doc: Updated security/vault to 0.11.2

(fhajny)

## 0.11.2 (October 2nd, 2018)

CHANGES:

- `sys/seal-status` now includes an `initialized` boolean in the
  output. If Vault is not initialized, it will return a `200` with
  this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from
  being provided to backends based on a global denylist.

FEATURES:

- AWS Secret Engine Root Credential Rotation: The credential used by
  the AWS secret engine can now be rotated, to ensure that only Vault
  knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows
  offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise):
  AliCloud KMS can now be used a support seal for  Auto Unseal and
  Seal Wrapping.

BUG FIXES:

- auth/okta: Fix reading deprecated `token` parameter if a token was
  previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is
  written
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too
  early
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry

IMPROVEMENTS:

- auth/aws: The identity alias name can now configured to be either
  IAM unique ID of the IAM Principal, or ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog
  to allow operators to include environment variables during plugin
  execution.
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization
  Bearer header
- replication: Reindex process now runs in the background and does not
  block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing
  with a "force" flag

(fhajny)

doc: Updated mail/rspamd to 1.8.0

(fhajny)

mail/rspamd: Update to 1.8.0.

- [Feature] Add arguments schemas to processors and extractors
- [Feature] Add functional selectors library
- [Feature] Add generic selector to reputation module
- [Feature] Add more ratelimits: by digest, by attachments data, by
  filenames
- [Feature] Add preliminary stop words detection support
- [Feature] Add pure Lua debugm function
- [Feature] Add schema validation for Redis settings
- [Feature] Add selectors combine function
- [Feature] Add some recursion protection to lua logger
- [Feature] Add support for Lua API tracing
- [Feature] Allow to apply schema to arguments
- [Feature] Allow to get dkim signing data directly from HTTP headers
- [Feature] Allow to reuse existing authentication results
- [Feature] Cache selectors results in re runtime
- [Feature] Implement new text tokenizer based on libicu
- [Feature] Integrate selectors framework to multimap
- [Feature] Relax FORGED_RECIPIENTS
- [Feature] Support (almost) all html entities
- [Feature] Support adding and deletion of recipients in the milter
  block
- [Feature] Support gathering HTTP body from fragments in lua_http
- [Feature] Support multi flag in regexp and glob maps
- [Feature] Support selectors in ratelimit module
- [Feature] Support selectors in settings
- [Feature] Use khash in HTML parser
- [Feature] Use pure Lua debugm function
- [Fix] Add fail-safety for destroying sessions
- [Fix] Allow to add result-less fake DNS records
- [Fix] Another try to fix race conditions on config unload
- [Fix] Call Lua callback on DNS timeouts
- [Fix] Deprecate task:inc_dns_req as it is redundant
- [Fix] Do not allow events deletions on cleanup
- [Fix] Do not try to process skipped messages
- [Fix] Fix HTTP requests with no body
- [Fix] Fix another cleanup race condition
- [Fix] Fix bug in processing of pcre regexps
- [Fix] Fix byte array allocation in the pool
- [Fix] Fix crashes on task cleanup
- [Fix] Fix dynamic buckets in ratelimits
- [Fix] Fix endless loop when waiting for Rspamd to stop
- [Fix] Fix lua_util.str_split in case of delimiters set
- [Fix] Fix more issues with watching of async events
- [Fix] Fix stop words detection and loading logic
- [Fix] Fix various corner cases for language detection
- [Fix] Fix watchers in lua_tcp
- [Fix] Fix words decay algorithm
- [Fix] Implement watchers replacement to handle nested calls
- [Fix] Save faked code into fake dns record
- [Fix] Show the proper frame when using lua_util.debugm
- [Fix] Use fake dns records in tests
- [Fix] Use unicode replacements for HTML entities
- [Fix] fixed "cannot find dependency on symbol 1" issue when using
  replaced symbols in spamassassin rules
- [Fix] partition_id is not available in old versions of CH
- [Project] Add implicit conversion logic to selectors
- [Project] Add initial support for selectors in regexps
- [Project] Add method concept
- [Project] Further changes in unicode operations
- [Project] Implement Clickhouse migrations
- [Project] Implement implicit conversions to userdata
- [Project] Implement insert method
- [Project] Implement selectors registration for regular expressions
- [Project] Implement selectors support in re_cache
- [Project] Improve language detector: cleanup unused files,
  categorize
- [Project] Migrate CH data to a fat table
- [Project] Rework selectors logic
- [Project] Start Clickhouse utilities library
- [Project] Start unicode rework
- [Project] coroutine threaded model for API calls: thread pool
- [Rework] Move phishtank to a DNS based service
- [Rework] Rework Clickhouse plugin to use the new API
- [Rework] Rework language detector
- [Rework] Rework utf content processing in text parts
- [WebUI] Add progress bar for AJAX requests
- [WebUI] Avoid errors table reinitialization
- [WebUI] Avoid history table reinitialization
- [WebUI] Avoid throughput summary table reinitialization
- [WebUI] Destroy summary table on disconnect
- [WebUI] Fix "auth" request URL
- [WebUI] Fix disabling and hiding controls on page reload
- [WebUI] Fix maps loading from neighbours
- [WebUI] Fix symbols sorting by score
- [WebUI] Fix tables destroying
- [WebUI] Fix throughput data consolidation
- [WebUI] Fix upload buttons disabling

(fhajny)

doc: Updated net/py-lexicon to 2.7.9

(fhajny)

net/py-lexicon: Update to 2.7.9.

2.7.9
- Minor fixes

2.7.8
- Adding henet to supported providers

2.7.7
- Fix for cloudns

2.7.6
- Tests fixes

2.7.5
- Add support for inwx provider

2.7.4
- Add support for Plesk API

(fhajny)

doc: Updated lang/nodejs to 10.11.0

(fhajny)

lang/nodejs: Update to 10.11.0.

- fs
  - Fixed fsPromises.readdir `withFileTypes`.
- http2
  - Added `http2stream.endAfterHeaders` property.
- util
  - Added `util.types.isBoxedPrimitive(value)`.

(fhajny)

doc: Updated sysutils/rsyslog to 8.38.0

(fhajny)

sysutils/rsyslog*: Update to 8.38.0.

Version 8.38.0 [v8-stable] 2018-09-18
- AIX: make basic modules work again
- make rsyslog build on AIX again
- imfile: support for endmsg.regex
- imkafka: add parameter "parseHostName"
- im[p]tcp: improve error message on connect failure
- imkafka: implement multithreading support for kafka consumers.
- omelasticsearch: write all header metadata to $.omes for retries
- core: improve error message on module load fail
- core/queue: add error message if queue file cannot be accessed
- imtcp/imudp: new option preservecase for managing the case of
  FROMHOST value
- omprog: add feedback timeout and keep-alive feature
- omprog: fix forceSingleInstance configuration option
- imfile: implement file-id, used in state file
- imfile: experimental input throtteling feature
- core: emit TZ warning on startup not on Linux non-container
- omkafka:
  - better debug information
  - Fixed minor issue in omkafka producing wrong kafka timestamps when
    msgTimestamp was NULL.
  - Setting RD_KAFKA_V_KEY(NULL, 0) in rd_kafka_producev now when KEY
    is not configured.
  - Fixed minor issue when rsyslog is compiled with --enable-debug and
    librdkafka is too old.
- omfile bugfix: errant error message when dynafile param needed
- omhttp: new contribued module
- mmkubertnetes: action fails preparation cycle if kubernetes API
  destroys resource during bootup sequence
- bugfix pmnormalize/core: several memory leaks, invld property
  handling
- bugfix imptcp: fixed pointers for session counting
- bugfix omprog: invalid memory access on partial writes to pipe
- bugfix omprog: rsyslog's environment was not passed to script
- bugfix omprog: severity of some log messages in waitForChild
  corrected
- bugfix imfile: files which were loaded via symlink were not always
  followed
- bugfix imfile: potential misadressing when processing symlinks
- bugfix ommongodb: build issue if mongo-c-driver is not compiled with
  TLS

(fhajny)

doc: Updated misc/mbuffer to 20180625

(fhajny)

misc/mbuffer: Update to 20180625.

20180625:
- linking of available hash libraries during runtime

20180505:
- fix typo in summary
- fix potential hang with small input size
- testing fix for BSD
- configure enhancement: objdump may be named gobjdump
- fix tape end of file marker may be ignored
- removed obsolete alpha code

20180410:
- build fix for hashing library variants
- support tapetest on systems with name variants of open and write
- run only network tests for supported address families
  (patch supplied by Peter Pentchev)
- code update for hashing infrastructure
- make idev tests usable on more platforms
- determine amount of available memory via procfs
- option -d unintentionally consumes an argument
- idev.c should use libc's names
- support use of autoreconf

20180318:
- performance optimized defaults
- stricter arguments checking of mbuffer.rc
- handle FreeBSD's maximum semaphore value transparently
- print base 2 dimensions correctly (ki,Mi,Gi,Ti)
- FreeBSD patches by Eric Borisch

20171011:
- use $(etcdir) consistently for installation
- use AC_COMPILE_IF instead of AC_RUN_IF to support cross-compiling
- remove forward typedef for dest_t to support older compilers
- build fix for Solaris
- updated test infrastructure
- print pid on every message with --pid
- fix: potential hang, when one output fails to open

20170921:
- added jumpbuffer reading mode for inconsistent block sizes
- code separation into more files for enhanced readability
- some cleanup work for global variables
- fixed regression in sanity checks
- fix: option -f should truncate output file
- fix: failed opening of network output should not redirect to stdout
- fix: summary printout should respect quiet options

20170806:
- add support for libgcrypt
- add support for tape aware out-of-space handling
- support setting verbosity in config file
- suppress gcc's unused result warnings - all have been manually
  checked
- updated install-sh, config.sub, and config.guess
- exit cleanly if all outputs failed to open but hashers are left
- minor fixes and enhancements
- minor code refactoring for clearer structure
- some code hardening
- build fix for OpenBSD
- work around mhash_get_hash_name_static crashing

20170515:
- fix false warning on comments in config files
- code update for config parsing
- makefile compatibility update

20170514:
- update: configure update for latest cygwin
- fix: detect missing md5.h in configure
- enhancement: adjust some messages to avoid line-wrapping
- enhancement: print status message to log if suppressed on console
- enhancement: also read config files in /etc and ${prefix}/etc
- enhancement: simplified memory conifguration detection scheme
- added an example config file, with documentation of all options
- added parameter StatusInterval
- fix for handling empty lines in config files
- fix: --append rejects existing files
- fix warnings related to thread status return code

20161115:
- enhancement: report percent done, when input size is known (is a
  file)
- enhancement: watchdog raises SIGKILL if SIGINT had no effect
- change: start watchdog when parsing option -W or after parsing all
  options when activated via defaults file
- fix: use thread-safe mt_usleep instead of sleep(3) for watchdog
  timing
- change: adjusted interface of mt_usleep to accept 64bit arguments

20160613:
- fix: fix potential assertion triggered by interrupted system call
- enhancement: ignore EINTR for I/O syscalls

20160228:
- fix: fix listen's backlog argument, which can cause issues on Linux
  4.4

(fhajny)

doc: Updated databases/mariadb-connector-c to 3.0.6

(fhajny)

databases/mariadb-connector-c: Update to 3.0.6.

3.0.6
- Revert "Bumped version number to 3.0.7"

3.0.5
- Windows build fix

3.0.4
- MDEV-15655: abstract socket support - limit length

(fhajny)

doc: Updated net/rabbitmq to 3.7.7

(fhajny)

net/rabbitmq: Update to 3.7.7.

3.7.7
- Erlang 21 compatibility
- Bug fixes
- Usability improvements

3.7.6
- Bug fixes
- Usability improvements

(fhajny)

doc: Updated databases/percona-toolkit to 3.0.12

(fhajny)

databases/percona-toolkit: Update to 3.0.12.

v3.0.12 released 2018-09-13

- Fixed bug  PT-1611: pt-archiver fails with UTF-8 chars
- Fixed bug  PT-1574: pt-online-schema-change fails on UK and NULLs
- Fixed bug  PT-1572: Better usage of ENUM fields in keys in
  NibbleIterator
- Fixed bug  PT-1422: pt-mysql-summary may get stuck when Time: NULL
  in processlist
- Improvement PT-1321: Add required MySQL privileges to
  pt-online-schema-change documentation

v3.0.11 released 2018-07-06

- Improvement PT-1571 : Improved hostname recognition in
  pt-secure-collect
- Fixed bug  PT-1570 : pt-archiver fails to detect columns with the
  word GENERATED as part of the comment
- Improvement PT-1569 : Disabled --alter-foreign-keys-method=drop_swap
  in pt-osc
- Fixed bug  PT-1563 : Fixed pt-show-grants for MySQL 5.6
- Improvement PT-1562 : pt-mysql-summary: Fix mysqld command for
  Travis
- Fixed bug  PT-1551 : pt-table-checksum fails on MySQL 8.0.11
- Improvement  PT-242 : (pt-stalk) Include SHOW SLAVE STATUS on 5.7
- Fixed bug    PT-241 : (pt-stalk) Slave queries doesn't run on 5.7

v3.0.10 released 2018-05-21

- Fixed bug  PT-1556 : pt-table-checksum 3.0.9 doesn't change
  binlog_format to statement anymore
- Improvement PT-1546 : Improved support of MySQL 8 roles
- Improvement PT-1543 : Encrypted table status query causes high load
  over multiple minutes
- Improvement PT-1536 : Add info about encrypted tablespaces in
  pt-mysql-summary
- Feature      PT-131 : Make pt-table checksum to disable QRT plugin
- Feature      PT-118 : pt-table-checksum report the number of rows of
  difference between master and slave

v3.0.9 released 2018-04-17

- Feature    PT-1530 : Add support for encryption status to
  mysql-summary
- Feature    PT-1526 : Add ndb status to pt-mysql-summary
- Feature    PT-1525 : Added support for MySQL 8 roles into
  pt-mysql-summary
- Feature    PT-1509 : Only set binlog_format when necessary
- Feature    PT-1508 : Adding --read-only-interval flag, and
  read-only check on wake-up
- Improvement PT-1507 : pt-summary does not reliably read in the
  transparent huge pages setting
- New tool    PT-1501 : pt-secure-collect - New tool to collect and
  sanitize pt-tools outputs
- Feature      PT-243 : Adding --max-hostname-length and
  --max-line-length to pt-query-digest

v3.0.8 released 2018-03-13

- Feature    PT-1500 : add --secure-slowlog option to pt-query digest

v3.0.7 released 2018-03-01

- Fixed Bug    PT-244 : pt-online-schema-change --data-dir option
  broken for partitioned table
- Feature      PT-633 : Added --mysql-only option to pt-stalk for RDS
- Fixed bug    PT-1256: pt-table-sync does not use the character set
  for the table it is synchronizing
- Fixed bug    PT-1455: pt-osc is stuck when the table that is being
  altered is filtered out in the slave
- Fixed bug    PT-1485: pt-mysql-summary has broken Security section
  in versions bigger then 5.6
- Fixed bug  PMM-1905: Explain fails if encounters negative
  "ntoreturn"

(fhajny)

doc: Updated net/py-lexicon to 2.7.3

(fhajny)

net/py-lexicon: Update to 2.7.3.

- Correct mocking in ovh test units during authentication phase.
- Re-add requirements.txt.

(fhajny)

doc: Updated sysutils/consul to 1.2.3

(fhajny)

sysutils/consul: Update to 1.2.3.

FEATURES:

- agent: New Cloud Auto-join provider: Kubernetes (K8S)
- http: Added support for "Authorization: Bearer" head in addition to
  the X-Consul-Token header.
- dns: Added a way to specify SRV weights for each service instance to
  allow weighted DNS load-balancing.
- dns: Include EDNS-ECS options in EDNS responses where appropriate:
  see RFC 7871
- ui: Add markers/icons for external sources

IMPROVEMENTS:

- ui: Switch to fullscreen layout for lists and detail, left aligned
  forms
- connect: TLS certificate readiness now performs x509 certificate
  verification to determine whether the cert is usable.
- ui: The syntax highlighting/code editor is now on by default
- ui: Fallback to showing `Node.Address` if `Service.Address` is not
  set
- gossip: Improvements to Serf and memberlist improving gossip
  stability on very large clusters (over 35k tested)

BUG FIXES:
- agent: Avoid returning empty data on startup of a non-leader server
- agent: Fixed a panic when serf_wan port was -1 but a
  reconnect_timeout_wan value was set.
- agent: Fixed a problem where errors regarding DNS server creation
  where never shown.
- agent: Start with invalid http configuration again, even though the
  build-in proxy for connect won't start in that case.
- catalog: Allow renaming nodes with IDs.
- dns: Fixes a bug with the DNS recursor, where we would not move onto
  the next provided recursor if we encounter a SERVFAIL or REFUSED
  status.
- server: Fixed a memory leak in blocking queries against /event/list.
- snapshot: Fixed a bug where node metadata wasn't being included in
  or restored from the snapshots.
- connect: Fixed a bug where managed proxy instances registered for
  instances with different name and ID and with restrictive ACL would
  not be allowed.
- connect: Fixed a bug where built-in CA state was not correctly
  restored from a snapshot
- connect: Fixed a bug where Checks with
  `deregister_critical_service_after` would deregister the service but
  not remove the managed proxy
- connect: Fixed a bug that would output an error about pruning CAs
  every hour on the leader and might cause some CA configurations not
  to be pruned correctly
- raft: Update raft vendoring to pull in a fix for a potential memory
  leak.
- license: (Consul Enterprise) Fix an issue with the license not being
  reloaded from snapshots.
- license: (Consul Enterprise) Fix an issue with encoding/decoding of
  the license package type from the /v1/operator/license endpoint.
- cli: Correctly exit with error code 1 when failing to list DCs with
  the catalog command
- ui: Improve layout on screens of a large portrait orientation
- ui: Various browser layout bugs for various vendors/setups

(fhajny)

doc: Updated archivers/lz4 to 1.8.3

(fhajny)

archivers/lz4: Update to 1.8.3.

- perf: minor decompression speed improvement (~+2%) with gcc
- fix : corruption in v1.8.2 at level 9 for files > 64KB under rare
  conditions (#560)
- cli : new command --fast, by @jennifermliu
- api : LZ4_decompress_safe_partial() now decodes exactly the nb of
  bytes requested (feature request #566)
- build : added Haiku target, by @fbrosson, and MidnightBSD, by @laffer1
- doc : updated documentation regarding dictionary compression

(fhajny)

devel/git-lfs: Add support for SunOS.

(fhajny)

lang/go: Add SYS_IOCTL on SunOS. Bump PKGREVISION.

(fhajny)

textproc/link-grammar: Force disable the optional Java bindings. Needs c99.

(fhajny)

doc: Added devel/rebar3 version 3.6.1

(fhajny)

devel/rebar3: Import rebar 3.6.1 as devel/rebar3.

Rebar3 is an Erlang tool that makes it easy to create, develop,
and release Erlang libraries, applications, and systems in
a repeatable manner.

(fhajny)

lang/erlang: Fix patch file, __STDC_VERSION__ might not be defined.

(fhajny)

doc: Updated devel/gradle to 4.10.1

(fhajny)

devel/gradle: Update to 4.10.1.

This bug-fix release addresses 6 regressions in Gradle 4.10:

- FileTreeElement.getPath() returns absolute system dependent
  filepath.
- Up-to-date checks for missing files can be incorrect
- Gradle fails when no incremental compile snapshot data
  available.
- Gradle 4.10 incorrect ordering between dependencies of
  dependent tasks.
- tasks.withType(ScalaCompile::class.java).configureEach fails
  on multi-project builds.
- Double deprecation message when using publishing plugin.

(fhajny)

doc: Updated security/openssl to 1.0.2p

(fhajny)

security/openssl: Update to 1.0.2p.

- Client DoS due to large DH parameter

  During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  malicious server can send a very large prime value to the client. This will
  cause the client to spend an unreasonably long period of time generating a
  key for this prime resulting in a hang until the client has finished. This
  could be exploited in a Denial Of Service attack.

  This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
  (CVE-2018-0732)
  [Guido Vranken]

- Cache timing vulnerability in RSA Key Generation

  The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  a cache timing side channel attack. An attacker with sufficient access to
  mount cache timing attacks during the RSA key generation process could
  recover the private key.

  This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
  Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
  (CVE-2018-0737)
  [Billy Brumley]

- Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  parameter is no longer accepted, as it leads to a corrupt table.  NULL
  pem_str is reserved for alias entries only.
  [Richard Levitte]

- Revert blinding in ECDSA sign and instead make problematic addition
  length-invariant. Switch even to fixed-length Montgomery multiplication.
  [Andy Polyakov]

- Change generating and checking of primes so that the error rate of not
  being prime depends on the intended use based on the size of the input.
  For larger primes this will result in more rounds of Miller-Rabin.
  The maximal error rate for primes with more than 1080 bits is lowered
  to 2^-128.
  [Kurt Roeckx, Annie Yousar]

- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  [Kurt Roeckx]

- Add blinding to ECDSA and DSA signatures to protect against side channel
  attacks discovered by Keegan Ryan (NCC Group).
  [Matt Caswell]

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  now allow empty (zero character) pass phrases.
  [Richard Levitte]

- Certificate time validation (X509_cmp_time) enforces stricter
  compliance with RFC 5280. Fractional seconds and timezone offsets
  are no longer allowed.
  [Emilia K辰sper]

(fhajny)

doc: Updated lang/nodejs8 to 8.12.0

(fhajny)

lang/nodejs8: Update to 8.12.0.

- async_hooks:
  - rename PromiseWrap.parentId
  - remove runtime deprecation
  - deprecate unsafe emit{Before,After}
- cluster:
  - add cwd to cluster.settings
  - support windowsHide option for workers
- crypto:
  - allow passing null as IV unless required
- deps:
  - upgrade npm to 6.4.1
  - upgrade libuv to 1.19.2
  - Upgrade node-inspect to 1.11.5
- fs,net:
  - support as and as+ flags in stringToFlags()
  - emit 'ready' for fs streams and sockets
- http, http2:
  - add options to http.createServer()
  - add 103 Early Hints status code
  - add http fallback options to .createServer
- n-api:
  - take n-api out of experimental
- perf_hooks:
  - add warning when too many entries in the timeline
- src:
  - add public API for managing NodePlatform
  - allow --perf-(basic-)?prof in NODE\_OPTIONS
  - node internals' postmortem metadata
- tls:
  - expose Finished messages in TLSSocket
- trace_events:
  - add file pattern cli option
- util:
  - implement util.getSystemErrorName()

(fhajny)

geography/libmaxminddb: Add buildlink3.mk

(fhajny)

doc: Added geography/libmaxminddb version 1.3.2

(fhajny)

geography/libmaxminddb: Import libmaxminddb 1.3.2.

The libmaxminddb library provides a C library for reading MaxMind
DB files, including the GeoIP2 databases from MaxMind.

(fhajny)

doc: Updated fonts/fntsample to 5.2

(fhajny)

fonts/fntsample: Update to 5.2.

Changes in version 5.2
- Fix handling of non-ASCII characters in pdfoutline

Changes in version 5.1
- Make writing outlines with Cairo actually work
- Fix typos

Changes in version 5.0
- Add command line flag that allows to use pango for text layout
- Add possiblility to create PDF outline directly using cairo
- Switch to CMake as build system
- Add command line flag for loading Unicode blocks file during runtime.

(fhajny)

doc: Added devel/xxhash version 0.6.5

(fhajny)

devel/xxhash: Import xxhash 0.6.5.

xxHash is an Extremely fast Hash algorithm, running at RAM speed
limits. It successfully completes the SMHasher test suite which
evaluates collision, dispersion and randomness qualities of hash
functions.

(fhajny)

doc: Updated databases/py-cassandra-driver to 3.15.1

(fhajny)

databases/py-cassandra-driver: Update to 3.15.1.

- C* 4.0 schema-parsing logic breaks running against DSE 6.0.X

(fhajny)

doc: Updated net/py-lexicon to 2.7.2

(fhajny)

net/py-lexicon: Update to 2.7.2.

2.7.2
- Update online cassette
- online api change: domain_id became simply domain name

2.7.1
- Remove route53 tests, boto recordings no longer work.
- Create a library unit test suite
- [Gehirn Web Service] fix 400 response on GET request
- Update setup.py adding cryptography to the setup.py file
- Use ImportError instead of subclass ModuleNotFoundError, which is
  supported only by python 3.6

(fhajny)

doc: Updated security/hitch to 1.4.8

(fhajny)

security/hitch: Update to 1.4.8.

hitch-1.4.8 (2018-04-19)
------------------------

- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged
  user.

hitch-1.4.7 (2018-01-11)
------------------------

- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to
  OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in
  the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if reduntant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters
  available though command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the
  pipe's write end open, leaking one file descriptor per worker upon
  reload

(fhajny)

mail/rspamd: Clean up temp testing flags

(fhajny)

doc: Updated lang/npm to 6.4.1

(fhajny)

lang/npm: Update to 6.4.1.

6.4.1

BUGFIXES

- Prevent blowing up on malformed responses from the npm audit
  endpoint, such as with third-party registries.
- Fix NO_PROXY support by renaming npm-side config to --noproxy. The
  environment variable should still work.
- Disable update-notifier checks when a CI environment is detected.
- Fix issue where postpack scripts would break if pack was used with
  --dry-run.

DEPENDENCY BUMPS

- figgy-pudding@3.4.1
- cacache@11.2.0
- npm-packlist@1.1.11
- libcipm@2.0.2
- JSONStream@1.3.4
- npm-lifecycle@2.1.0
- npm-registry-client@8.6.0
- opener@1.5.0
- request@2.88.0
- tacks@1.2.7
- ci-info@1.4.0
- marked@0.5.0

DOCUMENTATION

- Mention registry terms of use in manpage and registry docs and
  update language in README for it.
- Add documentation for --dry-run in install and pack docs.
- Update republish time and lightly reorganize republish info.
- Correct npm@6.4.0 release date in changelog.
- Align command descriptions in help text.

6.4.0

NEW FEATURES

- Search for authentication token defined by environment variables by
  preventing the translation layer from env variable to npm option
  from breaking :_authToken.
- Stop filtering out non-IPv4 addresses from local-addrs, making npm
  actually use IPv6 addresses when it must.
- Configurable audit level for non-zero exit npm audit currently exits
  with exit code 1 if any vulnerabilities are found of any level. Add
  a flag of --audit-level to npm audit to allow it to pass if only
  vulnerabilities below a certain level are found. Example: npm audit
  --audit-level=high will exit with 0 if only low or moderate level
  vulns are detected.

BUGFIXES

- Don't check for updates to npm when we are updating npm itself.

(fhajny)

doc: Updated lang/nodejs to 10.10.0

(fhajny)

lang/nodejs: Update to 10.10.0.

- child_process:
  - `TypedArray` and `DataView` values are now accepted as input by
    `execFileSync` and `spawnSync`.
- coverage:
  - Native V8 code coverage information can now be output to disk by
    setting the environment variable `NODE_V8_COVERAGE` to a directory.
- fs:
  - The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
    `fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray`
    and `DataView` objects.
  - A new boolean option, `withFileTypes`, can be passed to to
    `fs.readdir` and `fs.readdirSync`. If set to true, the methods
    return an array of directory entries. These are objects that can
    be used to determine the type of each entry and filter them based
    on that without calling `fs.stat`.
- http2:
  - The `http2` module is no longer experimental.
- os:
  - Added two new methods: `os.getPriority` and `os.setPriority`,
    allowing to manipulate the scheduling priority of processes.
- process:
  - Added `process.allowedNodeEnvironmentFlags`. This object can be
    used to programmatically validate and list flags that are allowed
    in the `NODE_OPTIONS` environment variable.
- src:
  - Deprecated option variables in public C++ API.
  - Refactored options parsing.
- vm:
  - Added `vm.compileFunction`, a method to create new JavaScript
    functions from a source body, with options similar to those of
    the other `vm` methods.

(fhajny)

doc: Updated mail/rspamd to 1.7.9

(fhajny)

mail/rspamd: Update to 1.7.9.

- Fix missing config files (pkg/53577).

The most important features and fixes

- Ratelimits are reworked and now work as intended (and documented)
- Clickhouse module supports data retention policies
- Reworked C modules to avoid global contexts (simplifies leaks
  detection on reload)
- Reputation plugin now supports SPF records reputation
- WebUI code is now even more conformant to the modern JS standards
- Maps are now distributed remotely with local file safety fallback to
  allow faster maps update without waiting for a new release
- Antivirus module checks attachments only (as decoded content) in
  attachments_only mode to improve AV performance by hiding the mime
  content from them

Full list of the meaningful changes

- [CritFix] Fix caseless comparison of equal length strings
- [Feature] Add HTTP basic auth support to elastic and clickhouse
  plugins
- [Feature] Add SPF selector to reputation
- [Feature] Add support of the fallback backends for HTTP maps
- [Feature] Allow to print full mime structure when extracting mime
  data
- [Feature] Allow to split symbols in reputation plugin
- [Feature] Check attachments only on AV scanners in attachments_only
  mode
- [Feature] Disable all SSL checks if ssl_no_verify flag is set
- [Feature] Implement parsing of scoped IPv6 addresses
- [Feature] Improve rspamc counters output
- [Fix] Add sanity checks when expanding SPF macros
- [Fix] Allow to parse SA rules with no spaces around =~ (dirty hack)
- [Fix] Avoid one extra byte writing
- [Fix] Deal with direct hash table
- [Fix] Detect empty text part as text, not HTML
- [Fix] Do not reduce map watch timeout for mixed http/file maps
- [Fix] Fix HTML part detection heuristic
- [Fix] Fix double free in redirectors cleanup
- [Fix] Fix legacy history handling in the controller
- [Fix] Fix messages insertion
- [Fix] Fix sending string method
- [Fix] Fix statconver command line arguments
- [Fix] Fixed argument checking for being null
- [Fix] Fixed issues reported by luacheck
- [Fix] Freeze updates queue when do actual storage update
- [Fix] HTTP map hash is per-backend and not per-map
- [Fix] Plug memory leak in fuzzy updates
- [Fix] Prefer 'MTA-Name' when producing authentication results
- [Fix] Replace bad unicode sequences instead of stopping on them
- [Fix] Set classifier version on learning
- [Project] Reworked ratelimits
- [Project] Apply topological sorting for symbols in Rspamd
- [Project] Remove global contexts from C modules
- [Project] Move performance critical hash tables to khash
- [WebUI] Avoid unused indexes
- [WebUI] Do not execute on_success callback
- [WebUI] Fix history reset for "All SERVERS" (#2346)
- [WebUI] Fix query URL for selected server
- [WebUI] Fix symbols display in legacy history,
- [WebUI] Hide symbols order selector for legacy history
- [WebUI] Refactor query functions into one
- [WebUI] Remove previously-attached event handlers
- [WebUI] Save symbols to the selected server
- [WebUI] Unify arguments of query functions
- [WebUI] Use common query functions to get graph data
- [WebUI] Use common query functions to save symbols

(fhajny)

doc: Updated security/vault to 0.11.1

(fhajny)

security/vault: Update to 0.11.1.

SECURITY:

- Random Byte Reading in Barrier: Prior to this release, Vault was not
  properly checking the error code when reading random bytes for the IV for
  AES operations in its cryptographic barrier. Specifically, this means that
  such an IV could potentially be zero multiple times, causing nonce re-use
  and weakening the security of the key. On most platforms this should never
  happen because reading from kernel random sources is non-blocking and always
  successful, but there may be platform-specific behavior that has not been
  accounted for. (Vault has tests to check exactly this, and the tests have
  never seen nonce re-use.)

FEATURES:

- AliCloud Agent Support: Vault Agent can now authenticate against the
  AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.

IMPROVEMENTS:

- core: Logging level for most logs (not including secrets/auth plugins) can
  now be changed on-the-fly via `SIGHUP`, reading the desired value from
  Vault's config file

BUG FIXES:

- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
  storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
  certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
  error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
  to show up for unauthenticated users

(fhajny)

doc: Updated security/py-certbot to 0.27.0

(fhajny)

security/py-certbot-dns-rfc2136: Fix EGG_NAME.

(fhajny)

py-{acme,certbot}: Update to 0.27.0.

## 0.27.0 - 2018-09-05

### Added

- The Apache plugin now accepts the parameter --apache-ctl which can
  be used to configure the path to the Apache control script.

### Changed

- When using `acme.client.ClientV2` (or
`acme.client.BackwardsCompatibleClientV2` with an ACME server that
supports a newer version of the ACME protocol), an
`acme.errors.ConflictError` will be raised if you try to create
an ACME account with a key that has already been used. Previously,
a JSON parsing error was raised in this scenario when using the
library with Let's Encrypt's ACMEv2 endpoint.

### Fixed

- When Apache is not installed, Certbot's Apache plugin no longer
  prints messages about being unable to find apachectl to the
  terminal when the plugin is not selected.
- If you're using the Apache plugin with the --apache-vhost-root flag
  set to a directory containing a disabled virtual host for the
  domain you're requesting a certificate for, the virtual host will
  now be temporarily enabled if necessary to pass the HTTP challenge.
- The documentation for the Certbot package can now be built using
  Sphinx 1.6+.
- You can now call `query_registration` without having to first call
  `new_account` on `acme.client.ClientV2` objects.
- The requirement of `setuptools>=1.0` has been removed from
  `certbot-dns-ovh`.
- Names in certbot-dns-sakuracloud's tests have been updated to refer
  to Sakura Cloud rather than NS1 whose plugin certbot-dns-sakuracloud
  was based on.

## 0.26.1 - 2018-07-17

### Fixed

- Fix a bug that was triggered when users who had previously manually
  set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.

(fhajny)

doc: Updated databases/elasticsearch to 6.4.0

(fhajny)

databases/elasticsearch: Update to 6.4.0.

6.4.0 release highlights

Analysis
- Option to index phrases on text fields
- Korean analysis tools
- Add multiplexing token filter

Machine learning
- Improve your machine learning results with custom rules
- The {ml} analytics can now detect specific change points in a time
  series

Mappings
- alias field type
- _ignored meta field

Rank Eval API
- Expected Reciprocal Rank metric for Rank Eval API

Search
- Cross Cluster Search will no longer use dedicated master nodes as
  gateway nodes
- Format option for doc_value fields
- Support second level of field collapse

Security
- Kerberos authentication support is now available
- {es} now offers a FIPS 140-2 compliant mode

6.3.0 release highlights

- SQL: This experimental feature enables users who are familiar with
  SQL to use SQL statements to query {es} indices.
- Rollups: This experimental feature enables you to summarize and
  store historical data so that is still available for analysis, but
  consumes significantly less storage space.
- Java 10 Support

For full releases since 6.2.4 please see

https://www.elastic.co/guide/en/elasticsearch/reference/6.4/release-notes-6.3.1.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/release-notes-6.3.2.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/release-notes-6.3.0.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/release-notes-6.4.0.html

(fhajny)

doc: Updated security/duo-unix to 1.10.4

(fhajny)

security/duo-unix: Update to 1.10.4.

duo_unix-1.10.4:

- Removed failmode decision from auth endpoint and moved it to only
  preauth according to standards in our other integrations
- Updated Duo Unix to speak up to TLS 1.2
- Support for LibreSSL 2.7.0 and up
- Minor memory leak fixes
- Output message when user is locked out

duo_unix-1.10.3:

- Added support for http_proxy with SELinux enabled

duo_unix-1.10.2:

- Added default failmode values in config files

(fhajny)

doc: Updated devel/gradle to 4.10

(fhajny)

devel/gradle: Update to 4.10.0.

- Improved incremental Java compiler.
- Periodically clean up unused /caches under GRADLE_USER_HOME and
  project root directories.
- Kotlin DSL version 1.0 RC3.
- Configuration avoidance, buildSrc refactoring propagation to the
  IDE, and lots of DSL polish.
- You can now use SNAPSHOT plugin versions with the plugins {} and
  pluginManagement {} blocks.
- Included builds can now be nested.

(fhajny)

doc: Updated lang/elixir to 1.7.3

(fhajny)

lang/elixir: Update to 1.7.3.

v1.7.3
======

1. Bug fixes

ExUnit
- [ExUnit.Assertions] Do not attempt to expand `try/1` as it is a
  special form

Mix
- [mix compile.app] Do not include applications with `runtime: false`
  as a runtime dependency for applications coming from Hex

v1.7.2
======

1. Bug fixes

Elixir
- [DateTime] Take negative years into account in
  `DateTime.from_iso8601/1`
- [Kernel] Do not emit warnings for repeated docs over different
  clauses due to false positives

Mix
- [mix compile] Properly mark top-level dependencies as optional and
  as runtime. This fixes a bug where Mix attempted to start optional
  dependencies of a package when those optional dependencies were not
  available
- [mix compile] Avoid deadlock when a config has a timestamp later
  than current time
- [mix help] Show task and alias help when both are available
- [mix test] Do not fail suite if there are no test files

v1.7.1
======

1. Bug fixes

Elixir
- [Calendar] Work-around a Dialyzer bug that causes it to loop for a
  long time, potentially indefinitely

v1.7.0
======

1. Enhancements

Elixir
- [Calendar.ISO] Support negative dates in `Calendar.ISO`
- [Calendar] Add `Calendar.months_in_year/1` callback
- [Code] Add `Code.compile_file/2` that compiles files without leaving
  footprints on the system
- [Code] Add `Code.purge_compiler_modules/0` that purges any compiler
  module left behind. This is useful for live systems dynamically
  compiling code
- [Code] Add `Code.fetch_docs/1` that returns docs in the [EEP
  48](http://erlang.org/eep/eeps/eep-0048.html) format
- [Date] Add `Date.months_in_year/1` function
- [DynamicSupervisor] Use the name of the `DynamicSupervisor` as the
  ID whenever possible
- [Exception] Provide "did you mean" suggestions on KeyError
- [Exception] Provide more information on ArithmeticError on
  Erlang/OTP 21+
- [Function] Add `Function` module with `capture/3`, `info/1` and
  `info/2` functions
- [GenServer] Support the new `handle_continue/2` callback on
  Erlang/OTP 21+
- [IO.ANSI] Add cursor movement to `IO.ANSI`
- [Kernel] Support adding arbitrary documentation metadata by passing
  a keyword list to `@doc`, `@moduledoc` and `@typedoc`
- [Kernel] Introduce `__STACKTRACE__` to retrieve the current
  stacktrace inside `catch`/`rescue` (this will be a requirement for
  Erlang/OTP 21+)
- [Kernel] Raise on unsafe variables in order to allow us to better
  track unused variables
- [Kernel] Warn when using `length` to check if a list is not empty on
  guards
- [Kernel] Add hints on mismatched `do`/`end` and others pairs
- [Kernel] Warn when comparing structs using the `>`, `<`, `>=` and
  `<=` operators
- [Kernel] Warn on unsupported nested comparisons such as `x < y < z`
- [Kernel] Warn if redefining documentation across clauses of the same
  definition
- [Kernel] Warn on unnecessary quotes around atoms, keywords and calls
- [Macro] Add `Macro.special_form?/2` and `Macro.operator?/2` that
  returns `true` if the given name/arity is a special form or operator
  respectively
- [Macro.Env] Add `Macro.Env.vars/1` and `Macro.Env.has_var?/2` that
  gives access to environment data without accessing private fields
- [Regex] Include endianness in the regex version. This allows regexes
  to be recompiled when an archive is installed in a system with a
  different endianness
- [Registry] Add `Registry.count/1` and `Registry.count_match/4`
- [String] Update to Unicode 11
- [StringIO] Add `StringIO.open/3`
- [System] Use ISO 8601 in `System.build_info/0`

ExUnit
- [ExUnit.Assertion] Print the arguments in error reports when
  asserting on a function call. For example, if `assert is_list(arg)`
  fails, the argument will be shown in the report
- [ExUnit.Diff] Improve diffing of lists when one list is a subset of
  the other
- [ExUnit.DocTest] Show colored diffs on failed doctests
- [ExUnit.Formatter] Excluded tests, via the `--exclude` and `--only`
  flags, are now shown as "Excluded" in reports. Tests skipped via
  `@tag :skip` are now exclusively shown as "Skipped" and in yellow

IEx
- [IEx.Helpers] Add `use_if_available/2`
- [IEx.Helpers] Allow `force: true` option in `recompile/1`
- [IEx.Helpers] Add `:allocators` pane to `runtime_info/1`
- [IEx.Helpers] Show documentation metadata in `h/1` helpers

Logger
- [Logger] Ensure nil metadata is always pruned
- [Logger] Only evaluate Logger macro arguments when the message will
  be logged
- [Logger] Add `:compile_time_purge_matching` to purge logger calls
  that match certain compile time metadata, such as module names and
  application names
- [Logger] Log to `:stderr` if a backend fails and there are no other
  backends
- [Logger] Allow translators to return custom metadata
- [Logger] Return `:crash_reason`, `:initial_call` and
  `:registered_name` as metadata in crash reports coming from
  Erlang/OTP

Mix
- [mix archive.install] Add support for the Hex organization via
  `--organization`
- [mix archive.uninstall] Support `--force` flag
- [mix compile] Improve support for external build tools such as
  `rebar`
- [mix deps] Include `override: true` in rebar dependencies to make
  the behaviour closer to how rebar3 works (although diverged deps are
  still marked as diverged)
- [mix escript.install] Add support for the Hex organization via
  `--organization`
- [mix escript.uninstall] Support `--force` flag
- [mix help] Also list aliases
- [mix local] Use ipv6 with auto fallback to ipv4 when downloading
  data
- [mix profile] Allow all profiling tasks to run programatically
- [mix test] Add `--failed` option that only runs previously failed
  tests
- [mix test] Print coverage summary by default when the `--cover` flag
  is given
- [Mix.Project] Add `Mix.Project.clear_deps_cache/0`
- [Mix.Project] Add `Mix.Project.config_mtime/0` that caches the
  config mtime values to avoid filesystem access

2. Bug fixes

Elixir
- [IO.ANSI.Docs] Fix table column alignment when converting docs to
  ANSI escapes
- [Code] Ensure `string_to_quoted` returns error tuples instead of
  raising in certain constructs
- [Code.Formatter] Consistently format keyword lists in function calls
  with and without parens
- [Code.Formatter] Do not break after `->` when there are only
  comments and one-line clauses
- [File] Allow the `:trim_bom` option to be used with `:encoding`
- [Kernel] Raise on unsafe variables as some of the code emitted with
  unsafe variables would not correctly propagate variables or would
  disable tail call optimization semantics
- [Kernel] Do not crash on dynamic sizes in binary generators with
  collectable into in comprehensions
- [Kernel] Do not crash on literals with non-unary size in binary
  generators with collectable into in comprehensions
- [Task] Improve error reports and exit reasons for failed tasks on
  Erlang/OTP 20+

ExUnit
- [ExUnit.Case] Raise proper error if `@tag` and `@moduletag` are used
  before `use ExUnit.Case`
- [ExUnit.Case] Raise proper error if `@describetag` is used outside
  of `describe/2` blocks
- [ExUnit.DocTest] Emit proper assertion error on doctests with
  invalid UTF-8

Mix
- [mix archive.install] Fetch optional dependencies when installing an
  archive from Git/Hex
- [mix compile] Properly track config files in umbrella projects and
  recompile when any relevant umbrella configuration changes
- [mix deps] Ensure the same dependency from different SCMs are tagged
  as diverged when those SCMs are remote and non-remote
- [mix deps] Ensure we re-run dependency resolution when overriding a
  skipped dep in umbrella
- [mix deps.compile] Perform clean builds for dependencies on outdated
  locks to avoid old modules from affecting future compilation
- [mix escript.install] Fetch optional dependencies when installing an
  escript from Git/Hex

3. Soft-deprecations (no warnings emitted)

Elixir
- [Code] Deprecate `Code.load_file/2` in favor of
  `Code.compile_file/2`
- [Code] Deprecate `Code.loaded_files/0` in favor of
  `Code.required_files/0`
- [Code] Deprecate `Code.unload_files/1` in favor of
  `Code.unrequire_files/1`

Logger
- [Logger] `compile_time_purge_level` is deprecated in favor of
  `compile_time_purge_matching`

4. Hard-deprecations

Elixir
- [Code] `Code.get_docs/2` is deprecated in favor of
  `Code.fetch_docs/1`
- [Enum] `Enum.chunk/2/3/4` is deprecated in favor of
  `Enum.chunk_every/2/3/4` - notice `chunk_every` does not discard
  incomplete chunks by default
- [GenServer] Warn if `super` is used in any of the GenServer
  callbacks
- [Kernel] `not left in right` is ambiguous and is deprecated in favor
  of `left not in right`
- [Kernel] Warn on confusing operator sequences, such as `1+++1`
  meaning `1 ++ +1` or `........` meaning `... .. ...`
- [OptionParser] Deprecate dynamic option parser mode that depended on
  atoms to be previously loaded and therefore behaved inconsistently
- [Stream] `Stream.chunk/2/3/4` is deprecated in favor of
  `Stream.chunk_every/2/3/4` - notice `chunk_every` does not discard
  incomplete chunks by default

(fhajny)

doc: Updated databases/py-cassandra-driver to 3.15.0

(fhajny)

databases/py-cassandra-driver: Update to 3.15.0

Features
--------
- Parse Virtual Keyspace Metadata

Bug Fixes
---------
- Tokenmap.get_replicas returns the wrong value if token coincides
  with the end of the range
- Python Driver fails with "more than 255 arguments" python exception
  when > 255 columns specified in query response
- Hang in
  integration.standard.test_cluster.ClusterTests.test_set_keyspace_twice
- Asyncore reactors should use a global variable instead of a class
  variable for the event loop

Other
-----
- Use global variable for libev loops so it can be subclassed
- Update SchemaParser for V4
- Bump Cython dependency version to 0.28

(fhajny)

doc: Updated net/powerdns-recursor to 4.1.4

(fhajny)

net/powerdns-recursor: Update to 4.1.4.

Improvements

- Split pdns_enable_unit_tests.
- Add a new max-udp-queries-per-round setting.
- Fix warnings reported by gcc 8.1.0.
- Tests: replace awk command by perl.
- Allow the snmp thread to retrieve statistics.

Bug Fixes

- Don窶冲 account chained queries more than once.
- Make rec_control respect include-dir.
- Load lua scripts only in worker threads.
- Purge all auth/forward zone data including subtree.

(fhajny)

doc: Updated net/powerdns to 4.1.4

(fhajny)

net/powerdns: Update to 4.1.4.

Improvements

- Fix warnings reported by gcc 8.1.0.
- Make the gmysql backend future-proof.
- Initialize some missed qtypes.

Bug Fixes

- Avoid concurrent records/comments iteration from running out of
  sync.
- Fix a crash in the API when adding records.
- pdns_control notify: handle slave without renotify properly.
- Reset the TSIG state between queries.
- Remove SOA-check backoff on incoming notify and fix lock handling.
- Fix an issue where updating a record via DNS-UPDATE in a child zone
  that also exists in the parent zone, we would incorrectly apply the
  update to the parent zone.
- Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl
  return value.

(fhajny)

doc: Updated security/vault to 0.11.0

(fhajny)

security/vault: Update to 0.11.0.

DEPRECATIONS/CHANGES:

- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
  removed.
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operates on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces reduce
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.

FEATURES:

- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
  environment.
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on vaultproject.io for
  various workflows in Vault.

IMPROVEMENTS:

- agent: Add `exit_after_auth` to be able to use the Agent for a single
  authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.

BUG FIXES:

- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races

(fhajny)

doc: Updated textproc/py-xlsxwriter to 1.1.0

(fhajny)

doc: Updated www/nghttp2 to 1.33.0

(fhajny)

www/nghttp2: Update to 1.33.0.

- lib: Tweak nghttp2_session_set_stream_user_data
- lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS.
- lib: Implement ORIGIN frame
- asio: support definition of local endpoint for cleartext client
  session
- integration: Remove remaining SPDY code from the integration tests.
- nghttpx: Fix worker process crash with neverbleed write error
- nghttpx: Support per-backend mruby script
- nghttpx: Fix stream reset if data from client is arrived before dconn
  is attached

(fhajny)

Remove duplicate SunOS-only items from PLIST. Fixes non-SunOS builds.

(fhajny)

doc: Updated devel/php-gearman to 2.0.5

(fhajny)

devel/php-gearman: Update to 2.0.5.

Based on a PR by @mmoll, see NetBSD/pkgsrc#30

Version 2.0.5
-------------
- fixing incorrect number of required parameters for
  GearmanClient::addServer and GearmanClient::addServers, along with
  proceduralequivalents

Version 2.0.4
-------------
- fix "Param to skip exception handling setup in addServer/addServers
  in GearmanClient class"

(fhajny)

doc: Updated devel/gearmand to 1.1.18

(fhajny)

devel/gearmand: Update to 1.1.18.

Based on a PR by @mmoll, see NetBSD/pkgsrc#31

Upstream changelog
==================

1.1.18
- HTTP protocol bug fix
- configure.sh accepts -o flag
- Build and test cleanly on OS X with latest xcode

1.1.17
- Redis fixed for items larger than 64 bytes
- Various memcached plugin bugfixes
- Shellcheck passes for bootstrap.sh

1.1.16
- Fixes to HTTP protocol plugin and background jobs
- Redis queue plugin refactored
- TCP Keepalive settings are properly respected
- Various fixes for stricter C++11 compilation
- Changed from CYaSSL to WolfSSL
- Various fixes to memcached queue plugin

1.1.15
- Added "prioritystatus" command to display queued jobs broken down by
  priority.
- Turn on artifact storage
- Use _exit() in fork test to fix race
- add "redis-password" option to redis

1.1.14
- This includes significant fixes for the redis queue backend, and
  various minor bug fixes.

1.1.12 Sun Feb  9 04:27:38 PST 2014
- GEARMAN_SERVERS environmental variable for libgearman to pick up
  servers to communicate with. This means that any driver now linked
with libgearman will be able to handle multiple servers.
- Add INFO level messages for queue creation.

1.1.11 Thu Oct  3 04:38:47 EDT 2013
- Workers which return a bad gearman_return_t will be counted as an
  error by the server and not a final (i.e. they will be retried).
- Fixed possible bug where the server would over count the number of
  NOOP sent if NOOP messages did not get sent.

1.1.10 Mon Sep 16 04:20:13 CDT 2013
- Added gearman_job_use_client()
- Improve compile time.
- Fix for NOOP failure (bad worker causes early exit of loop).
- Fix for postgres (use INFORMATION_SCHEMA).
- Added gearman_client_has_active_tasks() so that you can see if a
  client has active tasks that it is working on.

1.1.9 Fri Aug  2 02:39:25 EDT 2013
- Added gearman_task_is_finished()
- Improved SSL support.
- Exceptions are now supported.
- gearmand excepts its root CA via the environmental variable
  GEARMAND_PORT.
- libgearman will now except GEARMAND_CA_CERTIFICATE,
  GEARMAN_CLIENT_PEM, and GEARMAN_CLIENT_KEY

1.1.8 Thu Jun  6 18:47:01 EDT 2013
- Postgres test case now passes.
- SSL support added.
- OSX fixes.

1.1.7 Mon May  6 06:46:20 EDT 2013
- Cleanup of error codes returned by gearmand.
- gearmand will now set its port from the env variable GEARMAND_PORT.
- Fix issue where identifier might not be set correctly on reconnect.

1.1.6 Tue Apr 16 03:29:57 EDT 2013
- Merge of 1.0.4 tree
- Added support for gearadmin to "cancel" a job.
- Keep-alive support for gearmand has been extended (more options to
  control behavior).
- Fixed issues related to clients who didn't really support exceptions
  being passed exceptions.

1.1.5 Mon Feb  4 00:59:19 EST 2013
- Rollup of bug fixes for 1.0.3
- --threads=0 for gearmand will now result in gearmand using all
  available cores.

1.1.4 Mon Dec 17 21:24:16 EST 2012
- Add GEARMAN_CLIENT_GENERATE_UNIQUE, with default set to not
  generate.
- Experimental addition to queue service which will allow a queue to
  be stored on shutdown (--libsqlite3-store-on-shutdown).
- Rollup of all changes in 1.0.2

1.1.3 Wed Nov  7 22:48:21 EST 2012
- Merge with 1.0.1

1.1.2 Fri Oct 12 05:34:29 EDT 2012
- Merge with 0.41

1.1.1 Wed Sep 19 22:04:56 EDT 2012
- Merge with 0.39

1.1.0 Wed Sep  5 08:33:37 PDT 2012
- Fix for ABI compatibility issues.

(fhajny)

Revert duplicate entry

(fhajny)

doc: Updated textproc/py-xlsxwriter to 1.0.7

(fhajny)

doc: Updated lang/nodejs6 to 6.14.4

(fhajny)

lang/nodejs6: Update to 6.14.4.

- buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2
  encoding (CVE-2018-12115)

(fhajny)

doc: Updated lang/nodejs8 to 8.11.4

(fhajny)

lang/nodejs8: Update 8.11.4.

- buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2
  encoding (CVE-2018-12115)

(fhajny)

doc: Updated lang/nodejs to 10.9.0

(fhajny)

lang/nodejs: Update to 10.9.0.

- buffer:
  - Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2
    encoding (CVE-2018-12115)
  - Fix unintentional exposure of uninitialized memory in
    `Buffer.alloc()` (CVE-2018-7166)
- deps:
  - Upgrade to OpenSSL 1.1.0i, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
  - Upgrade V8 from 6.7 to 6.8
    - Memory reduction and performance improvements
- http: `http.get()` and `http.request()` (and `https` variants) can
  now accept three arguments to allow for a `URL` _and_ an `options`
  object

(fhajny)

doc: Updated sysutils/syslog-ng to 3.17.2

(fhajny)

sysutils/syslog-ng: Update to 3.17.2.

3.17.2
======

## Bugfixes

- Fix a bug in flow-control
- Fix template function evaluation in debugger

3.17.1
======

## Features

- Client side failback mode
- New linux-audit() source as SCL
- Decorating generated configuration
- Introduce ewmm() source
- Add parsing of Cisco unified call manager
- Mandatory parameters for cfg-block (SCL)

## Bugfixes

- dqtool cat print backlog items
- Rewind backlog in case of stateless LogProtoClient
- Filter out incorrectly parsed sudo logs
- Minor fixes related to client-lib-dir, loggen and eventlog
- Minor stats-query fixes and refactor
- Reliable disk buffer non-empty backlog
- Fix pip package versions on older distro releases (dbld)
- Fix a groupset/groupunset and map-value-pairs() crash
- Make g_atomic_counter_set() atomic and update minimum glib version
  to 2.26
- Aligning java related SCLs with mandatory parameters
- Loggen minor fixes
- grab-logging should be installed as a header
- Fix possible underflow of memory_usage (afsql, logqueue-fifo)
- Fix SELinux module version inconsistency
- Fix CMake unit test compilation (no-pie)
- Fix possible crash in syslog-parser()
- Disable ack for mark mode
- Fixing a Telegram destination bug with bot id
- All drivers should support inner destination or source plugins
- Fix default file and directory creation ownership
- Fix global "center;;received" counter when systemd-journal() is used
- Link everything to libsecret-storage
- Inform about the right dns-cache() configuration (warning message
  typo)
- Adjusting window size for internal mark mode
- Fix memory leaks in disk-buffer()
- Fix undefined behavior in log multiplexer
- Fix static linking mode (autotools)
- Fix internal mark mode infinite loop with old ivykis
- Fix missing normalize flags
- Keep JVM running on reload if once configured
- Fix a race condition (suspend) in LogSource
- Add `@requires json-plugin` to the cim() parser
- Added exclude_kmsg option to system source
- Fix padding template function
- Leak & invalid memory access
- FreeBSD 11.2 builderror SOCK_STREAM
- Add ref-counted TLSVerifier struct (use after free fix)

## Other changes

- Improve loggen's file message parser
- syslog-ng-debun improvements
- Goodbye "goto relex" (refactor)
- Refactor the callback registration mechanism of WildcardFileReader
- Extended Linux capabilities detection (pkg-config)
- Add atomic gssize
- Lower the message level of `@requires` to debug
- macOS warning elimination
- Remove a misleading rewrite-related debug message
- Minor updates to SELinux policy installer script
- More robust GLib detection (CMake)
- Logthreaded nonfunctional changes
- Confgen and pragma improvements
- Flush before stopping syslog-ng (functional tests)
- Port unit tests into criterion (test_filters_netmask6, test_findeom,
  csv_parser, patternDB)
- Libtest refactors
- Add missing files to the source tarball
- Better python binary detection

(fhajny)

doc: Updated databases/pgbouncer to 1.9.0

(fhajny)

databases/pgbouncer: Update to 1.9.0.

Features

- RECONNECT command
- WAIT_CLOSE command
- Fast close - Disconnect a server in session pool mode immediately
  if it is in "close_needed" (reconnect) mode.
- Add close_needed column to SHOW SERVERS

Fixes

- Avoid double-free in parse_filename
- Avoid NULL pointer deref in parse_line

Cleanups

- Port mkauth.py to Python 3
- Improve signals documentation
- Improve quick start documentation
- Document SET command
- Correct list of required software
- Fix -Wimplicit-fallthrough warnings
- Add missing documentation for various SHOW fields
- Document reconnect behavior on reload and DNS change
- Document that KILL requires RESUME afterwards
- Clarify documentation of server_lifetime
- Typos and capitalization fixes in messages and docs
- Fix psql invocation in tests
- Various other test setup improvements

(fhajny)

net/dnsdist: Fix build on SunOS, clean up args, disable optional SNMP.

(fhajny)

doc: Updated lang/npm to 6.3.0

(fhajny)

lang/npm: Update tp 6.3.0.

## v6.3.0 (2018-08-01):

- `figgy-pudding@3.2.0`
- `cacache@11.1.0`

## v6.3.0-next.0 (2018-07-25):

### NEW FEATURES

- `npm version` now supports a `--preid` option to specify the preid
  for prereleases. For example, `npm version premajor --preid rc` will tag
  a version like `2.0.0-rc.0`.

### MESSAGING IMPROVEMENTS

- Make `npm audit fix` message provide better instructions for
  vulnerabilities that require manual review.
- Fix missing colon next to tarball url in new `npm view` output.
- Use the defaut OTP explanation everywhere except when the context is
  "OTP-aware" (like when setting double-authentication). This improves
  the overall CLI messaging when prompting for an OTP code.

### MISC

- Use the extracted `stringify-package` package.
- `wrappy` was previously added to dependencies in order to flatten
  it, but we no longer do legacy-style for npm itself, so it has been
  removed from `package.json`.

## v6.2.0 (2018-07-13):

### FEATURES

- Add support for tab-separated output for `npm audit` data with the
  `--parseable` flag.
- Add new `sign-git-commit` config to control whether the git commit
  itself gets signed, or just the tag (which is the default).

### FIXES

- Do not use `SET` to fetch the env in git-bash or Cygwin.

### DEPENDENCY BUMPS

- `request@2.81.0`: Downgraded to allow better deduplication. This
  does introduce a bunch of `hoek`-related audit reports, but they don't
  affect npm itself so we consider it safe. We'll upgrade `request` again
  once `node-gyp` unpins it.
- `node-gyp@3.7.0`
_ `cli-table3@0.5.0`: `cli-table2` is unmaintained and required
  `lodash`. With this dependency bump, we've removed `lodash` from our tree,
  which cut back tarball size by another 300kb.
- `npm-audit-report@1.3.1`
- Add `cli-table3` to bundleDeps.
- Make `standard` happy.

## v6.2.0-next.1 (2018-07-05):

- Remove postinstall script that depended on source files, thus
  preventing `npm@next` from being installable from the registry.

## v6.2.0-next.0 (2018-06-28):

### NEW FEATURES

- You can now disable the update notifier entirely by using
  `--no-update-notifier` or setting it in your config with `npm config
  set update-notifier false`.
- When `npm run-script <script>` fails due to a typo or missing
  script, npm will now do a "did you mean?..." for scripts that do exist.

### BUGFIXES

- Fix the regular expression matching in `xcode_emulation` in
  `node-gyp` to also handle version numbers with multiple-digit major
  versions which would otherwise break under use of XCode 10.
- Stop trying to hoist/dedupe bundles dependencies.
- Add synopsis to brief help for `npm audit` and suppress trailing
  newline.
- Exclude /.github directory from npm tarball.
- Add suggestion to use a temporary cache instead of `npm cache clear
  --force`.

### DEPENDENCY SHUFFLE!

We did some reshuffling and moving around of npm's own dependencies.
This significantly reduces the total bundle size of the npm pack,
from 8MB to 4.8MB for the distributed tarball! We also moved around
what we actually commit to the repo as far as devDeps go.

- Flatten and dedupe our dependencies!
- Remove unused direct dependency `ansi-regex`.
- Reshuffle ansi-regex for better deduping.
- Reshuffle strip-ansi for better deduping.
- Reshuffle is-fullwidth-code-point for better deduping.
- Add fake-registry, npm-registry-mock replacement.

### DEPENDENCIES

- `tar@4.4.3`
- `pacote@8.1.6`
- `libcipm@2.0.0`
- `request@2.87.0`
- `which@1.3.1`
- `tar@4.4.4`
- `JSONStream@1.3.3`
- `is-cidr@2.0.6`
- `marked@0.4.0`
- `tap@12.0.1`
- `npm-profile@3.0.2`
- `uuid@3.3.2`

(fhajny)

doc: Updated lang/nodejs to 10.8.0

(fhajny)

lang/nodejs: Update to 10.8.0.

No notable changes besides update to npm 6.2.0, which we do not
bundle.

(fhajny)

doc: Updated sysutils/consul to 1.2.2

(fhajny)

sysutils/consul: Update to 1.2.2

## 1.2.2 (July 30, 2018)

SECURITY:
- acl: Fixed an issue where writes operations on the Keyring and
  Operator were being allowed with a default allow policy even when
  explicitly denied in the policy.

FEATURES:

- **Alias Checks:** Alias checks allow a service or node to alias the
  health status of another service or node in the cluster.
- agent: New Cloud Auto-join providers: vSphere and Packet.net.
- cli: Added `-serf-wan-port`, `-serf-lan-port`, and `-server-port`
  flags to CLI for cases where these can't be specified in config
  files and `-hcl` is too cumbersome.
- connect: The TTL of leaf (service) certificates in Connect is now
  configurable.

IMPROVEMENTS:

- proxy: With `-register` flag, heartbeat failures will only log once
  service registration succeeds.
- http: 1.0.3 introduced rejection of non-printable chars in HTTP URLs
  due to a security vulnerability. Some users who had keys written
  with an older version which are now dissallowed were unable to delete
  them. A new config option disable_http_unprintable_char_filter is
  added to allow those users to remove the offending keys. Leaving this
  new option set long term is strongly discouraged as it bypasses
  filtering necessary to prevent some known vulnerabilities.
- agent: Allow for advanced configuration of some gossip related
  parameters.
- agent: Make some Gossip tuneables configurable via the config file
- ui: Included searching on `.Tags` when using the freetext search
  field.
- ui: Service.ID's are now shown in the Service detail page and (only
  if it is different from the service name) the Node Detail >
  [Services] tab.

BUG FIXES:

- acl/connect: Fix an issue that was causing managed proxies not to
  work when ACLs were enabled.
- connect: Fix issue with managed proxies and watches attempting to
  use a client addr that is 0.0.0.0 or ::
- connect: Allow Native and Unmanaged proxy configurations via config
  file
- connect: Fix bug causing 100% CPU on agent when Connect is disabled
  but a proxy is still running
- proxy: Don't restart proxies setup in a config file when Consul
  restarts
- ui: Display the Service.IP address instead of the Node.IP address in
  the Service detail view.
- ui: Watch for trailing slash stripping 301 redirects and forward the
  user to the correct location.
- connect: Fixed an issue in the connect native HTTP client where it
  failed to resolve service names.

## 1.2.1 (July 12, 2018)

IMPROVEMENTS:

- acl: Prevented multiple ACL token refresh operations from occurring
  simultaneously.
- acl: Add async-cache down policy mode to always do ACL token
  refreshes in the background to reduce latency.
- proxy: Pass through HTTP client env vars to managed proxies so that
  they can connect back to Consul over HTTPs when not serving HTTP.
- connect: Persist intermediate CAs on leader change.

BUG FIXES:

- api: Intention APIs parse error response body for error message.
- agent: Intention read endpoint returns a 400 on invalid UUID
- agent: Service registration with "services" does not error on
  Connect upstream configuration.
- dns: Ensure that TXT RRs dont get put in the Answer section for
  A/AAAA queries.
- dns: Ensure that only 1 CNAME is returned when querying for services
  that have non-IP service addresses.
- api: Fixed issue where `Lock` and `Semaphore` would return earlier
  than their requested timeout when unable to acquire the lock.
- watch: Fix issue with HTTPs only agents not executing watches
  properly
- agent: Managed proxies that bind to 0.0.0.0 now get a health check
  on a sane IP
- server: (Consul Enterprise) Fixed an issue causing Consul to panic
  when network areas were used
- license: (Consul Enterprise) Fixed an issue causing the snapshot
  agent to log erroneous licensing errors

(fhajny)

doc: Updated mail/rspamd to 1.7.8

(fhajny)

mail/rspamd: Update to 1.7.8

1.7.8: 12 Jul 2018
- [Feature] Add more extended statistics about fuzzy updates
- [Feature] Add more non-conformant Received headers support
- [Feature] Add preliminary function to get fuzzy hashes from text in
  Lua
- [Feature] Allow to configure AV module rejection message
- [Feature] Implement fuzzy hashes extraction in mime tool
- [Feature] Improve WHITE_ON_WHITE rule
- [Feature] Improve integer -> string conversion
- [Feature] Reuse maps in multimap module more aggressively
- [Fix] Avoid race condition in skip map as pool lifetime is not
  enough
- [Fix] Eliminate all specific C plugins pools
- [Fix] Fix DKIM check rule if DNS is unavailable
- [Fix] Fix build where ucontext is defined in ucontext.h
- [Fix] Fix crash in base url handling
- [Fix] Fix descriptors leak in sqlite3 locking code
- [Fix] Fix messages quarantine
- [Fix] Fix padded numbers printing
- [Fix] Fix race condition on maps reinit
- [Fix] Fix regexp functions when no data is passed
- [Fix] Fix specific urls extraction
- [Fix] Fix styles propagation
- [Fix] Improve resetting of the limit buckets
- [Fix] Initialize sqlite3 properly
- [Fix] Work with broken resolvers in resolv.conf
- [Project] Implement HTTP maps caching
- [Project] Refresh fuzzy hashes when matched
- [Project] Add logic to deduplicate fuzzy updates queue
- [WebUI] Add missed declarations
- [WebUI] Avoid using "undefined" property
- [WebUI] Do not accept passwords containing control characters
- [WebUI] Do not redeclare variables
- [WebUI] Enable strict mode,
- [WebUI] Fix variable assignment
- [WebUI] Initialize variables at declaration
- [WebUI] Remove duplicated path from RequireJS config
- [WebUI] Remove unused block
- [WebUI] Remove unused variable
- [WebUI] Remove unused variables
- [WebUI] Use self-explanatory notation
- [WebUI] Use type-safe equality operators

1.7.7: 02 Jul 2018
- [CritFix] Check NM part of pubkey to match it with rotating keypairs
- [CritFix] Do not overwrite PID of the main process
- [CritFix] Fix maps after reload
- [CritFix] Fix maps race conditions on reload
- [CritFix] Fix shmem leak in encrypting proxy mode
- [Feature] Add a concept of ignored symbols to avoid race conditions
- [Feature] Add ability to print bayes tokens in rspamadm mime
- [Feature] Add method to get statistical tokens in Lua API
- [Feature] Add preliminary mime stat command
- [Feature] Add rspamadm mime tool
- [Feature] Add urls extraction tool
- [Feature] Address ZeroFont exploit
- [Feature] Allow rspamadm mime to process multiple files
- [Feature] Allow to extract words in `rspamadm mime`
- [Feature] Allow to print mime part data
- [Feature] Allow to show HTML structure on extraction
- [Feature] Distinguish IP failures from connection failures
- [Feature] Improve output for mime command
- [Feature] Improve styles propagation
- [Feature] Main process crash will now cleanup all children
- [Feature] Preload file and static maps in main process
- [Feature] Print stack trace on crash
- [Feature] Process font size in HTML parser
- [Feature] Propagate content length of invisible tags
- [Feature] Read ordinary file maps in chunks to be more safe on
  rewrites
- [Feature] Support base tag in HTML
- [Feature] Support more size suffixes when parsing HTML styles
- [Feature] Support opacity style
- [Fix] Another fix for nested composites
- [Fix] Fill nm id in keypairs cache code
- [Fix] Fix colors alpha channel handling
- [Fix] Fix destruction logic
- [Fix] Fix double free
- [Fix] Fix maps preload logic
- [Fix] Fix nested composites process
- [Fix] Fix proxying of Exim connections
- [Fix] Fix reload crash
- [Fix] Fix rspamadm -l command
- [Fix] Update ed25519 signing schema
- [WebUI] Stop using "const" declaration
- [WebUI] Update RequireJS to 2.3.5

1.7.6: 15 Jun 2018
- [CritFix] Fix multiple neural networks support
- [Feature] Add decryption function to keypair command
- [Feature] Add gzip compression for HTTP requests in elastic module
- [Feature] Add gzip methods to lua util
- [Feature] Add maps based on Top Level Domains
- [Feature] Add pubkey checks for dkim_signing
- [Feature] Add support of fake DNS records
- [Feature] Add tool to encrypt files
- [Feature] Allow to add symbols using settings directly
- [Feature] Allow to match private and public keys for DKIM signatures
- [Feature] Allow to set task flags via settings
- [Feature] Allow to specify fake DNS address from the config
- [Feature] Implement signatures verification using rspamadm keypair
- [Feature] Implement signing using `rspamadm keypair`
- [Feature] Improve error reporting for DKIM key access issues
- [Feature] Provide $HOSTNAME variable in UCL
- [Feature] Rework levenshtein distance computation
- [Feature] Split message parsing and processing
- [Feature] Support ED25519 DKIM signatures
- [Feature] Support encrypted configs in UCL
- [Feature] Suppress duplicate warning on very large radix tries
- [Feature] Use OSB to combine header names
- [Fix] Cleanup maps data on shutdown
- [Fix] Fix '~' behaviour in composites
- [Fix] Fix HTTP maps updates
- [Fix] Fix NIST signatures
- [Fix] Fix RFC822 comments when processing a mime address
- [Fix] Fix double free
- [Fix] Fix dynamic settings application
- [Fix] Fix for CommuniGate Pro maillist
- [Fix] Fix keypair creation method to actually create keypair...
- [Fix] Fix matching patterns with no paths
- [Fix] Fix memory leak in parsing comments
- [Fix] Fix parsing of urls with numeric password
- [Fix] Fix plugins intialisation in configwizard
- [Fix] Fix potential crash on reload
- [Fix] Fix potential race condition for a finished HTTP connections
- [Fix] Fix race-condition leak on processes reload
- [Fix] Fix signing in openssl mode
- [Fix] Free language detector structures
- [Fix] Relax alignment requirements
- [Fix] Send DMARC reports compressed
- [Fix] Try to fix leak in dmarc module
- [Fix] Try to plug memory leak in metric exporter
- [Project] Convert rspamadm subcommands to Lua
- [WebUI] Display smtp sender/recipient in history
- [WebUI] Fix elements disabling in "Symbols" tab
- [WebUI] Limit recipients list in history column to 3
- [WebUI] Match envelope and mime addresses following in arbitrary
  order
- [WebUI] Update column header
- [WebUI] Wrap addresses in history

1.7.5: 18 May 2018
- [Conf] Add MSBL proposed return codes
- [Conf] Add additional groups for policies
- [CritFix] Do not use volatile Lua strings as UCL keys
- [Feature] Add ability to add fuzzy hashes to headers
- [Feature] Add function to extract most meaningful urls
- [Feature] Add rule to block mixed text and encrypted parts
- [Feature] Allow multiple groups for symbols
- [Feature] Allow to disable lua squeezing logic
- [Feature] Allow to get multipart children in Lua
- [Feature] Allow to insert multiple headers from milter headers
- [Feature] Allow to print scores in subject and further extensions
- [Feature] Be more error-prone in squeezed rules
- [Feature] Support multiple return codes in emails module
- [Feature] Use EMA for calculating averages
- [Feature] Use common jit cache for all regexps
- [Feature] support for CommuniGate Pro self-generated messages
- [Fix] Allow to have multiple values for headers as arrays
- [Fix] Do not open sockets for disabled workers
- [Fix] Fix AuthservId
- [Fix] Fix base64 folding in Lua API
- [Fix] Fix build on non-x86 platforms
- [Fix] Fix cached maps logic
- [Fix] Fix compatibility with old maps query logic
- [Fix] Fix crash if skip_map is used
- [Fix] Fix importing static maps from UCL
- [Fix] Fix parsing of unix sockets
- [Fix] Fix raw_mime regexp on HTML part with no text content
- [Fix] Fix tables logging
- [Fix] Fix vertical tab handling in libucl
- [Fix] Try to fix frequency counters
- [Fix] Use better sharding for ip_score
- [Fix] Use multiple results from SURBL DNS reply
- [Fix] When doing AV scan select a different server for retransmit

(fhajny)

doc: Updated lang/nodejs to 10.7.0

(fhajny)

lang/nodejs: Update to 10.7.0.

- console:
  - The `console.timeLog()` method has been implemented.
- deps:
  - Upgrade to libuv 1.22.0.
  - Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1).
- http:
  - Added support for passing both `timeout` and `agent` options to
    `http.request`.
- inspector:
  - Expose the original console API in `require('inspector').console`.
- napi:
  - Added experimental support for functions dealing with bigint
    numbers.
- process:
  - The `process.hrtime.bigint()` method has been implemented.
  - Added the `--title` command line argument to set the process title
    on startup.
- trace_events:
  - Added process\_name metadata.

(fhajny)

doc: Updated chat/ejabberd to 18.06

(fhajny)

chat/ejabberd: Update to 18.06.

Admin
- Stop ejabberd initialization on invalid/unknown options
- Add new options for OOM watchdog: oom_watermark and oom_queue
- Add ability to modify version string
- Add option ext_api_headers to define REST API custom headers
- Fix Erlang limits in ejabberdctl.cfg.example to reflect current
  situation
- Make trusted_proxied ejabberd_http option accept ip masks
- Teach acl ip matching about ipv4 mapped ipv6 addresses
- Removed watchdog_admins option from config, as has no effect anymore
- Improve logging of external authentication failures
- ejabberd_auth: Don't use cache if the option is disabled
- Make connected_users_info and user_sessions_info DB-agnostic

Core
- Support SASL PLAIN by xmpp_stream_out
- Add Resource Binding support to xmpp_stream_out
- Improve robustness of external authentication backends
- Don't use 'unsupported-version' inside SM element
- Generate SASL failures on unencrypted connections only for s2s
- Fix reset_stream in websocket using pre-rfc protocol
- Don't crash in bosh when we receive request with RID < prev_rid
- Get rid of all calls to jlib.erl module
- Support IPv6 connections for PostgreSQL, MySQL and LDAP
- Fix authentication for usernames containing uppercase characters
- Optimize HTTP requests memory usage
- PKIX: Just warn instead of ignore a certificate containing no domain
  names
- PKIX: Don't replace valid certificates with invalid ones

Modules
- Log modules startup
- mod_disco: Advertise disco#info and disco#items features
- mod_irc: is moved away from ejabberd repo to ejabberd-contrib
- mod_mam: Don't replace existing stanza ID
- HTTP upload: Generate HTTP Upload form using xdata codec
- HTTP upload: Improve error formatting
- HTTP upload: Return detailed error if HTTP upload is too large

MUC
- Always display room's xdata in disco#info
- Display muc#roomconfig_changesubject in room's disco#info
- Render roomname, allowinvites and allowpm in room disco#info
- Support for roomconfig_lang/roominfo_lang
- mod_muc_sql: Fix export to SQL

Push
- Omit summary for outgoing messages
- Further improve handling of carbons
- Also include sender/body for carbons
- Include a static body text by default
- keepalive: Increase default timeout to 3 days
- SQL: Check 'max_user_sessions' limit

(fhajny)

security/erlang-jose: Provide workaround to build on erlang>=21.

(fhajny)

doc: Updated graphics/erlang-eimp to 1.0.6

(fhajny)

graphics/erlang-eimp: Update to 1.0.6.

- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated net/erlang-esip to 1.0.24

(fhajny)

net/erlang-esip: Update to 1.0.24.

- Updating fast_tls to version 1.0.23.
- Updating stun to version 1.0.23.
- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated net/erlang-xmpp to 1.2.2

(fhajny)

net/erlang-xmpp: Update to 1.2.2.

Version 1.2.2
- Updating fast_xml to version 1.1.32.
- Fix crash when trying to encode xmlcdata
- Add missing files to hex package

Version 1.2.1
- Updating p1_utils to version 1.0.12.
- Updating fast_xml to version 1.1.31.
- Updating stringprep to version 1.0.12.

Version 1.2.0
- Support XEP-0377: Spam Reporting
- New xmpp_lang module to validate language tags
- Improve muc#roominfo and muc#roomconfig data forms
- XEP-0363: support and tags
- XEP-0363: data form support
- Add more functions to format errors
- Change arity of err_gone(), err_redirect() and serr_see_other_host()
  THIS CHANGE INTRODUCES API INCOMPATIBILITY: use xref to check the code
- Support multiple namespaces for the same data form

(fhajny)

doc: Updated net/erlang-stun to 1.0.23

(fhajny)

net/erlang-stun: Update to 1.0.23.

- Updating fast_tls to version 1.0.23.
- Updating p1_utils to version 1.0.12.
- Use p1_fsm instead of gen_fsm
- Remove unused dependency on port compiler

(fhajny)

doc: Updated textproc/erlang-stringprep to 1.0.12

(fhajny)

textproc/erlang-stringprep: Update to 1.0.12.

- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated databases/erlang-p1_pgsql to 1.1.6

(fhajny)

databases/erlang-p1_pgsql: Update to 1.1.6.

- Add support for ipv6 connections

(fhajny)

doc: Updated databases/erlang-p1_mysql to 1.0.6

(fhajny)

databases/erlang-p1_mysql: Update to 1.0.6.

- Add support for ipv6 connections

(fhajny)

doc: Updated converters/erlang-iconv to 1.0.8

(fhajny)

converters/erlang-iconv: Update to 1.0.8.

- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated textproc/erlang-fast_yaml to 1.0.15

(fhajny)

textproc/erlang-fast_yaml: Update to 1.0.15.

- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated textproc/erlang-fast_xml to 1.1.32

(fhajny)

textproc/erlang-fast_xml: Update to 1.1.32.

Version 1.1.32
- Don't crash when trying to encode xmlcdata

Version 1.1.31
- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated security/erlang-fast_tls to 1.0.23

(fhajny)

security/erlang-fast_tls: Update to 1.0.23.

- Updating p1_utils to version 1.0.12.
- Add ability to get cipher user by connection

(fhajny)

doc: Updated devel/erlang-cache_tab to 1.0.14

(fhajny)

devel/erlang-cache_tab: Update 1.0.14.

- Updating p1_utils to version 1.0.12.

(fhajny)

doc: Updated misc/erlang-p1_utils to 1.0.12

(fhajny)

misc/erlang-p1_utils: Update to 1.0.12.

- Don't fetch generic_debug option from init.

(fhajny)

doc: Updated devel/gradle to 4.9

(fhajny)

devel/gradle: Update to 4.9.

- Projects that publish auxiliary publications through maven-publish
  and ivy-publish can now be depended upon by other projects in the
  same build.
- In addition to lazy tasks use, Kotlin DSL build scripts are
  evaluated faster with version 0.18.4.
- You can now pass arguments to JavaExec tasks directly from the
  command-line using --args.
- Improved dependency insight report.

(fhajny)

doc: Updated www/yaws to 2.0.6

(fhajny)

www/yaws: Update to 2.0.6.

- Add support for Erlang/OTP 21.0
- Fix missing space in yaws_server:handle_out_reply/5
- recognize '?' in conf strings

(fhajny)

doc: Updated security/py-certbot to 0.26.0

(fhajny)

net/py-{acme,certbot}: Update to 0.26.0.

### Added

- A new security enhancement which we're calling AutoHSTS has been
  added to Certbot's Apache plugin. This enhancement configures your
  webserver to send a HTTP Strict Transport Security header with a low
  max-age value that is slowly increased over time. The max-age value is
  not increased to a large value until you've successfully managed to
  renew your certificate. This enhancement can be requested with the
  --auto-hsts flag.
- New official DNS plugins have been created for Gehirn Infrastracture
  Service, Linode, OVH, and Sakura Cloud. These plugins can be found
  on our Docker Hub page at https://hub.docker.com/u/certbot and on
  PyPI.
- The ability to reuse ACME accounts from Let's Encrypt's ACMEv1
  endpoint on Let's Encrypt's ACMEv2 endpoint has been added.
- Certbot and its components now support Python 3.7.
- Certbot's install subcommand now allows you to interactively choose
  which certificate to install from the list of certificates managed
  by Certbot.
- Certbot now accepts the flag `--no-autorenew` which causes any
  obtained certificates to not be automatically renewed when it
  approaches expiration.
- Support for parsing the TLS-ALPN-01 challenge has been added back to
  the acme library.

### Changed

- Certbot's default ACME server has been changed to Let's Encrypt's
  ACMEv2 endpoint. By default, this server will now be used for both
  new certificate lineages and renewals.
- The Nginx plugin is no longer marked labeled as an "Alpha" version.
- The `prepare` method of Certbot's plugins is no longer called before
  running "Updater" enhancements that are run on every invocation of
  `certbot renew`.

(fhajny)

doc: Updated net/py-lexicon to 2.7.0

(fhajny)

net/py-lexicon: Update to 2.7.0.

2.7.0.
- Subreg.cz: Use Zeep instead of PySimpleSOAP library

2.6.0
- Improvements to argument handling

2.5.0
- Add Google Cloud DNS provider

2.4.7
- Add Zeit provider

2.4.6
- Fixes to dnsimple

2.4.5
- Add support for Exoscale

2.4.4
- Add support for online.net

2.4.3
- Test fixes

2.4.2
- Minor fixes to OVH provider

2.4.1
- add support for Gandi LiveDNS API

(fhajny)

doc: Updated lang/nodejs to 10.6.0

(fhajny)

lang/nodejs: Update to 10.6.0.

- dns: An experimental promisified version of the dns module is now
  available. Give it a try with `require('dns').promises`.
- fs: `fs.lchown` has been undeprecated now that libuv supports it.
- lib: `Atomics.wake` is being renamed to `Atomics.notify` in the
  ECMAScript specification. Since Node.js now has experimental support
  for worker threads, we are being proactive and added a `notify` alias,
  while emitting a warning if `wake` is used.
- n-api: Add API for asynchronous functions.
- util: `util.inspect` is now able to return a result instead of
  throwing when the maximum call stack size is exceeded during
  inspection.
- vm: Add `script.createCachedData()`. This API replaces the
  `produceCachedData` option of the `Script` constructor that is now
  deprecated.
- worker: Support for relative paths has been added to the `Worker`
  constructor. Paths are interpreted relative to the current working
  directory.

(fhajny)

doc: Updated sysutils/rsyslog to 8.36.0

(fhajny)

sysutils/rsyslog*: Update to 8.36.0.

- This version disables liblogging-stdlog by default. We now also
  emit a warning message ("liblogging-stdlog will go away") so that
  users know what is going on and my react.
- add openssl driver alongside GnuTLS one for TLS (experimental)
- GnuTLS TLS driver: support intermediate certificates
- omelasticsearch: write op types; bulk rejection retries
- lookup tables: reload message now with "info" severity (was "error")
- imptcp: add support for regex-based framing
- imjournal: add statistics counter
- config: permit 4-digit file creation modes
- ommongodb: add possibility to ignore some insertion error code
- omprog: simplify 'plugin-with-feedback.py' example
- core: misadressing when writing disk queue files
- core: fix message loss on target unavailibility during shutdown
- imrelp bugfix: error message "librelp too old" is always emitted ...
- imrelp: segfault on startup when cert without priv key is configured
- omrelp bugfix: segfault on first message sent when authmode was
  wrong
- imfile bugfix: double-free on module shutdown
- imfile/core bugfix: potential misadressing in string copy routine
- imfile bugfix: if freshStartTail is set some initial file lines
  missing
- core: fix undefined behaviour (unsigned computation may lead to
  value < 0)

(fhajny)

doc: Updated www/passenger to 5.3.3

(fhajny)

www/*passenger: Update to 5.3.3.

- [Apache, Nginx] Fixes the passenger-install-*-module scripts.
- [Nginx] Fixed nginx module building on CentOS 6.

(fhajny)

Updated sysutils/consul

(fhajny)

sysutils/consul: Update to 1.2.0.

FEATURES:

- Connect Feature Beta: This version includes a major new feature for
  Consul named Connect. Connect enables secure service-to-service
  communication with automatic TLS encryption and identity-based
  authorization.
  - Connect must be enabled explicitly in configuration so upgrading a
    cluster will not affect any existing functionality until it's
    enabled.
  - This is a Beta feature, we don't recommend enabling this in
    production yet. Please see the documentation for more information.
- dns: Enable PTR record lookups for services with IPs that have no
  registered node
- ui: Default to serving the new UI. Setting the `CONSUL_UI_LEGACY`
  environment variable to `1` or `true` will revert to serving the old
UI

IMPROVEMENTS:

- agent: A Consul user-agent string is now sent to providers when
  making retry-join requests
- client: Add metrics for failed RPCs
- agent: Add configuration entry to control including TXT records for
  node meta in DNS responses
- client: Make RPC rate limit configuration reloadable

BUG FIXES:

- agent: Fixed an issue where watches were being duplicated on reload.
- agent: Fixed an issue with Agent watches on a HTTPS only agent would
  fail to use TLS.
- agent: Fixed bug that would cause unnecessary and frequent logging
  yamux keepalives
- dns: Re-enable full DNS compression

(fhajny)

doc: Updated lang/erlang to 21.0

(fhajny)

lang/erlang*: Update to 21.0

Potential Incompatibilities
- All Corba applications are now moved from the OTP repository
- A new Corba repository will be created https://github.com/erlang
- New applications ftp and tftp, moved from inets
- ssl no longer supports 3_DES cipher suites or RSA-key exchange
  cipher suites by default
- Erlang:monitor on a primitive node (erl_interface, jinterface, etc)
  will no longer fail with badarg exception. Instead a monitor will be
  created, but it will only supervise the connection to the node.

Erts:
- Enhanced IO scalability
- Support for usage of distribution controller processes for
  alternative transports, routing etc
- compact instructions on 64bit systems for code below 4GB 20% less
  memory for loaded code
- Rewrite of the efile-driver with NIFs and "Dirty schedulers"
  resulting in faster file operations
- non-smp VM removed
- link and monitor optimized for scalability
- os:getenv/putenv now work on thread-safe emulation. No longer in
  sync with libc getenv(3). Manual synchronization will be needed.

Compiler:
- Misc compiler optimizations including contributions from the Elixir
  team resulting in 10% improvements in benchmarks
- "Tuple calls" have been removed from the run-time system.
- Code such as f({ok, Val}) -> {ok, Val} is now automatically
  rewritten to f({ok, Val} = Tuple) -> Tuple. this reduces code size,
  execution time, and removed GC pressure.
- More information in stacktrace from a number of operators
- erlang:get_stacktrace/0 deprecated to be replaced with try ... catch
  C:R:Stacktrace -> ...
- Creation of small maps with literal keys optimized.
- A new predefined macro OTP_RELEASE and preprocessor directives -if
  and -elif

Security:
- DTLS is now supported in the SSL application
- Enhanced support for distribution over TLS
- "unsecure" ciphers removed from defaults in SSL and SSH.
- A new option value defined to facilitate implementing exec servers.
  Old option kept for compatibility, but now gives errors on stderror.

Standard libraries:
- New API for logging, logger
- New uri_string module for parsing URIs according to "The standard"
- New function lists:search(list,fun/1) -> {ok, Value} | false
- Changed default behaviour of .erlang loading. escript, erlc,
  dialyzer and typer no longer load an .erlang at all.

(fhajny)

devel/py-hash: Fix build with versioned boost_python lib.

(fhajny)

lang/npm: Set proper env for build/install, ensure FAKEHOME is used.

(fhajny)

doc: Updated sysutils/syslog-ng to 3.16.1

(fhajny)

sysutils/syslog-ng*: Update to 3.16.1.

Features
- Telegram destination and $(urlencode) template function
- Error reporting on misspelled block args
- New ignore_tns_config Oracle SQL destination config option
- Per-source "src.host" and "src.sender" counters

Bugfixes
- Fix possible loss of log messages in the systemd-journal() source
- Fix file source location information in internal logs
- Fix SDATA deserialization (disk-buffer crash)
- Fix unaccepted embedded 'file' keyword (file source and destination)
- Fix memory leaks in appmodel and varargs
- Fix a bug in the old LogMessage deserialization
- Fix reading the output of the confgen program
- Add safer mem_zero() to secret-storage
- Fix undefined behavior in syslog-ng-ctl query
- Fix lloc tracking for multi line blockrefs
- Added missing 'else {};' to default-network-drivers() to forward
  unparsable messages
- Fix mixed linking
- Fix compilation of evtlog on FreeBSD
- Fix thread_id allocation for more than 32 CPUs (crash)
- Add safe logging of errno
- Fix warnings related to floating point operations
- Partial revert of plugin discovery to bring back valgrind
- Fix connection close in network sources
- Fix file deletion in the wildcard-file() source
- Disable the DNS cache if use-dns(no) is used
- Fix compiler error for gcc 4.4
- Fix emitted warnings due to -no-pie detection for gcc 4.4
- Fix date format in functional tests
- Dbld fixes
- Rename PAGESIZE variables to pagesize in secret-storage (compilation
  fix)
- Fix the lifetime of TLSContext to prevent crash on reload
- Fix reaping program() source and destination when a Java-based
  destination is used

Other changes
- Add debug message to program source/destination about successful
  start
- Report memory exhaustion errors during config parsing
- Improved debug logs
- Dbld coverage
- LogTransportMock enhancement
- Modify the license of loggen from GPL to LGPL
- Loggen refactor
- Update RPM generation
- Support ENABLE_EXTRA_WARNINGS with CMake
- Rewrite unit tests based on Criterion
- Lexer test coverage improvements
- preparation for 3.16 OSE rhel/packaging

(fhajny)

Enable pngquant

(fhajny)

doc: Added graphics/pngquant version 2.12.0

(fhajny)

graphics/pngquant: Import pngquant 2.12.0.

pngquant is a command-line utility for lossy compression of PNG images.

(fhajny)

doc: Updated lang/nodejs to 10.5.0

(fhajny)

lang/nodejs: Update to 10.5.0.

crypto:
- Support for crypto.scrypt() has been added.

fs:
- BigInt support has been added to fs.stat and fs.watchFile.
- APIs that take mode as arguments no longer throw on values larger
  than 0o777.
- Fix crashes in closed event watchers.

Worker Threads:
- Support for multi-threading has been added behind the
  --experimental-worker flag in the worker_threads module. This
  feature is experimental and may receive breaking changes at any time.

(fhajny)

lang/guile: Add search path to default extensions for lt_dlopenext.

Fixes usage with packages like print/lilypond on at least Darwin and SunOS, where dynamically loaded guile extensions cannot be found without resorting to LTDL_LIBRARY_PATH quirks.

(fhajny)

print/lilypond: Fix patch by removing an empty if/fi block.

(fhajny)

doc: Updated devel/zookeeper to 3.4.12

(fhajny)

devel/zookeeper: Update to 3.4.12.

Version 3.4.12

Bug

- CRC check failed when preAllocSize smaller than node data
- Update documentation source for ZOOKEEPER-2574
- Flaky test:
  org.apache.zookeeper.server.quorum.FLEBackwardElectionRoundTest.testBackwardElectionRound
- Data inconsistency issue due to retain database in leader election
- very poor choice of logging if client fails to connect to server
- The comment of the variable matchSyncs in class CommitProcessor has
  a mistake.
- Flaky Test:
  org.apache.zookeeper.test.LoadFromLogTest.testRestoreWithTransactionErrors
- WriteLock recipe: incorrect znode ordering when the sessionId is
  part of the znode name
- Duplicate Keys in log4j.properties config files
- Specify correct overflow value
- Failing c unit tests on apache jenkins
- zkServer.cmd does not start when JAVA_HOME ends with a \
- Flaky Test: testNoLogBeforeLeaderEstablishment
- The dataDir and dataLogDir are used opposingly
- Fix testElectionFraud Flakyness
- fix potential null pointer exception when deleting node
- The eclipse build target fails due to protocol redirection:
  http->https

Improvement

- Add keys for the Zxid from the stat command to check_zookeeper.py
- Upgrade third party libraries to address vulnerabilities
- The function queueEmpty() in FastLeaderElection.Messenger is not
  used, should be removed.
- Add check to validate dataDir and dataLogDir parameters at startup

Wish

- Change log level for "ZKShutdownHandler is not registered" error
  message

Version 3.4.11

Sub-task

- Fix "Unexpected bean exists!" issue in WatcherTests
- Cleanup findbug warnings in branch-3.4: Correctness Warnings
- Cleanup findbug warnings in branch-3.4: Disable Internationalization
  Warnings
- Cleanup findbug warnings in branch-3.4: Malicious code vulnerability
  Warnings
- Cleanup findbug warnings in branch-3.4: Performance Warnings
- Cleanup findbug warnings in branch-3.4: Dodgy code Warnings
- Cleanup findbug warnings in branch-3.4: Experimental Warnings
- Set up Apache Jenkins job that runs the flaky test analyzer script.
- Multithreaded correctness Warnings
- ZOOKEEPER-2355 fix for branch-3.4

Bug

- Windows: fetch_and_add not 64bit-compatible, may not be correct
- Update documentation for snapCount
- Ephemeral node is never deleted if follower fails while reading the
  proposal packet
- Port ZOOKEEPER-1576 to branch3.4
- recreateSocketAddresses may recreate the unreachable IP address
- Flaky Test:
  org.apache.zookeeper.test.ReadOnlyModeTest.testSessionEstablishment
- Clean up findbug warnings in branch-3.4
- Port ZOOKEEPER-2737 to branch-3.4
- Netty connection leaks JMX connection bean upon connection close in
  certain race conditions.
- Typo: transasction --> transaction
- Flaky test:
  org.apache.zookeeper.server.quorum.QuorumCnxManagerTest.testNoAuthLearnerConnectToAuthRequiredServerWithHigherSid
- Ephemeral znode will not be removed when sesstion timeout, if the
  system time of ZooKeeper node changes unexpectedly.
- ZK Client not able to connect with Xid out of order error
- There is a typo in zk.py which prevents from using/compiling it.
- follower disconnects and cannot reconnect
- Server inappropriately throttles connections under load before SASL
  completes
- Flaky test:
  org.apache.zookeeper.test.ClientTest.testNonExistingOpCode
- Fix flaky test:
  org.apache.zookeeper.test.ReadOnlyModeTest.testConnectionEvents
- Unnecessary stack-trace in server when the client disconnect
  unexpectedly
- PurgeTxnLog#validateAndGetFile: return tag has no arguments.
- Improve the ZooKeeper#setACL java doc
- ZooKeeper public include files leak porting changes
- CMake build doesn't support OS X
- Main-Class JAR manifest attribute is incorrect
- Windows Debug builds don't link with `/MTd`
- Local automatic variable is left uninitialized and then freed.
- Don't include `config.h` in `zookeeper.h`
- The OWASP dependency check jar should not be included in the default
  classpath
- quorum.auth.MiniKdcTest.testKerberosLogin failing with NPE on java 9
- Create ant task to generate ivy dependency reports
- compiler warning using java 9

Improvement

- Operations to server will be timed-out while thousands of sessions
  expired same time
- TCP keepalive for leader election connections
- The define of MAX_CONNECTION_ATTEMPTS in QuorumCnxManager.java seems
  useless, should it be removed?
- ZooKeeperSaslClient#respondToServer should log exception message of
  SaslException
- Add script to run a java api compatibility tool
- Improve the efficiency of AtomicFileOutputStream
- Rename README.txt to README.md
- define dependency versions in build.xml to be easily overridden in
  build.properties

New Feature

- Please add instructions for running the tutorial
- Add ant task for running OWASP dependency report

Test

- Flaky Test: org.apache.zookeeper.test.WatcherTest.

(fhajny)

doc: Updated devel/apache-ivy to 2.4.0

(fhajny)

devel/apache-ivy: Update to 2.4.0.

2.4.0
- some new Ant tasks
- improved OSGI support
- a Bintray resolver
- numerous bug fixes as documented in Jira and in the release notes

2.3.0
- improved Ant support with some new Ant tasks and enhancements to
  existing tasks
- improved Maven2 compatibility
- some new resolvers
- numerous bug fixes as documented in Jira and in the release notes

(fhajny)

doc: Updated lang/nodejs to 10.4.1

(fhajny)

lang/nodejs: Update to 10.4.1.

- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced
  in 9.7.0 that increases the memory consumed when reading from the
  network into JavaScript using the net.Socket object directly as a
  stream.
- http2
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating
    the http2 implementation to not crash under certain circumstances
    during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by
    upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by
  updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work

(fhajny)

doc: Updated lang/nodejs8 to 8.11.3

(fhajny)

lang/nodejs8: Update to 8.11.3.

- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where
  calling Buffer.fill() could hang
- http2:
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating
    the http2 implementation to not crash under certain circumstances
    during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by
    upgrading nghttp2 to 1.32.0

(fhajny)

doc: Updated lang/nodejs6 to 6.14.3

(fhajny)

lang/nodejs6: Update to 6.14.3.

- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where
  calling Buffer.fill() could hang

(fhajny)

doc: Updated www/nghttp2 to 1.32.0

(fhajny)

www/nghttp2: Update to 1.32.0.

- lib: Ignore all input after calling session_terminate_session
- lib: Fix treatment of padding
- lib: Don't allow 101 HTTP status code because HTTP/2 removes
  HTTP Upgrade
- build: add ENABLE_STATIC_LIB option to build static lib
- third-party: Upgrade neverbleed to the latest master
- asio: Support client side SNI
- src: Compile with libressl 2.7.2
- src: Allow building without NPN
- h2load: -r and --duration are mutually exclusive

(fhajny)

doc: Updated sysutils/beats to 6.3.0

(fhajny)

doc: Updated www/passenger to 5.3.2

(fhajny)

www/passenger: Update to 5.3.2.

- [Nginx] Fixes CVE-2018-12029, a local privilege escalation
  vulnerability in the Nginx module that occurs when
  `passenger_instance_registry_dir` is configured to a directory
  with insufficiently strict permissions.
- Fixes CVE-2018-12026, 12027, and 12028. These are local denial of
  service, local information disclosure and local privilege escalation
  vulnerabilities that could be exploited by malicious applications or
  malicious users on the system.
- Fixes Meteor support in non-bundled mode (regression from 5.3.0).
- Fixes the fact that the error page (which is shown when an app fails
  to spawn) sometimes contains unsufficient analysis details about the
  app.
- [Apache] Fixes PassengerMaxInstancesPerApp not being respected
  (regression from config refactor in 5.2.0).
- [Enterprise, Apache] Fixes PassengerMaxInstances not being respected
  (regression from config refactor in 5.2.0).
- [Enterprise] Fixes passenger-irb being unable to connect to an app
  process (regression from 5.3.0).

(fhajny)

doc: Updated security/py-certbot to 0.25.0

(fhajny)

security/py-{acme,certbot}: Update to 0.25.0.

### Added

- Support for the ready status type was added to acme. Without this change,
  Certbot and acme users will begin encountering errors when using Let's
  Encrypt's ACMEv2 API starting on June 19th for the staging environment and
  July 5th for production. See
  https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more
  information.
- Certbot now accepts the flag --reuse-key which will cause the same key to be
  used in the certificate when the lineage is renewed rather than generating a
  new key.
- You can now add multiple email addresses to your ACME account with Certbot by
  providing a comma separated list of emails to the --email flag.
- Support for Let's Encrypt's upcoming TLS-ALPN-01 challenge was added to acme.
  For more information, see
  https://community.letsencrypt.org/t/tls-alpn-validation-method/63814/1.
- acme now supports specifying the source address to bind to when sending
  outgoing connections. You still cannot specify this address using Certbot.
- If you run Certbot against Let's Encrypt's ACMEv2 staging server but don't
  already have an account registered at that server URL, Certbot will
  automatically reuse your staging account from Let's Encrypt's ACMEv1 endpoint
  if it exists.
- Interfaces were added to Certbot allowing plugins to be called at additional
  points. The `GenericUpdater` interface allows plugins to perform actions
  every time `certbot renew` is run, regardless of whether any certificates are
  due for renewal, and the `RenewDeployer` interface allows plugins to perform
  actions when a certificate is renewed. See `certbot.interfaces` for more
  information.

### Changed

- When running Certbot with --dry-run and you don't already have a staging
  account, the created account does not contain an email address even if one
  was provided to avoid expiration emails from Let's Encrypt's staging server.
- certbot-nginx does a better job of automatically detecting the location of
  Nginx's configuration files when run on BSD based systems.
- acme now requires and uses pytest when running tests with setuptools with
  `python setup.py test`.
- `certbot config_changes` no longer waits for user input before exiting.

### Fixed

- Misleading log output that caused users to think that Certbot's standalone
  plugin failed to bind to a port when performing a challenge has been
  corrected.
- An issue where certbot-nginx would fail to enable HSTS if the server block
  already had an `add_header` directive has been resolved.
- certbot-nginx now does a better job detecting the server block to base the
  configuration for TLS-SNI challenges on.

(fhajny)

doc: Updated lang/nodejs to 10.4.0

(fhajny)

lang/nodejs: Update to 10.4.0.

- deps: update V8 to 6.7.288.43
- stream: ensure Stream.pipeline re-throws errors without callback

(fhajny)

doc: Updated net/py-lexicon to 2.4.0

(fhajny)

net/py-lexicon: Upddate to 2.4.0.

- Handle namespace variations of DnsEntry in transip provider
- Allow to toggle live tests using LEXICON_LIVE_TESTS env variable.
  Tests are offline by default.
- GoDaddy provider improvements

(fhajny)

graphics/tesseract: Revert update to data version 4.00. Using version 4 data with version 3 program is not supported. Fixes https://github.com/joyent/pkgsrc/issues/113.

(fhajny)

devel/intellij-idea-ce: Fix snappy-java10 dependency after changes to said.

(fhajny)

databases/apache-cassandra2: Modify to work with the latest devel/snappy-java10. PKGREVISION++

(fhajny)

doc: Updated devel/snappy-java10 to 1.0.5.4

(fhajny)

devel/snappy-java10: Update to the latest 1.0.5.4 (no code changes). Change PKGBASE to just snappy-java. Remove precompiled binaries. Fix fetching, simplifiy installation.

(fhajny)

doc: Updated databases/apache-cassandra to 3.11.2

(fhajny)