
2024-05-12 13:06:33 UTC Now

2024-04-28 07:14:45 UTC pkgsrc-2024Q1

Pullup #6848bis: add the change to lang/php/phpversion.mk for PHP83_VERSION
that pullup #6848 was supposed to contain but didn't.

(spz)

2024-04-23 16:19:22 UTC pkgsrc-2024Q1

Mention pullup tickets #6851 and #6852

(bsiegert)

2024-04-23 16:18:54 UTC pkgsrc-2024Q1

Pullup ticket #6852 - requested by taca
net/bind916: blocklist handling fix (PR bin/58170)

Revisions pulled up:
- net/bind916/Makefile                                          1.70-1.72
- net/bind916/distinfo                                          1.55-1.56
- net/bind916/patches/patch-lib_ns_query.c                      1.3

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Fri Apr  5 14:01:01 UTC 2024

  Modified Files:
  pkgsrc/audio/forked-daapd: Makefile
  pkgsrc/audio/mixxx: Makefile
  pkgsrc/audio/strawberry: Makefile
  pkgsrc/audio/termusic: Makefile
  pkgsrc/biology/plinkseq: Makefile
  pkgsrc/chat/ekg: Makefile
  pkgsrc/chat/libgadu: Makefile buildlink3.mk
  pkgsrc/chat/mumble: Makefile
  pkgsrc/databases/mysql80-server: Makefile
  pkgsrc/databases/postgresql-postgis2: Makefile
  pkgsrc/devel/compizconfig-backend-gconf: Makefile buildlink3.mk
  pkgsrc/devel/libcompizconfig: Makefile buildlink3.mk
  pkgsrc/devel/protobuf: buildlink3.mk
  pkgsrc/devel/protobuf-c: Makefile buildlink3.mk
  pkgsrc/devel/py-compizconfig: Makefile buildlink3.mk
  pkgsrc/finance/bitcoin: Makefile
  pkgsrc/geography/qgis: Makefile
  pkgsrc/graphics/digikam: Makefile
  pkgsrc/graphics/opencv: Makefile buildlink3.mk
  pkgsrc/graphics/opencv-contrib-face: Makefile buildlink3.mk
  pkgsrc/graphics/py-Willow: Makefile
  pkgsrc/misc/marble: Makefile
  pkgsrc/multimedia/vlc: Makefile
  pkgsrc/net/bind916: Makefile
  pkgsrc/net/bind918: Makefile
  pkgsrc/net/frr: Makefile
  pkgsrc/net/grpc: Makefile buildlink3.mk
  pkgsrc/net/kopete: Makefile
  pkgsrc/net/mosh: Makefile
  pkgsrc/net/py-grpcio: Makefile
  pkgsrc/net/py-grpcio-tools: Makefile
  pkgsrc/net/qt6-qtgrpc: Makefile buildlink3.mk
  pkgsrc/net/ratman: Makefile
  pkgsrc/net/unbound: Makefile
  pkgsrc/sysutils/collectd-grpc: Makefile
  pkgsrc/sysutils/collectd-pinba: Makefile
  pkgsrc/sysutils/collectd-riemann: Makefile
  pkgsrc/sysutils/collectd-write_prometheus: Makefile
  pkgsrc/sysutils/riemann-client: Makefile
  pkgsrc/wm/ccsm: Makefile

  Log Message:
  *: recursive bump for protobuf 26.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Apr 18 13:39:53 UTC 2024

  Modified Files:
  pkgsrc/net/bind916: Makefile distinfo

  Log Message:
  net/bind916: update to 9.16.50

  9.16.50 (2024-04-17)

  This release marks the end of maintenance for the BIND 9.16 branch.

  6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
  [GL #4580]

  6338. [func] Optimize slabheader placement, so the infrastructure
  records are put in the beginning of the slabheader
  linked list. [GL !8675]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr 20 14:01:08 UTC 2024

  Modified Files:
  pkgsrc/net/bind916: Makefile distinfo
  pkgsrc/net/bind916/patches: patch-lib_ns_query.c

  Log Message:
  net/bind916: fix blocklist handling

  Apply change of revision 1.21 in NetBSD base which fixed PR bin/58170.

  Bump PKGREVISION.

(bsiegert)

2024-04-23 16:18:48 UTC pkgsrc-2024Q1

Pullup ticket #6851 - requested by taca
net/bind918: blocklist handling fix (PR bin/58170)

Revisions pulled up:
- net/bind918/Makefile                                          1.29-1.31
- net/bind918/distinfo                                          1.17-1.18
- net/bind918/patches/patch-lib_ns_query.c                      1.2

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Fri Apr  5 14:01:01 UTC 2024

  Modified Files:
  pkgsrc/audio/forked-daapd: Makefile
  pkgsrc/audio/mixxx: Makefile
  pkgsrc/audio/strawberry: Makefile
  pkgsrc/audio/termusic: Makefile
  pkgsrc/biology/plinkseq: Makefile
  pkgsrc/chat/ekg: Makefile
  pkgsrc/chat/libgadu: Makefile buildlink3.mk
  pkgsrc/chat/mumble: Makefile
  pkgsrc/databases/mysql80-server: Makefile
  pkgsrc/databases/postgresql-postgis2: Makefile
  pkgsrc/devel/compizconfig-backend-gconf: Makefile buildlink3.mk
  pkgsrc/devel/libcompizconfig: Makefile buildlink3.mk
  pkgsrc/devel/protobuf: buildlink3.mk
  pkgsrc/devel/protobuf-c: Makefile buildlink3.mk
  pkgsrc/devel/py-compizconfig: Makefile buildlink3.mk
  pkgsrc/finance/bitcoin: Makefile
  pkgsrc/geography/qgis: Makefile
  pkgsrc/graphics/digikam: Makefile
  pkgsrc/graphics/opencv: Makefile buildlink3.mk
  pkgsrc/graphics/opencv-contrib-face: Makefile buildlink3.mk
  pkgsrc/graphics/py-Willow: Makefile
  pkgsrc/misc/marble: Makefile
  pkgsrc/multimedia/vlc: Makefile
  pkgsrc/net/bind916: Makefile
  pkgsrc/net/bind918: Makefile
  pkgsrc/net/frr: Makefile
  pkgsrc/net/grpc: Makefile buildlink3.mk
  pkgsrc/net/kopete: Makefile
  pkgsrc/net/mosh: Makefile
  pkgsrc/net/py-grpcio: Makefile
  pkgsrc/net/py-grpcio-tools: Makefile
  pkgsrc/net/qt6-qtgrpc: Makefile buildlink3.mk
  pkgsrc/net/ratman: Makefile
  pkgsrc/net/unbound: Makefile
  pkgsrc/sysutils/collectd-grpc: Makefile
  pkgsrc/sysutils/collectd-pinba: Makefile
  pkgsrc/sysutils/collectd-riemann: Makefile
  pkgsrc/sysutils/collectd-write_prometheus: Makefile
  pkgsrc/sysutils/riemann-client: Makefile
  pkgsrc/wm/ccsm: Makefile

  Log Message:
  *: recursive bump for protobuf 26.1

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Thu Apr 18 13:37:53 UTC 2024

  Modified Files:
  pkgsrc/net/bind918: Makefile distinfo

  Log Message:
net/bind918: update to 9.18.26

  9.18.26 (2024-04-17)

  6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
  [GL #4580]

  6363. [bug] dig/mdig +ednsflags=<non-zero-value> did not re-enable
  EDNS if it had been disabled. [GL #4641]

  6361. [bug] Some invalid ISO 8601 durations were accepted
  erroneously. [GL #4624]

  6360. [bug] Don't return static-stub synthesised NS RRset.
  [GL #4608]

  6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]

  6351. [protocol] Support for the RESINFO record type has been added.
  [GL #4413]

  6346. [bug] Cleaned up several minor bugs in the RBTDB dbiterator
  implementation. [GL !8741]

  6345. [bug] Added missing dns_rdataset_disassociate calls in
  validator.c:findnsec3proofs. [GL #4571]

  6340. [test] Fix incorrectly reported errors when running tests
  with `make test` on platforms with older pytest.
  [GL #4560]

  6338. [func] Optimize slabheader placement, so the infrastructure
  records are put in the beginning of the slabheader
  linked list. [GL !8675]

  6334. [doc] Improve ARM parental-agents definition. [GL #4531]

  6333. [bug] Fix the DNS_GETDB_STALEFIRST flag, which was defined
  incorrectly in lib/ns/query.c. [GL !8683]

  6330. [doc] Update ZSK minimum lifetime documentation in ARM, also
  depends on signing delay. [GL #4510]

  6328. [func] Add workaround to enforce dynamic linker to pull
  jemalloc earlier than libc to ensure all memory
  allocations are done via jemalloc. [GL #4404]

  6326. [bug] Changes to "listen-on" statements were ignored on
  reconfiguration unless the port or interface address was
  changed, making it impossible to change a related
  listener transport type. Thanks to Thomas Amgarten.
  [GL #4518] [GL #4528]

  6325. [func] Expose the TCP client count in statistics channel.
  [GL #4425]

  6324. [bug] Fix a possible crash in 'dig +nssearch +nofail' and
  'host -C' commands when one of the name servers returns
  SERVFAIL. [GL #4508]

  6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
  the zone were not being updated to match the policy.
  This led to failures when DNSKEYs were updated as the
  TTLs mismatched. [GL #4466]

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr 20 14:02:40 UTC 2024

  Modified Files:
  pkgsrc/net/bind918: Makefile distinfo
  pkgsrc/net/bind918/patches: patch-lib_ns_query.c

  Log Message:
  net/bind918: fix blocklist handling

  Apply change of revision 1.21 in NetBSD base which fixed PR bin/58170.

  Bump PKGREVISION.

(bsiegert)

2024-04-22 18:29:25 UTC pkgsrc-2024Q1

Mention pullup tickets #6846 and #6850

(bsiegert)

2024-04-22 18:29:02 UTC pkgsrc-2024Q1

Pullup ticket #6850 - requested by gutteridge
www/firefox115: security fix
www/firefox115-l10n: dependent update

Revisions pulled up:
- www/firefox115-l10n/Makefile                                  1.7
- www/firefox115-l10n/distinfo                                  1.7
- www/firefox115/Makefile                                      1.20
- www/firefox115/distinfo                                      1.7

---
  Module Name:    pkgsrc
  Committed By:  gutteridge
  Date:          Wed Apr 17 13:42:45 UTC 2024

  Modified Files:
            pkgsrc/www/firefox115: Makefile distinfo

  Log Message:
  firefox115: update to 115.10.0

  * Fixes for mfsa2024-19, also known as:
        CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-2609,
        CVE-2024-3859, CVE-2024-3861, CVE-2024-3302, CVE-2024-3864.

---
  Module Name:    pkgsrc
  Committed By:  gutteridge
  Date:          Wed Apr 17 13:46:55 UTC 2024

  Modified Files:
            pkgsrc/www/firefox115-l10n: Makefile distinfo

  Log Message:
  firefox115-l10n: update to 115.10.0

(bsiegert)

2024-04-22 18:28:54 UTC pkgsrc-2024Q1

Pullup ticket #6846 - requested by bouyer
net/mirror: build fix

Revisions pulled up:
- net/mirror/Makefile                                          1.47
- net/mirror/distinfo                                          1.10-1.11
- net/mirror/patches/patch-ac                                  1.6
- net/mirror/patches/patch-ad                                  1.6
- net/mirror/patches/patch-ae                                  1.8-1.9
- net/mirror/patches/patch-ag                                  1.3
- net/mirror/patches/patch-lsparse.pl                          1.1

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Thu Apr 11 10:23:44 UTC 2024

  Modified Files:
  pkgsrc/net/mirror: Makefile distinfo
  pkgsrc/net/mirror/patches: patch-ac patch-ad patch-ae patch-ag
  Added Files:
  pkgsrc/net/mirror/patches: patch-lsparse.pl

  Log Message:
  Fix warning:
  Old package separator "'" deprecated at ...
  Bump PKGREVISION

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Thu Apr 11 17:11:01 UTC 2024

  Modified Files:
  pkgsrc/net/mirror: distinfo
  pkgsrc/net/mirror/patches: patch-ae

  Log Message:
  Remove $Id: from patch-ae, so that CVS doesn't change it
  Regen distinfo

(bsiegert)

2024-04-22 16:26:11 UTC pkgsrc-2024Q1

2024-04-22 12:56:31 UTC pkgsrc-2024Q1

Pullup ticket #6849 - requested by taca
lang/php81: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.429
- lang/php81/distinfo                                          1.32

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr 13 02:53:35 UTC 2024

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php81: distinfo

  Log Message:
lang/php81: update to 8.1.28

  This release includes security fixes.

  11 Apr 2024, PHP 8.1.28

  - Standard:
    . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
      parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
    . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
      partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
    . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
      opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)

(bsiegert)

2024-04-22 12:49:08 UTC pkgsrc-2024Q1

Pullup ticket #6848 - requested by taca
lang/php83: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.428
- lang/php83/distinfo                                          1.6
- lang/php83/patches/patch-configure                            1.4

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr 13 02:51:54 UTC 2024

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php83: distinfo
  pkgsrc/lang/php83/patches: patch-configure

  Log Message:
  lang/php83: update to 8.3.5

  This release includes security fixes.

  11 Apr 2024, PHP 8.3.5

  - Core:
    . Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when
      scanning WeakMaps). (Arnaud)
    . Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
      (nielsdos)
    . Fixed bug GH-13446 (Restore exception handler after it finishes). (ilutov)
    . Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
    . Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
      destructor). (Arnaud)

  - DOM:
    . Add some missing ZPP checks. (nielsdos)
    . Fix potential memory leak in XPath evaluation results. (nielsdos)

  - FPM:
    . Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
      (Jakub Zelenka)
    . Fix incorrect check in fpm_shm_free(). (nielsdos)

  - GD:
    . Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)

  - Gettext:
    . Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
      with category set to LC_ALL. (David Carlier)

  - MySQLnd:
    . Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
    . Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)

  - Opcache:
    . Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
      (Arnaud, Dmitry)
    . Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
      method of internal trait when opcache is loaded). (Bob)

  - Random:
    . Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
      modes). (timwolla)
    . Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
      requests when MT_RAND_PHP is used). (timwolla)

  - Session:
    . Fixed bug GH-13680 (Segfault with session_decode and compilation error).
      (nielsdos)

  - SPL:
    . Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)

  - Standard:
    . Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
    . Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
      (SakiTakamachi)
    . Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
      (divinity76)
    . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
      parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
    . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
      partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
    . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
      opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
    . Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some
      inputs). (CVE-2024-2757) (Alex Dowad)

(bsiegert)

2024-04-22 12:36:40 UTC pkgsrc-2024Q1

Pullup ticket #6847 - requested by taca
lang/php82: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.427
- lang/php82/distinfo                                          1.20
- lang/php82/patches/patch-configure                            1.18

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sat Apr 13 02:49:41 UTC 2024

  Modified Files:
  pkgsrc/lang/php: phpversion.mk
  pkgsrc/lang/php82: distinfo
  pkgsrc/lang/php82/patches: patch-configure

  Log Message:
  lang/php82: update to 8.2.18

  This release includes security fixes.

  11 Apr 2024, PHP 8.2.18

  - Core:
    . Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
      (nielsdos)
    . Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
    . Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
      destructor). (Arnaud)

  - DOM:
    . Add some missing ZPP checks. (nielsdos)
    . Fix potential memory leak in XPath evaluation results. (nielsdos)
    . Fix phpdoc for DOMDocument load methods. (VincentLanglet)

  - FPM
    . Fix incorrect check in fpm_shm_free(). (nielsdos)

  - GD:
    . Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)

  - Gettext:
    . Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
      with category set to LC_ALL. (David Carlier)

  - MySQLnd:
    . Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
    . Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)

  - Opcache:
    . Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
      (Arnaud, Dmitry)
    . Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
      method of internal trait when opcache is loaded). (Bob)

  - PDO:
    . Fix various PDORow bugs. (Girgias)

  - Random:
    . Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
      modes). (timwolla)
    . Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
      requests when MT_RAND_PHP is used). (timwolla)

  - Session:
    . Fixed bug GH-13680 (Segfault with session_decode and compilation error).
      (nielsdos)

  - Sockets:
    . Fixed bug GH-13604 (socket_getsockname returns random characters in the end
      of the socket name). (David Carlier)

  - SPL:
    . Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized
      in PHP 8.2.15). (nielsdos)
    . Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)

  - Standard:
    . Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
    . Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
      (SakiTakamachi)
    . Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
      (divinity76)
    . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
      parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
    . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
      partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
    . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
      opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)

  - XML:
    . Fixed bug GH-13517 (Multiple test failures when building with
      --with-expat). (nielsdos)

(bsiegert)

2024-04-11 15:24:36 UTC pkgsrc-2024Q1

Pullup tickets up to #6845

(bsiegert)

2024-04-11 15:10:42 UTC pkgsrc-2024Q1

Pullup ticket #6845 - requested by taca
www/php-concrete-cms: security fix

Revisions pulled up:
- www/php-concrete-cms/Makefile                                1.3
- www/php-concrete-cms/PLIST                                    1.2
- www/php-concrete-cms/distinfo                                1.3

---
  Module Name: pkgsrc
  Committed By: taca
  Date: Sun Apr  7 13:59:05 UTC 2024

  Modified Files:
  pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo

  Log Message:
  www/php-concrete-cms: update to 9.2.8

  9.2.8 (2024-04-02)

  Bug Fixes

  * Fixed bug where c5:info console command would fail when run on a Concrete
    webroot if that webroot was not yet an installed Concrete site.

  * Fixed bug where logout link in toolbar would not work when user was logged
    in as an editor who could not view the Dashboard (thanks ounziw)

  Security Updates

  * Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
    fixed it with commit 11988. Prior to the fix, a rogue administrator could
    put malicious javascript on the Concrete CMS color setting screen which
    would have been triggered by and affected users who accessed
    the color settings screen.  The Concrete CMS security team gave this
    vulnerability a CVSS v3.1 score of 2.0 with a vector of
    AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

    Thank you Rikuto Tauchi for reporting HackerOne 2433383.

  * Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
    Filter and fixed it with commit 11988 for version 9 and commit 11989 for
    version 8.  Prior to the fix, a rogue administrator could add malicious
    code in the file manager because of insufficient validation of
    administrator provided data.  All administrators have access to the File
    Manager and hence could create a search filter with the malicious code
    attached.  The Concrete CMS security team gave this vulnerability a CVSS
    v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

    Thank you Guram (javakhishvili) for reporting HackerOne 949443

  * Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
    fixed it with commit 11988 for version 9 and commit 11989 for version 8.
    Prior to the fix, a rogue administrator could insert malicious code in the
    custom class field due to insufficient validation of administrator
    provided data.  Concrete CMS version 9.2.8 and 8.5.13 no longer allow any
    non alphanumeric characters in this CSS class.  The Concrete CMS security
    team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
    AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
    reporting HackerOne 918129.

  * Created and fixed [CVE-2024-3180]
    (https://nvd.nist.gov/vuln/detail/CVE-2024-3180) Prior to fix, stored XSS
    could be executed by a rogue administrator adding malicious code to the
    link-text field when creating a block of type file.  Fixed with commit
    11988 for version 9 and commit 11989 for version 8.  The Concrete CMS
    security team gave this vulnerability a CVSS v3.1 score of 3.1 with a
    vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev
    for reporting HackerOne 903356

  * Created CVE-2024-3181 Stored XSS in the Search Field.  Prior to the fix,
    stored XSS could be executed by an administrator changing a filter to
    which a rogue administrator had previously added malicious code.  The
    Concrete Team fixed this with commit 11988 for version 9 and commit 11989
    for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142

(bsiegert)

2024-04-11 15:02:00 UTC pkgsrc-2024Q1

Pullup ticket #6844 - requested by taca
editors/abiword-plugins: build fix

Revisions pulled up:
- editors/abiword-plugins/Makefile                              1.148
- editors/abiword-plugins/PLIST                                1.15

---
  Module Name: pkgsrc
  Committed By: gutteridge
  Date: Mon Apr  1 15:41:08 UTC 2024

  Modified Files:
  pkgsrc/editors/abiword-plugins: Makefile PLIST

  Log Message:
  abiword-plugins: fix builds by disabling AbiCollab component

  collab no longer builds with boost/asio in some environments, when the
  AbiCollab component is built, but that service seems defunct, anyway.

(bsiegert)

2024-04-08 18:03:27 UTC pkgsrc-2024Q1

Pullup ticket #6843 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                        1.124
- www/apache24/distinfo                                        1.62
- www/apache24/patches/patch-configure                          1.5
- www/apache24/patches/patch-modules_filters_mod__xml2enc.c    deleted

---
  Module Name: pkgsrc
  Committed By: adam
  Date: Fri Apr  5 09:31:38 UTC 2024

  Modified Files:
  pkgsrc/www/apache24: Makefile distinfo
  pkgsrc/www/apache24/patches: patch-configure
  Removed Files:
  pkgsrc/www/apache24/patches: patch-modules_filters_mod__xml2enc.c

  Log Message:
  apache24: updated to 2.4.59

  Changes with Apache 2.4.59

  *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
      memory exhaustion on endless continuation frames (cve.mitre.org)
      HTTP/2 incoming headers exceeding the limit are temporarily
      buffered in nghttp2 in order to generate an informative HTTP 413
      response. If a client does not stop sending headers, this leads
      to memory exhaustion.
      Credits: Bartek Nowotarski (https://nowotarski.info/)

  *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
      Splitting in multiple modules (cve.mitre.org)
      HTTP Response splitting in multiple modules in Apache HTTP
      Server allows an attacker that can inject malicious response
      headers into backend applications to cause an HTTP
      desynchronization attack.
      Users are recommended to upgrade to version 2.4.59, which fixes
      this issue.
      Credits: Keran Mu, Tsinghua University and Zhongguancun
      Laboratory.

  *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
      splitting (cve.mitre.org)
      Faulty input validation in the core of Apache allows malicious
      or exploitable backend/content generators to split HTTP
      responses.
      This issue affects Apache HTTP Server: through 2.4.58.
      Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) mod_deflate: Fixes and better logging for handling various
      error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
      Eric Norris <enorris etsy.com>]

  *) Add CGIScriptTimeout to mod_cgi. [Eric Covener]

  *) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
      [ttachi <tachihara AT hotmail.com>]

  *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
      [Jean-Frederic Clere]

  *) mod_ssl: Use OpenSSL-standard functions to assemble CA
      name lists for SSLCACertificatePath/SSLCADNRequestPath.
      Names will now be consistently sorted.
      [Joe Orton]

  *) mod_xml2enc: Update check to accept any text/ media type
      or any XML media type per RFC 7303, avoiding
      corruption of Microsoft OOXML formats.
      [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]

  *) mod_http2: v2.0.26 with the following fixes:
      - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
        <https://github.com/icing/mod_h2/issues/272>.
      - Fixed small memory leak in h2 header bucket free. Thanks to
        Michael Kaufmann for finding this and providing the fix.

  *) htcacheclean: In -a/-A mode, list all files per subdirectory
      rather than only one.
      [Artem Egorenkov <aegorenkov.91 gmail.com>]

  *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
      which include CA certificates; those CA certs are treated as if
      configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

  *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
      "hashing", rather than "encrypting" passwords.
      [Michele Preziuso <mpreziuso kaosdynamics.com>]

  *) mod_ssl: Fix build with LibreSSL 2.0.7+.
      [Giovanni Bechis, Yann Ylavic]

  *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
      Yann Ylavic]

  *) core: Allow mod_env to override system environment vars. [Joe Orton]

  *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
      operation which removes a directory/file between apr_dir_read() and
      apr_stat(). Current behaviour is to abort the connection which seems
      inferior to tolerating (and logging) the error. [Joe Orton]

  *) mod_ldap: HTML-escape data in the ldap-status handler.
      [Eric Covener, Chamal De Silva]

  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
      Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
      notably with OpenSSL >= 3.  [Yann Ylavic, Joe Orton]

  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
      deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
      to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
      [Yann Ylavic]

  *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]

  *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
      some dollar substitution (backreference) happens in the hostname or port
      part of the URL.  [Yann Ylavic]

  *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
      systems are cached. [Yann Ylavic]

  *) mod_proxy: Add optional third argument for ProxyRemote, which
      configures Basic authentication credentials to pass to the remote
      proxy.

(bsiegert)

2024-04-05 19:03:55 UTC pkgsrc-2024Q1

I hereby declare pull-up season to be open! :)

(bsiegert)

2024-04-05 18:52:48 UTC pkgsrc-2024Q1

Pullup ticket #6842 - requested by bouyer
sysutils/xentools415: NetBSD 10 bugfix
sysutils/xentools418: NetBSD 10 bugfix

Revisions pulled up:
- sysutils/xentools415/Makefile                                1.30
- sysutils/xentools415/distinfo                                1.15
- sysutils/xentools415/patches/patch-xen_common_libelf_libelf-loader.c 1.1
- sysutils/xentools418/Makefile                                1.5
- sysutils/xentools418/distinfo                                1.3
- sysutils/xentools418/patches/patch-xen_common_libelf_libelf-loader.c 1.1

---
  Module Name: pkgsrc
  Committed By: bouyer
  Date: Tue Apr  2 22:01:24 UTC 2024

  Modified Files:
  pkgsrc/sysutils/xentools415: Makefile distinfo
  pkgsrc/sysutils/xentools418: Makefile distinfo
  Added Files:
  pkgsrc/sysutils/xentools415/patches:
      patch-xen_common_libelf_libelf-loader.c
  pkgsrc/sysutils/xentools418/patches:
      patch-xen_common_libelf_libelf-loader.c

  Log Message:
  xentools415, xentools418: fix bug in BSD symbol table support for i386:
  When computing the size of the ELF symbol table, the code uses
  sizeof(Elf64_Shdr) or sizeof(Elf32_Shdr) depending on the kernel being
  loaded. But later when computing offsets, the code uses
  sizeof(struct elf_sym_header) which contains a union of both Shdr. This results
  in an overflow of 64 bytes. Fortunately the code checks the size being copied
  with the allocated size and silently ignores the copy if there isn't enough
  space. Fortunately as well, the allocated size is rounded up to the next page
  boundary, so most of the time there is enough space. Unfortunately, the official
  i386 GENERIC kernel from the 10.0 release has the right size to trigger
  this bug.
  Bump PKGREVISION.

(bsiegert)
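The bug class in the xentools pullup above, "size the buffer with one element size, then walk it with a larger stride and let a silent bounds check swallow the difference", is easy to reproduce in miniature. The block below is an added model written for this page, not Xen's libelf-loader.c: the two section-header layouts mirror the standard ELF32/ELF64 ones (40 and 64 bytes), but the union name, the number of headers, the 4 KiB page size, the page-rounded allocation and the "copy only if it fits" check are assumptions. Because the model counts only section headers, its per-kernel overflow is 72 bytes rather than the 64 bytes the commit message reports for the real layout; the masking effect of page rounding, and the boundary case that defeats it, are the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the size/stride mismatch described in the commit message.
 * Elf32_Shdr/Elf64_Shdr match the <elf.h> layouts; everything else is an
 * assumption made for this illustration, not Xen's code.
 */
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
             sh_link, sh_info, sh_addralign, sh_entsize;
} Elf32_Shdr;                                   /* 40 bytes */

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Elf64_Shdr;                                   /* 64 bytes */

/* Assumed: the loader keeps one union per header whatever the ELF class. */
typedef union {
    Elf32_Shdr e32;
    Elf64_Shdr e64;
} elf_shdr_union;                               /* 64 bytes, the larger member */

#define MODEL_PAGE 4096u                        /* assumed page size */

static size_t round_page(size_t n)
{
    return (n + MODEL_PAGE - 1) & ~(size_t)(MODEL_PAGE - 1);
}

/* Per-header size used when SIZING the buffer: depends on the kernel class. */
size_t shdr_size_for_class(int is64)
{
    return is64 ? sizeof(Elf64_Shdr) : sizeof(Elf32_Shdr);
}

/* Per-header stride used when WRITING: the union, i.e. always the ELF64 size. */
size_t shdr_stride_written(void)
{
    return sizeof(elf_shdr_union);
}

/* Bytes the copy loop walks beyond what the sizing step accounted for. */
size_t model_overflow(int is64, unsigned nsec)
{
    return nsec * (shdr_stride_written() - shdr_size_for_class(is64));
}

/* Buffer actually allocated: the computed size, rounded up to a page. */
size_t model_allocated(size_t symtab_bytes, unsigned nsec, int is64)
{
    return round_page(symtab_bytes + nsec * shdr_size_for_class(is64));
}

/* Space the copy really needs when walking with the union stride. */
size_t model_needed(size_t symtab_bytes, unsigned nsec)
{
    return symtab_bytes + nsec * shdr_stride_written();
}

/*
 * The "silently ignore" check: returns 1 if the symbol table is copied and
 * 0 if the bounds check drops it with no error, which is the observed failure.
 */
int model_symtab_copied(size_t symtab_bytes, unsigned nsec, int is64)
{
    return model_needed(symtab_bytes, nsec) <= model_allocated(symtab_bytes, nsec, is64);
}

int main(void)
{
    const unsigned nsec = 3;                    /* assumed header count */
    /* Constructed sizes: one that page rounding hides, and one that lands
       just below a page boundary and so loses its symbol table. */
    size_t hidden = 100, boundary = MODEL_PAGE - nsec * sizeof(Elf32_Shdr);

    printf("i386: unaccounted bytes per kernel = %zu\n", model_overflow(0, nsec));
    printf("i386 symtab %zu bytes: copied=%d\n", hidden, model_symtab_copied(hidden, nsec, 0));
    printf("i386 symtab %zu bytes: copied=%d\n", boundary, model_symtab_copied(boundary, nsec, 0));
    printf("amd64 symtab %zu bytes: copied=%d\n", boundary, model_symtab_copied(boundary, nsec, 1));
    return 0;
}
```

The fix the pullup carries is the obvious one for this pattern: compute the allocation with the same stride the copy loop uses. The model also shows why the bug escaped testing for so long: for a 64-bit kernel the two sizes coincide, and for a 32-bit kernel the page rounding hides the shortfall unless the computed size happens to sit within the shortfall of a page boundary.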

2024-04-05 16:00:16 UTC pkgsrc-2024Q1

Pullup ticket #6841 - requested by wiz
www/p5-libwww: build fix

Revisions pulled up:
- www/p5-libwww/Makefile                                        1.143

---
  Module Name: pkgsrc
  Committed By: wiz
  Date: Wed Apr  3 07:15:39 UTC 2024

  Modified Files:
  pkgsrc/www/p5-libwww: Makefile

  Log Message:
  p5-libwww: p5-Try-Tiny is a runtime dependency, make it so

  Bump PKGREVISION

(bsiegert)

2024-04-01 12:38:00 UTC pkgsrc-2024Q1

doc: add changes file for pkgsrc-2024Q1

(wiz)