| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.11
- www/mediawiki/distinfo 1.7
---
Module Name: pkgsrc
Committed By: martti
Date: Wed Apr 7 05:40:11 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.3
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
|
|
clamav: security improvements
Revisions pulled up:
- mail/clamav/Makefile 1.100-1.102
- mail/clamav/Makefile 1.99
- mail/clamav/PLIST 1.23-1.24
- mail/clamav/PLIST.milter 1.5
- mail/clamav/distinfo 1.63
- mail/clamav/options.mk 1.5
- mail/clamav/patches/patch-aa 1.20
- mail/clamav/patches/patch-ab 1.13
- mail/clamav/patches/patch-ac 1.7
- mail/clamav/patches/patch-ad 1.20
- mail/clamav/patches/patch-af 1.11
- mail/clamav/patches/patch-ag 1.4
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Mar 21 16:29:44 UTC 2010
Modified Files:
pkgsrc/mail/clamav: Makefile
Log Message:
Reset maintainer, developer lost his commit bit.
---
Module Name: pkgsrc
Committed By: asau
Date: Wed Mar 24 19:43:29 UTC 2010
Modified Files:
pkgsrc/mail/clamav: Makefile
Log Message:
Recursive revision bump for GMP update.
---
Module Name: pkgsrc
Committed By: martti
Date: Thu Apr 1 12:02:23 UTC 2010
Modified Files:
pkgsrc/mail/clamav: Makefile PLIST distinfo
pkgsrc/mail/clamav/patches: patch-aa patch-ad patch-af patch-ag
Added Files:
pkgsrc/mail/clamav/patches: patch-ab patch-ac
Log Message:
Updated mail/clamav to 0.96
This release of ClamAV introduces new malware detection mechanisms and other
significant improvements to the scan engine. The key features include:
- The Bytecode Interpreter: the interpreter built into LibClamAV allows
the signature writers to create and distribute very complex detection
routines and remotely enhance the scanner's functionality
- Heuristic improvements: improve the PE heuristics detection engine by
adding support of bogus icons and fake PE header information. In a
nutshell, ClamAV can now detect malware that tries to disguise itself
as a harmless application by using the most common Windows program icons.
- Signature Improvements: logical signature improvements to allow more
detailed matching and referencing groups of signatures. Additionally,
improvements to wildcard matching on word boundaries and newlines.
- Support for new archives: 7zip, InstallShield and CPIO. LibClamAV
can now transparently unpack and inspect their contents.
- Support for new executable file formats: 64-bit ELF files and OS X
Universal Binaries with Mach-O files. Additionally, the PE module
can now decompress and inspect executables packed with UPX 3.0.
- Support for DazukoFS in clamd
- Performance improvements: overall performance improvements and memory
optimizations for a better overall resource utilization experience.
- Native Windows Support: ClamAV will now build natively under Visual
Studio. This will allow 3rd Party application developers on Windows
to easily integrate LibClamAV into their applications.
---
Module Name: pkgsrc
Committed By: martti
Date: Fri Apr 2 19:45:24 UTC 2010
Modified Files:
pkgsrc/mail/clamav: Makefile PLIST options.mk
Added Files:
pkgsrc/mail/clamav: PLIST.milter
Log Message:
Fixed PLIST when using the milter option.
|
|
|
|
apache22: security update
Revisions pulled up:
- www/apache22/Makefile 1.56
- www/apache22/PLIST 1.16
- www/apache22/distinfo 1.30-1.31
- www/apache22/patches/patch-aq delete
- www/apache22/patches/patch-as delete
- www/apache22/patches/patch-au delete
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Mar 5 00:22:59 UTC 2010
Modified Files:
pkgsrc/www/apache22: distinfo
Removed Files:
pkgsrc/www/apache22/patches: patch-aq patch-as patch-au
Log Message:
Remove CVE-2007-3304 related patches. CVE-2007-3304 was fixed
in Apache 2.2.6 and these patches are noop.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Mar 9 02:30:15 UTC 2010
Modified Files:
pkgsrc/www/apache22: Makefile PLIST distinfo
Log Message:
Update apache22 package to 2.2.15.
For full changes information please refer:
http://www.apache.org/dist/httpd/Announcement2.2.html.
Here is security related changes from ChangeLog
(http://www.apache.org/dist/httpd/CHANGES_2.2.15).
Changes with Apache 2.2.15
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
|
|
|
|
pango: security patch
Revisions pulled up:
- devel/pango/Makefile 1.140-1.141
- devel/pango/distinfo 1.82-1.83
- devel/pango/patches/patch-ae 1.5
- devel/pango/patches/patch-am 1.1
---
Module Name: pkgsrc
Committed By: tron
Date: Sun Feb 21 23:51:26 UTC 2010
Modified Files:
pkgsrc/devel/pango: Makefile distinfo
pkgsrc/devel/pango/patches: patch-ae
Log Message:
Change very questionable C++ code slightly to avoid high CPU usage under
Mac OS X. (see https://bugzilla.gnome.org/show_bug.cgi?id=593240 for
more details). Tested with XChat and Wireshark under Mac OS 10.6.2 and
NetBSD/amd64 5.0_STABLE.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Mar 27 15:59:34 UTC 2010
Modified Files:
pkgsrc/devel/pango: Makefile distinfo
Added Files:
pkgsrc/devel/pango/patches: patch-am
Log Message:
Add a patch to fix CVE-2010-0421, DoS security fix.
Bump PKGREVISION.
|
|
|
|
openssl: security update
Revisions pulled up:
- security/openssl/Makefile 1.144-1.1.146
- security/openssl/PLIST.common 1.17
- security/openssl/distinfo 1.72-1.73
- security/openssl/patches/patch-aa 1.23
- security/openssl/patches/patch-ac 1.38
- security/openssl/patches/patch-af 1.24
- security/openssl/patches/patch-ax delete
- security/openssl/patches/patch-ay delete
- security/openssl/patches/patch-az delete
- security/openssl/patches/patch-ba delete
- security/openssl/patches/patch-bb delete
- security/openssl/patches/patch-bc 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 26 03:15:14 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
Removed Files:
pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba
patch-bb
Log Message:
Update openssl to 0.9.8m.
The OpenSSL project team is pleased to announce the release of
version 0.9.8m of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release which implements
RFC5746 to address renegotiation vulnerabilities mentioned in
CVE-2009-3555. For a complete list of changes,
please see http://www.openssl.org/source/exp/CHANGES.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Mar 1 08:15:40 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common
Log Message:
Fix broken PLIST.
(I wonder why "make print-PLIST" generated wrong result before...")
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Mar 26 00:20:49 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-bc
Log Message:
Add a patch for Fix for CVE-2010-0740, DoS problem.
http://www.openssl.org/news/secadv_20100324.txt
Bump PKGREVISION.
|
|
|
|
ejabberd: security update
Revisions pulled up:
- chat/ejabberd/Makefile 1.17-1.19
- chat/ejabberd/PLIST 1.11
- chat/ejabberd/distinfo 1.11-1.12
- chat/ejabberd/patches/patch-aa 1.6-1.7
- chat/ejabberd/patches/patch-ad 1.5
- chat/ejabberd/patches/patch-ae 1.5
---
Module Name: pkgsrc
Committed By: dmcmahill
Date: Mon Mar 8 17:30:23 UTC 2010
Modified Files:
pkgsrc/chat/ejabberd: Makefile
pkgsrc/chat/ejabberd/patches: patch-aa
Log Message:
use BSD_INSTALL_SCRIPT instead of BSD_INSTALL_DATA for a shell script
---
Module Name: pkgsrc
Committed By: spz
Date: Thu Mar 11 06:33:04 UTC 2010
Modified Files:
pkgsrc/chat/ejabberd: distinfo
Log Message:
updated patch -> distinfo needs an update too
---
odule Name: pkgsrc
Committed By: fhajny
Date: Sat Mar 13 21:05:49 UTC 2010
Modified Files:
pkgsrc/chat/ejabberd: Makefile PLIST distinfo
pkgsrc/chat/ejabberd/patches: patch-aa patch-ad patch-ae
Log Message:
Updated chat/ejabberd to 2.1.3.
Changes in ejabberd-2.1.3
Client connections
* Avoid 'invalid' value in iq record
* Avoid resending stream:error stanzas on terminate (EJAB-1180)
* Close also legacy sessions that were half connected (EJAB-1165)
* iq_query_info/1 now returns 'invalid' if XMLNS is invalid
* New ejabberd_c2s option support: max_fsm_queue
* Rewrite mnesia counter functions to use dirty_update_counter (EJAB-1177)
* Run user_receive_packet also when sending offline messages (EJAB-1193)
* Use p1_fsm behaviour in c2s FSM (EJAB-1173)
Clustering
* Fix cluster race condition in route read
* New command to set master Mnesia node
* Use mnesia:async_dirty when cleaning table from failed node
Documentation
* Add quotes in documentation of some erl arguments (EJAB-1191)
* Add option access_from (EJAB-1187)
* Add option max_fsm_queue (EJAB-1185)
* Fix documentation installation, no need for executable permission
(EJAB-1170)
* Fix typo in EJABBERD_BIN_PATH (EJAB-891)
* Fix typos in example config comments (EJAB-1192)
ejabberdctl
* Support concurrent connections with bound connection names
* Add support for Jot in ctl and TTY in debug
* Support help command names with old - characters
* Fix to really use the variable ERL_PROCESSES
Erlang compatibility
* Don't call queue:filter/2 to keep compatibility with older Erlang versions
* Use alternative of file:read_line/1 to not require R13B02
HTTP
* Add new debugging hook to the http receiving process
* Allow a request_handler to serve a file in root of HTTP
HTTP-Bind (BOSH)
* Cross-domain HTTP-Bind support (EJAB-1168)
* Hibernate http-bind process after handling a request
* Reduce verbosity of HTTP Binding log messages
LDAP
* Document ldap_dn_filter, fetch only needed attributes in search
(EJAB-1204)
* Use "%u" pattern as default for ldap_uids (EJAB-1203)
Localization
* Fix German translation (EJAB-1195)
* Fix Russian translation
ODBC
* Fix MSSQL support, which was broken (EJAB-1201)
* Improved SQL reconnect behaviour
Pubsub, PEP and Caps
* Add extended stanza addressing 'replyto' on PEP (EJAB-1198)
* Add pubsub#purge_offline (EJAB-1186)
* Fix pubsub#title option (EJAB-1190)
* Fix remove_user for node subscriptions (EJAB-1172)
* Optimizations in mod_caps
Other
* mod_register: Add new acl access_from, default is to deny
* mod_sic: new module for the experimental XEP-0279 Server IP Check
(EJAB-1205)
* PIEFXIS: Catch errors when exporting to PIEFXIS file (EJAB-1178)
* Proxy65: new option "hostname" (EJAB-838)
* Roster: Fix resending authorization problem
* Shared Roster Groups: get contacts nickname from vcard (EJAB-114)
* S2S: Improved s2s connections clean up (EJAB-1202)
Changes in ejabberd-2.1.2
Core
* Close sessions that were half connected
* Fix SASL PLAIN authentication message for RFC4616 compliance
* Fix support for old Erlang/OTP R10 and R11
* Return proper error (not 'conflict') when register is forbidden by ACL
* When ejabberd stops, send stream close to clients
ejabberdctl
* Check for EGID in ejabberdctl command
* Command to stop ejabberd informing users, with grace period
* If there's a problem in config file, display config lines and stop node
MUC
* Kick occupants with reason when room is stopped due to MUC shutdown
* Write in room log when a room is created, destroyed, started, stopped
PubSub and PEP
* Don't call gen_server on internal event (improves performance and
scalability)
* Fix duplicate SHIM header in Pubsub message
* Notification messages of Pubsub node config change contained a SHIM
header
* SubID SHIM header missing in Pubsub message with multiple subscriptions
on the same node
* PEP: last published item not sent from unavailable users when the
subscription is implicit (XEP-0115)
* pep_mapping not working due to Node type mismatch
WebAdmin
* If big offline message queue, show only subset on WebAdmin
* Support in user list page of WebAdmin when mod_offline is disabled
---
Module Name: pkgsrc
Committed By: martti
Date: Mon Mar 15 06:27:55 UTC 2010
Modified Files:
pkgsrc/chat/ejabberd: Makefile
Log Message:
Reset MAINTAINER.
|
|
|
|
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.10
- www/mediawiki/distinfo 1.6
---
Module Name: pkgsrc
Committed By: martti
Date: Tue Mar 9 05:16:42 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.2
Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.
Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.
|
|
|
|
chrony: security update
Revisions pulled up:
- net/chrony/Makefile 1.26
- net/chrony/distinfo 1.7
- net/chrony/patches/patch-aa 1.4
- net/chrony/patches/patch-ab 1.4
- net/chrony/patches/patch-ac 1.4
- net/chrony/patches/patch-ad 1.3
- net/chrony/patches/patch-ae 1.4
- net/chrony/patches/patch-ag delete
---
Module Name: pkgsrc
Committed By: hannken
Date: Fri Feb 26 09:27:43 UTC 2010
Modified Files:
pkgsrc/doc: TODO
pkgsrc/net/chrony: Makefile distinfo
pkgsrc/net/chrony/patches: patch-aa patch-ab patch-ac patch-ad patch-ae
Removed Files:
pkgsrc/net/chrony/patches: patch-ag
Log Message:
Update to 1.24.
The changes in version 1.24 are
Security fixes
--------------
* Don't reply to invalid cmdmon packets (CVE-2010-0292)
* Limit client log memory size (CVE-2010-0293)
* Limit rate of syslog messages (CVE-2010-0294)
Bug fixes/Enhancements
----------------------
* Support for reference clocks (SHM, SOCK, PPS drivers)
* IPv6 support
* Linux capabilities support (to drop root privileges)
* Memory locking support on Linux
* Real-time scheduler support on Linux
* Leap second support on Linux
* Support for editline library
* Support for new Linux readonly adjtime
* NTP client support for KoD RATE
* Read kernel timestamps for received NTP packets
* Reply to NTP requests with correct address on multihomed hosts
* Retry name resolving after temporary failure
* Fix makestep command, make it available on all systems
* Add makestep directive for automatic clock stepping
* Don't require _bigadj kernel symbol on NetBSD
* Avoid blocking read in Linux RTC driver
* Support for Linux on S/390 and PowerPC
* Fix various bugs on 64-bit systems
* Fix valgrind errors and compiler warnings
* Improve configure to support common options and variables
* Improve status checking and printing in chronyc
* Return non-zero exit code on errors in chronyc
* Reduce request timeout in chronyc
* Print estimated offset in sourcestats
* Changed chronyc protocol, incompatible with older versions
Reviewed by: Joerg Sonnenberger <joerg@netbsd.org>
|
|
|
|
drupal6: security update
Revisions pulled up:
- www/drupal6/Makefile 1.19
- www/drupal6/PLIST 1.6
- www/drupal6/distinfo 1.15
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 4 01:29:58 UTC 2010
Modified Files:
pkgsrc/www/drupal6: Makefile PLIST distinfo
Log Message:
Update drupal6 package to 6.16.
Drupal 6.16, 2010-03-03
----------------------
- Fixed security issues (Installation cross site scripting, Open redirection,
Locale module cross site scripting, Blocked user session regeneration),
see SA-CORE-2010-001.
- Better support for updated jQuery versions.
- Reduced resource usage of update.module.
- Fixed several issues relating to support of install profiles and
distributions.
- Added a locking framework to avoid data corruption on long operations.
- Fixed a variety of other bugs.
|
|
drupal: security update
Revisions pulled up:
- www/drupal/Makefile 1.44
- www/drupal/distinfo 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 4 01:29:39 UTC 2010
Modified Files:
pkgsrc/www/drupal: Makefile distinfo
Log Message:
Update drupal package to 5.22.
Drupal 5.22, 2010-03-03
-----------------------
- Fixed security issues (Open redirection, Locale module cross site scripting,
Blocked user session regeneration), see SA-CORE-2010-001.
|
|
|
|
php5: security update
php-bz2: security update
php-zip: security update
php-zlib: security update
php-iconv: security update
php-dba: security update
php-dbase: security update
php-dbx: security update
php-ldap: security update
php-mssql: security update
php-mysql: security update
php-odbc: security update
php-pdo: security update
php-pdo_dblib: security update
php-pdo_mysql: security update
php-pdo_pgsql: security update
php-pdo_sqlite: security update
php-pgsql: security update
php-sqlite: security update
php5-mysqli: security update
php-gettext: security update
php-gmp: security update
php-memcache: security update
php-pcntl: security update
php-posix: security update
php-shmop: security update
php-sysvsem: security update
php-sysvshm: security update
php-exif: security update
php-gd: security update
php5-perl: security update
php-imap: security update
php-bcmath: security update
php-calendar: security update
php-mbstring: security update
php-ming: security update
php-ftp: security update
php-snmp: security update
php-sockets: security update
php-xmlrpc: security update
php-yaz: security update
php5-soap: security update
php-pdflib: security update
php-mcrypt: security update
php-mhash: security update
php-suhosin: security update
php-json: security update
php-pspell: security update
php-wddx: security update
php5-dom: security update
php5-xsl: security update
php-apc: security update
php-curl: security update
php-eaccelerator: security update
Revisions pulled up:
- archivers/php-zlib/Makefile 1.14
- databases/php-dba/Makefile 1.12
- databases/php-ldap/Makefile 1.16
- databases/php-mssql/Makefile 1.12
- databases/php-pdo_dblib/Makefile 1.12
- databases/php-pdo_pgsql/Makefile 1.13
- databases/php-pgsql/Makefile 1.14
- graphics/php-exif/Makefile 1.8
- graphics/php-gd/Makefile 1.22
- lang/php5/Makefile 1.77-1.78
- lang/php5/Makefile.common 1.40
- lang/php5/Makefile.php 1.39-1.41
- lang/php5/distinfo 1.73,1.76
- mail/php-imap/Makefile 1.20
- net/php-ftp/Makefile 1.12
- print/php-pdflib/Makefile 1.13
- www/php-curl/Makefile 1.16
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Feb 27 03:25:17 UTC 2010
Modified Files:
pkgsrc/lang/php5: Makefile Makefile.common Makefile.php distinfo
Log Message:
Update php5 package to 5.2.13.
25 Feb 2010, PHP 5.2.13
- Updated timezone database to version 2010.2. (Derick)
- Upgraded bundled PCRE to version 7.9. (Ilia)
- Removed automatic file descriptor unlocking happening on shutdown and/or
stream close (on all OSes excluding Windows). (Tony, Ilia)
- Changed tidyNode class to disallow manual node creation. (Pierrick)
- Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL.
(Ilia)
- Improved LCG entropy. (Rasmus, Samy Kamkar)
- Fixed safe_mode validation inside tempnam() when the directory path does
not end with a /). (Martin Jansen)
- Fixed a possible open_basedir/safe_mode bypass in session extension
identified by Grzegorz Stachowiak. (Ilia)
- Fixed bug in bundled libgd causing spurious horizontal lines drawn by
gdImageFilledPolygon (libgd #100). (Takeshi Abe)
- Fixed build of mysqli with MySQL 5.5.0-m2. (Andrey)
- Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
(Brian France, Rasmus)
- Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc
versions). (Derick)
- Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation).
(Ilia, hanno at hboeck dot de)
- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
long). (Ilia)
- Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP
authentication). (Jani)
- Fixed bug #50823 (ReflectionFunction::isDeprecated producing "cannot be called
statically" error). (Jani, Felipe)
- Fixed bug #50791 (Compile failure: Bad logic in defining fopencookie
emulation). (Jani)
- Fixed bug #50787 (stream_set_write_buffer() has no effect on socket
streams). (vnegrier at optilian dot com, Ilia)
- Fixed bug #50772 (mysqli constructor without parameters does not return a
working mysqli object). (Andrey)
- Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). (hiroaki
dot kawai at gmail dot com, Ilia)
- Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia)
- Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). (Joey,
Ilia)
- Fixed bug #50727 (Accessing mysqli->affected_rows on no connection causes
segfault). (Andrey, Johannes)
- Fixed bug #50680 (strtotime() does not support eighth ordinal number).
(Ilia)
- Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
- Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but
returns false). (Ilia)
- Fixed bug #50636 (MySQLi_Result sets values before calling constructor).
(Pierrick)
- Fixed bug #50632 (filter_input() does not return default value if the
variable does not exist). (Ilia)
- Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick)
- Fixed bug #50575 (PDO_PGSQL LOBs are not compatible with PostgreSQL 8.5).
(Matteo)
- Fixed bug #50558 (Broken object model when extending tidy). (Pierrick)
- Fixed bug #50540 (Crash while running ldap_next_reference test cases).
(Sriram)
- Fixed bug #50508 (compile failure: Conflicting HEADER type declarations).
(Jani)
- Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
- Fixed bug #49851 (http wrapper breaks on 1024 char long headers). (Ilia)
- Fixed bug #49600 (imageTTFText text shifted right). (Takeshi Abe)
- Fixed bug #49585 (date_format buffer not long enough for >4 digit years).
(Derick, Adam)
- Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob)
- Fixed bug #48667 (Implementing Iterator and IteratorAggregate). (Etienne)
- Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram)
- Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive
in HTTP uploads). (Ilia)
- Fixed bug #47601 (defined() requires class to exist when testing for class
constants). (Ilia)
- Fixed bug #47409 (extract() problem with array containing word "this").
(Ilia, chrisstocktonaz at gmail dot com)
- Fixed bug #47002 (Field truncation when reading from dbase dbs with more
then 1024 fields). (Ilia, sjoerd-php at linuxonly dot nl)
- Fixed bug #45599 (strip_tags() truncates rest of string with invalid
attribute). (Ilia, hradtke)
- Fixed bug #44827 (define() allows :: in constant names). (Ilia)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Feb 27 03:35:12 UTC 2010
Modified Files:
pkgsrc/archivers/php-zlib: Makefile
pkgsrc/databases/php-dba: Makefile
pkgsrc/databases/php-ldap: Makefile
pkgsrc/databases/php-mssql: Makefile
pkgsrc/databases/php-pdo_dblib: Makefile
pkgsrc/databases/php-pdo_pgsql: Makefile
pkgsrc/databases/php-pgsql: Makefile
pkgsrc/graphics/php-exif: Makefile
pkgsrc/graphics/php-gd: Makefile
pkgsrc/mail/php-imap: Makefile
pkgsrc/net/php-ftp: Makefile
pkgsrc/print/php-pdflib: Makefile
pkgsrc/www/php-curl: Makefile
Log Message:
Reset PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Mar 3 10:51:35 UTC 2010
Modified Files:
pkgsrc/lang/php5: Makefile.php
Log Message:
Re-enable suhosin option since there is no need to disable it.
Noted by Volkmar Seifert and I misunderstood something.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 4 15:36:04 UTC 2010
Modified Files:
pkgsrc/lang/php5: Makefile Makefile.php distinfo
Log Message:
Update suhosin patch for PHP 5.2.13.
Bump PKGREVISION.
|
|
|
|
thunderbird: security update
Revisions pulled up:
- mail/thunderbird/Makefile 1.47-1.49
- mail/thunderbird/distinfo 1.62-1.63
---
Module Name: pkgsrc
Committed By: tnn
Date: Mon Jan 25 14:42:55 UTC 2010
Modified Files:
pkgsrc/mail/thunderbird: Makefile distinfo
Log Message:
Update to thunderbird-3.0.1.
General stability/bugfix update.
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Feb 26 18:38:39 UTC 2010
Modified Files:
pkgsrc/mail/thunderbird: Makefile distinfo
Log Message:
Update to thunderbird-3.0.2
* Several fixes to improve stability and security.
* Fixes for Thunderbird 2 users upgrading to Thunderbird 3.
* Several fixes to IMAP.
---
Module Name: pkgsrc
Committed By: tnn
Date: Wed Mar 3 13:54:47 UTC 2010
Modified Files:
pkgsrc/mail/thunderbird: Makefile
Log Message:
relax sqlite3 dependency to match what we have in pkgsrc-2009Q4.
|
|
|
|
tor: security and compatibility update
Revisions pulled up:
- net/tor/Makefile 1.71
- net/tor/distinfo 1.40
---
Module Name: pkgsrc
Committed By: obache
Date: Tue Mar 2 11:25:59 UTC 2010
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
Update tor to 0.2.1.24 per maintainer update request by PR#42911.
Changes in version 0.2.1.24 - 2010-02-21
Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
for sure!
o Minor bugfixes:
- Work correctly out-of-the-box with even more vendor-patched versions
of OpenSSL. In particular, make it so Debian and OS X don't need
customized patches to run/build.
Changes in version 0.2.1.23 - 2010-02-13
Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
again on the latest OS X, and updates the location of a directory
authority.
o Major bugfixes (performance):
- We were selecting our guards uniformly at random, and then weighting
which of our guards we'd use uniformly at random. This imbalance
meant that Tor clients were severely limited on throughput (and
probably latency too) by the first hop in their circuit. Now we
select guards weighted by currently advertised bandwidth. We also
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
o Major bugfixes:
- Make Tor work again on the latest OS X: when deciding whether to
use strange flags to turn TLS renegotiation on, detect the OpenSSL
version at run-time, not compile time. We need to do this because
Apple doesn't update its dev-tools headers when it updates its
libraries in a security patch.
- Fix a potential buffer overflow in lookup_last_hid_serv_request()
that could happen on 32-bit platforms with 64-bit time_t. Also fix
a memory leak when requesting a hidden service descriptor we've
requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
by aakova.
o Minor bugfixes:
- Refactor resolve_my_address() to not use gethostbyname() anymore.
Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
o Minor features:
- Avoid a mad rush at the beginning of each month when each client
rotates half of its guards. Instead we spread the rotation out
throughout the month, but we still avoid leaving a precise timestamp
in the state file about when we first picked the guard. Improves
over the behavior introduced in 0.1.2.17.
|
|
|
|
curl: security update
Revisions pulled up:
- www/curl/Makefile 1.96
- www/curl/distinfo 1.64
- www/curl/patches/patch-ab delete
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Feb 16 12:51:44 UTC 2010
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-ab
Log Message:
Update to 7.20.0:
Version 7.20.0 (9 February 2010)
Daniel Stenberg (9 Feb 2010)
- When downloading compressed content over HTTP and the app asked libcurl to
automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
wrongly provide the callback with more data than the maximum documented
amount. An application could thus get tricked into badness if the maximum
limit was trusted to be enforced by libcurl itself (as it is documented).
This is further detailed and explained in the libcurl security advisory
20100209 at
http://curl.haxx.se/docs/adv_20100209.html
Daniel Fandrich (3 Feb 2010)
- Changed the Watcom makefiles to make them easier to keep in sync with
Makefile.inc since that can't be included directly.
Yang Tse (2 Feb 2010)
- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
symbol will not be available when building with CURL_NO_OLDIES defined. Use
of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
Daniel Stenberg (1 Feb 2010)
- Using the multi_socket API, it turns out at times it seemed to "forget"
connections (which caused a hang). It turned out to be an existing (7.19.7)
bug in libcurl (that's been around for a long time) and it happened like
this:
The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
then set it to timeout in 1 millisecond so libcurl will tell the app about
it.
The app's timeout fires off that there's a timeout, the app calls libcurl as
we so often document it:
do {
res = curl_multi_socket_action(... TIMEOUT ...);
} while(CURLM_CALL_MULTI_PERFORM == res);
And this is the problem number one:
When curl_multi_socket_action() is called with no specific handle, but only
a timeout-action, it will *only* perform actions within libcurl that are
marked to run at this time. In this case, the request would go from INIT to
CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
again, there's no timer set for this handle so it remains in the CONNECT
state. The CONNECT state is a transitional state in libcurl so it reports no
sockets there, and thus libcurl never tells the app anything more about that
easy handle/connection.
libcurl _does_ set a 1ms timeout for the handle at the end of
multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
is instant the new job is not ready to run at that point (and there's no
code that makes libcurl call the app to update the timout for this new
timeout). It will simply rely on that some other timeout will trigger later
on or that something else will update the timeout callback. This makes the
bug fairly hard to repeat.
The fix made to adress this issue:
We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
benefit that this goes in line with my long-term wishes to get rid of the
CURLM_CALL_MULTI_PERFORM all together from the public API.
The downside of this fix, is that the counter we return in 'running_handles'
in several of our public functions then gets a slightly new and possibly
confusing behavior during times:
If an app adds a handle that fails to connect (very quickly) it may just
as well never appear as a 'running_handle' with this fix. Previously it
would first bump the counter only to get it decreased again at next call.
Even I have used that change in handle counter to signal "end of a
transfer". The only *good* way to find the end of a individual transfer
is calling curl_multi_info_read() to see if it returns one.
Of course, if the app previously did the looping before it checked the
counter, it really shouldn't be any new effect.
Yang Tse (26 Jan 2010)
- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
relative to the asynchronous DNS lookups, along with with some integration
adjustments I have done are finally committed to CVS.
Currently these enhancements will benefit builds done using c-ares on any
platform as well as Windows builds using the default threaded resolver.
This release does not make generally available POSIX threaded DNS lookups
yet. There is no configure option to enable this feature yet. It is possible
to experimantally try this feature running configure with compiler flags that
make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
are required to link and properly use pthread_* functions on each platform.
Daniel Stenberg (26 Jan 2010)
- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
proxy that cannot be resolved when using c-ares. This matches the behaviour
when not using c-ares.
Bj
- Added a new flag: -J/--remote-header-name. This option tells the
-O/--remote-name option to use the server-specified Content-Disposition
filename instead of extracting a filename from the URL.
Daniel Stenberg (21 Jan 2010)
- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
libcurl options for controlling what to get and how to receive posssibly
interleaved RTP data.
Daniel Stenberg (20 Jan 2010)
- As was pointed out on the http-state mailing list, the order of cookies in a
HTTP Cookie: header _needs_ to be sorted on the path length in the cases
where two cookies using the same name are set more than once using
(overlapping) paths. Realizing this, identically named cookies must be
sorted correctly. But detecting only identically named cookies and take care
of them individually is harder than just to blindly and unconditionally sort
all cookies based on their path lengths. All major browsers also already do
this, so this makes our behavior one step closer to them in the cookie area.
Test case 8 was the only one that broke due to this change and I updated it
accordingly.
Daniel Stenberg (19 Jan 2010)
- David McCreedy brought a fix and a new test case (129) to make libcurl work
again when downloading files over FTP using ASCII and it turns out that the
final size of the file is not the same as the initial size the server
reported. This is very common since servers don't take the newline
conversions into account.
Kamil Dudka (14 Jan 2010)
- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
being properly detected under certain circumstances. It had been caused by
strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
distinguishes among empty and non-existent environment variable in that case.
Daniel Stenberg (12 Jan 2010)
- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
transfers: curl_multi_fdset() would return -1 and not set and file
descriptors several times during a transfer of a single file. It turned out
to be due to two different flaws now fixed. Gil's excellent recipe helped me
nail this.
Daniel Stenberg (11 Jan 2010)
- Made sure that the progress callback is repeatedly called at a regular
interval even during very slow connects.
- The tests/runtests.pl script now checks to see if the test case that runs is
present in the tests/data/Makefile.am and outputs a notice message on the
screen if not. Each test file has to be included in that Makefile.am to get
included in release archives and forgetting to add files there is a common
mistake. This is an attempt to make it harder to forget.
Daniel Stenberg (9 Jan 2010)
- Johan van Selst found and fixed a OpenSSL session ref count leak:
ossl_connect_step3() increments an SSL session handle reference counter on
each call. When sessions are re-used this reference counter may be
incremented many times, but it will be decremented only once when done (by
Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
if this reference count remains positive. When a session is re-used the
reference counter should be corrected by explicitly calling
SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
introducing a memory leak.
(http://curl.haxx.se/bug/view.cgi?id=2926284)
Daniel Stenberg (7 Jan 2010)
- Make sure the progress callback is called repeatedly even during very slow
name resolves when c-ares is used for resolving.
Claes Jakobsson (6 Jan 2010)
- Julien Chaffraix fixed so that the fragment part in an URL is not sent
to the server anymore.
Kamil Dudka (3 Jan 2010)
- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
Daniel Stenberg (2 Jan 2010)
- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
option names are still working but the new ones are the ones listed and
documented.
Daniel Stenberg (1 Jan 2010)
- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
command is a special "hack" used by the drftpd server, but even though it is
a custom extension I've deemed it fine to add to libcurl since this server
seems to survive and people keep using it and want libcurl to support
it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
usable from the curl tool with --ftp-pret. Using this option on a server
that doesn't support this command will make libcurl fail.
I added test cases 1107 and 1108 to verify the functionality.
The PRET command is documented at
http://www.drftpd.org/index.php/Distributed_PASV
Yang Tse (30 Dec 2009)
- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
with the patch and testing.
Daniel Stenberg (26 Dec 2009)
- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
headers work correctly even on FreeBSD systems before v8.
(http://curl.haxx.se/bug/view.cgi?id=2916915)
Daniel Stenberg (17 Dec 2009)
- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
available.
- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
was a bit too quick and broke test case 1101 with that change. The order of
some of the setups is sensitive. I now changed it slightly again to make
sure we do them in this order:
1 - parse URL and figure out what protocol is used in the URL
2 - prepend protocol:// to URL if missing
3 - parse name+password off URL, which needs to know what protocol is used
(since only some allows for name+password in the URL)
4 - figure out if a proxy should be used set by an option
5 - if no proxy option, check proxy environment variables
6 - run the protocol-specific setup function, which needs to have the proxy
already set
Daniel Stenberg (15 Dec 2009)
- Jon Nelson found a regression that turned out to be a flaw in how libcurl
detects and uses proxies based on the environment variables. If the proxy
was given as an explicit option it worked, but due to the setup order
mistake proxies would not be used fine for a few protocols when picked up
from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
test case 1106 that verifies this functionality.
(http://curl.haxx.se/bug/view.cgi?id=2913886)
Daniel Stenberg (12 Dec 2009)
- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
and SMTPS) are now supported. The current state may not yet be solid, but
the foundation is in place and the test suite has some initial support for
these protocols. Work will now persue to make them nice libcurl citizens
until release.
The work with supporting these new protocols was sponsored by
networking4all.com - thanks!
Daniel Stenberg (10 Dec 2009)
- Siegfried Gyuricsko found out that the curl manual said --retry would retry
on FTP errors in the transient 5xx range. Transient FTP errors are in the
4xx range. The code itself only tried on 5xx errors that occured _at login_.
Now the retry code retries on all FTP transfer failures that ended with a
4xx response.
(http://curl.haxx.se/bug/view.cgi?id=2911279)
- Constantine Sapuntzakis figured out a case which would lead to libcurl
accessing alredy freed memory and thus crash when using HTTPS (with
OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
of cleaning things up. I fixed it.
(http://curl.haxx.se/bug/view.cgi?id=2905220)
Daniel Stenberg (7 Dec 2009)
- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
with unknown size. Previously it was only used for posts with a known size
larger than 1024 bytes.
Daniel Stenberg (1 Dec 2009)
- If the Expect: 100-continue header has been set by the application through
curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
data->state.expect100header accordingly - the current code (in 7.19.7 at
least) doesn't handle this properly. Martin Storsjo provided the fix!
Yang Tse (28 Nov 2009)
- Added Diffie-Hellman parameters to several test harness certificate files in
PEM format. Required by several stunnel versions used by our test harness.
Daniel Stenberg (28 Nov 2009)
- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
rework patch that now integrates TFTP properly into libcurl so that it can
be used non-blocking with the multi interface and more. BLKSIZE also works.
The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
the command line.
Daniel Stenberg (26 Nov 2009)
- Extended and fixed the change I did on Dec 11 for the the progress
meter/callback during FTP command/response sequences. It turned out it was
really lame before and now the progress meter SHOULD get called at least
once per second.
Daniel Stenberg (23 Nov 2009)
- Bjorn Augustsson reported a bug which made curl not report any problems even
though it failed to write a very small download to disk (done in a single
fwrite call). It turned out to be because fwrite() returned success, but
there was insufficient error-checking for the fclose() call which tricked
curl to believe things were fine.
Yang Tse (23 Nov 2009)
- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
finer granularity control when generating src and lib makefiles.
Yang Tse (22 Nov 2009)
- I modified configure to force removal of the curlbuild.h file included in
distribution tarballs for use by non-configure systems. As intended, this
would get overwriten when doing in-tree builds. But VPATH builds would end
having two curlbuild.h files, one in the source tree and another in the
build tree. With the modification I introduced 5 Nov 2009 this could become
an issue when running libcurl's test suite.
Daniel Stenberg (20 Nov 2009)
- Constantine Sapuntzakis identified a write after close, as the sockets were
closed by libcurl before the SSL lib were shutdown and they may write to its
socket. Detected to at least happen with OpenSSL builds.
- Jad Chamcham pointed out a bug with connection re-use. If a connection had
CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
same proxy with the tunnel option disabled would still wrongly re-use that
previous connection and the outcome would only be badness.
Yang Tse (18 Nov 2009)
- I modified the memory tracking system to make it intolerant with zero sized
malloc(), calloc() and realloc() function calls.
Daniel Stenberg (17 Nov 2009)
- Constantine Sapuntzakis provided another fix for the DNS cache that could
end up with entries that wouldn't time-out:
1. Set up a first web server that redirects (307) to a http://server:port
that's down
2. Have curl connect to the first web server using curl multi
After the curl_easy_cleanup call, there will be curl dns entries hanging
around with in_use != 0.
(http://curl.haxx.se/bug/view.cgi?id=2891591)
- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
Kamil Dudka (15 Nov 2009)
- David Byron improved the configure script to use pkg-config to find OpenSSL
(and in particular the list of required libraries) even if a path is given
as argument to --with-ssl
Yang Tse (15 Nov 2009)
- I removed enable-thread / disable-thread configure option. These were only
placebo options. The library is always built as thread safe as possible on
every system.
Claes Jakobsson (14 Nov 2009)
- curl-config now accepts '--configure' to see what arguments was
passed to the configure script when building curl.
Daniel Stenberg (14 Nov 2009)
- Claes Jakobsson restored the configure functionality to detect NSS when
--with-nss is set but not "yes".
I think we can still improve that to check for pkg-config in that path etc,
but at least this patch brings back the same functionality we had before.
- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
the client certificate. It also disable the key name test as some engines
can select a private key/cert automatically (When there is only one key
and/or certificate on the hardware device used by the engine)
Yang Tse (14 Nov 2009)
- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
won't be reused unless protection level for peer and host verification match.
I refactored how preprocessor symbol _THREAD_SAFE definition is done.
Kamil Dudka (12 Nov 2009)
- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
closed NSPR descriptor. The issue was hard to find, reported several times
before and always closed unresolved. More info at the RH bug:
https://bugzilla.redhat.com/534176
- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
a broken TLS server. However it does not happen if SSL version is selected
manually. The approach was originally taken from PSM. Kaspar Brand helped me
to complete the patch. Original bug reports:
https://bugzilla.redhat.com/525496
https://bugzilla.redhat.com/527771
Yang Tse (12 Nov 2009)
- I modified configure script to make the getaddrinfo function check also
verify if the function is thread safe.
Yang Tse (11 Nov 2009)
- Marco Maggi reported that compilation failed when configured --with-gssapi
and GNU GSS installed due to a missing mutual exclusion of header files in
the Kerberos 5 code path. He also verified that my patch worked for him.
Daniel Stenberg (11 Nov 2009)
- Constantine Sapuntzakis posted bug #2891595
(http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
in the DNS cache would linger too long if the request that added it was in
use that long. He also provided the patch that now makes libcurl capable of
still doing a request while the DNS hash entry may get timed out.
- Christian Schmitz noticed that the progress meter/callback was not properly
used during the FTP connection phase (after the actual TCP connect), while
it of course should be. I also made the speed check get called correctly so
that really slow servers will trigger that properly too.
Kamil Dudka (5 Nov 2009)
- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
in non-blocking mode.
Yang Tse (5 Nov 2009)
- I removed leading 'curl' path on the 'curlbuild.h' include statement in
curl.h, adjusting auto-makefiles include path, to enhance portability to
OS's without an orthogonal directory tree structure such as OS/400.
Daniel Stenberg (4 Nov 2009)
- I fixed several problems with the transfer progress meter. It showed the
wrong percentage for small files, most notable for <1000 bytes and could
easily end up showing more than 100% at the end. It also didn't show any
percentage, transfer size or estimated transfer times when transferring
less than 100 bytes.
|
|
|
|
security patch
Revisions pulled up:
- pkgsrc/x11/wxGTK28/Makefile 1.8
- pkgsrc/x11/wxGTK28/Makefile.common 1.5
- pkgsrc/x11/wxGTK28/distinfo 1.8
- pkgsrc/x11/wxGTK28/patches/patch-ba 1.2
- pkgsrc/x11/wxGTK28/patches/patch-bb 1.2
- pkgsrc/x11/wxGTK28/patches/patch-ca 1.2
Files added:
pkgsrc/x11/wxGTK28/patches/patch-cb
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 16 17:38:14 UTC 2010
Modified Files:
pkgsrc/x11/wxGTK28: Makefile Makefile.common distinfo
pkgsrc/x11/wxGTK28/patches: patch-ba patch-bb patch-ca
Added Files:
pkgsrc/x11/wxGTK28/patches: patch-cb
Log Message:
* Add patches for CVE-2009-2369 and CVE-2009-2625.
* Use textproc/expat to fix CVE-2009-3720.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/x11/wxGTK28/Makefile \
pkgsrc/x11/wxGTK28/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK28/Makefile.common
cvs rdiff -u -r1.1 -r1.2 pkgsrc/x11/wxGTK28/patches/patch-ba \
pkgsrc/x11/wxGTK28/patches/patch-bb pkgsrc/x11/wxGTK28/patches/patch-ca
cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK28/patches/patch-cb
|
|
security patch
Revisions pulled up:
- pkgsrc/x11/wxGTK26/Makefile 1.5
- pkgsrc/x11/wxGTK26/distinfo 1.4
Files added:
pkgsrc/x11/wxGTK26/patches/patch-ae
pkgsrc/x11/wxGTK26/patches/patch-af
pkgsrc/x11/wxGTK26/patches/patch-ag
pkgsrc/x11/wxGTK26/patches/patch-ah
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 16 17:35:34 UTC 2010
Modified Files:
pkgsrc/x11/wxGTK26: Makefile distinfo
Added Files:
pkgsrc/x11/wxGTK26/patches: patch-ae patch-af patch-ag patch-ah
Log Message:
Add patches for CVE-2009-2369 and CVE-2009-2625.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/x11/wxGTK26/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ae \
pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag \
pkgsrc/x11/wxGTK26/patches/patch-ah
|
|
security patch
Revisions pulled up:
- pkgsrc/x11/wxGTK24/Makefile 1.11
- pkgsrc/x11/wxGTK24/distinfo 1.10
Files added:
pkgsrc/x11/wxGTK24/patches/patch-am
pkgsrc/x11/wxGTK24/patches/patch-an
pkgsrc/x11/wxGTK24/patches/patch-ao
pkgsrc/x11/wxGTK24/patches/patch-ap
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 16 17:33:39 UTC 2010
Modified Files:
pkgsrc/x11/wxGTK24: Makefile distinfo
Added Files:
pkgsrc/x11/wxGTK24/patches: patch-am patch-an patch-ao patch-ap
Log Message:
Add patches for CVE-2009-2625 and CVE-2009-2369.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/x11/wxGTK24/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/x11/wxGTK24/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK24/patches/patch-am \
pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao \
pkgsrc/x11/wxGTK24/patches/patch-ap
|
|
|
|
security update
Revisions pulled up:
- pkgsrc/security/sudo/Makefile 1.119
- pkgsrc/security/sudo/distinfo 1.61
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 26 01:08:38 UTC 2010
Modified Files:
pkgsrc/security/sudo: Makefile distinfo
Log Message:
Update sudo package to 1.7.2p4.
Major changes between version 1.7.2p3 and 1.7.2p4:
* Fix a bug that could allow users with permission to run sudoedit
to run arbitrary commands.
Major changes between version 1.7.2p2 and 1.7.2p3:
* Fix printing of entries with multiple host entries on a single line.
* Fix use after free when sending error messages via email.
* Use setrlimit64(), if available, instead of setrlimit() when
setting AIX resource limits since rlim_t is 32bits.
* Fix size arg when realloc()ing include stack.
* Avoid a duplicate fclose() of the sudoers file.
To generate a diff of this commit:
cvs rdiff -u -r1.118 -r1.119 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/sudo/distinfo
------------------------------------------------------------------
Module Name: pkgsrc
Committed By: zafer
Date: Tue Feb 9 00:05:48 UTC 2010
Modified Files:
pkgsrc/security/sudo: Makefile
Log Message:
update master_sites
To generate a diff of this commit:
cvs rdiff -u -r1.117 -r1.118 pkgsrc/security/sudo/Makefile
|
|
|
|
security update
Revisions pulled up:
- pkgsrc/graphics/netpbm/Makefile
- pkgsrc/graphics/netpbm/distinfo
- pkgsrc/graphics/netpbm/patches/patch-aa
- pkgsrc/graphics/netpbm/patches/patch-ao
- pkgsrc/graphics/netpbm/patches/patch-da
- pkgsrc/graphics/netpbm/patches/patch-db
- pkgsrc/graphics/netpbm/patches/patch-dd
Files added:
pkgsrc/graphics/netpbm/PLIST
pkgsrc/graphics/netpbm/patches/patch-ec
Files deleted:
pkgsrc/graphics/netpbm/patches/patch-ac
pkgsrc/graphics/netpbm/patches/patch-af
pkgsrc/graphics/netpbm/patches/patch-ag
pkgsrc/graphics/netpbm/patches/patch-ai
pkgsrc/graphics/netpbm/patches/patch-aj
pkgsrc/graphics/netpbm/patches/patch-ak
pkgsrc/graphics/netpbm/patches/patch-al
pkgsrc/graphics/netpbm/patches/patch-am
pkgsrc/graphics/netpbm/patches/patch-an
pkgsrc/graphics/netpbm/patches/patch-ap
pkgsrc/graphics/netpbm/patches/patch-aq
pkgsrc/graphics/netpbm/patches/patch-ar
pkgsrc/graphics/netpbm/patches/patch-as
pkgsrc/graphics/netpbm/patches/patch-at
pkgsrc/graphics/netpbm/patches/patch-au
pkgsrc/graphics/netpbm/patches/patch-av
pkgsrc/graphics/netpbm/patches/patch-az
pkgsrc/graphics/netpbm/patches/patch-ba
pkgsrc/graphics/netpbm/patches/patch-ca
pkgsrc/graphics/netpbm/patches/patch-ea
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Fri Feb 19 18:25:44 UTC 2010
Modified Files:
pkgsrc/graphics/netpbm: Makefile distinfo
pkgsrc/graphics/netpbm/patches: patch-aa patch-ao patch-da patch-db
patch-dd
Added Files:
pkgsrc/graphics/netpbm: PLIST
pkgsrc/graphics/netpbm/patches: patch-ec
Removed Files:
pkgsrc/graphics/netpbm/patches: patch-ac patch-af patch-ag patch-ai
patch-aj patch-ak patch-al patch-am patch-an patch-ap patch-aq
patch-ar patch-as patch-at patch-au patch-av patch-az patch-ba
patch-ca patch-ea
Log Message:
update to 10.35.73
changes: many bugfixes, especially:
xpmtoppm: fix wild pointer with color index > 127.
which fixes a stack-based buffer overflow (CVE-2009-4274)
pkgsrc change: use a fixed PLIST instead of generating on install,
helps to detect problems
To generate a diff of this commit:
cvs rdiff -u -r1.164 -r1.165 pkgsrc/graphics/netpbm/Makefile
cvs rdiff -u -r0 -r1.6 pkgsrc/graphics/netpbm/PLIST
cvs rdiff -u -r1.71 -r1.72 pkgsrc/graphics/netpbm/distinfo
cvs rdiff -u -r1.39 -r1.40 pkgsrc/graphics/netpbm/patches/patch-aa
cvs rdiff -u -r1.17 -r0 pkgsrc/graphics/netpbm/patches/patch-ac
cvs rdiff -u -r1.12 -r0 pkgsrc/graphics/netpbm/patches/patch-af
cvs rdiff -u -r1.18 -r0 pkgsrc/graphics/netpbm/patches/patch-ag
cvs rdiff -u -r1.11 -r0 pkgsrc/graphics/netpbm/patches/patch-ai \
pkgsrc/graphics/netpbm/patches/patch-aj
cvs rdiff -u -r1.7 -r0 pkgsrc/graphics/netpbm/patches/patch-ak
cvs rdiff -u -r1.3 -r0 pkgsrc/graphics/netpbm/patches/patch-al \
pkgsrc/graphics/netpbm/patches/patch-am \
pkgsrc/graphics/netpbm/patches/patch-an \
pkgsrc/graphics/netpbm/patches/patch-ap \
pkgsrc/graphics/netpbm/patches/patch-aq \
pkgsrc/graphics/netpbm/patches/patch-ar \
pkgsrc/graphics/netpbm/patches/patch-as \
pkgsrc/graphics/netpbm/patches/patch-at \
pkgsrc/graphics/netpbm/patches/patch-au
cvs rdiff -u -r1.3 -r1.4 pkgsrc/graphics/netpbm/patches/patch-ao
cvs rdiff -u -r1.4 -r0 pkgsrc/graphics/netpbm/patches/patch-av \
pkgsrc/graphics/netpbm/patches/patch-az
cvs rdiff -u -r1.5 -r0 pkgsrc/graphics/netpbm/patches/patch-ba
cvs rdiff -u -r1.1 -r0 pkgsrc/graphics/netpbm/patches/patch-ca \
pkgsrc/graphics/netpbm/patches/patch-ea
cvs rdiff -u -r1.1 -r1.2 pkgsrc/graphics/netpbm/patches/patch-da \
pkgsrc/graphics/netpbm/patches/patch-db \
pkgsrc/graphics/netpbm/patches/patch-dd
cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/netpbm/patches/patch-ec
|
|
|
|
typo3: security update
Revisions pulled up:
- www/typo3/Makefile 1.19
- www/typo3/PLIST 1.11
- www/typo3/distinfo 1.13
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 23 14:12:22 UTC 2010
Modified Files:
pkgsrc/www/typo3: Makefile PLIST distinfo
Log Message:
Update typo3 package to 4.3.2. For complete changes, please refer
ChangeLog file.
Also switch DESTDIR support to user-destdir.
the TYPO3 core team has just released the TYPO3 versions 4.3.2 and
4.2.12, which are now ready for you to download. All versions are
maintenance releases and contain bugfixes and security fixes.
IMPORTANT:
These versions include important security fixes to the TYPO3 core. A
security announcement has just been released:
https://typo3.org/teams/security/security-bulletins/typo3-sa-2010-004/
|
|
mysql5-client: security update
mysql5-server: security update
Revisions pulled up:
- databases/mysql5-client/Makefile.common 1.38
- databases/mysql5-client/buildlink3.mk 1.15 via patch
- databases/mysql5-client/distinfo 1.28
- databases/mysql5-client/patches/patch-ac 1.8
- databases/mysql5-client/patches/patch-ae 1.10
- databases/mysql5-client/patches/patch-af 1.8
- databases/mysql5-client/patches/patch-ag 1.5
- databases/mysql5-client/patches/patch-aj 1.4
- databases/mysql5-client/patches/patch-al 1.4
- databases/mysql5-client/patches/patch-au 1.5
- databases/mysql5-client/patches/patch-av 1.1
- databases/mysql5-server/Makefile 1.31
- databases/mysql5-server/PLIST 1.16
- databases/mysql5-server/distinfo 1.24
- databases/mysql5-server/patches/patch-aa 1.6
- databases/mysql5-server/patches/patch-ag 1.8
- databases/mysql5-server/patches/patch-ah 1.7
- databases/mysql5-server/patches/patch-aj 1.4
- databases/mysql5-server/patches/patch-am 1.4
- databases/mysql5-server/patches/patch-an 1.7
- databases/mysql5-server/patches/patch-ap 1.1
- databases/mysql5-server/patches/patch-aq 1.1
- databases/mysql5-server/patches/patch-bf 1.3
- databases/mysql5-server/patches/patch-ca 1.3
- databases/mysql5-server/patches/patch-cb 1.3
- databases/mysql5-server/patches/patch-cc 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 18 15:46:10 UTC 2010
Modified Files:
pkgsrc/databases/mysql5-client: Makefile.common buildlink3.mk distinfo
pkgsrc/databases/mysql5-client/patches: patch-ac patch-ae patch-af
patch-ag patch-aj patch-al
pkgsrc/databases/mysql5-server: Makefile PLIST distinfo
pkgsrc/databases/mysql5-server/patches: patch-aa patch-ag patch-ah
patch-aj patch-am patch-an patch-bf patch-ca patch-cb patch-cc
Added Files:
pkgsrc/databases/mysql5-client/patches: patch-au patch-av
pkgsrc/databases/mysql5-server/patches: patch-ap patch-aq
Log Message:
Update mysql5-client and mysql5-server package to version 5.0.90.
This release many bug fixes and DoS security problem (CVE-2009-4484).
Plese refer these URL in detail.
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-89.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html
There some minor pkgsrc change to prevent compile time warnings.
|
|
|
|
libdaemon: build fix
Revisions pulled up:
- devel/libdaemon/Makefile 1.6
---
Module Name: pkgsrc
Committed By: he
Date: Fri Feb 19 15:04:51 UTC 2010
Modified Files:
pkgsrc/devel/libdaemon: Makefile
Log Message:
Update from version 0.14 to 0.14nb1.
Pkgsrc changes:
o On NetBSD 4.*, avoid the use of -Wl,--no-undefined. It doesn't work
there, because the shared lib is not linked with libc.so (which is
possibly a bug).
Thanks to joerg@ for hints for how to work around this.
|
|
GraphicsMagick: security update
Revisions pulled up:
- graphics/GraphicsMagick/Makefile 1.28-1.29-1.30
- graphics/GraphicsMagick/PLIST 1.14
- graphics/GraphicsMagick/distinfo 1.22-1.24
---
Module Name: pkgsrc
Committed By: obache
Date: Fri Feb 5 05:09:07 UTC 2010
Modified Files:
pkgsrc/graphics/GraphicsMagick: Makefile PLIST distinfo
Log Message:
Update GraphicsMagick to 1.3.9.
1.3.9 (February 4, 2010)
========================
Security Fixes:
* None
Bug fixes:
* Fix "double free" error when using gm import -frame.
* XPM does not support RGBA color syntax, so return RGB instead.
* The display '-update' option was only working in conjunction with
the '-delay' option with a delay setting of 2 or greater.
* For formats which support multiple frames, output with +adjoing to
filenames containing a scene specification (e.g. foo%02d.tiff) was
resulting in wrong output file names.
* -convolve was crashing rather than reporting an error.
* Fixed crash if the number of OpenMP threads was reduced from the
original value via '-limit threads' or omp_set_num_threads().
* -blur was not blurring the opacity channel for solid-color images.
* When installing HTML documentation, many files were included which
are not part of the formatted documentation.
* Several deleted global string constants are restored with
deprecated status in order to assure that symbols are not removed
from the ABI.
New Features:
* None
Feature improvements:
* None
Performance Improvements:
* None
Behavior Changes:
* There is no longer an implicit 'adjoin' if an output filename
contains an apparent scene specification (e.g. foo%02d.tiff) and
multiple files are not needed to save the image.. It is necessary
to use +adjoin. For example ``gm convert foo.pdf +adjoin
%02d.tiff``.
* -flatten now applies the image background color under the first
image in the list if it is not already opaque.
---
Module Name: pkgsrc
Committed By: obache
Date: Thu Feb 11 06:43:55 UTC 2010
Modified Files:
pkgsrc/graphics/GraphicsMagick: Makefile distinfo
Log Message:
Update GraphicsMagick to 1.3.10.
1.3.10 (February 10, 2010)
==========================
Security Fixes:
* None
Bug fixes:
* +adjoin was not working correctly for the case when only one image
frame is present. With +adjoin and writing one frame to
"foo%d.jpg" it was outputting "foo%d.jpg" rather than "foo0.jpg".
* When drawing paths, memory allocation for the points was much
larger than it needed to be (patch by Vladimir Lukianov).
New Features:
* None
Feature improvements:
* None
Performance Improvements:
* None
Behavior Changes:
* To reiterate the change which first appeared in 1.3.9, there is no
longer an implicit +adjoin if the output file name happens to
contain a %d sequence, or there are multiple frames and the output
file format only supports storing one frame. Specify +adjoin if
scene number substition is desired in the output file names.
---
Module Name: pkgsrc
Committed By: obache
Date: Mon Feb 22 06:10:32 UTC 2010
Modified Files:
pkgsrc/graphics/GraphicsMagick: Makefile distinfo
Log Message:
Update GraphicsMagick to 1.3.11.
1.3.11 (February 21, 2010)
==========================
Security Fixes:
* Fixed array underflow on systems using signed char which could
result in a program crash due to extended characters in filenames
or in certain file formats.
Bug fixes:
* Fixed array underflow on systems using signed char which could
result in a program crash due to extended characters in filenames
or in certain file formats.
New Features:
* Added a -thumbnail command to 'convert' and 'mogrify'. This is a
faster way to scale down the image when speed is a primary
concern.
* Added a -extent command to 'convert' and 'mogrify' which
composites the image on top of a backing canvas image of solid
color.
* Added support for -compose to the 'convert' and 'mogrify', which
were documented to support it (but did not).
Feature improvements:
* None
Performance Improvements:
* Requests for 'Over' and 'Atop' composition are converted to a
request for the (faster) 'Copy' composition when both images are
opaque.
Behavior Changes:
* None
|
|
|
|
bug fix
Revisions pulled up:
- pkgsrc/pkgtools/x11-links/Makefile 1.110
Files added:
pkgsrc/pkgtools/x11-links/files/xfree.libXpm
Files deleted:
pkgsrc/pkgtools/x11-links/files/xfree.xpm
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bouyer
Date: Sat Feb 20 16:23:29 UTC 2010
Modified Files:
pkgsrc/pkgtools/x11-links: Makefile
Added Files:
pkgsrc/pkgtools/x11-links/files: xfree.libXpm
Removed Files:
pkgsrc/pkgtools/x11-links/files: xfree.xpm
Log Message:
Rename xfree.xpm to xfree.libXpm, so that xfree.mk will find it.
Fixes PR pkg/42827 and should also fix pkg/42671 once pulled up.
PKGREVISION++
To generate a diff of this commit:
cvs rdiff -u -r1.109 -r1.110 pkgsrc/pkgtools/x11-links/Makefile
cvs rdiff -u -r0 -r1.1 pkgsrc/pkgtools/x11-links/files/xfree.libXpm
cvs rdiff -u -r1.3 -r0 pkgsrc/pkgtools/x11-links/files/xfree.xpm
|
|
|
|
seamonkey: security update
Revisions pulled up:
- www/seamonkey/Makefile 1.32-1.33
- www/seamonkey/distinfo 1.45-1.46
---
Module Name: pkgsrc
Committed By: tnn
Date: Mon Jan 25 14:43:20 UTC 2010
Modified Files:
pkgsrc/www/seamonkey: Makefile distinfo
Log Message:
Update to seamonkey-2.0.2.
General stability/bugfix update.
---
Module Name: pkgsrc
Committed By: tnn
Date: Wed Feb 17 20:22:45 UTC 2010
Modified Files:
pkgsrc/www/seamonkey: Makefile distinfo
Log Message:
Update to seamonkey-2.0.3.
Security and bugfix release.
|
|
|
|
security and bug fixes
Revisions pulled up:
- pkgsrc/devel/nspr/Makefile by patch to equiv of 1.34
- pkgsrc/devel/xulrunner/dist.mk by patch to equiv of 1.7
- pkgsrc/devel/xulrunner/distinfo by patch to equiv of 1.24
- pkgsrc/www/firefox/Makefile by patch to equiv of 1.70
--------------------------------------------------------------------
The attached diff against 2009Q4 updates firefox to 3.5.8.
This is a security and bugfix update.
|
|
|
|
hobbitmon: build fix
Revisions pulled up:
- net/hobbitmon/Makefile 1.26
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Feb 6 13:58:06 UTC 2010
Modified Files:
pkgsrc/net/hobbitmon: Makefile
Log Message:
include mk/apache.mk instead of www/apache/buildlink3.mk.
Fixes PR pkg/29688
|
|
|
|
functionality fix
Revisions pulled up:
- pkgsrc/misc/rubygems/Makefile 1.30
- pkgsrc/misc/rubygems/distinfo 1.24
- pkgsrc/misc/rubygems/patches/patch-ag 1.6
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: fhajny
Date: Wed Jan 27 13:21:58 UTC 2010
Modified Files:
pkgsrc/misc/rubygems: Makefile distinfo
pkgsrc/misc/rubygems/patches: patch-ag
Log Message:
Fix (finally) the typo in patch-ag. Previous fix wasn't correct.
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 pkgsrc/misc/rubygems/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/misc/rubygems/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/misc/rubygems/patches/patch-ag
|
