tls-1.2 - TLS 1.2 client + server support for 9legacy:
ECDHE (X25519 both sides; secp256r1, secp384r1 client-side
only, constant-time Montgomery-ladder scalar multiplication
on the NIST curves), AEAD ciphers (AES-128-GCM,
ChaCha20-Poly1305), SNI, server-side ECDHE-RSA, X.509 chain
+ hostname + validity + RFC 5280 Section 4.2
(basicConstraints, keyUsage, extKeyUsage, nameConstraints)
verification on by default via /sys/lib/tls/ca.pem, RFC 5746
renegotiation_info server echo, RFC 7627
extended_master_secret, per-vhost SNI cert routing in
ip/httpd, session keys zeroized at close.
abaco-html4 - usability fixes for the 9legacy abaco(1) browser:
NOTES bug fixes (text selection, double-click), html(2) field
wiring, UTF-8 default charset, webfs cookie support,
failure-path error prefix, relative-BASE-href crash guard.
webfs-readline-overflow - fix a dormant Ibuf pointer-reset bug in
/sys/src/cmd/webfs/buf.c readline(); affects any webfs consumer driving
sustained parallel reads (observed in abaco loading modern HTTPS pages).
libregexp-listsize-bump - bump LISTSIZE 10 -> 12 in libregexp/regcomp.h to
dodge an off-by-one in rregexec's thread-list overflow detection; the
OOB byte write corrupts heap memory adjacent to the regex engine's
stack. Affects any libregexp consumer with a large enough regex.
ndb-dns-empty-noerror - fix Plan 9 ndb/dns to return NOERROR (RCODE
0) for unsupported RR types instead of the non-RFC NOTIMP
response, with SOA in authority section when authoritative.
Required by modern public CAs (CAA gate per RFC 8659) for any
Plan 9 host running authoritative DNS for its own zone.