2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts):
www/nghttp2/distinfo
Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
|
2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message:
www: Remove SHA1 hashes for distfiles
|
2021-10-05 20:33:49 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.2.8
Django 3.2.8 fixes two bugs in 3.2.7.
Bugfixes
Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.
|
2021-08-02 22:33:58 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.2.6
Django 3.2.6
Bugfixes
Fixed a regression in Django 3.2 that caused a crash validating "NaN" input with a forms.DecimalField when additional constraints, e.g. max_value, were specified.
Fixed a bug in Django 3.2 where a system check would crash on a model with a reverse many-to-many relation inherited from a parent class.
|
2021-07-06 07:57:43 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.2.5
Django 3.2.5 fixes a security issue with severity “high” and several bugs in 3.2.4. Also, the latest string translations from Transifex are incorporated.
CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input
Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1.
The issue is not present in the main branch as the deprecated path has been removed.
Bugfixes
Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(…, named=True) after prefetch_related().
Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable.
Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value.
Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label
|
2021-06-05 09:22:03 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.2.4
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
Bugfixes
Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page
Fixed a bug in Django 3.2 where a system check would crash on an abstract model
Prevented unnecessary initialization of unused caches following a regression in Django 3.2
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment
Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL
|
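The leading-zero ambiguity behind CVE-2021-33571 in the entry above, shown as an added example that is not part of the commit log or of Django's code: one reader takes a zero-prefixed octet as decimal, another as octal, so a validator that accepts it cannot know which host will be reached. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def read_dotted_quad(text, octal_zero_prefix):
    """Parse a.b.c.d; optionally read a zero-prefixed octet as octal,
    as inet_aton-style resolvers do. Raises ValueError on bad input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"bad octet {part!r}")
        octal = octal_zero_prefix and len(part) > 1 and part[0] == "0"
        value = int(part, 8 if octal else 10)  # "08" is invalid octal
        if value > 255:
            raise ValueError(f"octet out of range: {part!r}")
        octets.append(str(value))
    return ".".join(octets)

def strict_ipv4(text):
    """Accept only canonical dotted decimal; reject any leading zero."""
    if any(len(p) > 1 and p[0] == "0" for p in text.split(".")):
        raise ValueError("leading zero in octet is ambiguous")
    return read_dotted_quad(text, octal_zero_prefix=False)

def interpretations(text):
    """Map each reading to (address, is it loopback or private?)."""
    out = {}
    for name, octal in (("decimal", False), ("octal", True)):
        try:
            addr = ipaddress.ip_address(read_dotted_quad(text, octal))
            out[name] = (str(addr), addr.is_loopback or addr.is_private)
        except ValueError:
            out[name] = None  # this reading rejects the input outright
    return out

if __name__ == "__main__":
    for sample in ("0177.0.0.1", "010.0.0.1", "192.0.2.10"):  # constructed inputs
        try:
            verdict = "accepted as " + strict_ipv4(sample)
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(sample, interpretations(sample), verdict)
```

An allow-list or deny-list check applied to only one of the two readings gives a different answer from the component that finally connects, which is why the strict form rejects the input instead of normalising it.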
2021-05-14 20:54:38 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.2.3
Django 3.2.3 fixes several bugs in 3.2.2.
Bugfixes
Prepared for mysqlclient > 2.0.3 support.
Fixed a regression in Django 3.2 that caused the incorrect filtering of querysets combined with the | operator.
Fixed a regression in Django 3.2.1 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path.
Django 3.2.2 fixes a security issue and a bug in 3.2.1.
CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.
This issue was introduced by the bpo-43882 fix.
|
2021-05-05 09:06:30 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-django3: updated to 3.2.1
Django 3.2.1
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.
Bugfixes
Corrected detection of GDAL 3.2 on Windows.
Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field.
Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page.
Fixed a bug in Django 3.2 where a system check would crash on a reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition.
Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes.
Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined.
Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contain boolean expressions.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB.
Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format.
Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist.
Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path).
Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships.
Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates.
Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships. The admin changelist now uses Exists() instead of QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.
Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL.
Fixed a performance regression in Django 3.2 when building complex filters with subqueries. As a side-effect the private API to check django.db.sql.query.Query equality is removed.
Django 3.2.0:
Automatic AppConfig discovery simplifies configuration of pluggable applications.
Customizing the type of auto-created primary keys begins a process of migrating to BigAutoField primary key fields by default.
Functional indexes can now be created on expressions and database functions.
|
2021-03-01 13:43:26 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.1.7
Django 3.1.7 fixes a security issue and a bug in 3.1.6.
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
Bugfixes
Fixed a regression in Django 3.1 that caused RuntimeError instead of connection errors when using only the 'postgres' database
|
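The separator change behind CVE-2021-23336 in the entry above, as an added example that is not part of the commit log or of Django's code: it compares the old rule (both `&` and `;` end a parameter) with the fixed standard-library default and lists the parameters the two rules disagree on. It assumes a Python release that already carries the bpo-42967 fix; `legacy_pairs` is a constructed stand-in for the old behaviour and the query strings are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

def legacy_pairs(query):
    """Pre-fix rule: '&' and ';' both end a parameter."""
    pairs = []
    for field in re.split(r"[&;]", query):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def fixed_pairs(query):
    """Post-fix rule: the standard-library default, '&' only."""
    return parse_qsl(query, keep_blank_values=True)

def effective(pairs):
    """Collapse repeated names; the last occurrence wins."""
    return dict(pairs)

def disagreement(query):
    """Parameter names whose effective value differs between the rules.
    A non-empty result means two components applying different rules
    (for example a cache and the application) see different requests."""
    old = effective(legacy_pairs(query))
    new = effective(fixed_pairs(query))
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

if __name__ == "__main__":
    for query in ("q=shoes&sort=price", "q=shoes;sort=price"):  # constructed
        print(query, legacy_pairs(query), fixed_pairs(query), disagreement(query))
```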
2021-02-05 08:55:02 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django3: updated to 3.1.6
Django 3.1.6 fixes a security issue with severity “low” and a bug in 3.1.5.
CVE-2021-3281: Potential directory-traversal via archive.extract()
The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
Bugfixes
Fixed an admin layout issue in Django 3.1 where changelist filter controls would become squashed
|
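The class of check that CVE-2021-3281 in the entry above calls for, as an added example that is not part of the commit log and is not Django's own implementation: every archive member's resolved target must stay under the extraction root before anything is written. The helper names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import tarfile

def checked_target(dest_dir, member_name):
    """Return the path a member would be written to, or raise ValueError
    if the name is absolute or its dot segments leave dest_dir."""
    if os.path.isabs(member_name):
        raise ValueError(f"absolute path in archive: {member_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes extraction root: {member_name!r}")
    return target

def build_sample_archive():
    """Constructed tar: one ordinary member, three that point outside."""
    buf = io.BytesIO()
    names = ("app/models.py", "../outside.py", "/tmp/abs.py", "app/../../up.py")
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"# sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def extract_checked(fileobj, dest_dir):
    """Write only regular files whose target passes checked_target().
    Returns (written relative paths, rejected member names)."""
    written, rejected = [], []
    root = os.path.realpath(dest_dir)
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories, links and devices are not extracted
            try:
                target = checked_target(root, member.name)
            except ValueError:
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            written.append(os.path.relpath(target, root))
    return written, rejected
```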