Update to 2.8.0

Changelog:
== System emulation ==
=== Incompatible changes ===
* The number of allow PCI host bridges for pSeries machine was reduced from 256 to 31 (more can be configured by setting up MMIO windows manually).
* Removed support for tftp:// in the block layer, since this has been broken forever for files bigger than 256KB.
=== Future incompatible changes ===
* Three options are using different names on the command line and in configuration file.  In particular:
** The "acpi" configuration file section matches command-line option "acpitable";
** The "boot-opts" configuration file section matches command-line option "boot";
** The "smp-opts" configuration file section matches command-line option "smp".
:-readconfig will standardize on the name for the command line option.
* Behavior of automatic calculation of SMP topology when some SMP topology options for -smp are omitted (sockets, cores, threads) will change in the future. If guest ABI needs to be preserved on upgrades while using the SMP topology options, users should either set set all options explicitly (sockets, cores, threads), or omit all of them.
* Devices "allwinner-a10", "pc87312", "ssi-sd" will be configured with explicit properties instead of implicitly.  This is unlikely to affect users.
* QMP command blockdev-add is still a work in progress.  It doesn't support all block drivers, it lacks a matching blockdev-del, and more.  It might change incompatibly.
* For x86, specifying a CPUID feature with both "+feature/-feature" and "feature=on/off" will cause a warning.  The current behavior for this combination ("+feature/-feature" wins over "feature=on/off") will be changed so that "+feature" and "-feature" will be synonyms for "feature=on" and "feature=off" respectively).
=== ARM ===
* Improvements to the Aspeed board.
* Support for HLT semihosting traps in AArch32 mode (both ARM and Thumb).
* The ACPI tables for the "virt" machine type support ITS.
* The Cadence GEM device now supports multiple priority queues through the num-priority-queues property.
* The STM32F2xx board (Netduino 2) now includes ADC and SPI devices.
==== KVM ====
=== MIPS ===
* Support for 24KEc CPUs.
=== PowerPC ===
* Support for POWER9 CPUs.
* Improvements for the new "powernv" platform.
==== pSeries ====
* PCI host bridges can be associated to NUMA nodes.
* Support for more than 1 TiB of guest memory.
* Support for more than 64 GiB of MMIO window in a PCI host bridge.
* Support for the "-prom-env" parameter
=== s390 ===
* Support for CPU models.
* Support for virtio-ccw revision 2.

=== SH ===
=== SPARC ===
=== TileGX ===
=== Tricore ===
=== x86 ===
* Support for several new CPUID features related to AVX-512 instruction set extensions.
* The emulated IOAPIC (used by TCG and, with KVM, if the "-machine kernel_irqchip" option has the value "off" or "split") now defaults to version 0x20, which supports directed end-of-interrupt messages.
* Support for Extended Interrupt Mode (EIM) in the intel_iommu device.  EIM requires KVM (Linux v4.7 or newer, for x2APIC support) and "-machine kernel-irqchip=split"; it is enabled automatically if interrupt remapping is enabled ("-machine kernel-irqchip=split -device intel_iommu,intremap=on").
* Support for up to 288 CPUs with the Q35 machine types.  256 or more CPUs are only supported if IOMMU and EIM are enabled.
==== Xen ====
* Support for unplugging SCSI disk.
* Support for SUSE xenlinux-compatible device unplug.
=== Device emulation and assignment ===
* QEMU now includes a generic loader pseudo-device that lets you load multiple images or values into memory at startup.  This device is documented in {{src|path=docs/generic-loader.txt}}.
==== ACPI ====
* Support for hotplugging of NVDIMM devices (_FIT)
==== Block devices ====
==== Network devices ====
* Support for fault tolerance based on coarse-grained lock stepping (COLO).
==== SCSI ====
==== PCI/PCIe ====
* The sample EDU device now supports MSI.
* [http://git.qemu.org/?p=qemu.git;a=blob;f=docs/pcie.txt;h=9fb20aaed9f41c302419206e1201d151c35e5a1c;hb=HEAD PCI Express Guidelines documentation] has been added for advice on topology and PCI vs PCIe.
==== USB ====
==== VFIO ====
==== virtio ====
* New device vhost-vsock.
* Initial support for graceful handling of guest errors (i.e. QEMU should not exit on guest errors).
* Support for new virtio-crypto device.

==== Xen ====
* Support for grant copy.
=== Character devices ===
=== Crypto subsystem ===
* Support for more hash algorithms for PBKDF.
* Support for CTR mode.
=== GUI ===
* SPICE can use pure OpenGL rendering if "gl=on" is specified.
=== Monitor ===
=== Migration ===
* Support for fault tolerance based on coarse-grained lock stepping (COLO).
=== Network ===
=== Block devices and tools ===
* More QMP commands support node-name (block-stream, block-commit, blockdev-backup, blockdev-mirror, blockdev-snapshot-delete-internal-sync, blockdev-snapshot-internal-sync, change-backing-file, drive-backup, drive-mirror, nbd-server-add).
* The BLOCK_IO_ERROR event now includes the node name.
* More QMP commands accept device model names (block_set_io_throttle, blockdev-change-medium, eject, x-blockdev-remove-medium, x-blockdev-insert-medium, blockdev-open-tray, blockdev-close-tray)
* The DEVICE_TRAY_MOVED event now includes the device id.
* Throttling now applies to the guest device only, and not to block jobs or the NBD server.
* drive-backup and blockdev-backup support writing out backups in compressed format.
* The LUKS format now can configure the PBKDF iteration count.
* block-stream supports streaming from a backing file to another backing file.
* Support for replication, for coarse-grained lock stepping (COLO) fault tolerance.
* New "dd" subcomamand of qemu-img.
* The DMG driver can be compiled to a separate driver, so as to make QEMU's dependency on libbz2 optional.
* Support for iSER in QEMU's iSCSI initiator through a iser:// URI.
* The NBD client and server support the NBD_CMD_WRITE_ZEROES extension.
* Raw images support "offset" and "size" options to access only a part of the file or device.

=== Tracing ===
* New tracing backend "syslog".
* Support for multiple "-d trace:PATTERN" command-line arguments.
=== CLI options ===

== User-mode emulation ==
=== Removed target support ===
* The unicore32-linux-user target implemented a different system call ABI from mainline Linux for this architecture. Support for it has been dropped.
=== New functionality ===
* Added support for more syscalls including preadv, pwritev, syslog.
* Major scalability improvements for multi-threaded programs (ARM, SPARC, x86).
* QEMU can now understand and generate fence and cmpxchg operations.

== TCG ==
* New TCG primitives have been added for safely modelling architectural synchronisation instructions (e.g. atomics, LL/SC, LOCK prefixes). arm, aarch64, alpha and x86 targets now use these primitives for multi-threaded linux-user programs. TCG target maintainers are encouraged to port their front-ends to use the new facilities.
* The TCG backends now emit appropriate barrier instructions for frontend barriers when running multi-threaded programs. However, emulating a strongly-ordered architecture (e.g., x86) on a weakly-ordered one (e.g., ARM or POWER) will not work yet.
* tb_flush() is finally thread-safe meaning multi-threaded programs are less likely to crash when the translation buffer is reset
* lock contention in the main cpu run-loop has been reduced improving performance for multi-threaded code
* a number of races were identified and fixed

A lot of the TCG work merged in this cycle where prerequisites for supporting multi-threaded system emulation (MTTCG). While full MTTCG support is expected to be merged in the next development cycle, multi-threaded linux-user programs will already benefit from this work.

(ryoon)

Added avahi as an option so ippfind can be build; unified PLIST and cleanup for Darwin

(adam)

Note update of www/contao43 package to 4.3.2.

(taca)

Update contao43 to 4.3.2, including fix for CVE-2016-10074.

* Raise the minimum SwiftMailer version.
* Remove some left-over settings labels.
* Go back to using the stable channel of Composer now that version 1.3 has
  been released.
* Reduce the filter menu width if preceded by the submit panel.

(taca)

Note update of www/contao35 package to 3.5.21.

(taca)

Update contao35 to 3.5.21.

Version 3.5.21 (2016-12-29)
---------------------------

### Updated
Update SwiftMailer to version 5.4.5 (fixes CVE-2016-10074).

(taca)

Note update of databases/phpmyadmin package to 4.6.5.2.

(taca)

Update phpmyadmin to 4.6.5.2, including security fixes.

4.6.5.2 (2016-12-05)
- issue #12765 Fixed SQL export with newlines

4.6.5.1 (2016-11-25)
- issue #12735 Incorrect parameters to escapeString in Node.php
- issue #12734 Fix PHP error when mbstring is not installed
- issue #12736 Don't force partition count to be specified when creating a new table

4.6.5 (2016-11-24)
- issue        Remove potentionally license problematic sRGB profile
- issue #12459 Display read only fields as read only when editing
- issue #12384 Fix expanding of navigation pane when clicking on database
- issue #12430 Impove partitioning support
- issue #12374 Reintroduced simplified PmaAbsoluteUri configuration directive
- issue        Always use UTC time in HTTP headers
- issue #12479 Simplified validation of external links
- issue #12483 Fix browsing tables with built in transformations
- issue #12485 Do not show warning about short blowfish_secret if none is set
- issue #12251 Fixed random logouts due to wrong cookie path
- issue #12480 Fixed editing of ENUM/SET/DECIMAL fields structure
- issue #12497 Missing escaping of configuration used in SQL (hide_db and only_db)
- issue #12476 Add error checking in reading advisory rules file
- issue #12477 Add checking missing elements and confirming element types from json_decode
- issue #12251 Automatically save SQL query in browser local storage rather than in cookie
- issue #12292 Unable to edit transformations
- issue #12502 Remove unused paramenter when connecting to MySQLi
- issue #12303 Fix number formatting with different settings of precision in PHP
- issue #12405 Use single quotes in PHP code
- issue #12534 Option for the dropped column is not removed from 'after_field' select, after the column is dropped
- issue #12531 Properly detect DROP DATABASE queries
- issue #12470 Fix possible race condition in setting URL hash
- issue #11924 Remove caching of server information
- issue #11628 Proper parsing of INSERT ... ON DUPLICATE KEY queries
- issue #12545 Proper parsing of CREATE TABLE ... PARTITION queries
- issue #12473 Code can throw unhandled exception
- issue #12550 Do not try to keep alive session even after expiry
- issue #12512 Fixed rendering BBCode links in setup
- issue #12518 Fixed copy of table with generated columns
- issue #12221 Fixed export of table with generated columns
- issue #12320 Copying a user does not copy usergroup
- issue #12272 Adding a new row with default enum goes to no selection when you want to add more then 2 rows
- issue #12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab
- issue #12554 Absence of scrolling makes it impossible to read longer text values in grid editing
- issue #12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate
- issue #12300 Export selective tables by-default dumps Events also
- issue #12298 Fixed export of view definitions
- issue #12242 Edit routine detail dialog does not fill "Return length" field in mysql functions
- issue #12575 New index Confirm adds whitespace around the field name
- issue #12382 Bug in zoom search
- issue #12321 Assign LIMIT clause only to syntactically correct queries
- issue #12461 Can't Execute SQL With Sub-Query Due To "LIMIT 0,25" Inserted At Wrong Place
- issue #12511 Clarify documentation on ArbitraryServerRegexp
- issue #12508 Remove duplicate code in SQL escaping
- issue #12475 Cleanup code for getting table information
- issue #12579 phpMyAdmin's export of a Select statment without a FROM clause generates Wrong SQL
- issue #12316 Correct export of complex SELECT statements
- issue #12080 Fixed parsing of subselect queries
- issue #11740 Fixed handling DELETE ... USING queries
- issue #12100 Fixed handling of CASE operator
- issue #12455 Query history stores separate entry for every letter typed
- issue #12327 Create PHP code no longer works
- issue #12179 Fixed bookmarking of query with multiple statements
- issue #12419 Wrong description on GRANT OPTION
- issue #12615 Fixed regexp for matching browser versions
- issue #12569 Avoid showing import errors twice
- issue #12362 prefs_manage.php can leave an orphaned temporary file
- issue #12619 Unable to export csv when using union select
- issue #12625 Broken Edit links in query results of JOIN query
- issue #12634 Drop DB error in import if DB doesn't exist
- issue #12338 Designer reverts to first saved ER after EACH relation create or delete
- issue #12639 'Show trace' in Console generates JS error for functions in query's trace called without any arguments
- issue #12366 Fix user creation with certain MariaDB setups
- issue #12616 Refuse to work with mbstring.func_overload enabled
- issue #12472 Properly report connection without password in setup
- issue #12365 Fix records count for large tables
- issue #12533 Fix records count for complex queries
- issue #12454 Query history not updated in console until page refresh
- issue #12344 Fixed parsing of labels in loop
- issue #12228 Fixed parsing of BEGIN labels
- issue #12637 Fixed editing some timestamp values
- issue #12622 Fixed javascript error in designer
- issue #12334 Missing page indicator or VIEWs
- issue #12610 Export of tables with Timestamp/Datetime/Time columns defined with ON UPDATE clause with precision fails
- issue #12661 Error inserting into pma__history after timeout
- issue #12195 Row_format = fixed not visible
- issue #12665 Cannot add a foreign key - non-indexed fields not listed in InnoDB tables
- issue #12674 Allow for proper MySQL-allowed strings as identifiers
- issue #12651 Allow for partial dates on table insert page
- issue #12681 Fixed designer with tables using special chars
- issue #12652 Fixed visual query builder for foreign keys with more fields
- issue #12257 Improved search page performance
- issue #12322 Avoid selecting default function for foreign keys
- issue #12453 Fixed escaping of SQL parts in some corner cases
- issue #12542 Missing table name in account privileges editor
- issue #12691 Remove ksort call on empty array in PMA_getPlugins function
- issue #12443 Check parameter type before processing
- issue #12299 Avoid generating too long URLs in search
- issue #12361 Fix self SQL injection in table-specific privileges
- issue #12698 Add link to release notes and download on new version notification
- issue #12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function)
- issue        [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue        [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
- issue        [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
- issue        [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
- issue        [security] Possible to bypass logout timeout, see PMASA-2016-62
- issue        [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
- issue        [security] Multiple XSS weaknesses, see PMASA-2016-64
- issue        [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
- issue        [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
- issue        [security] BBCode injection to login page, see PMASA-2016-67
- issue        [security] Denial-of-service (DOS) vulnerability in table partitioning, see PMASA-2016-68
- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue        [security] Incorrect serialized string parsing, see PMASA-2016-70
- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71

(taca)

Note update of security/openssh package to 7.4.1.

(taca)

Update openssh to 7.4.1 (7.4p1), including security fixes.

For full changes, please refer ChangeLog file.

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in future releases,
specifically:

* In approximately August 2017, removing remaining support for the
  SSH v.1 protocol (client-only and currently compile-time disabled).

* In the same release, removing support for Blowfish and RC4 ciphers
  and the RIPE-MD160 HMAC. (These are currently run-time disabled).

* Refusing all RSA keys smaller than 1024 bits (the current minimum
  is 768 bits)

* The next release of OpenSSH will remove support for running sshd(8)
  with privilege separation disabled.

* The next release of portable OpenSSH will remove support for
  OpenSSL version prior to 1.0.1.

This list reflects our current intentions, but please check the final
release notes for future releases.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* This release removes server support for the SSH v.1 protocol.

* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
  block ciphers are not safe in 2016 and we don't want to wait until
  attacks like SWEET32 are extended to SSH. As 3des-cbc was the
  only mandatory cipher in the SSH RFCs, this may cause problems
  connecting to older devices using the default configuration,
  but it's highly likely that such devices already need explicit
  configuration for key exchange and hostkey algorithms already
  anyway.

* sshd(8): Remove support for pre-authentication compression.
  Doing compression early in the protocol probably seemed reasonable
  in the 1990s, but today it's clearly a bad idea in terms of both
  cryptography (cf. multiple compression oracle attacks in TLS) and
  attack surface. Pre-auth compression support has been disabled by
  default for >10 years. Support remains in the client.

* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
  of trusted paths by default. The path whitelist may be specified
  at run-time.

* sshd(8): When a forced-command appears in both a certificate and
  an authorized keys/principals command= restriction, sshd will now
  refuse to accept the certificate unless they are identical.
  The previous (documented) behaviour of having the certificate
  forced-command override the other could be a bit confusing and
  error-prone.

* sshd(8): Remove the UseLogin configuration directive and support
  for having /bin/login manage login sessions.

Changes since OpenSSH 7.3
=========================

This is primarily a bugfix release.

Security
--------

* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
  outside a trusted whitelist (run-time configurable). Requests to
  load modules could be passed via agent forwarding and an attacker
  could attempt to load a hostile PKCS#11 module across the forwarded
  agent channel: PKCS#11 modules are shared libraries, so this would
  result in code execution on the system running the ssh-agent if the
  attacker has control of the forwarded agent-socket (on the host
  running the sshd server) and the ability to write to the filesystem
  of the host running ssh-agent (usually the host running the ssh
  client). Reported by Jann Horn of Project Zero.

* sshd(8): When privilege separation is disabled, forwarded Unix-
  domain sockets would be created by sshd(8) with the privileges of
  'root' instead of the authenticated user. This release refuses
  Unix-domain socket forwarding when privilege separation is disabled
  (Privilege separation has been enabled by default for 14 years).
  Reported by Jann Horn of Project Zero.

* sshd(8): Avoid theoretical leak of host private key material to
  privilege-separated child processes via realloc() when reading
  keys. No such leak was observed in practice for normal-sized keys,
  nor does a leak to the child processes directly expose key material
  to unprivileged users. Reported by Jann Horn of Project Zero.

* sshd(8): The shared memory manager used by pre-authentication
  compression support had a bounds checks that could be elided by
  some optimising compilers. Additionally, this memory manager was
  incorrectly accessible when pre-authentication compression was
  disabled. This could potentially allow attacks against the
  privileged monitor process from the sandboxed privilege-separation
  process (a compromise of the latter would be required first).
  This release removes support for pre-authentication compression
  from sshd(8). Reported by Guido Vranken using the Stack unstable
  optimisation identification tool (http://css.csail.mit.edu/stack/)

* sshd(8): Fix denial-of-service condition where an attacker who
  sends multiple KEXINIT messages may consume up to 128MB per
  connection. Reported by Shi Lei of Gear Team, Qihoo 360.

* sshd(8): Validate address ranges for AllowUser and DenyUsers
  directives at configuration load time and refuse to accept invalid
  ones. It was previously possible to specify invalid CIDR address
  ranges (e.g. user@127.1.2.3/55) and these would always match,
  possibly resulting in granting access where it was not intended.
  Reported by Laurence Parry.

(taca)

Updated www/ikiwiki to 3.20161229

(schmonz)

Update to 3.20161229. From the changelog:

* Security: force CGI::FormBuilder->field to scalar context where
  necessary, avoiding unintended function argument injection
  analogous to CVE-2014-1572. In ikiwiki this could be used to
  forge commit metadata, but thankfully nothing more serious.
  (CVE-2016-9646)
* Security: try revert operations in a temporary working tree before
  approving them. Previously, automatic rename detection could result in
  a revert writing outside the wiki srcdir or altering a file that the
  reverting user should not be able to alter, an authorization bypass.
  (CVE-2016-10026 represents the original vulnerability.)
  The incomplete fix released in 3.20161219 was not effective for git
  versions prior to 2.8.0rc0.
  (CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
  CVE-2016-10026
  - Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version
  and an anonymous committer

(schmonz)

PKGREVISION shouldn't be in Makefile.common, even though the last two
bumps applied to both users.

(dholland)

Updated devel/py-dulwich to 0.16.1

(wiz)

Updated py-dulwich to 0.16.1.

0.16.1 2016-12-25

BUG FIXES

  * Fix python3 compatibility for dulwich.contrib.release_robot.
    (Jelmer Vernoo蝶)

0.16.0 2016-12-24

IMPROVEMENTS

  * Add support for worktrees. See `git-worktree(1)` and
    `gitrepository-layout(5)`. (Laurent Rineau)

  * Add support for `commondir` file in Git control
    directories. (Laurent Rineau)

  * Add support for passwords in HTTP URLs.
    (Jon Bain, Mika M辰enp辰辰)

  * Add `release_robot` script to contrib,
    allowing easy finding of current version based on Git tags.
    (Mark Mikofski)

  * Add ``Blob.splitlines`` method.
    (Jelmer Vernooij)

BUG FIXES

  * Fix ``porcelain.reset`` to respect the comittish argument.
    (Koen Martens)

  * Fix handling of ``Commit.tree`` being set to an actual
    tree object rather than a tree id. (Jelmer Vernooij)

  * Return remote refs from LocalGitClient.fetch_pack(),
    consistent with the documentation for that method.
    (#461, Jelmer Vernoo蝶)

  * Fix handling of unknown URL schemes in get_transport_and_path.
    (#465, Jelmer Vernooij)

(wiz)

Updated textproc/p5-YAML to 1.21

(wiz)

Updated p5-YAML to 1.21.

1.21 Fri Dec 23 21:19:15 CET 2016
- Apply PR/171 (fixes issue/109) @perlpunk++
- No more "used only once" warnings for $YAML::Indent etc.
- Apply PR/170 (fixes issue/131) hiratara@cpan.org++
- Empty mapping value at the end resolves to null (was becoming empty
  string)
- Apply PR/169 (PR/119) patrick.allen.higgins@gmail.com++
- Output key in warning when duplicate key was found
- Apply PR/157 and PR/168 (@lameventanas++ @perlpunk++)
- Allow reading and writing to IO::Handle

(wiz)

Updated devel/p5-Scalar-List-Utils to 1.47

(wiz)

Updated p5-Scalar-List-Utils to 1.47.

1.47 -- 2016/12/22 18:54:45
[CHANGES]
* Make XS code ppport.h-free when in core

[BUGFIXES]
* Fix compliling on C++11
* Perform taint checks using $^X instead of some %ENV key because of
  the Test::Simple vars (RT119169)

(wiz)

Updated time/p5-DateTime to 1.4200

(wiz)

Updated p5-DateTime to 1.4200.

1.42  2016-12-25

- The DateTime::Duration->add and ->subtract methods now accept
  DateTime::Duration objects. This used to work by accident, but this is now
  done intentionally (with docs and tests). Reported by Petr Pisar. GitHub
  #50.

(wiz)

Updated mail/notmuch to 0.23.4

(wiz)

Updated notmuch to 0.23.4.

Notmuch 0.23.4 (2016-12-24)
===========================

Command Line Interface
----------------------

Improve error handling in notmuch insert

  Database lock errors no longer prevent message file delivery to the
  filesystem.  Certain errors during `notmuch insert` most likely to
  be temporary return EX_TEMPFAIL.

Emacs
-----

Restore autoload cookie for notmuch-search.

(wiz)

Updated security/libgpg-error to 1.26

(wiz)

Updated libgpg-error to 1.26.

Noteworthy changes in version 1.26 (2016-12-21) [C21/A21/R0]
-----------------------------------------------

* New option --desc for gpg-error.

* Interface changes relative to the 1.25 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_UNKNOWN_FLAG            NEW.
GPG_ERR_INV_ORDER                NEW.
GPG_ERR_ALREADY_FETCHED          NEW.
GPG_ERR_TRY_LATER                NEW.
GPG_ERR_SYSTEM_BUG              NEW.
GPG_ERR_DNS_UNKNOWN           NEW.
GPG_ERR_DNS_SECTION           NEW.
GPG_ERR_DNS_ADDRESS           NEW.
GPG_ERR_DNS_NO_QUERY           NEW.
GPG_ERR_DNS_NO_ANSWER           NEW.
GPG_ERR_DNS_CLOSED           NEW.
GPG_ERR_DNS_VERIFY           NEW.
GPG_ERR_DNS_TIMEOUT           NEW.

(wiz)

Updated security/libgcrypt to 1.7.5

(wiz)

Updated libgcrypt to 1.7.5.

Noteworthy changes in version 1.7.5 (2016-12-15)  [C21/A1/R5]
------------------------------------------------

* Bug fixes:

  - Fix regression in mlock detection [bug#2870].

(wiz)

Updated devel/global to 6.5.6

(wiz)

Updated global to 6.5.6.

Version 6.5.6 - December 19 2016

[CHANGES]
New facilities:
o htags-server: New --retry[=n] option.
  If the port is already in use, retry n times with incrementing the port number.
  The default of n is 20.
o htags: Changed the format of function header (--show-position) to make copying
  text easier.
o geco.rc: Added 'fzf' as a selector candidate.
o gtags: New configuration variable 'gtags_hook'.
  gtags_hook=<command line>
Specify a command line which should be executed at the beginning of gtags(1).
Leading "./" in any path is always means the project root directory, since
gtags(1) is always invoked there.
  GTAGS_COMMANDLINE environment variable (read only)
You can get the effective command line of gtags(1) from the hook. It includes
both $GTAGS_OPTIONS and real arguments.

  [Usage]
  You can update 'gtags.files' before gtags(1) read it.

[gtags.conf]
+----------------------------------------
|...
|:gtags_hook=find src lib -print >gtags.files:

  You can refer the effective arguments of gtags(1) from the hook using
  environment variable GTAGS_COMMANDLINE.

[gtags.conf]
+----------------------------------------
|...
|:gtags_hook=./gen.sh:\
|:GTAGS_OPTIONS=-c:\

[gen.sh]
+----------------------------------------
|#!/bin/sh
|echo ">>> $GTAGS_COMMANDLINE" # show effective command line

$ gtags -O
>>> gtags -c -O
$ _

[INCOMPATIBLE CHANGES]
o htags: Now --cvsweb option always insert 'view=log' to the generated URLs.
  Because it seems to be almost always a desirable specification.

[FIXED BUGS]
o gtags: Gtags often aborts with a message "buffer overflow. strlimcpy" when
  it encounters a long token (> 152 bytes). Now gtags always ignores it with
  a message "symbol name is too long. (Ignored)".
o htags: Old packages included two CGI scripts (completion.cgi, global.cgi)
  generated in the release manager's machine by mistake. They have some literal
  path like '/opt/local/bin/perl' which works only with MacPorts.
  Now, they are generated in the target (your) machine.

(wiz)

Updated graphics/ImageMagick to 7.0.4.0

(wiz)

Updated ImageMagick to 7.0.4.0.

2016-12-18  7.0.4-0 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.4-0, GIT revision 19221:d5e8abc:20161218.

2016-12-14  7.0.4-0 Cristy  <quetzlzacatenango@image...>
* Lazily evaluate the image storage class and colorspace to prevent cache
  allocation when pinging an image.
* Do not close path for linejoins of round (reference
  https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31039).

(wiz)

Note update of gcc6 package.

(maya)

gcc6: update to 6.3.0.

This release is a bug-fix release, containing fixes for regressions in GCC
6.2 relative to previous releases of GCC.

An incomplete list of bugs fixed in GCC 6.3 is available here:
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=6.3

(maya)

Updated geography/viking to 1.6.2

(gdt)

Update to 1.6.2

Upstream no longer builds documentation by default.  Don't enable it,
because then the build fails because it assumes mapnik is present.

Note that C++11 is now required by upstream, at least if mapnik is
included.  For now, just add C++ to languages.

Add patch to remediate new bashisms.

Viking 1.6.2 (2015-12-21)
Bug Fix Release
* Don't remove project name if one decides not to delete all layers.
* Fix routes not saved in GPX when tracks are made invisible.
* SF Bugs#103: Fix TrackWaypoint layer items may not be displayed when pasted
* Enable Catalan and Turkish translations.
* Restore opening of JPG files.
* SF Bugs#127: Fix initial display of Waypoint sort order.
* Fix map layer widget sensitivity dependent on map type.

Viking 1.6.1 (2015-11-24)
Bug Fix Release + updated translations
* Several fixes and many code improvements from Coverity scans
* Fix heap-buffer-overflows
* Mapnik3 support.
** C++ standard required is now C++11
* Reactivate building of the reference documentation
* SF Bugs#126: Fix crash in gdk_rgb_convert_0888 due to using deallocated memory.
* SF Bugs#121: Fix crash when invalidating previously acquired tiles.
* SF Bugs#123: Fix bzip2 decompression on Windows.
* SF Bugs#122: Fix memory cache confusion with multiple "On Disk OSM Tile Format" maps
* SF Bugs#120: Fix Track drawing bug across the 180th Meridian.
* Red Hat Bugzilla – Bug 1210403: Only download and process one Bing attribution list.
* Fix Geocaches acquiring with latest geo-* software
* Import latest Launchpad translation updates
* Many other small fixes - see the ChangeLog for the full details.

(gdt)

Updated www/py-idna to 2.2

(wiz)

Updated py-idna to 2.2.

2.2 (2016-12-21)
++++++++++++++++

- Made some changes to the UTS 46 data that should allow Jython to get around
  64kb Java class limits. (Thanks, John A. Booth and Marcin P��onka.)
- In Python 2.6, skip two tests that rely on data not present in that
  Python version's unicodedata module.
- Use relative imports to help downstream users.

(wiz)

Remove last mentions of gcc45,46,47 in mk/.
No functional change intended.

(maya)

Fix build. Not sure if this makes sense, since it's for the removed xen 4.1.

(wiz)

Remove some of the mentions for gcc{45,46,47}.
No functional change intended.
Still a few left.

(maya)

Updated meta-pkgs/bulk-medium to 20161229

(wiz)

Depend on existing xen packages. Bump version.

(wiz)

Fix build with SSP.

Closes my PR 51479.

(wiz)

Note removal of gcc{45,46,47} and gcc{46,47}-libs

(maya)

Remove gcc45,46,47 and libs as discussed in pkgsrc-users
GCC_REQD for these versions now resolves to gcc48 due to a previous commit.

Please file a bug report if you are having trouble with GCC 4.8.

(maya)

Make GCC_REQD+= 4.5 to 4.8 resolve to 4.8 (dropping the possibility to
match for 4.5, 4.6, 4.7, which will soon be dropped).

This commit is the functional change. Cleanup will be done in separate
commits.

(maya)

- spidermonkey-1.8.5 (was imported as lang/spidermonkey185)

(leot)

xentools works fine system curses.

(roy)

Fix USE_CURSES feature support.

(roy)

Updated multimedia/mpv to 0.23.0

(leot)

Update multimedia/mpv to mpv-0.23.0

Changes:
Release 0.23.0
==============
Now requires at least FFmpeg 3.2.2.

Features
--------
- vo_rpi: partially undeprecate

Added
~~~~~
- vo_opengl: hwdec_cuda: Support P016 output surfaces

Removed
~~~~~~~
- charset_conv: drop enca and libguess support in favor of uchardet
- vf_vdpaurb: remove this filter in favor of --hwdec=vdpau-copy

Options and Commands
--------------------
Added
~~~~~
- TOOLS/autoload: allow disabling through script-opts
- demux, stream: add --access-references to prevent opening referenced files

Deprecated
~~~~~~~~~~
- options: deprecate codec family selection in --vd/--ad

Removed
~~~~~~~
- macOS: remove --fs-black-out-screens
- options: remove deprecated sub-option handling for --vo and --ao

Fixes and Minor Enhancements
----------------------------
- Windows: window styles improvements (allow minimizing borderless/fullscreen window) (#2229, #2451)
- ad_spdif: Fix crash when spdif muxer is not available
- audio: fix --audio-stream-silence with ao_alsa
- audio: fix --audio-stream-silence with ao_wasapi
- build: drop build-time dependency on Perl
- build: support linking ANGLE (previously loaded dynamically)
- d3d11va: unconditionally load D3D DLLs (#3348)
- demux_mkv: fix seeking in some broken files (#3920)
- hwdec_cuda: allow building without CUDA SDK (load CUDA dynamically)
- macOS: fix dropping of URLs containing query strings on the window
- macOS: fullscreen refactoring (#2857, #3272, #1352, #2062, #3864)
- macOS: support append file to paylist on drop (#2166)
- macOS: update the menu and remove conflicting ���Quit & remember position��� item (#3865)
- osc: don't hide playlist buttons, just disable
- osc: fix possible race condition in right timecode
- osc: topbar: use same styles as bottombar
- player: don't print format detection error when aborting loading
- vdpau: fix vaapi probing if libvdpau-va-gl1 is present
- video: use demuxer-signaled duration for last video frame (#3924)

(leot)

Updated net/syncthing to 0.14.17

(wiz)

Updated syncthing to 0.14.17.

This is a normally scheduled feature and bugfix release.

Resolved issues:

    #3689: Panics caused by corrupt on disk database are now better explained in the panic message.

    #3817: Statically configured device addresses without port number now correctly defaults to port 22000 again.

    #3829: Inotify clients no longer cause 'invalid subpath' errors to be displayed.

New and improved functionality:

    #215: Folders can now be paused.

    #2679: "Master" folders are now called "send only" in order to standardize on a terminology of sending and receiving changes.

    #3407: Pausing devices and folders now persists across restarts.

    #3527: A rolling checksum is used to identify and reuse blocks that have moved within a file.

    #3790: Syncthing allows setting the type-of-service field on outgoing packets, configured by the advanced setting "trafficClass".

    #3809: Which device introduced another device is now visible in the GUI.

(wiz)

Note removal of old Xen packages.

(wiz)

Remove xenkernel and tools versions 3, 33, and 41.

As discussed on pkgsrc-users.

(wiz)

Mention old openoffice and libreoffice package removals.

(wiz)

Remove old openoffice and libreoffice packages.

As discussed on pkgsrc-users.

(wiz)

+ darktable-2.2.0, filezilla-3.23.0.2, handbrake-1.0.0,
  p5-DateTime-1.4200, plasma-5.8.5, py-ncclient-0.5.3, root-6.08.02,
  tor-0.2.9.8 [pkg/51745].

(wiz)

Note freeze end for 2016Q4.

(wiz)

Add CHANGES file for 2016Q4 branch.

(wiz)

Updated graphics/png to 1.6.27

(wiz)

Updated png to 1.6.27, security fix release.

Version 1.6.27beta01 [November 2, 2016]
  Restrict the new ADLER32-skipping to IDAT chunks.  It broke iCCP chunk
    handling: an erroneous iCCP chunk would throw a png_error and reject the
    entire PNG image instead of rejecting just the iCCP chunk with a warning,
    if built with zlib-1.2.8.1.

Version 1.6.27rc01 [December 27, 2016]
  Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
  Removed the use of a macro containing the pre-processor 'defined'
    operator.  It is unclear whether this is valid; a macro that
    "generates" 'defined' is not permitted, but the use of the word
    "generates" within the C90 standard seems to imply more than simple
    substitution of an expression itself containing a well-formed defined
    operation.
  Added ARM support to CMakeLists.txt (Andreas Franek).

Version 1.6.27 [December 29, 2016]
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

(wiz)

Add a patch so that this builds on netbsd-6 as well.
OK from wiz@

(he)

sort

(jnemeth)

Pullup tickets #5174 and #5175.

(bsiegert)

Pullup ticket #5175 - requested by sevan
textproc/libxml2: security fix

Revisions pulled up:
- textproc/libxml2/Makefile.common                              1.4
- textproc/libxml2/distinfo                                    1.114
- textproc/libxml2/patches/patch-result_XPath_xptr_vidbase      1.1
- textproc/libxml2/patches/patch-test_XPath_xptr_vidbase        1.1
- textproc/libxml2/patches/patch-xpath.c                        1.1
- textproc/libxml2/patches/patch-xpointer.c                    1.4

---
  Module Name:    pkgsrc
  Committed By:  sevan
  Date:          Tue Dec 27 02:34:34 UTC 2016

  Modified Files:
          pkgsrc/textproc/libxml2: Makefile.common distinfo
  Added Files:
          pkgsrc/textproc/libxml2/patches: patch-result_XPath_xptr_vidbase
              patch-test_XPath_xptr_vidbase patch-xpath.c patch-xpointer.c

  Log Message:
  Patch for CVE-2016-4658 & CVE-2016-5131
  Bump rev

(bsiegert)

Pullup ticket #5174 - requested by sevan
www/lynx: security fix

Revisions pulled up:
- www/lynx/Makefile                                            1.123-1.124
- www/lynx/distinfo                                            1.34-1.35
- www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c    1.1-1.2
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c      1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h      1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h  1.1
- www/lynx/patches/patch-src_LYUtils.c                          1.1

---
  Module Name:    pkgsrc
  Committed By:  sevan
  Date:          Wed Dec 21 11:25:25 UTC 2016

  Modified Files:
          pkgsrc/www/lynx: Makefile distinfo
  Added Files:
          pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
              patch-WWW_Library_Implementation_HTTP.c
              patch-WWW_Library_Implementation_HTTP.h
              patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c

  Log Message:
  Patch for POODLE & CVE-2016-9179.
  Bump rev.

---
  Module Name:    pkgsrc
  Committed By:  sevan
  Date:          Thu Dec 22 17:30:52 UTC 2016

  Modified Files:
          pkgsrc/www/lynx: Makefile distinfo
          pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c

  Log Message:
  Fix broken patch committed previously which resulted in lynx crashing.
  Bump rev again.

  Apologies to anyone caught out by this mistake.
  Heads up by alnsn@

(bsiegert)

Back out the NOT_JOBS_SAFE change. It turns out I was seeing an unrelated
problem. Sorry for the noise.

(bsiegert)

+ mpv-0.23.0

(leot)

Patch for CVE-2016-4658 & CVE-2016-5131
Bump rev

(sevan)

make the message about null page less OS specific (suggest linux
sysctl as well)

(maya)

Add nss-3.28

This breaks www/firefox for ECDSA https connection, for example, *.google.com.

(ryoon)

FIx PLIST for kde4 option

(ryoon)

PLIST catchup for recent update.

(markd)

Don't expect pointers to have a sign.

(joerg)

Fix clang detection again.

(joerg)

-std=c++11 is a C++-only option, so don't put it in CPPFLAGS.

(joerg)

Don't try using LuaJIT if detected.

(markd)

Note pcre dependency
Fix sysconfdir setting.

(markd)

Fix ruby-gnome2-gobject-introspection dependency as defined in the gem.

(tsutsui)

Note update of www/contao43 package to 4.3.1.

(taca)

Update contao43 to 4.3.1, a leaf package.

### 4.3.1 (2016-12-22)

* Preserve uppercase characters in custom sections IDs (see #639).
* Always show the section title instead of its ID (see #640).
* Correctly handle DropZone file uploads (see #637).
* Fix the markup of the CSV importers (see #645).
* Correctly symlink the logs directory under Windows (see #634).

(taca)

Updated finance/moneyguru to 2.10.2nb1

(wiz)

Some dependency (sphinx?) changed their behaviour -- update PLIST.

Bump PKGREVISION.

(wiz)

Fix jasper fallout.

(wiz)

Re-add gtk3 PLIST entries.

(wiz)

Fix PLIST from wiz@. Thank you

(ryoon)

+ fldigi-3.23.19, phpmyadmin-4.6.5.2 [pkg/51741].

(wiz)

Updated mail/exim to 4.88

(wiedi)

Update exim to 4.88
Security update to address CVE-2016-9963

Exim version 4.88
-----------------
JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
      supports it and a size is available (ie. the sending peer gave us one).

JH/02 The obsolete acl condition "demime" is removed (finally, after ten
      years of being deprecated). The replacements are the ACLs
      acl_smtp_mime and acl_not_smtp_mime.

JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
      a downgraded non-dane trust-anchor for the TLS connection (CA-style)
      or even an in-clear connection were permitted.  Now, if the host lookup
      was dnssec and dane was requested then the host is only used if the
      TLSA lookup succeeds and is dnssec.  Further hosts (eg. lower priority
      MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
      if one fails this test.
      This means that a poorly-configured remote DNS will make it incommunicado;
      but it protects against a DNS-interception attack on it.

JH/04 Bug 1810: make continued-use of an open smtp transport connection
      non-noisy when a race steals the message being considered.

JH/05 If main configuration option tls_certificate is unset, generate a
      self-signed certificate for inbound TLS connections.

JH/06 Bug 165: hide more cases of password exposure - this time in expansions
      in rewrites and routers.

JH/07 Retire gnutls_require_mac et.al.  These were nonfunctional since 4.80
      and logged a warning sing 4.83; now they are a configuration file error.

JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
      (lacking @domain).  Apply the same qualification processing as RCPT.

JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.

JH/10 Support ${sha256:} applied to a string (as well as the previous
      certificate).

JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
      a cutthrough deliver is pending, as we always want to make a connection.
      This also avoids re-routing the message when later placing the cutthrough
      connection after a verify cache hit.
      Do not update it with the verify result either.

JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
      when routing results in more than one destination address.

JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
      signing (which inhibits the cutthrough capability).  Previously only
      the presence of an option was tested; now an expansion evaluating as
      empty is permissible (obviously it should depend only on data available
      when the cutthrough connection is made).

JH/14 Fix logging of errors under PIPELINING.  Previously the log line giving
      the relevant preceding SMTP command did not note the pipelining mode.

JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
      Previously they were not counted.

JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
      as one having no matching records.  Previously we deferred the message
      that needed the lookup.

JH/17 Fakereject: previously logged as a norml message arrival "<="; now
      distinguished as "(=".

JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
      for missing MX records.  Previously it only worked for missing A records.

JH/19 Bug 1850: support Radius libraries that return REJECT_RC.

JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
      after the data-go-ahead and data-ack.  Patch from Jason Betts.

JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results,
      even for a "none" policy.  Patch from Tony Meyer.

JH/22 Fix continued use of a connection for further deliveries. If a port was
      specified by a router, it must also match for the delivery to be
      compatible.

JH/23 Bug 1874: fix continued use of a connection for further deliveries.
      When one of the recipients of a message was unsuitable for the connection
      (has no matching addresses), we lost track of needing to mark it
      deferred.  As a result mail would be lost.

JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.

JH/25 Decoding ACL controls is now done using a binary search; the source code
      takes up less space and should be simpler to maintain.  Merge the ACL
      condition decode tables also, with similar effect.

JH/26 Fix problem with one_time used on a redirect router which returned the
      parent address unchanged.  A retry would see the parent address marked as
      delivered, so not attempt the (identical) child.  As a result mail would
      be lost.

JH/27 Fix a possible security hole, wherein a process operating with the Exim
      UID can gain a root shell.  Credit to http://www.halfdog.net/ for
      discovery and writeup.  Ubuntu bug 1580454; no bug raised against Exim
      itself :(

JH/28 Enable {spool,log} filesystem space and inode checks as default.
      Main config options check_{log,spool}_{inodes,space} are now
      100 inodes, 10MB unless set otherwise in the configuration.

JH/29 Fix the connection_reject log selector to apply to the connect ACL.
      Previously it only applied to the main-section connection policy
      options.

JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.

PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
      by me.  Added RFC7919 DH primes as an alternative.

PP/02 Unbreak build via pkg-config with new hash support when crypto headers
      are not in the system include path.

JH/31 Fix longstanding bug with aborted TLS server connection handling.  Under
      GnuTLS, when a session startup failed (eg because the client disconnected)
      Exim did stdio operations after fclose.  This was exposed by a recent
      change which nulled out the file handle after the fclose.

JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
      signed directly by the cert-signing cert, rather than an intermediate
      OCSP-signing cert.  This is the model used by LetsEncrypt.

JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.

HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
      an incoming connection.

HS/02 Bug 1802: Do not half-close the connection after sending a request
      to rspamd.

HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
      fallback to "prime256v1".

JH/34 SECURITY: Use proper copy of DATA command in error message.
      Could leak key material.  Remotely explaoitable.  CVE-2016-9963.

ok wiz@

(wiedi)

+ ImageMagick-7.0.4.0, abcm2ps-8.13.2, ffmpeg2-2.8.10, global-6.5.6,
  graphviz-2.40.1, libgcrypt-1.7.5, libgpg-error-1.26, lighttpd-1.4.44,
  notmuch-0.23.4, p5-DBD-SQLite-1.54, p5-Scalar-List-Utils-1.47,
  p5-YAML-1.21, py-dulwich-0.16.0, py-hypothesis-3.6.1, py-idna-2.2,
  py-lxml-3.7.1, py-numpy-1.11.3, qemu-2.8.0, tor-0.2.9.8,
  unifont-9.0.06, x264-devel-20161224.

(wiz)