Log message:
security/gsasl: Update to 2.2.2
Changelog:
* Noteworthy changes in release 2.2.2 (2025-03-30) [stable]
** The release tarball is now reproducible.
Builds on the following pairs of systems are tested continuously in
GitLab CI/CD to assert that the tarball is identical: Trisquel 11
against Ubuntu 22.04, PureOS 10 against Debian 11, Devuan 5 against
Debian 12, AlmaLinux 8 against RockyLinux 8, and AlmaLinux 9 against
RockyLinux 9.  There are still minor variations between non-similar
platforms, depending on the different versions of the bootstrapping
tools used.  For example, a tarball generated on a Trisquel 11
(derived from Ubuntu 22.04) system should be identical to a tarball
from a Ubuntu 22.04 system, but will not be identical to a tarball
generated on a PureOS 10 system which uses different bootstrapping
tool versions.  The release archive itself was prepared using Guix.
** We publish a minimal source-only tarball generated by 'git archive'.
This tarball only contains the files stored in version controlled
sources, and no auxiliary files.  The source-only tarball may be
reproduced with Git 2.49.0 from Guix.  If something results in the
'git archive' format changing again, the tarball can only be
reproduced using an earlier system.  The git version in AlmaLinux 8,
AlmaLinux 9, RockyLinux 8, RockyLinux 9, Devuan 5, Debian 12 and
Ubuntu 24.04 all produce the same identical 'git archive' tarball.
The git version used on Debian 11, PureOS 10, Trisquel 11 and Ubuntu
22.04 produce another identical tarball.  These two 'git archive'
outputs are not the same, due to how Git works.  The release archive
itself was prepared using Guix.
** The release tarball uses tar --format=ustar.
Some other flags are added too, to follow these recommendations:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
For reference, the GNUMakefile file from gnulib add to TAR_OPTIONS:
--owner=0 --group=0 numeric-owner --sort=name
The cfg.mk file further add:
--mode=go+u,go-w --mtime=$(abs_top_srcdir)/NEWS
The modification time of NEWS is always set to last git commit time
before release, see below AC_OUTPUT in configure.ac.
We hope that the tarball produced this way is usable on all host but
please let us know if you run into troubles like unpacking the tarball
or that some generated file is rebuilt needlessly requiring some
maintainer tool that shouldn't normally be needed.
** libgsasl: Support for macOS GSS framework.
Build using --with-gssapi-impl=framework to get native GSS-API
implementation on macOS.  Patch from Daniel Macks.
** The gsasl tool now binds the "gnulib" domain for translations.
** The gsasl.h header #include's sys/types.h instead of unistd.h for ssize_t.
** Update gnulib files and build fixes.

Log message:
*: recursive bump for default Kerberos implementation switch

Log message:
*: recursive bump for icu 77 and libxml2 2.14

Log message:
gsasl: update to 2.2.1. Changes:
* Noteworthy changes in release 2.2.1 (2024-01-02) [stable]
** Base64 encoding/decoding now rejects non-conforming data.
** SCRAM server: Add support for GSASL_SCRAM_SALTED_PASSWORD.
If the server knows GSASL_SCRAM_SALTED_PASSWORD with matching
GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values, it can avoid having to
compute the expensive PBKDF2 operation.  The SCRAM client already
supports this mode.  It is recommended for servers to store
GSASL_SCRAM_SERVERKEY and GSASL_SCRAM_STOREDKEY values in a database,
but sometimes storing GSASL_SCRAM_SALTED_PASSWORD, GSASL_SCRAM_ITER
and GSASL_SCRAM_SALT has other advantages.
** gsasl: Added --scram-salted-password=STRING for test purposes.
Based on idea from Manvendra Bhangui <mbhangui@gmail.com> in
<https://lists.gnu.org/archive/html/help-gsasl/2022-11/msg00000.html>.
** tests: Resolve spurious 'Improper format of Kerberos configuration'.
The gsasl-dovecot-gssapi.sh and gsasl-mailutils-gs2krb5-gssapi.sh
self-tests configures a local Kerberos KDC running as non-root with
configuration and database in local temporary directories.  The
kadmin.local tool will read and parse all files under the directory
pointed to by KRB5_KDC_PROFILE assuming it contain configuration
files.  We accidentally put the KDC internal database in that
directory.  Normally reading these binary files (databases with
encryption keys) is harmless, the garbage content is just ignored.
However once in a while the encryption key or database will contain a
line feed followed by the [ character, causing the configuration file
parser to look for a balancing ] character, and if this cannot be
found the tool fails.  Since this only happened once in a while it was
challenging to debug.  Thanks to Andreas Metzler for report, for more
background see
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057285> and
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017638>.
** Reasonable compiler warnings are now enabled by default.
You may disable this using --disable-gcc-warnings (old behaviour) or
turn them into fatal build errors using --enable-gcc-warnings=error to
enable -Werror.  Based on gnulib's manywarnings module, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Various minor bug fixes and improvements.
* Noteworthy changes in release 2.2.0 (2022-09-03) [stable]
** Fix build error with too old GnuTLS.
** Tests: New tests/gsasl-mailutils-tls.sh.
It performs integration checks between GNU SASL and GNU MailUtils
imapd with TLS enabled, thereby testing TLS support in the 'gsasl'
command line tool.
** Various minor bug fixes and improvements.
Mainly to pacify improved CI/CD checking.
* Noteworthy changes in release 2.1.1 (2022-08-16) [beta]
** Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh.
It perform integration checks between GNU SASL and GNU MailUtils imapd
(GSSAPI and GS2-KRB5).  They can be used externally from the GNU SASL
build environment to perform system integration tests, see
.gitlab-ci.yml for inspiration.
** Various minor bug fixes and improvements.
Fix two crashes in 'gsasl' introduced in 2.1.0.
* Noteworthy changes in release 2.1.0 (2022-08-05) [beta]
** Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266>.  Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique".
The library add new callback property GSASL_CB_TLS_EXPORTER and error
code GSASL_NO_CB_TLS_EXPORTER.  These are documented in the manual.
The 'gsasl' command-line tool set it if system GnuTLS has
GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2
released on 2021-05-29.
** SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it query for GSASL_CB_TLS_UNIQUE.  Supply
it to support TLS 1.3.  The SCRAM server will query the application
for the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.
** SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for application behaviour that trigger
the leaks.  We run valgrind --leak-check=full to catch future
regressions.
** Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.
** API and ABI modifications.
GSASL_CB_TLS_EXPORTER: Added.
GSASL_NO_CB_TLS_EXPORTER: Added.
Passes self-tests on NetBSD. jabberd2, mailutils, mpop, and msmtp still
build with this version; libinfinity has other build problems on NetBSD
and macOS (so it and gobby aren't obviously worse off with this update).

Log message:
*: recursive bump for icu 76 shlib major version bump

Log message:
*: revbump for icu downgrade

Log message:
*: recursive bump for icu 76.1 shlib bump

Log message:
revbump after icu and protobuf updates