net/drill: undo mistaken commit to branch.

(he)

net/drill: use ../ldns/version.mk, and thereby bump to 1.8.3.

(he)

math/openfst: add use of mk/atomic64.mk for the benefit of those who need it.

(he)

Pullup ticket #6800 - requested by taca
mail/roundcube: security fix

Revisions pulled up:
- mail/roundcube-plugin-enigma/Makefile                        1.16
- mail/roundcube-plugin-enigma/PLIST                            1.6
- mail/roundcube-plugin-password/Makefile                      1.22
- mail/roundcube-plugin-password/PLIST                          1.7
- mail/roundcube-plugin-password/distinfo                      1.32-1.33
- mail/roundcube-plugin-zipdownload/Makefile                    1.13
- mail/roundcube-plugin-zipdownload/PLIST                      1.6
- mail/roundcube/Makefile                                      1.98-1.99
- mail/roundcube/Makefile.common                                1.30-1.31
- mail/roundcube/PLIST                                          1.53-1.55
- mail/roundcube/distinfo                                      1.84-1.85

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jul  7 12:57:21 UTC 2023

  Modified Files:
  pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
  pkgsrc/mail/roundcube-plugin-enigma: PLIST
  pkgsrc/mail/roundcube-plugin-password: PLIST distinfo
  pkgsrc/mail/roundcube-plugin-zipdownload: PLIST

  Log Message:
  mail/roundcube: update to 1.6.2

  1.6.2 (2023-07-02)

  * Add Uyghur localization
  * Fix regression in OAuth request URI caused by use of REQUEST_URI instead
    of SCRIPT_NAME as a default (#8878)
  * Fix bug where false attachment reminder was displayed on HTML mail with
    inline images (#8885)
  * Fix bug where a non-ASCII character in app.js could cause error in
    javascript engine (#8894)
  * Fix JWT decoding with url safe base64 schema (#8890)
  * Fix bug where .wav instead of .mp3 file was used for the new mail
    notification in Firefox (#8895)
  * Fix PHP8 warning (#8891)
  * Fix support for Windows-31J charset (#8869)
  * Fix so LDAP VLV option is disabled by default as documented (#8833)
  * Fix so an email address with name is supported as input to the managesieve
    notify :from parameter (#8918)
  * Fix Help plugin menu (#8898)
  * Fix invalid onclick handler on the logo image when using non-array
    skin_logo setting (#8933)
  * Fix duplicate recipients in "To" and "Cc" on reply (#8912)
  * Fix bug where it wasn't possible to scroll lists by clicking middle mouse
    button (#8942)
  * Fix bug where label text in a single-input dialog could be partially
    invisible in some locales (#8905)
  * Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
    in config (#8874)
  * Fix extra leading newlines in plain text converted from HTML (#8973)
  * Fix so recipients with a domain ending with .s are allowed (#8854)
  * Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and
    TYPE=INTERNET (#8838)
  * Fix QR code images for contacts with non-ASCII characters (#9001)
  * Fix PHP8 warnings when using list_flags and list_cols properties by
    plugins (#8998)
  * Fix bug where subfolders could loose subscription on parent folder rename
    (#8892)
  * Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
  * Fix insecure shell command params handling in cmd_learn driver of
    markasjunk plugin (#9005)
  * Fix bug where some mail headers didn't work in cmd_learn driver of
    markasjunk plugin (#9005)
  * Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
  * Fix so output of log_date_format with microseconds contains time in server
    time zone, not UTC

---
  Module Name: pkgsrc
  Committed By: abs
  Date: Thu Jul 27 08:18:00 UTC 2023

  Modified Files:
  pkgsrc/mail/roundcube: Makefile PLIST

  Log Message:
  Also install the "vendor/" contents to resolve guzzlehttp requirement

  Bump PKGREVISION

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Mon Sep 18 03:39:03 UTC 2023

  Modified Files:
  pkgsrc/mail/roundcube: Makefile Makefile.common PLIST distinfo
  pkgsrc/mail/roundcube-plugin-enigma: Makefile
  pkgsrc/mail/roundcube-plugin-password: Makefile distinfo
  pkgsrc/mail/roundcube-plugin-zipdownload: Makefile

  Log Message:
  mail/roundcube: update to 1.6.3

  From release announce:

  We just published a security update to the version 1.6 of Roundcube Webmail.
  It provides a fix to a recently reported XSS vulnerability:

  Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
  plain text messages, reported by Niraj Shivtarkar.  See the full changelog
  in the release notes in the release notes on the Github download page.

  We strongly recommend to update all productive installations of Roundcube
  1.6.x with this new version.

  1.6.3 (2023-09-15)

  * Fix bug where installto.sh/update.sh scripts were removing some essential
    options from the config file (#9051)

  * Update jQuery-UI to version 1.13.2 (#9041)

  * Fix regression that broke use_secure_urls feature (#9052)

  * Fix potential PHP fatal error when opening a message with message/rfc822
    part (#8953)

  * Fix bug where a duplicate `<title>` tag in HTML email could cause some
    parts being cut off (#9029)

  * Fix bug where a list of folders could have been sorted incorrectly (#9057)

  * Fix regression where LDAP addressbook 'filter' option was ignored (#9061)

  * Fix wrong order of a multi-folder search result when sorting by size
    (#9065)

  * Fix so install/update scripts do not require PEAR (#9037)

  * Fix regression where some mail parts could have been decoded incorrectly,
    or not at all (#9096)

  * Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
    non-binary FETCH (#9097)

  * Fix PHP8 deprecation warning in the reconnect plugin (#9083)

  * Fix "Show source" on mobile with x_frame_options = deny (#9084)

  * Fix various PHP warnings (#9098)

  * Fix deprecated use of ldap_connect() in password's ldap_simple driver
    (#9060)

  * Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
    plain text messages

(bsiegert)

Pullup ticket #6797 - requested by nia
multimedia/libva: NetBSD 8 build fix

Revisions pulled up:
- multimedia/libva/available.mk                                1.12

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sat Aug  5 08:09:54 UTC 2023

  Modified Files:
  pkgsrc/multimedia/libva: available.mk

  Log Message:
  libva: Limited availability on NetBSD 8 these days

(bsiegert)

Pullup ticket #6799 - requested by bouyer
sysutils/xenkernel415: security fix

Revisions pulled up:
- sysutils/xenkernel415/Makefile                                1.11
- sysutils/xenkernel415/distinfo                                1.10
- sysutils/xenkernel415/patches/patch-XSA438                    1.1

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Thu Sep 21 10:39:45 UTC 2023

  Modified Files:
  pkgsrc/sysutils/xenkernel415: Makefile distinfo
  Added Files:
  pkgsrc/sysutils/xenkernel415/patches: patch-XSA438

  Log Message:
  Apply upstream patch for security issue XSA438
  Bump PKGREVISION

(bsiegert)

Pullup ticket #6795 - requested by bouyer
sysutils/xenkernel415: security fix
sysutils/xenstoretools: security fix
sysutils/xentools415: security fix

Revisions pulled up:
- sysutils/xenkernel415/Makefile                                1.10
- sysutils/xenkernel415/distinfo                                1.9
- sysutils/xenstoretools/Makefile                              1.28
- sysutils/xentools415/Makefile                                1.26
- sysutils/xentools415/distinfo                                1.13
- sysutils/xentools415/patches/patch-.._seabios-rel-1.14.0_src_string.c deleted
- sysutils/xentools415/patches/patch-.._seabios-rel-1.16.0_src_string.c 1.1
- sysutils/xentools415/patches/patch-tools_firmware_Makefile    1.2
- sysutils/xentools415/version.mk                              1.4

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Thu Aug 24 10:27:09 UTC 2023

  Modified Files:
  pkgsrc/sysutils/xenkernel415: Makefile distinfo
  pkgsrc/sysutils/xenstoretools: Makefile
  pkgsrc/sysutils/xentools415: Makefile distinfo version.mk
  pkgsrc/sysutils/xentools415/patches: patch-tools_firmware_Makefile
  Added Files:
  pkgsrc/sysutils/xentools415/patches:
      patch-.._seabios-rel-1.16.0_src_string.c
  Removed Files:
  pkgsrc/sysutils/xentools415/patches:
      patch-.._seabios-rel-1.14.0_src_string.c

  Log Message:
  Update xenkernel415, xentools415 and xenstoretools to Xen 4.15.5
  Chnages since 4.15.4:
  - includes patches for Xen Security Advisory up to XSA-436 (inclued)
  - update seabios to 1.16.0
  - better support on some hardware

  Complete changes here:
  https://xenproject.org/downloads/xen-project-archives/xen-project-4-15-series/xen-project-4-15-5/

(bsiegert)

Revert mistaken commit to the branch.

(he)

Note update of net/unbound to 1.18.0.

(he)

Pullup ticket #6794 - requested by bouyer
textproc/cjose: build fix for OpenSSL 3

Revisions pulled up:
- textproc/cjose/Makefile                                      1.4-1.5
- textproc/cjose/distinfo                                      1.4-1.5
- textproc/cjose/patches/patch-src_concatkdf.c                  1.1-1.2

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Tue Aug 22 10:45:03 UTC 2023

  Added Files:
  pkgsrc/textproc/cjose/patches: patch-src_concatkdf.c

  Log Message:
  Switch from unmaintained github repo cisco/cjose/ to OpenIDC/cjose/ and
  update to 0.6.2.2, fixing build on netbsd-10 (and probably HEAD) after
  openssl upgrade.
  Changes are mostly build and bug fixes; support for newer openssl version
  and ciphers.

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Tue Aug 22 10:50:00 UTC 2023

  Modified Files:
  pkgsrc/textproc/cjose: Makefile distinfo

  Log Message:
  Switch from unmaintained github repo cisco/cjose/ to OpenIDC/cjose/ and
  update to 0.6.2.2, fixing build on netbsd-10 (and probably HEAD) after
  openssl upgrade.
  Changes are mostly build and bug fixes; support for newer openssl version
  and ciphers.

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Tue Aug 22 11:50:03 UTC 2023

  Modified Files:
  pkgsrc/textproc/cjose: Makefile distinfo
  pkgsrc/textproc/cjose/patches: patch-src_concatkdf.c

  Log Message:
  cjose: clean up

(bsiegert)

Note pullup ticket #6793

(bsiegert)

Pullup ticket #6793 - requested by nia
graphics/tiff: build fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.159
- graphics/tiff/distinfo                                        1.106
- graphics/tiff/patches/patch-configure                        1.6

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Thu Aug 17 10:20:39 UTC 2023

  Modified Files:
  pkgsrc/graphics/tiff: Makefile distinfo
  Added Files:
  pkgsrc/graphics/tiff/patches: patch-configure

  Log Message:
  tiff: Use only libs_private to express a dependency on liblzma

  requires_private assumes the presence of a .pc file, which is not
  the case on NetBSD 9.x. This allows builds external from pkgsrc
  dependending on libtiff to not fire errors when they fail to find
  a corresponding .pc file for liblzma, but still acknowledge the
  liblzma dependency.

  PR pkg/57539

(bsiegert)

Note pullup ticket #6791

(bsiegert)

Pullup ticket #6791 - requested by manu
security/opensc: fix regression

Revisions pulled up:
- security/opensc/Makefile                                      1.41
- security/opensc/PLIST                                        1.15
- security/opensc/options.mk                                    1.7

---
  Module Name:    pkgsrc
  Committed By:  manu
  Date:          Mon Aug 14 16:08:32 UTC 2023

  Modified Files:
          pkgsrc/security/opensc: Makefile PLIST options.mk

  Log Message:
  Fix for security/opensc regression

  When security/opensc was updated to 0.23.0, it gained a
  --enable-notify configure flag.

  The feature adds a libopensc dependency on libglib, which in turns
  brings libpthread into the game.

  When using the opensc-pkcs11.so module with a non threaded program
  such as ssh(1), libopensc will load some thread-enabled glib function
  that attemps to initialize pthread stuff. That would require libpthread
  to be linked in, and if it is not the case, module load aborts.
  Here is the crash in action:

  Program received signal SIGABRT, Aborted.
  0x000072403899c46a in _lwp_kill () from /lib/libc.so.12
  (gdb) bt
  #0  0x000072403899c46a in _lwp_kill () from /lib/libc.so.12
  #1  0x0000724038849223 in __libc_thr_create_stub () from /lib/libc.so.12
  #2  0x0000724036a9c3ee in ?? ()
  #3  0x0000000000000000 in ?? ()

  This change turns the notify feature into a disabled by default
  option so that opensc-pkcs11.so can work agan with ssh(1).

(bsiegert)

Note pullup tickets up to #6790

(bsiegert)

Pullup ticket #6790 - requested by gdt
net/mosquitto: security fix

Revisions pulled up:
- net/mosquitto/Makefile                                        1.31
- net/mosquitto/distinfo                                        1.27

---
  Module Name: pkgsrc
  Committed By: gdt
  Date: Wed Aug 16 14:46:32 UTC 2023

  Modified Files:
  pkgsrc/net/mosquitto: Makefile distinfo

  Log Message:
  net/mosquitto: Update to 2.0.16

  upstream changes: micro release with bug and security fixes.

(bsiegert)

Pullup ticket #6789 - requested by gdt
chat/ejabberd: functionality fix

Revisions pulled up:
- chat/ejabberd/Makefile                                        1.99
- chat/ejabberd/distinfo                                        1.69
- chat/ejabberd/patches/patch-aa                                1.18

---
  Module Name: pkgsrc
  Committed By: manu
  Date: Fri Aug 11 13:50:30 UTC 2023

  Modified Files:
  pkgsrc/chat/ejabberd: Makefile distinfo
  pkgsrc/chat/ejabberd/patches: patch-aa

  Log Message:
  Fix the paths in ejabberdctl

  - Remove ${DESTDIR}
  - Use config from /usr/pkg/etc/ejabberd and not /usr/pkg/share/examples/ejabberd

(bsiegert)

Pullup ticket #6784 - requested by ryoon
www/php-nextcloud: update to latest,
required for migrating to version 27 in the next branch

Revisions pulled up:
- www/php-nextcloud/Makefile                                    1.68
- www/php-nextcloud/PLIST                                      1.54
- www/php-nextcloud/distinfo                                    1.57

---
  Module Name: pkgsrc
  Committed By: ryoon
  Date: Tue Aug  1 12:15:14 UTC 2023

  Modified Files:
  pkgsrc/www/php-nextcloud: Makefile PLIST distinfo

  Log Message:
  php-nextcloud: Update to 26.0.4

  Changelog:
  26.0.4:
  Changes:

      Move encrypt-all password email to EmailTemplate (server#37737)
      Store encrypted OAuth2 client secrets (server#38708)
      Generate user themed favicon and touchicon (server#38853)
      Fix confusion around mail settings and improve layout a bit (server#388=
  87)
      Fix(core): Do not invert app menu text color (server#38908)
      PruneOutdatedSyncTokens deletes all entries (server#38920)
      Adjust admin setup check to increase warning to configure https
  (server#38932)
      Add bruteforce protection in OauthApiController (server#38949)
      Fix(systemtags): Add missing systemtags index (server#38961)
      Perf: skip request without write permission (server#38972)
      Fix: expect interface, not a specific implementation (server#38977)
      Fix: Avoid failing to update the current version entry if there is none
  (server#39003)
      Use getsystemvalue-functions in Mailer.php (server#39006)
      Fix setup-check test (server#39014)
      Fix(l10n): Fix plural issue with different locale and language
  (server#39031)
      Fix creating events with old (< unix time) lastoccurence (server#39060)
      Fix(cypress): branch definition (server#39072)
      Fix(files): Only render the menu if there are actions to show
  (server#39080)
      Silent `imagecreatefromstring()` errors (server#39100)
      Ignore and log non integer versions (server#39117)
      Fix password confirmation (server#39143)
      Fix(sse): don=E2=80=99t update uncached files (server#39152)
      Update psalm-baseline.xml (server#39155)
      Fix(ocp): Fix reference of dashboard IAPIWidget::getItems from WidgetIt=
  em
  (server#39159)
      Fix(TagSearchProvider): Short circuit if no tag matches the query
  (server#39194)
      Fix(cypress): revert only toggle (server#39206)
      Use more efficient tag retrieval on DAV report request (server#39232)
      Fix(dav): Abort requests with 429 instead of waiting (server#39252)
      Fix(files_sharing): hide download permission for circle shares
  (server#39260)
      Display displayname on federated shares (server#39270)
      Add command do delete orphan shares (server#39285)
      Preload custom properties when propfinding folders (server#39293)
      Cibit): fix failing test setup (server#39335)
      Chore(CI): Sign .drone.yml file (server#39345)
      GetStorage before remove (server#39355)
      Fix: also run phpunit on `apps/theming/css` modified files (server#3937=
  5)
      Fix(db): no hardcoded table prefix is expected (server#39393)
      Feat: Add public event for missing indices (server#39397)
      Update psalm-baseline.xml (server#39406)
      Fix(core): Add password confirmation requirement for getapppassword
  (server#39418)
      Fix(apps): Fix loading info.xml file (server#39492)
      Modernize cypress tests (activity#1189)
      Fix npm audit (activity#1243)
      Update nextcloud/ocp dependency (activity#1249)
      Update 3rdparty dependencies (bruteforcesettings#467)
      Revert =E2=80=9CUpdate 3rdparty dependencies=E2=80=9D (bruteforcesettin=
  gs#478)
      Bump unzipper from 0.10.11 to 0.10.14 (files_pdfviewer#751)
      Fix npm audit (files_pdfviewer#766)
      Fix npm audit (again) (files_pdfviewer#773)
      Update phpunit workflows from master (files_pdfviewer#778)
      Replace =E2=80=9CUnselect=E2=80=9D with =E2=80=9CUnselect all=E2=80=9D =
  in right click menu
  (files_rightclick#171)
      Update nextcloud/ocp dependency (firstrunwizard#901)
      Fix npm audit (firstrunwizard#904)
      Fix npm audit (firstrunwizard#916)
      Update nextcloud/ocp dependency (logreader#914)
      Choreaudit dependencies (logreader#925)
      Update nextcloud/ocp dependency (nextcloud_announcements#210)
      Update nextcloud/ocp dependency (nextcloud_announcements#214)
      Update nextcloud/ocp dependency (notifications#1579)
      Fix(settings): Delete settings when a user is deleted (notifications#15=
  85)
      Choreaudit dependencies (notifications#1604)
      Update nextcloud/ocp dependency (notifications#1609)
      Reset selection state in route change (photos#1890)
      Update nextcloud/ocp dependency (photos#1894)
      Fix npm audit (photos#1902)
      Fix npm audit (photos#1913)
      Add unselect all (photos#1922)
      Adapt to SystemTags optimizations on server (photos#1927)
      Update nextcloud/ocp dependency (photos#1934)
      Fix npm audit (privacy#919)
      Fix npm audit (privacy#924)
      Fix npm audit (privacy#930)
      Update nextcloud/ocp dependency (related_resources#195)
      Update nextcloud/ocp dependency (serverinfo#467)
      Update nextcloud/ocp dependency (survey_client#179)
      Fix(deps): update highlight (text#4143)
      Fix(css): info callout box color to =E2=80=93color-info (text#4303)
      Update nextcloud/ocp dependency (text#4307)
      Fix/2708 pasting tables (text#4314)
      Bring back keyboard shortcuts to help modal on non-mobile (text#4319)
      Fix: Pass origin along the initial state update (text#4322)
      Fix: clickable zone of task list checkbox (text#4325)
      Chore(deps): update dependency prosemirror-test-builder to ^1.1.1
  (text#4342)
      Chore(deps): update dependency vue-demi to ^0.14.5 (text#4358)
      Fix(deps): update dependency @nextcloud/files to ^3.0.0-beta.10
  (text#4359)
      Fix(deps): update dependency @nextcloud/router to ^2.1.2 (text#4360)
      Fix(deps): update dependency lib0 to ^0.2.78 (text#4361)
      Chore(deps): update dependency cypress to ^12.15.0 (text#4365)
      Chore(deps): update dependency vite-plugin-commonjs to ^0.8.0 (text#436=
  6)
      Fix(deps): update dependency yjs to ^13.6.5 (text#4368)
      Fix(deps): update dependency @nextcloud/auth to ^2.1.0 (text#4369)
      Fix(deps): update dependency @nextcloud/dialogs to ^4.1.0 (text#4370)
      Fix(deps): update dependency @nextcloud/event-bus to ^3.1.0 (text#4371)
      Fix(deps): update dependency @nextcloud/vue to ^7.12.0 (text#4372)
      Fix(deps): update dependency @nextcloud/l10n to ^2.2.0 (text#4385)
      Fix(deps): update dependency yjs to ^13.6.6 (text#4388)
      Flaky CI fixes (text#4392)
      Chore(deps): update dependency @nextcloud/eslint-config to ^8.3.0-beta.2
  (text#4404)
      Chore(deps): update dependency cypress to ^12.16.0 (text#4405)
      Fix: remove redundant css (text#4408)
      Chore(ci): Run cypress against proper stable branch (text#4410)
      Ci(cypress): Revert show_hidden method for cypress interception
  (text#4413)
      Fix(frontend): Update last saved timestamp when document is saved
  (text#4416)
      Fix: hotkey ctrl-s (text#4418)
      Fix npm audit (text#4430)
      Fix(deps): update dependency @nextcloud/axios to ^2.4.0 (text#4433)
      Fix(deps): update dependency @nextcloud/files to ^3.0.0-beta.11
  (text#4450)
      Fix(deps): update dependency mitt to ^3.0.1 (text#4451)
      Chore(deps): update dependency cypress to ^12.17.0 (text#4455)
      Chore(deps): update dependency vite to ^4.4.2 (text#4456)
      Chore(deps): update jest to ^29.6.1 (text#4457)
      Update nextcloud/ocp dependency (text#4463)
      Fix npm audit (text#4465)
      Fix(frontend): Improve paste handler for table cells (text#4471)
      Fix: Delete inactive sessions in one query (text#4473)
      Chore(deps): update dependency cypress to ^12.17.1 (text#4478)
      Fix: Fetch attachment share permissions (text#4485)
      Fix sync errors after network issues (text#4487)
      Fix: Encode individual parts of the dav url as uri components (text#449=
  7)
      Fix: max width of editor container on mobile (text#4500)
      Fix: link preview width on mobile (text#4502)
      Fix(sync): only save on close if changes were made (text#4509)
      Fix: remove duplicated save key action (text#4515)
      Tests(cypress): Refactor reconnect test to be more reliable and add sec=
  ond
  test for actual reconnect (text#4518)
      Fix: Add index to session_id on text_steps table (text#4524)
      Fix: Use simple query and chunk in PHP to delete inactive sessions
  (text#4552)
      Fix(postgres): Use a unique index name (text#4554)
      Chore(deps-dev): Bump @types/dockerode from 3.3.18 to 3.3.19 (viewer#17=
  24)
      Fix: update npm scripts for visual regression snapshots update
  (viewer#1735)
      Fix npm audit (viewer#1753)
      Use the Node object as event payload (viewer#1755)
      Chore: update cypress.yml workflow from template (viewer#1765)
      Fix npm audit (viewer#1776)
      Chore(deps): Bump @nextcloud/files from 3.0.0-beta.10 to 3.0.0-beta.11
  (viewer#1789)
      Send CSRF token in rawStat (viewer#1799)
      Fix/video fullscreen iphone (viewer#1803)
      Fix/fullscreen ios stable26 (viewer#1822)

  26.0.3:

  Changes:

      Invalidate existing tokens when deleting an oauth client (server#37230)
      Adjust the value of the =E2=80=9Cmax-parts=E2=80=9D parameter of the ob=
  ject storage
  =E2=80=98ListPart=E2=80=99 interface to 1000 (server#37776)
      Allow storing multiple mounts for the same rootid in the mount cache
  (server#38023)
      Fix npm audit (server#38118)
      Use aria-expanded correctly on toggle user actions (server#38358)
      Show pending popover menu when password is enabled by default
  (server#38396)
      Fix loading custom logo image (server#38399)
      Fix: Catch Deadlock properly as execute throws Doctrine exceptions not =
  our
  wrapped ones (server#38479)
      Ungroup `placeholder` css rules (server#38487)
      Add fallback when a there is no preview for a version (server#38509)
      Fix: catch errors in id3parser library (server#38517)
      Fix initialisation of versions in the DB (server#38521)
      Update ca-cert bundle (server#38530)
      Redis: use atomic operations everywhere (server#38539)
      Reload filelist when adding or removing shares (server#38557)
      Fix app menu flicker (server#38564)
      Fix(trashbin): Truncate long filenames (server#38573)
      Fix(caldav): Ignore invalid events for reminder generation (server#3857=
  4)
      Increase from 100000 to 600000 iterations for hash_pbkdf2 (server#38583)
      Update psalm-baseline.xml (server#38598)
      Fix: Use proper link for navigating to files on click handler
  (server#38654)
      Fix(caldav): Close DB cursor in reminder index background job
  (server#38660)
      Improve oauth2 database migration from ownCloud (server#38672)
      Fix(caldav): Cast calendar objects id to int when building index
  (server#38677)
      Sharing: Do not show copy action when user doesn=E2=80=99t have permiss=
  ions
  (server#38684)
      Fix(actions): cypress (server#38698)
      Chore: update workflows from templates (server#38704)
      Create lint-eslint-when-unrelated.yml (server#38720)
      Fix npm audit (server#38741)
      Allow to specify upgrade.cli-upgrade-link in order to link to the corre=
  ct
  documentation (server#38752)
      Log failures to read certificates during listing (server#38757)
      Fix npm audit (server#38807)
      Make sure to show download button only one time (server#38818)
      Use source cache when listing folder during recursive copy (server#3889=
  2)
      Groupfolder activities on move/rename (activity#1204)
      Update nextcloud/ocp dependency (firstrunwizard#878)
      Chore(deps): Bump @nextcloud/vue from 7.7.1 to 7.7.2 (firstrunwizard#88=
  5)
      Fix npm audit (firstrunwizard#891)
      Chore(CI): Adjust testing matrix for Nextcloud 26 on stable26
  (logreader#844)
      Audit and update dependencies (logreader#860)
      Update nextcloud/ocp dependency (nextcloud_announcements#201)
      Update nextcloud/ocp dependency (notifications#1562)
      Chore: update workflows from templates (notifications#1586)
      Audit fix (password_policy#470)
      Update nextcloud/ocp dependency (photos#1747)
      Listen to more events for albums (photos#1846)
      Chore: update workflows from templates (photos#1848)
      Fix: properly handle public link share deletion (photos#1850)
      Fix: use owner instead of owner_id to delete photos by owner (photos#18=
  52)
      Update view when layout setting changes (photos#1858)
      Prevent progress bar overflow when uploading in album content
  (photos#1863)
      Make file list semantically correct (photos#1869)
      Fix npm audit (photos#1879)
      Fix npm audit (privacy#905)
      Chore(CI): Adjust testing matrix for Nextcloud 26 on stable26
  (recommendations#592)
      Chore(CI): Adjust testing matrix for Nextcloud 26 on stable26
  (suspicious_login#777)
      Chore: run npm audit fix (suspicious_login#805)
      Feat: update image view width and add title (text#4165)
      Chore(deps): update dependency vite to ^4.3.9 (text#4197)
      Fix(deps): update dependency @nextcloud/vue to ^7.11.6 (text#4198)
      Update nextcloud/ocp dependency (text#4215)
      Ci: Backport relevant action changes from main (text#4240)
      Fix(UserApiController): Fix warning during test run with PHP 8.2
  (text#4245)
      Don=E2=80=99t expect HTML element with ID `mimetype` in public share (t=
  ext#4257)
      Fix: paste multiple line to table issue (text#4265)
      Fix/4267 js tests (text#4271)
      Fix: handle non markdown files in conflicts (text#4273)
      Fix npm audit (text#4279)
      Fix: Catch unique constraint violation when creating new documents
  (text#4294)
      Chore: Bump composer autoloader for new composer version (text#4295)
      Fix 404 on blank.mp4 (viewer#1677)
      Chore(deps-dev): Bump @types/dockerode from 3.3.17 to 3.3.18 (viewer#16=
  87)
      Chore(deps-dev): Bump tslib from 2.5.0 to 2.5.3 (viewer#1702)
      Fix size of progress container (viewer#1714)
      Chore: update workflows from templates (viewer#1721)
      Fix npm audit (viewer#1732)

  26.0.2:

  Changes:

      Also unmark deleted ldap user when checking the ldap entry (server#3730=
  4)
      Fix DBAL exception handling in setValues (server#37549)
      Fix(dav): Use an icon with correct color for calendar user settings
  section (server#37601)
      Fix button text (server#37708)
      Handle not being able to write file for notify self-test (server#37740)
      Fix: Make sure that rollback hook is triggered on all version backends
  (server#37743)
      Really disable versions features when S3 versioning is enabled
  (server#37768)
      Handle reminders where calendar name is null (server#37785)
      Ungroup `placeholder` css rules to prevent browsers from removing all
  rules (server#37793)
      Fix event move issue (server#37812)
      Fix background color of external devices with errors on dark color theme
  (server#37833)
      Fix(files): Don=E2=80=99t throw an error when guests access the control=
  ler
  (server#37836)
      Sec(deps): Update guzzlehttp/psr7 (server#37845)
      Fix TypeError in Profiler (server#37849)
      Add the server roots and version info hash to apcu prefix (server#37872)
      Check free space only if source exists and is dir (server#37873)
      Ignore errors while trying to update parent storage_mtime (server#37875)
      Do not override stored credentials when login in with SAML (server#3790=
  0)
      Make grid toggle sticky (server#37907)
      Bump @nextcloud/vue from 7.8.0 to 7.10.0 (server#37910)
      Trap focus in dialogs (server#37911)
      Update crl after revoke shifts.csr (server#37922)
      Backport: Fix profile view edit button overlapping status text
  (server#37939)
      Fix(settings): Fix title of profile scope options (server#37941)
      Do not show Tags action when systemtag is disabled (server#37957)
      Fix npm audit (server#37973)
      Add command for getting fileinfo for debugging (server#38005)
      Fix: change maintenance mode info wording (server#38009)
      Fix multiple LDAP configuration support by fixing AccessFactory
  (server#38027)
      Update expire_date column of table comments (server#38037)
      Mutualize expireDate handling when creating and updating a share
  (server#38040)
      Fix: catch ManuallyLockedException and use app context (server#38043)
      Fix app overflow menu on bright color theme (server#38049)
      Fix: add workaround for oci and limit queries (server#38054)
      Fix(ocp): Add deprecation version to ILogFactory::getCustomLogger
  (server#38070)
      Fix =E2=80=9Cskip content=E2=80=9D-buttons on small screen sizes (serve=
  r#38076)
      Increase =E2=80=9CEdit your profile visibility button=E2=80=9D contrast=
    (server#38078)
      Fix weather app aria label (server#38079)
      Increase imaginary timeouts as for big files the processing could take
  very long (server#38081)
      Check return value and improve error handling on certificate manager
  (server#38091)
      Fix(theming): unwanted variables and colours calc fixes (server#38098)
      Fix: always use proper path on node api when calling the view
  (server#38128)
      Fix json_decode expecting a string (server#38130)
      Check if version entity is not null before delete (server#38153)
      Do not stop at the first PHP error/warning in files:scan (server#38154)
      Fix error on delete in ChunkingV2Plugin (server#38167)
      Fix(workflowengine): Fix multiple UI issues in workflow engine admin
  settings (server#38189)
      Make sure to never trigger files hooks on a null path (server#38204)
      Fix redirect on unsupported browser warning (server#38208)
      Update psalm-baseline.xml (server#38212)
      Fix: Check for wrapped retriable exceptions (server#38238)
      Fix(carddav): Mark system address book as read-only (server#38248)
      Check if version has entity before trying to access it (server#38254)
      Add command to summarize space usage (server#38255)
      Fix incosistent scrolling in Firefox (server#38257)
      Fix(deps): Bump @nextcloud/vue to 7.11.5 (server#38263)
      Fix(lostpassword): Also rate limit the setPassword endpoint (server#382=
  68)
      Fix(middleware): Also abort the request when reaching max delay in af=
  =E2=80=A6
  (server#38275)
      Check the username when doing external storage session auth (server#382=
  81)
      Get rid of more int casts in file size manipulations (server#38289)
      Fix generated avatars cache (server#38304)
      SystemTags endpoint to return tags used by a user with meta data
  (server#38307)
      Rename `numericStorageId` to `numericExternalStorageId` in
  PersonalMount.php (server#38317)
      Fix(search): fix load more (server#38318)
      Fix : Share Expire After N Days width (server#38319)
      Chore(deps): Bump @nextcloud/vue from 7.11.5 to 7.11.6 (server#38331)
      Revert =E2=80=9CUngroup `placeholder` css rules to prevent browsers fro=
  m removing
  all rules=E2=80=9D (server#38437)
      Sec(deps): Update guzzlehttp/psr7 (3rdparty#1387)
      Rename =E2=80=9Cuser=E2=80=9D to =E2=80=9Caccount=E2=80=9D in descripti=
  on (bruteforcesettings#455)
      App cfg from cli (circles#1295)
      Make changes to circle config synchroneous (circles#1309)
      Add npm-audit-fix (files_pdfviewer#732)
      Fix npm audit (files_pdfviewer#739)
      Update nextcloud/ocp dependency (firstrunwizard#842)
      Fix npm audit (firstrunwizard#862)
      Update nextcloud/ocp dependency (nextcloud_announcements#193)
      Chore(deps): Bump @nextcloud/vue from 7.7.1 to 7.7.2 (notifications#151=
  8)
      Fix(deps): Update webpack (notifications#1526)
      Fix header menu color by updating @nextcloud/vue to 7.10.0
  (notifications#1534)
      Update nextcloud/ocp dependency (notifications#1543)
      Do not allow deletion from public albums (photos#1750)
      Fix #1753: Media and Photos views are blank after upgrade to 26.0.1
  (photos#1759)
      Fix: hide upload button on public album shares (photos#1763)
      Expose DAV permissions on album and places photos (photos#1775)
      Do not silence error when setting a place (photos#1778)
      Fix folder view (photos#1779)
      Use display name instead of id for shared albums (photos#1783)
      Reset file list on upload in FilesPicker (photos#1792)
      Run npm audit fix (photos#1799)
      Revert using display name in shared albums=E2=80=99 name (photos#1801)
      Prevent progress bar overflow when uploading in Folders (photos#1803)
      Fix npm audit (privacy#888)
      Fix npm audit (recommendations#613)
      Fix(API): Add a log entry when an error occurs so the admin can pass =
  =E2=80=A6
  (related_resources#208)
      Fix npm audit (related_resources#223)
      Chore(deps): Bump @nextcloud/vue from 7.9.0 to 7.11.6
  (related_resources#232)
      Update nextcloud/ocp dependency (serverinfo#433)
      Fix Undefined Array key Family in DefaultOs (serverinfo#438)
      With FreeBSD jails, networkinfo->gateway can be empty (serverinfo#444)
      Update nextcloud/ocp dependency (serverinfo#446)
      Update nextcloud/ocp dependency (serverinfo#457)
      Chore(deps): update dependency eslint-plugin-cypress to ^2.13.3
  (text#4017)
      Fix(deps): update tiptap to ^2.0.3 (text#4055)
      Chore(deps): update dependency vue-demi to ^0.14.0 (text#4056)
      Fix: Only handle recent awareness messagess from sessions (text#4062)
      Adjust smart picker menu action (text#4065)
      Enh(log): use level warning for saving empty docs (text#4072)
      Fix(cypress): show hidden files request now uses PUT (text#4074)
      Chore(deps): update dependency @nextcloud/webpack-vue-config to ^5.5.1
  (text#4098)
      Pass data to `this.$parent.$emit` in `Editor.vue` (text#4103)
      Fix double readme files getting created on case-insensitive storages
  (text#4105)
      Fix npm audit (text#4110)
      Fix editing image description fails if enter isn=E2=80=99t pressed (tex=
  t#4114)
      Fix(Viewer): remove outdated fix from stable16. (text#4120)
      Fix: autofocus own rich workspaces only at freshly created (text#4125)
      Fix(conflict): resolve quickly with fast sync. (text#4127)
      Fix: pass file id for direct editing and fail y.js provider setup if no=
  ne
  was passed (text#4128)
      Chore(deps): update dependency @cypress/webpack-preprocessor to ^5.17.1
  (text#4133)
      Chore(deps): update dependency @vue/vue2-jest to ^29.2.4 (text#4134)
      Fix(deps): update dependency @nextcloud/files to ^3.0.0-beta.9 (text#41=
  35)
      Fix(deps): update dependency lib0 to ^0.2.74 (text#4136)
      Chore(deps): update dependency cypress to ^12.11.0 (text#4137)
      Chore(deps): update dependency vite to ^4.3.5 (text#4138)
      Chore(deps): update dependency vite-plugin-commonjs to ^0.7.0 (text#413=
  9)
      Fix(deps): update dependency @nextcloud/router to ^2.1.1 (text#4141)
      Fix(deps): update dependency @nextcloud/vue to ^7.11.2 (text#4142)
      Fix(deps): update dependency yjs to ^13.6.1 (text#4144)
      Update nextcloud/ocp dependency (text#4150)
      Fix(deps): update dependency @nextcloud/vue to ^7.11.3 (text#4159)
      Chore(deps): update dependency vue-demi to ^0.14.1 (text#4168)
      Fix(deps): update dependency path-normalize to ^6.0.12 (text#4172)
      Chore(deps): update dependency cypress to ^12.12.0 (text#4173)
      Fix(deps): update dependency @nextcloud/vue to ^7.11.4 (text#4175)
      Chore(deps): update dependency @nextcloud/eslint-config to ^8.3.0-beta.0
  (text#4180)
      Chore(deps): update dependency vite-plugin-commonjs to ^0.7.1 (text#418=
  8)
      Chore: v8.0.0 (twofactor_totp#1343)
      Fix(deps): Update vulnerable npm packages (twofactor_totp#1375)
      Chore(deps-dev): replace vue-jest with @vue/vue2-jest@27
  (twofactor_totp#1395)
      Chore(deps): Bump @skjnldsv/vue-plyr from 7.3.0 to 7.3.1 (viewer#1613)
      Chore(deps-dev): Bump @nextcloud/webpack-vue-config from 5.4.0 to 5.5.1
  (viewer#1621)
      Add npm-audit-fix (viewer#1623)
      Fix npm audit (viewer#1632)
      Fix: use left position of sidebar to set viewer width (viewer#1641)
      Chore(deps-dev): Bump @types/dockerode from 3.3.16 to 3.3.17 (viewer#16=
  44)
      Fix: remove undefined method call (viewer#1649)
      Use proper alt text for viewer app modal (viewer#1652)
      Override hardcoded save button width (viewer#1657)
      Increase z-index of SfxPopper instead of its children (viewer#1659)

  26.0.1:

  Changes:

      Update wording for disabled web updater (server#37052)
      Don=E2=80=99t try to hash a nonexisting password (server#37217)
      Use native tooltip for version=E2=80=99s date (server#37264)
      Set `h1` headings for navigation through files app (server#37273)
      Replace custom tooltips with native ones and add description to all e=
  =E2=80=A6
  (server#37275)
      Fix: add important to css hidden files class (server#37286)
      Add parent index on filecache (server#37318)
      Fix(security): Mark recording_servers key appconfig as private as it =
  =E2=80=A6
  (server#37336)
      Fix/36908 set aria hidden for default shipped widgets icons (server#373=
  38)
      Fix OC_Image: Prevent E_WARNING from getimagesize* (server#37368)
      Create `h3` headings for profile page. Replace `` which have=E2=80=A6
  (server#37389)
      Fix(mailer): remove value comparison for smtp_authtype as there is only
  one option (server#37391)
      Do onetime user setup before getting any mount from providers
  (server#37394)
      Backport/stable26/jerome herbinet/patch 15 (server#37431)
      Fix(files_sharing): Allow file actions other than download for hide
  download shares (server#37439)
      Fix(references): Do not log errors on 404 responses of opengraph image
  fetching (server#37440)
      Fix(docs): Fix RST parsing of the sample config (server#37441)
      Fix/36917 the statuses list was implemented semantically incorrectly
  (server#37449)
      Replace custom tooltips with native ones of entries in contacts menu.
  (server#37463)
      Add label for logo link (server#37471)
      Fix the avatar generation on Alpine Linux (server#37482)
      Change contactsmenu structure to a list (server#37485)
      Hide shared files located in group folder=E2=80=99s trash bin (server#3=
  7488)
      Fix default_language doc (server#37508)
      Improve handling of profile fields (server#37523)
      Stable25] Quota value as float for 32-bit systems (server#37533)
      Clear encrypted flag when moving away from encrypted storage
  (server#37537)
      Fix: Avoid scrolling the #content wrapper container (server#37545)
      Feat(security): Allow to opt-out of ratelimit protection, e.g. for te=
  =E2=80=A6
  (server#37551)
      Extend path-prefix optimizer to remove all cases of path_hash=3D when
  encountering a path prefix filter (server#37558)
      Update psalm-baseline.xml (server#37565)
      Migrate metadata JSON column to new value TEXT column (server#37571)
      Fix(initial-state): Log an error when initial-state can not be JSON e=
  =E2=80=A6
  (server#37576)
      Fix cypress tests for files_versions (server#37589)
      Fix: Always create user directory when transfering files to new users
  (server#37666)
      Doc(auth): Warn about disabled token passwords and LDAP logout
  (server#37684)
      Fix(dav): add string comparison for diff (server#37687)
      App type extended_authentication (server#37689)
      Handle not being able to write file for notify self-test (server#37701)
      Fix(translation): Fix several issues with the translations api
  (server#37705)
      Revert =E2=80=9Chandle not being able to write file for notify self-tes=
  t=E2=80=9D
  (server#37718)
      Update nextcloud/ocp dependency (activity#1144)
      Fix multiselect right-click options (files_rightclick#153)
      Fix-right-click multiselect in trash bin (files_rightclick#158)
      Update nextcloud/ocp dependency (nextcloud_announcements#175)
      Update nextcloud/ocp dependency (nextcloud_announcements#185)
      Update nextcloud/ocp dependency (notifications#1481)
      Deduplicate notifications (notifications#1485)
      Update nextcloud/ocp dependency (notifications#1499)
      Add object type as data attr to notification (notifications#1501)
      Update nextcloud/ocp dependency (notifications#1506)
      Feat(API): Add an endpoint to check for existance of notification ids
  (notifications#1509)
      Fix: null password handling in entry control logic (password_policy#454)
      Fix scrolling in large folders (photos#1706)
      Fix(settings): Debounce filepicker calls (photos#1712)
      Migrate to the new file_metadata column layout (photos#1736)
      Albums: check copy source owner is the current user and throw
  (photos#1737)
      Chore(deps): Bump @nextcloud/vue from 7.2.0 to 7.9.0
  (related_resources#205)
      Fix(deps): update dependency @hocuspocus/provider to ^1.1.1 (text#3896)
      Fix(deps): update dependency y-websocket to ^1.5.0 (text#3897)
      Fix(deps): update dependency yjs to ^13.5.51 (text#3898)
      Fix(deps): update dependency lib0 to ^0.2.72 (text#3914)
      Feat: Add Shift-Mod-C for copying the markdown source (text#3942)
      Chore(deps): update dependency cypress to ^12.8.1 (text#3948)
      Get mimeIconUrl for media attachments without a session (text#3955)
      Fix: split layout of conflict view (text#3959)
      Fix(deps): update dependency @nextcloud/vue to ^7.8.3 (text#3966)
      Chore(deps): update dependency @nextcloud/webpack-vue-config to ^5.5.0
  (text#3967)
      Update nextcloud/ocp dependency (text#3969)
      Chore(deps): update dependency vite to ^4.2.1 (text#3971)
      Revert composer autoload changes to PHP 8.1 version (text#3982)
      Emit events from editor when image nodes get added or deleted (text#398=
  3)
      Conflict fixes (text#3988)
      Fix(deps): update dependency @nextcloud/vue to ^7.8.4 (text#3992)
      Fix(deps): update dependency lib0 to ^0.2.73 (text#3993)
      Add table wrapper as scroll container for readonly tables (text#4000)
      Make saving indicator a button for force-save (text#4002)
      Fix: Ensure to not persist user put into the session for direct editing
  (text#4003)
      Fix(deps): update dependency @hocuspocus/provider to ^1.1.3 (text#4013)
      Fix(deps): update dependency @nextcloud/vue to ^7.9.0 (text#4014)
      Fix(deps): update tiptap to ^2.0.1 (text#4015)
      Chore(deps): update dependency cypress to ^12.9.0 (text#4016)
      Update nextcloud/ocp dependency (text#4022)
      Fix(deps): update dependency @nextcloud/files to ^3.0.0-beta.8 (text#40=
  32)
      Fix(deps): update dependency yjs to ^13.5.52 (text#4033)
      Fix(deps): update tiptap to ^2.0.2 (text#4034)
      Update nextcloud/ocp dependency (text#4036)
      Fix: scroll for outline (text#4038)
      Fix: Properly emit ready event on conflicts with the editor API
  (text#4040)
      Fix(deps): update dependency path-normalize to ^6.0.11 (text#4042)
      Fix(challenge): invert icon on light mode (twofactor_totp#1349)
      Chore(deps-dev): Bump dockerode and @types/dockerode (viewer#1583)
      Update vue to 7.6.1 (viewer#1594)
      Fix enter key in text input in image editor (viewer#1597)
      Bump @types/dockerode from 3.3.15 to 3.3.16 (viewer#1600)

(bsiegert)

Pullup ticket #6787 - requested by taca
lang/php82: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.402,1.405
- lang/php82/distinfo                                          1.9-1.11
- lang/php82/patches/patch-build_libtool.m4                    deleted
- lang/php82/patches/patch-configure                            1.9

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jul  7 12:49:17 UTC 2023

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php82: distinfo
  pkgsrc/lang/php82/patches: patch-configure

  Log Message:
  lang/php82: update to 8.2.8

  PHP 8.2.8 (2023-07-06)

  - CLI:
    . Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
      (James Lucas)

  - Core:
    . Fixed build for the riscv64 architecture/GCC 12. (Daniil Gentili)

  - Curl:
    . Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
      (nielsdos)

  - Date:
    . Fixed bug GH-11455 (Segmentation fault with custom object date properties).
      (nielsdos)

  - DOM:
    . Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions
      and segfaults with replaceWith). (nielsdos)
    . Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty
      attribute value). (nielsdos)
    . Fix return value in stub file for DOMNodeList::item. (divinity76)
    . Fix spec compliance error with '*' namespace for
      DOMDocument::getElementsByTagNameNS. (nielsdos)
    . Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
      (nielsdos)
    . Fixed bug GH-11347 (Memory leak when calling a static method inside an
      xpath query). (nielsdos)
    . Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile
      namespaces). (nielsdos)
    . Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node
      with itself). (nielsdos)
    . Fixed bug #77686 (Removed elements are still returned by getElementById).
      (nielsdos)
    . Fixed bug #70359 (print_r() on DOMAttr causes Segfault in
      php_libxml_node_free_list()). (nielsdos)
    . Fixed bug #78577 (Crash in DOMNameSpace debug info handlers). (nielsdos)
    . Fix lifetime issue with getAttributeNodeNS(). (nielsdos)
    . Fix "invalid state error" with cloned namespace declarations. (nielsdos)
    . Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation
      issues). (nielsdos)
    . Fixed bug #80332 (Completely broken array access functionality with
      DOMNamedNodeMap). (nielsdos)

  - Opcache:
    . Fix allocation loop in zend_shared_alloc_startup(). (nielsdos)
    . Access violation on smm_shared_globals with ALLOC_FALLBACK. (KoudelkaB)
    . Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem
      with opcache.file_cache_only=1 but it was never locked). (nielsdos)

  - OpenSSL:
    . Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in
      subjectAltNames (James Lucas, Jakub Zelenka).

  - PCRE:
    . Fix preg_replace_callback_array() pattern validation. (ilutov)

  - PGSQL:
    . Fixed intermittent segfault with pg_trace. (David Carlier)

  - Phar:
    . Fix cross-compilation check in phar generation for FreeBSD. (peter279k)

  - SPL:
    . Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one
      slash). (nielsdos)

  - Standard:
    . Fix access on NULL pointer in array_merge_recursive(). (ilutov)
    . Fix exception handling in array_multisort(). (ilutov)

  - SQLite3:
    . Fixed bug GH-11451 (Invalid associative array containing duplicate
      keys). (nielsdos)

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Aug  5 08:45:39 UTC 2023

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php82: distinfo
  Removed Files:
  pkgsrc/lang/php82/patches: patch-build_libtool.m4

  Log Message:
  lang/php82: update to 8.2.9

  03 Aug 2023, PHP 8.2.9

  - Build:
    . Fixed bug GH-11522 (PHP version check fails with '-' separator).
      (SVGAnimate)

  - CLI:
    . Fix interrupted CLI output causing the process to exit. (nielsdos)

  - Core:
    . Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
      (ilutov)
    . Fixed line number of JMP instruction over else block. (ilutov)
    . Fixed use-of-uninitialized-value with ??= on assert. (ilutov)
    . Fixed oss-fuzz #60411 (Fix double-compilation of arrow-functions). (ilutov)
    . Fixed build for FreeBSD before the 11.0 releases. (David Carlier)

  - Curl:
    . Fix crash when an invalid callback function is passed to
      CURLMOPT_PUSHFUNCTION. (nielsdos)

  - Date:
    . Fixed bug GH-11368 (Date modify returns invalid datetime). (Derick)
    . Fixed bug GH-11600 (Can't parse time strings which include (narrow)
      non-breaking space characters). (Derick)

  - DOM:
    . Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with
      DOMDocumentFragment but just deletes node or causes wrapping <></>
      depending on libxml2 version). (nielsdos)

  - Fileinfo:
    . Fixed bug GH-11298 (finfo returns wrong mime type for xz files). (Anatol)

  - FTP:
    . Fix context option check for "overwrite". (JonasQuinten)
    . Fixed bug GH-10562 (Memory leak and invalid state with consecutive
      ftp_nb_fget). (nielsdos)

  - GD:
    . Fix most of the external libgd test failures. (Michael Orlitzky)

  - Intl:
    . Fix memory leak in MessageFormatter::format() on failure. (Girgias)

  - Libxml:
    . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
      in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)

  - MBString:
    . Fix GH-11300 (license issue: restricted unicode license headers).
      (nielsdos)

  - Opcache:
    . Fixed bug GH-10914 (OPCache with Enum and Callback functions results in
      segmentation fault). (nielsdos)
    . Prevent potential deadlock if accelerated globals cannot be allocated.
      (nielsdos)

  - PCNTL:
    . Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
      (nielsdos)

  - PDO:
    . Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true
      and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer
      filled). (SakiTakamachi)

  - PDO SQLite:
    . Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
      (KapitanOczywisty, CViniciusSDias)

  - Phar:
    . Add missing check on EVP_VerifyUpdate() in phar util. (nielsdos)
    . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
      (CVE-2023-3824) (nielsdos)

  - PHPDBG:
    . Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option). (adsr)

  - Session:
    . Removed broken url support for transferring session ID. (ilutov)

  - Standard:
    . Fix serialization of RC1 objects appearing in object graph twice. (ilutov)

  - Streams:
    . Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper
      from itself). (ilutov)

  - SQLite3:
    . Fix replaced error handling in SQLite3Stmt::__construct. (nielsdos)

  - XMLReader:
    . Fix GH-11548 (Argument corruption when calling XMLReader::open or
      XMLReader::XML non-statically with observer active). (Bob)

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun Aug  6 04:05:06 UTC 2023

  Modified Files:
  pkgsrc/lang/php82: distinfo

  Log Message:
  lang/php82: fix distinfo

  Fix distinfo.  Maybe, I fetched pre-install version.

  No DIST_SUBDIR update with expecting no one fetched pre-official distinfo
  file.

(bsiegert)

Pullup ticket #6786 - requested by taca
lang/php81: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.403-1.404
- lang/php81/distinfo                                          1.25-1.26
- lang/php81/patches/patch-build_libtool.m4                    deleted
- lang/php81/patches/patch-configure                            1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Fri Jul  7 12:51:19 UTC 2023

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php81: distinfo

  Log Message:
  lang/php81: update to 8.1.21

  PHP 8.1.21 (2023-07-06)

  - CLI:
    . Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
      (James Lucas)

  - Core:
    . Fixed build for the riscv64 architecture/GCC 12. (Daniil Gentili)

  - Curl:
    . Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
      (nielsdos)

  - DOM:
    . Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions
      and segfaults with replaceWith). (nielsdos)
    . Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty
      attribute value). (nielsdos)
    . Fix return value in stub file for DOMNodeList::item. (divinity76)
    . Fix spec compliance error with '*' namespace for
      DOMDocument::getElementsByTagNameNS. (nielsdos)
    . Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
      (nielsdos)
    . Fixed bug GH-11347 (Memory leak when calling a static method inside an
      xpath query). (nielsdos)
    . Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile
      namespaces). (nielsdos)
    . Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node
      with itself). (nielsdos)
    . Fixed bug #77686 (Removed elements are still returned by getElementById).
      (nielsdos)
    . Fixed bug #70359 (print_r() on DOMAttr causes Segfault in
      php_libxml_node_free_list()). (nielsdos)
    . Fixed bug #78577 (Crash in DOMNameSpace debug info handlers). (nielsdos)
    . Fix lifetime issue with getAttributeNodeNS(). (nielsdos)
    . Fix "invalid state error" with cloned namespace declarations. (nielsdos)
    . Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation
      issues). (nielsdos)
    . Fixed bug #80332 (Completely broken array access functionality with
      DOMNamedNodeMap). (nielsdos)

  - Opcache:
    . Fix allocation loop in zend_shared_alloc_startup(). (nielsdos)
    . Access violation on smm_shared_globals with ALLOC_FALLBACK. (KoudelkaB)
    . Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem
      with opcache.file_cache_only=1 but it was never locked). (nielsdos)

  - OpenSSL:
    . Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in
      subjectAltNames (James Lucas, Jakub Zelenka).

  - PGSQL:
    . Fixed intermittent segfault with pg_trace. (David Carlier)

  - Phar:
    . Fix cross-compilation check in phar generation for FreeBSD. (peter279k)

  - SPL:
    . Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one
      slash). (nielsdos)

  - Standard:
    . Fix access on NULL pointer in array_merge_recursive(). (ilutov)
    . Fix exception handling in array_multisort(). (ilutov)

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Aug  5 08:43:16 UTC 2023

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php81: distinfo
  pkgsrc/lang/php81/patches: patch-configure
  Removed Files:
  pkgsrc/lang/php81/patches: patch-build_libtool.m4

  Log Message:
  lang/php81: update to 8.1.22

  03 Aug 2023, PHP 8.1.22

  - Build:
    . Fixed bug GH-11522 (PHP version check fails with '-' separator).
      (SVGAnimate)

  - CLI:
    . Fix interrupted CLI output causing the process to exit. (nielsdos)

  - Core:
    . Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
      (ilutov)
    . Fixed use-of-uninitialized-value with ??= on assert. (ilutov)
    . Fixed build for FreeBSD before the 11.0 releases. (David Carlier)

  - Curl:
    . Fix crash when an invalid callback function is passed to
      CURLMOPT_PUSHFUNCTION. (nielsdos)

  - Date:
    . Fixed bug GH-11368 (Date modify returns invalid datetime). (Derick)

  - DOM:
    . Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with
      DOMDocumentFragment but just deletes node or causes wrapping <></>
      depending on libxml2 version). (nielsdos)

  - Fileinfo:
    . Fixed bug GH-11298 (finfo returns wrong mime type for xz files). (Anatol)

  - FTP:
    . Fix context option check for "overwrite". (JonasQuinten)
    . Fixed bug GH-10562 (Memory leak and invalid state with consecutive
      ftp_nb_fget). (nielsdos)

  - GD:
    . Fix most of the external libgd test failures. (Michael Orlitzky)

  - Hash:
    . Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options
      parameter in signature. (ilutov)

  - Intl:
    . Fix memory leak in MessageFormatter::format() on failure. (Girgias)

  - Libxml:
    . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
      in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)

  - MBString:
    . Fix GH-11300 (license issue: restricted unicode license headers).
      (nielsdos)

  - Opcache:
    . Fixed bug GH-10914 (OPCache with Enum and Callback functions results in
      segmentation fault). (nielsdos)
    . Prevent potential deadlock if accelerated globals cannot be allocated.
      (nielsdos)

  - PCNTL:
    . Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
      (nielsdos)

  - PCRE:
    . Mangle PCRE regex cache key with JIT option. (mvorisek)

  - PDO:
    . Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true
      and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer
      filled). (SakiTakamachi)

  - PDO SQLite:
    . Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
      (KapitanOczywisty, CViniciusSDias)

  - Phar:
    . Add missing check on EVP_VerifyUpdate() in phar util. (nielsdos)
    . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
      (CVE-2023-3824) (nielsdos)

  - PHPDBG:
    . Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option). (adsr)

  - Session:
    . Removed broken url support for transferring session ID. (ilutov)

  - Standard:
    . Fix serialization of RC1 objects appearing in object graph twice. (ilutov)

  - SQLite3:
    . Fix replaced error handling in SQLite3Stmt::__construct. (nielsdos)

(bsiegert)

Pullup ticket #6785 - requested by taca
lang/php80: security fix (CVE-2023-3823, CVE-2024-3824)

Revisions pulled up:
- lang/php/phpversion.mk                                        1.406
- lang/php80/distinfo                                          1.31
- lang/php80/patches/patch-configure                            1.2

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun Aug  6 04:28:24 UTC 2023

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php80: distinfo
  pkgsrc/lang/php80/patches: patch-configure

  Log Message:
  lang/php80: update to 8.0.30

  03 Aug 2023, PHP 8.0.30

  - Libxml:
    . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
      in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)

  - Phar:
    . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
      (CVE-2023-3824) (nielsdos)

(bsiegert)

Pullup ticket #6782 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                          1.166-1.167
- net/samba4/distinfo                                          1.94-1.95

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Wed Jul 19 15:33:28 UTC 2023

  Modified Files:
  pkgsrc/net/samba4: Makefile distinfo

  Log Message:
  samba: update to 4.18.4.

  Changes since 4.18.3
  --------------------

  o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    * BUG 15404: Backport --pidl-developer fixes.

  o  Samuel Cabrero <scabrero@samba.org>
    * BUG 14030: Named crashes on DLZ zone update.

  o  Bj旦rn Jacke <bj@sernet.de>
    * BUG 2312: smbcacls and smbcquotas do not check // before the server.

  o  Volker Lendecke <vl@samba.org>
    * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
    * BUG 15391: smbclient leaks fds with showacls.
    * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem.

  o  Stefan Metzmacher <metze@samba.org>
    * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
      causes test timeouts.

  o  Noel Power <noel.power@suse.com>
    * BUG 15384: net ads lookup (with unspecified realm) fails.

  o  Christof Schmitt <cs@samba.org>
    * BUG 15381: Register Samba processes with GPFS.

  o  Andreas Schneider <asn@samba.org>
    * BUG 15390: Python tarfile extraction needs change to avoid a warning
      (CVE-2007-4559 mitigation).
    * BUG 15398: The winbind child segfaults when listing users with `winbind
      scan trusted domains = yes`.

  o  Jones Syue <jonessyue@qnap.com>
    * BUG 15383: Remove comments about deprecated 'write cache size'.
    * BUG 15403: smbget memory leak if failed to download files recursively.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jul 20 01:28:34 UTC 2023

  Modified Files:
  pkgsrc/net/samba4: Makefile distinfo

  Log Message:
  net/samba4: update to 4.18.5

                    ==============================
                    Release Notes for Samba 4.18.5
                            July 19, 2023
                    ==============================

  This is a security release in order to address the following defects:

  o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                    crafted request can trigger an out-of-bounds read in winbind
                    and possibly crash it.
                    https://www.samba.org/samba/security/CVE-2022-2127.html

  o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                    "server signing = required" or for SMB2 connections to Domain
                    Controllers where SMB2 packet signing is mandatory.
                    https://www.samba.org/samba/security/CVE-2023-3347.html

  o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                    Spotlight can be triggered by an unauthenticated attacker by
                    issuing a malformed RPC request.
                    https://www.samba.org/samba/security/CVE-2023-34966.html

  o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                    Spotlight can be used by an unauthenticated attacker to
                    trigger a process crash in a shared RPC mdssvc worker process.
                    https://www.samba.org/samba/security/CVE-2023-34967.html

  o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                    side absolute path of shares and files and directories in
                    search results.
                    https://www.samba.org/samba/security/CVE-2023-34968.html

  Changes since 4.18.4
  --------------------

  o  Ralph Boehme <slow@samba.org>
    * BUG 15072: CVE-2022-2127.
    * BUG 15340: CVE-2023-34966.
    * BUG 15341: CVE-2023-34967.
    * BUG 15388: CVE-2023-34968.
    * BUG 15397: CVE-2023-3347.

  o  Volker Lendecke <vl@samba.org>
    * BUG 15072: CVE-2022-2127.

  o  Stefan Metzmacher <metze@samba.org>
    * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.

(bsiegert)

Pullup ticket #6781 - requested by taca
textproc/ruby-sanitize: security fix (CVE-2023-36823)

Revisions pulled up:
- textproc/ruby-sanitize/Makefile                              1.3
- textproc/ruby-sanitize/distinfo                              1.3

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun Jul  9 02:56:28 UTC 2023

  Modified Files:
  pkgsrc/textproc/ruby-sanitize: Makefile distinfo

  Log Message:
  textproc/ruby-sanitize: update to 6.0.2

  6.0.2 (2023-07-06)

  Bug Fixes

  * CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
    (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
    6.0.1.

    When using Sanitize's relaxed config or a custom config that allows
    <style> elements and one or more CSS at-rules, carefully crafted input
    could be used to sneak arbitrary HTML through Sanitize.

    See the following security advisory for additional details:
    GHSA-f5ww-cq3m-q3g7

    Thanks to @cure53 for finding this issue.

(bsiegert)

Pullup ticket #6783 - requested by leot
www/firefox102: Enable WebRTC X11 desktop capture
Pullup ticket #6788 - requested by nia
www/firefox102: security fix

Revisions pulled up:
- www/firefox102-l10n/Makefile                                  1.14
- www/firefox102-l10n/distinfo                                  1.13
- www/firefox102/Makefile                                      1.23-1.24
- www/firefox102/distinfo                                      1.15
- www/firefox102/files/replace-moz.build.awk                    1.2

---
  Module Name:    pkgsrc
  Committed By:  ryoon
  Date:          Wed Jul 26 15:52:05 UTC 2023

  Modified Files:
          pkgsrc/www/firefox102: Makefile
          pkgsrc/www/firefox102/files: replace-moz.build.awk

  Log Message:
  firefox102: Enable WebRTC X11 desktop capture

  Fix PR pkg/56955.
  Bump PKGREVISION.

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Tue Aug  8 15:46:58 UTC 2023

  Modified Files:
  pkgsrc/www/firefox102: Makefile distinfo
  pkgsrc/www/firefox102-l10n: Makefile distinfo

  Log Message:
  firefox102: Update to 102.14.0

  Security Vulnerabilities fixed in Firefox ESR 102.14

      #CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin
      restrictions

      #CVE-2023-4046: Incorrect value used during WASM compilation

      #CVE-2023-4047: Potential permissions request bypass via clickjacking

      #CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions

      #CVE-2023-4049: Fix potential race conditions when releasing platform
      objects

      #CVE-2023-4050: Stack buffer overflow in StorageManager

      #CVE-2023-4054: Lack of warning when opening appref-ms files

      #CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state

      #CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
      Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14

(bsiegert)

#6776

(spz)

Pullup ticket #6776 - requested by bsiegert
print/ghostscript-agpl: security update

Revisions pulled up:
- print/ghostscript-agpl/Makefile                              1.77
- print/ghostscript-agpl/Makefile.common                        1.30
- print/ghostscript-agpl/distinfo                              1.45

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  adam
  Date:          Mon Jun 26 11:27:25 UTC 2023

  Modified Files:
          pkgsrc/print/ghostscript-agpl: Makefile Makefile.common distinfo

  Log Message:
  ghostscript-agpl: updated to 10.01.2

  Version 10.01.2 (2023-06-21)

  Highlights in this release include:

  We've continued to improve the performance of the PDF interpreter
  written in C and improve it's behaviour in edge and
  out-of-specification cases.
  Our efforts in code hygiene and maintainability continue.
  The usual round of bug fixes, compatibility changes, and incremental
  improvements.
  (9.53.0) We have added the capability to build with the Tesseract OCR
  engine. In such a build, new devices are available
  (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image,
  OCR that image, and output the image "wrapped" up as a PDF file, with
  the OCR generated text information included as "invisible" text (in
  PDF terms, text rendering mode 3).

  To generate a diff of this commit:
  cvs rdiff -u -r1.76 -r1.77 pkgsrc/print/ghostscript-agpl/Makefile
  cvs rdiff -u -r1.29 -r1.30 pkgsrc/print/ghostscript-agpl/Makefile.common
  cvs rdiff -u -r1.44 -r1.45 pkgsrc/print/ghostscript-agpl/distinfo

(spz)

#6778 and #6780

(bsiegert)

Pullup ticket #6780 - requested by nia
www/firefox102: security fix
www/firefox102-l10n: dependent update

Revisions pulled up:
- www/firefox102-l10n/Makefile                                  1.13
- www/firefox102-l10n/distinfo                                  1.12
- www/firefox102/Makefile                                      1.22
- www/firefox102/distinfo                                      1.14

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Fri Jul  7 20:47:53 UTC 2023

  Modified Files:
  pkgsrc/www/firefox102: Makefile distinfo
  pkgsrc/www/firefox102-l10n: Makefile distinfo

  Log Message:
  firefox102: update to 102.13.0

  Security Vulnerabilities fixed in Firefox ESR 102.13

      #CVE-2023-37201: Use-after-free in WebRTC certificate generation

      #CVE-2023-37202: Potential use-after-free from compartment mismatch in
      SpiderMonkey

      #CVE-2023-37207: Fullscreen notification obscured

      #CVE-2023-37208: Lack of warning when opening Diagcab files

      #CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR
      102.13, and Thunderbird 102.13

(bsiegert)

Pullup ticket #6778 - requested by abs
www/arcticfox: sparc64 and alpha build fix

Revisions pulled up:
- www/arcticfox/Makefile                                        1.29

---
  Module Name:    pkgsrc
  Committed By:  abs
  Date:          Thu Jul  6 14:14:38 UTC 2023

  Modified Files:
          pkgsrc/www/arcticfox: Makefile

  Log Message:
  Put SSP_SUPPORTED=no before bsd.prefs.mk include

  >From Connor McLaughlan

  Should fix running on sparc64 & alpha

(bsiegert)

Pullup tickets up to #6777

(bsiegert)

Pullup ticket #6777 - requested by abs
x11/qt5-qtwebkit: build fix

Revisions pulled up:
- x11/qt5-qtwebkit/Makefile                                    1.113

---
  Module Name:    pkgsrc
  Committed By:  gdt
  Date:          Mon Jul  3 11:46:28 UTC 2023

  Modified Files:
          pkgsrc/x11/qt5-qtwebkit: Makefile

  Log Message:
  qt5-qtwebengine: bl3 on libxml2

  .so files installed by the package show NEEDED on libxml2.  While it
  is properly TOOL_DEPENDS also, it therefore needs to be bl3 also.

(bsiegert)

Pullup ticket #6775 - requested by nia
databases/mariadb106-client: security fix
databases/mariadb106-server: security fix

Revisions pulled up:
- databases/mariadb106-client/Makefile                          1.13
- databases/mariadb106-client/Makefile.common                  1.17
- databases/mariadb106-client/PLIST                            1.7
- databases/mariadb106-client/distinfo                          1.15
- databases/mariadb106-server/Makefile                          1.26

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sat Jul  1 13:56:17 UTC 2023

  Modified Files:
  pkgsrc/databases/mariadb106-client: Makefile Makefile.common PLIST
      distinfo
  pkgsrc/databases/mariadb106-server: Makefile

  Log Message:
  mariadb106: update to 10.6.14

                            MariaDB 10.6.14 Release Notes

  Notable Items

    InnoDB

        * Server crashes in st_join_table::choose_best_splitting (MDEV-31403)
        * Crash with condition pushable into derived and containing outer
          reference (MDEV-31240)
        * InnoDB does not free UNDO after the fix of MDEV-30671 (MDEV-31234)
        * InnoDB hang fixes (MDEV-31158, MDEV-31343, MDEV-31350)
        * Innodb_buffer_pool_read_requests is not updated correctly (MDEV-31309)
        * InnoDB monitor trx_rseg_history_len was accidentally disabled by
          default (MDEV-31308)
        * Revert "MDEV-30473 : Do not allow GET_LOCK() / RELEASE_LOCK() in
          cluster"

    Optimizer

        * Crash with condition pushable into derived and containing outer
          reference (MDEV-31403 MDEV-31240)
        * Crash with EXPLAIN EXTENDED for multi-table update of system table
          (MDEV-31224)

                            MariaDB 10.6.13 Release Notes

  Notable Items

    InnoDB

        * Crash on ROLLBACK in a ROW_FORMAT=COMPRESSED table (MDEV-30882)
        * UNIQUE USING HASH accepts duplicate entries for tricky collations
          (MDEV-30034)
        * rec_get_offsets() is not optimal (MDEV-30567)
        * Performance regression in fil_space_t::try_to_close() introduced in
          MDEV-23855 (MDEV-30775)
        * InnoDB recovery hangs when buffer pool ran out of memory (MDEV-30551)
        * InnoDB undo log truncation fails to wait for purge of history
          (MDEV-30671
        * MariaDB crash due to DB_FAIL reported for a corrupted page
          (MDEV-30397)
        * Deadlock between INSERT and InnoDB non-persistent statistics update
          (MDEV-30638)
        * InnoDB hang on B-tree split or merge (MDEV-29835)
        * Performance regression in locking reads from secondary indexes
          (MDEV-30357)
        * Improve adaptive flushing (MDEV-26055)
        * Make page flushing even faster (MDEV-26827)
        * Purge misses a chance to free not-yet-reused undo pages (MDEV-29593)
        * InnoDB temporary tablespace: reclaiming of free space does not work
          (MDEV-26782)
        * Fix miscount of doublewrites by Innodb_data_written (MDEV-31124)

    Backup

        * mariadb-backup doesn't utilise innodb-undo-log-directory (if specified
          as a relative path) during copy-back operation (MDEV-28187)
        * mariabackup issues error messages during InnoDB tablespaces export on
          partial backup preparing (MDEV-29050)
        * mariadb-backup does not copy Aria logs if aria_log_dir_path is used
          (MDEV-30968)
        * Race condition between buffer pool flush and log file deletion in
          mariadb-backup --prepare (MDEV-30860)

    Replication

        * Fixed a deadlock on parallel slave involving full image Write event on
          the sequence engine (MDEV-29621)
        * Fixed an attempted out-of-order binlogging error on slave involving
          ALTER on the sequence engine (MDEV-31077)
        * Corrected non-versioned master to versioned slave replication on
          no-unique attribute table (MDEV-30430)
        * Mended encrypted binlog master to error out to gtid-mode slave when
          master could not decrypt a binlog file (MDEV-28798)
        * Refined optimistic parallel slave to error-exit without any hang
          (MDEV-30780)
        * Ensured SHOW-SLAVE-STATUS is processed on the parallel slave having a
          necessary mutex always intialized (MDEV-30620)
        * Fixed the slave applier to report a correct error when gtid_slave_pos
          insert fails for some (engine) reasons (MDEV-31038)
        * Made parallel slave reports in performance schema consistent with that
          of show-slave-status (MDEV-26071)

    Optimizer

        * Split Materialized optimization is improved to re-fill the
          materialized table only if necessary. The fewer number of table
          refills is taken into account when choosing query plan, too
          (MDEV-26301).
        * New optimizer_switch option, hash_join_cardinality, is added. It is
          off by default. When set to ON, the optimizer will produce tighter
          bounds for hash join output cardinality. (MDEV-30812)
        * Queries using SELECT DISTINCT some_expression(aggregate_function())
          could produce wrong query result. (MDEV-20057)
        * ANALYZE FORMAT=JSON now prints more information about Block Nested
          Loop joins: block-nl-join element now has r_loops, r_effective_rows
          and r_other_time_ms fields (MDEV-30806, MDEV-30972).
        * A GROUP BY query with MIN(primary_key) in select list and
          primary_key<>const in the WHERE could produce wrong result when
          executed with "Using index for group-by" strategy (MDEV-30605)
        * EXPLAIN could erroneously report that Rowid Filter optimization is
          used for partitioned tables. Partitioned tables do not support it.
          (MDEV-30596)
        * A bug in selectivity computations for SINGLE/DOUBLE_PREC_HB histograms
          could cause wrong estimates to be produced. This could cause the
          optimizer to pick sub-optimal query plans (MDEV-31067).

    Security

        * Fixes for the following security vulnerabilities:
            * CVE-2022-47015

(bsiegert)

Pullup ticket #6774 - requested by nia
databases-mariadb105-client: security fix
databases-mariadb105-server: security fix

Revisions pulled up:
- databases/mariadb105-client/Makefile                          1.16
- databases/mariadb105-client/Makefile.common                  1.21
- databases/mariadb105-client/PLIST                            1.7
- databases/mariadb105-client/distinfo                          1.19
- databases/mariadb105-client/patches/patch-include_mysql_service__encryption.h deleted
- databases/mariadb105-server/Makefile                          1.36

---
  Module Name: pkgsrc
  Committed By: nia
  Date: Sat Jul  1 16:02:04 UTC 2023

  Modified Files:
  pkgsrc/databases/mariadb105-client: Makefile Makefile.common PLIST
      distinfo
  pkgsrc/databases/mariadb105-server: Makefile
  Removed Files:
  pkgsrc/databases/mariadb105-client/patches:
      patch-include_mysql_service__encryption.h

  Log Message:
  mariadb105: update to 10.5.21

                            MariaDB 10.5.21 Release Notes

  Notable Items

    InnoDB

        * Server crashes in st_join_table::choose_best_splitting (MDEV-31403)
        * Crash with condition pushable into derived and containing outer
          reference (MDEV-31240)
        * InnoDB does not free UNDO after the fix of MDEV-30671 (MDEV-31234)
        * Revert "MDEV-30473 : Do not allow GET_LOCK() / RELEASE_LOCK() in
          cluster"

    Optimizer

        * Crash with condition pushable into derived and containing outer
          reference (MDEV-31403 MDEV-31240)
        * Crash with EXPLAIN EXTENDED for multi-table update of system table
          (MDEV-31224)

                            MariaDB 10.5.20 Release Notes

  Notable Items

    InnoDB

        * Crash on ROLLBACK in a ROW_FORMAT=COMPRESSED table (MDEV-30882)
        * UNIQUE USING HASH accepts duplicate entries for tricky collations
          (MDEV-30034)
        * rec_get_offsets() is not optimal (MDEV-30567)
        * Performance regression in fil_space_t::try_to_close() introduced in
          MDEV-23855 (MDEV-30775)
        * InnoDB recovery hangs when buffer pool ran out of memory (MDEV-30551)
        * InnoDB undo log truncation fails to wait for purge of history
          (MDEV-30671
        * Fix miscount of doublewrites by Innodb_data_written (MDEV-31124)

  Backup

        * mariadb-backup doesn't utilise innodb-undo-log-directory (if specified
          as a relative path) during copy-back operation (MDEV-28187)
        * mariabackup issues error messages during InnoDB tablespaces export on
          partial backup preparing (MDEV-29050)
        * mariadb-backup does not copy Aria logs if aria_log_dir_path is used
          (MDEV-30968)
        * Race condition between buffer pool flush and log file deletion in
          mariadb-backup --prepare (MDEV-30860)

    Replication

        * Fixed a deadlock on parallel slave involving full image Write event on
          the sequence engine (MDEV-29621)
        * Fixed an attempted out-of-order binlogging error on slave involving
          ALTER on the sequence engine (MDEV-31077)
        * Corrected non-versioned master to versioned slave replication on
          no-unique attribute table (MDEV-30430)
        * Mended encrypted binlog master to error out to gtid-mode slave when
          master could not decrypt a binlog file (MDEV-28798)
        * Refined optimistic parallel slave to error-exit without any hang
          (MDEV-30780)
        * Ensured SHOW-SLAVE-STATUS is processed on the parallel slave having a
          necessary mutex always intialized (MDEV-30620)
        * Fixed the slave applier to report a correct error when gtid_slave_pos
          insert fails for some (engine) reasons (MDEV-31038)

    Optimizer

        * Split Materialized optimization is improved to re-fill the
          materialized table only if necessary. The fewer number of table
          refills is taken into account when choosing query plan, too
          (MDEV-26301).
        * Queries using SELECT DISTINCT some_expression(aggregate_function())
          could produce wrong query result. (MDEV-20057)
        * A GROUP BY query with MIN(primary_key) in select list and
          primary_key<>const in the WHERE could produce wrong result when
          executed with "Using index for group-by" strategy (MDEV-30605)
        * EXPLAIN could erroneously report that Rowid Filter optimization is
          used for partitioned tables. Partitioned tables do not support it.
          (MDEV-30596)
        * A bug in selectivity computations for SINGLE/DOUBLE_PREC_HB histograms
          could cause wrong estimates to be produced. This could cause the
          optimizer to pick sub-optimal query plans (MDEV-31067).

    Security

        * Fixes for the following security vulnerabilities:
            * CVE-2022-47015

(bsiegert)

Note pullup tickets #6769 to #6772

(bsiegert)

Pullup ticket #6772 - requested by taca
www/ruby-actionpack60: security fix (CVE-2023-28362)

Revisions pulled up:
- www/ruby-actionpack60/Makefile                                1.6
- www/ruby-actionpack60/distinfo                                1.22
- www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb 1.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 16:03:34 UTC 2023

  Modified Files:
  pkgsrc/www/ruby-actionpack60: Makefile distinfo
  Added Files:
  pkgsrc/www/ruby-actionpack60/patches:
      patch-lib_action__controller_metal_redirecting.rb

  Log Message:
  www/ruby-actionpack60: add fix for CVE-2023-28362

  Apply similar patch as Rails 6.1.7.4/7.0.5.1.

  Bump PKGREVISION.

(bsiegert)

Pullup ticket #6771 - requested by taca
www/ruby-actionpack52: security fix (CVE-2023-28362)

Revisions pulled up:
- www/ruby-actionpack52/Makefile                                1.4-1.5
- www/ruby-actionpack52/distinfo                                1.16
- www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb 1.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 16:00:08 UTC 2023

  Modified Files:
  pkgsrc/www/ruby-actionpack52: Makefile distinfo
  Added Files:
  pkgsrc/www/ruby-actionpack52/patches:
      patch-lib_action__controller_metal_redirecting.rb

  Log Message:
  www/ruby-actionpack52: add fix for CVE-2023-28362

  Apply similar patch as Rails 6.1.7.4/7.0.5.1.

  Bump PKGREVISION.

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 16:01:04 UTC 2023

  Modified Files:
  pkgsrc/www/ruby-actionpack52: Makefile

  Log Message:
  www/ruby-actionpack60: decrement PKGREVISION.

  PKGREVISION++ is enough...

(bsiegert)

Pullup ticket #6770 - requested by taca
lang/ruby32-base: security fix

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.268
- lang/ruby32-base/Makefile                                    1.3
- lang/ruby32-base/distinfo                                    1.5
- lang/ruby32-base/patches/patch-lib_uri_rfc2396__parser.rb    1.1
- lang/ruby32-base/patches/patch-lib_uri_rfc3986__parser.rb    1.1
- lang/ruby32-base/patches/patch-lib_uri_version.rb            1.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 15:42:07 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby32-base: Makefile distinfo
  Added Files:
  pkgsrc/lang/ruby32-base/patches: patch-lib_uri_rfc2396__parser.rb
      patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb

  Log Message:
  lang/ruby32-base: update bundled gem uri to 0.12.2

  Fix CVE-2023-36617: ReDoS vulnerability in URI.

  Bump PKGREVISION.

(bsiegert)

Pullup ticket #6769 - requested by taca
lang/ruby31-base: security fix

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.267
- lang/ruby31-base/Makefile                                    1.9
- lang/ruby31-base/distinfo                                    1.11
- lang/ruby31-base/patches/patch-lib_uri_rfc2396__parser.rb    1.1
- lang/ruby31-base/patches/patch-lib_uri_rfc3986__parser.rb    1.1
- lang/ruby31-base/patches/patch-lib_uri_version.rb            1.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 15:39:12 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby31-base: Makefile distinfo
  Added Files:
  pkgsrc/lang/ruby31-base/patches: patch-lib_uri_rfc2396__parser.rb
      patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb

  Log Message:
  lang/ruby31-base: update bundled gem uri to 0.12.2

  Fix CVE-2023-36617: ReDoS vulnerability in URI.

  Bump PKGREVISION.

(bsiegert)

Pullup ticket #6768 - requested by taca
lang/ruby30-base: security fix

Revisions pulled up:
- lang/ruby/rubyversion.mk                                      1.266
- lang/ruby30-base/Makefile                                    1.10
- lang/ruby30-base/distinfo                                    1.13
- lang/ruby30-base/patches/patch-lib_uri_rfc2396__parser.rb    1.1
- lang/ruby30-base/patches/patch-lib_uri_rfc3986__parser.rb    1.1
- lang/ruby30-base/patches/patch-lib_uri_version.rb            1.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Jun 29 15:37:17 UTC 2023

  Modified Files:
  pkgsrc/lang/ruby: rubyversion.mk
  pkgsrc/lang/ruby30-base: Makefile distinfo
  Added Files:
  pkgsrc/lang/ruby30-base/patches: patch-lib_uri_rfc2396__parser.rb
      patch-lib_uri_rfc3986__parser.rb patch-lib_uri_version.rb

  Log Message:
  lang/ruby30-base: update bundled gem uri to 0.10.3

  Fix CVE-2023-36617: ReDoS vulnerability in URI.

  Bump PKGREVISION.

(bsiegert)

Fix changes

I should read before I commit.

(bsiegert)

#6767 and #6773

(bsiegert)

Pullup ticket #6773 - requested by gdt
textproc/py-rapidfuzz: i386 build fix

Revisions pulled up:
- textproc/py-rapidfuzz/Makefile                                1.12

---
  Module Name: pkgsrc
  Committed By: gdt
  Date: Mon Jul  3 13:54:32 UTC 2023

  Modified Files:
  pkgsrc/textproc/py-rapidfuzz: Makefile

  Log Message:
  textprox/py-rapidfuzz: Exclude i386 from avx2 PLIST conditional

  This package had untested code to expect three files that are
  avx2-only when building on i386, but those files don't actually get
  built.  This is almost certainly because not all i486-and-up CPUs have
  avx2 instructions.

  Resolves failure to package on NetBSD 9 i386 using
    cpu0: "Intel(R) Core(TM)2 Duo CPU    T8100  @ 2.10GHz"

(bsiegert)

Pullup ticket #6767 - requested by taca
www/ruby-rails70: security fix

Revisions pulled up:
- databases/ruby-activerecord70/distinfo                        1.13
- devel/ruby-activejob70/distinfo                              1.13
- devel/ruby-activemodel70/distinfo                            1.13
- devel/ruby-activestorage70/distinfo                          1.13
- devel/ruby-activesupport70/distinfo                          1.13
- devel/ruby-railties70/distinfo                                1.13
- lang/ruby/rails.mk                                            1.147
- mail/ruby-actionmailbox70/distinfo                            1.13
- mail/ruby-actionmailer70/distinfo                            1.13
- textproc/ruby-actiontext70/distinfo                          1.13
- www/ruby-actioncable70/distinfo                              1.13
- www/ruby-actionpack70/distinfo                                1.13
- www/ruby-actionview70/distinfo                                1.13
- www/ruby-rails70/distinfo                                    1.13

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Tue Jun 27 13:39:05 UTC 2023

  Modified Files:
  pkgsrc/databases/ruby-activerecord70: distinfo
  pkgsrc/devel/ruby-activejob70: distinfo
  pkgsrc/devel/ruby-activemodel70: distinfo
  pkgsrc/devel/ruby-activestorage70: distinfo
  pkgsrc/devel/ruby-activesupport70: distinfo
  pkgsrc/devel/ruby-railties70: distinfo
  pkgsrc/lang/ruby: rails.mk
  pkgsrc/mail/ruby-actionmailbox70: distinfo
  pkgsrc/mail/ruby-actionmailer70: distinfo
  pkgsrc/textproc/ruby-actiontext70: distinfo
  pkgsrc/www/ruby-actioncable70: distinfo
  pkgsrc/www/ruby-actionpack70: distinfo
  pkgsrc/www/ruby-actionview70: distinfo
  pkgsrc/www/ruby-rails70: distinfo

  Log Message:
  www/ruby-rails70

  Rails 7.0.5.1 (2023-06-26)

  Action Pack

  *  Raise an exception if illegal characters are provide to redirect_to
      [CVE-2023-28362]

      *Zack Deveau*

(bsiegert)

textproc/py-rapidfuzz: Revert commit wrongly on branch

(gdt)

textprox/py-rapidfuzz: Exclude i386 from avx2 PLIST conditional

This package had untested code to expect three files that are
avx2-only when building on i386, but those files don't actually get
built.  This is almost certainly because not all i486-and-up CPUs have
avx2 instructions.

Resolves failure to package on NetBSD 9 i386 using
  cpu0: "Intel(R) Core(TM)2 Duo CPU    T8100  @ 2.10GHz"

(gdt)

Pullup ticket #6766 - requested by taca
www/ruby-rails61: security fix

Revisions pulled up:
- databases/ruby-activerecord61/distinfo                        1.19
- devel/ruby-activejob61/distinfo                              1.19
- devel/ruby-activemodel61/distinfo                            1.19
- devel/ruby-activestorage61/distinfo                          1.19
- devel/ruby-activesupport61/distinfo                          1.19
- devel/ruby-railties61/distinfo                                1.19
- lang/ruby/rails.mk                                            1.146
- mail/ruby-actionmailbox61/distinfo                            1.19
- mail/ruby-actionmailer61/distinfo                            1.19
- textproc/ruby-actiontext61/distinfo                          1.19
- www/ruby-actioncable61/distinfo                              1.19
- www/ruby-actionpack61/distinfo                                1.19
- www/ruby-actionview61/distinfo                                1.19
- www/ruby-rails61/distinfo                                    1.19

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Tue Jun 27 13:35:19 UTC 2023

  Modified Files:
  pkgsrc/databases/ruby-activerecord61: distinfo
  pkgsrc/devel/ruby-activejob61: distinfo
  pkgsrc/devel/ruby-activemodel61: distinfo
  pkgsrc/devel/ruby-activestorage61: distinfo
  pkgsrc/devel/ruby-activesupport61: distinfo
  pkgsrc/devel/ruby-railties61: distinfo
  pkgsrc/lang/ruby: rails.mk
  pkgsrc/mail/ruby-actionmailbox61: distinfo
  pkgsrc/mail/ruby-actionmailer61: distinfo
  pkgsrc/textproc/ruby-actiontext61: distinfo
  pkgsrc/www/ruby-actioncable61: distinfo
  pkgsrc/www/ruby-actionpack61: distinfo
  pkgsrc/www/ruby-actionview61: distinfo
  pkgsrc/www/ruby-rails61: distinfo

  Log Message:
  www/rails61: update to 6.1.7.4

  Rails 6.1.7.4 (2023-06-26)

  Action Pack

  *  Raise an exception if illegal characters are provide to redirect_to
      [CVE-2023-28362]

      *Zack Deveau*

(bsiegert)

doc: add CHANGES file for 2023Q2

(wiz)