lang/php54: security update
Revisions pulled up:
- pkgsrc/lang/php/phpversion.mk 1.102
- pkgsrc/lang/php54/distinfo 1.58
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 12 04:51:01 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php54: distinfo
Log Message:
Update php54 to 5.4.42.
11 Jun 2015 PHP 5.4.42
- Core:
. Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in
heap overflow). (Max Spelsberg)
. Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
(Anatol Belski)
. Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
- Litespeed SAPI:
. Fixed bug #68812 (Unchecked return value). (George Wang)
- Mail:
. Fixed bug #68776 (mail() does not have mail header injection prevention for
additional headers). (Yasuo)
- Postgres:
. Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
- Sqlite3:
. Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415,
CVE-2015-3416) (Kaplan)
textproc/ruby-redcarpet: security fix
Revisions pulled up:
- textproc/ruby-redcarpet/Makefile 1.5
- textproc/ruby-redcarpet/distinfo 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Thu May 14 22:17:40 UTC 2015
Modified Files:
pkgsrc/textproc/ruby-redcarpet: Makefile distinfo
Log Message:
Update ruby-redcarpet to 3.2.3, including security fix.
Version 3.2.3
* Avoid rewinding content of a previous inline when autolinking is enabled.
Daniel LeCheminant
* Fix escaping of forward slashes with the Safe render object (add a missing
semi-colon).
lang/php56: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.101
- lang/php56/distinfo 1.11
- lang/php56/patches/patch-ext_phar_Makefile.frag 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 12 00:47:03 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
pkgsrc/lang/php56/patches: patch-ext_phar_Makefile.frag
Log Message:
Update php56 to 5.6.10.
11 Jun 2015, PHP 5.6.10
- Core:
. Fixed bug #66048 (temp. directory is cached during multiple requests).
(Julien)
. Fixed bug #69566 (Conditional jump or move depends on uninitialised value
in extension trait). (jbboehr at gmail dot com)
. Fixed bug #69599 (Strange generator+exception+variadic crash). (Nikita)
. Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
(Christoph M. Becker)
. Fixed POST data processing slowdown due to small input buffer size
on Windows. (Jorge Oliveira, Anatol)
. Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
(Anatol Belski)
. Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
- FTP
. Improved fix for bug #69545 (Integer overflow in ftp_genlist()
resulting in heap overflow). (Max Spelsberg)
- GD:
. Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
- Iconv:
. Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas)
- Litespeed SAPI:
. Fixed bug #68812 (Unchecked return value). (George Wang)
- Mail:
. Fixed bug #68776 (mail() does not have mail header injection prevention for
additional headers). (Yasuo)
- MCrypt:
. Added file descriptor caching to mcrypt_create_iv() (Leigh)
- Opcache
. Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
(Laruence, Dmitry)
- Phar:
. Fixed bug #69680 (phar symlink in binary directory broken).
(Matteo Bernardini, Remi)
- Postgres:
. Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
- Sqlite3:
. Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415,
CVE-2015-3416) (Kaplan)
security/gnutls: build fix
Revisions pulled up:
- security/gnutls/distinfo 1.115
- security/gnutls/patches/patch-src_libopts_libopts.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: joerg
Date: Mon Jun 8 13:44:57 UTC 2015
Modified Files:
pkgsrc/security/gnutls: distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-src_libopts_libopts.c
Log Message:
Work around the gettext context function definition mess to unbreak
NetBSD/current.
To generate a diff of this commit:
cvs rdiff -u -r1.114 -r1.115 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/gnutls/patches/patch-src_libopts_libopts.c
lang/php55: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.100
- lang/php55/distinfo 1.41
- lang/php55/patches/patch-ext_phar_Makefile.frag 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 12 00:44:32 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: distinfo
pkgsrc/lang/php55/patches: patch-ext_phar_Makefile.frag
Log Message:
Update php55 to 5.5.26.
11 Jun 2015, PHP 5.5.26
- Core:
. Fixed bug #69566 (Conditional jump or move depends on uninitialised value
in extension trait). (jbboehr at gmail dot com)
. Fixed bug #66048 (temp. directory is cached during multiple requests).
(Julien)
. Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
(Christoph M. Becker)
. Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
(Anatol Belski)
. Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
- FTP:
. Improved fix for bug #69545 (Integer overflow in ftp_genlist()
resulting in heap overflow). (Max Spelsberg)
- GD:
. Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
- Iconv:
. Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas)
- Litespeed SAPI:
. Fixed bug #68812 (Unchecked return value). (George Wang)
- Mail:
. Fixed bug #68776 (mail() does not have mail header injection prevention for
additional headers). (Yasuo)
- MCrypt:
. Added file descriptor caching to mcrypt_create_iv() (Leigh)
- Opcache
. Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
(Laruence, Dmitry)
- PCRE:
. Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
- Phar:
. Fixed bug #69680 (phar symlink in binary directory broken).
(Matteo Bernardini, Remi)
- Postgres:
. Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
- Sqlite3:
. Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415,
CVE-2015-3416) (Kaplan)
sysutils/xentools42: security patch
Revisions pulled up:
- sysutils/xentools42/Makefile 1.28
- sysutils/xentools42/distinfo 1.17
- sysutils/xentools42/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 18:41:18 UTC 2015
Modified Files:
pkgsrc/sysutils/xentools42: Makefile distinfo
Added Files:
pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
XXX pull-ups
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/sysutils/xentools42/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/sysutils/xentools42/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools42/patches/patch-CVE-2015-3456
sysutils/xenkernel42: security patch
Revisions pulled up:
- sysutils/xenkernel42/Makefile 1.16
- sysutils/xenkernel42/distinfo 1.14
- sysutils/xenkernel42/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 18:18:41 UTC 2015
Modified Files:
pkgsrc/sysutils/xenkernel42: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
XXX pull-ups
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/sysutils/xenkernel42/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/sysutils/xenkernel42/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/sysutils/xenkernel42/patches/patch-CVE-2015-3456
sysutils/xentools45: security patch
Revisions pulled up:
- sysutils/xentools45/Makefile 1.7
- sysutils/xentools45/distinfo 1.7
- sysutils/xentools45/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 18:15:42 UTC 2015
Modified Files:
pkgsrc/sysutils/xentools45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xentools45/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
The patch really belongs here rather than in sysutils/xenkernel45 (where
it is already applied).
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xentools45/Makefile \
pkgsrc/sysutils/xentools45/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/sysutils/xentools45/patches/patch-CVE-2015-3456
sysutils/xenkernel45: security patch
Revisions pulled up:
- sysutils/xenkernel45/Makefile 1.8
- sysutils/xenkernel45/distinfo 1.7
- sysutils/xenkernel45/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 17:15:04 UTC 2015
Modified Files:
pkgsrc/sysutils/xenkernel45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
Privilege escalation via emulated floppy disk drive
The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.
A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.
All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.
Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.
Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.
Systems running only x86 PV guests are not vulnerable.
ARM systems are not vulnerable.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456
security/openssl: security update
Revisions pulled up:
- security/openssl/Makefile 1.208-1.209
- security/openssl/PLIST.common 1.24
- security/openssl/distinfo 1.113-1.114
- security/openssl/patches/patch-Configure 1.5
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Jun 12 17:02:24 UTC 2015
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo
pkgsrc/security/openssl/patches: patch-Configure
Log Message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
- Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.
This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
(CVE-2015-1788)
[Andy Polyakov]
- Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
(CVE-2015-1789)
[Emilia Käsper]
- PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
[Emilia Käsper]
- CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID. This can be used to perform
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
(CVE-2015-1792)
[Stephen Henson]
- Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
(CVE-2015-1791)
[Matt Caswell]
- Removed support for the two export grade static DH ciphersuites
EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
were newly added (along with a number of other static DH ciphersuites) to
1.0.2. However the two export ones have *never* worked since they were
introduced. It seems strange in any case to be adding new export
ciphersuites, and given "logjam" it also does not seem correct to fix them.
[Matt Caswell]
- Only support 256-bit or stronger elliptic curves with the
'ecdh_auto' setting (server) or by default (client). Of supported
curves, prefer P-256 (both).
[Emilia Kasper]
- Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
To generate a diff of this commit:
cvs rdiff -u -r1.207 -r1.208 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/openssl/PLIST.common
cvs rdiff -u -r1.112 -r1.113 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-Configure
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Jun 12 17:32:32 UTC 2015
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Log Message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c:
- Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
To generate a diff of this commit:
cvs rdiff -u -r1.208 -r1.209 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.113 -r1.114 pkgsrc/security/openssl/distinfo
www/contao34: security patch
Revisions pulled up:
- www/contao34/Makefile 1.5
- www/contao34/distinfo 1.6
- www/contao34/patches/patch-system_helper_functions.php 1.1
- www/contao34/patches/patch-system_modules_core_classes_BackendUser.php 1.1
- www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php 1.1
- www/contao34/patches/patch-system_modules_core_dca_tl__files.php 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jun 6 03:31:01 UTC 2015
Modified Files:
pkgsrc/www/contao34: Makefile distinfo
Added Files:
pkgsrc/www/contao34/patches: patch-system_helper_functions.php
patch-system_modules_core_classes_BackendUser.php
patch-system_modules_core_controllers_BackendPopup.php
patch-system_modules_core_dca_tl__files.php
Log Message:
Add several security related fixes from Contao 3.2.21.
Bump PKGREVISION.
www/contao32: security update
Revisions pulled up:
- www/contao/Makefile.common 1.96
- www/contao32/distinfo 1.22
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jun 6 03:29:33 UTC 2015
Modified Files:
pkgsrc/www/contao: Makefile.common
pkgsrc/www/contao32: distinfo
Log Message:
Update contao32 to 3.2.21.
Version 3.2.21 (2015-06-05)
---------------------------
### Fixed
Back-ported two security related changes from the upstream versions.
comms/asterisk18: security update
Revisions pulled up:
- comms/asterisk18/Makefile 1.94,1.97 via patch
- comms/asterisk18/distinfo 1.60-1.61
- comms/asterisk18/patches/patch-main_loader.c 1.1
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Sun Apr 12 03:35:39 UTC 2015
Modified Files:
pkgsrc/comms/asterisk18: Makefile distinfo
Log Message:
Update to Asterisk 1.8.32.3: this is a security fix update.
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11,
12, and 13. The available security releases are released as versions
1.8.28.cert-5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2,
and 13.3.2.
The release of these versions resolves the following security vulnerability:
* AST-2015-003: TLS Certificate Common name NULL byte exploit
When Asterisk registers to a SIP TLS device and verifies the
server, Asterisk will accept signed certificates that match a
common name other than the one Asterisk is expecting if the signed
certificate has a common name containing a null byte after the
portion of the common name that Asterisk expected. This potentially
allows for a man in the middle attack.
For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the Change Logs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
Thank you for your continued support of Asterisk!
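The bug class behind AST-2015-003, as an added C example (not Asterisk's code): a Common Name is carried in the certificate as an ASN.1 string with an explicit length, but code that hands it to C-string functions stops at the first NUL byte, so "sip.example.com\0.attacker.example" compares equal to "sip.example.com". The tiny DER decoder, the function names and the two sample CNs are constructed for this illustration. The same embedded-NUL truncation is the class addressed by the PHP entries on this page for paths with NULs, pcntl_exec() and phar entry filenames.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal short-form DER string decoder (UTF8String, PrintableString or
 * IA5String, length < 128): returns the payload and its declared length.
 * Constructed for this example; real code would use an X.509 library. */
static int der_string_payload(const unsigned char *der, size_t der_len,
                              const unsigned char **out, size_t *out_len)
{
    if (der_len < 2)
        return -1;
    unsigned char tag = der[0], len = der[1];
    if (tag != 0x0C && tag != 0x13 && tag != 0x16)
        return -1;
    if (len >= 0x80 || der_len != (size_t)len + 2)
        return -1;
    *out = der + 2;
    *out_len = len;
    return 0;
}

/* Vulnerable comparison: the declared length is ignored and the CN is
 * treated as a C string, so everything after an embedded NUL is invisible. */
static int cn_matches_cstring(const char *cn_buf, size_t cn_len, const char *expected)
{
    (void)cn_len;
    return strcmp(cn_buf, expected) == 0;
}

/* Fixed comparison: use the length the certificate declared, and reject an
 * embedded NUL outright, since no legitimate hostname contains one. */
static int cn_matches_length_aware(const char *cn_buf, size_t cn_len, const char *expected)
{
    if (memchr(cn_buf, '\0', cn_len) != NULL)
        return 0;
    return cn_len == strlen(expected) && memcmp(cn_buf, expected, cn_len) == 0;
}

/* Decode the CN from DER into a NUL-terminated buffer (as real code does
 * before calling string functions) and run the selected check.
 * Returns 1 = accepted, 0 = rejected, -1 = undecodable. */
static int verify_peer_cn(const unsigned char *der, size_t der_len,
                          const char *expected, int use_fixed_check)
{
    const unsigned char *payload;
    size_t len;
    char buf[128];
    if (der_string_payload(der, der_len, &payload, &len) != 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    return use_fixed_check ? cn_matches_length_aware(buf, len, expected)
                           : cn_matches_cstring(buf, len, expected);
}

/* Constructed sample CNs: an honest one and one with an embedded NUL. */
static const unsigned char GOOD_CN_DER[] = {
    0x0C, 15, 's','i','p','.','e','x','a','m','p','l','e','.','c','o','m' };
static const unsigned char EVIL_CN_DER[] = {
    0x0C, 33, 's','i','p','.','e','x','a','m','p','l','e','.','c','o','m', 0x00,
    '.','a','t','t','a','c','k','e','r','.','e','x','a','m','p','l','e' };

/* Which sample (0 = good, 1 = evil) under which check (0 = C string, 1 = fixed). */
static int demo_check(int evil, int use_fixed_check)
{
    const unsigned char *der = evil ? EVIL_CN_DER : GOOD_CN_DER;
    size_t der_len = evil ? sizeof EVIL_CN_DER : sizeof GOOD_CN_DER;
    return verify_peer_cn(der, der_len, "sip.example.com", use_fixed_check);
}

int main(void)
{
    printf("evil CN, C-string compare:     %d (1 = accepted: the MITM case)\n", demo_check(1, 0));
    printf("evil CN, length-aware compare: %d\n", demo_check(1, 1));
    printf("good CN, length-aware compare: %d\n", demo_check(0, 1));
    return 0;
}
```

The CA that issued the evil certificate would have had to accept a CN with a NUL in it; the defence on the client side is still to compare with the declared length, because that is the only place the full CN is visible.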
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Apr 28 08:48:11 UTC 2015
Modified Files:
pkgsrc/comms/asterisk18: Makefile distinfo
Added Files:
pkgsrc/comms/asterisk18/patches: patch-main_loader.c
Log Message:
Fix crash in asterisk18 startup
The added patch fixes startup crash and was submitted upstream.
While there also remove the ban on i386, as it was tested to run fine.
lang/ruby22-base: build fix
Revisions pulled up:
- pkgsrc/lang/ruby22-base/Makefile 1.2
- pkgsrc/lang/ruby22-base/distinfo 1.4
- pkgsrc/lang/ruby22-base/patches/patch-configure 1.2
- pkgsrc/lang/ruby22-base/patches/patch-lib_mkmf.rb 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Apr 22 19:04:35 UTC 2015
Modified Files:
pkgsrc/lang/ruby22-base: distinfo
pkgsrc/lang/ruby22-base/patches: patch-configure
Log Message:
Remove mention of MirBSD in patch description as support is there by default now
Reviewed by wiz@
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 30 03:27:52 UTC 2015
Modified Files:
pkgsrc/lang/ruby22-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby22-base/patches: patch-lib_mkmf.rb
Log Message:
Avoid generating an empty command line on some platforms:
$(DLLIB): $(OBJS) Makefile
...
$(Q) $(POSTLINK)
And POSTLINK is an empty macro. In such a case, GNU make ignores the empty
command line but BSD make tries to execute it and causes an error.
Bump PKGREVISION.
lang/ruby21-base: build fix
Revisions pulled up:
- pkgsrc/lang/ruby21-base/Makefile 1.12
- pkgsrc/lang/ruby21-base/distinfo 1.17
- pkgsrc/lang/ruby21-base/patches/patch-configure 1.4
- pkgsrc/lang/ruby21-base/patches/patch-lib_mkmf.rb 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Apr 22 19:04:56 UTC 2015
Modified Files:
pkgsrc/lang/ruby21-base: distinfo
pkgsrc/lang/ruby21-base/patches: patch-configure
Log Message:
Remove mention of MirBSD in patch description as support is there by default now
Reviewed by wiz@
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 30 03:27:20 UTC 2015
Modified Files:
pkgsrc/lang/ruby21-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby21-base/patches: patch-lib_mkmf.rb
Log Message:
Avoid generating an empty command line on some platforms:
$(DLLIB): $(OBJS) Makefile
...
$(Q) $(POSTLINK)
And POSTLINK is an empty macro. In such a case, GNU make ignores the empty
command line but BSD make tries to execute it and causes an error.
Bump PKGREVISION.
sysutils/file: security patch
Revisions pulled up:
- sysutils/file/Makefile 1.35
- sysutils/file/distinfo 1.23
- sysutils/file/patches/patch-src_softmagic.c 1.1
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat May 23 13:11:07 UTC 2015
Modified Files:
pkgsrc/sysutils/file: Makefile distinfo
Added Files:
pkgsrc/sysutils/file/patches: patch-src_softmagic.c
Log Message:
SECURITY: add patch for denial-of-service vulnerability. From Matthias
Ferdinand via pkgsrc-users. Bump PKGREVISION.
lang/ruby193-base: build fix
Revisions pulled up:
- pkgsrc/lang/ruby193-base/Makefile 1.50
- pkgsrc/lang/ruby193-base/distinfo 1.42-1.44
- pkgsrc/lang/ruby193-base/patches/patch-configure 1.12
- pkgsrc/lang/ruby193-base/patches/patch-lib_mkmf.rb 1.3
---
Module Name: pkgsrc
Committed By: jperkin
Date: Fri Apr 3 08:59:08 UTC 2015
Modified Files:
pkgsrc/lang/ruby193-base: distinfo
pkgsrc/lang/ruby193-base/patches: patch-configure
Log Message:
Disable CPU detection on Darwin, the result for 32-bit (i486) is incompatible
with pkgsrc MACHINE_ARCH (i386). Fixes 32-bit build, no change for 64-bit.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 30 03:25:56 UTC 2015
Modified Files:
pkgsrc/lang/ruby193-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby193-base/patches: patch-lib_mkmf.rb
Log Message:
Avoid generating an empty command line on some platforms:
$(DLLIB): $(OBJS) Makefile
...
$(Q) $(POSTLINK)
And POSTLINK is an empty macro. In such a case, GNU make ignores the empty
command line but BSD make tries to execute it and causes an error.
Bump PKGREVISION.
www/apache22: security patch
Revisions pulled up:
- www/apache22/Makefile 1.103
- www/apache22/distinfo 1.61
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c 1.1
---
Module Name: pkgsrc
Committed By: sborrill
Date: Fri May 22 09:20:20 UTC 2015
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c
Log Message:
Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
Based on FreeBSD ports.
security/clamav: security update
Revisions pulled up:
- security/clamav/Makefile 1.24
- security/clamav/Makefile.common 1.2
- security/clamav/distinfo 1.19
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed May 20 21:15:26 UTC 2015
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common distinfo
Log Message:
Update clamav to 0.98.7.
This release contains new scanning features and bug fixes.
- Improvements to PDF processing: decryption, escape sequence
handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified
and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue
was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and
patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file.
Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file.
This was reported by Dimitri Kirchner and Goulven Guiheux.
CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads.
Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's
regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by
Kai Risku.
- Improve detections within xar/pkg files.
www/fcgi: security patch
Revisions pulled up:
- www/fcgi/Makefile 1.19
- www/fcgi/distinfo 1.6
- www/fcgi/patches/patch-libfcgi_os_unix.c 1.1
---
Module Name: pkgsrc
Committed By: kim
Date: Wed May 20 04:10:38 UTC 2015
Modified Files:
pkgsrc/www/fcgi: Makefile distinfo
Added Files:
pkgsrc/www/fcgi/patches: patch-libfcgi_os_unix.c
Log Message:
Use poll instead of select. Fixes CVE-2012-6687.
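Why "poll instead of select" is a security fix, as an added C example (not libfcgi's code): select() works on a fixed-size fd_set bitmap, and FD_SET() on a descriptor numbered FD_SETSIZE or higher writes past that bitmap, usually on the stack; a server that accepts enough connections to reach such descriptor numbers corrupts memory, which is the CVE-2012-6687 class. poll() takes an array of descriptors and has no such limit. The wrapper names and the pipe-based demonstration below are constructed for this example; the explicit range check in the select() path is the guard the vulnerable code lacked.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Wait up to timeout_ms for fd to become readable using select().
 * Without the range check, FD_SET(fd, &rfds) is an out-of-bounds write
 * for fd >= FD_SETSIZE. Returns 1 readable, 0 timeout, -1 error. */
static int wait_readable_select(int fd, int timeout_ms)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;           /* refuse rather than overflow the bitmap */
        return -1;
    }
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return rc > 0 && FD_ISSET(fd, &rfds);
}

/* Same wait using poll(): any valid descriptor number is acceptable,
 * so there is no limit to check and no fixed-size structure to overrun. */
static int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, timeout_ms);
    if (rc < 0)
        return -1;
    return rc > 0 && (p.revents & (POLLIN | POLLHUP)) != 0;
}

/* Create a pipe, optionally move its read end above FD_SETSIZE (when the
 * process descriptor limit allows), write one byte, and ask the chosen
 * waiter whether the read end is readable. Returns the waiter's result. */
static int demo_wait(int use_poll, int high_fd)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int rfd = fds[0];
    if (high_fd) {
        /* dup2() to a high number fails under a low RLIMIT_NOFILE; the demo
         * then simply keeps the original descriptor number. */
        int target = FD_SETSIZE + 100;
        if (dup2(fds[0], target) == target) {
            close(fds[0]);
            rfd = target;
        }
    }
    if (write(fds[1], "x", 1) != 1)
        return -1;
    int r = use_poll ? wait_readable_poll(rfd, 100) : wait_readable_select(rfd, 100);
    close(rfd);
    close(fds[1]);
    return r;
}

int main(void)
{
    printf("select() on fd %d: %d (-1 = refused, would overflow fd_set)\n",
           FD_SETSIZE + 100, wait_readable_select(FD_SETSIZE + 100, 0));
    printf("poll() on pipe read end: %d (1 = readable)\n", demo_wait(1, 1));
    return 0;
}
```

The select() path here fails closed; the original bug was that nothing refused the large descriptor at all. Switching to poll() removes the limit instead of policing it, which is why the pkgsrc patch takes that route.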
databases/php-ldap: packaging fix
www/ap-php: packaging fix
Revisions pulled up:
- databases/php-ldap/Makefile 1.25
- www/ap-php/Makefile 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 11:19:53 UTC 2015
Modified Files:
pkgsrc/databases/php-ldap: Makefile
pkgsrc/databases/php-pdo_sqlite: Makefile
pkgsrc/textproc/php-intl: Makefile
pkgsrc/www/ap-php: Makefile
Log Message:
Reset PKGREVISION along with php{54,55,56} update.
emulators/qemu: security patch
Revisions pulled up:
- emulators/qemu/Makefile 1.138,1.137 via patch
- emulators/qemu/distinfo 1.104,1.103
- emulators/qemu/patches/patch-hw_block_fdc.c 1.1
- emulators/qemu/patches/patch-tests_Makefile 1.2
- emulators/qemu/patches/patch-user-exec.c deleted
---
Module Name: pkgsrc
Committed By: khorben
Date: Sat May 16 03:19:54 UTC 2015
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
Added Files:
pkgsrc/emulators/qemu/patches: patch-hw_block_fdc.c
Log Message:
Add patch for CVE-2015-3456.
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
XXX pull-up where applicable
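The bug class CVE-2015-3456 describes, as an added C example that also stands in for the XSA-133 entries above (sysutils/xenkernel45, xentools45, xenkernel42, xentools42): a FIFO index advanced by guest port writes is only checked against a transfer length that the guest's own command determined, so it can walk off the end of the allocation. This is a constructed model, not qemu's hw/block/fdc.c; the structure, names, sizes and the modulo wrap used in the fixed path are assumptions, the page only stating that the access is forced into bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SIZE  512   /* one sector of FIFO storage */
#define GUARD_SIZE 64    /* bytes that follow the FIFO in this model, standing
                            in for whatever is adjacent to the real allocation */

struct fdc_model {
    uint8_t  fifo[FIFO_SIZE];
    uint8_t  guard[GUARD_SIZE];
    uint32_t data_pos;   /* index of the next byte the guest transfers */
    uint32_t data_len;   /* transfer length, derived from the guest's command */
};

/* Vulnerable path: the only check is against data_len, and data_len is
 * itself under guest control, so data_pos can run past FIFO_SIZE. The byte
 * is stored through a byte pointer to the whole struct so the overrun into
 * guard[] stays visible (and defined) inside this model; callers keep
 * data_len below FIFO_SIZE + GUARD_SIZE for that reason. */
static int fifo_write_unsafe(struct fdc_model *f, uint8_t v)
{
    uint32_t pos = f->data_pos;
    if (pos >= f->data_len)
        return -1;
    ((uint8_t *)f)[pos] = v;      /* behaves like f->fifo[pos] = v, unbounded */
    f->data_pos++;
    return (int)pos;
}

/* Fixed path: the index is forced inside the allocation before use,
 * whatever the command said. Wrapping with modulo is this example's
 * choice (assumption); any bound that keeps pos < FIFO_SIZE would do. */
static int fifo_write_safe(struct fdc_model *f, uint8_t v)
{
    uint32_t pos = f->data_pos;
    if (pos >= f->data_len)
        return -1;
    pos %= FIFO_SIZE;
    f->fifo[pos] = v;
    f->data_pos++;
    return (int)pos;
}

/* Run a transfer of `len` bytes through one of the paths and return how
 * many guard bytes were touched; anything non-zero is memory corruption. */
static int demo_transfer(int use_safe_path, uint32_t len)
{
    static struct fdc_model m;
    memset(&m, 0, sizeof m);
    m.data_len = len;
    for (uint32_t i = 0; i < len; i++) {
        if (use_safe_path)
            fifo_write_safe(&m, 0x41);
        else
            fifo_write_unsafe(&m, 0x41);
    }
    int dirty = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        dirty += (m.guard[i] != 0);
    return dirty;
}

int main(void)
{
    /* A command announcing 520 bytes, 8 more than the FIFO holds. */
    printf("unsafe path: %d guard bytes corrupted\n", demo_transfer(0, 520));
    printf("safe path:   %d guard bytes corrupted\n", demo_transfer(1, 520));
    return 0;
}
```

In the real device model the bytes that follow the FIFO are other fields of the emulator's state and heap, which is what turns a guest-driven overrun into control of the qemu process, as the XSA-133 text above describes.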
---
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Apr 29 20:30:53 UTC 2015
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
pkgsrc/emulators/qemu/patches: patch-tests_Makefile
Removed Files:
pkgsrc/emulators/qemu/patches: patch-user-exec.c
Log Message:
Update to 2.3.0
Changelog:
* Support for 32-bit KVM guests on 64-bit ARM hosts
* Support for running KVM under valgrind
* New IvyBridge CPU model for x86 guests
* Xen: support for ioreq-server API
* New 5KEc and 5KEf MIPS64r2, and M14K and M14Kc MIPS32r2
microMIPS CPU models for MIPS guests
* Basic support for transactional memory extensions in PowerPC guests
* Improved VGA support for little-endian PPC/pSeries guests
* PCI bus support for s390x guests
* Support for automatic guest device unplug when passthrough devices
are unbound from VFIO host driver
* Improved UI performance/support for GTK+/VNC/SDL/Spice, and VNC
support for multiseat
* Performance improvements for virtio-blk emulation: asynchronous SCSI
request handling, and disk read merging.
* QEMU Guest Agent: now also supports file operations in Windows guests,
can be used to enable/disable memory blocks in linux guests in
support for memory hotplug.
* Migration can now include a JSON description of migration stream to aid
in identifying incompatibilities between guests/hosts.
* And lots more...
lang/php56: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.99
- lang/php56/distinfo 1.10
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 11:18:57 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.9.
14 May 2015, PHP 5.6.9
- Core:
. Fixed bug #69467 (Wrong checked for the interface by using Trait).
(Laruence)
. Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
. Fixed bug #60022 ("use statement [...] has no effect" depends on leading
backslash). (Nikita)
. Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
(Dmitry)
. Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
. Fixed bug #69419 (Returning compatible sub generator produces a warning).
(Nikita)
. Fixed bug #69472 (php_sys_readlink ignores misc errors from
GetFinalPathNameByHandleA). (Jan Starke)
. Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
. Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
(Stas)
. Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
. Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
- FTP:
. Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap
overflow). (Stas)
- ODBC:
. Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
(Anatol)
. Fixed bug #69474 (ODBC: Query with same field name from two tables returns
incorrect result). (Anatol)
. Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall,
Anatol Belski)
- OpenSSL:
. Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
(Daniel Lowrey)
- PCNTL:
. Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
- PCRE
. Upgraded pcrelib to 8.37.
- Phar:
. Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
filename starts with null). (Stas)
lang/php55: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.98
- lang/php55/distinfo 1.40
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 11:17:45 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: distinfo
Log Message:
Update php55 to 5.5.25.
14 May 2015, PHP 5.5.25
- Core:
. Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
. Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
(Stas)
. Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
. Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
. Fixed bug #69467 (Wrong checked for the interface by using Trait).
(Laruence)
. Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
. Fixed bug #60022 ("use statement [...] has no effect" depends on leading
backslash). (Nikita)
. Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
(Dmitry)
. Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
. Fixed bug #69419 (Returning compatible sub generator produces a warning).
(Nikita)
. Fixed bug #69472 (php_sys_readlink ignores misc errors from
GetFinalPathNameByHandleA). (Jan Starke)
- FTP:
. Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap
overflow). (Stas)
- ODBC:
. Fixed bug #69474 (ODBC: Query with same field name from two tables returns
incorrect result). (Anatol)
. Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall,
Anatol Belski)
- OpenSSL:
. Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
(Daniel Lowrey)
- PCNTL:
. Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
- Phar:
. Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename
starts with null). (Stas)
lang/php54: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.97
- lang/php54/distinfo 1.57
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 11:16:41 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php54: distinfo
Log Message:
Update php54 to 5.4.41.
14 May 2015 PHP 5.4.41
- Core:
. Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
. Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
(Stas)
. Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
. Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
- FTP:
. Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap
overflow). (Stas)
- PCNTL:
. Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
- PCRE
. Upgraded pcrelib to 8.37.
- Phar:
. Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
filename starts with null). (Stas)
audio/pulseaudio: build fix
Revisions pulled up:
- audio/pulseaudio/buildlink3.mk 1.24
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Apr 19 06:42:02 UTC 2015
Modified Files:
pkgsrc/audio/pulseaudio: buildlink3.mk
pkgsrc/x11/qt5-qtmultimedia: Makefile
Log Message:
Wrap libtool arguments (instead of cxx) and do it for all pulseaudio users
instead of only qt5-qtmultimedia.
Fixes build failures in qt5-qtmultimedia users like kid3.
Suggested by joerg.
archivers/libarchive: security patch
Revisions pulled up:
- archivers/libarchive/Makefile.common 1.3
- archivers/libarchive/files/libarchive/archive_read.c 1.5
---
Module Name: pkgsrc
Committed By: sevan
Date: Thu May 14 14:54:55 UTC 2015
Modified Files:
pkgsrc/archivers/libarchive: Makefile.common
pkgsrc/archivers/libarchive/files/libarchive: archive_read.c
Log Message:
Patch an out-of-bounds read, obtained from:
https://github.com/libarchive/libarchive/issues/502
https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008
Bump PKGREVISION.
Reviewed by bsiegert@
databases/sqlite3: security update
Revisions pulled up:
- databases/sqlite3/Makefile patch
- databases/sqlite3/distinfo patch
---
Apply the patch proposed by J. Lewis Muir on the "pkgsrc-users" mailing list:
Below is a patch against pkgsrc-2015Q1 to update databases/sqlite3 to
version 3.8.10 which includes fixes for the bugs found by the AFL fuzzer.
security/openssh: security fix
Revisions pulled up:
- security/openssh/Makefile 1.229
- security/openssh/distinfo 1.91
- security/openssh/patches/patch-compat.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Sat May 16 14:43:02 UTC 2015
Modified Files:
pkgsrc/security/openssh: Makefile distinfo
Added Files:
pkgsrc/security/openssh/patches: patch-compat.c
Log Message:
Use the correct buffer when calling strlen
http://www.openwall.com/lists/oss-security/2015/05/16/3
Reviewed by wiz@
net/wireshark: security fix
Revisions pulled up:
- net/wireshark/Makefile 1.133
- net/wireshark/distinfo 1.81
---
Module Name: pkgsrc
Committed By: tron
Date: Fri May 15 18:02:13 UTC 2015
Modified Files:
pkgsrc/net/wireshark: Makefile distinfo
Log Message:
Update "wireshark" package to version 1.10.14. Changes since 1.10.13:
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2015-14
The WCP dissector could crash while decompressing data. (Bug 10978)
CVE-2015-3811
* wnpa-sec-2015-15
The X11 dissector could leak memory. (Bug 11088)
CVE-2015-3812
* wnpa-sec-2015-17
The IEEE 802.11 dissector could go into an infinite loop. (Bug 11110)
CVE-2015-3814
The following bugs have been fixed:
* Wireshark crashes if "Update list of packets in real time" is
disabled and a display filter is applied while capturing. (Bug 6217)
* Wireshark relative ISN set incorrectly if raw ISN set to 0.
(Bug 10713)
* Buffer overrun in encryption code. (Bug 10849)
* ICMP Parameter Problem message contains Length of original datagram
is treated as the total IPv4 length. (Bug 10991)
* ICMP Redirect takes 4 bytes for IPv4 payload instead of 8. (Bug
10992)
* Interface Identifier incorrectly represented by Wireshark. (Bug
11053)
* Annoying popup when trying to capture on bonding devices on Linux.
(Bug 11058)
* CanOpen dissector fails on frames with RTR and 0 length. (Bug 11083)
* Typo in secp521r1 curve wrongly identified as sect521r1. (Bug 11106)
* packet-zbee-zcl.h: IS_ANALOG_SUBTYPE doesn't filter ENUM. (Bug 11120)
* Typo: "LTE Positioning Protocol" abbreviated as "LPP", not "LLP".
(Bug 11141)
- Updated Protocol Support
ASN.1 PER, CANopen, GSM RLC/MAC, GSMTAP, ICMP, IEEE 802.11, LPP,
MEGACO, PKCS-1, PPP IPv6CP, SRVLOC, SSL, TCP, WCP, X11, and ZigBee ZCL
- New and Updated Capture File Support
Savvius OmniPeek Visual Networks
math/cln: build fix
Revisions pulled up:
- math/cln/Makefile 1.25
- math/cln/distinfo 1.14
- math/cln/patches/patch-src_base_cl__low.h 1.1
---
Module Name: pkgsrc
Committed By: joerg
Date: Fri May 15 09:17:03 UTC 2015
Modified Files:
pkgsrc/math/cln: Makefile distinfo
Added Files:
pkgsrc/math/cln/patches: patch-src_base_cl__low.h
Log Message:
Disable assembler on ARM, it doesn't work with EABI. Don't put a
variable with C linkage in a namespace, clang (correctly) complains
about the shadowing (re)declarations. Bump revision.