Don't let CDPATH affect the build.

Fix build on darwin20 and macOS arm64, via MacPorts. For other
platforms, NFCI.

Probably make cvm-checkpassword actually work as an alternative
checkpassword. Bump PKGREVISION.

Update to 1.0.0. From the changelog:

## Verify(text) ensures a newline at end of files

### BREAKING CHANGE

Since most tools will ensure a newline at the end of a file, approval
test is now adding this to allow copying approval results in diff tools
to work correctly. Please note that this will break all you previous
approvals that do not end with a newline!

This will show by your diff tool opening with two files that look
identical, but one actually has a newline at the end.

### Upgrade Path

We suggest you use ReporterByCopyMoveCommandForEverythingToClipboard()
as your Default Reporter to re-approve all your files.

## Namer handles multiple nested methods in a unit test

Previously if you had nested methods in your unit test, the names would
incorrectly identify the help method rather than the test method. This
is now fixed.

Update to 6.0.8. From the changelog:

* Fix the name and link to the chardet module in the documentation. (#280)

doc: Updated devel/py-approvaltests to 1.0.0

doc: Updated security/cvm to 0.97nb3

doc: Updated textproc/py-feedparser to 6.0.8

macFUSE headers have been in /usr/local/include/fuse for a while. Add
that to BUILDLINK_PASSTHRU_DIRS.

Check a little harder for stat64. Fixes the build on my M1 with
Big Sur 11.4.

Update to 6.0.7. From the changelog:

* Catch ``urllib.error.URLError`` to prevent crashes. (#239)

Updating during the freeze for the bugfix.

doc: Updated textproc/py-feedparser to 6.0.7

Update to 6.0.6. From the changelog:

* Prevent an AttributeError that occurs when a server returns HTTP 3xx
  but doesn't include a Location header as well. (#267)
* Prevent a TypeError crash that may occur when including a username and
  password in the feed URL. (#276)
* Prevent a UnicodeDecodeError crash that may occur when the title
  element's type attribute exists but is empty. (#277)
* Prevent a UnicodeEncodeError crash that may occur if the URL contains
  Unicode characters in the path. (#273)
* Fix an issue with the HTTP request status on Python >= 3.9.

Updating during the freeze for the bugfixes.

doc: Updated textproc/py-feedparser to 6.0.6

Add patch, missed in previous.

Rename VERSION to VERSION.txt so that it does not collide with the C++
version header on case-insensitive filesystems (via MacPorts). No change
intended to installed package.

Extend REPLACE_BASH to get cover.bash substed. Bump PKGREVISION.

doc: Updated lang/go-bin to 1.16.beta1nb3

Add and enable ruby-approvaltests.

Initial import of ruby-approvaltests, an assertion/verification library
to aid testing.

This is the Ruby port of ApprovalTests.

You can use ApprovalTests to verify objects that require more than a
simple assert including long strings, large arrays, and complex hash
structures and objects. ApprovalTests really shines when you need a more
granular look at the test failure. Sometimes, trying to find a small
difference in a long string printed to STDOUT is just too hard!
ApprovalTests solves this problem by providing reporters which let you
view the test results in one of many popular diff utilities.

doc: Added devel/ruby-approvaltests version 0.0.25

Update to 4.5.1. From the changelog:

- documentation-only update.
- add note to README about build problem with Tru64, with workaround.
  Thanks: Víctor Ostorga.

doc: Updated sysutils/memtester to 4.5.1

Update HOMEPAGE, and take MAINTAINER.

ExtUtils-MakeMaker-7.48 rejects invalid MIN_PERL_VERSION values.
Apply patch from <https://rt.cpan.org/Public/Bug/Display.html?id=133491>.

Update to 0.8.0. From the changelog:

- You can now set the approval file extensions via options:
  Options().for_file.with_extension(".md")

doc: Updated devel/py-approvaltests to 0.8.0

Update to 20210401. From the changelog:

- fix IPv6 split masklen
- vpnc-script-win: tidy up, more logging
- vpnc-script-win: make VPN addresses/gateways "non-persistent", and
  delete them on disconnect
- vpnc-script-win: delete DNS and WINS servers before adding them
- vpnc-script-win: dump stdout and stderr when a command fails
- vpnc-script-win: use TUNIDX in all netsh commands, remove
  waitForInterface()
- vpnc-script-win: add FIXMEs regard IPv6 split-excludes and gateways
- vpnc-script-win: add legacy IP split-exclude handling
- vpnc-script-win: cleanup spacing, clarify comments
- vpnc-script-win: simplify 'internal gateway' calculation
- GNU awk regex fix
- move destroy_tun_device into do_disconnect (called only here)
- remove bits for ancient Linux 2.6.x kernels
- mention IDLE_TIMEOUT
- cleanup whitespace and clarify comments
- tweak warning message about un-routable exclude routes
- Ignore unreachable exclude routes
- Document split tunnel EXC variables
- ignore bogus non-forwardable exclude routes on disconnect too
- *BSDs: get_default_gw needs to EXCLUDE routes through tunnel for
  attempt-reconnect, but should NOT exclude them otherwise
- mark tunnel device 'down' before destroying
- Add DragonFly BSD support and improve FreeBSD support
- Use '[[:space:]]' instead of '\s' to support POSIX awk
- *BSDs: don't inadvertently pick up a bogus 0.0.0.0/32 route as a
  default route
- Fix basename invocation on *BSD shells
- fix another ifconfig syntax difference between Linux and *BSDs
- use `ip netns` instead of ocserv `listen-netns` config option for
  test configs
- match preexisting code style
- Use systemd-resolve to check if resolved is running
- FIXME add mock IPv6 configuration to get CI to work
- add a bit more logging to test scripts
- split iproute2 and *BSD-ish into separate CI runs
- CI: don't need to install ocserv and which
- numerous fixes for Linux IPv6 configuration using
  ifconfig/route/netstat
- try running tests with *BSD-ish tools (ifconfig/route/netstat) for
  additional coverage
- match code style
- Don't use /sbin/resolvconf if it just points to resolvectl.
- include calling process ID in DEFAULT_ROUTE_FILE{,_IPV6}
- with BSD 'route', save-and-restore IPv6 default routes
- simplify cases and add ifconfig_syntax_del variable
- Patch: make ipv6 in ipv4 and ipv6 in ipv6 tunnels work on (Net)BSD
- vpnc-scripts: added a sanity check of routes and resolv.conf
  generation
- preserve metric in fix_ip_get_output
- with iproute2, sort the routes to the VPN gateway by metric before
  trying to create an explicit route to the gateway via each of them
- make do_attempt_reconnect work with route/ifconfig
- add working do_attempt_reconnect
- don't try to set an explicit route to VPN gateway if localhost, and
  ignore bogus non-forwardable exclude routes
- Ignore link-local routes in set_default_route
- leave support for older systemd-resolved (v229-v238) in place
- Windows IPv6: remove hard-coded next-hop of fe80::8
- Add split DNS support for systemd-resolved
- Use resolvectl for systemd-resolved
- fix tabs/spaces in POSIX vpnc-script as well
- cleanup whitespace in vpnc-script-win.js
- specify interface when adding routes
- fix Slackware issue (netconfig is an unrelated tool, not relevant for
  resolv.conf handling)
- No need to add a separate sed invocation for `$NETMASKLEN` fixing
- iproute2 5.1+ doesn't allow prefixlen!=32 in get

Update to 3.3.3, syncing with LibreSSL. No known changes.

doc: Updated net/vpnc-script to 20210401

doc: Updated security/libretls to 3.3.3

Update to 0.5. From the changelog:

Bug fixes

- Set peer_cert_len so that application sees correct length of
  certificate chain PEM (instead of 0).
- Account for null terminator when allocating PEM string buffer.
- Pass NULL to br_x509_minimal start_chain when client didn't use SNI
  instead of the empty string to avoid relying on undocumented
  BearSSL behavior.
- Save SNI name in ctx->servername on server side so that applications
  can determine which name the client connected to.
- Fix a few error messages printing errno unintentionally.

Changes

- tls_close() no longer waits for peer's close_notify. Some servers do
  not send their own close, resulting in a hang if they do not close the
  connection.
- Merge changes from libressl 3.3.3.

Update to 0.7.0. From the changelog:

- Date scrubbers are quite basic and only work with json-fied datetimes
- Verify now converts its input to string before verifying

doc: Updated devel/py-approvaltests to 0.7.0

Update to 3.13.1. From the changelog:

* Fix crash on html-mail entries with no URL

doc: Updated mail/rss2email to 3.13.1

Apply upstream patch to catch up to highlight 4.0 API change. Bump
PKGREVISION.

doc: Updated www/ikiwiki to 3.20200202.3nb4

Note highlight and p5-highlight updates.

Reset PKGREVISION for libhighlight update.

Update to 4.1. From the changelog:

- improved handling of Custom theme attributes (#182)
- fixed wrong color code in edit-kwrite.theme
- added rng file mapping (#129)
- improved Lisp highlighting
- GUI: fixed highlighting options tab title (thanks to Craig)
- renamed `std` style name to `def`
- version and README updates
- removed `extras/web_plugins`
- added user-select default property to HTML line number style
- revised color themes
- added two more keyword styles for default themes
- added Custom theme attributes for Plain TeX, LaTeX, SVG and Pango
- enabled syntax message output with `--ls-syntax-error`
- GUI: enabled syntax error checkbox
- added Custom theme attribute
- enabled inline stylesheets with `--ls-hover`
- added Error and Hover theme properties
- enabled syntax error highlighting with `ls-semantic`
- improved LSP message handling
- added delay LSP parameter
- added LSP semantic token styles to base16 themes
- renamed `str` style name to `sng`
- CLI: enabled `--ls-semantic` option
- GUI: enabled semantic checkbox and a server capability test
- added support for the language server protocol
- added new configuration file lsp.conf
- CLI: added `ls-profile`, `--ls-workspace`,`--ls-hover`
- CLI: deprecated `--start-nested`, `--reformat=user`,
  `--reformat-option`, `--base16`, `--delim-cr`, `--plug-in-read`
- GUI: added LSP configuration tab
- added `--syntax-supported` option

doc: Updated textproc/libhighlight to 4.1

Work around build failure with libc++ >=7.0 on case-insensitive
filesystems (issue #1051). Fixes macOS build, at least on Big Sur.

Update to 1.6.0. From the changelog:

- When `mob start` fails, the timer no longer starts to run.

doc: Updated devel/mob to 1.6.0

Update to 0.6.0. From the changelog:

- You can now scrub your approval files

doc: Updated devel/py-approvaltests to 0.6.0

Move "INSTALL" to "INSTALL.txt" so the "install" targets run as expected
on macOS with case-insensitive filesystem, fixing install of cxref.1.

While here, set LICENSE, update MASTER_SITES and HOMEPAGE, and remove
unrecognized configure option "--with-cxref-cpp".

Update to 0.5.0. From the changelog:

- The reporter can now be passed into any verify call via options.

doc: Updated devel/py-approvaltests to 0.5.0

Update to 3.3.2. From the (OpenBSD 6.9 LibreSSL) changelog:

# New Features

- Support for DTLSv1.2.
- Continued rewrite of the record layer for the legacy stack.
- Numerous bugs and interoperability issues were fixed in the new
  verifier. A few bugs and incompatibilities remain, so this release
  uses the old verifier by default.
- The OpenSSL 1.1 TLSv1.3 API is not yet available.


# Portable Improvements

- Added '--enable-libtls-only' build option, which builds and
  installs a statically-linked libtls, skipping libcrypto and libssl.
  This is useful for systems that ship with OpenSSL but wish to also
  package libtls.
- Update getentropy on Windows to use Cryptography Next Generation
  (CNG). wincrypt is deprecated and no longer works with newer Windows
  environments, such as in Windows Store apps.


# API and Documentation Enhancements

- Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
- Add support for
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with TLSv1.3.
- Add DTLSv1.2 methods.
- Implement SSL_is_dtls(3) and use it internally in place of the
  SSL_IS_DTLS macro.
- Provide
  [EVP_PKEY_new_CMAC_KEY(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3).
- Add missing prototype for
  [d2i_DSAPrivateKey_fp(3)](https://man.openbsd.org/d2i_DSAPrivateKey_fp.3) to x509.h.
- Add DTLSv1.2 to [openssl(1)](https://man.openbsd.org/openssl.1)
  s_server and s_client protocol message logging.
- Provide
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Provide
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Provide various DTLSv1.2 specific functions and defines.
- Document meaning of '*' in the genrsa output.
- Updated documentation for
  SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3).
- Add documentation for
  [SSL_get_finished(3)](https://man.openbsd.org/SSL_get_finished.3).
- Document
  [EVP_PKEY_new_CMAC_key(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3).
- Document
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Document
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Update [SSL_get_version(3)](https://man.openbsd.org/SSL_get_version.3)
  manual for DTLSv.1.2 support.
- Make supported protocols and options for DHE params more prominent in
  [tls_config_set_protocols(3)](https://man.openbsd.org/tls_config_set_protocols.3).
- Various documentation improvements around TLS methods.


# Compatibility Changes

- Make [openssl(1)](https://man.openbsd.org/openssl.3) s_server ignore
  -4 and -6 for compatibility with OpenSSL.
- Set SO_REUSEADDR on the server socket in the
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp command.
- Send a host header with OCSP queries to make
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp work with some
  widely used OCSP responders.
- Add ability to [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) to
  parse a port in the specified OCSP URL.
- Implement auto chain for the TLSv1.3 server since some software
  relies on this.
- Implement key exporter for TLSv1.3.
- Align
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with OpenSSL. This takes into account that it never returned server
  ciphers, so now it will fail when called from the client side.
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
- Make
  [SSL{_CTX,}_get_{min,max}_proto_version(3)](https://man.openbsd.org/SSL_CTX_get_min_proto_version.3)
  return a version of zero if the minimum or maximum has been set to
  zero to match OpenSSL's behavior.
- Add DTLSv1.2 support to
  [openssl(1)](https://man.openbsd.org/openssl.1) s_client/s_server.


# Testing and Proactive Security

- Malformed ASN.1 in a certificate revocation list or a timestamp
  response token can lead to a NULL pointer dereference.
- Pull in fix for
  [EVP_CipherUpdate(3)](https://man.openbsd.org/EVP_CipherUpdate.3)
  overflow from OpenSSL.
- Use EXFLAG_INVALID to handle out of memory and parse errors in
  x509v3_cache_extensions().
- Refactor and clean up
  [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) and add
  regression tests.


# Internal Improvements

- Further cleanup of the DTLS record handling.
- Continue the replacement of the TLSv1.2 record layer by reimplementing
  the read side of the TLSv1.2 record handling.
- Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
- Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
- Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
  .data.rel.ro and .rodata, respectively.
- Add a const qualifier to srtp_known_profiles.
- Simplify TLS method by removing the client and server specific methods
  internally.
- Avoid casting away const in ssl_ctx_make_profiles().
- Avoid explicitly conditioning an assert on DTLS1_VERSION to make the
  assert work for newer DTLS versions.
- Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
- Add a flag to mark DTLS methods as DTLS to have an easy way to
  recognize DTLS methods that avoids inspecting the version number.
- Mark a few more internal static tables const.
- Switch finish{,_peer}_md_len from an int to a size_t.
- Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size for
  cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 was a
  historical artefact.
- Free struct members in tls13_record_layer_free() in their natural
  order for reviewability.
- Use consistent names in tls13_{client,server}_finished_{recv,send}().
- Add tls13_secret_{init,cleanup}() and use them throughout the TLSv1.3
  code base.
- Move the read MAC key into the TLSv1.2 record layer.
- Make tls12_record_layer_free() NULL safe.
- Split the record protection from the TLSv1.2 record layer.
- Clean up sequence number handling in the new TLSv1.2 record layer.
- Clean up sequence number handling in DTLS.
- Clean up dtls1_reset_seq_numbers().
- Factor out code for explicit IV length, block size and MAC length from
  tls12_record_layer_open_record_protected_cipher().
- Provide record layer overhead for DTLS.
- Provide functions to determine if TLSv1.2 record protection is
  engaged.
- Add code to handle change of cipher state in the new TLSv1.2
  record layer.
- Mop up now unused dtls1_build_sequence_numbers() function.
- Allow setting a keypair on a tls context without specifying the
  private key, and fake it internally in libtls. This removes the need
  for privsep engines like relayd to use bogus keys.
- Skip the private key check for fake private keys.
- Move the private key setup from tls_configure_ssl_keypair() to a
  helper function with proper error checking.
- Change the internal tls_configure_ssl_keypair() function to return -1
  instead of 1 on failure.
- Move sequence numbers into the new TLSv1.2 record layer.
- Move AEAD handling into the new TLSv1.2 record layer.
- Factor out legacy stack version checks.
- Correct handshake MAC/PRF for various TLSv1.2 cipher suites which were
  originally added with the default handshake MAC and PRF rather than
  the SHA256 handshake MAC and PRF.
- Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
- Use dtls1_record_retrieve_buffered_record() to load buffered
  application data.
- Enforce read ahead with DTLS.
- Remove bogus DTLS checks that disabled ECC and OCSP.
- Clean up and simplify dtls1_get_cipher().
- Group HelloVerifyRequest decoding and add missing check for
  trailing data.
- Revise HelloVerifyRequest handling for DTLSv1.2.
- Handle DTLS1_2_VERSION in various places.
- Rename the "truncated" label into "decode_err" and the "f_err" label
  into "fatal_err".
- Factor out and change some of the legacy client version code.
- Simplify version checks in the TLSv1.3 client. Ensure that the server
  announced TLSv1.3 and nothing higher and check that the legacy_version
  is set to TLSv1.2 as required by RFC 8446.
- Only use TLS versions internally rather than both TLS and DTLS
  versions since the latter are the one's complement of the human
  readable version numbers, which means that newer versions
  decrease in value.
- Identify DTLS based on the version major value.
- Move handling of cipher/hash based cipher suites into the new
  record layer.
- Add tls12_record_protection_unused() and call it from CCS functions.
- Move key/IV length checks closer to usage sites. Also add explicit
  checks against
  [EVP_CIPHER_{iv,key}_length()](https://man.openbsd.org/EVP_CIPHER_iv_length.3).
- Replace two handrolled tls12_record_protection_engaged().
- Improve internal version handling: add handshake fields for our
  minimum version, our maximum version and the TLS version negotiated
  during the handshake. Convert most of the internal code to use these
  version fields.
- Guard against future internal use of
  TLS1_get_{client,}_version() macros.
- Remove the internal ssl_downgrade_max_version() function which is no
  longer needed.
- Add support for DTLSv1.2 version handling.
- Remove no longer needed read ahead workarounds in the s_client
  and s_server.
- Split TLSv1.3 record protection from record layer.
- Move the TLSv1.3 handshake struct inside the shared handshake struct.
- Fully initialize rrec in tls12_record_layer_open_record_protected() to
  avoid confusing some static analyzers.
- Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
  does not set errno.
- Convert openssl(1) x509 to new option handling and do the usual clean
  up that goes along with it.
- Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
- Rename new_cipher to cipher to align naming with keyblock or other
  parts of the handshake data.
- Move the TLSv1.2 record number increment into the new record layer.
- Move finished and peer finished into the handshake struct.
- Remove pointless assignment in SSL_get0_alpn_selected().
- Add some error checking to openssl(1) x509.


# Bug Fixes

- Move point-on-curve check to set_affine_coordinates to avoid verifying
  ECDSA signatures with unchecked public keys.
- Fix [SSL_is_server(3)](https://man.openbsd.org/SSL_is_server.3) to
  behave as documented by re-introducing the client-specific methods.
- Avoid undefined behavior due to memcpy(NULL, NULL, 0).
- Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
- Correct the return value type from ERR_peek_error() to a long.
- Avoid use of uninitialized in ASN1_time_parse() which could happen on
  parsing UTCTime if the caller did not initialize the passed struct tm.
- Destroy the mutex in a tls_config object on tls_config_free().
- Free alert_data and phh_data in tls13_record_layer_free(). These could
  leak if [SSL_shutdown(3)](https://man.openbsd.org/SSL_shutdown.3) or
  [tls_close(3)](https://man.openbsd.org/tls_close.3) were called after
  closing the underlying socket().
- Gracefully handle root certificates being both trusted and untrusted.
- Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new verifier.
- Use the legacy verifier when building auto chains for TLS.
- Search the intermediates only after searching the root certs in the
  new verifier to avoid problems with the legacy callback.
- Bail out early after finding a single chain in the new verifier, if we
  have been called via the legacy verifier API.
- Set (invalid and likely incomplete) chain on the xsc on chain build
  failure prior to calling the callback. This is required by various
  callers, including auto chain.
- Remove direct assignment of aead_ctx to avoid a leak.
- Fail early in legacy exporter if the master secret is not available to
  avoid a segfault if it is called when the handshake is not completed.
- Only print the certificate file once on verification failure.
- Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that the
  new validator checks for EXFLAG_CRITICAL in
  x509_vfy_check_chain_extension() for all untrusted certs in the chain.
  Take into account that the root is not necessarily trusted.
- Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
- Fix two bugs in the legacy verifier that resulted from refactoring
  of [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3)
  for the new verifier: a return value was incorrectly treated as
  boolean, making it insufficient to decide whether validation should
  carry on or not.
- Fix checks for memory caps of constraints names. There are internal
  caps on the number of name constraints and other names, that the new
  name constraints code allocates per cert chain. These limits were
  checked too late, making them only partially effective.
- Fix a copy-paste error - skid was confused with an akid when checking
  for EXFLAG_INVALID. This broke OCSP validation with certain mirrors.
- Avoid a use-after-scope in tls13_cert_add().
- Avoid mangled output in BIO_debug_callback().
- Fix client initiated renegotiation by replacing use of
  s->internal-type with s->server.
- Avoid transcript initialization when sending a TLS HelloRequest,
  fixing server initiated renegotiation.
- Avoid leaking param->name in x509_verify_param_zero().
- Avoid a leak in an error path in openssl(1) x509.
- When sending an alert in TLSv1.3, only set its error code when no
  other error was set previously. Certain clients rely on specific
  SSL_R_ error codes to identify that they are dealing with a self
  signed cert.
- When switching from the TLSv1.3 stack to the legacy stack include a
  TLS record header. This is necessary if there is more than one
  handshake message in the TLS plaintext record.
- Fix resource handling on error in OCSP_request_add0_id().
- Make sure there is enough room for stashing the handshake message when
  switching to the legacy TLS stack.
- Fix a memory leak in the openssl(1) s_client.
- Unbreak DTLS retransmissions for flights that include a CCS.
- If x509_verify() fails, ensure that the error is set on both the
  x509_verify_ctx() and its store context to make some failures visible
  from SSL_get_verify_result().
- Use the X509_STORE_CTX get_issuer() callback from the new X.509
  verifier to fix hashed certificate directories.
- Only check
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) on
  read and
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) on
  write. Previously,
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) was
  also checked after read and
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) after
  write which could cause stalls in software that uses the same BIO for
  read and write.
- In [openssl(1)](https://man.openbsd.org/openssl.1) verify, also check
  for error on the store context since the return value of
  [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3) is
  unreliable in presence of a callback that returns 1 too often.
- Handle additional certificate error cases in the new X.509 verifier.
  Keep track of the errors encountered if a verify callback tells the
  verifier to continue and report them back via the error on the store
  context. This mimics the behavior of the old verifier that would
  persist the first error encountered while building the chain.
- Report specific failures for "self signed certificates" in a way
  compatible with the old verifier since software relies on the
  error code.
- Plug a large memory leak in the new verifier caused by calling
  X509_policy_check(3) repeatedly.
- Avoid leaking memory in x509_verify_chain_dup().

doc: Updated security/libretls to 3.3.2

Update to 6.9. From the changelog:

- This is oksh-6.9, matching ksh(1) from OpenBSD 6.9 with portability
  additions.

From the OpenBSD 6.9 changelog:

- Fixed ksh(1) redrawing of a multiline PS1 prompt in vi mode and added
  support for ^R (redraw) in insert mode.

doc: Updated shells/oksh to 6.9

Update to 2021.04.30. From the changelog:

- Compatibility with the latest skalibs.

doc: Updated sysutils/fdtools to 2021.04.30

Update to 2.21.0. From the changelog:

- Minor change in taint extraction: Check for non-whitespace in library
  path after m{ (.+) }x, remove 's' in regex to avoid issues with paths
  including embedded newlines. Up the minor number: if anyone really
  does depend on locating all-whitespace paths or ones with embedded
  newlines warn me.

doc: Updated devel/p5-FindBin-libs to 2.21.0

Bump PKGREVISION for skalibs update.

Note fdtools PKGREVISION bump.

Update to 2.10.0.3. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.10.0.3. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

- Bugfixes.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.2.3.2. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Update to 2.3.5.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.4.1.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.8.0.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

doc: Updated devel/skalibs to 2.10.0.3

doc: Updated lang/execline to 2.8.0.1

doc: Updated misc/s6-portable-utils to 2.2.3.2

doc: Updated net/s6-dns to 2.3.5.1

doc: Updated net/s6-networking to 2.4.1.1

doc: Updated sysutils/s6 to 2.10.0.3

Add another post-install dylib rpath fixup for macOS (libserde_derive).
Bump PKGREVISION.

doc: Updated lang/rust to 1.50.0nb2

Update to 1.06. From the changelog:

- Drop support for Perls prior to 5.6
- Fix bug in tests that fail could fail with parallel build
  (rt#92313, HAARG++)
- Fixed typo in documentation (rt#90009, dsteinbrunner++)
- Incidentally fixed compatability with Perls that do not have `.` in @INC
  (rt#121002)

Update to 4.0.7. From the changelog:

- Fixing comments on batch report, now compatible with PHP 7
- Try to fix recurring problems with test runs hanging when the last
  test requires a rerun due to a knownbug
- #82 trying to support Python 3.9

doc: Updated devel/texttest to 4.0.7

doc: Updated textproc/p5-File-ReadBackwards to 1.06

Update to 0.4.2. From the changelog:

- Easier to understand error messages (closes #97)

doc: Updated devel/py-approvaltests to 0.4.2

Update to 1.5.0. From the changelog:

- Less noisy output: Only show number of unpushed commits in output if
  there are more than 0.
- Add experimental command `mob squash-wip` to squash any WIP commits in
  the wip branch into a following manual commit using `git rebase
  --interactive` with `mob` as the temporary `GIT_EDITOR`.
- The order of the latest commit is now reversed, the latest one is
  shown last.
- Add experimental configuration option `MOB_WIP_BRANCH_PREFIX` to
  configure the `mob/` prefix to some other value.

doc: Updated devel/mob to 1.5.0

Update to 0.4.1. From the changelog:

- Dynamically discover where the program files directory is
  (only for Beyond compare reporter at the moment)

doc: Updated devel/py-approvaltests to 0.4.1

Update to 0.4.0. From the changelog:

- ReportWithBeyondCompare
- Added new functionality to construct new reporters

doc: Updated devel/py-approvaltests to 0.4.0

Update to 0.12.2. From the changelog:

- fehQlibs-17 changes included regarding socket interface.
- Synced with ucspi-tcp6-1.12.3 providing MAXCONIP capabilities.
- Successful integration tests for OpenSSL 3.0.0-alpha13 and
  LibreSSL 3.3.1.
- Fixed sslserver's binding to IPv4/IPv6 addresses; code aligned with
  tcpserver.

Update to 1.12.3. From the changelog:

- Removed dependency on global variable 'ipv4socket' thus requiring
  fehQlibs-17.
- Added completely re-written iplimit patch to tcpserver.

Update to 17. From the changelog:

- Removed dependency on ipv4socket entirely.
- Reworked socket interface + doc. Removed obsolete dns_sortip() function.
- genalloc.h is now separate. Installation of man pages described.

pkgsrc changes:

- Stop prefixing 0.9., follow upstream versioning

doc: Updated net/fehqlibs to 17

doc: Updated net/ucspi-ssl to 0.999.12.2

doc: Updated net/ucspi-tcp6 to 1.12.3

Update to 3.13. From the changelog:

* Drop support for Python 3.5, add support for Python 3.9
* Switch to feedparser 6
* Switch to poetry instead of requirements.txt
* Make the `verbose` flag in the config file actually have an impact,
  and have it default to `info`
* Improve log messages
* Remove documentation of `smtp-ssl-protocol` as this option was
  dropped in 2016
* Stop forging SMTP and sendmail envelope sender (#134)
* Add sendmail_config option
* Log sendmail output
* Support multipart/alternative emails with both HTML and plain text
  parts with option `multipart-html`
* Add inline-links option, allowing links to be sent to the bottom of
  the paragraph
* Add wrap-links option, preventing links from be wrapped over
  multiple lines
* Stop looking in $XDG_DATA_DIRS for the database, and only look in
  $XDG_DATA_HOME
* Warnings about HTTP content-type being unexpected now properly display
* Make the proxy parameter also affect https connections
* Add a --clean argument on the run command to reduce the database size
* Set body element attribute dir=auto in HTML mail
* Store the lock file in XDG_RUNTIME_DIR instead of /tmp

doc: Updated mail/rss2email to 3.13

Update to 1.4.0. From the changelog:

- The list of commits included in a mob branch is now truncated to a
  maximum of 5 entries to prevent the need for scrolling up in order to
  see the latest included changes.
- Show more informative error message when `mob <cmd>` is run outside of
  a git repository.
- Add environment variable MOB_TIMER which allows setting a default
  timer duration for `mob start` and `mob timer` commands.
- Add automatic co-author attribution. Mob will collect all committers
  from a WIP branch and add them as co-authors in the final WIP commit.
- added support for preventing `mob start` if there are unpushed commits
- better output if one passes a negative number for the timer

doc: Updated devel/mob to 1.4.0

Add missing closing double-quote.

Remove erroneously added CHANGES entry.

Remove old NSIG workaround for macOS to fix configure.

doc: Updated audio/pulseaudio to 14.2nb1

Update to 0.3.3. From the changelog:

- Reporters have better string representations
- Partial equality for some Reporters

doc: Updated devel/py-approvaltests to 0.3.3

Update to 0.79. From the changelog:

[Changed]
- Files with DOS line endings (\r\n) no longer leave \r at the
  end of the line on Unix (\n line-ending systems)
- Stop warning about mixed comments being disallowed after consulting
  the Cucumber project through their Slack channel
- Moved CI to GitHub Actions, because TravisCI minutes ran out

[Fixed]
- Fix parallel testing support in the `prove` plugin (prove '-j' support)
- Fix passing UTF-8 data from sub-process spawned by `prove` plugin
- Fix formatting UTF-8 TAP output collected during step execution

Update to 3.12.3. From the changelog:

* Make dependency on feedparser have an upper bound so that `pip install`
  works again

doc: Updated devel/p5-Test-BDD-Cucumber to 0.79

doc: Updated mail/rss2email to 3.12.3

Update to 0.3.2. From the changelog:

- Add type hints everywhere so you can remove the ignore on your
  mypy settings

doc: Updated devel/py-approvaltests to 0.3.2

Update to 3.3.1p1. From the changelog:

- build: Add OpenSSL includes to libcompat HEAD master
  Some compat sources (getentropy_linux.c for example) require OpenSSL.

doc: Updated security/libretls to 3.3.1p1

Update to 1.3.0. From the changelog:

- The default `MOB_COMMIT_MESSAGE` now includes `[ci skip]` and `[skip
  ci]` so that all the typical CI systems (including Azure DevOps) will
  skip this commit.
- Add `--squash` option to `mob done` that corresponds to `--no-squash`.
- Fixes the default text to speech command on linux and osx.
- Removed `MOB_DEBUG` environment variable (has been deprecated for
  some time).

doc: Updated devel/mob to 1.3.0

Update to 1.4.5. From the changelog:

- Fixed build issue due to initial declarations only allowed in C99 mode
  (e.g., CentOS7).
- Added 'Caddy' to the list of pre-defined log formats.
- Added command line option '--no-strict-status' to disable status validation.
- Added native support to parse JSON logs.
- Added the ability to process timestamps in milliseconds using '%*'.
- Ensure TUI/CSV/HTML reports are able to output 'uint64_t' data.
- Ensure we allow UI render if the rate at which data is being read is
  greater than '8192' req/s.
- Ensure we don't re-render Term/HTML output if no data was read/piped.
- Fixed build configure to work on NetBSD.
- Fixed issue where it would send data via socket each second when managed
  by systemd.
- Fixed issue where parser was unable to parse syslog date with padding.
- Fixed issue where some items under browsers.list were not tab separated.
- Fixed issue where the format parser was unable to properly parse logs
  delimited by a pipe.
- Fixed issue where T.X. Amount metrics were not shown when data was piped.
- Fixed issue where XFF parser could swallow an additional field.
- Fixed memory leak when using '%x' as date/time specifier.
- Replaced select(2) with poll(2) as it is more efficient and a lot faster
  than select(2).
- Updated Swedish i18n.
- Added the ability to set how often goaccess will parse data and output to
  the HTML report via '--html-refresh=<secs>'.
- Changed how TLS is parsed so the Cypher uses a separate specifier.
  It now uses '%K' for the TLS version and '%k' for the Cypher.
- Fixed issue where real-time output would double count a rotated log. This
  was due to the change of inode upon rotating the log.
- Updated man page to reflect proper way of 'tail -f' a remote access log.
- Added the ability to show 'Encryption Settings' such as 'TLSv1.2' and
  Cipher Suites on its own panel.
- Added the ability to show 'MIME Types' such as 'application/javascript' on
  its own panel.
- Ensure the HTML report defaults to widescreen if viewport is larger than
  '2560px'.
- Fixed inability to properly process multiple logs in real-time.
- Fixed issue where named PIPEs were not properly seed upon generating
  filename.
- Fixed issue where served time metrics were not shown when data was piped.
- Removed unnecessary padding from SVG charts. Improves readability on mobile.
- Added addtional browsers and bots to the main list.
- Added 'Android 11' to the list of OSs.
- Added 'macOS 11.0 Big Sur' to the list of OSs.
- Added 'average' to each panel overall metrics.
- Added '.dmg', '.xz', and '.zst' to the static list.
- Added extra check to ensure restoring from disk verifies the content of the
  log against previous runs.
- Added Russian translation (i18n).
- Added Ukrainian translation (i18n).
- Added support for HTTP status code '308'.
- Added the ability for 'get_home ()' to return NULL on error, instead of
  terminating the process. Great if using through systemd.
- Added the ability to read lowercase predefined log formats. For instance,
  '--log-format=COMBINED' or '--log-format=combined'.
- Changed how FIFOs are created and avoid using predictable filenames under
  '/tmp'.
- Changed '--ignore-referer' to use whole referrer instead of referring site.
- Ensure Cache Status can be parsed without sensitivity to case.
- Ensure restored data enforces '--keep-last' if used by truncating
  accordingly.
- Fixed a few memory leaks when restoring from disk.
- Fixed blank time distribution panel when using timestamps.
- Fixed build issue due to lack of 'mmap' on 'Win'/'Cygwin'/'MinGW'.
- Fixed crash in mouse enabled mode.
- Fixed double free on data restore.
- Fixed inability to keep processing a log when using '--keep-last'.
- Fixed inability to properly parse truncated logs.
- Fixed inability to properly count certain requests when restoring from
  disk.
- Fixed issue where it would not parse subsequent requests coming from stdin (tail).
- Fixed issue where log truncation could prevent accurate number counting.
- Fixed issue where parsed date range was not rendered with '--date-spec'.
- Fixed issue where parser would stop regardless of a valid '--num-test' value.
- Fixed issue where restoring from disk would increment 'MAX.TS'.
- Fixed possible incremental issue when log rotation occurs.
- Fixed possible XSS when getting real-time data into the HTML report.
- Fixed potential memory leak when failing to get root node.
- Fixed real-time hits count issue for certain scenarios.
- Fixed segfault in 'Docker' due to a bad allocation when generating FIFOs.
- Fixed 'Unknown' Operating Systems with 'W3C' format.
- Removed unnecessary include from parser.c so it builds in macOS.
- Updated each panel overall UI to be more streamlined.
- Updated French translation.
- Updated German translation.
- Updated Spanish translation.
- Updated sigsegv handler.

doc: Updated www/goaccess to 1.4.5

Update to 20190516. From the changelog:

Benchmarking:
- Speed tests now call cpucycles() before setting resource limits. This
  is important on platforms where cpucycles() needs to read files.

Verification:
- Support for SignExt and several more peephole optimizations, working
  towards support for simpler symbolic-execution backend. Various
  updates to work with angr8 and python3.

doc: Updated math/djbsort to 20190516

Update to 37. From the changelog:

- Fixed bug in tinydns formating NS records for IPv4 wrong
  (IPv4-mapped IPv6).
- Added TLSA/DANE support for tinydns: '_' in data. Automatic name
  synthesis.
- Included and added man pages. Added script add-tlsa.sh.

pkgsrc changes:

- Since this is derived from public-domain djbdns and no other license
  is specified, set LICENSE-public-domain

doc: Updated net/djbdnscurve6 to 37

Add manual pages from flexibeast. Bump PKGREVISION.

doc: Updated sysutils/s6 to 2.10.0.2nb1

Update to 2.10.0.2. From the changelog:

- Bugfixes.

Update to 2.10.0.2. From the changelog:

- Bugfixes.

Update to 2.4.1.0. From the changelog:

- Bugfixes.
- Handshake timeout now also works with the libtls backend.
- The SNI server name is now exported after the handshake in the
  SSL_TLS_SNI_SERVERNAME variable.

Update to 2.8.0.0. From the changelog:

- By default, if now propagates its child exit code when it exits.
- backtick now propagates failure by default; its options have slightly
  different semantics (-i becomes default, new -x introduced).

pkgsrc changes:

- Add manual pages by flexibeast.

doc: Updated devel/skalibs to 2.10.0.2

doc: Updated lang/execline to 2.8.0.0

doc: Updated net/s6-networking to 2.4.1.0

doc: Updated sysutils/s6 to 2.10.0.2

Doesn't build with Python 2.7.

Update to 0.77. From the changelog:

[Added]
- New option `--version` for `pherkin`

[Changed]
- Even more compact storage of language definitions

[Fixed]
- With `prove`, no location details are reported (as they are with
  regular Test::More tests), unless run in verbose mode which includes
  all non-failing output too (gh #176)
- Require YAML v1.15 to fix failures seen on cpantesters
- No exit status reported for tests run by the `prove` integration

doc: Updated devel/p5-Test-BDD-Cucumber to 0.77

Update to 0.76. From the changelog:

[Added]
- Mention the `--strict` option for `pherkin` in SYNOPSIS
- Added deprecation warning to 'data' accessor in
  Test::BDD::Cucumber::Model::Scenario

[Fixed]
- Warnings when processing empty feature files or files without
  a text after the `Feature:` keyword
- Feature and scenario descriptions missing space on concatenated lines
- Location of failed test in TAP output now points to the failed step,
  instead of somewhere inside `TAP::Harness`

[Changed]
- Scenarios defined by a scenario outline (`Examples:`) are now
  independent as in Cucumber; before, failure of a scenario in an
  outline would cancel all subsequent steps *and* scenarios -- now
  only steps are cancelled (skipped), but subsequent scenarios are
  run (gh #123)
- Descriptions of tests no longer contain prefixed 'In '
- Dependency YAML::Syck switched to YAML (which wraps YAML::XS or
  YAML::PP, whichever is available); YAML has 3x more dependencies
  on CPAN, increasing chances of prior availability
- Language definitions now stored as Perl instead of JSON for
  compactness and load speed

[Removed]
- Dependencies on Clone, List::MoreUtils, Number::Range

doc: Updated devel/p5-Test-BDD-Cucumber to 0.76

Add and enable p5-Statistics-Basic.

Initial import of p5-Statistics-Basic, a collection of basic statistics
modules for Perl.

doc: Added math/p5-Statistics-Basic version 1.6611

Update to 0.17.1. From the changelog:

* fix unit tests in a clean environment
* move default database path to ~/.local/share (Closes: GL#16)
* default to data directory and add a deprecation warning (Closes: GL#17)

doc: Updated mail/feed2exec to 0.17.1

Relinquish MAINTAINER.

Update to 2.20.2. From the changelog:

- Fix: Revise the 08* test to use generic regexen on non-word directory
  element separators to deal with MSW inconsistent use of them confusing
  File::Spec::catpath.
- Added die, notes in placeholder lib.pm -- only visible when the
  Makefile.PL is bypassed and Perl version check is skipped.
- Replace VERSION_FROM with VERSION in Makefile.PL to keep release info
  consistent between Perl installation versions.
- Add ./version/v5.32.1
- Strict is unnecessary in 5.32.
- Test cleanups.
- Use canonpat on subdir and lib args to avoid including
- dir's with '//' in them.

doc: Updated devel/p5-FindBin-libs to 2.20.2

Define SKALIBS_TOLERATE_TARGET_SKEW=no.

Most packages that link with skalibs fail configure if the current
platform tuple doesn't match the one skalibs was built with. In pkgsrc,
this almost certainly means the OS has been updated, and almost
certainly doesn't need to break anyone's update builds. Explicitly pass
the contents of ${PREFIX}/lib/skalibs/sysdeps/target as the --target of
those configure scripts, then make sure we don't cross-compile.

skalibs-using packages not needing this workaround can define
SKALIBS_TOLERATE_TARGET_SKEW=no.

Add manual pages. Bump PKGREVISION.

doc: Updated net/s6-networking to 2.4.0.0nb3

Update to 1.4.59. From the changelog:

Summary:

HTTP/2 enabled by default, mod_deflate zstd support, mod_ajp13
(new), bugfixes.

Future Scheduled Behavior Changes:

* graceful restart/shutdown default timeout will change from 0
  (infinite/no timeout) to 5 seconds (or some similar non-zero period)
  configure an alternative with:
  server.feature-flags += ("server.graceful-shutdown-timeout" => 5)

* mod_compress is DEPRECATED; use mod_deflate
  mod_compress has been subsumed by mod_deflate
  Note: mod_compress config options may be removed in a future release

* mod_geoip is DEPRECATED; use mod_maxminddb
  Note: mod_geoip will be removed from a future lighttpd release

* mod_authn_mysql is DEPRECATED; use mod_authn_dbi
  Note: mod_authn_mysql will be removed from a future lighttpd release

* mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
  Note: mod_mysql_vhost will be removed from a future lighttpd release

* mod_cml is DEPRECATED; use mod_magnet
  Note: mod_cml will be removed from a future lighttpd release

Changes from 1.4.58:

* [mod_webdav] hide unused funcs depending on build
* [mod_mbedtls] include mbedtls/platform_util.h
* [mod_mbedtls] use local strncmp_const()
* [mod_gnutls] use local strncmp_const()
* [mod_dirlisting] place vars closer to where used
* [autotools] autoupdate; subst deprecated/obsolete
* [autoconf] update ax_prog_cc_for_build.m4
* [core] fix crash at shutdown w/ certain config
* [tests] use ephemeral ports in tests
* [mod_wolfssl] minor updates for wolfSSL v4.6.0
* [doc] create-mime.conf.pl improve case handling
* [mod_openssl] extend ssl.openssl.ssl-conf-cmd
* [mod_extforward] config warning for module order
* [mod_extforward] fix extforward.headers defaults (fixes #3051)
* [multiple] use HTTP_HEADER_* enum before strcmp
* [multiple] replace buffer_is_equal_caseless_string
* [mod_dirlisting] quiet coverity false positive
* [doc] create-mime.conf.pl improve case handling
* [autoconf] fix LT_INIT syntax
* [doc] create-mime.conf.pl -v for warnings
* [core] fix crash in error trace if backend is down (fixes #3052)
* [doc] create-mime.conf.pl -v silent for mult vnd
* [mod_openssl] update LIBRESSL_VERSION_NUMBER check
* [multiple] fix: honor CipherString for alt TLS lib
* [mod_openssl] set Ciphersuites once API available
* [mod_dirlisting] use fdopendir(), fstatat()
* [mod_deflate] support Accept-Encoding: zstd
* [mod_deflate] use zstd streaming API
* [mod_dirlisting] hide unused variable on MacOS
* [doc] add --with-zstd to INSTALL
* [mod_access] mark mod_access_check attribute pure
* [core] add decls in connections.h
* [build] update scripts/ci-build.sh
* [core] check ifdef WOLFSSL_SHA512 for SHA512 avail
* [build] scripts/ci-build.sh --with-nettle
* [mod_openssl] update LIBRESSL_VERSION_NUMBER check
* [build] scripts/ci-build.sh w/o --with-wolfssl
* [build] scripts/ci-build.sh adjustments
* [build] fix typo in src/CMakeLists.txt
* [build] adjust mbedtls vars in src/CMakeLists.txt
* [build] scripts/ci-build.sh adjustments
* [build] adjust crypto vars in src/CMakeLists.txt
* [core] avoid multiple definition of SHA512_CTX
* [build] adjust crypto vars in src/CMakeLists.txt
* [mod_alias] modify r->physical.path in place
* [build] scripts/ci-build.sh add --with-maxminddb
* build] scripts/ci-build.sh remove --with-maxminddb
* [mod_deflate] use zstd typedefs (minor cleanup)
* [mod_deflate] compat with zstd < v1.4.0
* [multiple] fix coverity warnings
* [multiple] fix TLS config string parsing
* [mod_gnutls] fix ssl.ca_dn_file data access
* [mod_wolfssl] wipe ssl_pemfile_pkey before free()
* [mod_wolfssl] fix syntax errors
* [multiple] fix TLS config string parsing
* [mod_gnutls] fix alt code for coverity
* [core] check more carefully after SSL_WANT_WRITE
* [core] fix 100% CPU spin if traffic limit hit
* [core] skip interest in POLLRDHUP after POLLRDHUP (#3059)
* [TLS] detect expired stapling file at startup (fixes #3056)
* [multiple] avoid duplicate parsing in trigger func (#3056)
* [multiple] quiet some clang-analyzer warnings
* [core] enable HTTP/2 by default
* [mod_ajp13] AJPv13 Tomcat connector for lighttpd
* [core] const data_unset *array_get_element_klen()
* [core] tighten struct data_config and related code
* [core] fix merging large headers across mult reads (fixes #3059)
* [mod_gnutls,mod_mbedtls] recog common cipherstring
* [build] fix typo in SConstruct (fixes #3061)
* [mod_wolfssl] wolfSSL might repeat SNI_Callback()
* [TLS] fix invalid cfg warning
* [mod_openssl] fix acme-tls/1 challenge bootstrap
* [TLS] set r->uri.authority empty str upon accept()
* [mod_gnutls] fix acme-tls/1 challenge bootstrap
* [mod_nss] fix acme-tls/1 challenge bootstrap
* [mod_wolfssl] copy stapling buf for OCSP resp
* [mod_mbedtls] fix acme-tls/1 challenge bootstrap
* [mod_mbedtls] fix acme-tls/1 challenge bootstrap
* [mod_cgi] fix assert if empty X-Sendfile path (fixes #3062)
* [mod_mbedtls] restore ALPN chk after client hello
* [core] re-validate h2 CONTINUATION frame len in cq
* [mod_mbedtls] remove redundant condition check
* [core] quiet coverity warning

doc: Updated www/lighttpd to 1.4.59

Update to 0.3.1. From the changelog:

- PythonNativeReporter bug fix

doc: Updated devel/py-approvaltests to 0.3.1

Update to 1.2.0. From the changelog:

- Add environment variable `MOB_REQUIRE_COMMIT_MESSAGE` which you could
  set to true to require a commit message other than the default one.
- Fixes a bug where you could not run `mob start --branch feature-1`
  because feature-1 contained a dash.