre.

- Issue #27517: LZMA compressor and decompressor no longer raise exceptions if
  given empty data twice.  Patch by Benjamin Fogle.

- Issue #28549: Fixed segfault in curses's addch() with ncurses6.

- Issue #28449: tarfile.open() with mode "r" or "r:" now tries to open a tar
  file with compression before trying to open it without compression.  Otherwise
  it had 50% chance failed with ignore_zeros=True.

- Issue #23262: The webbrowser module now supports Firefox 36+ and derived
  browsers.  Based on patch by Oleg Broytman.

- Issue #27939: Fixed bugs in tkinter.ttk.LabeledScale and tkinter.Scale caused
  by representing the scale as float value internally in Tk.  tkinter.IntVar
  now works if float value is set to underlying Tk variable.

- Issue #28255: calendar.TextCalendar().prmonth() no longer prints a space
  at the start of new line after printing a month's calendar.  Patch by
  Xiang Zhang.

- Issue #20491: The textwrap.TextWrapper class now honors non-breaking spaces.
  Based on patch by Kaarle Ritvanen.

- Issue #28353: os.fwalk() no longer fails on broken links.

- Issue #25464: Fixed HList.header_exists() in tkinter.tix module by addin
  a workaround to Tix library bug.

- Issue #28488: shutil.make_archive() no longer add entry "./" to ZIP archive.

- Issue #24452: Make webbrowser support Chrome on Mac OS X.

- Issue #20766: Fix references leaked by pdb in the handling of SIGINT
  handlers.

- Issue #26293: Fixed writing ZIP files that starts not from the start of the
  file.  Offsets in ZIP file now are relative to the start of the archive in
  conforming to the specification.

- Issue #28321: Fixed writing non-BMP characters with binary format in plistlib.

- Issue #28322: Fixed possible crashes when unpickle itertools objects from
  incorrect pickle data.  Based on patch by John Leitch.

- Fix possible integer overflows and crashes in the mmap module with unusual
  usage patterns.

- Issue #1703178: Fix the ability to pass the --link-objects option to the
  distutils build_ext command.

- Issue #28253: Fixed calendar functions for extreme months: 0001-01
  and 9999-12.

  Methods itermonthdays() and itermonthdays2() are reimplemented so
  that they don't call itermonthdates() which can cause datetime.date
  under/overflow.

- Issue #28275: Fixed possible use after free in the decompress()
  methods of the LZMADecompressor and BZ2Decompressor classes.
  Original patch by John Leitch.

- Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
  if pass invalid string-like object as a name.  Patch by Xiang Zhang.

- Issue #18893: Fix invalid exception handling in Lib/ctypes/macholib/dyld.py.
  Patch by Madison May.

- Issue #27611: Fixed support of default root window in the tkinter.tix module.

- Issue #27348: In the traceback module, restore the formatting of exception
  messages like "Exception: None".  This fixes a regression introduced in
  3.5a2.

- Issue #25651: Allow falsy values to be used for msg parameter of subTest().

- Issue #27932: Prevent memory leak in win32_ver().

- Fix UnboundLocalError in socket._sendfile_use_sendfile.

- Issue #28075: Check for ERROR_ACCESS_DENIED in Windows implementation of
  os.stat().  Patch by Eryk Sun.

- Issue #25270: Prevent codecs.escape_encode() from raising SystemError when
  an empty bytestring is passed.

- Issue #28181: Get antigravity over HTTPS. Patch by Kaartic Sivaraam.

- Issue #25895: Enable WebSocket URL schemes in urllib.parse.urljoin.
  Patch by Gergely Imreh and Markus Holtermann.

- Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().

- Issue #19003:m email.generator now replaces only \r and/or \n line
  endings, per the RFC, instead of all unicode line endings.

- Issue #28019: itertools.count() no longer rounds non-integer step in range
  between 1.0 and 2.0 to 1.

- Issue #25969: Update the lib2to3 grammar to handle the unpacking
  generalizations added in 3.5.

- Issue #14977: mailcap now respects the order of the lines in the mailcap
  files ("first match"), as required by RFC 1542.  Patch by Michael Lazar.

- Issue #24594: Validates persist parameter when opening MSI database

- Issue #17582: xml.etree.ElementTree nows preserves whitespaces in attributes
  (Patch by Duane Griffin.  Reviewed and approved by Stefan Behnel.)

- Issue #28047: Fixed calculation of line length used for the base64 CTE
  in the new email policies.

- Issue #27445: Don't pass str(_charset) to MIMEText.set_payload().
  Patch by Claude Paroz.

- Issue #22450: urllib now includes an "Accept: */*" header among the
  default headers.  This makes the results of REST API requests more
  consistent and predictable especially when proxy servers are involved.

- lib2to3.pgen3.driver.load_grammar() now creates a stable cache file
  between runs given the same Grammar.txt input regardless of the hash
  randomization setting.

- Issue #27570: Avoid zero-length memcpy() etc calls with null source
  pointers in the "ctypes" and "array" modules.

- Issue #22233: Break email header lines *only* on the RFC specified CR and LF
  characters, not on arbitrary unicode line breaks.  This also fixes a bug in
  HTTP header parsing.

- Issue 27988: Fix email iter_attachments incorrect mutation of payload list.

- Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name
  fields in X.509 certs.

- Issue #27850: Remove 3DES from ssl module's default cipher list to counter
  measure sweet32 attack (CVE-2016-2183).

- Issue #27766: Add ChaCha20 Poly1305 to ssl module's default ciper list.
  (Required OpenSSL 1.1.0 or LibreSSL).

- Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.

- Remove support for passing a file descriptor to os.access. It never worked but
  previously didn't raise.

- Issue #12885: Fix error when distutils encounters symlink.

- Issue #27881: Fixed possible bugs when setting sqlite3.Connection.isolation_level.
  Based on patch by Xiang Zhang.

- Issue #27861: Fixed a crash in sqlite3.Connection.cursor() when a factory
  creates not a cursor.  Patch by Xiang Zhang.

- Issue #19884: Avoid spurious output on OS X with Gnu Readline.

- Issue #27706: Restore deterministic behavior of random.Random().seed()
  for string seeds using seeding version 1.  Allows sequences of calls
  to random() to exactly match those obtained in Python 2.
  Patch by Nofar Schnider.

- Issue #10513: Fix a regression in Connection.commit().  Statements should
  not be reset after a commit.

- A new version of typing.py from https://github.com/python/typing:
  - Collection (only for 3.6) (Issue #27598)
  - Add FrozenSet to __all__ (upstream #261)
  - fix crash in _get_type_vars() (upstream #259)
  - Remove the dict constraint in ForwardRef._eval_type (upstream #252)

- Issue #27539: Fix unnormalised ``Fraction.__pow__`` result in the case
  of negative exponent and negative base.

- Issue #21718: cursor.description is now available for queries using CTEs.

- Issue #2466: posixpath.ismount now correctly recognizes mount points which
  the user does not have permission to access.

- Issue #27773: Correct some memory management errors server_hostname in
  _ssl.wrap_socket().

- Issue #26750: unittest.mock.create_autospec() now works properly for
  subclasses of property() and other data descriptors.

- In the curses module, raise an error if window.getstr() or window.instr() is
  passed a negative value.

- Issue #27783: Fix possible usage of uninitialized memory in
  operator.methodcaller.

- Issue #27774: Fix possible Py_DECREF on unowned object in _sre.

- Issue #27760: Fix possible integer overflow in binascii.b2a_qp.

- Issue #27758: Fix possible integer overflow in the _csv module for large
  record lengths.

- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
  that the script is in CGI mode.

- Issue #27656: Do not assume sched.h defines any SCHED_* constants.

- Issue #27130: In the "zlib" module, fix handling of large buffers
  (typically 4 GiB) when compressing and decompressing.  Previously, inputs
  were limited to 4 GiB, and compression and decompression operations did not
  properly handle results of 4 GiB.

- Issue #27533: Release GIL in nt._isdir

- Issue #17711: Fixed unpickling by the persistent ID with protocol 0.
  Original patch by Alexandre Vassalotti.

- Issue #27522: Avoid an unintentional reference cycle in email.feedparser.

- Issue #26844: Fix error message for imp.find_module() to refer to 'path'
  instead of 'name'. Patch by Lev Maximov.

- Issue #23804: Fix SSL zero-length recv() calls to not block and not raise
  an error about unclean EOF.

- Issue #27466: Change time format returned by http.cookie.time2netscape,
  confirming the netscape cookie format and making it consistent with
  documentation.

- Issue #26664: Fix activate.fish by removing mis-use of ``$``.

- Issue #22115: Fixed tracing Tkinter variables: trace_vdelete() with wrong
  mode no longer break tracing, trace_vinfo() now always returns a list of
  pairs of strings, tracing in the "u" mode now works.

- Fix a scoping issue in importlib.util.LazyLoader which triggered an
  UnboundLocalError when lazy-loading a module that was already put into
  sys.modules.

- Issue #27079: Fixed curses.ascii functions isblank(), iscntrl() and ispunct().

- Issue #26754: Some functions (compile() etc) accepted a filename argument
  encoded as an iterable of integers. Now only strings and byte-like objects
  are accepted.

- Issue #27048: Prevents distutils failing on Windows when environment
  variables contain non-ASCII characters

- Issue #27330: Fixed possible leaks in the ctypes module.

- Issue #27238: Got rid of bare excepts in the turtle module.  Original patch
  by Jelle Zijlstra.

- Issue #27122: When an exception is raised within the context being managed
  by a contextlib.ExitStack() and one of the exit stack generators
  catches and raises it in a chain, do not re-raise the original exception
  when exiting, let the new chained one through.  This avoids the PEP 479
  bug described in issue25782.

- [Security] Issue #27278: Fix os.urandom() implementation using getrandom() on
  Linux.  Truncate size to INT_MAX and loop until we collected enough random
  bytes, instead of casting a directly Py_ssize_t to int.

- Issue #26386: Fixed ttk.TreeView selection operations with item id's
  containing spaces.

- [Security] Issue #22636: Avoid shell injection problems with
  ctypes.util.find_library().

- Issue #16182: Fix various functions in the "readline" module to use the
  locale encoding, and fix get_begidx() and get_endidx() to return code point
  indexes.

- Issue #27392: Add loop.connect_accepted_socket().
  Patch by Jim Fulton.

- Issue #27930: Improved behaviour of logging.handlers.QueueListener.
  Thanks to Paulo Andrade and Petr Viktorin for the analysis and patch.

- Issue #21201: Improves readability of multiprocessing error message.  Thanks
  to Wojciech Walczak for patch.

- Issue #27456: asyncio: Set TCP_NODELAY by default.

- Issue #27906: Fix socket accept exhaustion during high TCP traffic.
  Patch by Kevin Conway.

- Issue #28174: Handle when SO_REUSEPORT isn't properly supported.
  Patch by Seth Michael Larson.

- Issue #26654: Inspect functools.partial in asyncio.Handle.__repr__.
  Patch by iceboy.

- Issue #26909: Fix slow pipes IO in asyncio.
  Patch by INADA Naoki.

- Issue #28176: Fix callbacks race in asyncio.SelectorLoop.sock_connect.

- Issue #27759: Fix selectors incorrectly retain invalid file descriptors.
  Patch by Mark Williams.

- Issue #28368: Refuse monitoring processes if the child watcher has
  no loop attached.
  Patch by Vincent Michel.

- Issue #28369: Raise RuntimeError when transport's FD is used with
  add_reader, add_writer, etc.

- Issue #28370: Speedup asyncio.StreamReader.readexactly.
  Patch by ▒<9A>о▒<80>енбе▒<80>г ▒<9C>а▒<80>к.

- Issue #28371: Deprecate passing asyncio.Handles to run_in_executor.

- Issue #28372: Fix asyncio to support formatting of non-python coroutines.

- Issue #28399: Remove UNIX socket from FS before binding.
  Patch by ▒<9A>о▒<80>енбе▒<80>г ▒<9C>а▒<80>к.

- Issue #27972: Prohibit Tasks to await on themselves.

- Issue #26923: Fix asyncio.Gather to refuse being cancelled once all
  children are done.
  Patch by Johannes Ebke.

- Issue #26796: Don't configure the number of workers for default
  threadpool executor.
  Initial patch by Hans Lawrenz.

- Issue #28600: Optimize loop.call_soon().

- Issue #28613: Fix get_event_loop() return the current loop if
  called from coroutines/callbacks.

- Issue #28639: Fix inspect.isawaitable to always return bool
  Patch by Justin Mayfield.

- Issue #28652: Make loop methods reject socket kinds they do not support.

- Issue #28653: Fix a refleak in functools.lru_cache.

- Issue #28703: Fix asyncio.iscoroutinefunction to handle Mock objects.

- Issue #24142: Reading a corrupt config file left the parser in an
  invalid state.  Original patch by Florian Höch.

- Issue #28990: Fix SSL hanging if connection is closed before handshake
  completed.
  (Patch by HoHo-Ho)

IDLE
----

- Issue #15308: Add 'interrupt execution' (^C) to Shell menu.
  Patch by Roger Serwy, updated by Bayard Randel.

- Issue #27922: Stop IDLE tests from 'flashing' gui widgets on the screen.

- Add version to title of IDLE help window.

- Issue #25564: In section on IDLE -- console differences, mention that
  using exec means that __builtins__ is defined for each statement.

- Issue #27714: text_textview and test_autocomplete now pass when re-run
  in the same process.  This occurs when test_idle fails when run with the
  -w option but without -jn.  Fix warning from test_config.

- Issue #25507: IDLE no longer runs buggy code because of its tkinter imports.
  Users must include the same imports required to run directly in Python.

- Issue #27452: add line counter and crc to IDLE configHandler test dump.

- Issue #27365: Allow non-ascii chars in IDLE NEWS.txt, for contributor names.

- Issue #27245: IDLE: Cleanly delete custom themes and key bindings.
  Previously, when IDLE was started from a console or by import, a cascade
  of warnings was emitted.  Patch by Serhiy Storchaka.

C API
-----

- Issue #28808: PyUnicode_CompareWithASCIIString() now never raises exceptions.

- Issue #26754: PyUnicode_FSDecoder() accepted a filename argument encoded as
  an iterable of integers. Now only strings and bytes-like objects are accepted.

Documentation
-------------

- Issue #28513: Documented command-line interface of zipfile.

Tests
-----

- Issue #28950: Disallow -j0 to be combined with -T/-l/-M in regrtest
  command line arguments.

- Issue #28666: Now test.support.rmtree is able to remove unwritable or
  unreadable directories.

- Issue #23839: Various caches now are cleared before running every test file.

- Issue #28409: regrtest: fix the parser of command line arguments.

- Issue #27787: Call gc.collect() before checking each test for "dangling
  threads", since the dangling threads are weak references.

- Issue #27369: In test_pyexpat, avoid testing an error message detail that
  changed in Expat 2.2.0.

Tools/Demos
-----------

- Issue #27952: Get Tools/scripts/fixcid.py working with Python 3 and the
  current "re" module, avoid invalid Python backslash escapes, and fix a bug
  parsing escaped C quote signs.

- Issue #27332: Fixed the type of the first argument of module-level functions
  generated by Argument Clinic.  Patch by Petr Viktorin.

- Issue #27418: Fixed Tools/importbench/importbench.py.

Windows
-------

- Issue #28251: Improvements to help manuals on Windows.

- Issue #28110: launcher.msi has different product codes between 32-bit and
  64-bit

- Issue #25144: Ensures TargetDir is set before continuing with custom
  install.

- Issue #27469: Adds a shell extension to the launcher so that drag and drop
  works correctly.

- Issue #27309: Enabled proper Windows styles in python[w].exe manifest.

Build
-----

- Issue #29080: Removes hard dependency on hg.exe from PCBuild/build.bat

- Issue #23903: Added missed names to PC/python3.def.

- Issue #10656: Fix out-of-tree building on AIX.  Patch by Tristan Carel and
  Michael Haubenwallner.

- Issue #26359: Rename --with-optimiations to --enable-optimizations.

- Issue #28444: Fix missing extensions modules when cross compiling.

- Issue #28248: Update Windows build and OS X installers to use OpenSSL 1.0.2j.

- Issue #28258: Fixed build with Estonian locale (python-config and distclean
  targets in Makefile).  Patch by Arfrever Frehtes Taifersar Arahesis.

- Issue #26661: setup.py now detects system libffi with multiarch wrapper.

- Issue #28066: Fix the logic that searches build directories for generated
  include files when building outside the source tree.

- Issue #15819: Remove redundant include search directory option for building
  outside the source tree.

- Issue #27566: Fix clean target in freeze makefile (patch by Lisa Roach)

- Issue #27705: Update message in validate_ucrtbase.py

- Issue #27983: Cause lack of llvm-profdata tool when using clang as
  required for PGO linking to be a configure time error rather than
  make time when --with-optimizations is enabled.  Also improve our
  ability to find the llvm-profdata tool on MacOS and some Linuxes.

- Issue #26307: The profile-opt build now applies PGO to the built-in modules.

- Issue #26359: Add the --with-optimizations configure flag.

- Issue #27713: Suppress spurious build warnings when updating importlib's
  bootstrap files.  Patch by Xiang Zhang

- Issue #25825: Correct the references to Modules/python.exp and ld_so_aix,
  which are required on AIX.  This updates references to an installation path
  that was changed in 3.2a4, and undoes changed references to the build tree
  that were made in 3.5.0a1.

- Issue #27453: CPP invocation in configure must use CPPFLAGS. Patch by
  Chi Hsuan Yen.

- Issue #27641: The configure script now inserts comments into the makefile
  to prevent the pgen and _freeze_importlib executables from being cross-
  compiled.

- Issue #26662: Set PYTHON_FOR_GEN in configure as the Python program to be
  used for file generation during the build.

- Issue #10910: Avoid C++ compilation errors on FreeBSD and OS X.
  Also update FreedBSD version checks for the original ctype UTF-8 workaround.

- Issue #28676: Prevent missing 'getentropy' declaration warning on macOS.
  Patch by Gareth Rees.

(wen)

Update PLIST.{Linux,SunOS} to reflect removed plat-* modules.

According to Python 3.6 changelog:

The undocumented IN, CDROM, DLFCN, TYPES, CDIO, and STROPTS modules have been
removed. They had been available in the platform specific Lib/plat-*/
directories, but were chronically out of date, inconsistently available across
platforms, and unmaintained. The script that created these modules is still
available in the source distribution at Tools/scripts/h2py.py.

No PKGREVISION bump since they failed to install on these platforms.

TODO: PLIST.IRIX entries seems to still contains plat-* modules but the ones
TODO: contained are not explicitly documented in the changelog, so they can
TODO: maybe still installed.

Pointed out by Joyent's Linux and SmartOS bulk builds and thanks to <jperkin>
for testing it!

(leot)

Tonights updates

(markd)

Update to stow 2.2.2

* Changes in version 2.2.2

** @VERSION@ substitution was set up for the Stow::Util module.

* Changes in version 2.2.1

Version 2.2.1 was not released since it was rejected by pause.perl.org
due to Stow::Util missing $VERSION.

** Small improvements to documentation
** Fix Perl warnings
** Fix "Undefined subroutine &main::error" error
** Failed system calls now include error description
** Default ignore list now ignores top-level README.*, LICENSE.*,
  and COPYING
** Correctly handle the stow/target directories as non-canonical paths
** Fix stowing of relative links when --no-folding is used.

* Changes in version 2.2.0

** New --no-folding option
** Remove -a option (--adopt still available)
** Improve error message when stow package is not found.
** Test suite improvements
** Documentation improvements
** Remove "There are no outstanding operations to perform" warning.

* Changes in version 2.1.3

** New --adopt / -a option
** ./configure now checks for Perl modules required by the test suite.

* Changes in version 2.1.2

  Many thanks to Stefano Lattarini for help with numerous autoconf and
  automake issues which are addressed in this release.
** Significantly improve the handling of --with-pmdir.
** ./configure now aborts if Perl isn't found.
** Ensured the ChangeLog is up-to-date when making a new distribution.
** Fixed bug with `make clean' removing files which the user may not
  be able to rebuild.

* Changes in version 2.1.1

** Fixed bug where ./configure --with-pmdir=X was ineffectual.
** Calculated the correct default value for pmdir based on the
  local Perl installation.
** Fixed some automake issues
** Improved various bits of documentation.

* Changes in version 2.1.0

** Major refactoring of code into separate Stow and Stow::Util Perl
  modules.
** Added support for ignore list files.
** Added support for CPAN-style installation and distribution via
  Module::Build.
** Introduced `make test' target and significantly tightened up test
  suite.
** Very large number of code and documentation fixes (over 80 commits
  since version 2.0.1).
** The '--conflicts' option has been removed.
** Improved debugging output.
** Converted man page to POD format.
** Include PDF, and both split- and single-page HTML versions of manual
  in the distribution.
** Fixed code style consistency issues.
** Running configure from outside the source tree now works.
** `make distcheck' now works.

* Changes in version 2.0.1

** Defer operations until all potential conflicts have been assessed.
** Multiple stow directories will now cooperate in folding/unfolding.
** Conflict messages are more uniform and informative.
** Verbosity and tracing is more extensive and uniform.
** Implemented option parsing via Getopt::Long.
** Default command line arguments set via '.stowrc' and '~/.stowrc' files.
** Support multiple actions per invocation.
** New (repeatable) command line arg: --ignore='<regex>'
** New (repeatable) command line arg: --defer='<regex>'
** New (repeatable) command line arg: --defer='<regex>'
** New (repeatable) command line arg: --override='<regex>'
** By default, search less aggressively for invalid symlinks when unstowing.
** New chkstow utility for checking the integrity of the target directory.

(markd)

Fix path to pdftpps.
mv cups-browsed.conf from correct post install location.

(markd)

Currently doesn't build with python36 - cann't find python libs

(markd)

PKGREVISION bumps for systemwide vimrc support

(markd)

Allow system-wide vimrc in PKG_SYSCONFDIR

(markd)

More automoc cleanup

(markd)

More automoc cleanup

(markd)

More automoc cleanup

(markd)

More automoc cleanup

(markd)

More automoc cleanup.

(markd)