doc: Updated security/openssh to 9.5p1

(wiz)

openssh: update to 9.5p1.

pkgsrc change: enable fido2 support by default, to match NetBSD base.

Changes since OpenSSH 9.4
=========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes
--------------------------------

* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
  are very convenient due to their small size. Ed25519 keys are
  specified in RFC 8709 and OpenSSH has supported them since version 6.5
  (January 2014).

* sshd(8): the Subsystem directive now accurately preserves quoting of
  subsystem commands and arguments. This may change behaviour for exotic
  configurations, but the most common subsystem configuration
  (sftp-server) is unlikely to be affected.

New features
------------

* ssh(1): add keystroke timing obfuscation to the client. This attempts
  to hide inter-keystroke timings by sending interactive traffic at
  fixed intervals (default: every 20ms) when there is only a small
  amount of data being sent. It also sends fake "chaff" keystrokes for
  a random interval after the last real keystroke. These are
  controlled by a new ssh_config ObscureKeystrokeTiming keyword.

* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
  a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
  implement a ping capability. These messages use numbers in the "local
  extensions" number space and are advertised using a "ping@openssh.com"
  ext-info message with a string version number of "0".

* sshd(8): allow override of Subsystem directives in sshd Match blocks.

Bugfixes
--------

* scp(1): fix scp in SFTP mode recursive upload and download of
  directories that contain symlinks to other directories. In scp mode,
  the links would be followed, but in SFTP mode they were not. bz3611

* ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
  sshsig signature files.

* ssh(1): interactive mode for ControlPersist sessions if they
  originally requested a tty.

* sshd(8): make PerSourceMaxStartups first-match-wins

* sshd(8): limit artificial login delay to a reasonable maximum (5s)
  and don't delay at all for the "none" authentication mechanism.cw
    bz3602

* sshd(8): Log errors in kex_exchange_identification() with level
  verbose instead of error to reduce preauth log spam. All of those
  get logged with a more generic error message by sshpkt_fatal().

* sshd(8): correct math for ClientAliveInterval that caused the probes
    to be sent less frequently than configured.

* ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
  multiplexed sessions to ignore SIGINT under some circumstances.

Changes since OpenSSH 9.3p2
===========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes
--------------------------------

* This release removes support for older versions of libcrypto.
  OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
  Note that these versions are already deprecated by their upstream
  vendors.

* ssh-agent(1): PKCS#11 modules must now be specified by their full
  paths. Previously dlopen(3) could search for them in system
  library directories.

New features
------------

* ssh(1): allow forwarding Unix Domain sockets via ssh -W.

* ssh(1): add support for configuration tags to ssh(1).
  This adds a ssh_config(5) "Tag" directive and corresponding
  "Match tag" predicate that may be used to select blocks of
  configuration similar to the pf.conf(5) keywords of the same
  name.

* ssh(1): add a "match localnetwork" predicate. This allows matching
  on the addresses of available network interfaces and may be used to
  vary the effective client configuration based on network location.

* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
  extensions.  This defines wire formats for optional KRL extensions
  and implements parsing of the new submessages. No actual extensions
  are supported at this point.

* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
  accept two additional %-expansion sequences: %D which expands to
  the routing domain of the connected session and %C which expands
  to the addresses and port numbers for the source and destination
  of the connection.

* ssh-keygen(1): increase the default work factor (rounds) for the
  bcrypt KDF used to derive symmetric encryption keys for passphrase
  protected key files by 50%.

Bugfixes
--------

* ssh-agent(1): improve isolation between loaded PKCS#11 modules
  by running separate ssh-pkcs11-helpers for each loaded provider.

* ssh(1): make -f (fork after authentication) work correctly with
  multiplexed connections, including ControlPersist. bz3589 bz3589

* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
  just to network connections.

* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
  modules being loaded by checking that the requested module
  contains the required symbol before loading it.

* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
  appears before it in sshd_config. Since OpenSSH 8.7 the
  AuthorizedPrincipalsCommand directive was incorrectly ignored in
  this situation. bz3574

* sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
  signatures When the KRL format was originally defined, it included
  support for signing of KRL objects. However, the code to sign KRLs
  and verify KRL signatues was never completed in OpenSSH. This
  release removes the partially-implemented code to verify KRLs.
  All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
  KRL files.

* All: fix a number of memory leaks and unreachable/harmless integer
  overflows.

* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
  modules; GHPR406

* sshd(8), ssh(1): better validate CASignatureAlgorithms in
  ssh_config and sshd_config. Previously this directive would accept
  certificate algorithm names, but these were unusable in practice as
  OpenSSH does not support CA chains. bz3577

* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
  algorithms that are valid for CA signing. Previous behaviour was
  to list all signing algorithms, including certificate algorithms.

* ssh-keyscan(1): gracefully handle systems where rlimits or the
  maximum number of open files is larger than INT_MAX; bz3581

* ssh-keygen(1): fix "no comment" not showing on when running
  `ssh-keygen -l` on multiple keys where one has a comment and other
  following keys do not. bz3580

* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
  reorder requests. Previously, if the server reordered requests then
  the resultant file would be erroneously truncated.

* ssh(1): don't incorrectly disable hostname canonicalization when
  CanonicalizeHostname=yes and ProxyJump was expicitly set to
  "none". bz3567

* scp(1): when copying local->remote, check that the source file
  exists before opening an SFTP connection to the server. Based on
  GHPR#370

(wiz)

doc: Updated devel/git-cliff to 1.3.1nb1

(pin)

devel/git-cliff: remove patch

Fix build with new libgit2.

(pin)

doc: Updated editors/tp-note to 1.22.8

(pin)

editors/tp-note: update to 1.22.8

Viewer renderer: resolve shorthand links to their link text

* Viewer: When viewing documents, shortcut links are resolved to their title.
  For example: a shorthand link `tpnote:docs/20230513` that targets the file
  `docs/20230513-Animals.md` is shown as a hyperlink with the link text
  "Animals" in the browser.

* Viewer: hyperlinks with embedded images are now supported.

* The `.txtnote` renderer now parses inline images and hyperlinks with inline
  images.

(pin)

doc: Updated net/ipget to 0.10.0

(bsiegert)

ipget: update to 0.10.0

- bring in line with latest kubo, boxo, libp2p
- upgrade to Go 1.21

(bsiegert)

doc: Updated net/dhcpcd to 10.0.4

(roy)

Import dhcpcd-10.0.4 with the following changes:

* privsep: allow __NR_mmap2
* privsep: allow __NR_clock_gettime32
* compat/arc4random.c: use memset instead of explicit_bzero
* privsep: avoid SIGPIPE errors when scripts write to stderr/stdout
  after dhcpcd is daemonised

(roy)

doc: Updated filesystems/kubo to 0.23.0

(bsiegert)

kubo: update to 0.23.0

Now works with Go 1.21.

Changes:

Mplex deprecation
Gateway: meaningful CAR responses on Not Found errors
Gateway: added Gateway.DisableHTMLErrors configuration option
Trustless Gateway Over Libp2p Experiment
Removal of /quic (Draft 29) support
Better Caching of multiaddresses for providers in DHT servers
Fixed FUSE multiblock structures

(bsiegert)

cargo-c: try to mend libgit2 update fallout

(tnn)

doc: Added www/esbuild version 0.19.5

(bsiegert)

New package for esbuild, from wip

The main goal of the esbuild bundler project is to bring about a new era
of build tool performance, and create an easy-to-use modern bundler
along the way.

Major features:

* Extreme speed without needing a cache
* ES6 and CommonJS modules
* Tree shaking of ES6 modules
* An API for JavaScript and Go
* TypeScript and JSX syntax
* Source maps
* Minification
* Plugins

(bsiegert)

doc/TODO: + mold-2.3.

(wiz)

doc: pkg-vulnerabilities: add more for CVE-2023-44487

(wiz)

doc: Updated devel/libgit2 to 1.7.1

(wiz)

libgit2: update to 1.7.1.

1.7.1

Bug fixes

    proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
    ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
    repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
    fix: Add missing include for oidarray. by @dvzrv in #6608
    Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619

Compatibility improvements

    stransport: macOS: replace errSSLNetworkTimeout, with hard-coded value by @mascguy in #6610

1.7.0

This is release v1.7.0, "Kleine Raupe Nimmersatt". This release
adds shallow clone support, completes the experimental SHA256
support, adds Schannel support for Windows, and includes many other
new features and bugfixes.

(wiz)

doc: Updated shells/oh-my-posh to 18.15.0

(pin)

shells/oh-my-posh: update to 18.15.0

Features
- nu: transient prompt (1bde6f9)

(pin)

xymonclient: fix packaging so it reflects PKGREVISION values

Direct setting of PKGVERSION was confusing the tooling at points so it
did not reflect that a PKGREVISION value was set. Fix this by setting
the version in DISTNAME and making a substition in PKGNAME instead.
Addresses PR pkg/57668 from Jason White.

(gutteridge)

firefox: 118 requires nss>=3.93

(gutteridge)

nextcloud26: Drop stray p prefixing php in PKGNAME

(gdt)

doc: Updated x11/lxqt-panel to 1.3.0nb5

(bacon)

x11/lxqt-panel: Enable pulseaudio by default on NetBSD

Prevents crashes on NetBSD 10-BETA

(bacon)

TODO: c4 no longer in pkgsrc tree

(triaxx)

Updated graphics/libjpeg-turbo, emulators/qemu

(adam)

qemu: updated to 8.1.2

8.1.2
Bug fixes

(adam)

libjpeg-turbo: updated to 3.0.1

3.0.1

The x86-64 SIMD functions now use a standard stack frame, prologue, and epilogue so that debuggers and profilers can reliably capture backtraces from within the functions.

Fixed two minor issues in the interblock smoothing algorithm that caused mathematical (but not necessarily perceptible) edge block errors when decompressing progressive JPEG images exactly two MCU blocks in width or that use vertical chrominance subsampling.

Fixed a regression introduced by 3.0 beta2[6] that, in rare cases, caused the C Huffman encoder (which is not used by default on x86 and Arm CPUs) to generate incorrect results if the Neon SIMD extensions were explicitly disabled at build time (by setting the WITH_SIMD CMake variable to 0) in an AArch64 build of libjpeg-turbo.

(adam)

Updated security/pcsc-tools, devel/py-test-datadir

(adam)

py-test-datadir: updated to 1.5.0

1.5.0 (2023-10-02)
- Added support for Python 3.11 and 3.12.
- Dropped support for Python 3.7.
- Fix handling of UNC paths on Windows

(adam)

pcsc-tools: updated to 1.7.0

1.7.0
Fix make distclean
Do not fail if the po/*.gmo files do not exist.
11 new ATRs
Update pcsc_scan manpage
Document -c, -d and -p arguments
configure: do not fail if gettext is not found
If gettext is not installed then just do not use it.

(adam)

doc: Updated biology/bowtie2 to 2.5.2

(bacon)

biology/bowtie2: Update to 2.5.2

Numerous bug fixes and enhancements since 2.4.4
Changes: https://github.com/BenLangmead/bowtie2/releases

(bacon)

Updated lang/py-mypy, databases/redis

(adam)

redis: updated to 7.2.2

Redis 7.2.2
===========

Upgrade urgency SECURITY: See security fixes below.

Security fixes
==============

* (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
  race condition that can be used by another process to bypass desired Unix
  socket permissions on startup.

Platform / toolchain support related changes
=================================================

* Fix compilation error on MacOS 13

Bug fixes
=========

* WAITAOF could timeout in the absence of write traffic in case a new AOF is
  created and an AOF rewrite can't immediately start

Redis cluster
=============

* Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
  nodes
* Fix the return type of the slot number in cluster shards to integer, which
  makes it consistent with past behavior
* Fix CLUSTER commands are called from modules or scripts to return TLS info
  appropriately

Changes in CLI tools
====================

* redis-cli, fix crash on reconnect when in SUBSCRIBE mode

Module API changes
==================

* Fix overflow calculation for next timer event

(adam)

py-mypy: updated to 1.6.1

Mypy 1.6

This release includes new features, performance improvements and bug fixes.

(adam)

Updated devel/memcached, sysutils/py-psutil, devel/py-uvloop, devel/py-anyio

(adam)

py-anyio: updated to 4.0.0

**4.0.0**

- **BACKWARDS INCOMPATIBLE** Replaced AnyIO's own ``ExceptionGroup`` class with the PEP
  654 ``BaseExceptionGroup`` and ``ExceptionGroup``
- **BACKWARDS INCOMPATIBLE** Changes to cancellation semantics:

  - Any exceptions raising out of a task groups are now nested inside an
    ``ExceptionGroup`` (or ``BaseExceptionGroup`` if one or more ``BaseException`` were
    included)
  - Fixed task group not raising a cancellation exception on asyncio at exit if no child
    tasks were spawned and an outer cancellation scope had been cancelled before
  - Ensured that exiting a ``TaskGroup`` always hits a yield point, regardless of
    whether there are running child tasks to be waited on
  - On asyncio, cancel scopes will defer cancelling tasks that are scheduled to resume
    with a finished future
  - On asyncio and Python 3.9/3.10, cancel scopes now only suppress cancellation
    exceptions if the cancel message matches the scope
  - Task groups on all backends now raise a single cancellation exception when an outer
    cancel scope is cancelled, and no exceptions other than cancellation exceptions are
    raised in the group
- **BACKWARDS INCOMPATIBLE** Changes the pytest plugin to run all tests and fixtures in
  the same task, allowing fixtures to set context variables for tests and other fixtures
- **BACKWARDS INCOMPATIBLE** Changed ``anyio.Path.relative_to()`` and
  ``anyio.Path.is_relative_to()`` to only accept one argument, as passing multiple
  arguments is deprecated as of Python 3.12
- **BACKWARDS INCOMPATIBLE** Dropped support for spawning tasks from old-style coroutine
  functions (``@asyncio.coroutine``)
- **BACKWARDS INCOMPATIBLE** The ``policy`` option on the ``asyncio`` backend was
  changed to ``loop_factory`` to accommodate ``asyncio.Runner``
- Changed ``anyio.run()`` to use ``asyncio.Runner`` (or a back-ported version of it on
  Pythons older than 3.11) on the ``asyncio`` backend
- Dropped support for Python 3.7
- Added support for Python 3.12
- Bumped minimum version of trio to v0.22
- Added the ``anyio.Path.is_junction()`` and ``anyio.Path.walk()`` methods
- Added ``create_unix_datagram_socket`` and ``create_connected_unix_datagram_socket`` to
  create UNIX datagram sockets (PR by Jean Hominal)
- Fixed ``from_thread.run`` and ``from_thread.run_sync`` not setting sniffio on asyncio.
  As a result:

  - Fixed ``from_thread.run_sync`` failing when used to call sniffio-dependent functions
    on asyncio
  - Fixed ``from_thread.run`` failing when used to call sniffio-dependent functions on
    asyncio from a thread running trio or curio
  - Fixed deadlock when using ``from_thread.start_blocking_portal(backend="asyncio")``
    in a thread running trio or curio (PR by Ganden Schaffner)
- Improved type annotations:

  - The ``item_type`` argument of ``create_memory_object_stream`` was deprecated.
    To indicate the item type handled by the stream, use
    ``create_memory_object_stream[T_Item]()`` instead. Type checking should no longer
    fail when annotating memory object streams with uninstantiable item types (PR by
    Ganden Schaffner)
- Added the ``CancelScope.cancelled_caught`` property which tells users if the cancel
  scope suppressed a cancellation exception
- Fixed ``fail_after()`` raising an unwarranted ``TimeoutError`` when the cancel scope
  was cancelled before reaching its deadline
- Fixed ``MemoryObjectReceiveStream.receive()`` causing the receiving task on asyncio to
  remain in a cancelled state if the operation was cancelled after an item was queued to
  be received by the task (but before the task could actually receive the item)
- Fixed ``TaskGroup.start()`` on asyncio not responding to cancellation from the outside
- Fixed tasks started from ``BlockingPortal`` not notifying synchronous listeners
  (``concurrent.futures.wait()``) when they're cancelled
- Removed unnecessary extra waiting cycle in ``Event.wait()`` on asyncio in the case
  where the event was not yet set
- Fixed processes spawned by ``anyio.to_process()`` being "lost" as unusable to the
  process pool when processes that have idled over 5 minutes are pruned at part of the
  ``to_process.run_sync()`` call, leading to increased memory consumption

(adam)

py-uvloop: updated to 0.18.0

v0.18.0

Fixes

CI fixes
Make extract_stack resilient to lacking frames.
Port uvloop to Python 3.12

(adam)

py-psutil: updated to 5.9.6

5.9.6
=====

2023-10-14

**Enhancements**

- 1703_: `cpu_percent()`_ and `cpu_times_percent()`_ are now thread safe,
  meaning they can be called from different threads and still return
  meaningful and independent results. Before, if (say) 10 threads called
  ``cpu_percent(interval=None)`` at the same time, only 1 thread out of 10
  would get the right result.
- 2266_: if `Process`_ class is passed a very high PID, raise `NoSuchProcess`_
  instead of OverflowError.  (patch by Xuehai Pan)
- 2246_: drop python 3.4 & 3.5 support.  (patch by Matthieu Darbois)
- 2290_: PID reuse is now pre-emptively checked for `Process.ppid()`_  and
  `Process.parents()`_.
- 2312_: use ``ruff`` Python linter instead of ``flake8 + isort``. It's an
  order of magnitude faster + it adds a ton of new code quality checks.

**Bug fixes**

- 2195_, [Linux]: no longer print exception at import time in case /proc/stat
  can't be read due to permission error. Redirect it to ``PSUTIL_DEBUG``
  instead.
- 2241_, [NetBSD]: can't compile On NetBSD 10.99.3/amd64.  (patch by Thomas
  Klausner)
- 2245_, [Windows]: fix var unbound error on possibly in `swap_memory()`_
  (patch by student_2333)
- 2268_: ``bytes2human()`` utility function was unable to properly represent
  negative values.
- 2252_, [Windows]: `disk_usage()`_ fails on Python 3.12+.  (patch by
  Matthieu Darbois)
- 2284_, [Linux]: `Process.memory_full_info()`_ may incorrectly raise
  `ZombieProcess`_ if it's determined via ``/proc/pid/smaps_rollup``. Instead
  we now fallback on reading ``/proc/pid/smaps``.
- 2287_, [OpenBSD], [NetBSD]: `Process.is_running()`_ erroneously return
  ``False`` for zombie processes, because creation time cannot be determined.
- 2288_, [Linux]: correctly raise `ZombieProcess`_ on `Process.exe()`_,
  `Process.cmdline()`_ and `Process.memory_maps()`_ instead of returning a
  "null" value.
- 2290_: differently from what stated in the doc, PID reuse is not
  pre-emptively checked for `Process.nice()`_ (set), `Process.ionice()`_,
  (set), `Process.cpu_affinity()`_ (set), `Process.rlimit()`_
  (set), `Process.parent()`_.
- 2308_, [OpenBSD]: `Process.threads()`_ always fail with AccessDenied (also as
  root).

(adam)

mk/compiler: Improve clang CC_VERSION setting.

Use -dumpversion, supported in all modern versions, rather than digging out the
version with sed.  Allow CC_VERSION to be preset by the user, and set the
obsolete CC_VERSION_STRING variable to be the same as CC_VERSION rather than
setting it to the verbose version output.

Default to "clang-0" rather than just "clang" if CCPATH is not available so
that matching elsewhere can be more uniform.

With CC_VERSION preset this improves speed of 'make pbulk-index' in simple
packages by around 30%, and reduces system time by 50%.

(jperkin)

memcached: updated to 1.6.22

Memcached 1.6.22

Contains important security fixes for users of the proxy, please upgrade at your earliest convenience. This does not affect you unless you build with --enable-proxy and enable the proxy at start time.

Contains many fixes and optimizations foe the proxy subsystem, along with a few small fixes to various things.

(adam)

Updated www/py-urllib3, textproc/py-black, net/py-unearth, graphics/py-pillow_heif

(adam)

py-pillow_heif: updated to 0.13.1

0.13.1

Added

- Returned `PyPy 3.8` wheels.

Changed

- Linux: `libaom` updated to `3.6.1`, `musllinux` builds switched to `musllinux_1_2` tag.

Fixed

- When building from source, the installer additionally searches for `libheif` using `pkg-config`.

(adam)

py-unearth: updated to 0.11.2

0.11.2

Bug Fixes
security: Validate the package name extracted from the part before the last hyphen

(adam)

py-black: updated to 23.10.0

23.10.0

Stable style

- Fix comments getting removed from inside parenthesized strings

Preview style

- Fix long lines with power operators getting split before the line length
- Long type hints are now wrapped in parentheses and properly indented when split across
multiple lines
- Magic trailing commas are now respected in return types.
- Require one empty line after module-level docstrings.
- Treat raw triple-quoted strings as docstrings

Configuration

- Fix cache versioning logic when `BLACK_CACHE_DIR` is set

Parser

- Fix bug where attributes named `type` were not acccepted inside `match` statements

- Add support for PEP 695 type aliases containing lambdas and other unusual expressions

Output

- Black no longer attempts to provide special errors for attempting to format Python 2
code
- Black will more consistently print stacktraces on internal errors in verbose mode

Integrations

- The action output displayed in the job summary is now wrapped in Markdown

(adam)

py-urllib3: updated to 2.0.7

2.0.7 (2023-10-17)
* Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

(adam)

doc: Updated shells/nushell to 0.86.0

(pin)

shells/nushell: update to 0.86.0

Learn more about this release and changes at https://www.nushell.sh/blog/2023-10-17-nushell_0_86.html

The ChangeLog is too long to reproduce here.

(pin)

dbus: remove reference to MESSAGE.rcd to fix build

(wiz)

doc: Updated security/chkrootkit to 0.58b

(triaxx)

chkrootkit: Update to 0.58b

pkgsrc changes:
---------------
  * Update to latest release.
  * Update MASTER_SITES.

upstream changes:
-----------------
10/13/2016 - Version 0.51 Mumblehard backdoor/botnet detection
  Linux.Xor.DDoS Malware
  Malicious TinyDNS detection
  Backdoors.Linux.Mokes.a detection
  Minor bug fixes

13/03/2017 - Version 0.52 Linux.Proxy.10 detection
  strings.c & chkutmp.c bug fixes

01/25/2019 - Version 0.53 Rocke Monero Miner detection
  Added ss support
  ifconfig.c bug fixes
  Minor bug fixes

12/24/2020 - Version 0.54 PWNLNX4 and 6 Rootkits detection
  BTRFS bug fix
  Fedora bug fix
  Bug fix release

06/10/2021 - Version 0.55 Umbreon Linux Rootkit detection
  Kinsing.A Backdoor
  RotaJakito Backdoor
  Minor bug fixes

12/22/2022 - Version 0.56 Kovid rootkit
  Syslogk rootkit
  Minor bug fixes

01/13/2023 - Version 0.57 bug fix release

06/29/2023 - Version 0.58
  New option to avoid scanning network filesystems (-T)
  Linux BPFDoor Malware
  Minor buf fixes

(triaxx)

procmail: Drop MESSAGE

The contents of MESSAGE are in the man page.

(gdt)

Updated security/crudesaml to 1.11

This release works around a memory management problem in libgobject that
caused the process to crash in liblasso after pam_saml.so had been
unloaded and reloaded.

The fix is to link pam_saml.so with -z nodelete so that it is never
unloaded. A configure test checks that this option does not choke
a non GNU loader, and avoids using it if it does.

(manu)

doc: Updated textproc/py-cmudict to 1.0.15

(gutteridge)

py-cmudict: update to 1.0.15

(1.0.13 and 1.0.15 have no relevant changes for consumers of this
package, only 1.0.14 is useful: an underlying update of the CMU
dictionary content itself.)

## v1.0.14 (2023-10-13)

### Fix

- **deps**: bump src/cmudict/data from `697cd89` to `7cd8fb5` (#35)

(gutteridge)

doc: Update mail/roundcube and related packages to 1.6.4

mail/roundcube
mail/roundcube-plugin-enigma
mail/roundcube-plugin-password
mail/roundcube-plugin-zipdownload

(taca)

mail/roundcube: update to 1.6.4

1.6.4 (2023-10-16)

Security update.

- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest
  extension is not enabled (#9139)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in
  HTML messages (#9168)

(taca)

Removed sysutils/xenkernel413
Removed sysutils/xentools413

(bouyer)

As planned remove xenkernel413 and xentools413. EOL'ed upstream

(bouyer)

doc: update exim fixed version for remaining 2 of the CVEs in
https://exim.org/static/doc/security/CVE-2023-zdi.txt

(prlw1)

doc: Updated devel/cargo-modules to 0.10.0

(pin)

devel/cargo-modules: update to 0.10.0

[0.10.0] - 2023-10-12
Added
- Added support for type and trait aliases.
- Added support for extracting "uses" edges for a type's field dependencies.

Changed
- Refactored project, giving each generate command its own independent
  implementation
- Refactored and simplified orphan detection logic
- Updated dependencies:
    - insta from 1.33.0 to 1.34.0
    - proc-macro2 from 1.0.67 to 1.0.69
    - rust-analyzer from 0.0.177 to 0.0.178

Removed
- Support for --orphans/--no-orphans for generate graph command

(pin)

doc: Updated shells/oh-my-posh to 18.14.0

(pin)

shells/oh-my-posh: update to 18.14.0

Bug Fixes
- git: do not convert path when using native_fallback in WSL (0cfe9a7)

Features
- shell: allow user to specify the cache path with OMP_CACHE_DIR (e15a797),
  closes #4321

(pin)

libatomic: tweak USE_LANGUAGES (USE_CC_FEATURES in use already)

(gutteridge)

doc: Updated devel/libatomic to 13.2.0

(gutteridge)

libatomic: update to 13.2.0

This has one libatomic-related change:
104338 RISC-V: Subword atomics result in library calls

(gutteridge)

libatomic: fix aarch64 builds on NetBSD 9.x

For aarch64, GCC expects a recent version of itself that accepts
-mno-outline-atomics. Some packages pull in libatomic for aarch64,
e.g., net/haproxy for __atomic_compare_exchange_16. (haproxy was
compile tested after applying this fix.)

(gutteridge)

py-cython: correct grammar in a comment

(gutteridge)

doc: Updated meta-pkgs/xfce4 to 4.18.1nb1

(gutteridge)

xfce4: bump for xfce4-terminal 1.1.1

(gutteridge)

doc: Updated x11/xfce4-terminal to 1.1.1

(gutteridge)

xfce4-terminal: update to 1.1.1

Change log:

1.1.1 (2023-10-14)
=====
- build: Simplify and clarify X11/Wayland distinction
- Fix xfce_titled_dialog_create_action_area() deprecation
- build: Define our own windowing macro instead of extending GDK's
- wayland: Fix drop-down keep-above for non-prefs dialogs
- wayland: Fix drop-down terminal keep-above
- wayland: Fix window activation
- wayland: Fix drop-down terminal positioning (Fixes #141)
- wayland: Fix new window size
- Replace XDT_CHECK_LIBX11 and use HAVE_LIBX11 when appropriate
- Use the same windowing environment test everywhere
- Fix build when X11 is disabled
- drop-down: Make settings easier to understand
- drop-down: Fix allocation warnings
- Apply 7 suggestion(s) to 2 file(s)
- Save and restore terminal window workspace in X11 session
- doc: Remove reference to terminalrc
- app: Put GtkSettings:gtk-menu-bar-accel overwrite back in place
- Translation Updates:
  Albanian, Bulgarian, Catalan, Chinese (China), Chinese (Taiwan),
  Czech, Danish, Dutch, English (United Kingdom), Estonian, French,
  German, Greek, Hebrew, Indonesian, Italian, Japanese, Kazakh, Korean,
  Lithuanian, Norwegian Bokm奪l, Persian (Iran), Polish, Portuguese,
  Portuguese (Brazil), Russian, Serbian, Slovak, Slovenian, Spanish,
  Swedish, Turkish, Ukrainian

(gutteridge)

doc: Updated devel/goredo to 2.2.0

(schmonz)

goredo: update to 2.2.0. From the changelog:

* Prefix target's output lines with the name of the target.

(schmonz)

lintpkgsrc, regress: update references to pkglint files

The source code of pkglint is no longer stored in pkgsrc itself.

(rillig)

lintpkgsrc: fix typo in usage message

(rillig)

doc: Updated security/chkrootkit to 0.50nb2

(triaxx)

chkrootkit: Fix build on Darwin

(triaxx)

git-base: Drop MESSAGE

It merely suggests that if you want to do something not part of basic
git that you install the not-confusingly-named git-foo for that kind
of foo.

(gdt)

Updated graphics/libimagequant, graphics/py-Pillow

(adam)

py-Pillow: updated to 10.1.0

10.1.0 (2023-10-15)

- Added TrueType default font to allow for different sizes
- Fixed invalid argument warning
- Added ImageOps cover method
- Catch struct.error from truncated EXIF when reading JPEG DPI
- Consider default image when selecting mode for PNG save_all
- Support BGR;15, BGR;16 and BGR;24 access, unpacking and putdata
- Added CMYK to RGB unpacker
- Improved flexibility of XMP parsing
- Support reading 8-bit YCbCr TIFF images
- Allow saving I;16B images as PNG
- Corrected drawing I;16 points and writing I;16 text
- Set blue channel to 128 for BC5S
- Increase flexibility when reading IPTC fields
- Set C palette to be empty by default
- Added gs_binary to control Ghostscript use on all platforms
- Read bounding box information from the trailer of EPS files if specified
- Added reading 8-bit color DDS images
- Added has_transparency_data
- Fixed bug when reading BC5S DDS images
- Prevent TIFF orientation from being applied more than once
- Use previous pixel alpha for QOI_OP_RGB
- Added BC5U reading
- Allow getpixel() to accept a list
- Allow GaussianBlur and BoxBlur to accept a sequence of x and y radii
- Expand JPEG buffer size when saving optimized or progressive
- Added session type check for Linux in ImageGrab.grabclipboard()
- Allow "loop=None" when saving GIF images
- Fixed transparency when saving P mode images to PDF
- Added saving LA images as PDFs
- Set SMaskInData to 1 for PDFs with alpha
- Changed Image mode property to be read-only by default
- Silence exceptions in _repr_jpeg_ and _repr_png_
- Do not use transparency when saving GIF if it has been removed when normalizing mode
- Fix missing symbols when libtiff depends on libjpeg

(adam)

libimagequant: updated to 4.2.2

4.2.2
Bug fixes

(adam)

Updated www/nghttp3, net/ngtcp2, lang/nodejs, lang/nodejs18

(adam)

nodejs18: updated to 18.18.2

Version 18.18.2 'Hydrogen' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-44487: `nghttp2` Security Release (High)
* CVE-2023-45143: `undici` Security Release (High)
* CVE-2023-38552:  Integrity checks according to policies can be circumvented (Medium)
* CVE-2023-39333: Code injection via WebAssembly export names (Low)

(adam)

nodejs: updated to 20.8.1

Version 20.8.1 (Current)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)

(adam)

ngtcp2: updated to 1.0.0

Simplify std::unique_ptr get and release
Fix assertion failure
Reset ppe pending state explicitly
Print a correct program name after usage
Rename all occurrences of bbr2 to bbrv2
Fix compile error with libressl
Add dependabot to update actions
Bump actions/checkout from 3 to 4
Bump docker/login-action from 2 to 3
Bump docker/setup-buildx-action from 2 to 3
Bump docker/build-push-action from 4 to 5
docker: Bump base image to debian 12
Add release script
qlog: Support STREAMS_BLOCKED frame
qlog: Add missing stream_id to stream_data_blocked
Add tests for ngtcp2_qlog_write_frame
Merge ngtcp2_crypto into ngtcp2_stream
Bump quictls
Bbrv2 tweak
Support latest bbr only
Add log event filter
Add NGTCP2_LOG_EVENT_CC
Simplify *pfrc == NULL and rv != NGTCP2_ERR_NOBUF conditions
Simplify ngtcp2_vec_merge
Log event cc fix
ngtcp2_crypto_verify_retry_token: Return -1 if cil validation fails
Rename NGTCP2_LOG_EVENT_RCV to NGTCP2_LOG_EVENT_LDC
Shutdown stream between write stream calls
Fix assertion failure
Fix missing prefix for AF_INET macros in ngtcp2_crypto.c
Rework how network families are defined with generic sock addr
Refactor path validation
Write MAX_STREAMS after RESET_STREAM as the original comment suggests
Send RESET_STREAM if stream is reset by client
Bump quictls to 3.1.3
Bump boringssl
Bump picotls
Not early anymore
Fix uninitialized variables
Check return values from openssl functions
cmake: speed up warning option detection
cmake: delete unused detections, add missing #defines
Update examples/.gitignore
cmake: Enable werror
Require nghttp3 v1.0.0

(adam)

nghttp3: updated to 1.0.0

nghttp3 v1.0.0

Add dependabot to update actions
Bump actions/checkout from 3 to 4
Add release script
cmake: speed up warning option detection
cmake: delete unused detections, add missing #define
Replace the deprecated std::result_of with std::invoke_result
Use sphinx_rtd_theme
Remove ExtractValidFlags as we did in ngtcp2
cmake: Enable werror

(adam)

doc: Updated archivers/innoextract to 1.9nb8

(triaxx)

innoextract: Use devel/cmake/build.mk instead

(triaxx)

doc: fix tiff version number

(wiz)

tiff: reset PKGREVISION after update

(wiz)

doc: Updated graphics/tiff to 4.6.0nb1

(gdt)

graphics/tiff: Update to 4.6.0

Following upstream guidance, tools that are no longer supported are
not built by the package.  As raised on tech-pkg on October 2, with no
objections or even comments.

Upstream NEWS content:

This version removes a big number of utilities that have suffered from
lack of maintenance over the years and were the source of various
reported security issues. See "Removed functionality" below for the
list of removed utilities. Starting with libtiff v4.6.0, the source
code for most TIFF tools (except tiffinfo, tiffdump, tiffcp and
tiffset) was discontinued, due to the lack of contributors able to
address reported security issues. tiff2ps and tiff2pdf source code has
been moved in a unsupported category, no longer built by default, but
are still part of the the source distribution. Other retired utilities
are in a archive/ directory, only available in the libtiff git
repository. Issues related to unsupported and archived tools will no
longer be accepted in the libtiff bug tracker.

The usual bugfixes.

(gdt)

doc: Updated mail/exim to 4.96.2

(prlw1)

Update exim to 4.96.2

Security fixes:

JH/01 Bug 3033: Harden dnsdb lookups against crafted DNS responses.
      CVE-2023-42219

HS/01 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031)

(prlw1)

abiword: Fix linking errors

(ryoon)

audio: Enable festival-freebsoft-utils

(ryoon)

doc: Added audio/festival-freebsoft-utils version 0.10

(ryoon)