
2023-06-26 09:35:17 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup tickets #6763 to #6765

(bsiegert)

2023-06-26 09:34:50 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6765 - requested by nia
www/firefox102: security fix
www/firefox102-l10n: dependent update

Revisions pulled up:
- www/firefox102-l10n/Makefile                                  1.12
- www/firefox102-l10n/distinfo                                  1.11
- www/firefox102/Makefile                                      1.21
- www/firefox102/distinfo                                      1.13

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sun Jun 25 16:07:08 UTC 2023

  Modified Files:
  pkgsrc/www/firefox102: Makefile distinfo
  pkgsrc/www/firefox102-l10n: Makefile distinfo

  Log Message:
  firefox102: update to 102.12

  Security Vulnerabilities fixed in Firefox ESR 102.12

      #CVE-2023-34414: Click-jacking certificate exceptions through rendering lag

      #CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR
      102.12

(bsiegert)

2023-06-26 09:34:44 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6764 - requested by taca
net/bind918: security fix

Revisions pulled up:
- net/bind918/Makefile                                          1.10-1.12
- net/bind918/PLIST                                            1.4
- net/bind918/distinfo                                          1.7-1.9
- net/bind918/options.mk                                        1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon Apr 24 13:48:06 UTC 2023

  Modified Files:
  pkgsrc/net/bind918: Makefile PLIST distinfo options.mk

  Log Message:
  net/bind918: update to 9.18.14

  pkgsrc change: reduce some pkglint warnings.

  --- 9.18.14 released ---

  6145. [bug] Fix a possible use-after-free bug in the
  dns__catz_done_cb() function. [GL #3997]

  6143. [bug] A reference counting problem on the error path in
  the xfrin_connect_done() might cause an assertion
  failure on shutdown.  [GL #3989]

  6142. [bug] Reduce the number of dns_dnssec_verify calls made
  determining if revoked keys needs to be removed from
  the trust anchors. [GL #3981]

  6141. [bug] Fix several issues in nsupdate timeout handling and
  update the -t option's documentation. [GL #3674]

  6138. [doc] Fix the DF-flag documentation on the outgoing
  UDP packets. [GL #3710]

  6136. [cleanup] Remove the isc_fsaccess API in favor of creating
  temporary file first and atomically replace the key
  with non-truncated content. [GL #3982]

  6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]

  6129. [cleanup] Value stored to 'source' during its initialization is
  never read. [GL #3965]

  6128. [bug] Fix an omission in an earlier commit to avoid a race
  between the 'dns__catz_update_cb()' and
  'dns_catz_dbupdate_callback()' functions. [GL #3968]

  6126. [cleanup] Deprecate zone type "delegation-only" and the
  "delegation-only" and "root-delegation-only"
  options. [GL #3953]

  6125. [bug] Hold a catz reference while the update process is
  running, so that the catalog zone is not destroyed
  during shutdown until the update process is finished or
  properly canceled by the activated 'shuttingdown' flag.
  [GL #3955]

  6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
  an NSEC3 incapable DNSSEC algorithm using KASP the zone
  could sometimes be incompletely signed. [GL #3937]

  6121. [bug] Fix BIND and dig zone transfer hanging when
  downloading large zones over TLS from a primary server,
  especially over unstable connections. [GL #3867]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Wed May 17 13:43:52 UTC 2023

  Modified Files:
  pkgsrc/net/bind918: Makefile distinfo

  Log Message:
  net/bind918: update to 9.18.15

  --- 9.18.15 released ---

  6164. [bug] Set the rndc idle read timeout back to 60 seconds,
  from the netmgr default of 30 seconds, in order to
  match the behavior of 9.16 and earlier. [GL #4046]

  6161. [bug] Fix log file rotation when using absolute path as
  file. [GL #3991]

  6157. [bug] When removing delegations in an OPTOUT range
  empty-non-terminal NSEC3 records generated by
  those delegations were not removed. [GL #4027]

  6156. [bug] Reimplement the maximum and idle timeouts for incoming
  zone transfers. [GL #4004]

  6155. [bug] Treat ISC_R_INVALIDPROTO as a networking error
  in the dispatch code to avoid retrying with the
  same server. [GL #4005]

  6152. [bug] In dispatch, honour the configured source-port
  selection when UDP connection fails with address
  in use error.

  Also treat ISC_R_NOPERM same as ISC_R_ADDRINUSE.
  [GL #3986]

  6149. [test] As a workaround, include an OpenSSL header file before
  including cmocka.h in the unit tests, because OpenSSL
  3.1.0 uses __attribute__(malloc), conflicting with a
  redefined malloc in cmocka.h. [GL #4000]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Wed Jun 21 14:42:23 UTC 2023

  Modified Files:
  pkgsrc/net/bind918: Makefile distinfo

  Log Message:
  net/bind918: update to 9.18.16

  9.18.16 (2023-06-21)

  Security release:

  - CVE-2023-2828
  - CVE-2023-2911

  6192. [security] A query that prioritizes stale data over lookup
  triggers a fetch to refresh the stale data in cache.
  If the fetch is aborted for exceeding the recursion
  quota, it was possible for 'named' to enter an infinite
  callback loop and crash due to stack overflow. This has
  been fixed. (CVE-2023-2911) [GL #4089]

  6190. [security] Improve the overmem cleaning process to prevent the
  cache going over the configured limit. (CVE-2023-2828)
  [GL #4055]

  6188. [performance] Reduce memory consumption by allocating properly
  sized send buffers for stream-based transports.
  [GL #4038]

  6186. [bug] Fix a 'clients-per-query' miscalculation bug. When the
  'stale-answer-enable' options was enabled and the
  'stale-answer-client-timeout' option was enabled and
  larger than 0, named was taking two places from the
  'clients-per-query' limit for each client and was
  failing to gradually auto-tune its value, as configured.
  [GL #4074]

  6185. [func] Add "ClientQuota" statistics channel counter, which
  indicates the number of the resolver's spilled queries
  due to reaching the clients per query quota. [GL !7978]

  6183. [bug] Fix a serve-stale bug where a delegation from cache
  could be returned to the client. [GL #3950]

  6182. [cleanup] Remove configure checks for epoll, kqueue and
  /dev/poll. [GL #4098]

  6181. [func] The "tkey-dhkey" option has been deprecated; a
  warning will be logged when it is used. In a future
  release, Diffie-Hellman TKEY mode will be removed.
  [GL #3905]

  6180. [bug] The session key object could be incorrectly added
  to multiple different views' keyrings. [GL #4079]

  6179. [bug] Fix an interfacemgr use-after-free error in
  zoneconf.c:isself(). [GL #3765]

  6176. [test] Add support for using pytest & pytest-xdist to
  execute the system test suite. [GL #3978]

  6174. [bug] BIND could get stuck on reconfiguration when a
  'listen' statement for HTTP is removed from the
  configuration. That has been fixed. [GL #4071]

  6173. [bug] Properly process extra "nameserver" lines in
  resolv.conf otherwise the next line is not properly
  processed. [GL #4066]

  6169. [bug] named could crash when deleting inline-signing zones
  with "rndc delzone". [GL #4054]

  6165. [bug] Fix a logic error in dighost.c which could call the
  dighost_shutdown() callback twice and cause problems
  if the callback function was not idempotent. [GL #4039]

(bsiegert)

2023-06-26 09:34:36 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6763 - requested by taca
net/bind916: security fix

Revisions pulled up:
- net/bind916/Makefile                                          1.56-1.58
- net/bind916/distinfo                                          1.47-1.49
- net/bind916/options.mk                                        1.5

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon Apr 24 13:45:10 UTC 2023

  Modified Files:
  pkgsrc/net/bind916: Makefile distinfo

  Log Message:
  net/bind916: update to 9.16.40

  --- 9.16.40 released ---

  6142. [bug] Reduce the number of dns_dnssec_verify calls made
  determining if revoked keys needs to be removed from
  the trust anchors. [GL #3981]

  6138. [doc] Fix the DF-flag documentation on the outgoing
  UDP packets. [GL #3710]

  6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]

  6129. [cleanup] Value stored to 'source' during its initialization is
  never read. [GL #3965]

  6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
  an NSEC3 incapable DNSSEC algorithm using KASP the zone
  could sometimes be incompletely signed. [GL #3937]

  5741. [bug] Log files with "timestamp" suffixes could be left in
  place after rolling, even if the number of preserved
  log files exceeded the configured "versions" limit.
  [GL #828] [GL #3959]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Wed May 17 13:41:58 UTC 2023

  Modified Files:
  pkgsrc/net/bind916: Makefile distinfo

  Log Message:
  net/bind916: update to 9.16.41

  --- 9.16.41 released ---

  6157. [bug] When removing delegations in an OPTOUT range
  empty-non-terminal NSEC3 records generated by
  those delegations were not removed. [GL #4027]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Wed Jun 21 14:40:43 UTC 2023

  Modified Files:
  pkgsrc/net/bind916: Makefile distinfo options.mk

  Log Message:
  net/bind916: update to 9.16.42

  pkgsrc change: reduce pkglint warnings.

  9.16.42 (2023-06-21)

  Security release:

  - CVE-2023-2828
  - CVE-2023-2911

  6192. [security] A query that prioritizes stale data over lookup
  triggers a fetch to refresh the stale data in cache.
  If the fetch is aborted for exceeding the recursion
  quota, it was possible for 'named' to enter an infinite
  callback loop and crash due to stack overflow. This has
  been fixed. (CVE-2023-2911) [GL #4089]

  6190. [security] Improve the overmem cleaning process to prevent the
  cache going over the configured limit. (CVE-2023-2828)
  [GL #4055]

  6183. [bug] Fix a serve-stale bug where a delegation from cache
  could be returned to the client. [GL #3950]

  6173. [bug] Properly process extra "nameserver" lines in
  resolv.conf otherwise the next line is not properly
  processed. [GL #4066]

  6169. [bug] named could crash when deleting inline-signing zones
  with "rndc delzone". [GL #4054]

(bsiegert)

2023-06-20 17:57:55 UTC pkgsrc-2023Q1 commitmail json YAML

2023-06-20 17:57:33 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6762 - requested by riastradh
security/heimdal: security fix

Revisions pulled up:
- security/heimdal/Makefile                                    1.160
- security/heimdal/distinfo                                    1.57
- security/heimdal/patches/patch-lib_krb5_store-int.c          1.1

---
  Module Name:    pkgsrc
  Committed By:  riastradh
  Date:          Mon Jun 19 19:13:03 UTC 2023

  Modified Files:
          pkgsrc/security/heimdal: Makefile distinfo
  Added Files:
          pkgsrc/security/heimdal/patches: patch-lib_krb5_store-int.c

  Log Message:
  security/heimdal: Patch CVE-2022-42898 away.

(bsiegert)

2023-06-08 19:03:53 UTC pkgsrc-2023Q1 commitmail json YAML

2023-06-08 19:02:48 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6761 - requested by bsiegert
print/cups-base: security fix

Revisions pulled up:
- print/cups-base/Makefile                                      1.57
- print/cups-base/distinfo                                      1.33
- print/cups-base/patches/patch-cups_string.c                  1.1

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  wiz
  Date:          Thu Jun  1 11:39:33 UTC 2023

  Modified Files:
          pkgsrc/print/cups-base: Makefile distinfo
  Added Files:
          pkgsrc/print/cups-base/patches: patch-cups_string.c

  Log Message:
  cups-base: fix security problem.

  Bump PKGREVISION.

  To generate a diff of this commit:
  cvs rdiff -u -r1.56 -r1.57 pkgsrc/print/cups-base/Makefile
  cvs rdiff -u -r1.32 -r1.33 pkgsrc/print/cups-base/distinfo
  cvs rdiff -u -r0 -r1.1 pkgsrc/print/cups-base/patches/patch-cups_string.c

(spz)

2023-05-16 16:29:35 UTC pkgsrc-2023Q1 commitmail json YAML

2023-05-16 16:28:36 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6760 - requested by nia
www/firefox102: security fix
www/firefox102-l10n: dependent update

Revisions pulled up:
- www/firefox102-l10n/Makefile                                  1.11
- www/firefox102-l10n/distinfo                                  1.10
- www/firefox102/Makefile                                      1.20
- www/firefox102/distinfo                                      1.12

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sun May 14 19:50:11 UTC 2023

  Modified Files:
  pkgsrc/www/firefox102: Makefile distinfo
  pkgsrc/www/firefox102-l10n: Makefile distinfo

  Log Message:
  firefox102: update to 102.11

  Security Vulnerabilities fixed in Firefox ESR 102.11

      #CVE-2023-32205: Browser prompts could have been obscured by popups

      #CVE-2023-32206: Crash in RLBox Expat driver

      #CVE-2023-32207: Potential permissions request bypass via clickjacking

      #CVE-2023-32211: Content process crash due to invalid wasm code

      #CVE-2023-32212: Potential spoof due to obscured address bar

      #CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()

      #CVE-2023-32214: Potential DoS via exposed protocol handlers

(bsiegert)

2023-05-15 18:39:02 UTC pkgsrc-2023Q1 commitmail json YAML

pullups 6756, 6757, 6758 and 6759

(spz)

2023-05-15 18:37:26 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6759 - requested by he
security/gnutls: build fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.240

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: he
  Date: Sun May 14 08:11:51 UTC 2023

  Modified Files:
  pkgsrc/security/gnutls: Makefile

  Log Message:
  gnutls: require minimum gcc 6, and indicate use of c++11.

  The in-tree compiler on NetBSD/macppc 8.0 (gcc 5 based)
  fails to build this package, with what now looks like a
  bug in gcc 5.
  Bump PKGREVISION.

  To generate a diff of this commit:
  cvs rdiff -u -r1.239 -r1.240 pkgsrc/security/gnutls/Makefile

(spz)

2023-05-15 18:25:45 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6758 - requested by taca
www/drupal7: security update

Revisions pulled up:
- www/drupal7/Makefile                                          1.79
- www/drupal7/distinfo                                          1.63

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon May  1 14:34:00 UTC 2023

  Modified Files:
  pkgsrc/www/drupal7: Makefile distinfo

  Log Message:
  www/drupal7: update to 7.97

  7.96 (2023-04-19)

  This is a security release of the Drupal 7 series.

  This release fixes security vulnerabilities.  Sites are urged to update
  immediately after reading the notes below and the security announcements:

  * Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

  No other fixes are included.

  7.97 (2023-04-21)

  This is a "hotfix" release to address a PHP 5.x regression caused by
  SA-CORE-2023-005.

  Changes since 7.96:

  * #3355216 by poker10: Fix PHP 5.x regression caused by ::class constant

  To generate a diff of this commit:
  cvs rdiff -u -r1.78 -r1.79 pkgsrc/www/drupal7/Makefile
  cvs rdiff -u -r1.62 -r1.63 pkgsrc/www/drupal7/distinfo

(spz)

2023-05-15 17:49:47 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6757 - requested by dholland
archivers/zstd: build fix

Revisions pulled up:
- archivers/zstd/distinfo                                      1.36
- archivers/zstd/patches/patch-lib_decompress_huf__decompress__amd64.S 1.1

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: dholland
  Date: Sun Apr 30 01:39:20 UTC 2023

  Modified Files:
  pkgsrc/archivers/zstd: distinfo
  Added Files:
  pkgsrc/archivers/zstd/patches:
      patch-lib_decompress_huf__decompress__amd64.S

  Log Message:
  PR 57383 Mike Owens: zstd assembler bug on SPARC

  Put amd64 assembler directives inside the amd64 ifdefs so they don't
  get assembled on other targets.

  To generate a diff of this commit:
  cvs rdiff -u -r1.35 -r1.36 pkgsrc/archivers/zstd/distinfo
  cvs rdiff -u -r0 -r1.1 \
      pkgsrc/archivers/zstd/patches/patch-lib_decompress_huf__decompress__amd64.S

(spz)

2023-05-15 17:23:55 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6756 - requested by taca
devel/git-base: security update
devel/git: version update

Revisions pulled up:
- devel/git-base/Makefile                                      1.104
- devel/git-base/distinfo                                      1.133
- devel/git/Makefile.version                                    1.117

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: adam
  Date: Wed Apr 26 08:44:38 UTC 2023

  Modified Files:
  pkgsrc/devel/git: Makefile.version
  pkgsrc/devel/git-base: Makefile distinfo

  Log Message:
  git: updated to 2.40.1

  Git v2.40.1 Release Notes
  ============
  This release merges up the fix that appears in v2.30.9, v2.31.8,
  v2.32.7, v2.33.8, v2.34.8, v2.35.8, v2.36.6, v2.37.7, v2.38.5
  and v2.39.3 to address the security issues CVE-2023-25652,
  CVE-2023-25815, and CVE-2023-29007; see the release notes for these
  versions for details.

  To generate a diff of this commit:
  cvs rdiff -u -r1.116 -r1.117 pkgsrc/devel/git/Makefile.version
  cvs rdiff -u -r1.103 -r1.104 pkgsrc/devel/git-base/Makefile
  cvs rdiff -u -r1.132 -r1.133 pkgsrc/devel/git-base/distinfo

(spz)

2023-04-22 15:06:42 UTC pkgsrc-2023Q1 commitmail json YAML

2023-04-22 15:06:23 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6754 - requested by nia
www/firefox102: security fix
www/firefox102-l10n: dependent update

Revisions pulled up:
- www/firefox102-l10n/Makefile                                  1.10
- www/firefox102-l10n/distinfo                                  1.9
- www/firefox102/Makefile                                      1.17
- www/firefox102/distinfo                                      1.11

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Fri Apr 14 08:53:12 UTC 2023

  Modified Files:
  pkgsrc/www/firefox102: Makefile distinfo
  pkgsrc/www/firefox102-l10n: Makefile distinfo

  Log Message:
  firefox102: Update to 102.10.0

  Security Vulnerabilities fixed in Firefox ESR 102.10

      #CVE-2023-29531: Out-of-bound memory access in WebGL on macOS
      #CVE-2023-29533: Fullscreen notification obscured
      #CVE-2023-29535: Potential Memory Corruption following Garbage Collector
      compaction
      #CVE-2023-29536: Invalid free from JavaScript code
      #CVE-2023-29539: Content-Disposition filename truncation leads to Reflected
      File Download
      #CVE-2023-29541: Files with malicious extensions could have been downloaded
      unsafely on Linux
      #CVE-2023-29542: Bypass of file download extension restrictions
      #CVE-2023-1945: Memory Corruption in Safe Browsing Code
      #CVE-2023-29548: Incorrect optimization result on ARM64
      #CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR
      102.10

(bsiegert)

2023-04-21 18:40:51 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6755 - requested by nia
sysutils/amanda-common

Revisions pulled up:
- sysutils/amanda-common/Makefile.common                        1.46
- sysutils/amanda-common/distinfo                              1.26
- sysutils/amanda-common/patches/patch-config_amanda_libs.m4    1.1

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Fri Apr 14 22:58:24 UTC 2023

  Modified Files:
  pkgsrc/sysutils/amanda-common: Makefile.common distinfo
  Added Files:
  pkgsrc/sysutils/amanda-common/patches: patch-config_amanda_libs.m4

  Log Message:
  amanda-common: Configure fixes

  The configure script creates massive amounts of spam when using NetBSD's
  sh due to the non-standard test(1) args.

  For some reason, the test for compiler flag -msse4.2 is failing, even
  though it's present in the cc -v --help output (is cwrappers doing
  something strange?). For now, commit a workaround. The package is actually
  doing runtime detection of SSE4.2 properly, but expects compiler support
  for -msse4.2 to be provided on x86.

  PR 57130

(bsiegert)

2023-04-16 14:52:58 UTC pkgsrc-2023Q1 commitmail json YAML

2023-04-16 14:52:36 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6753 - requested by gutteridge
textproc/libxml2: security fix
textproc/py-libxml2: security fix

Revisions pulled up:
- textproc/libxml2/Makefile                                    1.169
- textproc/libxml2/Makefile.common                              1.20
- textproc/libxml2/distinfo                                    1.144
- textproc/py-libxml2/Makefile                                  1.85

---
  Module Name:    pkgsrc
  Committed By:  gutteridge
  Date:          Sat Apr 15 13:06:22 UTC 2023

  Modified Files:
          pkgsrc/textproc/libxml2: Makefile Makefile.common distinfo
          pkgsrc/textproc/py-libxml2: Makefile

  Log Message:
  libxml2 & py-libxml2: update to 2.10.4

  v2.10.4: Apr 11 2023

  ### Security

  - [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
  - [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
  - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

  ### Regressions

  - SAX2: Ignore namespaces in HTML documents
  - io: Fix "buffer full" error with certain buffer sizes

(bsiegert)

2023-04-12 17:35:35 UTC pkgsrc-2023Q1 commitmail json YAML

2023-04-12 17:35:12 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6752 - requested by wiz
print/a2ps: restore functionality

Revisions pulled up:
- print/a2ps/Makefile                                          1.93-1.96
- print/a2ps/distinfo                                          1.23-1.24

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Wed Mar 29 08:20:03 UTC 2023

  Modified Files:
  pkgsrc/print/a2ps: Makefile distinfo

  Log Message:
  a2ps: update to 4.15.2.

  * Noteworthy changes in release 4.15.2 (2023-03-19) [stable]
    * Bug fixes:
      - Fix old crash when using --stdin="".
    * Build
      - Make configure stop if libpaper is not found.
      - Enable building the manual for gnu.org.

---
  Module Name: pkgsrc
  Committed By: mrg
  Date: Thu Mar 30 05:34:10 UTC 2023

  Modified Files:
  pkgsrc/print/a2ps: Makefile

  Log Message:
  use ${PKG_SYSCONFBASE} instead of ${PREFIX}/etc

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Fri Apr  7 21:25:40 UTC 2023

  Modified Files:
  pkgsrc/print/a2ps: Makefile distinfo

  Log Message:
  a2ps: update to 4.15.3.

  * Noteworthy changes in release 4.15.3 (2023-03-26) [stable]
    * Bug fixes:
      - Fix fixps to use GhostScript's ps2write device instead of defunct
        pswrite.
    * Build:
      - Fix a problem building PDF version of manual.

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Sat Apr  8 23:18:51 UTC 2023

  Modified Files:
  pkgsrc/print/a2ps: Makefile

  Log Message:
  a2ps: depend on misc/getopt for a2ps-lpr-wrapper

  From John D. Baker.

  Fix some pkglint while here and bump PKGREVISION.

(bsiegert)

2023-04-12 17:28:54 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6750 - requested by taca
lang/ruby32-base: build fix

Revisions pulled up:
- lang/ruby32-base/options.mk                                  1.2

---
  Module Name: pkgsrc
  Committed By: he
  Date: Tue Apr  4 12:20:30 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby32-base: options.mk

  Log Message:
  ruby32-base: default to yjit only on platforms supporting it.

  That would be x86_64, aarch64 and (possibly) aarch64be.

  OK'ed by taca@

(bsiegert)

2023-04-02 06:17:55 UTC pkgsrc-2023Q1 commitmail json YAML

2023-04-02 06:13:41 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6749 - requested by taca
textproc/ruby-kramdown-rfc2629: dependency fix

Revisions pulled up:
- textproc/ruby-kramdown-rfc2629/Makefile                      1.20

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 10:14:21 UTC 2023

  Modified Files:
  pkgsrc/textproc/ruby-kramdown-rfc2629: Makefile

  Log Message:
  textproc/ruby-kramdown-rfc2629: remove reference to json_pure gem

  Remove reference to json_pure gem and add json gem.

  The problem was reported by riastradh@ via private e-mail.

  Bump PKGREVISION.

  To generate a diff of this commit:
  cvs rdiff -u -r1.19 -r1.20 pkgsrc/textproc/ruby-kramdown-rfc2629/Makefile

(spz)

2023-04-02 06:04:46 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6748 - requested by taca
lang/ruby32-base: security update

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.264
- lang/ruby32-base/PLIST                                        1.3
- lang/ruby32-base/distinfo                                    1.4

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 09:26:58 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby32-base: PLIST distinfo

  Log Message:
  lang/ruby32: update to 3.2.2

  Ruby 3.2.2 Released Posted by naruse on 30 Mar 2023

  Ruby 3.2.2 has been released.

  This release includes security fixes.  Please check the topics below for
  details.

  * CVE-2023-28755: ReDoS vulnerability in URI
  * CVE-2023-28756: ReDoS vulnerability in Time

  What's Changed

  * Backport [Bug #19158] for Ruby 3.2 by hsbt · Pull Request #7356
  * Bug #19415: Incorrect circularity warning for concurrent requires
  * Bug #19400: YJIT fails to boot on ARM64 systems with 64 KiB pages
  * Bug #19419: [BUG] try to mark T_NONE object in ibf_dump_mark
  * Bug #19444: YJIT String#+@ miscompilations
  * Bug #19445: Segmentation fault with Numeric#step
  * Bug #19439: Marshal.load doesn't load Regexp instance variables
  * Bug #19459: Is length of IO::Buffer#read required or optional?
  * Bug #19464: YJIT miscompiles BasicObject#__send__ to alias methods of send
  * Bug #19468: Ruby 3.2: net/http sets UTF-8 encoding for binary responses
  * Bug #19469: Crash when resizing generic iv list
  * Bug #19161: Cannot compile 3.0.5 or 3.1.3 on Red Hat Enterprise Linux 7
  * Bug #19467: Some linear_time regexp does not match in linear time
  * Bug #19476: Regexp unexpected partial match
  * Bug #19536: Frozen status loss when moving objects
  * Bug #19485: Unexpected behavior in squiggly heredocs
  * Bug #19471: Regexp::compile does not handle :timeout argument
  * Use URI-0.12.1 for Ruby 3.2 by hsbt · Pull Request #7603
  * Merge RubyGems-3.4.10 and Bundler-2.4.10 by hsbt · Pull Request #7479
  * Merge Time-0.2.2 by hsbt · Pull Request #7623

  Note: This list is automatically generated by tool/gen-github-release.rb.
  Because of this, some commits may be missing.

  To generate a diff of this commit:
  cvs rdiff -u -r1.263 -r1.264 pkgsrc/lang/ruby/rubyversion.mk
  cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/ruby32-base/PLIST
  cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/ruby32-base/distinfo

(spz)

2023-04-01 20:04:44 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6747 - requested by taca
lang/ruby31-base: security update

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.263
- lang/ruby31-base/distinfo                                    1.10

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 09:17:15 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby31-base: distinfo

  Log Message:
  lang/ruby31: update to 3.1.4

  Ruby 3.1.4 Released Posted by nagachika on 30 Mar 2023

  Ruby 3.1.4 has been released.

  This release includes security fixes.  Please check the topics below for
  details.

  * CVE-2023-28755: ReDoS vulnerability in URI
  * CVE-2023-28756: ReDoS vulnerability in Time

  What's Changed

  * Bug #19187: Ruby 3.1.3 testsuite fails after timezone 2022g update is
    applied
  * Bug #19153: Since 2.7.7 CGI::Cookie raises ArgumentError when cookie
    domains is prefixed with a dot
  * Bug #18629: block args array splatting assigns to higher scope _ var
  * Bug #18765: Wrong description introduced by
    https://github.com/ruby/ruby/pull/4938/files
  * Bug #19189: Ruby 3.1.3/3.2.x can no longer find pkg-config if not present
    at buildtime
  * Bug #19292: Time object's wday, yday, and isdst returns broken value (and
    so does to_a) when kwarg in: 'UTC' was given
  * Bug #19305: TracePoint#parameters segfaults when certain method creation
    pattern is used
  * Bug #19319: Crash in rb_str_casemap
  * Bug #19316: YJIT crash in 3.2.0
  * Bug #19284: Integer overflow when using RUBY_GC_HEAP_INIT_SLOTS
    environment variable
  * Bug #19320: Crash during compaction while traversing the stack
  * Bug #19389: StringIO gets(..., chomp: true) behaves differently to File/IO.
  * Bug #19284: Integer overflow when using RUBY_GC_HEAP_INIT_SLOTS
    environment variable
  * Bug #19398: Memory leak in WeakMap
  * Bug #19403: Unable to Build Native Gems on Mac with Ruby 3.1.0+
  * Bug #19415: Incorrect circularity warning for concurrent requires
  * Bug #19419: [BUG] try to mark T_NONE object in ibf_dump_mark
  * Bug #19445: Segmentation fault with Numeric#step
  * Bug #19161: Cannot compile 3.0.5 or 3.1.3 on Red Hat Enterprise Linux 7
  * Bug #18989: Backport f229b36087f1b387d77af8f3fa50f9bffd2fd44e to ruby_3_1
  * Bug #18748: Range#cover? returns true for beginless range of different
    type
  * Bug #18827: __ENCODING__ is not set to the source encoding when saving
    script lines
  * Bug #19242: Circular cause by Marshal
  * Bug #19243: Windows: Dir.home returns string in wrong encoding
  * Bug #19115: RubyGems fails to detect OpenSSL in --with-static-linked-ext
    builds
  * Bug #18464: RUBY_INTERNAL_EVENT_NEWOBJ tracepoint causes an interpreter
    crash when combined with Ractors
  * Bug #19529: [BUG] ObjectSpace::WeakMap can segfault after compaction
  * Bug #19485: Unexpected behavior in squiggly heredocs

  Note: This list is automatically generated by tool/gen-github-release.rb.
  Because of this, some commits may be missing.

  To generate a diff of this commit:
  cvs rdiff -u -r1.262 -r1.263 pkgsrc/lang/ruby/rubyversion.mk
  cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/ruby31-base/distinfo

(spz)

2023-04-01 19:57:14 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6746 - requested by taca
lang/ruby30-base: security update

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.262
- lang/ruby30-base/distinfo                                    1.12

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 09:08:51 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby30-base: distinfo

  Log Message:
  lang/ruby30: update to 3.0.6

  Ruby 3.0.6 Released Posted by usa on 30 Mar 2023

  Ruby 3.0.6 has been released.

  This release includes security fixes. Please check the topics below for
  details.

  * CVE-2023-28755: ReDoS vulnerability in URI
  * CVE-2023-28756: ReDoS vulnerability in Time

  This release also includes some bug fixes.  See the GitHub releases for
  further details.

  After this release, we end the normal maintenance phase of Ruby 3.0, and
  Ruby 3.0 enters the security maintenance phase.  This means that we will no
  longer backport any bug fixes to Ruby 3.0 except security fixes.

  The term of the security maintenance phase is scheduled for a year.  Ruby
  3.0 reaches EOL and its official support ends by the end of the security
  maintenance phase.  Therefore, we recommend that you start to plan an
  upgrade to Ruby 3.1 or 3.2.

  To generate a diff of this commit:
  cvs rdiff -u -r1.261 -r1.262 pkgsrc/lang/ruby/rubyversion.mk
  cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/ruby30-base/distinfo

(spz)

2023-04-01 19:39:42 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6745 - requested by taca
lang/ruby27-base: security update

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.261
- lang/ruby27-base/distinfo                                    1.12

-------------------------------------------------------------------
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 08:59:44 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby27-base: distinfo

  Log Message:
  lang/ruby27: update to 2.7.8

  Ruby 2.7.8 Released
  Posted by usa on 30 Mar 2023

  Ruby 2.7.8 has been released.

  This release includes security fixes. Please check the topics below for
  details.

  * CVE-2023-28755: ReDoS vulnerability in URI
  * CVE-2023-28756: ReDoS vulnerability in Time

  This release also includes some build problem fixes. See the GitHub releases
  for further details.

  After this release, Ruby 2.7 reaches EOL.  In other words, this is expected
  to be the last release of Ruby 2.7 series.  We will not release Ruby 2.7.9
  even if a security vulnerability is found (but could release if a severe
  regression is found).  We recommend all Ruby 2.7 users to start migration to
  Ruby 3.2, 3.1, or 3.0 immediately.

  To generate a diff of this commit:
  cvs rdiff -u -r1.260 -r1.261 pkgsrc/lang/ruby/rubyversion.mk
  cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/ruby27-base/distinfo

(spz)

2023-04-01 18:56:33 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup tickets #6743 and #6744

(bsiegert)

2023-04-01 18:55:38 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6744 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                          1.161
- net/samba4/distinfo                                          1.91

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 08:49:05 UTC 2023

  Modified Files:
  pkgsrc/net/samba4: Makefile distinfo

  Log Message:
  net/samba4: update to 4.17.7

                      ==============================
                      Release Notes for Samba 4.17.7
                              March 29, 2023
                      ==============================

  This is a security release in order to address the following defects:

  o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                    but otherwise unprivileged users to delete this attribute from
                    any object in the directory.
                    https://www.samba.org/samba/security/CVE-2023-0225.html

  o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                    remote LDAP server, will by default send new or reset
                    passwords over a signed-only connection.
                    https://www.samba.org/samba/security/CVE-2023-0922.html

  o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                    Confidential attribute disclosure via LDAP filters was
                    insufficient and an attacker may be able to obtain
                    confidential BitLocker recovery keys from a Samba AD DC.
                    Installations with such secrets in their Samba AD should
                    assume they have been obtained and need replacing.
                    https://www.samba.org/samba/security/CVE-2023-0614.html

(bsiegert)

2023-04-01 18:14:20 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6743 - requested by taca
databases/ldb: dependent update

Revisions pulled up:
- databases/ldb/Makefile                                        1.34
- databases/ldb/distinfo                                        1.24
- databases/ldb/patches/patch-common_ldb__match.c              1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr  1 08:47:37 UTC 2023

  Modified Files:
  pkgsrc/databases/ldb: Makefile distinfo
  pkgsrc/databases/ldb/patches: patch-common_ldb__match.c

  Log Message:
  databases/ldb: update to 2.6.2

  samba-4.17.7 requires ldb 2.6.2.

  Changes from 2.6.1 are not available except commit log:
  <https://github.com/samba-team/samba/compare/ldb-2.6.1...ldb-2.6.2>.

(bsiegert)

2023-04-01 14:43:06 UTC pkgsrc-2023Q1 commitmail json YAML

2023-04-01 10:35:16 UTC pkgsrc-2023Q1 commitmail json YAML

Pullup ticket #6742 - requested by bsiegert
graphics/openexr: security update

Revisions pulled up:
- graphics/openexr/Makefile                                    1.48
- graphics/openexr/PLIST                                        1.21
- graphics/openexr/distinfo                                    1.46

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  bsiegert
  Date:          Thu Mar 30 16:38:14 UTC 2023

  Modified Files:
          pkgsrc/graphics/openexr: Makefile PLIST distinfo

  Log Message:
  openexr: update to 3.1.6 (security)

  Patch release that addresses various bug/build issues and optimizations:

  - NEON optimizations for ZIP reading
  - Enable fast Huffman & Huffman zig-zag transform for Arm Neon
  - Support relative and absolute libdir/includedir in pkg-config generation
  - Fix for reading memory mapped files with DWA compression
  - Enable SSE4 support on Windows
  - Fast huf decoder
  - CMake config for generating docs is now BUILD_DOC

  Also, this release includes a major update and reorganization of the repo
  documentation and the https://openexr.com website.

  In addition, numerous typos and misspellings in comments and doxygen content
  have been fixed via codespell.

  Specific OSS-fuzz issues addressed:

  - OSS-fuzz 52730 Heap-buffer-overflow in fasthuf_initialize
  - OSS-fuzz 49698 Heap-buffer-overflow in fasthuf_decode
  - OSS-fuzz 47517 Integer-overflow in reconstruct_chunk_table
  - OSS-fuzz 47503 Heap-buffer-overflow in uncompress_b44_impl
  - OSS-fuzz 47483 Heap-buffer-overflow in generic_unpack

  To generate a diff of this commit:
  cvs rdiff -u -r1.47 -r1.48 pkgsrc/graphics/openexr/Makefile
  cvs rdiff -u -r1.20 -r1.21 pkgsrc/graphics/openexr/PLIST
  cvs rdiff -u -r1.45 -r1.46 pkgsrc/graphics/openexr/distinfo

(spz)

2023-03-28 12:40:59 UTC pkgsrc-2023Q1 commitmail json YAML

Add CHANGES files for pkgsrc-2023Q1

(gdt)