
2016-07-02 13:53:04 UTC pkgsrc-2016Q1

Pullup tickets #5042, #5049, #5050, #5051, #5052.

(bsiegert)

2016-06-28 19:38:32 UTC pkgsrc-2016Q1

Pullup ticket #5052 - requested by taca
lang/php70: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.141
- lang/php70/Makefile                                          1.4
- lang/php70/Makefile.php                                      1.2
- lang/php70/distinfo                                          1.14

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jun 24 15:27:57 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php70: Makefile Makefile.php distinfo

  Log Message:
  Update php70 to 7.0.8 (PHP 7.0.8), including security fixes.

  pkgsrc change:
  * remove configure from SUBST_FILES.path.
  * Remove --with-regex=system and --without-mysql from CONFIGURE_ARGS.
  * Add --without-mysqli to CONFIGURE_ARGS.

  23 Jun 2016 PHP 7.0.8

  - Core:
    . Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes).
      (Esminis at esminis dot lt)
    . Fixed bug #72221 (segfault, past-the-end access). (Lauri Kenttä)
    . Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
    . Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
      json_utf8_to_utf16()). (Stas)
    . Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
    . Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)

  - FPM:
    . Fixed bug #72308 (fastcgi_finish_request and logging environment
      variables). (Laruence)

  - GD:
    . Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
    . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
    . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
      heap overflow). (Pierre)
    . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)

  - Intl:
    . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)

  - mbstring:
    . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)

  - mcrypt:
      . Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)

  - PCRE:
    . Fixed bug #72143 (preg_replace uses int instead of size_t). (Joe)

  - PDO_pgsql:
    . Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound).
      (Laruence)
    . Fixed bug #72294 (Segmentation fault/invalid pointer in connection
      with pgsql_stmt_dtor). (Anatol)

  - Phpdbg:
    . Fixed bug #72284 (phpdbg fatal errors with coverage). (Bob)

  - Postgres:
    . Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free). (Laruence)
    . Fixed bug #72197 (pg_lo_create arbitrary read). (Anatol)

  - SPL:
    . Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
    . Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
      unserialize). (Dmitry)

  - Standard:
    . Fixed bug #72017 (range() with float step produces unexpected result).
      (Thomas Punt)
    . Fixed bug #72193 (dns_get_record returns array containing elements of
      type 'unknown'). (Laruence)
    . Fixed bug #72229 (Wrong reference when serialize/unserialize an object).
      (Laruence)
    . Fixed bug #72300 (ignore_user_abort(false) has no effect). (Laruence)

  - XML:
    . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)

  - XMLRPC:
    . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
      (Joe, Laruence)

  - WDDX:
    . Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (Stas)

  - Zip:
    . Fixed bug #72258 (ZipArchive converts filenames to unrecoverable form).
      (Anatol)
    . Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
      algorithm and unserialize). (Dmitry)

(bsiegert)

2016-06-28 19:37:34 UTC pkgsrc-2016Q1

Pullup ticket #5051 - requested by taca
lang/php56: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.140
- lang/php56/Makefile                                          1.12
- lang/php56/distinfo                                          1.28

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jun 24 15:25:21 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php56: Makefile distinfo

  Log Message:
  Update php56 to 5.6.23 (PHP 5.6.23), including security fixes.

  pkgsrc change: remove configure from SUBST_FILES.path.

  23 Jun 2016, PHP 5.6.23

  - Core:
    . Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
      json_utf8_to_utf16()). (Stas)
    . Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
    . Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)

  - GD:
    . Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
    . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
    . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
      heap overflow). (Pierre)
    . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
    . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
      in heap overflow). (Pierre)

  - Intl:
    . Fixed bug #70484 (selectordinal doesn't work with named parameters).
      (Anatol)

  - mbstring:
      . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)

  - mcrypt:
      . Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)

  - Phar:
    . Fixed bug #72321 (invalid free in phar_extract_file()).
      (hji at dyntopia dot com)

  - SPL:
    . Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
    . Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
      unserialize). (Dmitry)

  - OpenSSL:
    . Fixed bug #72140 (segfault after calling ERR_free_strings()).
      (Jakub Zelenka)

  - WDDX:
    . Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (Stas)

  - zip:
    . Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
      algorithm and unserialize). (Dmitry)

(bsiegert)

2016-06-28 19:35:58 UTC pkgsrc-2016Q1

Pullup ticket #5050 - requested by taca
lang/php55: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.139
- lang/php55/Makefile                                          1.27
- lang/php55/distinfo                                          1.54

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jun 24 15:23:00 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php55: Makefile distinfo

  Log Message:
  Update php55 to 5.5.37 (PHP 5.5.37), including security fixes.

  pkgsrc change: remove configure from SUBST_FILES.path.

  23 Jun 2016, PHP 5.5.37

  - Core:
    . Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
    . Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
      json_utf8_to_utf16()). (Stas)
    . Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
    . Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)

  - GD:
    . Fixed bug #66387 (Stack overflow with imagefilltoborder) (CVE-2015-8874).
      (cmb)
    . Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
    . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
      heap overflow). (Pierre)
    . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
    . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
      in heap overflow). (Pierre)

  - mbstring:
      . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)

  - mcrypt:
      . Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)

  - SPL:
    . Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
    . Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
      unserialize). (Dmitry)

  - WDDX:
    . Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (Stas)

  - zip:
    . Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
      algorithm and unserialize). (Dmitry)

(bsiegert)

2016-06-28 19:32:52 UTC pkgsrc-2016Q1

Pullup ticket #5049 - requested by taca
graphics/optipng: security fix

Revisions pulled up:
- graphics/optipng/Makefile                                    1.33
- graphics/optipng/distinfo                                    1.29
- graphics/optipng/patches/patch-src_optipng_osys.c            deleted

---
  Module Name: pkgsrc
  Committed By: adam
  Date: Fri Jun 17 14:03:10 UTC 2016

  Modified Files:
  pkgsrc/graphics/optipng: Makefile distinfo
  Removed Files:
  pkgsrc/graphics/optipng/patches: patch-src_optipng_osys.c

  Log Message:
  Version 0.7.6
  -------------
    * Upgraded libpng to version 1.6.21.
    ! Fixed an assertion failure in the image reduction code.
  !! Fixed various security-sensitive defects in the BMP decoder.
    ! Fixed a benign uninitialized memory read in the GIF decoder.
    ! Fixed a build failure occurring under the Estonian (et_EE) locale.
    ! Fixed a build failure occurring on Mac OS X, FreeBSD, and possibly
      other systems that lack POSIX-compliant high-resolution timestamps.
    ! Fixed a typo causing build failures in 32-bit ANSI C compilation.

(bsiegert)

2016-06-28 19:24:41 UTC pkgsrc-2016Q1

Pullup ticket #5047 - requested by sevan
multimedia/adobe-flash-plugin: security fix

Revisions pulled up:
- multimedia/adobe-flash-plugin11/Makefile                      1.61
- multimedia/adobe-flash-plugin11/distinfo                      1.58

---
  Module Name:    pkgsrc
  Committed By:  tsutsui
  Date:          Thu Jun 16 16:30:06 UTC 2016

  Modified Files:
          pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo

  Log Message:
  Update adobe-flash-plugin11 to 11.2.202.626.

  Upstream announcement:

    https://helpx.adobe.com/security/products/flash-player/apsb16-18.html

  Adobe Security Bulletin

  Security updates available for Adobe Flash Player

  Release date: June 16, 2016

  Vulnerability identifier: APSB16-18

  CVE number: CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125,
    CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131,
    CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136,
    CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141,
    CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146,
    CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151,
    CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156,
    CVE-2016-4166, CVE-2016-4171

  Platform: Windows, Macintosh, Linux and ChromeOS

(bsiegert)

2016-06-28 18:59:07 UTC pkgsrc-2016Q1

Pullup ticket #5042 - requested by joerg
lang/php70: build fix

Revisions pulled up:
- lang/php70/distinfo                                          1.13
- lang/php70/patches/patch-sapi_cli_Makefile.frag              1.3

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Tue Jun  7 19:23:50 UTC 2016

  Modified Files:
  pkgsrc/lang/php70: distinfo
  pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag

  Log Message:
  Unbreak unprivileged build. Actually test for executable.

(bsiegert)

2016-06-25 19:49:01 UTC pkgsrc-2016Q1

2016-06-25 19:48:46 UTC pkgsrc-2016Q1

Pullup ticket #5046 - requested by taca
www/drupal7: security fix

Revisions pulled up:
- www/drupal7/Makefile                                          1.39
- www/drupal7/distinfo                                          1.30

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 16 23:20:16 UTC 2016

  Modified Files:
  pkgsrc/www/drupal7: Makefile distinfo

  Log Message:
  Update drupal7 to 7.44 (Drupal 7.44).

  Drupal 7.44, 2016-06-15
  -----------------------
  - Fixed security issues (privilege escalation). See SA-CORE-2016-002.

(bsiegert)

2016-06-19 17:03:47 UTC pkgsrc-2016Q1

2016-06-19 17:03:04 UTC pkgsrc-2016Q1

Pullup ticket #5043 - requested by jperkin
multimedia/xine-lib: dependency fix

Revisions pulled up:
- multimedia/xine-lib/Makefile                                  1.140
- multimedia/xine-lib/PLIST.common                              1.39
- multimedia/xine-lib/options.mk                                1.1-1.2

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: jperkin
  Date: Tue Apr 19 10:41:14 UTC 2016

  Modified Files:
  pkgsrc/multimedia/xine-lib: Makefile
  Added Files:
  pkgsrc/multimedia/xine-lib: options.mk

  Log Message:
  Remove dependency on audio/faac (appears unused) and move audio/libdca
  dependency to options.mk, defaulting to disabled.  Both these packages
  are marked NO_BIN_ON_* so xine-lib couldn't previously be distributed
  in binary package sets.

  Bump PKGREVISION.

  To generate a diff of this commit:
  cvs rdiff -u -r1.139 -r1.140 pkgsrc/multimedia/xine-lib/Makefile
  cvs rdiff -u -r0 -r1.1 pkgsrc/multimedia/xine-lib/options.mk

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: jperkin
  Date: Tue Apr 19 13:48:31 UTC 2016

  Modified Files:
  pkgsrc/multimedia/xine-lib: PLIST.common options.mk

  Log Message:
  Handle dts PLIST entries correctly.

  To generate a diff of this commit:
  cvs rdiff -u -r1.38 -r1.39 pkgsrc/multimedia/xine-lib/PLIST.common
  cvs rdiff -u -r1.1 -r1.2 pkgsrc/multimedia/xine-lib/options.mk

(spz)

2016-06-19 10:36:10 UTC pkgsrc-2016Q1

2016-06-19 10:35:08 UTC pkgsrc-2016Q1

Pullup ticket #5044 - requested by bsiegert
security/libksba: security update

Revisions pulled up:
- security/libksba/Makefile                                    1.32
- security/libksba/distinfo                                    1.20

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  bsiegert
  Date:          Sat Jun 18 07:25:13 UTC 2016

  Modified Files:
          pkgsrc/security/libksba: Makefile distinfo

  Log Message:
  Update libksba to 1.3.4, fixing several vulnerabilities.

  Noteworthy changes in version 1.3.4 (2016-05-03) [C19/A11/R4]
  ------------------------------------------------

    * Fixed two OOB read access bugs which could be used to force a DoS.

    * Fixed a crash due to faulty curve OID lookup code.

    * Synced the list of supported curves with those of Libgcrypt.

    * New configure option --enable-build-timestamp; a build timestamp is
      not anymore used by default.

  To generate a diff of this commit:
  cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/libksba/Makefile
  cvs rdiff -u -r1.19 -r1.20 pkgsrc/security/libksba/distinfo

(spz)

2016-06-11 18:32:48 UTC pkgsrc-2016Q1

2016-06-11 18:31:03 UTC pkgsrc-2016Q1

Pullup ticket #5039 - requested by taca
devel/libthrift: build fix

Revisions pulled up:
- devel/libthrift/distinfo                                      1.12-1.14
- devel/libthrift/options.mk                                    1.8
- devel/libthrift/patches/patch-lib__rb__setup.rb              1.2
- devel/libthrift/patches/patch-lib_rb_Makefile.in              1.1

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May 30 09:22:58 UTC 2016

  Modified Files:
  pkgsrc/devel/libthrift: distinfo
  pkgsrc/devel/libthrift/patches: patch-lib__rb__setup.rb

  Log Message:
  Fix build problem with Ruby 2.2 and later.

  To generate a diff of this commit:
  cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/libthrift/distinfo
  cvs rdiff -u -r1.1 -r1.2 \
      pkgsrc/devel/libthrift/patches/patch-lib__rb__setup.rb

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May 30 16:03:13 UTC 2016

  Modified Files:
  pkgsrc/devel/libthrift: distinfo options.mk
  Added Files:
  pkgsrc/devel/libthrift/patches: patch-lib_rb_Makefile.in

  Log Message:
  More build fixes:

  * Explicitly specify ruby's path to avoid path in WRKDIR.
  * Do not build again on install stage to fix rpath problem.

  To generate a diff of this commit:
  cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/libthrift/distinfo
  cvs rdiff -u -r1.7 -r1.8 pkgsrc/devel/libthrift/options.mk
  cvs rdiff -u -r0 -r1.1 \
      pkgsrc/devel/libthrift/patches/patch-lib_rb_Makefile.in

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May 30 16:09:07 UTC 2016

  Modified Files:
  pkgsrc/devel/libthrift: distinfo

  Log Message:
  Update distinfo.

  To generate a diff of this commit:
  cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libthrift/distinfo

(spz)

2016-06-11 10:06:37 UTC pkgsrc-2016Q1

Pullup ticket #5038 - requested by joerg
www/nginx: security patch
www/nginx-devel: security patch

Revisions pulled up:
- www/nginx-devel/Makefile                                      1.20
- www/nginx-devel/distinfo                                      1.20
- www/nginx-devel/patches/patch-src_os_unix_ngx__files.c        1.1
- www/nginx/Makefile                                            1.64
- www/nginx/patches/patch-src_os_unix_ngx__files.c              1.1

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: joerg
  Date: Tue May 31 19:44:47 UTC 2016

  Modified Files:
  pkgsrc/www/nginx: Makefile
  Added Files:
  pkgsrc/www/nginx/patches: patch-src_os_unix_ngx__files.c

  Log Message:
  Avoid CVE-2016-4450 (NULL dereference while saving client body to
  temporary file). Bump revision.

  To generate a diff of this commit:
  cvs rdiff -u -r1.63 -r1.64 pkgsrc/www/nginx/Makefile
  cvs rdiff -u -r0 -r1.1 \
      pkgsrc/www/nginx/patches/patch-src_os_unix_ngx__files.c

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: joerg
  Date: Tue May 31 19:54:43 UTC 2016

  Modified Files:
  pkgsrc/www/nginx-devel: Makefile distinfo
  Added Files:
  pkgsrc/www/nginx-devel/patches: patch-src_os_unix_ngx__files.c

  Log Message:
  Avoid CVE-2016-4450 (NULL dereference while saving client body to
  temporary file). Bump revision.

  To generate a diff of this commit:
  cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/nginx-devel/Makefile \
      pkgsrc/www/nginx-devel/distinfo
  cvs rdiff -u -r0 -r1.1 \
      pkgsrc/www/nginx-devel/patches/patch-src_os_unix_ngx__files.c

(spz)

2016-06-11 09:53:06 UTC pkgsrc-2016Q1

Pullup ticket #5041 - requested by taca
security/openssh: security patch

Revisions pulled up:
- security/openssh/Makefile                                    1.244
- security/openssh/distinfo                                    1.101
- security/openssh/patches/patch-session.c                      1.6

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon Jun  6 08:55:35 UTC 2016

  Modified Files:
  pkgsrc/security/openssh: Makefile distinfo
  pkgsrc/security/openssh/patches: patch-session.c

  Log Message:
  Add fix for CVE-2015-8325 from upstream.

  Bump PKGREVISION.

  To generate a diff of this commit:
  cvs rdiff -u -r1.243 -r1.244 pkgsrc/security/openssh/Makefile
  cvs rdiff -u -r1.100 -r1.101 pkgsrc/security/openssh/distinfo
  cvs rdiff -u -r1.5 -r1.6 pkgsrc/security/openssh/patches/patch-session.c

(spz)

2016-06-06 18:38:24 UTC pkgsrc-2016Q1

5037 and 5040 in close succession (should have been the other way round,
but hopefully no one updated in the meantime).

(spz)

2016-06-06 18:34:31 UTC pkgsrc-2016Q1

Pullup ticket #5040 - requested by taca
net/ntp4: package build fixes

Revisions pulled up:
- net/ntp4/Makefile                                            1.93-1.94
- net/ntp4/PLIST                                                1.22
- net/ntp4/options.mk                                          1.3

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: bsiegert
  Date: Fri May 13 15:50:13 UTC 2016

  Modified Files:
  pkgsrc/net/ntp4: Makefile PLIST

  Log Message:
  Fix package installation for Darwin, which installs tickadj and ntpsnmpd.

  Not sure what the snmp thing is about; is it picking up a dependency from
  the base system? Why does no other OS build it?

  To generate a diff of this commit:
  cvs rdiff -u -r1.92 -r1.93 pkgsrc/net/ntp4/Makefile
  cvs rdiff -u -r1.21 -r1.22 pkgsrc/net/ntp4/PLIST

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: bsiegert
  Date: Sat May 14 08:13:49 UTC 2016

  Modified Files:
  pkgsrc/net/ntp4: Makefile options.mk

  Log Message:
  Do SNMP support properly, as a package option, default disabled.

  To generate a diff of this commit:
  cvs rdiff -u -r1.93 -r1.94 pkgsrc/net/ntp4/Makefile
  cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/ntp4/options.mk

(spz)

2016-06-06 18:29:05 UTC pkgsrc-2016Q1

Pullup ticket #5037 - requested by bsiegert
net/ntp4: security update

Revisions pulled up:
- net/ntp4/Makefile                                            1.95
- net/ntp4/distinfo                                            1.27

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  taca
  Date:          Fri Jun  3 09:45:09 UTC 2016

  Modified Files:
          pkgsrc/net/ntp4: Makefile distinfo

  Log Message:
  Update ntp4 package to 4.2.8p8, security fix.

  (4.2.8p8) 2016/06/02 Released by Harlan Stenn <stenn@ntp.org>

  * [Sec 3042] Broadcast Interleave.  HStenn.
  * [Sec 3043] Autokey association reset.  perlinger@ntp.org, stenn@ntp.org
    - validate origin timestamps on bad MACs, too.  stenn@ntp.org
  * [Sec 3044] Spoofed server packets are partially processed.  HStenn.
  * [Sec 3045] Bad authentication demobilizes ephemeral associations. JPerlinger.
  * [Sec 3046] CRYPTO_NAK crash.  stenn@ntp.org
  * [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
    - provide build environment
    - 'wint_t' and 'struct timespec' defined by VS2015
    - fixed print()/scanf() format issues
  * [Bug 3052] Add a .gitignore file.  Edmund Wong.
  * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
  * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
    JPerlinger, HStenn.
  * Update the NEWS file for 4.2.8p8.  HStenn.
  * Fix typo in ntp-wait and plot_summary.  HStenn.
  * Make sure we have an "author" file for git imports.  HStenn.
  * Update the sntp problem tests for MacOS.  HStenn.

  To generate a diff of this commit:
  cvs rdiff -u -r1.94 -r1.95 pkgsrc/net/ntp4/Makefile
  cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/ntp4/distinfo

(spz)

2016-06-04 19:57:15 UTC pkgsrc-2016Q1

Pullup tickets #5032 to #5037.

(bsiegert)

2016-06-04 19:56:37 UTC pkgsrc-2016Q1

Pullup ticket #5036 - requested by taca
lang/php70: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.138
- lang/php70/distinfo                                          1.10-1.12
- lang/php70/patches/patch-sapi_cli_Makefile.frag              1.1-1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri May 27 13:29:58 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php70: distinfo

  Log Message:
  Update php70 to 7.0.7 (PHP 7.0.7), including security fix.

  26 May 2016 PHP 7.0.7

  - Core:
    . Fixed bug #72162 (use-after-free - error_reporting). (Laruence)
    . Add compiler option to disable special case function calls. (Joe)
    . Fixed bug #72101 (crash on complex code). (Dmitry)
    . Fixed bug #72100 (implode() inserts garbage into resulting string when
      joins very big integer). (Mikhail Galanin)
    . Fixed bug #72057 (PHP Hangs when using custom error handler and typehint).
      (Nikita Nefedov)
    . Fixed bug #72038 (Function calls with values to a by-ref parameter don't
      always throw a notice). (Bob)
    . Fixed bug #71737 (Memory leak in closure with parameter named $this).
      (Nikita)
    . Fixed bug #72059 (?? is not allowed on constant expressions). (Bob, Marcio)
    . Fixed bug #72159 (Imported Class Overrides Local Class Name). (Nikita)

  - Curl:
    . Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)

  - DBA:
    . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)

  - GD:
    . Fixed bug #72227 (imagescale out-of-bounds read). (Stas)

  - Intl:
    . Fixed #72241 (get_icu_value_internal out-of-bounds read). (Stas)

  - JSON:
    . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
      (Laruence)

  - Mbstring:
    . Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace). (Laruence)

  - OCI8:
    . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight
      columns). (Tian Yang)

  - Opcache:
    . Fixed bug #72014 (Including a file with anonymous classes multiple times
      leads to fatal error). (Laruence)

  - OpenSSL:
    . Fixed bug #72165 (Null pointer dereference - openssl_csr_new). (Anatol)

  - PCNTL:
    . Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure
      overwrite). (Laruence)

  - POSIX:
    . Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL).
      (esminis at esminis dot lt)

  - Postgres:
    . Fixed bug #72028 (pg_query_params(): NULL converts to empty string).
      (Laruence)
    . Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype
      timestamp). (denver at timothy dot io)
    . Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)

  - Reflection:
    . Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call).
      (Nikita)

  - Session:
    . Fixed bug #71972 (Cyclic references causing session_start(): Failed to
      decode session object). (Laruence)

  - Sockets:
    . Added socket_export_stream() function for getting a stream compatible
      resource from a socket resource. (Chris Wright, Bob)

  - SPL:
    . Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as
      expected). (Laruence)

  - SQLite3:
    . Fixed bug #68849 (bindValue is not using the right data type). (Anatol)

  - Standard:
    . Fixed bug #72075 (Referencing socket resources breaks stream_select).
      (Laruence)
    . Fixed bug #72031 (array_column() against an array of objects discards all
      values matching null). (Nikita)

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Sat May 28 08:02:26 UTC 2016

  Modified Files:
  pkgsrc/lang/php70: distinfo
  Added Files:
  pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag

  Log Message:
  Mark php binary with paxctl +m because of JIT code.

  Needed on NetBSD-current with PaX MPROTECT.

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Sat May 28 08:13:15 UTC 2016

  Modified Files:
  pkgsrc/lang/php70: distinfo
  pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag

  Log Message:
  Add upstream bug report URL.

(bsiegert)

2016-06-04 19:50:02 UTC pkgsrc-2016Q1

Pullup ticket #5035 - requested by taca
lang/php56: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.137
- lang/php56/DESCR                                              1.2
- lang/php56/distinfo                                          1.27

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May 16 04:13:59 UTC 2016

  Modified Files:
  pkgsrc/lang/php56: DESCR

  Log Message:
  This package is not for PHP 5.5.x but 5.6.x.  Noted by Edgar Fu_ via
  private E-mail.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri May 27 13:28:07 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php56: distinfo

  Log Message:
  Update php56 to 5.6.22 (PHP 5.6.22), including security fix.

  26 May 2016, PHP 5.6.22

  - Core:
    . Fixed bug #72172 (zend_hex_strtod should not use strlen).
      (bwitz at hotmail dot com )
    . Fixed bug #72114 (Integer underflow / arbitrary null write in
      fread/gzread). (Stas)
    . Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)

  - GD:
    . Fixed bug #72227 (imagescale out-of-bounds read). (Stas)

  - Intl
    . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
    . Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)

  - Postgres:
    . Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)

(bsiegert)

2016-06-04 19:45:19 UTC pkgsrc-2016Q1

Pullup ticket #5034 - requested by taca
lang/php55: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.136
- lang/php55/distinfo                                          1.53

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri May 27 13:25:44 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php55: distinfo

  Log Message:
  Update php55 to 5.5.36 (PHP 5.5.36), including security fix.

  26 May 2016, PHP 5.5.36

  - Core:
    . Fixed bug #72114 (Integer underflow / arbitrary null write in
      fread/gzread). (Stas)
    . Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)

  - GD:
      . Fixed bug #72227 (imagescale out-of-bounds read). (Stas)

  - Intl:
      . Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)

  - Phar:
    . Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()).
      (CVE-2016-4343) (Stas)

(bsiegert)

2016-06-04 19:39:34 UTC pkgsrc-2016Q1

Pullup ticket #5033 - requested by taca
mail/roundcube: security fix

Revisions pulled up:
- mail/roundcube/Makefile                                      1.81-1.83
- mail/roundcube/PLIST                                          1.40-1.41
- mail/roundcube/distinfo                                      1.49-1.51
- mail/roundcube/patches/patch-config.inc.php                  deleted
- mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 26 03:20:37 UTC 2016

  Modified Files:
  pkgsrc/mail/roundcube: Makefile PLIST distinfo
  Removed Files:
  pkgsrc/mail/roundcube/patches: patch-config.inc.php

  Log Message:
  Update roundcube to 1.1.5, including security fix.

  RELEASE 1.1.5
  -------------
  - Plugin API: Add html2text hook
  - Plugin API: Added addressbook_export hook
  - Fix missing emoticons on html-to-text conversion
  - Fix random "access to this resource is secured against CSRF" message at logout (#4956)
  - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
  - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
  - Fix XSS issue in SVG images handling (#4949)
  - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958)
  - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
  - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
  - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
  - Hide DSN option in Preferences when smtp_server is not used (#4967)
  - Protect download urls against CSRF using unique request tokens (#4957)
  - newmail_notifier: Refactor desktop notifications
  - Fix so contactlist_fields option can be set via config file
  - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
  - Fix performance in reverting order of THREAD result
  - Fix converting mail addresses with @www. into mailto links (#5197)

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 26 03:23:39 UTC 2016

  Added Files:
  pkgsrc/mail/roundcube/patches:
      patch-plugins_password_helpers_passwd-expect

  Log Message:
  Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to
  make password plugin work.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu May 26 23:22:17 UTC 2016

  Modified Files:
  pkgsrc/mail/roundcube: Makefile distinfo
  Added Files:
  pkgsrc/mail/roundcube/patches:
      patch-program_lib_Roundcube_rcube__washtml.php

  Log Message:
  Update security patch for CVE-2016-5103 (XSS) from upstream.

  Bump PKGREVISION.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun May 29 15:46:59 UTC 2016

  Modified Files:
  pkgsrc/mail/roundcube: Makefile PLIST distinfo

  Log Message:
  Switch to get distfiles from GitHub, noted by David Brownlee via private
  e-mail.

  And some installed files are changed, bump PKGREVISION.

(bsiegert)

2016-06-04 19:39:09 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5032 - requested by taca
www/typo3_62: security fix

Revisions pulled up:
- www/typo3_62/Makefile                                        1.16
- www/typo3_62/PLIST                                            1.12
- www/typo3_62/distinfo                                        1.14

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Tue May 24 12:55:17 UTC 2016

  Modified Files:
  pkgsrc/www/typo3_62: Makefile PLIST distinfo

  Log Message:
  Update typo3_62 to 6.2.25 (TYPO3 6.2.25), including security fix.

  2016-05-24  8926699                  [RELEASE] Release of TYPO3 6.2.25 (TYPO3 Release Team)
  2016-05-24  f18b990  #76278          [BUGFIX] Allow non critical request arguments with @ (Helmut Hummel)
  2016-05-24  8e766a8                  [TASK] Set TYPO3 version to 6.2.25-dev (TYPO3 Release Team)

  2016-05-24  29df864                  [RELEASE] Release of TYPO3 6.2.24 (TYPO3 Release Team)
  2016-05-24  c10db60  #76231,#76256  [SECURITY] Validate complete referring request (Helmut Hummel)
  2016-05-17  070e747                  [TASK] Set TYPO3 version to 6.2.24-dev (TYPO3 Release Team)

  2016-05-17  80a1f39                  [RELEASE] Release of TYPO3 6.2.23 (TYPO3 Release Team)
  2016-05-17  1b58942  #75721          [BUGFIX] Use push parser instead of pull parser on fetching extension list (Oliver Hader)
  2016-05-17  6a038ac                  Revert "[BUGFIX] Load XML files of Extension Manager properly" (Oliver Hader)
  2016-05-06  8713065  #76066,#76064  [TASK] Make .htaccess Apache 2.4 suitable (Marc von Schalscha-Ehrenfeld)
  2016-05-05  31bb6be  #75934          [TASK] Disallow access to documentation folders (Markus Klein)
  2016-05-01  9100aae  #75947          [BUGFIX] Allow maxitem=1 in TCA treeSelect again (Alexander Bigga)
  2016-04-26  034e97b                  [TASK] Set TYPO3 version to 6.2.23-dev (TYPO3 Release Team)

(bsiegert)

2016-05-31 07:03:52 UTC pkgsrc-2016Q1 commitmail json YAML

2016-05-31 07:03:13 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5030 - requested by bsiegert
graphics/librsvg: security update

Revisions pulled up:
- graphics/librsvg/Makefile                                    1.86
- graphics/librsvg/PLIST                                        1.13
- graphics/librsvg/distinfo                                    1.34

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Sat May 21 13:43:42 UTC 2016

  Modified Files:
          pkgsrc/graphics/librsvg: Makefile PLIST distinfo

  Log Message:
  Update to 2.40.15

  Changelog:
  Version 2.40.15
  - Apologies for the lack of 2.40.14.  I mistakenly tagged the
    repository before updating the NEWS file.
  - librsvg now uses the Contributor Covenant Code of Conduct,
    version 1.4, to which all contributors and maintainers are expected
    to abide. Please see the code_of_conduct.md file for details.
  - Chun-wei Fan fixed builds on Visual Studio pre-2012.
  - Fixed bgo#759084 - Don't crash when filters don't actually exist
    Fix by Benjamin Otte.
  - Javier Jardón updated our autogen.sh to use modern autotools.
  - Fixed bgo#761728 - Memory leak in the PrimitiveComponentTransfer
    filter.  Fix by Ron Hopper.

  To generate a diff of this commit:
  cvs rdiff -u -r1.85 -r1.86 pkgsrc/graphics/librsvg/Makefile
  cvs rdiff -u -r1.12 -r1.13 pkgsrc/graphics/librsvg/PLIST
  cvs rdiff -u -r1.33 -r1.34 pkgsrc/graphics/librsvg/distinfo

(spz)

2016-05-31 05:22:33 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5029 - requested by bsiegert
www/moodle: security update

Revisions pulled up:
- www/moodle/Makefile                                          1.46
- www/moodle/distinfo                                          1.35

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  wen
  Date:          Sun Apr 10 03:08:56 UTC 2016

  Modified Files:
          pkgsrc/www/moodle: Makefile distinfo

  Log Message:
  Update to 3.0.3

  Upstream changes:
  Moodle 3.0.3 release notes

  Release date: 14 March 2016

  Here is the full list of fixed issues in 3.0.3.

  Highlights

      MDL-48778 - Fixed problems with assign quick grading in case of multiple attempts
      MDL-21912 - New setting 'Allow admin conflict resolution' for restoring a course from a different Moodle site
      MDL-31635 - Course completion "grade" criteria now correctly shows grades as points and not percents
      MDL-51702 - Restored ability to assign roles to blocks in Default dashboard and My home
      MDL-49807 - Wiki table of contents correctly displays headers created in Atto editor

  Fixes and improvements

      MDL-48015 - Fixed misalignment in gradebook when category has no total and items
      MDL-52566 - Releasing assignment with team submission now releases grades to all group members
      MDL-52486 - Fixed javascript errors in languages with _ in the name such as en_us (for example when editing user interests)
      MDL-52249 - Custom menus with subitems now work correctly on touch screen devices
      MDL-51723 - Fixed bug with unenrolling users on login under LDAP auth with Active Directory
      MDL-38020 - Corrected user enrollment workflow through Participant list using Edit Icon
      MDL-41531 - Fixed irregular characters in course name interfering with PayPal enrolment
      MDL-51075 - Centered positioning of glossary popup
      MDL-52217 - Cleaning temporary download directory for dropbox repository
      MDL-52637 - Fixed problems with connection to SMTP mail in some configurations
      MDL-52589 - Allow non-default cache stores to be uninstalled
      MDL-50083 - Unlock submissions when reopening locked assignment
      MDL-43620 - Allow to reset the course start date when having a chat activity
      MDL-49338 - Fixed bug when quiz statistics report displays the preview icons to the wrong variant
      MDL-52763 - Users with the mod/assign:viewblinddetails capability are able to cross reference users with their blind identities
      MDL-52435 - Plagiarism prevention links are moved to the top of the submission text
      MDL-52814 - Fixed overlapping of redo button in Quiz
      MDL-53012 - Behat: Add step to run scheduled task
      MDL-50218 - If there is no grade, an external tool (LTI) module will now return a grade of '' instead of 0 to the LTI tool producer

  Security issues

      MSA-16-0003 Incorrect capability check when displaying users emails in Participants list
      MSA-16-0004 XSS from profile fields from external db
      MSA-16-0005 Reflected XSS in mod_data advanced search
      MSA-16-0006 Hidden courses are shown to students in Event Monitor
      MSA-16-0007 Non-Editing Instructor role can edit exclude checkbox in Single View
      MSA-16-0008 External function get_calendar_events return events that pertains to hidden activities
      MSA-16-0009 CSRF in Assignment plugin management page
      MSA-16-0010 Enumeration of category details possible without authentication
      MSA-16-0011 Add no referrer to links with _blank target attribute
      MSA-16-0012 External function mod_assign_save_submission does not check due dates

  To generate a diff of this commit:
  cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/moodle/Makefile
  cvs rdiff -u -r1.34 -r1.35 pkgsrc/www/moodle/distinfo

(spz)

2016-05-25 19:08:22 UTC pkgsrc-2016Q1 commitmail json YAML

2016-05-25 19:07:29 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5028 - requested by he
textproc/libxml2: security update

Revisions pulled up:
- textproc/libxml2/Makefile                                    1.141
- textproc/libxml2/distinfo                                    1.110-1.112
- textproc/libxml2/patches/patch-aa                            1.29
- textproc/libxml2/patches/patch-ab                            1.29-1.30
- textproc/libxml2/patches/patch-ac                            1.9
- textproc/libxml2/patches/patch-ad                            1.19
- textproc/libxml2/patches/patch-ae                            1.15
- textproc/libxml2/patches/patch-ag                            deleted
- textproc/libxml2/patches/patch-encoding.c                    added at 1.2
- textproc/libxml2/patches/patch-runtest.c                      added at 1.2
- textproc/libxml2/patches/patch-testlimits.c                  added at 1.2
- textproc/libxml2/patches/patch-timsort.h                      added at 1.2
- textproc/libxml2/patches/patch-xmlIO.c                        added at 1.2

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: he
  Date: Tue May 24 12:00:08 UTC 2016

  Modified Files:
  pkgsrc/textproc/libxml2: Makefile distinfo
  pkgsrc/textproc/libxml2/patches: patch-aa patch-ab patch-ac patch-ad
      patch-ae
  Added Files:
  pkgsrc/textproc/libxml2/patches: patch-encoding.c patch-runtest.c
      patch-testlimits.c patch-timsort.h patch-xmlIO.c
  Removed Files:
  pkgsrc/textproc/libxml2/patches: patch-ag

  Log Message:
  Update libxml2 to 2.9.4.

  Pkgsrc changes:
    * Add some casts to match types and format strings, plus
      fix value range of toupper() operation.
    * Merge patch-ag into the new patch-encoding.c.
    * Add comments to existing patches which lacked comments.

  Upstream changes to libxml2-2.9.4: May 23 2016

  Security:

      CVE-2016-3627 Avoid building recursive entities
      CVE-2016-1833 Heap-based buffer overread in htmlCurrentChar
      CVE-2016-1835 Heap use-after-free in xmlSAX2AttributeNs
      CVE-2016-1837 Heap use-after-free in htmlParsePubidLiteral
            and htmlParseSystemLiteral
      CVE-2016-1836 Bug 759398: Heap use-after-free in xmlDictComputeFastKey
      CVE-2016-1839 Bug 758605: Heap-based buffer overread in xmlDictAddString
      CVE-2016-1838 Bug 758588: Heap-based buffer overread in
        xmlParserPrintFileContextInternal
      CVE-2016-1840 Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
      CVE-2016-4483 Avoid an out of bound access when serializing
        malformed strings
      CVE-2016-1834 Bug 763071: heap-buffer-overflow in xmlStrncat
      CVE-2016-3705 Add missing increments of recursion depth counter to
        XML parser.
      CVE-2016-1762 Heap-based buffer overread in xmlNextChar

      More format string warnings with possible format string vulnerability
      Heap-based buffer-underreads due to xmlParseName
      Fix some format string warnings with possible format string vulnerability
      Unsigned addition may overflow in xmlMallocAtomicLoc()

  Other bugfixes:

      Detect change of encoding when parsing HTML names
      Fix inappropriate fetch of entities content
      Correct the usage of LDFLAGS
      Revert the use of SAVE_LDFLAGS in configure.ac
      libxml2 hardcodes -L/lib in zlib/lzma tests which breaks cross-compiles
      Add more debugging info to runtest
      Implement "runtest -u" mode
      Integer signed/unsigned type mismatch in xmlParserInputGrow()
      Integer overflow parsing port number in URI
      Fix apibuild for a recently added constructv2.9.4-rc2
      Use pkg-config to locate zlib when possible
      Use pkg-config to locate ICU when possible
      Fix an error with regexp on nullable counted char transition
      Fix memory leak with XPath namespace nodes
      Fix namespace axis traversal
      Add a make rule to rebuild for ASAN
      Fix null pointer deref in docs with no root element
      Portability to non C99 compliant compilers
      dict.h: Move xmlDictPtr definition before includes to allow direct
        inclusion.
      Fix XSD validation of URIs with ampersands
      xmlschemastypes.c: accept endOfDayFrag Times set to "24:00:00" mean
        "end of day" and should not cause an error. v2.9.4-rc1
      os400: tell about xmllint and xmlcatalog in README400.
      os400: properly process SGML add in XMLCATALOG command.
      os400: implement CL command XMLCATALOG.
      os400: compile and install program xmlcatalog (qshell-only).
      xmlcatalog: flush stdout before interactive shell input.
      os400: expand tabs in sources, strip trailing blanks.
      os400: implement CL command XMLLINT.
      os400: compile and install program xmllint (qshell-only).
      os400: initscript make_module(): Use options instead of
        positional parameters.
      xmllint: flush stdout before interactive shell input.
      os400: c14n.rpgle: allow *omit for nullable reference parameters.
      os400: use like() for double type.
      os400: use like() for int type.
      os400: use like() for unsigned int type.
      os400: use like() for enum types.
      Add xz to xml2-config --libs output
      Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression
      Fix namespace::node() XPath expression
      Fix OOB write in xmlXPathEmptyNodeSet
      Fix parsing of NCNames in XPath
      Fix OOB read with invalid UTF-8 in xmlUTF8Strsize
      Do normalize string-based datatype value in RelaxNG facet checking
      Fix typo: s{ ec -> cr }cipt
      Fix typos: dictio{ nn -> n }ar{y,ies}
      Fix typos: PATH_{ SEAPARATOR -> SEPARATOR }
      Correct a typo.
      Bug 760921: REGRESSION (8eb55d78): doc/examples/io1 test fails after fix
        for "xmlSaveUri() incorrectly recomposes URIs with rootless paths"
      Bug 760861: REGRESSION (bf9c1dad): Missing results for
        test/schemas/regexp-char-ref_[01].xsd
      error.c: *input->cur == 0 does not mean no error
      Add missing RNG test files
      Bug 760190: configure.ac should be able to build --with-icu without
        icu-config tool
      Bug 760183: REGRESSION (v2.9.3): XML push parser fails with bogus
        UTF-8 encoding error when multi-byte character in large CDATA
        section is split across buffer
      Bug 758572: ASAN crash in make check
      Bug 721158: Missing ICU string when doing --version on xmllint
      python 3: libxml2.c wrappers create Unicode str already
      win32\VC10\config.h and VS 2015
      Add autogen.sh to distrib
      Add configure maintainer mode

  To generate a diff of this commit:
  cvs rdiff -u -r1.140 -r1.141 pkgsrc/textproc/libxml2/Makefile
  cvs rdiff -u -r1.109 -r1.110 pkgsrc/textproc/libxml2/distinfo
  cvs rdiff -u -r1.28 -r1.29 pkgsrc/textproc/libxml2/patches/patch-aa \
      pkgsrc/textproc/libxml2/patches/patch-ab
  cvs rdiff -u -r1.8 -r1.9 pkgsrc/textproc/libxml2/patches/patch-ac
  cvs rdiff -u -r1.18 -r1.19 pkgsrc/textproc/libxml2/patches/patch-ad
  cvs rdiff -u -r1.14 -r1.15 pkgsrc/textproc/libxml2/patches/patch-ae
  cvs rdiff -u -r1.12 -r0 pkgsrc/textproc/libxml2/patches/patch-ag
  cvs rdiff -u -r0 -r1.1 pkgsrc/textproc/libxml2/patches/patch-encoding.c \
      pkgsrc/textproc/libxml2/patches/patch-runtest.c \
      pkgsrc/textproc/libxml2/patches/patch-testlimits.c \
      pkgsrc/textproc/libxml2/patches/patch-timsort.h \
      pkgsrc/textproc/libxml2/patches/patch-xmlIO.c

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: wiz
  Date: Tue May 24 21:08:21 UTC 2016

  Modified Files:
  pkgsrc/textproc/libxml2: distinfo
  pkgsrc/textproc/libxml2/patches: patch-encoding.c patch-runtest.c
      patch-testlimits.c patch-timsort.h patch-xmlIO.c

  Log Message:
  Add upstream bug report URLs (from he@).

  To generate a diff of this commit:
  cvs rdiff -u -r1.110 -r1.111 pkgsrc/textproc/libxml2/distinfo
  cvs rdiff -u -r1.1 -r1.2 pkgsrc/textproc/libxml2/patches/patch-encoding.c \
      pkgsrc/textproc/libxml2/patches/patch-runtest.c \
      pkgsrc/textproc/libxml2/patches/patch-testlimits.c \
      pkgsrc/textproc/libxml2/patches/patch-timsort.h \
      pkgsrc/textproc/libxml2/patches/patch-xmlIO.c

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: he
  Date: Wed May 25 07:16:36 UTC 2016

  Modified Files:
  pkgsrc/textproc/libxml2: distinfo
  pkgsrc/textproc/libxml2/patches: patch-ab

  Log Message:
  Submit the typo part of configure upstream, note the bug-ID.

  To generate a diff of this commit:
  cvs rdiff -u -r1.111 -r1.112 pkgsrc/textproc/libxml2/distinfo
  cvs rdiff -u -r1.29 -r1.30 pkgsrc/textproc/libxml2/patches/patch-ab

(spz)

2016-05-23 05:17:46 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup tickets #4990 to #5008 and #5021 to #5025, all from joerg.

(bsiegert)

2016-05-23 05:16:43 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5025 - requested by joerg
sysutils/xenkernel33: build fix

Revisions pulled up:
- sysutils/xenkernel3/Makefile                                  1.31
- sysutils/xenkernel33/Makefile                                1.30
- sysutils/xentools3/Makefile                                  1.47

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Wed May 18 21:25:06 UTC 2016

  Modified Files:
  pkgsrc/sysutils/xenkernel3: Makefile
  pkgsrc/sysutils/xenkernel33: Makefile
  pkgsrc/sysutils/xentools3: Makefile

  Log Message:
  Make some GCC warnings non-fatal.

(bsiegert)

2016-05-23 05:15:38 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5024 - requested by joerg
sysutils/xentools33: build fix

Revisions pulled up:
- sysutils/xentools33/Makefile                                  1.50
- sysutils/xentools33/distinfo                                  1.32
- sysutils/xentools33/patches/patch-fs-back_Makefile            1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Wed May 18 21:24:44 UTC 2016

  Modified Files:
  pkgsrc/sysutils/xentools33: Makefile distinfo
  Added Files:
  pkgsrc/sysutils/xentools33/patches: patch-fs-back_Makefile

  Log Message:
  Add missing rpath. Make a bunch of GCC warnings non-fatal. Bump
  revision.

(bsiegert)

2016-05-23 05:14:35 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5023 - requested by joerg
devel/tvision: build fix

Revisions pulled up:
- devel/tvision/distinfo                                        1.9
- devel/tvision/patches/patch-lib_TWindow_cc                    1.2
- devel/tvision/patches/patch-lib_colorsel_cc                  1.2
- devel/tvision/patches/patch-lib_tobjstrm_h                    1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Wed May 18 20:19:46 UTC 2016

  Modified Files:
  pkgsrc/devel/tvision: distinfo
  pkgsrc/devel/tvision/patches: patch-lib_TWindow_cc
      patch-lib_colorsel_cc patch-lib_tobjstrm_h

  Log Message:
  Don't assume intptr_t is magically defined, but request it when
  necessary.

(bsiegert)

2016-05-23 05:13:51 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5022 - requested by joerg
devel/libbson: build fix

Revisions pulled up:
- devel/libbson/distinfo                                        1.18
- devel/libbson/patches/patch-Makefile.in                      1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Wed May 18 20:19:11 UTC 2016

  Modified Files:
  pkgsrc/devel/libbson: distinfo
  Added Files:
  pkgsrc/devel/libbson/patches: patch-Makefile.in

  Log Message:
  Help linking the test program by providing all internal libraries.

(bsiegert)

2016-05-23 05:13:13 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5021 - requested by joerg
cross/uisp: build fix

Revisions pulled up:
- cross/uisp/distinfo                                          1.7
- cross/uisp/patches/patch-src_AvrAtmel.C                      1.1
- cross/uisp/patches/patch-src_AvrDummy.C                      1.1
- cross/uisp/patches/patch-src_Stk500.C                        1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Wed May 18 20:18:32 UTC 2016

  Modified Files:
  pkgsrc/cross/uisp: distinfo
  pkgsrc/cross/uisp/patches: patch-src_Stk500.C
  Added Files:
  pkgsrc/cross/uisp/patches: patch-src_AvrAtmel.C patch-src_AvrDummy.C

  Log Message:
  Under C++11 it is invalid to implicitly cast from a larger type to a
  smaller type in an initializer. Adjust various places accordingly.
  Avoid set-but-not-used warnings in some other places for newer GCC.

(bsiegert)

2016-05-23 05:12:08 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5008 - requested by joerg
wm/fluxconf: build fix

Revisions pulled up:
- wm/fluxconf/Makefile                                          1.30

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:11:15 UTC 2016

  Modified Files:
  pkgsrc/wm/fluxconf: Makefile

  Log Message:
  Disable noisy GCC warnings.

(bsiegert)

2016-05-23 05:11:31 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5007 - requested by joerg
sysutils/tarsnap-gui: build fix

Revisions pulled up:
- sysutils/tarsnap-gui/Makefile                                1.3
- sysutils/tarsnap-gui/distinfo                                1.2
- sysutils/tarsnap-gui/patches/patch-Tarsnap.pro                1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:10:46 UTC 2016

  Modified Files:
  pkgsrc/sysutils/tarsnap-gui: Makefile distinfo
  Added Files:
  pkgsrc/sysutils/tarsnap-gui/patches: patch-Tarsnap.pro

  Log Message:
  Instruct qmake to include the X11BASE rpath.

(bsiegert)

2016-05-23 05:09:17 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5006 - requested by joerg
sysutils/open-vm-tools: build fix

Revisions pulled up:
- sysutils/open-vm-tools/Makefile                              1.56
- sysutils/open-vm-tools/distinfo                              1.11
- sysutils/open-vm-tools/patches/patch-lib_user_util.c          1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:10:09 UTC 2016

  Modified Files:
  pkgsrc/sysutils/open-vm-tools: Makefile distinfo
  Added Files:
  pkgsrc/sysutils/open-vm-tools/patches: patch-lib_user_util.c

  Log Message:
  Disable noisy warnings. Add an explicit cast to deal with expected
  interface differences.

(bsiegert)

2016-05-23 05:08:29 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5005 - requested by joerg
sysutils/fscd: build fix

Revisions pulled up:
- sysutils/fscd/Makefile                                        1.6

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:09:24 UTC 2016

  Modified Files:
  pkgsrc/sysutils/fscd: Makefile

  Log Message:
  Silence noisy GCC warning.

(bsiegert)

2016-05-23 05:08:04 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5004 - requested by joerg
security/php-oauth: build fix

Revisions pulled up:
- security/php-oauth/Makefile                                  1.7

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:09:07 UTC 2016

  Modified Files:
  pkgsrc/security/php-oauth: Makefile

  Log Message:
  Requires PCRE to build.

(bsiegert)

2016-05-23 05:07:34 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5003 - requested by joerg
print/LPRng-core: build fix

Revisions pulled up:
- print/LPRng-core/Makefile                                    1.40

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:08:49 UTC 2016

  Modified Files:
  pkgsrc/print/LPRng-core: Makefile

  Log Message:
  Generally drop -Werror.

(bsiegert)

2016-05-23 05:06:42 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5002 - requested by joerg
pkgtools/pkg_select: build fix

Revisions pulled up:
- pkgtools/pkg_select/Makefile                                  1.23

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:08:30 UTC 2016

  Modified Files:
  pkgsrc/pkgtools/pkg_select: Makefile

  Log Message:
  Disable noisy warning for GCC.

(bsiegert)

2016-05-23 05:06:09 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5001 - requested by joerg
net/openwbem: build fix

Revisions pulled up:
- net/openwbem/distinfo                                        1.8
- net/openwbem/patches/patch-src_common_OW__CommonFwd.hpp      1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:08:07 UTC 2016

  Modified Files:
  pkgsrc/net/openwbem: distinfo
  pkgsrc/net/openwbem/patches: patch-src_common_OW__CommonFwd.hpp

  Log Message:
  Include the right header for std::less.

(bsiegert)

2016-05-23 05:05:35 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #5000 - requested by joerg
net/gkrellm: build fix

Revisions pulled up:
- net/gkrellm-multiping/distinfo                                1.7
- net/gkrellm-multiping/patches/patch-aa                        1.4

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:07:39 UTC 2016

  Modified Files:
  pkgsrc/net/gkrellm-multiping: distinfo
  pkgsrc/net/gkrellm-multiping/patches: patch-aa

  Log Message:
  Drop use of -Wl without actual argument.

(bsiegert)

2016-05-23 05:04:39 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4999 - requested by joerg
multimedia/gopchop: build fix

Revisions pulled up:
- multimedia/gopchop/distinfo                                  1.9
- multimedia/gopchop/patches/patch-src_Main.cpp                1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:07:15 UTC 2016

  Modified Files:
  pkgsrc/multimedia/gopchop: distinfo
  Added Files:
  pkgsrc/multimedia/gopchop/patches: patch-src_Main.cpp

  Log Message:
  Don't use C99 designators in C++.

(bsiegert)

2016-05-23 05:03:38 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4998 - requested by joerg
misc/rocs: build fix

Revisions pulled up:
- misc/rocs/Makefile                                            1.40
- misc/rocs/distinfo                                            1.12
- misc/rocs/patches/patch-RocsCore_DataStructures_Graph_GraphStructure.cpp 1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:06:40 UTC 2016

  Modified Files:
  pkgsrc/misc/rocs: Makefile distinfo
  Added Files:
  pkgsrc/misc/rocs/patches:
      patch-RocsCore_DataStructures_Graph_GraphStructure.cpp

  Log Message:
  With newer Boost, this now must be built as C++11. Unrestrict make_pair
  to help GCC 4.8 figure out the right template of make_pair.

(bsiegert)

2016-05-23 05:02:35 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4997 - requested by joerg
misc/kchmviewer: build fix

Revisions pulled up:
- misc/kchmviewer/Makefile                                      1.57
- misc/kchmviewer/distinfo                                      1.14
- misc/kchmviewer/patches/patch-src_src.pro                    1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:05:22 UTC 2016

  Modified Files:
  pkgsrc/misc/kchmviewer: Makefile distinfo
  Added Files:
  pkgsrc/misc/kchmviewer/patches: patch-src_src.pro

  Log Message:
  Instruct qmake to include X11BASE rpath. Bump revision.

(bsiegert)

2016-05-23 05:01:05 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4996 - requested by joerg
misc/gkrellm-launch: build fix

Revisions pulled up:
- misc/gkrellm-launch/distinfo                                  1.4
- misc/gkrellm-launch/patches/patch-aa                          1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:04:43 UTC 2016

  Modified Files:
  pkgsrc/misc/gkrellm-launch: distinfo
  pkgsrc/misc/gkrellm-launch/patches: patch-aa

  Log Message:
  Drop linker argument without argument.

(bsiegert)

2016-05-23 05:00:19 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4995 - requested by joerg
math/superlu: build fix

Revisions pulled up:
- math/superlu/Makefile                                        1.25

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:04:14 UTC 2016

  Modified Files:
  pkgsrc/math/superlu: Makefile

  Log Message:
  Not MAKE_JOBS_SAFE.

(bsiegert)

2016-05-23 04:59:24 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4994 - requested by joerg
math/snns: build fix

Revisions pulled up:
- math/snns/Makefile                                            1.26
- math/snns/distinfo                                            1.8
- math/snns/patches/patch-ac                                    1.3
- math/snns/patches/patch-configure                            1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:04:00 UTC 2016

  Modified Files:
  pkgsrc/math/snns: Makefile distinfo
  pkgsrc/math/snns/patches: patch-ac
  Added Files:
  pkgsrc/math/snns/patches: patch-configure

  Log Message:
  Fix missing X11BASE rpath. Bump revision.

(bsiegert)

2016-05-23 04:58:36 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4993 - requested by joerg
math/pari: build fix

Revisions pulled up:
- math/pari/Makefile                                            1.68
- math/pari/distinfo                                            1.25
- math/pari/patches/patch-config_Makefile.SH                    1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:03:25 UTC 2016

  Modified Files:
  pkgsrc/math/pari: Makefile distinfo
  pkgsrc/math/pari/patches: patch-config_Makefile.SH

  Log Message:
  Fix gp linking to not include the temporary DESTDIR. Bump revision.

(bsiegert)

2016-05-23 04:57:53 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4992 - requested by joerg
mail/smtp-vilter: build fix

Revisions pulled up:
- mail/smtp-vilter/Makefile                                    1.9

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:02:28 UTC 2016

  Modified Files:
  pkgsrc/mail/smtp-vilter: Makefile

  Log Message:
  Disable noisy GCC warnings.

(bsiegert)

2016-05-23 04:57:18 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4991 - requested by joerg
lang/ghc7: build fix

Revisions pulled up:
- lang/ghc7/Makefile                                            1.25
- lang/ghc7/distinfo                                            1.14
- lang/ghc7/patches/patch-libffi_ghc.mk                        1.1
- lang/ghc7/patches/patch-rts_ghc.mk                            1.6

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:02:06 UTC 2016

  Modified Files:
  pkgsrc/lang/ghc7: Makefile distinfo
  pkgsrc/lang/ghc7/patches: patch-rts_ghc.mk
  Added Files:
  pkgsrc/lang/ghc7/patches: patch-libffi_ghc.mk

  Log Message:
  Fix libffi linkage, so that it actually picks up the right version and
  includes the rpath. Seen by a not so happy devel/happy. Bump revision.

(bsiegert)

2016-05-22 06:46:40 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4990 - requested by joerg
graphics/ruby-gd: build fix

Revisions pulled up:
- graphics/ruby-gd/Makefile                                    1.46

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 10:00:59 UTC 2016

  Modified Files:
  pkgsrc/graphics/ruby-gd: Makefile

  Log Message:
  Tell gem build to include rpath for X11BASE. Bump revision.

(bsiegert)

2016-05-21 19:56:22 UTC pkgsrc-2016Q1

2016-05-21 19:53:38 UTC pkgsrc-2016Q1

Pullup ticket #5027 - requested by wen
www/mediawiki: security fix

Revisions pulled up:
- www/mediawiki/Makefile                                        1.59
- www/mediawiki/PLIST                                          1.28
- www/mediawiki/distinfo                                        1.45

---
  Module Name:    pkgsrc
  Committed By:  wen
  Date:          Sat May 21 11:58:12 UTC 2016

  Modified Files:
          pkgsrc/www/mediawiki: Makefile PLIST distinfo

  Log Message:
  Update to 1.26.3

  Upstream changes:
  MediaWiki 1.26.3

  This is a maintenance release of the MediaWiki 1.26 branch.
  Changes since 1.26.2

      (bug T116266) Fixed undefined property notices in DairikiDiff under HHVM.
      (bug T123166) Fix fatal error when importing pages to titles which
  cannot be created, such as invalid titles or titles the user is not
  allowed to edit.
      (bug T122056) Old tokens are remaining valid within a new session
      (bug T127114) Login throttle can be tricked using
  non-canonicalized usernames
      (bug T123653) Cross-domain policy regexp is too narrow
      (bug T123071) Incorrectly identifying http link in a's href
  attributes, due to m modifier in regex
      (bug T129506) MediaWiki:Gadget-popups.js isn't renderable
      (bug T125283) Users occasionally logged in as different users
  after SessionManager deployment
      (bug T103239) Patrol allows click catching and patrolling of any page
      (bug T122807) [tracking] Check php crypto primitives
      (bug T98313) Graphs can leak tokens, leading to CSRF
      (bug T130947) Diff generation should use PoolCounter
      (bug T133507) Careless use of $wgExternalLinkTarget is insecure
      (bug T132874) API action=move is not rate limited
      (bug T110143) strip markers can be used to get around html
  attribute escaping in (many?) parser tags
      (bug T116030) Increase pbkdf2 parameter strengths
      (bug T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
      (bug T126685) Globally throttle password attempts

(bsiegert)

2016-05-21 19:13:45 UTC pkgsrc-2016Q1

Pullup ticket #5026 - requested by drochner
textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile                                      1.32
- textproc/expat/distinfo                                      1.25
- textproc/expat/patches/patch-CVE-2016-0718-1                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-2                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-3                  1.1
- textproc/expat/patches/patch-CVE-2016-0718-4                  1.1

---
  Module Name:    pkgsrc
  Committed By:  drochner
  Date:          Tue May 17 19:15:01 UTC 2016

  Modified Files:
          pkgsrc/textproc/expat: Makefile distinfo
  Added Files:
          pkgsrc/textproc/expat/patches: patch-CVE-2016-0718-1
              patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4

  Log Message:
  add patches from upstream to fix possible crashes and memory corruption
  on malformed input (CVE-2016-0718)
  Description: The Expat XML parser mishandles certain kinds of malformed
  input documents, resulting in buffer overflows during processing and
  error reporting. The overflows can manifest as a segmentation fault or
  as memory corruption during a parse operation. The bugs allow for a
  denial of service attack in many applications by an unauthenticated
  attacker, and could conceivably result in remote code execution.

  bump PKGREV

  also add an improvement to the fix for CVE-2015-1283 which was part
  of the 2.1.1 release -- don't rely on defined behaviour on overflows
  of signed integer operations, from upstream git:
  https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/

  pkgsrc change: add a hint how to run the pkg's selftest (not enabled
  permanently because this would add a dependency on C++)

(bsiegert)

2016-05-21 19:02:59 UTC pkgsrc-2016Q1

Pullup ticket #5020 - requested by sevan
www/ikiwiki: security fix

Revisions pulled up:
- www/ikiwiki/Makefile                                          1.139
- www/ikiwiki/distinfo                                          1.112
- www/ikiwiki/patches/patch-t_cvs.t                            deleted

---
  Module Name:    pkgsrc
  Committed By:  schmonz
  Date:          Sat May  7 05:58:54 UTC 2016

  Modified Files:
          pkgsrc/www/ikiwiki: Makefile distinfo
  Removed Files:
          pkgsrc/www/ikiwiki/patches: patch-t_cvs.t

  Log Message:
  Update to 3.20160506. From the changelog:

    [ Simon McVittie ]
    * img: stop ImageMagick trying to be clever if filenames contain a colon,
      avoiding mis-processing
    * HTML-escape error messages, in one case avoiding potential cross-site
      scripting (OVE-20160505-0012)
    * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
      - img: force common Web formats to be interpreted according to extension,
        so that "allowed_attachments: '*.jpg'" does what one might expect
      - img: restrict to JPEG, PNG and GIF images by default, again mitigating
        CVE-2016-3714 and similar vulnerabilities
      - img: check that the magic number matches what we would expect from
        the extension before giving common formats to ImageMagick
    * d/control: use https for Homepage
    * d/control: add Vcs-Browser

    [ Joey Hess ]
    * img: Add back support for SVG images, bypassing ImageMagick and
      simply passing the SVG through to the browser, which is supported by all
      commonly used browsers these days.
      SVG scaling by img directives has subtly changed; where before
      size=wxh would preserve aspect ratio, this cannot be done when passing
      them through and so specifying both a width and height can change
      the SVG's aspect ratio.
    * loginselector: When only openid and emailauth are enabled, but
      passwordauth is not, avoid showing a "Other" box which opens an
      empty form.

    [ Amitai Schlair ]
    * mdwn: Process .md like .mdwn, but disallow web creation.

    [ Florian Wagner ]
    * git: Correctly handle filenames starting with a dash in add/rm/mv.

    -- Simon McVittie <smcv%debian.org@localhost>  Fri, 06 May 2016 07:54:26 +0100

(bsiegert)

2016-05-21 15:56:23 UTC pkgsrc-2016Q1

Pullup ticket #5019 - requested by sevan
multimedia/adobe-flash-plugin11: security fix

Revisions pulled up:
- multimedia/adobe-flash-plugin11/Makefile                      1.59-1.60
- multimedia/adobe-flash-plugin11/distinfo                      1.56-1.57

---
  Module Name:    pkgsrc
  Committed By:  tsutsui
  Date:          Sat Apr  9 12:23:04 UTC 2016

  Modified Files:
          pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo

  Log Message:
  Update adobe-flash-plugin11 to 11.2.202.616.

  Upstream announcement:

    https://helpx.adobe.com/security/products/flash-player/apsb16-10.html

  Adobe Security Bulletin

  Security updates available for Adobe Flash Player

  Release date: April 7, 2016

  Vulnerability identifier: APSB16-10

  CVE number: CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,
    CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018,
    CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,
    CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,
    CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033

  Platform: Windows, Macintosh, Linux and ChromeOS

---
  Module Name:    pkgsrc
  Committed By:  tsutsui
  Date:          Thu May 12 15:36:34 UTC 2016

  Modified Files:
          pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo

  Log Message:
  Update adobe-flash-plugin11 to 11.2.202.621.

  Upstream announcement:

    https://helpx.adobe.com/security/products/flash-player/apsb16-15.html

  Adobe Security Bulletin

  Security updates available for Adobe Flash Player

  Release date: May 12, 2016

  Vulnerability identifier: APSB16-15

  CVE number: CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099,
    CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104,
    CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,
    CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,
    CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116,
    CVE-2016-4117

  Platform: Windows, Macintosh, Linux and ChromeOS

(bsiegert)

2016-05-21 15:48:57 UTC pkgsrc-2016Q1

Pullup ticket #5017 - requested by sevan
sysutils/xenkernel45: security fix
sysutils/xentools45: security fix

Revisions pulled up:
- sysutils/xenkernel45/Makefile                                1.14
- sysutils/xenkernel45/distinfo                                1.14
- sysutils/xenkernel45/patches/patch-CVE-2015-5307              deleted
- sysutils/xenkernel45/patches/patch-CVE-2015-8339              deleted
- sysutils/xenkernel45/patches/patch-CVE-2015-8555              deleted
- sysutils/xenkernel45/patches/patch-XSA-166                    deleted
- sysutils/xenkernel45/patches/patch-XSA-172                    1.1
- sysutils/xenkernel45/patches/patch-XSA-173                    1.1
- sysutils/xentools45/Makefile                                  1.32
- sysutils/xentools45/distinfo                                  1.22
- sysutils/xentools45/patches/patch-CVE-2015-8341              deleted
- sysutils/xentools45/patches/patch-CVE-2015-8550              deleted
- sysutils/xentools45/patches/patch-CVE-2015-8554              deleted
- sysutils/xentools45/patches/patch-XSA-179                    1.1

---
  Module Name:    pkgsrc
  Committed By:  bouyer
  Date:          Thu May 12 15:42:58 UTC 2016

  Modified Files:
          pkgsrc/sysutils/xenkernel45: Makefile distinfo
          pkgsrc/sysutils/xentools45: Makefile distinfo
  Added Files:
          pkgsrc/sysutils/xenkernel45/patches: patch-XSA-172 patch-XSA-173
          pkgsrc/sysutils/xentools45/patches: patch-XSA-179
  Removed Files:
          pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-5307
              patch-CVE-2015-8339 patch-CVE-2015-8555 patch-XSA-166
          pkgsrc/sysutils/xentools45/patches: patch-CVE-2015-8341
              patch-CVE-2015-8550 patch-CVE-2015-8554

  Log Message:
  Update xenkernel45 and xentools45 to 4.5.3.
  While there also add patches for security issues XSA-172, XSA-173 and XSA-179
  (others between 170 and 179 are either not yet public, or linux-only).
  Upstream changes since 4.5.2:
  - security issues up to XSA-170 are fixed (these were already patched
    in pkgsrc).
  - other minor performance and functionality fixes.
  full changelog at:
  http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-453.html

(bsiegert)

2016-05-20 05:35:49 UTC pkgsrc-2016Q1

2016-05-20 05:32:33 UTC pkgsrc-2016Q1

Pullup ticket #4965 - requested by bsiegert
www/h2o: security update

Revisions pulled up:
- www/h2o/Makefile                                              1.8
- www/h2o/PLIST                                                1.3
- www/h2o/distinfo                                              1.4

NOTE: the branch excludes the www/wslay dependency

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  adam
  Date:          Sat Apr 23 18:41:29 UTC 2016

  Modified Files:
          pkgsrc/www/h2o: Makefile PLIST distinfo

  Log Message:
  Changes 1.7.1:
  - [core] fix incorrect line no. reported in case of YAML syntax error
  - [core] fix build issue / memory leak when the poll backend is used
  - [core] when building, respect `EXTRA_LIBS` passed from command line
  - [core] fix memory leaks during start-up
  - [core] fix stability issue when receiving a signal
  - [fastcgi] fix off-by-one buffer overflow
  - [fastcgi][mruby] install missing script files
  - [mruby] truncate body to the size specified by `content-length`
  - [mruby] fix error when reading a ruby script >= 64K
  - [proxy] fix I/O error when transferring files over 2GB on FreeBSD / OS X
  - [ssl] bugfix: use of session ticket not disabled even when configured to
  - [libh2o] provide pkg-config .pc files
  - [libh2o] include version numbers in the .so filename
  - [doc] refine documentation

  To generate a diff of this commit:
  cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/h2o/Makefile
  cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/h2o/PLIST
  cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/h2o/distinfo

(spz)

2016-05-19 19:17:14 UTC pkgsrc-2016Q1

Pullup tickets #5014 to #5016.

(bsiegert)

2016-05-19 12:56:38 UTC pkgsrc-2016Q1

Pullup ticket #5016 - requested by sevan
emulators/qemu: security fix

Revisions pulled up:
- emulators/qemu/Makefile                                      1.149
- emulators/qemu/PLIST                                          1.46
- emulators/qemu/distinfo                                      1.115
- emulators/qemu/patches/patch-configure                        1.13
- emulators/qemu/patches/patch-default-configs_pci.mak          1.2
- emulators/qemu/patches/patch-hw_misc_ivshmem.c                1.1
- emulators/qemu/patches/patch-hw_ppc_mac__newworld.c          1.3
- emulators/qemu/patches/patch-hw_ppc_mac__oldworld.c          1.3
- emulators/qemu/patches/patch-memory.c                        1.10
- emulators/qemu/patches/patch-slirp_tcp__subr.c                1.7

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Sun May 15 01:25:15 UTC 2016

  Modified Files:
          pkgsrc/emulators/qemu: Makefile PLIST distinfo
          pkgsrc/emulators/qemu/patches: patch-configure
              patch-default-configs_pci.mak patch-hw_ppc_mac__newworld.c
              patch-hw_ppc_mac__oldworld.c patch-memory.c patch-slirp_tcp__subr.c
  Added Files:
          pkgsrc/emulators/qemu/patches: patch-hw_misc_ivshmem.c

  Log Message:
  Update to 2.6.0

  Changelog:
  System emulation
  Incompatible changes

      The aio=native option to "-drive" now requires the cache=none option, instead of silently disabling itself for other cache modes. The newly invalid combination had been warning since QEMU 2.3.
      Specifying block device parameter aio=native is now an error on POSIX systems if qemu is compiled without libaio support. The newly invalid combination had been warning since QEMU 2.3.
      The experimental x-drive option for the sdhci-pci device has been removed. Instead of passing a drive directly to the SD controller device you now must create an SD card object (which will
  automatically be plugged into the SD controller), so "-device sdhci-pci,x-drive=mydrive -drive id=mydrive,[...]" becomes "-device sdhci-pci -device sd-card,drive=mydrive -drive id=mydrive,[...]".
      The s390-virtio machine has been removed.
      Machine types pc-q35-1.4, pc-q35-1.5, pc-q35-1.6, pc-q35-1.7, pc-q35-2.0, pc-q35-2.1, pc-q35-2.2 and pc-q35-2.3 have been removed.
      The "virt" machine type's flash device has changed when TrustZone is active ("-machine virt,secure=on"). The first flash device is only available in secure memory, while the second is available
  in non-secure memory too.

  Future incompatible changes

      Three options are using different names on the command line and in configuration file. In particular:
          The "acpi" configuration file section matches command-line option "acpitable";
          The "boot-opts" configuration file section matches command-line option "boot";
          The "smp-opts" configuration file section matches command-line option "smp".

      -readconfig will standardize on the name for the command line option.

      Behavior of automatic calculation of SMP topology when some SMP topology options for -smp are omitted (sockets, cores, threads) will change in the future. If guest ABI needs to be preserved on
  upgrades while using the SMP topology options, users should either set all options explicitly (sockets, cores, threads), or omit all of them.
      The original qcow2 image encryption is fatally flawed, and support for it will be disabled entirely from the system emulators. It'll remain available only in command line tools qemu-img, qemu-io,
  qemu-nbd to facilitate data liberation. It is recommended to use 'qemu-img convert' to convert qcow2 encrypted images to uncrypted ones. The new LUKS encryption driver can provide a secure
  replacement if raw files are acceptable, while a future release will integrate luks into qcow2 natively.
      A few devices will be configured with explicit properties instead of implicitly. Unlikely to affect users; for the full list, see the 2.3 ChangeLog.
      QMP command blockdev-add is still a work in progress. It doesn't support all block drivers, it lacks a matching blockdev-del, and more. It might change incompatibly.

  ARM

      Support for a separate EL3 address space
      System mode supports BE8 and BE32. Note that qemu-system-arm can emulate both big-endian and little-endian guests (unlike user-mode emulation which has separate qemu-arm and qemu-armeb binaries).
      Support for the SETEND instruction, used most notably on Raspbian through the arm-mem library (previously known as libcofi).
      Faster boot thanks to DMA support in fw_cfg
      The "virt" machine type supports a virtual power button and the "system_powerdown" monitor command
      The "virt" machine type supports configuring network cards with -nic in addition to -netdev
      The RAM limit for the "virt" machine type is now 255GB
      The "xlnz-zynqmp" machine type now includes SPI controllers
      The "xlnx-ep108" machine type now supports SPI flash
      New partial Raspberry Pi 2 emulation with "raspi2" machine type. For now, it can boot older releases of Windows and Raspbian, but lacks a number of devices including USB.
      New palmetto-bmc machine type using the new, partial ASPEED AST2400 SoC implementation

  KVM

      Support for guest debugging (software and hardware breakpoints, single step) on AArch64

  MIPS

      Support for FPU and MSA in KVM guests
      Support for R6 Virtual Processors
      Initial support for Cluster Power Controller and Global Configuration Registers allowing the guest to control the start of Virtual Processors
      Support for Inter-Thread Communication Unit
      Support for MAAR registers in P5600 CPU

  PowerPC

      Improved support for migration of g3beige and mac99 machines
      Fix serial ports for g3beige and mac99 machines (OpenBIOS)
      The gdb stub supports the VSX instruction set extensions

  pSeries

      pSeries machine types starting at pseries-2.6 use XHCI as the USB host controller instead of OHCI
      Support for more hypercalls (H_SET_SPRG0, H_SET_DABR, H_SET_XDABR and H_PAGE_INIT)
      Support for EEH on assigned PCI devices can use the normal spapr-pci-host-bridge instead of the special spapr-pci-vfio-host-bridge.

  s390

      Fixes and improvements in s390x PCI support
      Support for hotplug of s390x cpus via cpu-add
      Support for booting from virtio-scsi devices in the s390-ccw bios

  SH
  SPARC

      sun4m: Fix for ldstub instruction resolves several 32-bit Solaris bugs (MUTEX_HELD hang, libC error, Java WebStart segfault)
      sun4u: FreeBSD 10.3+ can now run under qemu-system-sparc64 in -nographic mode

  TileGX
  Tricore

      Support for context management, illegal opcode and opd traps
      Support for FPU instructions

  x86
  TCG

      Support for the XSAVE/XSAVEOPT, MPX, FSGSBASE and PKE features

  KVM

      Support for "split irqchip". In this mode, QEMU emulates the IOAPIC, PIC (i8259) and PIT (i8254) devices while leaving the local APIC emulation to the kernel. This mode reduces the attack surface
  of KVM.
      Support for the new PKU feature found in some Skylake processors
      Support for migrating the TSC rate

  Xen
  Q35

      Support resume (S3)
      Support for legacy Windows guests (XP/2003)

  Device emulation and assignment

      New IPMI emulation subsystem. QEMU can now emulate an internal BMC or attach to an external BMC simulator such as OpenIPMI's lanserv. IPMI however is not yet exposed in SMBIOS and ACPI tables (do
  we want to docume?)
      FIXME: what's the state of nvdimm?

  ACPI

      The floppy disk controller's characteristics are now exposed in the ACPI tables, which makes it possible to use floppies on Windows together with UEFI firmware.

  Block devices

      The floppy disk consk or an empty disk to a 2.88 MB disk
      Improved compatibility of the SD device model with various operating systems and firmwares
      The NVMe device supports the "bootindex" property.
      The SDHCI device supports reset.

    ivshmem

      No longer available on hosts lacking eventfd(2), because inter-vm interrupts don't work there
      New devices ivshmem-plain and ivshmem-doorbell, fully backwards compatible for guests, notable differences to ivshmem:
          PCI revision is 1 instead of 0
          ivshmem role=master becomes master=on, role=peer becomes master=off
          ivshmem x-memdev=ID becomes ivshmem-plain memdev=ID
          ivshmem shm=NAME,size=SZ becomes ivshmem-plain memdev=ID, with -object memory-backend-file,id=ID,mem-path=/dev/mem/NAME,size=SZ,share
          ivshmem chardev=ID becomes ivshmem-doorbell,chardev=ID
          Property ioeventfd defaults to on instead of off
          ivshmem-plain never has MSI-X capability, and ivshmem-doorbell always has MSI-X capability
      Device ivshmem is deprecated, and its experimental property x-memdev is gone
      Interrupting a peer that reuses an unplugged peer's ID works again (broken in v1.2.0)
      Unplug no longer destroys the character device, for consistency with other devices
      The funny "no shared memory, yet" state is no longer guest-visible, and can no longer fail or mess up migration
          Guests may require PCI revision 1 to make sure they're not exposed to the funny state
      docs/specs/ivshmem-spec.txt rewritten for completeness and accuracy.

  SCSI

      Support for the LSI SAS1068 HBA (also known as "MPT Fusion"). Note that some operating systems will not recognize disks attached to this adapter, unless the disks are assigned a world-wide name
  (WWN).

  PCI/PCIe

      PCIe Multi-root support (using the new pxb-pcie root-complex)

  USB

      MTP: initial support for events

  VFIO

      Support for AMD XGBE platform passthrough
      New sysfsdev property provides a more general way to specify the device to attach to.
      Provided PCI option ROMs are fixed to include the same vendor and device id as the device exposed to the guest. This facilitates changing the ids of the devices.

  virtio

      Performance improvements via optimized vring accesses
      The balloon driver statistics now include the amount of available memory (corresponding to "Available" in /proc/meminfo for Linux guests).

  Character devices

      The socket character device backend can now enable TLS over TCP connections, acting either as a TLS server:

  $QEMU -object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=server \
        -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0,server \
        -device isa-serial,chardev=s0 \
        ...other args...

  or a TLS client:

  $QEMU -object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=client \
        -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0 \
        -device isa-serial,chardev=s0 \
        ...other args...

  If operating in server mode, the same set of TLS credentials can be used for both character devices and the VNC server

      All character devices can have their output logged to a plain file

  $QEMU -chardev stdio,id=mon0,logfile=monitor.log \
        -mon chardev=mon0 \
        ...other args...

  will result in logging of all output on the HMP monitor. The logappend parameter controls whether the file is truncated at startup, defaulting to append.

  GUI

      SDL2 and SPICE now support OpenGL and virgl. For SPICE, Unix sockets are the only usable transport when OpenGL is enabled.
      The "-vnc" and "-display vnc" options support ipv4=off and ipv6=off. Previously, only "ipv4" and "ipv6" were available.
      Support getting input events directly from linux evdev devices, using "-object input-linux,id=$name,evdev=/dev/input/event$nr"
      Support for ncurses on Windows.

  Monitor

      Support for a new "detach" option to "dump-guest-memory". The option dumps memory in the background. Progress can be queried using the new commands "info dump" (human monitor) and "query-dump"
  (QMP), as well as through the QMP event DUMP_COMPLETED.
      Support for a new command "input-send-event" replacing the previous experimental command "x-input-send-event".
      The human monitor command "drive_add -n" allows creating block devices that do not have a BlockBackend (similar to QMP blockdev-add).

  Migration

      Postcopy is not experimental anymore; the x-postcopy-ram capability was renamed to postcopy-ram.

  Network

      SLIRP now supports IPv6 for ICMP, UDP, TCP and TFTP.
      mirror filter which can mirror traffic from netdev to socket chardev, vice versa.
      redirector filter which can redirect traffic from netdev to socket chardev, vice versa.

  Secret passing system

  There is a new standard mechanism for securely passing secret credentials to QEMU, which will be used in combination with other subsystems. For example, network block device passwords, block device
  decryption passphrases, or TLS private key passwords can all use the same mechanism.

      Passing credentials inline (insecure, only for developer testing)

  $QEMU -object secret,id=sec0,data=letmein

      Passing credentials via a plain file

  $QEMU -object secret,id=sec0,file=mypassword.txt

      Passing credentials via a base64 encoded file

  $QEMU -object secret,id=sec0,file=mypassword.txt,format=base64

      Passing credentials inline, encrypted with a master key (recommended for management apps)

    $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \
          -object secret,id=sec0,data=[base64 ciphertext],\
                  keyid=master0,iv=[base64 IV],format=base64

  TLS credential handling

  It is now possible to use encrypted TLS private keys with credentials for TLS servers/clients in QEMU. The password for unlocking the private key is provided by a secret object whose id is specified
  via the 'passwordid' property

  $QEMU -object secret,id=tlskey0,file=mypassword.txt \
        -object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=server,passwordid=tlskey0 \
        ...other args...

  Block devices

      Block device throttling now supports specifying a burst length as well. While previously the burst could only be specified as a total number of IOPS (e.g. 10000 IOPS), more complex specifications
  such as "10000 IOPS for 10 seconds" are now possible. Note that, because of the implementation of the algorithm, a guest that is allowed "10000 IOPS for 10 seconds" will also be allowed to perform
  for example 5000 IOPS for 20 seconds.
      The curl block device driver now supports HTTP authentication and HTTP proxy authentication via the new properties 'username', 'password-secret', 'proxy-username' and 'proxy-password-secret'.

  $QEMU -object secret,id=sec0,file=password.txt \
        -object secret,id=sec1,file=proxy-password.txt \
        -drive driver=http,host=localhost,port=443,username=fred,password-secret=sec0,proxy-username=bob,proxy-password-secret=sec1 \
        ...other args...

      The RBD block device driver can now use the secret object type to securely receive the authentication password without exposing it in the command line args

  $QEMU -object secret,id=sec0,file=password.b64,format=base64 \
        -drive driver=rbd,filename=rbd:pool/image:id=myname:auth_supported=cephx,password-secret=sec0 \
        ...other args...

      The iSCSI block device driver can now use the secret object type to securely receive the authentication password without exposing it in the command line args

  $QEMU -object secret,id=sec0,file=password.txt \
        -iscsi user=fred,password-secret=sec0 \
        -drive file=iscsi://192.168.122.1:3260/iqn.2013-12.com.example%3Aiscsi-chap-netpool/1

  NB this syntax requires that all iSCSI backed drives use the same password

      The qemu-io tool gained support for new '--object' and '--image-opts' arguments. The --object argument allows 'secret' and 'tls-creds-x509' objects to be defined for use in association with a
  block device backend. The '--image-opts' argument instructs qemu-io to parse the image string as a set of image options, instead of a plain filename. For example, to connect qemu-io to an NBD server
  using TLS

  qemu-io -c "read 0 512" \
          --object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=client \
          --image-opts driver=nbd,host=localhost,port=10809,tls-creds=tls0

      The qemu-nbd tool gained support for new '--object' and '--image-opts' arguments. The --object argument allows 'secret' and 'tls-creds-x509' objects to be defined for use in association with a
  block device backend or the NBD server. The '--image-opts' argument instructs qemu-io to parse the image string as a set of image options, instead of a plain filename. For example, to connect
  qemu-nbd to an HTTP server with authentication and export it over NBD using TLS

  qemu-nbd --readonly \
            --object secret,id=sec0,file=passwd.txt \
            --object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=server \
            --image-opts driver=http,url=http://some.random.host/some/image,username=fred,password-secret=sec0

      The qemu-img tool gained support for new '--object' and '--image-opts' arguments. The --object argument allows 'secret' and 'tls-creds-x509' objects to be defined for use in association with a
  block device backend or the NBD server. The '--image-opts' argument instructs qemu-io to parse the image string as a set of image options, instead of a plain filename. For example, to a remote HTTP
  server with authentication

  qemu-img info --object secret,id=sec0,file=passwd.txt \
                --image-opts driver=http,url=http://some.random.host/some/image,username=fred,password-secret=sec0

      Support for deleting snapshots on Sheepdog devices.
      The NBD client and server now support use of TLS. When enabled, the server will mandate that the client also enable TLS and drop any client which attempts to continue in plain text. To run a
  qemu-nbd server with TLS:

  qemu-nbd --object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=server \
            --tls-creds tls0 \
            /path/to/disk/image

  To connect to a server that requires TLS with qemu-img:

  qemu-img info --object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=client \
                --image-opts driver=nbd,host=localhost,port=10809,tls-creds=tls0

  To start a VM pointing to the NBD server

  $QEMU -object tls-creds-x509,id=tls0,dir=$HOME/.pki/qemutls,endpoint=client \
        -drive driver=nbd,host=localhost,port=10809,tls-creds=tls0 \
        ...other args...

      The NBD server gained support for specifying an export name. When the client negotiates use of the new style NBD protocol the default export name is "". The --exportname argument allows this to
  be customized:

  qemu-nbd --exportname myvol  /path/to/myvol.qcow2

      QEMU gained support for volumes formatted with the LUKSv1 data format. To format a new LUKS volume

  qemu-img create -f luks \
                  --object secret,id=sec0,file=passphrase.txt \
                  -o key-secret=sec0 \
                  demo.luks 10G

  To boot a guest from a LUKS volume:

  $QEMU -object secret,id=sec0,file=passphrase.txt \
        -drive driver=luks,key-secret=sec0,file=demo.luks \
        ...other args...

  The LUKS implementation is intended to be compatible with that used by cryptsetup/dm-crypt, so it should be possible to use disk images interchangeably between them. The only caveat is that some less
  common cipher/hash algorithms are not yet supported by QEMU. It is also not yet possible to manage key-slots with qemu-img.

  TCG

      Record/replay support extended to cover character devices.

  Tracing

      The "stderr" tracing backend was replaced by the "log" tracing backend, which is now the default. This backend prints tracing messages to the destination specified with the "-D" option.
      In addition to the existing "-trace file=...", tracepoints can be enabled using "-trace [enable=]...". The new option also supports globbing, as in "-trace bdrv_aio_*".
      In addition to the existing "-trace file=...", tracepoints can be enabled using "-d trace:...". This option also supports globbing, as in "-d trace:bdrv_aio_*".
      When using "-daemonize", the "-D" option also provides the file to which QEMU's stderr output will be redirected.
      TCG supports a new "-dfilter" option to limit exec, out_asm, op and op_opt logging to a range of guest physical addresses. ARM also applies the filter to in_asm logging; this will be extended to
  other targets in future releases (FIXME: probably should do it now instead...)
      A "%d" substring in the log file name is replaced with QEMU's pid.

  User-mode emulation

      The default CPU for ppc64 and ppc64le is now POWER8

(bsiegert)

2016-05-19 12:56:31 UTC pkgsrc-2016Q1

Pullup ticket #5015 - requested by sevan
www/firefox: security fix

Revisions pulled up:
- www/firefox/Makefile                                          1.249-1.250
- www/firefox/PLIST                                            1.105-1.106
- www/firefox/distinfo                                          1.242-1.243
- www/firefox/mozilla-common.mk                                1.73
- www/firefox/patches/patch-aa                                  1.45
- www/firefox/patches/patch-config_external_moz.build          1.11
- www/firefox/patches/patch-config_system-headers              1.18
- www/firefox/patches/patch-dom_media_gstreamer_GStreamerAllocator.cpp deleted
- www/firefox/patches/patch-dom_media_moz.build                1.3
- www/firefox/patches/patch-gfx_skia_generate__mozbuild.py      1.4
- www/firefox/patches/patch-gfx_skia_moz.build                  1.11
- www/firefox/patches/patch-gfx_skia_skia_src_core_SkUtilsArm.cpp 1.2
- www/firefox/patches/patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp deleted
- www/firefox/patches/patch-gfx_skia_skia_src_opts_memset.arm.S deleted
- www/firefox/patches/patch-gfx_thebes_moz.build                1.3
- www/firefox/patches/patch-media_libcubeb_src_cubeb.c          1.3
- www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c    1.14
- www/firefox/patches/patch-media_libcubeb_src_moz.build        1.7
- www/firefox/patches/patch-media_libtheora_moz.build          1.5
- www/firefox/patches/patch-pb                                  deleted
- www/firefox/patches/patch-pc                                  deleted
- www/firefox/patches/patch-toolkit_library_moz.build          1.5
- www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_moz.build 1.5

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Wed Apr 13 20:37:33 UTC 2016

  Modified Files:
          pkgsrc/www/firefox: Makefile PLIST distinfo

  Log Message:
  Update to 45.0.2

  Changelog:
  Fixed:
      Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
      Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
      Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)
      Fix a crash impacting the video playback with Media Source Extension (1258562)
      Fix a regression impacting some specific uploads (1255735)

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Wed Apr 27 16:22:40 UTC 2016

  Modified Files:
          pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
          pkgsrc/www/firefox/patches: patch-aa patch-config_external_moz.build
              patch-config_system-headers patch-dom_media_moz.build
              patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build
              patch-gfx_skia_skia_src_core_SkUtilsArm.cpp
              patch-gfx_thebes_moz.build patch-media_libcubeb_src_cubeb.c
              patch-media_libcubeb_src_cubeb__alsa.c
              patch-media_libcubeb_src_moz.build patch-media_libtheora_moz.build
              patch-toolkit_library_moz.build
              patch-xpcom_reflect_xptcall_md_unix_moz.build

  Removed Files:
          pkgsrc/www/firefox/patches:
              patch-dom_media_gstreamer_GStreamerAllocator.cpp
              patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp
              patch-gfx_skia_skia_src_opts_memset.arm.S patch-pb patch-pc

  Log Message:
  Update to 46.0

  * Drop buildlink to gstreamer1

  Changelog:
  New
      Improved security of the JavaScript Just In Time (JIT) Compiler
      GTK3 integration (GNU/Linux only)

  Fixed
      Correct rendering for scaled SVGs that use a clip and a mask
      Various security fixes
      Screen reader behavior with blank spaces in Google Docs corrected

  Changed
      WebRTC fixes to improve performance and stability

  Developer
      Display dominator trees in Memory tool
      Allocation and garbage collection pause profiling in the performance panel
      Launch responsive mode from the Style Editor @media sidebar

  HTML5
      Added support for document.elementsFromPoint
      Added HKDF support for Web Crypto API

  Fixed in Firefox 46
      2016-48 Firefox Health Reports could accept events from untrusted domains
      2016-47 Write to invalid HashMap entry through JavaScript.watch()
      2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
      2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
      2016-44 Buffer overflow in libstagefright with CENC offsets
      2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
      2016-42 Use-after-free and buffer overflow in Service Workers
      2016-41 Content provider permission bypass allows malicious application to access data
      2016-40 Privilege escalation through file deletion by Maintenance Service updater
      2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

(bsiegert)

2016-05-19 12:55:30 UTC pkgsrc-2016Q1

Pullup ticket #5014 - requested by sevan
devel/xulrunner38: security fix
www/firefox38: security fix

Revisions pulled up:
- devel/xulrunner38/Makefile                                    1.8
- devel/xulrunner38/PLIST                                      1.2
- www/firefox38/Makefile                                        1.19
- www/firefox38/distinfo                                        1.17

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Wed Apr 27 21:21:18 UTC 2016

  Modified Files:
          pkgsrc/www/firefox38: Makefile distinfo

  Log Message:
  Update to 38.8.0

  Changelog:
  Fixed in Firefox ESR 38.8
      2016-47 Write to invalid HashMap entry through JavaScript.watch()
      2016-44 Buffer overflow in libstagefright with CENC offsets
      2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
      2016-36 Use-after-free during processing of DER encoded keys in NSS
      2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
      2016-15 Use-after-free in NSS during SSL connections in low memory
      2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Wed May  4 09:56:26 UTC 2016

  Modified Files:
          pkgsrc/devel/xulrunner38: Makefile PLIST

  Log Message:
  Update to 38.8.0

  * Sync with firefox38-38.8.0

(bsiegert)

2016-05-13 14:53:20 UTC pkgsrc-2016Q1

Pullup tickets #5009 to #5012.

(bsiegert)

2016-05-13 14:50:48 UTC pkgsrc-2016Q1

Pullup ticket #5012 - requested by taca
www/typo3_62: security fix

Revisions pulled up:
- www/typo3_62/Makefile                                        1.15
- www/typo3_62/PLIST                                            1.11
- www/typo3_62/distinfo                                        1.13

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat May  7 03:12:38 UTC 2016

  Modified Files:
  pkgsrc/www/typo3_62: Makefile PLIST distinfo

  Log Message:
  Update typo3_62 package to 6.2.22 (TYPO3 6.2.22 LTS).
  6.2.20 contains security fix.

  2016-04-26  412080d                  [RELEASE] Release of TYPO3 6.2.22 (TYPO3 Release Team)
  2016-04-26  1adf60b  #75860          [BUGFIX] Double encoding in image title-tag (Frank Naegler)
  2016-04-25  ec7b229  #75519          [BUGFIX] Remember not rendered checkboxes in TCA treeSelect (Frans Saris)
  2016-04-20  576677d  #73735          [BUGFIX] Check if folder is within the filemount (Frans Saris)
  2016-04-18  8513140  #75548          [BUGFIX] RTE: Show content of link style dropdown again (Markus Klein)
  2016-04-18  aed3061  #73567          [BUGFIX] Ignore cURL proxy header block (Albrecht Köhnlein)
  2016-04-12  0dd0ce1                  [TASK] Set TYPO3 version to 6.2.22-dev (TYPO3 Release Team)

  2016-04-12  cd53673                  [RELEASE] Release of TYPO3 6.2.21 (TYPO3 Release Team)
  2016-04-12  5645614  #75541          [BUGFIX] Add missing bracket in EXT:rtehtmlarea to fix syntax error (Andreas Fernandez)
  2016-04-12  c236b4d                  [TASK] Set TYPO3 version to 6.2.21-dev (TYPO3 Release Team)

  2016-04-12  efbf8a9                  [RELEASE] Release of TYPO3 6.2.20 (TYPO3 Release Team)
  2016-04-12  1fcfd5b  #75055          [SECURITY] Disallow login with empty password (Nicole Cordes)
  2016-04-12  5a8e0a1  #28175          [SECURITY] Limit user access in workspace previews (Nicole Cordes)
  2016-04-12  c6dcf83  #51908          [SECURITY] Prevent XSS in ElementBrowser (Markus Klein)
  2016-04-12  ef368ac  #75164          [SECURITY] Prevent XSS in SelectMultipleSideBySideElement (Nicole Cordes)
  2016-04-12  e7ca585  #73459          [SECURITY] Fix arbitrary file disclosure in form extension (Steffen Müller)
  2016-04-12  ab32091  #75022          [BUGFIX] Load XML files of Extension Manager properly (Andreas Fernandez)
  2016-04-07  ab3cc83  #74131          [BUGFIX] WinCache 2.0 and newer have no opcode cache (Alexander Opitz)
  2016-04-06  f5219a6  #75423          [TASK] Allow installation of composer installers 1.2.x (Helmut Hummel)
  2016-04-04  08ef6cd  #69773          [BUGFIX] Warning when clearing all caches from within install tool (Bernhard Kraft)
  2016-03-31  d5d3832  #75273          [TASK] Loosen version constraint for TYPO3 CMS Composer Installers (Christian Opitz)
  2016-03-31  ccea306  #73631          [BUGFIX] only trim leading slash from section name (Daniel Neugebauer)
  2016-03-30  c36eb54  #75156          [BUGFIX] Add reference count to delete message (Gianluigi Martino)
  2016-03-29  4b2594f  #75283          [BUGFIX] Use proper quotation in phpdoc of ExtensionManagementUtility::addService() (Andreas Fernandez)
  2016-03-29  d767d59  #75287          [BUGFIX] Fix typo in BooleanNode exception message (Sascha Egerer)
  2016-03-23  297a828  #75242          [BUGFIX] Use `modTSconfig` for default language label, if set (Andreas Fernandez)
  2016-03-12  c5cec73  #72606          [BUGFIX] Prevent TYPO3.settings in ajax requests (Nicole Cordes)
  2016-03-11  e9c6fb9  #74815          [TASK] Add unit tests for TYPO3SEARCH markers (Tymoteusz Motylewski)
  2016-03-10  7e934ec  #74508          [BUGFIX] Load XML files of t3editor properly (Andreas Fernandez)
  2016-03-06  25ee28e  #72225          [BUGFIX] Workspace page previews collide with generated preview links (Oliver Hader)
  2016-03-05  9db88b5  #74127          [BUGFIX] Ensure t3d compatibility for supported TYPO3 version (Nicole Cordes)
  2016-03-04  3fbe9cd  #70373          [BUGFIX] Adjust UserAgent checks in RTE to detect Edge correctly (Benjamin Kott)
  2016-03-04  54e3a4d  #71094          [TASK] Keep selected page active after save & close (Gianluigi Martino)
  2016-03-04  5ecde7c  #69346          [TASK] EXT:form - Update and optimize documentation (Björn Jacob)
  2016-03-03  b389089  #72886          [TASK] Add info about Apache version when using mod_filter (Eric Chavaillaz)
  2016-02-25  8060388  #73243          [BUGFIX] Stage buttons shown in frontend without user being responsible (Oliver Hader)

(bsiegert)

2016-05-13 14:49:20 UTC pkgsrc-2016Q1

Pullup ticket #5011 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                          1.18
- net/samba4/PLIST                                              1.7
- net/samba4/distinfo                                          1.10
- net/samba4/patches/patch-lib_nss__wrapper_wscript            deleted

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat May  7 03:09:33 UTC 2016

  Modified Files:
  pkgsrc/net/samba4: Makefile PLIST distinfo
  Removed Files:
  pkgsrc/net/samba4/patches: patch-lib_nss__wrapper_wscript

  Log Message:
  Update samba4 to 4.3.8, which contains security fix.

  This release fixes some regressions introduced by the last security fixes.
  Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
  bugs addressing these regressions and more information.

  Changes since 4.3.8:
  --------------------

  o  Jeremy Allison <jra@samba.org>
    * BUG 11742: lib: tevent: Fix memory leak when old signal action restored.
    * BUG 11771: lib: tevent: Fix memory leak when old signal action restored.
    * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
      bytes, should be 1.

  o  Andrew Bartlett <abartlet@samba.org>
    * BUG 11780: smbd: Only check dev/inode in open_directory, not the full
      stat().
    * BUG 11789: pydsdb: Fix returning of ldb.MessageElement.

  o  Berend De Schouwer <berend.de.schouwer@gmail.com>
    * BUG 11643: docs: Add example for domain logins to smbspool man page.

  o  Günther Deschner <gd@samba.org>
    * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.

  o  Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>
    * BUG 8093: access based share enum: Handle permission set in configuration
        files.

  o  Volker Lendecke <vl@samba.org>
    * BUG 11816: nwrap: Fix the build on Solaris.
    * BUG 11827: vfs_catia: Fix memleak.
    * BUG 11878: smbd: Avoid large reads beyond EOF.

  o  Stefan Metzmacher <metze@samba.org>
    * BUG 11622: libcli/smb: Make sure we have a body size of 0x31 before
      dereferencing an ioctl response.
    * BUG 11623: libcli/smb: Fix BUFFER_OVERFLOW handling in tstream_smbXcli_np.
    * BUG 11755: s3:libads: Setup the msDS-SupportedEncryptionTypes attribute on
      ldap_add.
    * BUG 11771: tevent: Version 0.9.28. Fix memory leak when old signal action
      restored.
    * BUG 11782: s3:winbindd: Don't include two '\0' at the end of the domain
      list.
    * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
    * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
    * BUG 11847: Only validate MIC if "map to guest" is not being used.
    * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
      option for testing.
    * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
    * BUG 11858: Allow anonymous smb connections.
    * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
    * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.

  o  Noel Power <noel.power@suse.com>
    * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.

  o  Garming Sam <garming@catalyst.net.nz>
    * BUG 11789: build: Mark explicit dependencies on pytalloc-util.

  o  Partha Sarathi <partha@exablox.com>
    * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
      infolevel.

  o  Jorge Schrauwen <sjorge@blackdot.be>
    * BUG 11816: configure: Don't check for inotify on illumos.

  o  Uri Simchoni <uri@samba.org>
    * BUG 11691: winbindd: Return trust parameters when listing trusts.
    * BUG 11753: smbd: Ignore SVHDX create context.
    * BUG 11763: passdb: Add linefeed to debug message.
    * BUG 11788: build: Fix disk-free quota support on Solaris 10.
    * BUG 11798: build: Fix build when '--without-quota' specified.
    * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
      is set.
    * BUG 11852: libads: Record session expiry for spnego sasl binds.

  o  Hemanth Thummala <hemanth.thummala@nutanix.com>
    * BUG 11740: Real memory leak(buildup) issue in loadparm.
    * BUG 11840: Mask general purpose signals for notifyd.

(bsiegert)

2016-05-13 12:33:51 UTC pkgsrc-2016Q1

Pullup ticket #5010 - requested by taca
net/ntp4: security fix

Revisions pulled up:
- net/ntp4/Makefile                                            1.92
- net/ntp4/PLIST                                                1.21
- net/ntp4/distinfo                                            1.26

---
  Module Name: pkgsrc
  Committed By: wen
  Date: Wed Apr 27 15:59:19 UTC 2016

  Modified Files:
  pkgsrc/net/ntp4: Makefile PLIST distinfo

  Log Message:
  Update to 4.2.8p7

  Upstream changes:
  (4.2.8p7) 2016/04/26 Released by Harlan Stenn <stenn@ntp.org>

  * [Sec 2901] KoD packets must have non-zero transmit timestamps.  HStenn.
  * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve
    time. Include passive servers in this check. HStenn.
  * [Sec 2945] Additional KoD packet checks.  HStenn.
  * [Sec 2978] Interleave can be partially triggered.  HStenn.
  * [Sec 3007] Validate crypto-NAKs.  Danny Mayer.
  * [Sec 3008] Always check the return value of ctl_getitem().
    - initial work by HStenn
    - Additional cleanup of ctl_getitem by perlinger@ntp.org
  * [Sec 3009] Crafted addpeer with hmode > 7 causes OOB error. perlinger@ntp.org
    - added more stringent checks on packet content
  * [Sec 3010] remote configuration trustedkey/requestkey values
    are not properly validated. perlinger@ntp.org
    - sidekick: Ignore keys that have an unsupported MAC algorithm
      but are otherwise well-formed
  * [Sec 3011] Duplicate IPs on unconfig directives will cause an assertion botch
    - graciously accept the same IP multiple times. perlinger@ntp.org
  * [Sec 3020] Refclock impersonation.  HStenn.
  * [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
    - fixed yet another race condition in the threaded resolver code.
  * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
  * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
    - integrated patches by Loganaden Velvidron <logan@ntp.org>
      with some modifications & unit tests
  * [Bug 2952] Symmetric active/passive mode is broken.  HStenn.
  * [Bug 2960] async name resolution fixes for chroot() environments.
    Reinhard Max.
  * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
  * [Bug 2995] Fixes to compile on Windows
  * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
  * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
    - Patch provided by Ch. Weisgerber
  * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
    - A change related to [Bug 2853] forbids trailing white space in
      remote config commands. perlinger@ntp.org
  * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
    - report and patch from Aleksandr Kostikov.
    - Overhaul of Windows IO completion port handling. perlinger@ntp.org
  * [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
    - fixed memory leak in access list (auth[read]keys.c)
    - refactored handling of key access lists (auth[read]keys.c)
    - reduced number of error branches (authreadkeys.c)
  * [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
  * [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
  * [Bug 3031] ntp broadcastclient unable to synchronize to a server
              when the time of server changed. perlinger@ntp.org
    - Check the initial delay calculation and reject/unpeer the broadcast
      server if the delay exceeds 50ms. Retry again after the next
      broadcast packet.
  * [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
  * Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
  * Update html/xleave.html documentation.  Harlan Stenn.
  * Update ntp.conf documentation.  Harlan Stenn.
  * Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
  * Fix typo in html/monopt.html.  Harlan Stenn.
  * Add README.pullrequests.  Harlan Stenn.
  * Cleanup to include/ntp.h.  Harlan Stenn.

  ---
  (4.2.8p6) 2016/01/20 Released by Harlan Stenn <stenn@ntp.org>

  * [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn.
  * [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
  * [Sec 2937] ntpq: nextvar() missing length check. perlinger@ntp.org
  * [Sec 2938] ntpq saveconfig command allows dangerous characters
    in filenames. perlinger@ntp.org
  * [Sec 2939] reslist NULL pointer dereference.  perlinger@ntp.org
  * [Sec 2940] Stack exhaustion in recursive traversal of restriction
    list. perlinger@ntp.org
  * [Sec 2942]: Off-path DoS attack on auth broadcast mode.  HStenn.
  * [Sec 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org
  * [Sec 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org
  * [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
  * [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
    - applied patch by shenpeng11@huawei.com with minor adjustments
  * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
  * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
  * [Bug 2892] Several test cases assume IPv6 capabilities even when
              IPv6 is disabled in the build. perlinger@ntp.org
    - Found this already fixed, but validation led to cleanup actions.
  * [Bug 2905] DNS lookups broken. perlinger@ntp.org
    - added limits to stack consumption, fixed some return code handling
  * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
    - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
    - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
  * [Bug 2980] reduce number of warnings. perlinger@ntp.org
    - integrated several patches from Havard Eidnes (he@uninett.no)
  * [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
    - implement 'auth_log2()' using integer bithack instead of float calculation
  * Make leapsec_query debug messages less verbose.  Harlan Stenn.
  * Disable incomplete t-ntp_signd.c test.  Harlan Stenn.

(bsiegert)

2016-05-13 12:25:35 UTC pkgsrc-2016Q1

Pullup ticket #5009 - requested by taca
www/squid3: security fix, build fix

Revisions pulled up:
- www/squid3/Makefile                                          1.65
- www/squid3/distinfo                                          1.51
- www/squid3/patches/patch-src_eui_Eui48.cc                    deleted

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun May  8 23:29:19 UTC 2016

  Modified Files:
  pkgsrc/www/squid3: Makefile distinfo
  Removed Files:
  pkgsrc/www/squid3/patches: patch-src_eui_Eui48.cc

  Log Message:
  Update squid3 to 3.5.19, 3.5.18 contains security fix.

  Changes to squid-3.5.19 (09 May 2016):

  - Regression Bug 4515: interception proxy hangs

  Changes to squid-3.5.18 (06 May 2016):

  - Bug 4510: stale comment about 32KB limit on shared memory cache entries
  - Bug 4509: EUI compile error on NetBSD
  - Bug 4501: HTTP/1.1: normalize Host header
  - Bug 4498: URL-unescape the login-info after extraction from URI
  - Bug 4455: SegFault from ESIInclude::Start
  - Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
  - Fix TLS/SSL server handshake alert handling

(bsiegert)

2016-05-12 19:06:50 UTC pkgsrc-2016Q1

Pullup tickets #4982 to #4989.

(bsiegert)

2016-05-11 16:19:33 UTC pkgsrc-2016Q1

Pullup ticket #4989 - requested by joerg
graphics/skencil: build fix

Revisions pulled up:
- graphics/skencil/Makefile                                    1.35
- graphics/skencil/distinfo                                    1.7
- graphics/skencil/patches/patch-ab                            1.4
- graphics/skencil/patches/patch-ad                            1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:59:27 UTC 2016

  Modified Files:
  pkgsrc/graphics/skencil: Makefile distinfo
  pkgsrc/graphics/skencil/patches: patch-ab patch-ad

  Log Message:
  Fix rpath for X11 libraries. Bump revision.

(bsiegert)

2016-05-11 16:19:22 UTC pkgsrc-2016Q1

Pullup ticket #4988 - requested by joerg
graphics/gdchart: build fix

Revisions pulled up:
- graphics/gdchart/Makefile                                    1.39
- graphics/gdchart/distinfo                                    1.13
- graphics/gdchart/patches/patch-ac                            1.9

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:58:49 UTC 2016

  Modified Files:
  pkgsrc/graphics/gdchart: Makefile distinfo
  pkgsrc/graphics/gdchart/patches: patch-ac

  Log Message:
  Fix rpath for X libraries.

(bsiegert)

2016-05-11 15:56:46 UTC pkgsrc-2016Q1

Pullup ticket #4986 - requested by joerg
games/xevil: build fix

Revisions pulled up:
- games/xevil/distinfo                                          1.11
- games/xevil/patches/patch-ah                                  1.3
- games/xevil/patches/patch-ai                                  1.3
- games/xevil/patches/patch-ao                                  1.4

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:57:54 UTC 2016

  Modified Files:
  pkgsrc/games/xevil: distinfo
  pkgsrc/games/xevil/patches: patch-ah patch-ai patch-ao

  Log Message:
  Ensure intptr_t is defined in various places.

(bsiegert)

2016-05-11 15:47:14 UTC pkgsrc-2016Q1

Pullup ticket #4987 - requested by joerg
games/darktable: build fix

Revisions pulled up:
- graphics/darktable/Makefile                                  1.62

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:58:25 UTC 2016

  Modified Files:
  pkgsrc/graphics/darktable: Makefile

  Log Message:
  Allow use of deprecated interfaces.

(bsiegert)

2016-05-11 15:35:40 UTC pkgsrc-2016Q1

Pullup ticket #4985 - requested by joerg
games/wormz: build fix

Revisions pulled up:
- games/wormz/Makefile                                          1.26

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:57:17 UTC 2016

  Modified Files:
  pkgsrc/games/wormz: Makefile

  Log Message:
  Not MAKE_JOBS_SAFE.

(bsiegert)

2016-05-11 15:34:28 UTC pkgsrc-2016Q1

Pullup ticket #4984 - requested by joerg
games/flightgear: build fix

Revisions pulled up:
- games/flightgear/distinfo                                    1.7
- games/flightgear/patches/patch-src_Canvas_ShivaVG_src_shDefs.h 1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:56:57 UTC 2016

  Modified Files:
  pkgsrc/games/flightgear: distinfo
  Added Files:
  pkgsrc/games/flightgear/patches: patch-src_Canvas_ShivaVG_src_shDefs.h

  Log Message:
  Disable legacy request as it actually breaks with semi-modern Mesa
  version.

(bsiegert)

2016-05-11 15:33:29 UTC pkgsrc-2016Q1

Pullup ticket #4983 - requested by joerg
devel/anjuta: build fix

Revisions pulled up:
- devel/anjuta/Makefile                                        1.125
- devel/anjuta/distinfo                                        1.28
- devel/anjuta/patches/patch-plugins_build-basic-autotools_build.c 1.3
- devel/anjuta/patches/patch-plugins_cvs-plugin_cvs-callbacks.c 1.1
- devel/anjuta/patches/patch-plugins_cvs-plugin_cvs-execute.c  1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:55:21 UTC 2016

  Modified Files:
  pkgsrc/devel/anjuta: Makefile distinfo
  pkgsrc/devel/anjuta/patches:
      patch-plugins_build-basic-autotools_build.c
  Added Files:
  pkgsrc/devel/anjuta/patches: patch-plugins_cvs-plugin_cvs-callbacks.c
      patch-plugins_cvs-plugin_cvs-execute.c

  Log Message:
  Drop extra format string arguments. Disable zero length format string
  warning from GCC.

(bsiegert)

2016-05-11 15:30:34 UTC pkgsrc-2016Q1

Pullup ticket #4982 - requested by joerg
devel/xulrunner10: build fix

Revisions pulled up:
- devel/xulrunner10/distinfo                                    1.20
- devel/xulrunner10/patches/patch-config_system-headers        1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:54:34 UTC 2016

  Modified Files:
  pkgsrc/devel/xulrunner10: distinfo
  Added Files:
  pkgsrc/devel/xulrunner10/patches: patch-config_system-headers

  Log Message:
  Wrap tttables as seen on netbsd-7.

(bsiegert)

2016-05-11 15:08:06 UTC pkgsrc-2016Q1

Pullup tickets #4979, #4980, #4981 and #5013.

(bsiegert)

2016-05-11 15:04:17 UTC pkgsrc-2016Q1

Pullup ticket #5013 - requested by taca
security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile                                    1.223
- security/openssl/PLIST.common                                1.29
- security/openssl/distinfo                                    1.122

---
  Module Name: pkgsrc
  Committed By: jperkin
  Date: Tue May  3 14:51:17 UTC 2016

  Modified Files:
  pkgsrc/security/openssl: Makefile PLIST.common distinfo

  Log Message:
  Update security/openssl to version 1.0.2h.

  Changes between 1.0.2g and 1.0.2h [3 May 2016]

  *) Prevent padding oracle in AES-NI CBC MAC check

    A MITM attacker can use a padding oracle attack to decrypt traffic
    when the connection uses an AES CBC cipher and the server supports
    AES-NI.

    This issue was introduced as part of the fix for Lucky 13 padding
    attack (CVE-2013-0169). The padding check was rewritten to be in
    constant time by making sure that always the same bytes are read and
    compared against either the MAC or padding bytes. But it no longer
    checked that there was enough data to have both the MAC and padding
    bytes.

    This issue was reported by Juraj Somorovsky using TLS-Attacker.
    (CVE-2016-2107)
    [Kurt Roeckx]

  *) Fix EVP_EncodeUpdate overflow

    An overflow can occur in the EVP_EncodeUpdate() function which is used for
    Base64 encoding of binary data. If an attacker is able to supply very large
    amounts of input data then a length check can overflow resulting in a heap
    corruption.

    Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
    the PEM_write_bio* family of functions. These are mainly used within the
    OpenSSL command line applications, so any application which processes data
    from an untrusted source and outputs it as a PEM file should be considered
    vulnerable to this issue. User applications that call these APIs directly
    with large amounts of untrusted data may also be vulnerable.

    This issue was reported by Guido Vranken.
    (CVE-2016-2105)
    [Matt Caswell]

  *) Fix EVP_EncryptUpdate overflow

    An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
    is able to supply very large amounts of input data after a previous call to
    EVP_EncryptUpdate() with a partial block then a length check can overflow
    resulting in a heap corruption. Following an analysis of all OpenSSL
    internal usage of the EVP_EncryptUpdate() function all usage is one of two
    forms. The first form is where the EVP_EncryptUpdate() call is known to be
    the first called function after an EVP_EncryptInit(), and therefore that
    specific call must be safe. The second form is where the length passed to
    EVP_EncryptUpdate() can be seen from the code to be some small value and
    therefore there is no possibility of an overflow. Since all instances are
    one of these two forms, it is believed that there can be no overflows in
    internal code due to this problem. It should be noted that
    EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
    Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
    of these calls have also been analysed too and it is believed there are no
    instances in internal usage where an overflow could occur.

    This issue was reported by Guido Vranken.
    (CVE-2016-2106)
    [Matt Caswell]

  *) Prevent ASN.1 BIO excessive memory allocation

    When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
    a short invalid encoding can cause allocation of large amounts of memory
    potentially consuming excessive resources or exhausting memory.

    Any application parsing untrusted data through d2i BIO functions is
    affected. The memory based functions such as d2i_X509() are *not* affected.
    Since the memory based functions are used by the TLS library, TLS
    applications are not affected.

    This issue was reported by Brian Carpenter.
    (CVE-2016-2109)
    [Stephen Henson]

  *) EBCDIC overread

    ASN1 Strings that are over 1024 bytes can cause an overread in applications
    using the X509_NAME_oneline() function on EBCDIC systems. This could result
    in arbitrary stack data being returned in the buffer.

    This issue was reported by Guido Vranken.
    (CVE-2016-2176)
    [Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername
    callback, such that updates to the SSL_CTX affect ALPN.
    [Todd Short]

  *) Remove LOW from the DEFAULT cipher list.  This removes single DES from the
    default.
    [Kurt Roeckx]

  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
    methods are enabled and ssl2 is disabled the methods return NULL.
    [Kurt Roeckx]

(bsiegert)

2016-05-11 14:55:16 UTC pkgsrc-2016Q1

Pullup ticket #4981 - requested by joerg
devel/xulrunner192: build fix

Revisions pulled up:
- devel/xulrunner192/distinfo                                  1.22
- devel/xulrunner192/patches/patch-config_system-headers        1.1
- devel/xulrunner192/patches/patch-nsprpub_config_make-system-wrappers.pl deleted

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:54:16 UTC 2016

  Modified Files:
  pkgsrc/devel/xulrunner192: distinfo
  Added Files:
  pkgsrc/devel/xulrunner192/patches: patch-config_system-headers
  Removed Files:
  pkgsrc/devel/xulrunner192/patches:
      patch-nsprpub_config_make-system-wrappers.pl

  Log Message:
  Drop old system wrapper script hack. Adjust wrapper list to include
  tttable as seen on netbsd-7.

(bsiegert)

2016-05-11 14:54:02 UTC pkgsrc-2016Q1

Pullup ticket #4980 - requested by joerg
devel/elftoolchain: build fix

Revisions pulled up:
- devel/elftoolchain/Makefile                                  1.11

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:52:44 UTC 2016

  Modified Files:
  pkgsrc/devel/elftoolchain: Makefile

  Log Message:
  Disable various noisy warnings for GCC too. Adjust clang handling to
  also work directly with bootstrap-mk-files.

(bsiegert)

2016-05-10 15:56:16 UTC pkgsrc-2016Q1

Pullup ticket #4979 - requested by joerg
audio/ibniz: build fix

Revisions pulled up:
- audio/ibniz/Makefile                                          1.3
- audio/ibniz/distinfo                                          1.3
- audio/ibniz/patches/patch-Makefile                            1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:48:57 UTC 2016

  Modified Files:
  pkgsrc/audio/ibniz: Makefile distinfo
  Added Files:
  pkgsrc/audio/ibniz/patches: patch-Makefile

  Log Message:
  Needs X11BASE/lib in rpath. Bump revision.

(bsiegert)

2016-05-08 17:00:57 UTC pkgsrc-2016Q1

Pullup requests up to #4978.

(bsiegert)

2016-05-08 16:58:55 UTC pkgsrc-2016Q1

Pullup ticket #4978 - requested by joerg
time/fet: build fix

Revisions pulled up:
- time/fet/Makefile                                            1.14
- time/fet/distinfo                                            1.7
- time/fet/patches/patch-src_src.pro                            1.1

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:46:14 UTC 2016

  Modified Files:
  pkgsrc/time/fet: distinfo
  Added Files:
  pkgsrc/time/fet/patches: patch-src_src.pro

  Log Message:
  Add X11 rpath to qmake configuration.

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 09:46:37 UTC 2016

  Modified Files:
  pkgsrc/time/fet: Makefile

  Log Message:
  Bump revision for rpath fix.

(bsiegert)

2016-05-08 16:54:11 UTC pkgsrc-2016Q1

Pullup ticket #4977 - requested by joerg
www/aws-demos: build fix

Revisions pulled up:
- www/aws-demos/Makefile                                        1.16
- www/aws/buildlink3.mk                                        1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat May  7 03:49:21 UTC 2016

  Modified Files:
  pkgsrc/www/aws: buildlink3.mk
  pkgsrc/www/aws-demos: Makefile

  Log Message:
  Use build option framework to not randomly vomit on the console.

(bsiegert)

2016-05-08 14:30:20 UTC pkgsrc-2016Q1

Pullup ticket #4976 - requested by joerg
chat/ktp-contact-runner: build fix
chat/ktp-filetransfer-handler: build fix
chat/ktp-kded-integration-module: build fix
chat/ktp-send-file: build fix

Revisions pulled up:
- chat/ktp-contact-runner/Makefile                              1.4
- chat/ktp-filetransfer-handler/Makefile                        1.4
- chat/ktp-kded-integration-module/Makefile                    1.4
- chat/ktp-send-file/Makefile                                  1.4

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Fri May  6 11:49:08 UTC 2016

  Modified Files:
  pkgsrc/chat/ktp-contact-runner: Makefile
  pkgsrc/chat/ktp-filetransfer-handler: Makefile
  pkgsrc/chat/ktp-kded-integration-module: Makefile
  pkgsrc/chat/ktp-send-file: Makefile

  Log Message:
  Requires msgfmt to build.

(bsiegert)

2016-05-08 14:27:23 UTC pkgsrc-2016Q1

Pullup ticket #4974 - requested by taca
lang/php70: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.135
- lang/php70/distinfo                                          1.9
- lang/php70/patches/patch-configure                            1.3
- lang/php70/patches/patch-ext_opcache_config.m4                deleted
- lang/php70/patches/patch-ext_standard_php__dns.h              1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May  2 13:09:49 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php70: distinfo
  pkgsrc/lang/php70/patches: patch-configure
      patch-ext_standard_php__dns.h
  Removed Files:
  pkgsrc/lang/php70/patches: patch-ext_opcache_config.m4

  Log Message:
  Update php70 to 7.0.6.

  pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
  pkgsrc-users@.

  28 Apr 2016 PHP 7.0.6

  - Core:
    . Fixed bug #71930 (_zval_dtor_func: Assertion `(arr)->gc.refcount <= 1'
      failed). (Laruence)
    . Fixed bug #71922 (Crash on assert(new class{})). (Nikita)
    . Fixed bug #71914 (Reference is lost in "switch"). (Laruence)
    . Fixed bug #71871 (Interfaces allow final and abstract functions). (Nikita)
    . Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced
      memory, crashing). (Laruence)
    . Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
    . Fixed bug #71750 (Multiple Heap Overflows in php_raw_url_encode/
      php_url_encode). (Stas)
    . Fixed bug #71731 (Null coalescing operator and ArrayAccess). (Nikita)
    . Fixed bug #71609 (Segmentation fault on ZTS with gethostbyname). (krakjoe)
    . Fixed bug #71428 (inheritance and allow_null). (krakjoe)
    . Fixed bug #71414 (Inheritance, traits and interfaces). (krakjoe)
    . Fixed bug #71359 (Null coalescing operator and magic). (krakjoe)
    . Fixed bug #71334 (Cannot access array keys while uksort()). (Nikita)
    . Fixed bug #69659 (ArrayAccess, isset() and the offsetExists method).
      (Nikita)
    . Fixed bug #69537 (__debugInfo with empty string for key gives error).
      (krakjoe)
    . Fixed bug #62059 (ArrayObject and isset are not friends). (Nikita)
    . Fixed bug #71980 (Decorated/Nested Generator is Uncloseable in Finally).
      (Nikita)

  - BCmath:
    . Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
      _one_ definition). (Stas)

  - Curl:
    . Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
      (Michael Sierks)

  - Date:
    . Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)

  - EXIF:
    . Fixed bug #72094 (Out of bounds heap read access in exif header processing). (Stas)

  - GD:
    . Fixed bug #71912 (libgd: signedness vulnerability). (Stas)

  - Intl:
    . Fixed bug #71516 (IntlDateFormatter looses locale if pattern is set via
      constructor). (Anatol)
    . Fixed bug #70455 (Missing constant: IntlChar::NO_NUMERIC_VALUE). (Anatol)
    . Fixed bug #70451, #70452 (Inconsistencies in return values of IntlChar
      methods). (Daniel Persson)
    . Fixed bug #68893 (Stackoverflow in datefmt_create). (Anatol)
    . Fixed bug #66289 (Locale::lookup incorrectly returns en or en_US if locale
      is empty). (Anatol)
    . Fixed bug #70484 (selectordinal doesn't work with named parameters).
      (Anatol)
    . Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
      offset). (Stas)

  - ODBC:
    . Fixed bug #63171 (Script hangs after max_execution_time). (Remi)

  - Opcache:
    . Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
      (Laruence)

  - PDO:
    . Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
      (Daniel kalaspuffar, Julien)
    . Fixed bug #71447 (Quotes inside comments not properly handled). (Matteo)

  - PDO_DBlib:
    . Fixed bug #71943 (dblib_handle_quoter needs to allocate an extra byte).
      (Adam Baratz)
    . Add DBLIB-specific attributes for controlling timeouts. (Adam Baratz)

  - PDO_pgsql:
    . Fixed bug #62498 (pdo_pgsql inefficient when getColumnMeta() is used).
      (Joseph Bylund)

  - Postgres:
    . Fixed bug #71820 (pg_fetch_object binds parameters before call
      constructor). (Anatol)
    . Fixed bug #71998 (Function pg_insert does not insert when column
      type = inet). (Anatol)

  - SOAP:
    . Fixed bug #71986 (Nested foreach assign-by-reference creates broken
      variables). (Laruence)

  - SPL:
    . Fixed bug #71838 (Deserializing serialized SPLObjectStorage-Object can't
      access properties in PHP). (Nikita)
    . Fixed bug #71735 (Double-free in SplDoublyLinkedList::offsetSet). (Stas)
    . Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails
      offsetExists()). (Nikita)
    . Fixed bug #52339 (SPL autoloader breaks class_exists()). (Nikita)

  - Standard:
    . Fixed bug #71995 (Returning the same var twice from __sleep() produces
      broken serialized data). (Laruence)
    . Fixed bug #71940 (Unserialize crushes on restore object reference).
      (Laruence)
    . Fixed bug #71969 (str_replace returns an incorrect resulting array after
      a foreach by reference). (Laruence)
    . Fixed bug #71891 (header_register_callback() and
      register_shutdown_function()). (Laruence)
    . Fixed bug #71884 (Null pointer deref (segfault) in
      stream_context_get_default). (Laruence)
    . Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
    . Fixed bug #71837 (Wrong arrays behaviour). (Laruence)
    . Fixed bug #71827 (substr_replace bug, string length). (krakjoe)
    . Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or
      _REENTRANT is not defined). (Nikita)
    . Fixed bug #72116 (array_fill optimization breaks implementation). (Bob)

  - XML:
    . Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)

  - Zip:
    . Fixed bug #71923 (integer overflow in ZipArchive::getFrom*). (Stas)

(bsiegert)

2016-05-08 14:08:45 UTC pkgsrc-2016Q1

Pullup ticket #4973 - requested by taca
lang/php56: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.134
- lang/php56/distinfo                                          1.26
- lang/php56/patches/patch-configure                            1.3
- lang/php56/patches/patch-ext_opcache_config.m4                deleted
- lang/php56/patches/patch-ext_standard_php__dns.h              1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May  2 13:08:00 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php56: distinfo
  pkgsrc/lang/php56/patches: patch-configure
      patch-ext_standard_php__dns.h
  Removed Files:
  pkgsrc/lang/php56/patches: patch-ext_opcache_config.m4

  Log Message:
  Update php56 to 5.6.21.

  pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
  pkgsrc-users@.

  28 Apr 2016, PHP 5.6.21

  - Core:
    . Fixed bug #69537 (__debugInfo with empty string for key gives error).
      (krakjoe)
    . Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)

  - BCmath:
    . Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
      _one_ definition). (Stas)

  - Curl:
    . Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
      (Michael Sierks)

  - Date:
    . Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)

  - EXIF:
    . Fixed bug #72094 (Out of bounds heap read access in exif header processing). (Stas)

  - GD:
    . Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas)
    . Fixed bug #71912 (libgd: signedness vulnerability). (Stas)

  - Intl:
    . Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
      offset). (Stas)

  - OCI8:
    . Fixed bug #71422 (Fix ORA-01438: value larger than specified precision
      allowed for this column). (Chris Jones)

  - ODBC:
    . Fixed bug #63171 (Script hangs after max_execution_time). (Remi)

  - Opcache:
    . Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
      (Laruence)

  - PDO:
    . Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
      (Daniel Kalaspuffar, Julien)
    . Fixed bug #71447 (Quotes inside comments not properly handled). (Matteo)

  - Postgres:
    . Fixed bug #71820 (pg_fetch_object binds parameters before call
      constructor). (Anatol)

  - SPL:
    . Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails
      offsetExists()). (Nikita)

  - Standard:
    . Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
    . Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or
      _REENTRANT is not defined). (Nikita)

  - XML:
    . Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)

(bsiegert)

2016-05-08 08:10:58 UTC pkgsrc-2016Q1

Pullup tickets #4971 and #4972.

(bsiegert)

2016-05-08 08:10:06 UTC pkgsrc-2016Q1

Pullup ticket #4972 - requested by taca
lang/php55: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.132-1.133
- lang/php55/distinfo                                          1.52
- lang/php55/patches/patch-ext_standard_php__dns.h              1.2

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Fri Apr 22 09:46:50 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk

  Log Message:
  Detect php-7.0 (define _PHP_VERSION_70_INSTALLED).

  Addresses PR 50957.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May  2 13:06:21 UTC 2016

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php55: distinfo
  pkgsrc/lang/php55/patches: patch-ext_standard_php__dns.h

  Log Message:
  Update php55 to 5.5.35.

  pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
  pkgsrc-users@.

  28 Apr 2016, PHP 5.5.35

  - BCMath:
    . Fix bug #72093 (bcpowmod accepts negative scale and corrupts _one_
      definition). (Stas)

  - Exif:
    . Fix bug #72094 (Out of bounds heap read access in exif header
      processing). (Stas)

  - GD:
    . Fix bug #71912 (libgd: signedness vulnerability). (Stas)

  - Intl:
    . Fix bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
      offset). (Stas)

  - XML:
    . Fix bug #72099 (xml_parse_into_struct segmentation fault). (Stas)

(bsiegert)

2016-05-08 08:09:59 UTC pkgsrc-2016Q1

Pullup ticket #4971 - requested by taca
www/squid3: security fix

Revisions pulled up:
- www/squid3/Makefile                                          1.64
- www/squid3/distinfo                                          1.49-1.50
- www/squid3/patches/patch-src_eui_Eui48.cc                    1.1

---
  Module Name: pkgsrc
  Committed By: adam
  Date: Fri Apr 22 15:14:22 UTC 2016

  Modified Files:
  pkgsrc/www/squid3: Makefile distinfo

  Log Message:
  Changes 3.5.17:
  * nullptr is a C++11 feature
  * Fix several ESI element construction issues
  * SourceFormat Enforcement
  * cachemgr.cgi: use dynamic MemBuf for internal content generation
  * Add chained certificates and signing certificate to peek-then-bumped connections.
  * Handshake Error: ccs received early: fix typo
  * Avoid startup/shutdown crashes [by avoiding static non-POD globals].
  * Bugs fixed.

---
  Module Name: pkgsrc
  Committed By: adam
  Date: Tue Apr 26 10:36:48 UTC 2016

  Modified Files:
  pkgsrc/www/squid3: distinfo
  Added Files:
  pkgsrc/www/squid3/patches: patch-src_eui_Eui48.cc

  Log Message:
  Fix build on NetBSD >=7.99.27 due to route(4) change (deprecation of RTF_LLINFO). Courtesy of leot.

(bsiegert)

2016-05-08 06:57:16 UTC pkgsrc-2016Q1

Pullup tickets #4966, #4968 and #4969.

(bsiegert)

2016-05-07 19:25:22 UTC pkgsrc-2016Q1

Pullup ticket #4969 - requested by joerg
x11/qt4-libs: bugfix

Revisions pulled up:
- x11/qt4-libs/Makefile                                        1.111
- x11/qt4-libs/distinfo                                        1.107
- x11/qt4-libs/patches/patch-src_corelib_thread_qthread__unix.cpp 1.2

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Thu May  5 22:04:34 UTC 2016

  Modified Files:
  pkgsrc/x11/qt4-libs: Makefile distinfo
  pkgsrc/x11/qt4-libs/patches: patch-src_corelib_thread_qthread__unix.cpp

  Log Message:
  Fix TLS condition on NetBSD to correctly avoid using pthread_specific.
  Bump revision.

(bsiegert)

2016-05-07 19:02:18 UTC pkgsrc-2016Q1

Pullup ticket #4968 - requested by wiz
x11/py-qt5: build fix

Revisions pulled up:
- x11/py-qt5/Makefile                                          1.11
- x11/py-qt5/distinfo                                          1.4
- x11/py-qt5/patches/patch-configure.py                        1.4
- x11/py-qt5/patches/patch-designer_designer.pro-in            1.1
- x11/py-qt5/patches/patch-qmlscene_qmlscene.pro-in            1.1

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Sat Apr 23 07:38:38 UTC 2016

  Modified Files:
  pkgsrc/x11/py-qt5: Makefile distinfo
  pkgsrc/x11/py-qt5/patches: patch-configure.py
  Added Files:
  pkgsrc/x11/py-qt5/patches: patch-designer_designer.pro-in
      patch-qmlscene_qmlscene.pro-in

  Log Message:
  Fix rpath for X11=native case.

  From Olaf 'Rhialto' Seibert in PR 50876.

  Bump PKGREVISION.

(bsiegert)

2016-05-07 18:52:25 UTC pkgsrc-2016Q1

Pullup ticket #4966 - requested by joerg
chat/atheme: build fix
devel/libmcs: build fix
devel/libmowgli: build fix

Revisions pulled up:
- chat/atheme/Makefile                                          1.14
- devel/libmcs/Makefile                                        1.6
- devel/libmowgli/Makefile                                      1.8

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sat Apr 30 20:57:23 UTC 2016

  Modified Files:
  pkgsrc/chat/atheme: Makefile

  Log Message:
  Drop MASTERSITE, requires authentication now.

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sun May  1 12:28:43 UTC 2016

  Modified Files:
  pkgsrc/devel/libmcs: Makefile

  Log Message:
  Comment out MASTER_SITE, it requires authentication now.

---
  Module Name: pkgsrc
  Committed By: joerg
  Date: Sun May  1 14:34:29 UTC 2016

  Modified Files:
  pkgsrc/devel/libmowgli: Makefile

  Log Message:
  Drop distfiles.atheme.org, requires authentication.

(bsiegert)

2016-04-27 20:13:46 UTC pkgsrc-2016Q1

2016-04-27 20:12:36 UTC pkgsrc-2016Q1

Pullup ticket #4964 - requested by sevan
databases/postgresql95: security fix

Revisions pulled up:
- databases/postgresql95-adminpack/Makefile                    1.3
- databases/postgresql95-client/Makefile                        1.3
- databases/postgresql95-client/PLIST                          1.2
- databases/postgresql95-datatypes/Makefile                    1.3
- databases/postgresql95-dblink/Makefile                        1.3
- databases/postgresql95-docs/PLIST                            1.2
- databases/postgresql95-fuzzystrmatch/Makefile                1.3
- databases/postgresql95-monitoring/Makefile                    1.3
- databases/postgresql95-pgcrypto/Makefile                      1.3
- databases/postgresql95-plperl/Makefile                        1.3
- databases/postgresql95-plpython/Makefile                      1.3
- databases/postgresql95-pltcl/Makefile                        1.3
- databases/postgresql95-replicationtools/Makefile              1.3
- databases/postgresql95-server/Makefile                        1.4
- databases/postgresql95-server/PLIST                          1.2
- databases/postgresql95/Makefile                              1.3
- databases/postgresql95/Makefile.common                        1.2
- databases/postgresql95/distinfo                              1.2

---
  Module Name:    pkgsrc
  Committed By:  adam
  Date:          Sat Apr  9 12:51:50 UTC 2016

  Modified Files:
          pkgsrc/databases/postgresql91: Makefile Makefile.common distinfo
          pkgsrc/databases/postgresql91-adminpack: Makefile
          pkgsrc/databases/postgresql91-client: Makefile
          pkgsrc/databases/postgresql91-datatypes: Makefile
          pkgsrc/databases/postgresql91-dblink: Makefile
          pkgsrc/databases/postgresql91-docs: PLIST
          pkgsrc/databases/postgresql91-fuzzystrmatch: Makefile
          pkgsrc/databases/postgresql91-monitoring: Makefile
          pkgsrc/databases/postgresql91-pgcrypto: Makefile
          pkgsrc/databases/postgresql91-plperl: Makefile
          pkgsrc/databases/postgresql91-plpython: Makefile
          pkgsrc/databases/postgresql91-pltcl: Makefile
          pkgsrc/databases/postgresql91-replicationtools: Makefile
          pkgsrc/databases/postgresql91-server: Makefile PLIST
          pkgsrc/databases/postgresql91-upgrade: Makefile
          pkgsrc/databases/postgresql92: Makefile Makefile.common distinfo
          pkgsrc/databases/postgresql92-adminpack: Makefile
          pkgsrc/databases/postgresql92-client: Makefile
          pkgsrc/databases/postgresql92-datatypes: Makefile
          pkgsrc/databases/postgresql92-dblink: Makefile
          pkgsrc/databases/postgresql92-docs: PLIST
          pkgsrc/databases/postgresql92-fuzzystrmatch: Makefile
          pkgsrc/databases/postgresql92-monitoring: Makefile
          pkgsrc/databases/postgresql92-pgcrypto: Makefile
          pkgsrc/databases/postgresql92-plperl: Makefile
          pkgsrc/databases/postgresql92-plpython: Makefile
          pkgsrc/databases/postgresql92-pltcl: Makefile
          pkgsrc/databases/postgresql92-replicationtools: Makefile
          pkgsrc/databases/postgresql92-server: Makefile PLIST
          pkgsrc/databases/postgresql92-upgrade: Makefile
          pkgsrc/databases/postgresql93: Makefile Makefile.common distinfo
          pkgsrc/databases/postgresql93-adminpack: Makefile
          pkgsrc/databases/postgresql93-client: Makefile
          pkgsrc/databases/postgresql93-datatypes: Makefile
          pkgsrc/databases/postgresql93-dblink: Makefile
          pkgsrc/databases/postgresql93-docs: PLIST
          pkgsrc/databases/postgresql93-fuzzystrmatch: Makefile
          pkgsrc/databases/postgresql93-monitoring: Makefile
          pkgsrc/databases/postgresql93-pgcrypto: Makefile
          pkgsrc/databases/postgresql93-plperl: Makefile
          pkgsrc/databases/postgresql93-plpython: Makefile
          pkgsrc/databases/postgresql93-pltcl: Makefile
          pkgsrc/databases/postgresql93-replicationtools: Makefile
          pkgsrc/databases/postgresql93-server: Makefile PLIST
          pkgsrc/databases/postgresql93-upgrade: Makefile
          pkgsrc/databases/postgresql94: Makefile Makefile.common distinfo
          pkgsrc/databases/postgresql94-adminpack: Makefile
          pkgsrc/databases/postgresql94-client: Makefile
          pkgsrc/databases/postgresql94-datatypes: Makefile
          pkgsrc/databases/postgresql94-dblink: Makefile
          pkgsrc/databases/postgresql94-docs: PLIST
          pkgsrc/databases/postgresql94-fuzzystrmatch: Makefile
          pkgsrc/databases/postgresql94-monitoring: Makefile
          pkgsrc/databases/postgresql94-pgcrypto: Makefile
          pkgsrc/databases/postgresql94-plperl: Makefile
          pkgsrc/databases/postgresql94-plpython: Makefile
          pkgsrc/databases/postgresql94-pltcl: Makefile
          pkgsrc/databases/postgresql94-replicationtools: Makefile
          pkgsrc/databases/postgresql94-server: Makefile PLIST
          pkgsrc/databases/postgresql94-upgrade: Makefile
          pkgsrc/databases/postgresql95: Makefile Makefile.common distinfo
          pkgsrc/databases/postgresql95-adminpack: Makefile
          pkgsrc/databases/postgresql95-client: Makefile PLIST
          pkgsrc/databases/postgresql95-datatypes: Makefile
          pkgsrc/databases/postgresql95-dblink: Makefile
          pkgsrc/databases/postgresql95-docs: PLIST
          pkgsrc/databases/postgresql95-fuzzystrmatch: Makefile
          pkgsrc/databases/postgresql95-monitoring: Makefile
          pkgsrc/databases/postgresql95-pgcrypto: Makefile
          pkgsrc/databases/postgresql95-plperl: Makefile
          pkgsrc/databases/postgresql95-plpython: Makefile
          pkgsrc/databases/postgresql95-pltcl: Makefile
          pkgsrc/databases/postgresql95-replicationtools: Makefile
          pkgsrc/databases/postgresql95-server: Makefile PLIST

  Log Message:
  The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.2, 9.4.7, 9.3.12, 9.2.16, and 9.1.21. This release fixes two security
  issues and one index corruption issue in version 9.5. It also contains a variety of bug fixes for earlier versions. Users of PostgreSQL 9.5.0 or 9.5.1 should update as soon as possible.

  This release closes security hole CVE-2016-2193, where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to
  be used for the query.

  The update also fixes CVE-2016-3065, a server crash bug triggered by using pageinspect with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is
  being treated as a security issue.

(bsiegert)

2016-04-23 17:52:23 UTC pkgsrc-2016Q1

2016-04-23 17:51:11 UTC pkgsrc-2016Q1

Pullup ticket #4963 - requested by he
x11/pixman: build fix

Revisions pulled up:
- x11/pixman/distinfo                                          1.59
- x11/pixman/patches/patch-pixman_pixman-vmx.c                  1.1

---
  Module Name: pkgsrc
  Committed By: he
  Date: Thu Apr 21 21:39:36 UTC 2016

  Modified Files:
  pkgsrc/x11/pixman: distinfo
  Added Files:
  pkgsrc/x11/pixman/patches: patch-pixman_pixman-vmx.c

  Log Message:
  Add a patch so that this builds on NetBSD/powerpc with altivec.
  Without this, we get "subscripted value is neither array nor pointer"
  error from the compiler.
  Since this is a build fix for powerpc platforms, no PKGREVISION bump.

(bsiegert)

2016-04-20 19:27:28 UTC pkgsrc-2016Q1

2016-04-20 19:27:05 UTC pkgsrc-2016Q1

Pullup ticket #4962 - requested by sevan
lang/perl5: security fix

Revisions pulled up:
- lang/perl5/Makefile                                          1.237
- lang/perl5/distinfo                                          1.134
- lang/perl5/patches/patch-perl.c                              1.1

---
  Module Name:    pkgsrc
  Committed By:  sevan
  Date:          Tue Apr 19 22:14:39 UTC 2016

  Modified Files:
          pkgsrc/lang/perl5: Makefile distinfo
  Added Files:
          pkgsrc/lang/perl5/patches: patch-perl.c

  Log Message:
  Add patch to address CVE-2016-2381
  Bump pkgrev

  Reviewed by wiz@

(bsiegert)

2016-04-17 08:25:52 UTC pkgsrc-2016Q1

2016-04-17 08:25:00 UTC pkgsrc-2016Q1

Pullup ticket #4961 - requested by mrg
www/bozohttpd: security-update

Revisions pulled up:
- www/bozohttpd/Makefile                                        1.86
- www/bozohttpd/distinfo                                        1.65
- www/bozohttpd/patches/patch-bozohttpd.c                      deleted

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  mrg
  Date:          Fri Apr 15 20:59:17 UTC 2016

  Modified Files:
          pkgsrc/doc: CHANGES-2016
          pkgsrc/www/bozohttpd: Makefile distinfo
  Removed Files:
          pkgsrc/www/bozohttpd/patches: patch-bozohttpd.c

  Log Message:
  update bozohttpd to 20160415.  changes include:

          o  add search-word support for CGI
          o  fix a security issue in CGI suffix handler support which would
              allow remote code execution, from shm%netbsd.org@localhost
          o  -C option supports now CGI scripts only
          o  add CGI support for ~user translation (-E switch)
          o  add redirects to ~user translation
          o  fix bugs around ~user translation
          o  add schema detection for absolute redirects
          o  fixed few memory leaks
          o  bunch of minor tweaks
          o  removed -r support
          o  smarter redirects

  To generate a diff of this commit:
  cvs rdiff -u -r1.1574 -r1.1575 pkgsrc/doc/CHANGES-2016
  cvs rdiff -u -r1.85 -r1.86 pkgsrc/www/bozohttpd/Makefile
  cvs rdiff -u -r1.64 -r1.65 pkgsrc/www/bozohttpd/distinfo
  cvs rdiff -u -r1.2 -r0 pkgsrc/www/bozohttpd/patches/patch-bozohttpd.c

(spz)

2016-04-15 07:42:41 UTC pkgsrc-2016Q1 commitmail json YAML

2016-04-15 07:33:22 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4959 - requested by hauke
sysutils/radmind: bugfix

Revisions pulled up:
- sysutils/radmind/Makefile                                    1.37
- sysutils/radmind/distinfo                                    1.21
- sysutils/radmind/patches/patch-command.c                      1.2

---
  Module Name:    pkgsrc
  Committed By:  hauke
  Date:          Thu Apr 14 11:17:31 UTC 2016

  Modified Files:
          pkgsrc/sysutils/radmind: Makefile distinfo
          pkgsrc/sysutils/radmind/patches: patch-command.c

  Log Message:
  Fix setting custom permission bits, user and group information from
  a special transcript. Late fallout from Radmind bug #221.

(bsiegert)

2016-04-15 07:27:22 UTC pkgsrc-2016Q1 commitmail json YAML

2016-04-15 07:25:11 UTC pkgsrc-2016Q1 commitmail json YAML

Pullup ticket #4958 - requested by manu
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                          1.17
- net/samba4/PLIST                                              1.6
- net/samba4/distinfo                                          1.9

---
  Module Name:    pkgsrc
  Committed By:  manu
  Date:          Wed Apr 13 08:26:10 UTC 2016

  Modified Files:
          pkgsrc/net/samba4: Makefile PLIST distinfo

  Log Message:
  Update net/samba4 to 4.3.8

  This fixes the Badlock bug (CVE-2016-2118) and other vulnerabilities:
  o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
  o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
  o  CVE-2016-2114 ("server signing = mandatory" not enforced)
  o  CVE-2016-2113 (Missing TLS certificate validation)
  o  CVE-2016-2112 (LDAP client and server don't enforce integrity)
  o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
  o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
  o  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
  o  CVE-2016-0771 (Out-of-bounds read in internal DNS server)
  o  CVE-2015-5370 (Multiple errors in DCE-RPC code)

(bsiegert)

2016-04-06 17:48:17 UTC pkgsrc-2016Q1 commitmail json YAML

Welcome to the pkgsrc-2016Q1 branch!

This is the fiftieth pkgsrc quarterly release.

(agc)