./security/xml-security-c, XML Digital Signature specification implementation



Branch: CURRENT, Version: 3.0.0nb1, Package name: xml-security-c-3.0.0nb1, Maintainer: pkgsrc-users

XML Security is a C++ implementation of the W3C digital signature
specification that makes it possible for programmers to create and
validate signed XML documents.


Required to run:
[textproc/xerces-c] [security/openssl]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 711.703 KB



CVS history:


   2025-04-21 23:10:48 by Konrad Schroder | Files touched by this commit (12) | Package updated
Log message:
Upgrade the Shibboleth SP software to version 3.5.0[.1], to address the recent
critical security issue in the OpenSAML library.  The Shibboleth release notes,
edited to remove references to specific package systems, are as follows:

========================================================================
3.5.0.1 (March 13, 2025)

This is a service release to deliver the OpenSAML 3.3.1 library update, which
addresses a critical vulnerability in the SP software.
[ https://shibboleth.net/community/advisories/secadv_20250313.txt ]

3.5.0 (October 16, 2024)

This is a small update to address a few bugs, update a number of libraries, and
implement a correction to the default signing algorithm used when issuing signed
requests via the SAML POST binding. This was inadvertently still defaulting to
RSA-SHA1 and should have been using RSA-SHA256. There is the unlikely
possibility of this causing interoperability issues with badly out of date
Identity Providers, so is another reason for releasing it as a minor update.
Those impacted are free to override the signing algorithm as documented.

This release is accompanied by an update to Xerces-C V3.3.0, OpenSAML V3.3.0,
and a new fork of the now-retired Santuario XML-Security library which has been
maintained by the project for many years and is now a local fork of that code
with large portions removed, released as V3.0.0.

3.4.1 (January 10, 2023)

This is a small patch to address a few bugs, in particular:

Reinforcing the xmltooling library (V3.2.3, included in this Windows release) to
block an unnecessary XML Encryption construct, related to the advisory issued
for the IdP recently. The SP is not believed to be vulnerable, but this is a
defensive measure.

A warning has been added to the log when systems do not configure an explicit
value for the redirectLimit setting. The default for this setting remains
liberal for compatibility, so the warning was requested to highlight that fact.

3.4.0 (November 3, 2022)

This is a minor update containing a new setting suggested by a contributor (thus
the unplanned minor version change) controlling retries when TCP connections to
shibd are used. The other changes are minimal in nature.

3.3.0 (November 30, 2021)

This is a minor update that contains a small number of fixes, one small feature
addition, and a number of additional deprecation warnings for at risk features.
This version also introduces changes to the supported platforms and to the
packaging process.

This is expected to be the final feature update to the SP in its current form
with the project's focus shifting to radical redesign.

Deprecations

Deprecations are now handled with a common "Shibboleth.DEPRECATION"
logging category for easier identification.

While deprecating a feature does not guarantee it will be removed and not
deprecating something does not guarantee its continued support, we have tried to
identify the most likely features that are at risk during the redesign process
that will occur before a V4 is available.

3.2.3 (July 6, 2021)

This is a patch update that fixes a regression in the RequestMap implementation
introduced in V3.2.0. Earlier versions are not impacted by this bug but are of
course subject to critical vulnerabilities so this is now the only safe version
to use.

3.2.2 (April 25, 2021)

This is a patch update that fixes a couple of bugs and addresses the security
vulnerability described in this advisory.
[ https://shibboleth.net/community/advisories/secadv_20210426.txt ]

3.2.1 (March 16, 2021)

This is a patch update that fixes a couple of bugs and addresses the security
vulnerability described in this advisory.
[ https://shibboleth.net/community/advisories/secadv_20210317.txt ]

3.2.0 (December 14, 2020)

This is a minor update that includes some minimal new functionality and
addresses some bugs.

Changes to Defaults

The shipped default for the handlerSSL and cookieProps settings (see Sessions)
is now to assume use of TLS because of the problems combining use of insecure
cookies with SameSite. Upgrades are not impacted by this change, but all
deployments will encounter problems going forward without TLS due to browser
changes.

A few configuration settings have been renamed as part of the project's broader
push to eliminate insensitive language from the code and some new deprecation
warnings may be observed.
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2297)
Log message:
*: bump for openssl 3
   2023-07-13 19:54:17 by Masatake Daimon | Files touched by this commit (2)
Log message:
security/xml-security-c: Update to 2.0.4

--
October 2021

Version 2.0.3 of the Apache XML Security for C++ library has been
released. This release adds support for OpenSSL 3.0.0, though using a
number of now-deprecated function calls.

--
November 2021

Version 2.0.4 of the Apache XML Security for C++ library has been
released. This release fixes a regression in 2.0.3 allowing the code to
build on pre-1.1 OpenSSL versions.
   2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605)
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
   2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
   2020-01-19 00:36:14 by Roland Illig | Files touched by this commit (3046)
Log message:
all: migrate several HOMEPAGEs to https

pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2018-12-29 20:03:39 by Thomas Klausner | Files touched by this commit (2)
Log message:
xml-security: remove patches that are not in distinfo