Log message:
putty: fix build on Linux

Log message:
putty: Update to 0.74

Changelog:
This release fixes the following security issues:

 - In some situations an SSH server could cause PuTTY to access freed
   mdmory by pretending to accept an SSH key and then refusing the
   actual signature. It can only happen if you're using an SSH agent.

 - New configuration option to disable PuTTY's default policy of
   changing its host key algorithm preferences to prefer keys it
   already knows. (There is a theoretical information leak in this
   policy.)

Other bug fixes include:

 - Windows installer: the text in the installer UI is now visible in
   Windows high-contrast mode. (Previously it was white on white by
   mistake.)

 - Windows 7: fixed spurious OS out-of-memory error when reading
   passwords from a Windows console (e.g. psftp).

 - Terminal crash: the dreaded "line==NULL" error could happen if an
   application switched between the main and alternate screens while
   the user was looking at the scrollback.

 - Terminal crash: the terminal could fail an assertion when sending
   an empty answerback string, and when pasting text none of whose
   characters exist in the selected character set.

 - SSH: fixed endless memory-allocating loop that could be triggered
   by the combination of a misbehaving SSH agent and PuTTY's bug
   compatibility mode for padded RSA signatures.

 - File transfer: when uploading files to some SFTP servers (e.g. the
   one in proftpd's mod_sftp), PSFTP would consume up to 4GB of local
   memory before sending anything to the server.

 - Terminal behaviour: sometimes the cursor was put in the wrong place
   after restoring from the alternate screen.

 - GTK: fixed font size calculation when using newer Pango libraries
   (e.g. the one on Ubuntu 20.04).

 - GTK: scroll wheel events now work in unusual environments like VNC.

Log message:
librsvg: update bl3.mk to remove libcroco in rust case

recursive bump for the dependency change

Log message:
*: recursive bump for libffi

Log message:
Avoid using a non-literal string as format string.

Log message:
Update to 0.73

Changelog:
Vulnerabilities fixed in this release include:

 - On Windows, the listening sockets used for local port forwarding
   were opened in a mode that did not prevent other processes from
   also listening on the same ports and stealing some of the incoming
   connections.

 - In the PuTTY terminal, bracketed paste mode was broken in 0.72, in
   a way that made the pasted data look like manual keyboard input. So
   any application relying on the bracketing sequences to protect
   against malicious clipboard contents would have been misled.

 - An SSH-1 server could trigger an access to freed memory by sending
   the SSH1_MSG_DISCONNECT message. Not known to be exploitable.

Other bug fixes include:

 - Windows Plink no longer crashes on startup when it tries to tell
   you it's reusing an existing SSH connection.

 - Windows PuTTY now updates its terminal window size correctly if the
   screen resolution changes while it's maximised.

 - If you display the coloured error messages from gcc in the PuTTY
   terminal, there is no longer a missing character if a colour change
   happens exactly at the end of a line.

 - If you use the 'Clear Scrollback' menu option or escape sequence
   while text in the scrollback is selected, it no longer causes an
   assertion failure.

Log message:
Update to 0.72

Changelog:
This is a SECURITY UPDATE, fixing vulnerabilities in the obsolete SSH-1
protocol. It also includes many bug fixes over 0.71. We recommend that
everybody update.

Vulnerabilities fixed in this release include:

 - A malicious SSH-1 server could trigger a buffer overrun by sending
   extremely short RSA keys, or certain bad packet length fields.
   Either of these could happen before host key verification, so even
   if you trust the server you *intended* to connect to, you would
   still be at risk.

   (However, the SSH-1 protocol is obsolete, and recent versions of
   PuTTY do not try it by default, so you are only at risk if you work
   with old servers and have explicitly configured SSH-1.)

 - If a malicious process found a way to impersonate Pageant, then it
   could cause an integer overflow in any of the SSH client tools
   (PuTTY, Plink, PSCP, PSFTP) which accessed the malicious Pageant.

Other security-related bug fixes include:

 - The 'trust sigil' system introduced in PuTTY 0.71 to protect
   against server spoofing attacks had multiple bugs. Trust sigils
   were not turned off after login in the SSH-1 and Rlogin protocols,
   and not turned back on if you used the Restart Session command.
   Both are now fixed.

Other bug fixes include:

 - Kerberos key exchange could crash at the start of an SSH session
   in the presence of a third-party Windows provider such as
   MIT Kerberos for Windows, and could also crash if the server sent
   an ordinary SSH host key as part of the Kerberos exchange.

 - In SSH-2 keyboard-interactive authentication, one of the message
   fields sent by the server (namely the 'instructions' message) was
   accidentally never displayed to the user.

 - When using SSH-2 connection sharing, pasting text into a downstream
   PuTTY window that included a line longer than 16Kb could cause that
   window's connection to be closed.

 - When using PSCP in old-fashioned SCP mode, downloading files
   specified by a wildcard could cause a newline character to be
   appended to the downloaded file names. Also, using the -p option to
   preserve file times failed with a spurious error message.

 - On Windows, the numeric keypad key that should generate '.' or ','
   depending on keyboard layout was always generating '.'.

 - RSA keys generated by PuTTYgen could be 1 bit shorter than
   requested. (Harmless, but a regression in 0.71 compared to 0.70.)

Log message:
*: recursive bump for gdk-pixbuf2-2.38.1

Log message:
Update to 0.71

Changelog:
 These features were new in 0.70 (released 2017-07-08):

    Security fix: the Windows PuTTY binaries should no longer be
    vulnerable to hijacking by specially named DLLs in the same
    directory, even a name we missed when we thought we'd fixed
    this in 0.69. See vuln-indirect-dll-hijack-3.

    Windows PuTTY should be able to print again, after our DLL
    hijacking defences broke that functionality.

    Windows PuTTY should be able to accept keyboard input outside
    the current code page, after our DLL hijacking defences broke
    that too.

 These features are new in 0.71 (released 2019-03-16):

    Security fixes found by an EU-funded bug bounty programme:

	a remotely triggerable memory overwrite in RSA key exchange,
	which can occur before host key verification

	potential recycling of random numbers used in cryptography

	on Windows, hijacking by a malicious help file in the same
	directory as the executable

	on Unix, remotely triggerable buffer overflow in any kind
	of server-to-client forwarding

	multiple denial-of-service attacks that can be triggered
	by writing to the terminal

    Other security enhancements: major rewrite of the crypto code
    to remove cache and timing side channels.

    User interface changes to protect against fake authentication
    prompts from a malicious server.

    We now provide pre-built binaries for Windows on Arm.

    Hardware-accelerated versions of the most common cryptographic
    primitives: AES, SHA-256, SHA-1.

    GTK PuTTY now supports non-X11 displays (e.g. Wayland) and
    high-DPI configurations.

    Type-ahead now works as soon as a PuTTY window is opened:
    keystrokes typed before authentication has finished will be
    buffered instead of being dropped.

    Support for GSSAPI key exchange: an alternative to the older
    GSSAPI authentication system which can keep your forwarded
    Kerberos credentials updated during a long session.

    More choices of user interface for clipboard handling.

    New terminal features: support the REP escape sequence (fixing
    an ncurses screen redraw failure), true colour, and SGR 2 dim
    text.

    Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you
    straight to the top or bottom of the terminal scrollback.

Log message:
Revbump after cairo 1.16.0 update.