security/gsasl,
GNU implementation of the Simple Authentication and Security Layer
Branch: CURRENT,
Version: 2.2.1,
Package name: gsasl-2.2.1,
Maintainer: pkgsrc-users

GNU SASL is an implementation of the Simple Authentication and Security Layer
framework and a few common SASL mechanisms. SASL is used by network servers
(e.g., IMAP, SMTP) to request authentication from clients, and in clients to
authenticate against servers.
GNU SASL contains a library (`libgsasl'), a command line utility (`gsasl')
to access the library from the shell, and a manual. The library includes
support for the SASL framework (with authentication functions and application
data privacy and integrity functions) and at least partial support for the
CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN,
NTLM and KERBEROS_V5 mechanisms.
Required to run: [security/gnutls] [security/heimdal] [security/libgcrypt] [security/openssl] [devel/libntlm] [devel/libidn]
Required to build: [pkgtools/cwrappers]
Filesize: 3266.413 KB
Version history:
- (2025-02-21) Updated to version: gsasl-2.2.1
- (2024-11-15) Updated to version: gsasl-2.0.1nb9
- (2024-11-01) Updated to version: gsasl-2.0.1nb8
- (2024-11-01) Updated to version: gsasl-2.0.1nb7
- (2024-05-29) Updated to version: gsasl-2.0.1nb6
- (2024-05-16) Updated to version: gsasl-2.0.1nb5
CVS history:
2025-02-21 18:26:17 by Amitai Schleier | Files touched by this commit (3)
Log message:
gsasl: update to 2.2.1. Changes:
* Noteworthy changes in release 2.2.1 (2024-01-02) [stable]
** Base64 encoding/decoding now rejects non-conforming data.
** SCRAM server: Add support for GSASL_SCRAM_SALTED_PASSWORD.
If the server knows GSASL_SCRAM_SALTED_PASSWORD with matching
GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values, it can avoid having to
compute the expensive PBKDF2 operation. The SCRAM client already
supports this mode. It is recommended for servers to store
GSASL_SCRAM_SERVERKEY and GSASL_SCRAM_STOREDKEY values in a database,
but sometimes storing GSASL_SCRAM_SALTED_PASSWORD, GSASL_SCRAM_ITER
and GSASL_SCRAM_SALT has other advantages.
** gsasl: Added --scram-salted-password=STRING for test purposes.
Based on idea from Manvendra Bhangui <mbhangui@gmail.com> in
<https://lists.gnu.org/archive/html/help-gsasl/2022-11/msg00000.html>.
** tests: Resolve spurious 'Improper format of Kerberos configuration'.
The gsasl-dovecot-gssapi.sh and gsasl-mailutils-gs2krb5-gssapi.sh
self-tests configure a local Kerberos KDC running as non-root with
configuration and database in local temporary directories. The
kadmin.local tool will read and parse all files under the directory
pointed to by KRB5_KDC_PROFILE assuming it contains configuration
files. We accidentally put the KDC internal database in that
directory. Normally reading these binary files (databases with
encryption keys) is harmless, the garbage content is just ignored.
However once in a while the encryption key or database will contain a
line feed followed by the [ character, causing the configuration file
parser to look for a balancing ] character, and if this cannot be
found the tool fails. Since this only happened once in a while it was
challenging to debug. Thanks to Andreas Metzler for the report; for more
background see
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057285> and
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017638>.
** Reasonable compiler warnings are now enabled by default.
You may disable this using --disable-gcc-warnings (old behaviour) or
turn them into fatal build errors using --enable-gcc-warnings=error to
enable -Werror. Based on gnulib's manywarnings module, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Various minor bug fixes and improvements.
* Noteworthy changes in release 2.2.0 (2022-09-03) [stable]
** Fix build error with too old GnuTLS.
** Tests: New tests/gsasl-mailutils-tls.sh.
It performs integration checks between GNU SASL and GNU MailUtils
imapd with TLS enabled, thereby testing TLS support in the 'gsasl'
command line tool.
** Various minor bug fixes and improvements.
Mainly to pacify improved CI/CD checking.
* Noteworthy changes in release 2.1.1 (2022-08-16) [beta]
** Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh.
It performs integration checks between GNU SASL and GNU MailUtils imapd
(GSSAPI and GS2-KRB5). They can be used externally from the GNU SASL
build environment to perform system integration tests, see
.gitlab-ci.yml for inspiration.
** Various minor bug fixes and improvements.
Fix two crashes in 'gsasl' introduced in 2.1.0.
* Noteworthy changes in release 2.1.0 (2022-08-05) [beta]
** Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266>. Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique".
The library adds new callback property GSASL_CB_TLS_EXPORTER and error
code GSASL_NO_CB_TLS_EXPORTER. These are documented in the manual.
The 'gsasl' command-line tool sets it if system GnuTLS has
GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2
released on 2021-05-29.
** SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it queries for GSASL_CB_TLS_UNIQUE. Supply
it to support TLS 1.3. The SCRAM server will query the application
for the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.
** SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for application behaviour that triggers
the leaks. We run valgrind --leak-check=full to catch future
regressions.
** Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.
** API and ABI modifications.
GSASL_CB_TLS_EXPORTER: Added.
GSASL_NO_CB_TLS_EXPORTER: Added.
Passes self-tests on NetBSD. jabberd2, mailutils, mpop, and msmtp still
build with this version; libinfinity has other build problems on NetBSD
and macOS (so it and gobby aren't obviously worse off with this update).

2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2429)
Log message:
*: recursive bump for icu 76 shlib major version bump

2024-11-01 13:55:19 by Thomas Klausner | Files touched by this commit (2426)
Log message:
*: revbump for icu downgrade

2024-11-01 01:54:33 by Thomas Klausner | Files touched by this commit (2427)
Log message:
*: recursive bump for icu 76.1 shlib bump

2024-05-29 18:35:19 by Adam Ciarcinski | Files touched by this commit (1929)
Log message:
revbump after icu and protobuf updates

2024-05-16 08:15:47 by Thomas Klausner | Files touched by this commit (692)
Log message:
*: recursive bump for gnutls p11-kit option
(existing installations need the bl3.mk included, but it's now only
optionally included)

2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1

2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3