v2.0.7

@github-actions github-actions released this 09 Jun 16:17
OFF v2.0.7 — depends/ modernization + CVE refresh

Bumps the depends/ tree's bundled libraries to their newest releases that
still build with the existing autotools recipe, closing a large security
gap on the libs that actually share the binary's attack surface (libpng,
freetype for PNG/font/QR rendering; protobuf for BIP70 payment-request
parsing).

  libpng         1.6.43  -> 1.6.58    (10 CVEs, several High)
  expat          2.1.0   -> 2.4.8     (~15 CVEs across the gap)
  freetype       2.7.1   -> 2.13.3    (incl. CVE-2020-15999, exploited in the wild)
  fontconfig     2.12.1  -> 2.12.6    (+ static, gperf header-regen patch)
  protobuf       2.6.1   -> 3.21.12   (BIP70 attack surface; CVE-2022-1941)
  dbus           1.8.6   -> 1.14.10   (libdbus auth + msg-parse fixes)
  libxcb         1.10    -> 1.17.0
  xcb_proto      1.10.0  -> 1.17.0
  libXau         1.0.8   -> 1.0.9
  xproto         7.0.26  -> 7.0.31
  native_ccache  3.1.9   -> 3.7.12
  + new util-macros package (build-time only)

Qt switched from -qt-libpng to -system-libpng so the bumped libpng is used
in the wallet's PNG/QR rendering. libxcb made static (--enable-static),
which slightly changes Linux Qt font rendering vs prior releases: the
binary now relies on fontconfig's built-in fallback list rather than the
host's /etc/fonts/fonts.conf, so the wallet renders consistently across
Linux distros instead of inheriting the system theme font.
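Because the PNG/QR path is now supposed to run on the bumped libpng, a downstream packager or auditor will want to confirm that a given wallet binary really embeds 1.6.58 rather than a stale static copy. libpng compiles its header version string ("libpng version 1.6.xx - ...") into the library, so it survives in a statically linked executable and can be read back without running it. The script below is an added example, not part of this release or the project's repository; it assumes the caller passes the binary path, takes 1.6.58 as the floor from the table above, and relies only on grep/awk so it works on a minimal build host.

```shell
#!/bin/sh
# Added example (not the project's own code): verify that a built wallet
# binary carries at least the libpng release named in the v2.0.7 notes.
# Assumption: libpng's compiled-in header string "libpng version X.Y.Z - ..."
# is present in any binary that links libpng, static or shared.

MIN_LIBPNG="1.6.58"   # floor taken from the release notes

# Print the first libpng version string embedded in FILE, or nothing.
# grep -a treats the binary as text; -o keeps only the matching fragment.
embedded_libpng_version() {
    grep -a -o 'libpng version [0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | awk '{ print $3 }'
}

# version_ge A B: return 0 if dotted version A >= B, comparing each
# numeric component in turn (so 1.6.58 > 1.6.9, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# check_libpng FILE [MIN]: print a verdict and return 0 on pass,
# 1 if the embedded libpng is older than MIN, 2 if none was found.
check_libpng() {
    file="$1"; min="${2:-$MIN_LIBPNG}"
    v=$(embedded_libpng_version "$file")
    if [ -z "$v" ]; then
        echo "$file: no libpng version string found (not linked, or stripped?)"
        return 2
    fi
    if version_ge "$v" "$min"; then
        echo "$file: libpng $v (>= $min) OK"
        return 0
    fi
    echo "$file: libpng $v is older than $min"
    return 1
}

# Usage: sh check_libpng.sh path/to/wallet-qt
if [ "$#" -gt 0 ]; then
    check_libpng "$1"
fi
```

A missing version string (return code 2) is worth treating as a failure in release CI rather than a pass: it usually means the binary was built against a Qt still using -qt-libpng, or linked a libpng too old to be recognised, which is exactly the regression this release is trying to rule out.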

No consensus, wire-format, or wallet-format change. PROTOCOL_VERSION
stays at 90003. Cluster nodes on v2.0.6 do not need to upgrade for
chain participation; this is a security refresh for new wallet installs.

PR #24 by @9019x (skifdni) — first external contributor to the
Restoration since 2018. Rebased + bumped + force-pushed by the
maintainer per maintainer_can_modify; substantive depends/ work is
all his.