Next | Query returned 58 messages, browsing 11 to 20 | Previous

CVS Commit History:


   2019-04-14 11:23:07 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.40

Version 3.5.40 (2019-04-10)
---------------------------

### Fixed
Fix the save callback in the back end password module (see #429).

   2019-04-09 15:09:17 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.39

pkgsrc change: use SUBST_VARS.

Version 3.5.39 (2019-04-09)
---------------------------

### Fixed
Invalidate the user sessions if a password changes (see CVE-2019-10641).

   2018-12-22 12:47:33 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.38

Version 3.5.38 (2018-12-21)
---------------------------

### Fixed
Correctly check the permission to move child records as non-admin user.

   2018-12-15 17:42:19 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.37

Version 3.5.37 (2018-12-13)
---------------------------

### Fixed
Prevent information disclosure in the back end (see CVE-2018-20028).

   2018-09-18 17:10:58 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.36

Version 3.5.36 (2018-09-18)
---------------------------

### Fixed
Prevent arbitrary code execution through .phar files (see CVE-2018-17057).

### Fixed
Correctly reset the autologin data upon logout (#8868).

### Fixed
Remove support for deprecated user password hashes (see #8889).

   2018-04-23 16:00:18 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
www/contao35: update to 3.5.35

Version 3.5.35 (2018-04-18)
---------------------------

### Fixed
Fix an XSS vulnerability in the system log (see CVE-2018-10125).

CVE-2018-10125

With a manipulated request, an attacker can implant a script which is executed
when a logged in back end user opens the system log.  The attacker themselves
does not have to be logged in.

The problem affects Contao 3.0.0 to 3.5.34, 4.0.0 to 4.4.17 and 4.5.0 to
4.5.7. We highly recommend that you update.

   2018-03-06 17:25:39 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/contao35: update to 3.5.34

Version 3.5.34 (2018-03-06)
---------------------------

### Fixed
Check the registry for table prefixed queries (see contao/core-bundle#1161).

### Fixed
Improve the folder hashing performance (see #8856).

### Fixed
Reset the autologin hash if the username or password changes (see #8843).

### Fixed
Correctly encode the sitemap URLs (see #8849).

   2018-01-22 17:11:29 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/contao35: update to 3.5.33

Contao 3.5.33 is available			2018/01/22 10:08 by Leo Feyer

Contao version 3.5.33 is available.  The bugfix release restores the PHP 5.4
compatibility and fixes problems with MariaDB 10.2.4+ and MySQL 8.

PHP 5.4

Even if Contao 3.5 still supports PHP 5.4, we strongly advise against using
outdated PHP versions.  Contao 3.5 is compatible with the latest PHP versions,
therefore – if the installed extensions allow it – you should run it with PHP
7 or at least PHP 5.6.

Identifier Quoting

We have revised identifier quoting, which we had added to Contao 4.4.10, and
ported it to Contao 3, so Contao 3.5 should be compatible with MariaDB 10.2.4+
and MySQL 8 now.

   2018-01-18 17:13:31 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
www/contao35: update to 3.5.32

Contao 3.5.32 is available		2018/01/18 09:48 by Leo Feyer

Contao version 3.5.32 is available. The bugfix release fixes an XSS
vulnerability in the newsletter extension (CVE-2018-5478).

CVE-2018-5478

The vulnerability is in the "unsubscribe" module of the newsletter extension
and can easily be exploited by anyone in the front end. We therefore strongly
recommend that you update.

The problem affects Contao 2.0.0 to 3.5.31 and the Contao newsletter bundle
4.0.0 to 4.0.3.

If you are not using the newsletter extension or the "unsubscribe" module,
your installation is not affected by the vulnerability.

   2017-11-15 15:07:53 by Takahiro Kambe | Files touched by this commit (3)
Log message:
Update contaoet to 3.5.31.

Version 3.5.31 (2017-11-15)
---------------------------

### Fixed
Prevent SQL injections in the back end search panel (see CVE-2017-16558).
