| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
chat/libpurple: security fix
Revisions pulled up:
- chat/finch/Makefile 1.67
- chat/libpurple/Makefile 1.80
- chat/libpurple/Makefile.common 1.47-1.48
- chat/libpurple/PLIST 1.32-1.33
- chat/libpurple/buildlink3.mk 1.43
- chat/libpurple/distinfo 1.47-1.49
- chat/libpurple/patches/patch-libpurple_protocols_mxit_profile.c deleted
- chat/pidgin-sametime/Makefile 1.48
- chat/pidgin-silc/Makefile 1.51
- chat/pidgin/Makefile 1.70
- chat/pidgin/PLIST 1.23-1.24
---
Module Name: pkgsrc
Committed By: khorben
Date: Sat Mar 11 03:02:40 UTC 2017
Modified Files:
pkgsrc/chat/libpurple: Makefile.common PLIST buildlink3.mk distinfo
pkgsrc/chat/pidgin: PLIST
Log Message:
Update chat/{libpurple,pidgin} to version 2.11.0
version 2.11.0 (06/21/2016):
General:
* 2.10.12 was accidentally released with new additions to the API and
should have been released as 2.11.0. Unfortunately, we did not catch
the mistake until after 2.10.12 was released, but we're fixing it now.
See ChangeLog.API for more information.
* Include the Mozilla certificate bundle. This fixes connecting to servers
with certificates from Let's Encrypt.
* Remove all 1024-bit CAs
libpurple:
* media: fix an issue with ximagesink displaying only a corner cut-out of
a larger webcam video (Jakub Adam)
* mediamanager: update output window destruction so that it reflects recent
changes in the media pipeline structure (Jakub Adam)
* Ported Instantbird's CommandUiOps to libpurple (Dequis)
Pidgin:
* Fixed #14962
* Fixed alignment of incoming right-to-left messages in protocols that
don't support rich text
* Fix a potential crash while exiting pidgin
Windows-Specific Changes:
* Use getaddrinfo for DNS to enable IPv6 (#1075)
* Updates to dependencies:
* NSS 3.24 and NSPR 4.12.
AIM:
* Add support for the newer kerberos-based authentication of AIM 8.x
Bonjour
* Fixed building on Mac OSX (Patrick Cloke) (#16883)
ICQ:
* Stop truncating passwords to 8 characters like old ICQ clients did.
(#16692). If you actually needed this, truncate your password
manually by pressing backspace a few times.
IRC:
* Base64-decode SASL messages before passing to libsasl (#16268)
MXit
* Fixed a buffer overflow. Discovered by Yves Younan of Cisco Talos.
(TALOS-CAN-0120)
* Fixed a remote out-of-bounds read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0140)
* Fixed a remote out-of-band read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0138, TALOS-CAN-0135)
* Fixed an invalid read. Discovered by Yves Younan of Cisco Talos
(TALOS-CAN-0118)
* Fixed a remote buffer overflow vulnerability. Discovered by Yves
Younan of Cisco Talos. (TALOS-CAN-0119)
* Fixed an out-of-bounds read discovered by Yves Younan of Cisco Talos.
(TALOS-CAN-0123)
* Fixed a directory traversal issue. Discovered by Yves Younan of Cisco
Talos (TALOS-CAN-0128)
* Fixed a remote denial of service vulnerability that could result in
a null pointer dereference. Discovered by Yves Younan of Cisco Talos.
(TALOS-CAN-0133)
* Fixed a remote denial of service that could result in an out-of-bounds
read. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0134)
* Fixed multiple remote buffer overflows. Discovered by Yves Younan of
Cisco Talos. (TALOS-CAN-0136)
* Fixed a remote NULL pointer dereference. Discovered by Yves Younan of
Cisco Talos (TALOS-CAN-0137)
* Fixed a remote code execution issue discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0142)
* Fixed a remote denial of service vulnerability in contact mood
handling. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
* Fixed a remote out-of-bounds write vulnerability. Discovered by Yves
Younan of Cisco Talos. (TALOS-CAN-0139)
* Fix a remote out-of-bounds read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0143)
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Mar 11 07:15:25 UTC 2017
Modified Files:
pkgsrc/chat/finch: Makefile
pkgsrc/chat/libpurple: Makefile
pkgsrc/chat/pidgin: Makefile
pkgsrc/chat/pidgin-sametime: Makefile
pkgsrc/chat/pidgin-silc: Makefile
Log Message:
Reset PKGREVISION after update.
---
Module Name: pkgsrc
Committed By: khorben
Date: Mon Mar 20 18:42:51 UTC 2017
Modified Files:
pkgsrc/chat/libpurple: Makefile.common PLIST distinfo
pkgsrc/chat/pidgin: PLIST
Removed Files:
pkgsrc/chat/libpurple/patches: patch-libpurple_protocols_mxit_profile.c
Log Message:
Update chat/{libpurple,pidgin} to version 2.12.0
version 2.12.0 (03/09/2017):
libpurple:
* Fix an out of bounds memory read in purple_markup_unescape_entity.
CVE-2017-2640
* Fix use of uninitialised memory if running non-debug-enabled versions
of glib
* Updated AIM dev and dist ID's to new ones that were assigned by AOL.
* TLS certificate verification now uses SHA-256 checksums.
* Fixed SASL external auth for Freenode.
* Removed the MSN protocol plugin. It has been unusable and dormant for
some
time. MSNP18 has been discontinued and the protocol plugin would
require a
large update to start working again. See: http://ismsndeadyet.com/ The
third-party Pidgin SkypeWeb plugin, however, should provide enough
functionality as a replacement if people still want to use MSN:
https://github.com/EionRobb/skype4pidgin/tree/master/skypeweb
* Removed Mxit protocol plugin. The service was closed at the end of
September 2016. See
https://pidgin.im/pipermail/devel/2016-September/024078.htm
* Removed the MySpaceIM protocol plugin. The service has been defunct for a
long time. (#15356)
* Remove the Yahoo! protocol plugin. Yahoo has completely
reimplemented their protocol, so this version is no longer operable as
of August 5th, 2016:
https://yahoo.tumblr.com/post/145715934739/q2-2016-progress-report-on-our-product
A new protocol plugin has been written to support the new protocol.
It can be found here: https://github.com/EionRobb/funyahoo-plusplus
This also removes support for Yahoo! Japan. According to
http://messenger.yahoo.co.jp/ the service ended March 26th, 2014.
* Remove the Facebook (XMPP) account option. According to
https://developers.facebook.com/docs/chat the XMPP Chat API service
ended April 30th, 2015. A new protocol plugin has been written,
using a different method, to support Facebook. It can be found at
https://github.com/dequis/purple-facebook/wiki
* Fixed gnutls certificate validation errors that mainly affected
google (Dequis)
General
* Replaced instances of d.pidgin.im with developer.pidgin.im and
updated the
urls to use https. (#17036)
IRC
* Fixed issue of messages being silently cut off at 500 characters. Large
messages are now split into parts and sent one by one. (#4753)
---
Module Name: pkgsrc
Committed By: joerg
Date: Wed Mar 22 09:46:11 UTC 2017
Modified Files:
pkgsrc/chat/libpurple: distinfo
Log Message:
Regenerate to match actual patches.
|
|
|
|
security/py-crypto: security patch
Revisions pulled up:
- security/py-crypto/Makefile 1.40
- security/py-crypto/distinfo 1.13
- security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py 1.2
- security/py-crypto/patches/patch-src_block_template.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: sevan
Date: Tue Mar 7 23:17:51 UTC 2017
Modified Files:
pkgsrc/security/py-crypto: Makefile distinfo
Added Files:
pkgsrc/security/py-crypto/patches:
patch-lib_Crypto_SelfTest_Cipher_common.py
patch-src_block_template.c
Log Message:
Patch CVE-2013-7459, obtained from:
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
Bump rev.
Reviewed by: wiz
To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/py-crypto/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/py-crypto/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py \
pkgsrc/security/py-crypto/patches/patch-src_block_template.c
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: sevan
Date: Wed Mar 8 01:09:00 UTC 2017
Modified Files:
pkgsrc/security/py-crypto: distinfo
pkgsrc/security/py-crypto/patches:
patch-lib_Crypto_SelfTest_Cipher_common.py
Log Message:
Tabs vs spaces!
Unbreak with the Python 3 versions of the package.
Heads up by Daniel Jakots.
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/py-crypto/distinfo
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py
|
|
|
|
graphics/gd: security fix
Revisions pulled up:
- graphics/gd/Makefile 1.113
- graphics/gd/distinfo 1.43
- graphics/gd/patches/patch-src_gd__webp.c deleted
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Feb 4 23:05:52 UTC 2017
Modified Files:
pkgsrc/graphics/gd: Makefile distinfo
Removed Files:
pkgsrc/graphics/gd/patches: patch-src_gd__webp.c
Log Message:
update of gd to 2.2.4.
Upstream Changelog:
Security
gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)
double-free in gdImageWebPtr() (CVE-2016-6912)
potential unsigned underflow in gd_interpolation.c
DOS vulnerability in gdImageCreateFromGd2Ctx()
Fixed
Fix #354: Signed Integer Overflow gd_io.c
Fix #340: System frozen
Fix OOB reads of the TGA decompression buffer
Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
Fix potential unsigned underflow
Fix double-free in gdImageWebPtr()
Fix invalid read in gdImageCreateFromTiffPtr()
Fix OOB reads of the TGA decompression buffer
Fix #68: gif: buffer underflow reported by AddressSanitizer
Avoid potentially dangerous signed to unsigned conversion
Fix #304: test suite failure in gif/bug00006 [2.2.3]
Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border
Fix #330: Integer overflow in gdImageScaleBilinearPalette()
Fix 321: Null pointer dereferences in gdImageRotateInterpolated
Fix whitespace and add missing comment block
Fix #319: gdImageRotateInterpolated can have wrong background color
Fix color quantization documentation
Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
Fix #307: GD_QUANT_NEUQUANT fails to unset trueColor flag
Fix #300: gdImageClone() assigns res_y = res_x
Fix #299: Regression regarding gdImageRectangle() with gdImageSetThickness()
Replace GNU old-style field designators with C89 compatible initializers
Fix #297: gdImageCrop() converts palette image to truecolor image
Fix #290: TGA RLE decoding is broken
Fix unnecessary non NULL checks
Fix #289: Passing unrecognized formats to gdImageGd2 results in corrupted files
Fix #280: gdImageWebpEx() quantization parameter is a misnomer
Publish all gdImageCreateFromWebp*() functions and gdImageWebpCtx()
Fix issue #276: Sometimes pixels are missing when storing images as BMPs
Fix issue #275: gdImageBmpCtx() may segfault for non-seekable contexts
Fix copy&paste error in gdImageScaleBicubicFixed()
Added
More documentation
Documentation on GD and GD2 formats
More tests
|
|
www/apache-tomcat8: security fix
Revisions pulled up:
- www/apache-tomcat8/Makefile 1.9-1.10
- www/apache-tomcat8/PLIST 1.5-1.7
- www/apache-tomcat8/distinfo 1.10-1.11
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Jan 1 17:26:13 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo
Log Message:
update to current tomcat 8.0 train version, fixing CVE-2016-5388.
Changelog:
Tomcat 8.0.39 (violetagg)
Catalina
Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and AJP/1.3 connectors can be created. (markt)
Fix: Include the Context name in the log message when an item cannot be added to the cache. (markt)
Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
Fix: When calling getResourceAsStream() on a directory, ensure that null is returned. (markt)
Fix: 60161: Allow creating subcategories of the container logger, and use it for the rewrite valve. (remm)
Fix: Correctly test for control characters when reading the provided shutdown password. (markt)
Fix: When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
Fix: Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
Fix: 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported.
These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
Fix: If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
Fix: Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
Add: Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
Fix: Correct a typo in HTTP Connector How-To. Issue reported via comments.apache.org. (violetagg)
Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
Fix: Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
Tribes
Fix: When the proxy node sends a backup retrieve message, ensure that using the channelSendOptions that has been set rather than the default channelSendOptions. (kfujino)
Other
Update: Update the ECJ compiler to version 4.5.1. (markt)
Fix: Remove classes from tomcat-util-scan.jar that are duplicates of those in tomcat-util.jar. (markt)
2016-10-10 Tomcat 8.0.38 (markt)
Catalina
Add: 59961: Add an option to the StandardJarScanner to control whether or not JAR Manifests are scanned for additional class path entries. (markt)
Fix: 60013: Refactor the previous fix to align the behaviour of the Rewrite Valve with mod_rewrite. As part of this, provide an implementation for the B and NE flags and improve the handling for
the QSA flag. Includes multiple test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt)
Fix: 60087: Refactor the web resources handling to use the Tomcat specific war:file:... URL protocol to refer to WAR files and their contents rather than the standard jar:file:... form since some
components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to
reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager. (markt)
Fix: 60116: Fix a problem with the rewrite valve that caused back references evaluated in conditions to be forced to lower case when using the NC flag. (markt)
Fix: Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Fix: 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
Fix: 60146: Improve performance for resource retrieval by making calls to WebResource.getInputStream() trigger caching if the resource is small enough. Patch provided by mohitchugh. (markt)
Add: 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
Fix: 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
Fix: 60170: Exclude the compressed test file index.html.br from RAT analysis. Patch provided by Gavin McDonald. (markt)
Fix: When starting web resources, ensure that class resources are only started once. (markt)
Fix: Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
Fix: 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
Coyote
Fix: Correctly handle a call to AsyncContext.complete() from a non-container thread when non-blocking I/O is being used. (markt)
Add: Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync()
completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This
removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Fix: 60123: Avoid potential threading issues that could cause excessively large vales to be returned for the processing time of a current request. (markt)
Fix: 60174: Log instances of HeadersTooLargeException during request processing. (markt)
Jasper
Fix: 60101: Remove preloading of the class that was deleted. (violetagg)
Web applications
Add: Expand the documentation for the nested elements within a Resources element to clarify the behaviour of different configuration options with respect to the order in which resources are
searched. (markt)
Add: Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
Fix: 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
jdbc-pool
Fix: Notify jmx when returning the connection that has been marked suspect. (kfujino)
Fix: Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Fix: 60099: Ensure that use all method arguments as a cache key when using StatementCache. (kfujino)
Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
Fix: Update the download location for Objenesis. (violetagg)
Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is log4j-web*.jar that contains the ServletContainerInitializer. (markt)
Add: Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation
patch by James H.H. Lampert. (schultz)
Update: Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
2016-09-05 Tomcat 8.0.37 (markt)
Catalina
Fix: 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
Add: 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
Update: Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than
the security risk of not enabling this option by default. (markt)
Fix: Do not attempt to start web resources during a web application's initialisation phase since the web application is not fully configured at that point and the web resources may not be
correctly configured. (markt)
Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59813: Ensure that circular relations of the Class-Path attribute from JAR manifests will be processed correctly. (violetagg)
Fix: Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an
unexpected initialisation thread and if initilisation is not thread-safe the initialisation can then fail. (markt)
Fix: Compatibility with rewrite from httpd for non existing headers. (jfclere)
Fix: By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty Sutherland. (fschumacher)
Add: Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the
current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
Add: When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
Fix: 59824: Mark the RewriteValve as supporting async processing by default. (markt)
Fix: 59862: Allow nested jar files scanning to be filtered with the system property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is provided by Terence Bandoian. (violetagg)
Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
Fix: 59888: Correctly handle tabs and spaces in quoted version one cookies when using the Rfc6265CookieProcessor. (markt)
Fix: 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
Fix: 59960: Fix Javadoc so it builds with Java 8. Patch by Coty Sutherland. (markt)
Fix: 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
Fix: Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
Fix: Changes to the allowLinking attribute of a StandardRoot instance now invalidate the cache if caching is enabled. (markt)
Add: Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future,
similar issues. (markt)
Add: When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
Fix: 60008: When processing CORs requests, treat any origin with a URI scheme of file as a valid origin. (markt)
Fix: Improve handling of exceptions during a Lifecycle events triggered by a state transition. The exception is now caught and the component is now placed into the FAILED state. (markt)
Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 query strings or UTF-8 redirect URLs. (markt)
Fix: 60022: Improve handling when a WAR file and/or the associated exploded directory are symlinked into the appBase. (markt)
Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
Fix: Consistently decode URL patterns provided via web.xml using the encoding of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt)
Fix: Make timing attacks against the Realm implementations harder. (schultz)
Coyote
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Extend synchronization for NIO2 writes to avoid ConcurrentModificationException observed during testing. (markt)
Fix: 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
Fix: 59925: Correct regression in r1628368 and ensure that HTTP separators are handled as configured in the LegacyCookieProcessor. Patch provided by Kyohei Nakamura. (markt)
Fix: OpenSSL now disables 3DES by default so reflect this when using OpenSSL syntax to select ciphers. (markt)
Jasper
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
Fix: 60032: Fix handling of method calls that use varargs within EL value expressions. (markt)
Fix: Ignore engineOptionsClass and scratchdir when running under a security manager. (markt)
Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web Applications
Fix: Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
Fix: 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
Fix: Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created
for an Engine. (markt)
Fix: Fix the description of maxAge attribute in jdbc-pool doc. This attribute works both when a connection is returned and when a connection is borrowed. (kfujino)
Fix: 59774: Correct the prefix values in the documented examples for configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
Fix: 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
Fix: Update NIO Connector configuration documentation with an information about socket.directSslBuffer. (violetagg)
Fix: 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
Tribes
Add: Add log message when the ping has timed-out. (kfujino)
Fix: If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that notify the member is alive than ignore it. (kfujino)
jdbc-pool
Fix: Fix the duplicated connection release when connection verification failed. (kfujino)
Fix: Ensure that do not remove the abandoned connection that has been already released. (kfujino)
Fix: In order to avoid the unintended skip of PoolCleaner, remove the check code of the execution interval in the task that has been scheduled. (kfujino)
Fix: 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
Fix: 59923: Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. (kfujino)
Fix: Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
Fix: 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
Fix: Add log message of when returning the connection that has been marked suspect. (kfujino)
Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other
Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
Add: Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to include the changes made in 2.1 / JavaEE 7. (markt)
Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
Update: Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up a couple of bug fixes. (markt)
Update: Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
Update: Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Feb 4 20:48:03 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo
Log Message:
Update to Tomcat 8.0.41. Upstream changelog:
Tomcat 8.0.41 (violetagg)
Cluster
Add: Make the accessTimeout configurable in BackupManager. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
Fix: Ensure the ASF logo image is displayed in host-manager. (violetagg)
not released Tomcat 8.0.40 (violetagg)
Catalina
Add: 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP status codes recognised by Tomcat. (markt)
Fix: 60446: Handle the case where the stored user credential uses a different key length than the length currently configured for the CredentialHandler. Based on a patch by Niklas Holm. (markt)
Fix: 60351: Delay creating META-INF/war-tracker file until after the WAR has been expanded to address the case where the Tomcat process terminates during the expansion. (markt)
Fix: Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
Fix: 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
Fix: 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
Fix: 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
Code: 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
Fix: 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
Fix: Correctly generate URLs for resources located inside JARs that are themselves located inside a packed WAR file. (markt)
Fix: 60410: Ensure that multiple calls to JarInputStreamWrapper#close() do not incorrectly trigger the closure of the underlying JAR or WAR file. (markt)
Fix: 60411: Implement support in the RewriteValve for symbolic names to specify the redirect code to use when returning a redirect response to the user agent. Patch provided by Michael Osipov.
(markt)
Fix: 60413: In the RewriteValve write empty capture groups as the empty string rather than as "null" when generating the re-written URL. Based on a patch by Michael Osipov. (markt)
Update: Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options. (markt)
Fix: 60513: Fix thread safety issue with RMI cleanup code. (remm)
Coyote
Fix: Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.0.0.0 or ::. (markt)
Fix: Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. (violetagg)
Fix: Improve the logic that selects an address to use to unlock the Acceptor to take account of platforms what do not listen on all local addresses when configured with an address of 0.0.0.0 or
::. (markt)
Fix: 60409: When unable to complete sendfile request, ensure the Processor will be added to the cache only once. (markt/violetagg)
Jasper
Fix: 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
Fix: 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
Fix: Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
Fix: 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
Fix: Revert use of try/finally for simple tags. (remm)
Web applications
Fix: Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
Fix: 60344: Add a note to BUILDING.txt regarding using the source bundle with the correct line endings. (markt)
Fix: 60412: Add information on the comment syntax for the RewriteValve configuration. (markt)
Fix: 60467: remove problematic characters from XML documentation. Based upon a patch by Michael Osipov. (schultz)
Add: In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
Update: Update the ASF logos to the new versions.
Fix: 60468: Correct the format of the sample ISO-8601 date used to report the build date for the documentation. Patch provided by Michael Osipov. (markt)
Tribes
Fix: Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
Add: Add log message that PING message has received beyond the timeout period. (kfujino)
Fix: When a PING message that beyond the time-out period has been received, make sure that valid member is added to the map membership. (kfujino)
WebSocket
Fix: 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
Add: 58816: Implement the statistics of jdbc-pool. The stats infos are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount.
(kfujino)
Fix: 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
Fix: 60398: Fix testcase of TestSlowQueryReport. (kfujino)
Add: Enable reset the statistics without restarting the pool. (kfujino)
Other
Fix: 60366: Change catalina.bat to use directly LOGGING_MANAGER and LOGGING_CONFIG variables in order to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg.
(violetagg)
Add: New property is added test.verbose in order to control whether the output of the tests is displayed on the console or not. Patch provided by Emmanuel Bourg. (violetagg)
Update: Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions.
Fix: Spelling corrections provided by Josh Soref. (violetagg)
---
Module Name: pkgsrc
Committed By: prlw1
Date: Mon Feb 6 15:55:49 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: PLIST
Log Message:
Fix PLIST:
$ tar tzvf /usr/pkgsrc/distfiles/apache-tomcat-8.0.41.tar.gz | egrep 'ROOT=
.*asf-logo'
-rw-r--r-- 1 root wheel 26447 Jan 18 22:25 apache-tomcat-8.0.41/=
webapps/ROOT/asf-logo-wide.svg
|
|
|
|
www/w3m: security update
Revisions pulled up:
- www/w3m/Makefile.common 1.64
- www/w3m/PLIST 1.18
- www/w3m/distinfo 1.30
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: leot
Date: Sat Jan 21 09:11:27 UTC 2017
Modified Files:
pkgsrc/www/w3m: PLIST
Log Message:
Readd `libexec/w3m/w3mimgdisplay' to the PLIST to fix w3m installation built
with an imagelib option.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/www/w3m/PLIST
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Sun Feb 19 18:35:13 UTC 2017
Modified Files:
pkgsrc/www/w3m: Makefile.common distinfo
Log Message:
Update w3m to 0.5.3+git20170102.
Changes:
- fix multiple flaws with malformed text (buffer overflow, use after
free, infinite loop)
- fix uninitialized variable when not USE_IMAGE
To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 pkgsrc/www/w3m/Makefile.common
cvs rdiff -u -r1.29 -r1.30 pkgsrc/www/w3m/distinfo
|
|
shells/bash: security fix
Revisions pulled up:
- shells/bash/Makefile 1.80
- shells/bash/distinfo 1.46
---
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 22 21:52:05 UTC 2017
Modified Files:
pkgsrc/shells/bash: Makefile distinfo
Log Message:
bash: update to patchlevel 11.
changes:
patch 06:
Out-of-range negative offsets to popd can cause the shell to crash attempting
to free an invalid memory block.
patch 07:
When performing filename completion, bash dequotes the directory name being
completed, which can result in match failures and potential unwanted
expansion.
patch 08:
Under certain circumstances, bash will evaluate arithmetic expressions as
part of reading an expression token even when evaluation is suppressed. This
happens while evaluating a conditional expression and skipping over the
failed branch of the expression.
patch 09:
Depending on compiler optimizations and behavior, the `read' builtin may not
save partial input when a timeout occurs.
patch 10:
Depending on compiler optimizations and behavior, the `read' builtin may not
save partial input when a timeout occurs.
patch 11:
Subshells begun to run command and process substitutions may attempt to
set the terminal's process group to an incorrect value if they receive
a fatal signal. This depends on the behavior of the process that starts
the shell.
|
|
|
|
sysutils/wbm-passwd: remove package
Revisions pulled up:
- sysutils/Makefile 1.688
- sysutils/wbm-passwd/DESCR deleted
- sysutils/wbm-passwd/Makefile deleted
- sysutils/wbm-passwd/PLIST deleted
- sysutils/wbm-passwd/distinfo deleted
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: mef
Date: Wed Feb 1 13:13:23 UTC 2017
Modified Files:
pkgsrc/sysutils: Makefile
Removed Files:
pkgsrc/sysutils/wbm-passwd: DESCR Makefile PLIST distinfo
Log Message:
Deleted sysutils/wbm-passwd.
To generate a diff of this commit:
cvs rdiff -u -r1.687 -r1.688 pkgsrc/sysutils/Makefile
cvs rdiff -u -r1.1.1.1 -r0 pkgsrc/sysutils/wbm-passwd/DESCR
cvs rdiff -u -r1.7 -r0 pkgsrc/sysutils/wbm-passwd/Makefile \
pkgsrc/sysutils/wbm-passwd/PLIST
cvs rdiff -u -r1.8 -r0 pkgsrc/sysutils/wbm-passwd/distinfo
|
|
|
|
www/lighttpd: bugfix
Revisions pulled up:
- www/lighttpd/Makefile 1.60
- www/lighttpd/distinfo 1.38
- www/lighttpd/patches/patch-src_fdevent__freebsd__kqueue.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Sat Feb 11 21:13:08 UTC 2017
Modified Files:
pkgsrc/www/lighttpd: Makefile distinfo
Added Files:
pkgsrc/www/lighttpd/patches: patch-src_fdevent__freebsd__kqueue.c
Log Message:
Apply fix from https://redmine.lighttpd.net/issues/2788,
per message to pkgsrc-users@ from Glenn Strauss.
Bump PKGREVISION.
|
|
|
|
editors/ed: security fix
Revisions pulled up:
- editors/ed/Makefile 1.19
- editors/ed/distinfo 1.11
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jan 12 11:20:02 UTC 2017
Modified Files:
pkgsrc/editors/ed: Makefile distinfo
Log Message:
Updated ed to 1.14.1.
Changes in version 1.14:
Version 1.14 is the largest bug hunt ever attempted in GNU ed. Other
goals of version 1.14 are to complete the documentation and to remove
any gratuitous incompatibilities with the POSIX standard. Thanks to Ori
Avtalion for initiating all this with a couple bug reports. ;-)
Byte counts, informative messages, command error messages, and the '?'
and '!' prompts are now written to stdout instead of to stderr. The
standard error (stderr) is now used only for diagnostic messages.
The current address is now correctly set to the addressed line after an
empty insert command.
Fixed inconsistent behavior of the substitute command. It incorrectly
reported 'Invalid pattern delimiter' when the two last delimiters were
omitted after a null regular expression. Now it consistently reports
'Missing pattern delimiter' if the two last delimiters are omitted after
any regular expression (null or not).
's/a/%' has been fixed. It incorrectly replaced 'a' with '%' instead of
using the replacement from the last substitution.
An infinite loop, happening when EOF was found in the middle of a
replacement string, has been fixed.
Ed no longer accepts newlines in the replacement of a 's' command if it
is part of the command list of a global command, because in this case
the meaning of the newline becomes ambiguous. For the same reason, the
last delimiter can't be omitted if the 's' command is not the last
command in the command list.
The substitute command now correctly sets the current address to the
address of the last line on which a substitution occurred, and leaves it
unchanged if no substitution is performed.
A bug in the calculation of address offsets has been fixed. '3 ---- 2'
was calculated as address -2 instead of the correct address 1.
Address ranges with the first address omitted are now accepted.
The current address is now correctly set to the addressed line (or to
the new last line if at EOF) after an empty replacement text in the
change command.
Repeated print suffixes are now rejected. It has been documented that ed
allows any combination of non-repeated print suffixes and combines their
effects.
The substitute command now accepts suffixes in any order.
The 'repeat substitution' command now rejects multiple count suffixes.
The 'p' suffix of the 'repeat substitution' command now toggles all the
print suffixes of the last substitution.
End of file on standard input now behaves as a 'q' command.
The modified status is no longer cleared after writing the buffer to the
standard input of a shell command. (Reported by Jerome Frgacic).
The descriptions of the 'a', 'c', 'e', 'g', 'i', 'j', 'k', 'm', 'q',
'r', 's', 'u' and 'w' commands in the manual have been fixed.
Most tests in the testsuite have been improved. Bug reporting has been
simplified; only the failed logs and results are kept in the test
directory, which can then be (tarred, compressed, and) attached to the
bug report.
|
|
print/mupdf: security fix
Revisions pulled up:
- print/mupdf/Makefile 1.44,1.46
- print/mupdf/distinfo 1.30-1.31
- print/mupdf/patches/patch-source_fitz_pixmap.c 1.1
- print/mupdf/patches/patch-source_tools_mudraw.c 1.1
- print/mupdf/patches/patch-thirdparty_mujs_jsdate.c 1.1
- print/mupdf/patches/patch-thirdparty_mujs_jsrun.c 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Mon Jan 30 14:06:05 UTC 2017
Modified Files:
pkgsrc/print/mupdf: Makefile distinfo
Added Files:
pkgsrc/print/mupdf/patches: patch-thirdparty_mujs_jsdate.c
patch-thirdparty_mujs_jsrun.c
Log Message:
Backport fixes to mupdf-1.10a from upstream for CVE-2017-562[78]
PKGREVISION++
---
Module Name: pkgsrc
Committed By: leot
Date: Sat Feb 11 09:39:05 UTC 2017
Modified Files:
pkgsrc/print/mupdf: Makefile distinfo
Added Files:
pkgsrc/print/mupdf/patches: patch-source_fitz_pixmap.c
patch-source_tools_mudraw.c
Log Message:
Backport security fixes for upstream bugs 697514 and 697515 (CVE-2017-5896) to
PKGREVISON++
|
|
|
|
devel/memcached: security fix
Revisions pulled up:
- devel/memcached/Makefile 1.53
- devel/memcached/distinfo 1.27
- devel/memcached/patches/patch-Makefile.am deleted
- devel/memcached/patches/patch-aa deleted
- devel/memcached/patches/patch-ab deleted
- devel/memcached/patches/patch-items.c 1.1
- devel/memcached/patches/patch-logger.h 1.1
---
Module Name: pkgsrc
Committed By: adam
Date: Thu Feb 16 11:10:53 UTC 2017
Modified Files:
pkgsrc/devel/memcached: Makefile distinfo
Added Files:
pkgsrc/devel/memcached/patches: patch-items.c patch-logger.h
Removed Files:
pkgsrc/devel/memcached/patches: patch-Makefile.am patch-aa patch-ab
Log Message:
Changes 1.4.34:
Add -o modern switches to -h
metadump: Fix preventing dumping of class 63
Fix cache_memlimit bug for > 4G values
metadump: ensure buffer is flushed to client before finishing
Number of small fixes/additions to new logging
add logging endpoint for LRU crawler
evicted_active counter for LRU maintainer
stop pushing NULL byte into watcher stream
Scale item hash locks more with more worker threads (minor performance)
Further increase systemd service hardening
Missing necessary header for atomic_inc_64_nv() used in logger.c (solaris)
Fix print format for idle timeout thread
Improve binary sasl security fixes
Fix clang compile error
Widen systemd caps to allow maxconns to increase
Add -X option to disable cachedump/metadump
Don't double free in lru_crawler on closed clients
Fix segfault if metadump client goes away
|
|
comms/conserver8: bugfix
Revisions pulled up:
- comms/conserver8/Makefile 1.22-1.24
- comms/conserver8/distinfo 1.11
- comms/conserver8/options.mk 1.5
- comms/conserver8/patches/patch-aa 1.3
- comms/conserver8/patches/patch-ab 1.2
- comms/conserver8/patches/patch-conserver_access.c 1.1
- comms/conserver8/patches/patch-conserver_consent.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Wed Jan 18 09:54:51 UTC 2017
Modified Files:
pkgsrc/comms/conserver8: Makefile distinfo
pkgsrc/comms/conserver8/patches: patch-aa patch-ab
Added Files:
pkgsrc/comms/conserver8/patches: patch-conserver_access.c
patch-conserver_consent.c
Log Message:
Add two patches so that this at least semi-works when the inet6
option is used:
* Use correct sockaddr length when doing getnameinfo() for inet6,
so we avoid an early return with "permanent failure" from getnameinfo()
* Use temp variables for walking the address lists so that we avoid trying
freeaddrinfo(NULL) and getting SEGV
This still isn't fully baked and backward compatible: with the
inet6 option turned on, on NetBSD the conserver process only opens
an inet6 server socket and no longer serves an inet socket (a
Linuxism, I suspect), making it troublesome to interoperate with
older versions of conserver or installations on hosts without IPv6
connectivity.
PKGREVISION bumped.
---
Module Name: pkgsrc
Committed By: he
Date: Fri Feb 10 10:35:06 UTC 2017
Modified Files:
pkgsrc/comms/conserver8: Makefile options.mk
Log Message:
Don't enable the inet6 option on the various BSDs, since their stack
require separate inet6 and inet sockets, and conserver as of 8.2.1
doesn't do that.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Fri Feb 10 10:38:42 UTC 2017
Modified Files:
pkgsrc/comms/conserver8: Makefile
Log Message:
Um, need bsd.prefs.mk before testing ${OPSYS}.
|
|
|
|
net/tigervnc: security update
Revisions pulled up:
- net/tigervnc/Makefile 1.15
- net/tigervnc/distinfo 1.11
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 24 08:30:25 UTC 2017
Modified Files:
pkgsrc/net/tigervnc: Makefile distinfo
Log Message:
Updated tigervnc to 1.7.1.
This is a security update for TigerVNC 1.7.0 which fixes a memory
overflow issue via the RRE decoder. A malicious server could possibly
use this issue to take control of the TigerVNC viewer.
Users are advised to upgrade as soon as possible.
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/tigervnc/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/tigervnc/distinfo
|
|
|
|
|
|
print/cups-filters: build fix
Revisions pulled up:
- print/cups-filters/Makefile 1.62
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: markd
Date: Thu Jan 19 10:19:26 UTC 2017
Modified Files:
pkgsrc/print/cups-filters: Makefile
Log Message:
Fix path to pdftpps.
mv cups-browsed.conf from correct post install location.
To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 pkgsrc/print/cups-filters/Makefile
|
|
|
|
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.63
- net/bind99/distinfo 1.43
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 9 00:50:15 UTC 2017
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 to 9.9.9pl6 (BIND 9.9.9-P6).
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non- absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
Feature Changes
* None.
Porting Changes
* None.
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A race condition in rbt/rbtdb was leading to INSISTs being
triggered.
To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 pkgsrc/net/bind99/Makefile
cvs rdiff -u -r1.42 -r1.43 pkgsrc/net/bind99/distinfo
|
|
net/bind910: security update
Revisions pulled up:
- net/bind910/Makefile 1.29
- net/bind910/distinfo 1.22
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 9 00:48:59 UTC 2017
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records
permitted in a zone (max-records #;). This provides a mechanism to
block overly large zone transfers, which is a potential risk with
slave zones from other parties, as described in CVE-2016-6170. [RT
#42143]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
New Features
* named now provides feedback to the owners of zones which have trust
anchors configured (trusted-keys, managed-keys, dnssec-validation
auto; and dnssec-lookaside auto;) by sending a daily query which
encodes the keyids of the configured trust anchors for the zone.
This is controlled by trust-anchor-telemetry and defaults to yes.
* A new tcp-only option has been added to server clauses, to indicate
that UDP should not be used when sending queries to a specified IP
address or prefix.
Feature Changes
* The built in mangaged keys for the global root zone have been
updated to include the upcoming key signing key (keyid 20326).
* The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
be disabled in 2017. A warning is now logged when named is
configured to use this service, either explicitly or via
dnssec-lookaside auto;. [RT #42207]
* If an ACL is specified with an address prefix in which the prefix
length is longer than the address portion (for example,
192.0.2.1/8), named will now log a warning. In future releases this
will be a fatal configuration error. [RT #43367]
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Named could deadlock there were multiple changes to NSEC/NSEC3
parameters for a zone being processed at the same time. [RT #42770]
* Named could trigger a assertion when sending notify messages. [RT
#44019]
* Fixed a crash when calling rndc stats on some Windows builds: some
Visual Studio compilers generate code that crashes when the "%z"
printf() format specifier is used. [RT #42380]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A change in the internal binary representation of the RBT database
node structure enabled a race condition to occur (especially when
BIND was built with certain compilers or optimizer settings),
leading to inconsistent database state which caused random
assertion failures. [RT #42380]
* Referencing a nonexistent zone in a response-policy statement could
cause an assertion failure during configuration. [RT #43787]
* rndc addzone could cause a crash when attempting to add a zone with
a type other than master or slave. Such zones are now rejected. [RT
#43665]
* named could hang when encountering log file names with large
apparent gaps in version number (for example, when files exist
called "logfile.0", "logfile.1", and "logfile.1482954169"). This is
now handled correctly. [RT #38688]
* If a zone was updated while named was processing a query for
nonexistent data, it could return out-of-sync NSEC3 records causing
potential DNSSEC validation failure. [RT #43247]
* named could crash when loading a zone which had RRISG records whose
expiry fields were far enough apart to cause an integer overflow
when comparing them. [RT #40571]
* The arpaname and named-rrchecker commands were not installed into
the correct prefix/bin directory. [RT #42910]
* When receiving a response from an authoritative server with a TTL
value of zero, named> will now only use that response once, to
answer the currently active clients that were waiting for it.
Previously, such response could be cached and reused for up to one
second. [RT #42142]
* named-checkconf now checks the rate-limit clause for correctness.
[RT #42970]
* Corrected a bug in the rndc control channel that could allow a read
past the end of a buffer, crashing named. Thanks to Lian Yihan for
reporting this error.
Maintenance
* The built-in root hints have been updated to include IPv6 addresses
for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
(2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/net/bind910/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/net/bind910/distinfo
|
|
lang/php70: build fix
lang/php71: build fix
Revisions pulled up:
- lang/php70/Makefile 1.5
- lang/php71/Makefile 1.6
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 22 11:37:29 UTC 2017
Modified Files:
pkgsrc/lang/php70: Makefile
Log Message:
php70: add workaround requested in PR pkg/51787, pcre-jit segfaults on
non-amd64 (i386, SPARC - at least). disable it until PHP, add note that
it's mostly relevant for PCRE1 8.38, so if PHP updates to PCRE2 as they
plan, it will be irrelevant.
>From Joern Clausen / cmb@php
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/php70/Makefile
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 22 11:42:22 UTC 2017
Modified Files:
pkgsrc/lang/php71: Makefile
Log Message:
php71: add workaround requested in PR pkg/51787, pcre-jit segfaults on
non-amd64 (i386, SPARC - at least). disable it until PHP, add note that
it's mostly relevant for PCRE1 8.38, so if PHP updates to PCRE2 as they
plan, it will be irrelevant.
>From Joern Clausen / cmb@php
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/php71/Makefile
|
|
sysutils/webmin: security update
sysutils/wbm-*: security update
Revisions pulled up:
- sysutils/wbm-apache/Makefile 1.12
- sysutils/wbm-apache/PLIST 1.10
- sysutils/wbm-apache/distinfo 1.10
- sysutils/wbm-at/Makefile 1.7
- sysutils/wbm-at/PLIST 1.7
- sysutils/wbm-at/distinfo 1.9
- sysutils/wbm-bandwidth/Makefile 1.6
- sysutils/wbm-bandwidth/PLIST 1.7
- sysutils/wbm-bandwidth/distinfo 1.9
- sysutils/wbm-bind8/Makefile 1.10
- sysutils/wbm-bind8/PLIST 1.11
- sysutils/wbm-bind8/distinfo 1.10
- sysutils/wbm-change-user/Makefile 1.7
- sysutils/wbm-change-user/PLIST 1.7
- sysutils/wbm-change-user/distinfo 1.9
- sysutils/wbm-cluster-copy/Makefile 1.8
- sysutils/wbm-cluster-copy/PLIST 1.5
- sysutils/wbm-cluster-copy/distinfo 1.9
- sysutils/wbm-cluster-cron/Makefile 1.8
- sysutils/wbm-cluster-cron/PLIST 1.6
- sysutils/wbm-cluster-cron/distinfo 1.9
- sysutils/wbm-cluster-passwd/Makefile 1.6
- sysutils/wbm-cluster-passwd/PLIST 1.5
- sysutils/wbm-cluster-passwd/distinfo 1.9
- sysutils/wbm-cluster-shell/Makefile 1.7
- sysutils/wbm-cluster-shell/PLIST 1.5
- sysutils/wbm-cluster-shell/distinfo 1.9
- sysutils/wbm-cluster-useradmin/Makefile 1.7
- sysutils/wbm-cluster-useradmin/PLIST 1.5
- sysutils/wbm-cluster-useradmin/distinfo 1.9
- sysutils/wbm-cluster-webmin/Makefile 1.7
- sysutils/wbm-cluster-webmin/PLIST 1.5
- sysutils/wbm-cluster-webmin/distinfo 1.9
- sysutils/wbm-custom/Makefile 1.7
- sysutils/wbm-custom/PLIST 1.6
- sysutils/wbm-custom/distinfo 1.9
- sysutils/wbm-cyrus-imapd/Makefile 1.12
- sysutils/wbm-dhcpd/Makefile 1.7
- sysutils/wbm-dhcpd/PLIST 1.7
- sysutils/wbm-dhcpd/distinfo 1.9
- sysutils/wbm-dovecot/Makefile 1.7
- sysutils/wbm-dovecot/PLIST 1.7
- sysutils/wbm-dovecot/distinfo 1.9
- sysutils/wbm-fetchmail/Makefile 1.7
- sysutils/wbm-fetchmail/PLIST 1.7
- sysutils/wbm-fetchmail/distinfo 1.9
- sysutils/wbm-file/Makefile 1.7
- sysutils/wbm-file/PLIST 1.7
- sysutils/wbm-file/distinfo 1.9
- sysutils/wbm-htaccess-htpasswd/Makefile 1.6
- sysutils/wbm-htaccess-htpasswd/PLIST 1.7
- sysutils/wbm-htaccess-htpasswd/distinfo 1.9
- sysutils/wbm-inetd/Makefile 1.7
- sysutils/wbm-inetd/PLIST 1.8
- sysutils/wbm-inetd/distinfo 1.9
- sysutils/wbm-ipfilter/Makefile 1.6
- sysutils/wbm-ipfilter/PLIST 1.4
- sysutils/wbm-ipfilter/distinfo 1.10
- sysutils/wbm-ipfilter/patches/patch-ab 1.8
- sysutils/wbm-ldap-useradmin/Makefile 1.6
- sysutils/wbm-ldap-useradmin/PLIST 1.7
- sysutils/wbm-ldap-useradmin/distinfo 1.9
- sysutils/wbm-lpadmin/Makefile 1.7
- sysutils/wbm-lpadmin/PLIST 1.7
- sysutils/wbm-lpadmin/distinfo 1.9
- sysutils/wbm-mailboxes/Makefile 1.7
- sysutils/wbm-mailboxes/PLIST 1.8
- sysutils/wbm-mailboxes/distinfo 1.9
- sysutils/wbm-mount/Makefile 1.7
- sysutils/wbm-mount/PLIST 1.7
- sysutils/wbm-mount/distinfo 1.9
- sysutils/wbm-mysql/Makefile 1.7
- sysutils/wbm-mysql/PLIST 1.7
- sysutils/wbm-mysql/distinfo 1.9
- sysutils/wbm-net/Makefile 1.7
- sysutils/wbm-net/PLIST 1.9
- sysutils/wbm-net/distinfo 1.9
- sysutils/wbm-openslp/Makefile 1.7
- sysutils/wbm-openslp/PLIST 1.6
- sysutils/wbm-openslp/distinfo 1.9
- sysutils/wbm-passwd/Makefile 1.7
- sysutils/wbm-postfix/Makefile 1.8
- sysutils/wbm-postfix/PLIST 1.7
- sysutils/wbm-postfix/distinfo 1.9
- sysutils/wbm-postgresql/Makefile 1.7
- sysutils/wbm-postgresql/PLIST 1.9
- sysutils/wbm-postgresql/distinfo 1.9
- sysutils/wbm-qmailadmin/Makefile 1.7
- sysutils/wbm-qmailadmin/PLIST 1.6
- sysutils/wbm-qmailadmin/distinfo 1.9
- sysutils/wbm-quota/Makefile 1.7
- sysutils/wbm-quota/PLIST 1.6
- sysutils/wbm-quota/distinfo 1.9
- sysutils/wbm-sendmail/Makefile 1.7
- sysutils/wbm-sendmail/PLIST 1.6
- sysutils/wbm-sendmail/distinfo 1.9
- sysutils/wbm-shell/Makefile 1.7
- sysutils/wbm-shell/PLIST 1.6
- sysutils/wbm-shell/distinfo 1.9
- sysutils/wbm-sshd/Makefile 1.7
- sysutils/wbm-sshd/PLIST 1.7
- sysutils/wbm-sshd/distinfo 1.9
- sysutils/wbm-status/Makefile 1.7
- sysutils/wbm-status/PLIST 1.6
- sysutils/wbm-status/distinfo 1.9
- sysutils/wbm-syslog/Makefile 1.7
- sysutils/wbm-syslog/PLIST 1.6
- sysutils/wbm-syslog/distinfo 1.9
- sysutils/wbm-telnet/Makefile 1.7
- sysutils/wbm-telnet/PLIST 1.6
- sysutils/wbm-telnet/distinfo 1.9
- sysutils/wbm-time/Makefile 1.8
- sysutils/wbm-time/PLIST 1.7
- sysutils/wbm-time/distinfo 1.11
- sysutils/wbm-tunnel/Makefile 1.7
- sysutils/wbm-tunnel/PLIST 1.5
- sysutils/wbm-tunnel/distinfo 1.9
- sysutils/wbm-useradmin/Makefile 1.7
- sysutils/wbm-useradmin/PLIST 1.7
- sysutils/wbm-useradmin/distinfo 1.9
- sysutils/wbm-virtual-server/Makefile 1.6
- sysutils/webmin/Makefile 1.45
- sysutils/webmin/PLIST 1.19
- sysutils/webmin/distinfo 1.22
- sysutils/webmin/patches/patch-aa 1.9
- sysutils/webmin/patches/patch-ac 1.6
- sysutils/webmin/patches/patch-ag 1.5
- sysutils/webmin/version.mk 1.7
- sysutils/webmin/wbm.mk 1.13
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: mef
Date: Wed Feb 1 12:54:59 UTC 2017
Modified Files:
pkgsrc/sysutils/wbm-apache: Makefile
pkgsrc/sysutils/wbm-at: Makefile
pkgsrc/sysutils/wbm-bandwidth: Makefile
pkgsrc/sysutils/wbm-bind8: Makefile
pkgsrc/sysutils/wbm-change-user: Makefile
pkgsrc/sysutils/wbm-cluster-copy: Makefile
pkgsrc/sysutils/wbm-cluster-cron: Makefile
pkgsrc/sysutils/wbm-cluster-passwd: Makefile
pkgsrc/sysutils/wbm-cluster-shell: Makefile
pkgsrc/sysutils/wbm-cluster-useradmin: Makefile
pkgsrc/sysutils/wbm-cluster-webmin: Makefile
pkgsrc/sysutils/wbm-custom: Makefile
pkgsrc/sysutils/wbm-cyrus-imapd: Makefile
pkgsrc/sysutils/wbm-dhcpd: Makefile
pkgsrc/sysutils/wbm-dovecot: Makefile
pkgsrc/sysutils/wbm-fetchmail: Makefile
pkgsrc/sysutils/wbm-file: Makefile
pkgsrc/sysutils/wbm-htaccess-htpasswd: Makefile
pkgsrc/sysutils/wbm-inetd: Makefile
pkgsrc/sysutils/wbm-ipfilter: Makefile
pkgsrc/sysutils/wbm-ldap-useradmin: Makefile
pkgsrc/sysutils/wbm-lpadmin: Makefile
pkgsrc/sysutils/wbm-mailboxes: Makefile
pkgsrc/sysutils/wbm-mount: Makefile
pkgsrc/sysutils/wbm-mysql: Makefile
pkgsrc/sysutils/wbm-net: Makefile
pkgsrc/sysutils/wbm-openslp: Makefile
pkgsrc/sysutils/wbm-passwd: Makefile
pkgsrc/sysutils/wbm-postfix: Makefile
pkgsrc/sysutils/wbm-postgresql: Makefile
pkgsrc/sysutils/wbm-qmailadmin: Makefile
pkgsrc/sysutils/wbm-quota: Makefile
pkgsrc/sysutils/wbm-sendmail: Makefile
pkgsrc/sysutils/wbm-shell: Makefile
pkgsrc/sysutils/wbm-sshd: Makefile
pkgsrc/sysutils/wbm-status: Makefile
pkgsrc/sysutils/wbm-syslog: Makefile
pkgsrc/sysutils/wbm-telnet: Makefile
pkgsrc/sysutils/wbm-time: Makefile
pkgsrc/sysutils/wbm-tunnel: Makefile
pkgsrc/sysutils/wbm-useradmin: Makefile
pkgsrc/sysutils/wbm-virtual-server: Makefile
Log Message:
Preparing update sysutils/wbm-* 1.600 to 1.831, remove PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/sysutils/wbm-apache/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-at/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-bandwidth/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/sysutils/wbm-bind8/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-change-user/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-cluster-copy/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-cluster-cron/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-cluster-passwd/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-cluster-shell/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-cluster-useradmin/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-cluster-webmin/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-custom/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/sysutils/wbm-cyrus-imapd/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-dhcpd/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-dovecot/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-fetchmail/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-file/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-htaccess-htpasswd/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-inetd/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-ipfilter/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-ldap-useradmin/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-lpadmin/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-mailboxes/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-mount/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-mysql/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-net/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-openslp/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-passwd/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-postfix/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-postgresql/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-qmailadmin/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-quota/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-sendmail/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-shell/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-sshd/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-status/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-syslog/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-telnet/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-time/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-tunnel/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-useradmin/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-virtual-server/Makefile
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: mef
Date: Wed Feb 1 13:00:44 UTC 2017
Modified Files:
pkgsrc/sysutils/wbm-apache: PLIST distinfo
pkgsrc/sysutils/wbm-at: PLIST distinfo
pkgsrc/sysutils/wbm-bandwidth: PLIST distinfo
pkgsrc/sysutils/wbm-bind8: PLIST distinfo
pkgsrc/sysutils/wbm-change-user: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-copy: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-cron: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-passwd: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-shell: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-useradmin: PLIST distinfo
pkgsrc/sysutils/wbm-cluster-webmin: PLIST distinfo
pkgsrc/sysutils/wbm-custom: PLIST distinfo
pkgsrc/sysutils/wbm-dhcpd: PLIST distinfo
pkgsrc/sysutils/wbm-dovecot: PLIST distinfo
pkgsrc/sysutils/wbm-fetchmail: PLIST distinfo
pkgsrc/sysutils/wbm-file: PLIST distinfo
pkgsrc/sysutils/wbm-htaccess-htpasswd: PLIST distinfo
pkgsrc/sysutils/wbm-inetd: PLIST distinfo
pkgsrc/sysutils/wbm-ipfilter: PLIST distinfo
pkgsrc/sysutils/wbm-ipfilter/patches: patch-ab
pkgsrc/sysutils/wbm-ldap-useradmin: PLIST distinfo
pkgsrc/sysutils/wbm-lpadmin: PLIST distinfo
pkgsrc/sysutils/wbm-mailboxes: PLIST distinfo
pkgsrc/sysutils/wbm-mount: PLIST distinfo
pkgsrc/sysutils/wbm-mysql: PLIST distinfo
pkgsrc/sysutils/wbm-net: PLIST distinfo
pkgsrc/sysutils/wbm-openslp: PLIST distinfo
pkgsrc/sysutils/wbm-postfix: PLIST distinfo
pkgsrc/sysutils/wbm-postgresql: PLIST distinfo
pkgsrc/sysutils/wbm-qmailadmin: PLIST distinfo
pkgsrc/sysutils/wbm-quota: PLIST distinfo
pkgsrc/sysutils/wbm-sendmail: PLIST distinfo
pkgsrc/sysutils/wbm-shell: PLIST distinfo
pkgsrc/sysutils/wbm-sshd: PLIST distinfo
pkgsrc/sysutils/wbm-status: PLIST distinfo
pkgsrc/sysutils/wbm-syslog: PLIST distinfo
pkgsrc/sysutils/wbm-telnet: PLIST distinfo
pkgsrc/sysutils/wbm-time: PLIST distinfo
pkgsrc/sysutils/wbm-tunnel: PLIST distinfo
pkgsrc/sysutils/wbm-useradmin: PLIST distinfo
pkgsrc/sysutils/webmin: Makefile PLIST distinfo version.mk wbm.mk
pkgsrc/sysutils/webmin/patches: patch-aa patch-ac patch-ag
Log Message:
Updated sysutils/webmin and wbm-* from 1.600 to 1.831
--------------------------------------
---- Changes since 1.590 ----
The titles for existing clone modules can now be changed on the Module
Titles page.
---- Changes since 1.610 ----
- Added a page for viewing and running Webmin scheduled functions.
- Added a section to the Sending Email page to verify that the
configured mail server settings work.
---- Changes since 1.620 ----
Added a setting to the Web Server Options page to control if redirects
use just a path, or the full URL.
---- Changes since 1.640 ----
Actions on the Webmin Scheduled Functions page can now be clicked on
to change the time the function runs at.
---- Changes since 1.650 ----
Added an SSL option to use only ciphers with perfect forward secrecy.
Added support for two-factor authentication using Authy or Google Authenticator.
---- Changes since 1.660 ----
Updated the UI on several pages to use the standard Webmin library,
for a more consistent look.
---- Changes since 1.730 ----
Added an option to use an SSL connection when Webmin sends email, for
connecting to remote mail servers like Gmail that don't allow
unencrypted SMTP.
---- Changes since 1.770 ----
An SSL certificate can now be requested from Let's Encrypt using a new
tab on the SSL Encryption page.
---- Changes since 1.780 ----
Added an option for automatically renewing Let's Encrypt certificates.
If the Let's Encrypt client is not installed, Webmin will use its own
built-in client code to request a certificate.
---- Changes since 1.800 ----
Added an option to the logging page for sending Webmin action log
messages via email.
---- Changes since 1.810 ----
The Let's Encrypt key size can now be customized.
When Perfect Forward Secrecy ciphers are selected, the required DH
params file is now created and used by Webmin.
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/sysutils/wbm-apache/PLIST \
pkgsrc/sysutils/wbm-apache/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-at/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-at/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-bandwidth/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-bandwidth/distinfo
cvs rdiff -u -r1.10 -r1.11 pkgsrc/sysutils/wbm-bind8/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/sysutils/wbm-bind8/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-change-user/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-change-user/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-cluster-copy/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-copy/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-cluster-cron/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-cron/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-cluster-passwd/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-passwd/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-cluster-shell/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-shell/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-cluster-useradmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-useradmin/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-cluster-webmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-cluster-webmin/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-custom/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-custom/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-dhcpd/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-dhcpd/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-dovecot/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-dovecot/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-fetchmail/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-fetchmail/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-file/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-file/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-htaccess-htpasswd/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-htaccess-htpasswd/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-inetd/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-inetd/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/sysutils/wbm-ipfilter/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/sysutils/wbm-ipfilter/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-ipfilter/patches/patch-ab
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-ldap-useradmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-ldap-useradmin/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-lpadmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-lpadmin/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/wbm-mailboxes/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-mailboxes/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-mount/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-mount/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-mysql/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-mysql/distinfo
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-net/PLIST \
pkgsrc/sysutils/wbm-net/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-openslp/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-openslp/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-postfix/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-postfix/distinfo
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-postgresql/PLIST \
pkgsrc/sysutils/wbm-postgresql/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-qmailadmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-qmailadmin/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-quota/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-quota/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-sendmail/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-sendmail/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-shell/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-shell/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-sshd/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-sshd/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-status/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-status/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-syslog/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-syslog/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/wbm-telnet/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-telnet/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-time/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/sysutils/wbm-time/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/wbm-tunnel/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-tunnel/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/wbm-useradmin/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/wbm-useradmin/distinfo
cvs rdiff -u -r1.44 -r1.45 pkgsrc/sysutils/webmin/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/sysutils/webmin/PLIST
cvs rdiff -u -r1.21 -r1.22 pkgsrc/sysutils/webmin/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/webmin/version.mk
cvs rdiff -u -r1.12 -r1.13 pkgsrc/sysutils/webmin/wbm.mk
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/webmin/patches/patch-aa
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/webmin/patches/patch-ac
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/webmin/patches/patch-ag
|
|
net/tcpdump: security update
Revisions pulled up:
- net/tcpdump/Makefile 1.43
- net/tcpdump/distinfo 1.25
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: maya
Date: Thu Feb 2 18:08:29 UTC 2017
Modified Files:
pkgsrc/net/tcpdump: Makefile distinfo
Log Message:
tcpdump: update to 4.9.0
fixes the most crazy number of buffer overflow CVEs in printing
functions (41 of them).
changelog
Wednesday January 18, 2017 devel.fx.lebail%orange.fr@localhost
Summary for 4.9.0 tcpdump release
General updates:
Improve separation frontend/backend (tcpdump/libnetdissect)
Don't require IPv6 library support in order to support IPv6 addresses
Introduce data types to use for integral values in packet structures
Fix display of timestamps with -tt, -ttt and -ttttt options
Fix some heap overflows found with American Fuzzy Lop by Hanno Boeck and others
(More information in the log with CVE-2016-* and CVE-2017-*)
Change the way protocols print link-layer addresses (Fix heap overflows
in CALM-FAST and GeoNetworking printers)
Pass correct caplen value to ether_print() and some other functions
Fix lookup_nsap() to match what isonsap_string() expects
Clean up relative time stamp printing (Fix an array overflow)
Fix some alignment issues with GCC on Solaris 10 SPARC
Add some ND_TTEST_/ND_TCHECK_ macros to simplify writing bounds checks
Add a fn_printztn() which returns the number of bytes processed
Add nd_init() and nd_cleanup() functions. Improve libsmi support
Add CONTRIBUTING file
Add a summary comment in all printers
Compile with more warning options in devel mode if supported (-Wcast-qual, ...)
Fix some leaks found by Valgrind/Memcheck
Fix a bunch of de-constifications
Squelch some Coverity warnings and some compiler warnings
Update Coverity and Travis-CI setup
Update Visual Studio files
Frontend:
Fix capsicum support to work with zerocopy buffers in bpf
Try opening interfaces by name first, then by name-as-index
Work around pcap_create() failures fetching time stamp type lists
Fix a segmentation fault with 'tcpdump -J'
Improve addrtostr6() bounds checking
Add exit_tcpdump() function
Don't drop CAP_SYS_CHROOT before chrooting
Fixes issue where statistics not reported when -G and -W options used
New printers supporting:
Generic Protocol Extension for VXLAN (VXLAN-GPE)
Home Networking Control Protocol (HNCP), RFCs 7787 and 7788
Locator/Identifier Separation Protocol (LISP), type 3 and type 4 packets
Marvell Extended Distributed Switch Architecture header (MEDSA)
Network Service Header (NSH)
REdis Serialization Protocol (RESP)
Updated printers:
802.11: Beginnings of 11ac radiotap support
802.11: Check the Protected bit for management frames
802.11: Do bounds checking on last_presentp before dereferencing it (Fix a heap overflow)
802.11: Fix the radiotap printer to handle the special bits correctly
802.11: If we have the MCS field, it's 11n
802.11: Only print unknown frame type or subtype messages once
802.11: Radiotap dBm values get printed as dB; Update a test output accordingly
802.11: Source and destination addresses were backwards
AH: Add a bounds check
AH: Report to our caller that dissection failed if a bounds check fails
AP1394: Print src > dst, not dst > src
ARP: Don't assume the target hardware address is <= 6 octets long (Fix a heap overflow)
ATALK: Add bounds and length checks (Fix heap overflows)
ATM: Add some bounds checks (Fix a heap overflow)
ATM: Fix an incorrect bounds check
BFD: Update specification from draft to RFC 5880
BFD: Update to print optional authentication field
BGP: Add decoding of ADD-PATH capability
BGP: Add support for the AIGP attribute (RFC7311)
BGP: Print LARGE_COMMUNITY Path Attribute
BGP: Update BGP numbers from IANA; Print minor values for FSM notification
BOOTP: Add a bounds check
Babel: Add decoder for source-specific extension
CDP: Filter out non-printable characters
CFM: Fixes to match the IEEE standard, additional bounds and length checks
CSLIP: Add more bounds checks (Fix a heap overflow)
ClassicalIPoATM: Add a bounds check on LLC+SNAP header (Fix a heap overflow)
DHCP: Fix MUDURL and TZ options
DHCPv6: Process MUDURL and TZ options
DHCPv6: Update Status Codes with RFCs/IANA names
DNS: Represent the "DNSSEC OK" bit as "DO" instead of "OK". Add a test case
DTP: Improve packet integrity checks
EGP: Fix bounds checks
ESP: Don't use OpenSSL_add_all_algorithms() in OpenSSL 1.1.0 or later
ESP: Handle OpenSSL 1.1.x
Ethernet: Add some bounds checking before calling isoclns_print (Fix a heap overflow)
Ethernet: Print the Length/Type field as length when needed
FDDI: Fix -e output for FDDI
FR: Add some packet-length checks and improve Q.933 printing (Fix heap overflows)
GRE: Add some bounds checks (Fix heap overflows)
Geneve: Fix error message with invalid option length; Update list option classes
HNCP: Fix incorrect time interval format. Fix handling of IPv4 prefixes
ICMP6: Fetch a 32-bit big-endian quantity with EXTRACT_32BITS()
ICMP6: dagid is always an IPv6 address, not an opaque 128-bit string
IGMP: Add a length check
IP: Add a bounds check (Fix a heap overflow)
IP: Check before fetching the protocol version (Fix a heap overflow)
IP: Don't try to dissect if IP version != 4 (Fix a heap overflow)
IP: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
IPComp: Check whether we have the CPI before we fetch it (Fix a heap overflow)
IPoFC: Fix -e output (IP-over-Fibre Channel)
IPv6: Don't overwrite the destination IPv6 address for routing headers
IPv6: Fix header printing
IPv6: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
ISAKMP: Clean up parsing of IKEv2 Security Associations
ISOCLNS/IS-IS: Add support for Purge Originator Identifier (RFC6232) and test cases
ISOCLNS/IS-IS: Don't overwrite packet data when checking the signature
ISOCLNS/IS-IS: Filter out non-printable characters
ISOCLNS/IS-IS: Fix segmentation faults
ISOCLNS/IS-IS: Have signature_verify() do the copying and clearing
ISOCLNS: Add some bounds checks
Juniper: Make sure a Juniper header TLV isn't bigger than what's left in the packet (Fix a heap overflow)
LLC/SNAP: With -e, print the LLC header before the SNAP header; without it, cut the SNAP header
LLC: Add a bounds check (Fix a heap overflow)
LLC: Clean up printing of LLC packets
LLC: Fix the printing of RFC 948-style IP packets
LLC: Skip the LLC and SNAP headers with -x for 802.11 and some other protocols
LLDP: Implement IANA OUI and LLDP MUD option
MPLS LSP ping: Update printing for RFC 4379, bug fixes, more bounds checks
MPLS: "length" is now the *remaining* packet length
MPLS: Add bounds and length checks (Fix a heap overflow)
NFS: Add a test that makes unaligned accesses
NFS: Don't assume the ONC RPC header is nicely aligned
NFS: Don't overflow the Opaque_Handle buffer (Fix a segmentation fault)
NFS: Don't run past the end of an NFSv3 file handle
OLSR: Add a test to cover a HNA sgw case
OLSR: Fix 'Advertised networks' count
OLSR: Fix printing of smart-gateway HNAs in IPv4
OSPF: Add a bounds check for the Hello packet options
OSPF: Do more bounds checking
OSPF: Fix a segmentation fault
OSPF: Fix printing 'ospf_topology_values' default
OTV: Add missing bounds checks
PGM: Print the formatted IP address, not the raw binary address, as a string
PIM: Add some bounds checking (Fix a heap overflow)
PIMv2: Fix checksumming of Register messages
PPI: Pass an adjusted struct pcap_pkthdr to the sub-printer
PPP: Add some bounds checks (Fix a heap overflow)
PPP: Report invalid PAP AACK/ANAK packets
Q.933: Add a missing bounds check
RADIUS: Add Value 13 "VLAN" to Tunnel-Type attribute
RADIUS: Filter out non-printable characters
RADIUS: Translate UDP/1700 as RADIUS
RESP: Do better checking of RESP packets
RPKI-RTR: Add a return value check for "fn_printn" call
RPKI-RTR: Remove printing when truncated condition already detected
RPL: Fix 'Consistency Check' control code
RPL: Fix suboption print
RSVP: An INTEGRITY object in a submessage covers only the submessage
RSVP: Fix an infinite loop; Add bounds and length checks
RSVP: Fix some if statements missing brackets
RSVP: Have signature_verify() do the copying and clearing
RTCP: Add some bounds checks
RTP: Add some bounds checks, fix two segmentation faults
SCTP: Do more bounds checking
SFLOW: Fix bounds checking
SLOW: Fix bugs, add checks
SMB: Before fetching the flags2 field, make sure we have it
SMB: Do bounds checks on NBNS resource types and resource data lengths
SNMP: Clean up the "have libsmi but no modules loaded" case
SNMP: Clean up the object abbreviation list and fix the code to match them
SNMP: Do bounds checks when printing character and octet strings
SNMP: Improve ASN.1 bounds checks
SNMP: More bounds and length checks
STP: Add a bunch of bounds checks, and fix some printing (Fix heap overflows)
STP: Filter out non-printable characters
TCP: Add bounds and length checks for packets with TCP option 20
TCP: Correct TCP option Kind value for TCP Auth and add SCPS-TP
TCP: Fix two bounds checks (Fix heap overflows)
TCP: Make sure we have the data offset field before fetching it (Fix a heap overflow)
TCP: Put TCP-AO option decoding right
TFTP: Don't use strchr() to scan packet data (Fix a heap overflow)
Telnet: Add some bounds checks
TokenRing: Fix -e output
UDLD: Fix an infinite loop
UDP: Add a bounds check (Fix a heap overflow)
UDP: Check against the packet length first
UDP: Don't do the DDP-over-UDP heuristic check up front
VAT: Add some bounds checks
VTP: Add a test on Mgmt Domain Name length
VTP: Add bounds checks and filter out non-printable characters
VXLAN: Add a bound check and a test case
ZeroMQ: Fix an infinite loop
Tuesday October 25, 2016 mcr%sandelman.ca@localhost
Summary for 4.8.1 tcpdump release
Fix "-x" for Apple PKTAP and PPI packets
Use PRIx64 to print a 64-bit number in hex.
Printer for HNCP (RFCs 7787 and 7788).
dagid is always an IPv6 address, not an opaque 128-bit string, and other fixes to RPL printer.
RSVP: Add bounds and length checks
OSPF: Do more bounds checking
Handle OpenSSL 1.1.x.
Initial support for the REdis Serialization Protocol known as RESP.
Add printing function for Generic Protocol Extension for VXLAN
draft-ietf-nvo3-vxlan-gpe-01
Network Service Header: draft-ietf-sfc-nsh-01
Don't recompile the filter if the new file has the same DLT.
Pass an adjusted struct pcap_pkthdr to the sub-printer.
Add three test cases for already fixed CVEs
CVE-2014-8767: OLSR
CVE-2014-8768: Geonet
CVE-2014-8769: AODV
Don't do the DDP-over-UDP heuristic first: GitHub issue #499.
Use the new debugging routines in libpcap.
Harmonize TCP source or destination ports tests with UDP ones
Introduce data types to use for integral values in packet structures.
RSVP: Fix an infinite loop
Support of Type 3 and Type 4 LISP packets.
Don't require IPv6 library support in order to support IPv6 addresses.
Many many changes to support libnetdissect usage.
Add a test that makes unaligned accesses: GitHub issue #478.
add a DNSSEC test case: GH #445 and GH #467.
BGP: add decoding of ADD-PATH capability
fixes to LLC header printing, and RFC948-style IP packets ----------------------------------------------------------------------
To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 pkgsrc/net/tcpdump/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/net/tcpdump/distinfo
|
|
www/viewvc: security fix
Revisions pulled up:
- www/viewvc/Makefile 1.27
- www/viewvc/distinfo 1.15
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Feb 8 20:00:34 UTC 2017
Modified Files:
pkgsrc/www/viewvc: Makefile distinfo
Log Message:
Updated viewvc to 1.1.26.
Version 1.1.26 (released 24-Jan-2017)
* security fix: escape nav_data name to avoid XSS attack
Version 1.1.25 (released 15-Sep-2016)
* fix _rev2optrev assertion on long input
Version 1.1.24 (released 02-Oct-2015)
* fix minor bug in human_readable boolean calculation
* allow hr_funout option to apply to unidiff diffs, too
* fix infinite loop in rcsparse
* fix iso8601 timezone offset handling (issue #542)
* add support for renamed roots (issue #544)
* fix minor buglet in viewvc-install error message
|
|
|
|
archivers/unzip: security fix
Revisions pulled up:
- archivers/unzip/Makefile 1.95
- archivers/unzip/distinfo 1.30
- archivers/unzip/patches/patch-list.c 1.2
- archivers/unzip/patches/patch-zipinfo.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Feb 4 23:25:59 UTC 2017
Modified Files:
pkgsrc/archivers/unzip: Makefile distinfo
pkgsrc/archivers/unzip/patches: patch-list.c
Added Files:
pkgsrc/archivers/unzip/patches: patch-zipinfo.c
Log Message:
Add patches for CVE-2014-9913 and CVE-2016-9844.
Bump PKGREVISION.
|
|
|
|
www/apache2: security fix
Revisions pulled up:
- www/apache22/Makefile 1.111
- www/apache22/distinfo 1.66
- www/apache22/patches/patch-include_ap_mmn.h deleted
- www/apache22/patches/patch-modules_proxy_mod_proxy.c deleted
- www/apache22/patches/patch-modules_proxy_mod_proxy.h deleted
- www/apache22/patches/patch-modules_proxy_proxy_util.c deleted
- www/apache22/patches/patch-server_util__script.c deleted
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jan 16 14:34:42 UTC 2017
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Removed Files:
pkgsrc/www/apache22/patches: patch-include_ap_mmn.h
patch-modules_proxy_mod_proxy.c patch-modules_proxy_mod_proxy.h
patch-modules_proxy_proxy_util.c patch-server_util__script.c
Log Message:
Changes with Apache 2.2.32
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
*) Validate HTTP response header grammar defined by RFC7230, resulting
in a 500 error in the event that invalid response header contents are
detected when serving the response, to avoid response splitting and cache
pollution by malicious clients, upstream servers or faulty modules.
*) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
*) core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached.
*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged.
*) core: Drop Content-Length header and message-body from HTTP 204 responses.
*) core: Permit unencoded ';' characters to appear in proxy requests and
Location: response headers. Corresponds to modern browser behavior.
*) core: ap_rgetline_core now pulls from r->proto_input_filters.
*) core: Correctly parse an IPv6 literal host specification in an absolute
URL in the request line.
*) core: New directive RegisterHttpMethod for registering non-standard
HTTP methods.
*) core: Limit to ten the number of tolerated empty lines between request.
*) core: reject NULLs in request line or request headers.
*) mod_proxy: Use the correct server name for SNI in case the backend
SSL connection itself is established via a proxy server.
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives.
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
*) mod_proxy: Correctly consider error response codes by the backend when
processing failonstatus.
*) mod_proxy: Play/restore the TLS-SNI on new backend connections which
had to be issued because the remote closed the previous/reusable one
during idle (keep-alive) time.
*) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
*) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
use a different scoreboard slot then the original one.
*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over.
*) mod_proxy: don't recyle backend announced "Connection: close" connections
to avoid reusing it should the close be effective after some new request
is ready to be sent.
*) mod_mem_cache: Fix concurrent removal of stale entries which could lead
to a crash.
*) mime.types: add common extension "m4a" for MPEG 4 Audio.
*) mod_substitute: Allow to configure the patterns merge order with the new
SubstituteInheritBefore on|off directive.
*) mod_mem_cache: Don't cache incomplete responses when the client
connection is aborted before the body is fully read.
*) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
|
|
|
|
net/tor: security fix
Revisions pulled up:
- net/tor/Makefile 1.116-1.117
- net/tor/distinfo 1.77-1.78
---
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 8 12:50:41 UTC 2017
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
tor: update to 0.2.9.8
Updated provided by reezer (maintainer) in PR pkg/51745
Changes in version 0.2.9.8 - 2016-12-19
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
The Tor 0.2.9 series makes mandatory a number of security features
that were formerly optional. It includes support for a new shared-
randomness protocol that will form the basis for next generation
hidden services, includes a single-hop hidden service mode for
optimizing .onion services that don't actually want to be hidden,
tries harder not to overload the directory authorities with excessive
downloads, and supports a better protocol versioning scheme for
improved compatibility with other implementations of the Tor protocol.
And of course, there are numerous other bugfixes and improvements.
This release also includes a fix for a medium-severity issue (bug
21018 below) where Tor clients could crash when attempting to visit a
hostile hidden service. Clients are recommended to upgrade as packages
become available for their systems.
Below are listed the changes since Tor 0.2.8.11. For a list of
changes since 0.2.9.7-rc, see the ChangeLog file.
o New system requirements:
- When building with OpenSSL, Tor now requires version 1.0.1 or
later. OpenSSL 1.0.0 and earlier are no longer supported by the
OpenSSL team, and should not be used. Closes ticket 20303.
- Tor now requires Libevent version 2.0.10-stable or later. Older
versions of Libevent have less efficient backends for several
platforms, and lack the DNS code that we use for our server-side
DNS support. This implements ticket 19554.
- Tor now requires zlib version 1.2 or later, for security,
efficiency, and (eventually) gzip support. (Back when we started,
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
released in 2003. We recommend the latest version.)
o Deprecated features:
- A number of DNS-cache-related sub-options for client ports are now
deprecated for security reasons, and may be removed in a future
version of Tor. (We believe that client-side DNS caching is a bad
idea for anonymity, and you should not turn it on.) The options
are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
UseIPv4Cache, and UseIPv6Cache.
- A number of options are deprecated for security reasons, and may
be removed in a future version of Tor. The options are:
AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
AllowSingleHopExits, ClientDNSRejectInternalAddresses,
CloseHSClientCircuitsImmediatelyOnTimeout,
CloseHSServiceRendCircuitsImmediatelyOnTimeout,
ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
UseNTorHandshake, and WarnUnsafeSocks.
- The *ListenAddress options are now deprecated as unnecessary: the
corresponding *Port options should be used instead. These options
may someday be removed. The affected options are:
ControlListenAddress, DNSListenAddress, DirListenAddress,
NATDListenAddress, ORListenAddress, SocksListenAddress,
and TransListenAddress.
o Major bugfixes (parsing, security, new since 0.2.9.7-rc):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major features (build, hardening):
- Tor now builds with -ftrapv by default on compilers that support
it. This option detects signed integer overflow (which C forbids),
and turns it into a hard-failure. We do not apply this option to
code that needs to run in constant time to avoid side-channels;
instead, we use -fwrapv in that code. Closes ticket 17983.
- When --enable-expensive-hardening is selected, stop applying the
clang/gcc sanitizers to code that needs to run in constant time.
Although we are aware of no introduced side-channels, we are not
able to prove that there are none. Related to ticket 17983.
o Major features (circuit building, security):
- Authorities, relays, and clients now require ntor keys in all
descriptors, for all hops (except for rare hidden service protocol
cases), for all circuits, and for all other roles. Part of
ticket 19163.
- Authorities, relays, and clients only use ntor, except for
rare cases in the hidden service protocol. Part of ticket 19163.
o Major features (compilation):
- Our big list of extra GCC warnings is now enabled by default when
building with GCC (or with anything like Clang that claims to be
GCC-compatible). To make all warnings into fatal compilation
errors, pass --enable-fatal-warnings to configure. Closes
ticket 19044.
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
turn on C and POSIX extensions. (Previously, we attempted to do
this on an ad hoc basis.) Closes ticket 19139.
o Major features (directory authorities, hidden services):
- Directory authorities can now perform the shared randomness
protocol specified by proposal 250. Using this protocol, directory
authorities generate a global fresh random value every day. In the
future, this value will be used by hidden services to select
HSDirs. This release implements the directory authority feature;
the hidden service side will be implemented in the future as part
of proposal 224. Resolves ticket 16943; implements proposal 250.
o Major features (downloading, random exponential backoff):
- When we fail to download an object from a directory service, wait
for an (exponentially increasing) randomized amount of time before
retrying, rather than a fixed interval as we did before. This
prevents a group of Tor instances from becoming too synchronized,
or a single Tor instance from becoming too predictable, in its
download schedule. Closes ticket 15942.
o Major features (resource management):
- Tor can now notice it is about to run out of sockets, and
preemptively close connections of lower priority. (This feature is
off by default for now, since the current prioritizing method is
yet not mature enough. You can enable it by setting
"DisableOOSCheck 0", but watch out: it might close some sockets
you would rather have it keep.) Closes ticket 18640.
o Major features (single-hop "hidden" services):
- Add experimental HiddenServiceSingleHopMode and
HiddenServiceNonAnonymousMode options. When both are set to 1,
every hidden service on that Tor instance becomes a non-anonymous
Single Onion Service. Single Onions make one-hop (direct)
connections to their introduction and rendezvous points. One-hop
circuits make Single Onion servers easily locatable, but clients
remain location-anonymous. This is compatible with the existing
hidden service implementation, and works on the current Tor
network without any changes to older relays or clients. Implements
proposal 260, completes ticket 17178. Patch by teor and asn.
o Major features (subprotocol versions):
- Tor directory authorities now vote on a set of recommended
"subprotocol versions", and on a set of required subprotocol
versions. Clients and relays that lack support for a _required_
subprotocol version will not start; those that lack support for a
_recommended_ subprotocol version will warn the user to upgrade.
This change allows compatible implementations of the Tor protocol(s)
to exist without pretending to be 100% bug-compatible with
particular releases of Tor itself. Closes ticket 19958; implements
part of proposal 264.
o Major bugfixes (circuit building):
- Hidden service client-to-intro-point and service-to-rendezvous-
point circuits use the TAP key supplied by the protocol, to avoid
epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
o Major bugfixes (download scheduling):
- Avoid resetting download status for consensuses hourly, since we
already have another, smarter retry mechanism. Fixes bug 8625;
bugfix on 0.2.0.9-alpha.
- If a consensus expires while we are waiting for certificates to
download, stop waiting for certificates.
- If we stop waiting for certificates less than a minute after we
started downloading them, do not consider the certificate download
failure a separate failure. Fixes bug 20533; bugfix
on 0.2.0.9-alpha.
- When using exponential backoff in test networks, use a lower
exponent, so the delays do not vary as much. This helps test
networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.
o Major bugfixes (exit policies):
- Avoid disclosing exit outbound bind addresses, configured port
bind addresses, and local interface addresses in relay descriptors
by default under ExitPolicyRejectPrivate. Instead, only reject
these (otherwise unlisted) addresses if
ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
0.2.7.2-alpha. Patch by teor.
o Major bugfixes (hidden services):
- Allow Tor clients with appropriate controllers to work with
FetchHidServDescriptors set to 0. Previously, this option also
disabled descriptor cache lookup, thus breaking hidden services
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
- Clients now require hidden services to include the TAP keys for
their intro points in the hidden service descriptor. This prevents
an inadvertent upgrade to ntor, which a malicious hidden service
could use to distinguish clients by consensus version. Fixes bug
20012; bugfix on 0.2.4.8-alpha. Patch by teor.
o Major bugfixes (relay, resolver, logging):
- For relays that don't know their own address, avoid attempting a
local hostname resolve for each descriptor we download. This
will cut down on the number of "Success: chose address 'x.x.x.x'"
log lines, and also avoid confusing clock jumps if the resolver
is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
o Minor features (port flags):
- Add new flags to the *Port options to give finer control over which
requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
and the synthetic flag OnionTrafficOnly, which is equivalent to
NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
18693; patch by "teor".
o Minor features (build, hardening):
- Detect and work around a libclang_rt problem that would prevent
clang from finding __mulodi4() on some 32-bit platforms, and thus
keep -ftrapv from linking on those systems. Closes ticket 19079.
- When building on a system without runtime support for the runtime
hardening options, try to log a useful warning at configuration
time, rather than an incomprehensible warning at link time. If
expensive hardening was requested, this warning becomes an error.
Closes ticket 18895.
o Minor features (client, directory):
- Since authorities now omit all routers that lack the Running and
Valid flags, we assume that any relay listed in the consensus must
have those flags. Closes ticket 20001; implements part of
proposal 272.
o Minor features (code safety):
- In our integer-parsing functions, ensure that the maximum value we
allow is no smaller than the minimum value. Closes ticket 19063;
patch from "U+039b".
o Minor features (compilation, portability):
- Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
ticket 20241.
o Minor features (config):
- Warn users when descriptor and port addresses are inconsistent.
Mitigates bug 13953; patch by teor.
o Minor features (controller):
- Allow controllers to configure basic client authorization on
hidden services when they create them with the ADD_ONION controller
command. Implements ticket 15588. Patch by "special".
- Fire a STATUS_SERVER controller event whenever the hibernation
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
- Implement new GETINFO queries for all downloads that use
download_status_t to schedule retries. This allows controllers to
examine the schedule for pending downloads. Closes ticket 19323.
o Minor features (development tools, etags):
- Teach the "make tags" Makefile target how to correctly find
"MOCK_IMPL" function definitions. Patch from nherring; closes
ticket 16869.
o Minor features (directory authority):
- After voting, if the authorities decide that a relay is not
"Valid", they no longer include it in the consensus at all. Closes
ticket 20002; implements part of proposal 272.
- Directory authorities now only give the Guard flag to a relay if
they are also giving it the Stable flag. This change allows us to
simplify path selection for clients. It should have minimal effect
in practice, since >99% of Guards already have the Stable flag.
Implements ticket 18624.
- Directory authorities now write their v3-status-votes file out to
disk earlier in the consensus process, so we have a record of the
votes even if we abort the consensus process. Resolves
ticket 19036.
o Minor features (fallback directory list, new since 0.2.9.7-rc):
- Replace the 81 remaining fallbacks of the 100 originally
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
fallbacks (123 new, 54 existing, 27 removed) generated in December
2016. Resolves ticket 20170.
o Minor features (hidden service):
- Stop being so strict about the payload length of "rendezvous1"
cells. We used to be locked in to the "TAP" handshake length, and
now we can handle better handshakes like "ntor". Resolves
ticket 18998.
o Minor features (infrastructure, time):
- Tor now includes an improved timer backend, so that we can
efficiently support tens or hundreds of thousands of concurrent
timers, as will be needed for some of our planned anti-traffic-
analysis work. This code is based on William Ahern's "timeout.c"
project, which implements a "tickless hierarchical timing wheel".
Closes ticket 18365.
- Tor now uses the operating system's monotonic timers (where
available) for internal fine-grained timing. Previously we would
look at the system clock, and then attempt to compensate for the
clock running backwards. Closes ticket 18908.
o Minor features (logging):
- Add a set of macros to check nonfatal assertions, for internal
use. Migrating more of our checks to these should help us avoid
needless crash bugs. Closes ticket 18613.
- Provide a more useful warning message when configured with an
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
- When dumping unparseable router descriptors, optionally store them
in separate files, named by digest, up to a configurable size
limit. You can change the size limit by setting the
MaxUnparseableDescSizeToLog option, and disable this feature by
setting that option to 0. Closes ticket 18322.
o Minor features (performance):
- Change the "optimistic data" extension from "off by default" to
"on by default". The default was ordinarily overridden by a
consensus option, but when clients were bootstrapping for the
first time, they would not have a consensus to get the option
from. Changing this default saves a round-trip during startup.
Closes ticket 18815.
o Minor features (relay, usability):
- When the directory authorities refuse a bad relay's descriptor,
encourage the relay operator to contact us. Many relay operators
won't notice this line in their logs, but it's a win if even a few
learn why we don't like what their relay was doing. Resolves
ticket 18760.
o Minor features (security, TLS):
- Servers no longer support clients that lack AES ciphersuites.
(3DES is no longer considered an acceptable cipher.) We believe
that no such Tor clients currently exist, since Tor has required
OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
o Minor features (testing):
- Disable memory protections on OpenBSD when performing our unit
tests for memwipe(). The test deliberately invokes undefined
behavior, and the OpenBSD protections interfere with this. Patch
from "rubiate". Closes ticket 20066.
- Move the test-network.sh script to chutney, and modify tor's test-
network.sh to call the (newer) chutney version when available.
Resolves ticket 19116. Patch by teor.
- Use the lcov convention for marking lines as unreachable, so that
we don't count them when we're generating test coverage data.
Update our coverage tools to understand this convention. Closes
ticket 16792.
- Our link-handshake unit tests now check that when invalid
handshakes fail, they fail with the error messages we expected.
- Our unit testing code that captures log messages no longer
prevents them from being written out if the user asked for them
(by passing --debug or --info or --notice or --warn to the "test"
binary). This change prevents us from missing unexpected log
messages simply because we were looking for others. Related to
ticket 19999.
- The unit tests now log all warning messages with the "BUG" flag.
Previously, they only logged errors by default. This change will
help us make our testing code more correct, and make sure that we
only hit this code when we mean to. In the meantime, however,
there will be more warnings in the unit test logs than before.
This is preparatory work for ticket 19999.
- The unit tests now treat any failure of a "tor_assert_nonfatal()"
assertion as a test failure.
- We've done significant work to make the unit tests run faster.
o Minor features (testing, ipv6):
- Add the hs-ipv6 chutney target to make test-network-all's IPv6
tests. Remove bridges+hs, as it's somewhat redundant. This
requires a recent chutney version that supports IPv6 clients,
relays, and authorities. Closes ticket 20069; patch by teor.
- Add the single-onion and single-onion-ipv6 chutney targets to
"make test-network-all". This requires a recent chutney version
with the single onion network flavors (git c72a652 or later).
Closes ticket 20072; patch by teor.
o Minor features (Tor2web):
- Make Tor2web clients respect ReachableAddresses. This feature was
inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
0.2.8.7. Implements feature 20034. Patch by teor.
o Minor features (unix domain sockets):
- When configuring a unix domain socket for a SocksPort,
ControlPort, or Hidden service, you can now wrap the address in
quotes, using C-style escapes inside the quotes. This allows unix
domain socket paths to contain spaces. Resolves ticket 18753.
o Minor features (user interface):
- Tor now supports the ability to declare options deprecated, so
that we can recommend that people stop using them. Previously, this
was done in an ad-hoc way. There is a new --list-deprecated-options
command-line option to list all of the deprecated options. Closes
ticket 19820.
o Minor features (virtual addresses):
- Increase the maximum number of bits for the IPv6 virtual network
prefix from 16 to 104. In this way, the condition for address
allocation is less restrictive. Closes ticket 20151; feature
on 0.2.4.7-alpha.
o Minor bug fixes (circuits):
- Use the CircuitBuildTimeout option whenever
LearnCircuitBuildTimeout is disabled. Previously, we would respect
the option when a user disabled it, but not when it was disabled
because some other option was set. Fixes bug 20073; bugfix on
0.2.4.12-alpha. Patch by teor.
o Minor bugfixes (build):
- The current Git revision when building from a local repository is
now detected correctly when using git worktrees. Fixes bug 20492;
bugfix on 0.2.3.9-alpha.
o Minor bugfixes (relay address discovery):
- Stop reordering IP addresses returned by the OS. This makes it
more likely that Tor will guess the same relay IP address every
time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
Reported by René Mayrhofer, patch by "cypherpunks".
o Minor bugfixes (memory allocation):
- Change how we allocate memory for large chunks on buffers, to
avoid a (currently impossible) integer overflow, and to waste less
space when allocating unusually large chunks. Fixes bug 20081;
bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.
o Minor bugfixes (bootstrap):
- Remember the directory server we fetched the consensus or previous
certificates from, and use it to fetch future authority
certificates. This change improves bootstrapping performance.
Fixes bug 18963; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (circuits):
- Make sure extend_info_from_router() is only called on servers.
Fixes bug 19639; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (client, fascistfirewall):
- Avoid spurious warnings when ReachableAddresses or FascistFirewall
is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
o Minor bugfixes (client, unix domain sockets):
- Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
the client address is meaningless. Fixes bug 20261; bugfix
on 0.2.6.3-alpha.
o Minor bugfixes (code style):
- Fix an integer signedness conversion issue in the case conversion
tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.
o Minor bugfixes (compilation):
- Build correctly on versions of libevent2 without support for
evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
on 0.2.5.4-alpha.
- When building with Clang, use a full set of GCC warnings.
(Previously, we included only a subset, because of the way we
detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
- Detect Libevent2 functions correctly on systems that provide
libevent2, but where libevent1 is linked with -levent. Fixes bug
19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
- Run correctly when built on Windows build environments that
require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
o Minor bugfixes (configuration):
- When parsing quoted configuration values from the torrc file,
handle Windows line endings correctly. Fixes bug 19167; bugfix on
0.2.0.16-alpha. Patch from "Pingl".
o Minor bugfixes (directory authority):
- Authorities now sort the "package" lines in their votes, for ease
of debugging. (They are already sorted in consensus documents.)
Fixes bug 18840; bugfix on 0.2.6.3-alpha.
- Die with a more useful error when the operator forgets to place
the authority_signing_key file into the keys directory. This
avoids an uninformative assert & traceback about having an invalid
key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
- When allowing private addresses, mark Exits that only exit to
private locations as such. Fixes bug 20064; bugfix
on 0.2.2.9-alpha.
- When parsing a detached signature, make sure we use the length of
the digest algorithm instead of a hardcoded DIGEST256_LEN in
order to avoid comparing bytes out-of-bounds with a smaller digest
length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
o Minor bugfixes (getpass):
- Defensively fix a non-triggerable heap corruption at do_getpass()
to protect ourselves from mistakes in the future. Fixes bug
19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch
by nherring.
o Minor bugfixes (guard selection):
- Don't mark guards as unreachable if connection_connect() fails.
That function fails for local reasons, so it shouldn't reveal
anything about the status of the guard. Fixes bug 14334; bugfix
on 0.2.3.10-alpha.
- Use a single entry guard even if the NumEntryGuards consensus
parameter is not provided. Fixes bug 17688; bugfix
on 0.2.5.6-alpha.
o Minor bugfixes (hidden services):
- Increase the minimum number of internal circuits we preemptively
build from 2 to 3, so a circuit is available when a client
connects to another onion service. Fixes bug 13239; bugfix
on 0.1.0.1-rc.
- Allow hidden services to run on IPv6 addresses even when the
IPv6Exit option is not set. Fixes bug 18357; bugfix
on 0.2.4.7-alpha.
- Stop logging intro point details to the client log on certain
error conditions. Fixed as part of bug 20012; bugfix on
0.2.4.8-alpha. Patch by teor.
- When deleting an ephemeral hidden service, close its intro points
even if they are not completely open. Fixes bug 18604; bugfix
on 0.2.7.1-alpha.
- When configuring hidden services, check every hidden service
directory's permissions. Previously, we only checked the last
hidden service. Fixes bug 20529; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (IPv6, testing):
- Check for IPv6 correctly on Linux when running test networks.
Fixes bug 19905; bugfix on 0.2.7.3-rc; patch by teor.
o Minor bugfixes (Linux seccomp2 sandbox):
- Add permission to run the sched_yield() and sigaltstack() system
calls, in order to support versions of Tor compiled with asan or
ubsan code that use these calls. Now "sandbox 1" and
"--enable-expensive-hardening" should be compatible on more
systems. Fixes bug 20063; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (logging):
- Downgrade a harmless log message about the
pending_entry_connections list from "warn" to "info". Mitigates
bug 19926.
- Log a more accurate message when we fail to dump a microdescriptor.
Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.
- When logging a directory ownership mismatch, log the owning
username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.
- When we are unable to remove the bw_accounting file, do not warn
if the reason we couldn't remove it was that it didn't exist.
Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from pastly.
o Minor bugfixes (memory leak):
- Fix a series of slow memory leaks related to parsing torrc files
and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.
- Avoid a small memory leak when informing worker threads about
rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
- Fix a small memory leak when receiving AF_UNIX connections on a
SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
- When moving a signed descriptor object from a source to an
existing destination, free the allocated memory inside that
destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha.
- Fix a memory leak and use-after-free error when removing entries
from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
0.2.5.5-alpha. Patch from "cypherpunks".
- Fix a small, uncommon memory leak that could occur when reading a
truncated ed25519 key file. Fixes bug 18956; bugfix
on 0.2.6.1-alpha.
o Minor bugfixes (option parsing):
- Count unix sockets when counting client listeners (SOCKS, Trans,
NATD, and DNS). This has no user-visible behavior changes: these
options are set once, and never read. Required for correct
behavior in ticket 17178. Fixes bug 19677; bugfix on
0.2.6.3-alpha. Patch by teor.
o Minor bugfixes (options):
- Check the consistency of UseEntryGuards and EntryNodes more
reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch
by teor.
- Stop changing the configured value of UseEntryGuards on
authorities and Tor2web clients. Fixes bug 20074; bugfix on
commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha.
Patch by teor.
o Minor bugfixes (relay):
- Ensure relays don't make multiple connections during bootstrap.
Fixes bug 20591; bugfix on 0.2.8.1-alpha.
- Do not try to parallelize workers more than 16x without the user
explicitly configuring us to do so, even if we do detect more than
16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (testing):
- The test-stem and test-network makefile targets now depend only on
the tor binary that they are testing. Previously, they depended on
"make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
patch from "cypherpunks".
- Allow clients to retry HSDirs much faster in test networks. Fixes
bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
- Avoid a unit test failure on systems with over 16 detectable CPU
cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
- Let backtrace tests work correctly under AddressSanitizer:
disable ASAN's detection of segmentation faults while running
test_bt.sh, so that we can make sure that our own backtrace
generation code works. Fixes bug 18934; bugfix
on 0.2.5.2-alpha. Patch from "cypherpunks".
- Fix the test-network-all target on out-of-tree builds by using the
correct path to the test driver script. Fixes bug 19421; bugfix
on 0.2.7.3-rc.
- Stop spurious failures in the local interface address discovery
unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
Neel Chauhan.
- Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
removed the ECDH ciphers which caused the tests to fail on
platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
- The tor_tls_server_info_callback unit test no longer crashes when
debug-level logging is turned on. Fixes bug 20041; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (time):
- Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
bugfix on all released tor versions.
- When computing the difference between two times in milliseconds,
we now round to the nearest millisecond correctly. Previously, we
could sometimes round in the wrong direction. Fixes bug 19428;
bugfix on 0.2.2.2-alpha.
o Minor bugfixes (Tor2web):
- Prevent Tor2web clients from running hidden services: these services
are not anonymous due to the one-hop client paths. Fixes bug
19678. Patch by teor.
o Minor bugfixes (user interface):
- Display a more accurate number of suppressed messages in the log
rate-limiter. Previously, there was a potential integer overflow
in the counter. Now, if the number of messages hits a maximum, the
rate-limiter doesn't count any further. Fixes bug 19435; bugfix
on 0.2.4.11-alpha.
- Fix a typo in the passphrase prompt for the ed25519 identity key.
Fixes bug 19503; bugfix on 0.2.7.2-alpha.
o Code simplification and refactoring:
- Remove redundant declarations of the MIN macro. Closes
ticket 18889.
- Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
Closes ticket 18462; patch from "icanhasaccount".
- Split the 600-line directory_handle_command_get function into
separate functions for different URL types. Closes ticket 16698.
o Documentation:
- Add module-level internal documentation for 36 C files that
previously didn't have a high-level overview. Closes ticket 20385.
- Correct the IPv6 syntax in our documentation for the
VirtualAddrNetworkIPv6 torrc option. Closes ticket 19743.
- Correct the minimum bandwidth value in torrc.sample, and queue a
corresponding change for torrc.minimal. Closes ticket 20085.
- Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
ticket 19153. Patch from "U+039b".
- Module-level documentation for several more modules. Closes
tickets 19287 and 19290.
- Document the --passphrase-fd option in the tor manpage. Fixes bug
19504; bugfix on 0.2.7.3-rc.
- Document the default PathsNeededToBuildCircuits value that's used
by clients when the directory authorities don't set
min_paths_for_circs_pct. Fixes bug 20117; bugfix on 0.2.4.10-alpha.
Patch by teor, reported by Jesse V.
- Fix manual for the User option: it takes a username, not a UID.
Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
a manpage!).
- Fix the description of the --passphrase-fd option in the
tor-gencert manpage. The option is used to pass the number of a
file descriptor to read the passphrase from, not to read the file
descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
o Removed code:
- We no longer include the (dead, deprecated) bufferevent code in
Tor. Closes ticket 19450. Based on a patch from "U+039b".
o Removed features:
- Remove support for "GET /tor/bytes.txt" DirPort request, and
"GETINFO dir-usage" controller request, which were only available
via a compile-time option in Tor anyway. Feature was added in
0.2.2.1-alpha. Resolves ticket 19035.
- There is no longer a compile-time option to disable support for
TransPort. (If you don't want TransPort, just don't use it.) Patch
from "U+039b". Closes ticket 19449.
o Testing:
- Run more workqueue tests as part of "make check". These had
previously been implemented, but you needed to know special
command-line options to enable them.
- We now have unit tests for our code to reject zlib "compression
bombs". (Fortunately, the code works fine.)
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 24 08:59:07 UTC 2017
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
Updated tor to 0.2.9.9.
Changes in version 0.2.9.9 - 2017-01-23
Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
cause relays and clients to crash, even if they were not built with
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
versions, and also affects 0.3.0.1-alpha: all relays running an affected
version should upgrade.
This release also resolves a client-side onion service reachability
bug, and resolves a pair of small portability issues.
o Major bugfixes (security):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes -- and having
it on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Major bugfixes (client, onion service):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (portability):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
|
|
|
|
sysutils/py-borgbackup: security update
Revisions pulled up:
- sysutils/py-borgbackup/Makefile 1.11
- sysutils/py-borgbackup/distinfo 1.6
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jan 5 16:33:16 UTC 2017
Modified Files:
pkgsrc/sysutils/py-borgbackup: Makefile distinfo
Log Message:
Updated py-borgbackup to 1.0.9.
Version 1.0.9 (2016-12-20)
Security fixes:
A flaw in the cryptographic authentication scheme in Borg
allowed an attacker to spoof the manifest. See Pre-1.0.9 manifest
spoofing vulnerability above for the steps you should take.
borg check: When rebuilding the manifest (which should only be
needed very rarely) duplicate archive names would be handled
on a �first come first serve� basis, allowing an attacker to
apparently replace archives.
Bug fixes:
borg check:
rebuild manifest if it’s corrupted
skip corrupted chunks during manifest rebuild
fix TypeError in integrity error handler, #1903, #1894
fix location parser for archives with @ char (regression
introduced in 1.0.8), #1930
fix wrong duration/timestamps if system clock jumped during a create
fix progress display not updating if system clock jumps backwards
fix checkpoint interval being incorrect if system clock jumps
Other changes:
docs:
add python3-devel as a dependency for cygwin-based installation
clarify extract is relative to current directory
FAQ: fix link to changelog
markup fixes
tests:
test_get_(cache|keys)_dir: clean env state, #1897
get back pytest’s pretty assertion failures, #1938
setup.py build_usage:
fixed build_usage not processing all commands
fixed build_usage not generating includes for debug commands
Version 1.0.9rc1 (2016-11-27)
Bug fixes:
files cache: fix determination of newest mtime in backup set
(which is used in cache cleanup and led to wrong �A� [added]
status for unchanged files in next backup), #1860.
borg check:
fix incorrectly reporting attic 0.13 and earlier archives as corrupt
handle repo w/o objects gracefully and also bail out early if
repo is completely empty, #1815.
fix tox/pybuild in 1.0-maint
at xattr module import time, loggers are not initialized yet
New features:
borg umount <mountpoint> exposed already existing umount code
via the CLI api, so users can use it, which is more consistent
than using borg to mount and fusermount -u (or umount) to
un-mount, #1855.
implement borg create –noatime –noctime, fixes #1853
Other changes:
docs:
display README correctly on PyPI
improve cache / index docs, esp. files cache docs, fixes #1825
different pattern matching for –exclude, #1779
datetime formatting examples for {now} placeholder, #1822
clarify passphrase mode attic repo upgrade, #1854
clarify –umask usage, #1859
clarify how to choose PR target branch
clarify prune behavior for different archive contents, #1824
fix PDF issues, add logo, fix authors, headings, TOC
move security verification to support section
fix links in standalone README (:ref: tags)
add link to security contact in README
add FAQ about security
move fork differences to FAQ
add more details about resource usage
tests: skip remote tests on cygwin, #1268
travis:
allow OS X failures until the brew cask osxfuse issue is fixed
caskroom osxfuse-beta gone, it’s osxfuse now (3.5.3)
vagrant:
upgrade OSXfuse / FUSE for macOS to 3.5.3
remove llfuse from tox.ini at a central place
do not try to install llfuse on centos6
fix fuse test for darwin, #1546
add windows virtual machine with cygwin
Vagrantfile cleanup / code deduplication
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/sysutils/py-borgbackup/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/py-borgbackup/distinfo
|
|
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.171
- lang/php56/distinfo 1.39
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jan 20 00:44:01 UTC 2017
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.30.
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017, PHP 5.6.30
- EXIF:
. Fixed bug #73737 (FPE when parsing a tag format). (Stas)
- GD:
. Fixed bug #73549 (Use after free when stream is passed to imagepng). (cmb)
. Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)
. Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
- Intl:
. Fixed bug #68447 (grapheme_extract take an extra trailing character).
(SATŌ Kentarō)
- Phar:
. Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)
. Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
. Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
- SQLite3:
. Reverted fix for bug #73530 (Unsetting result set may reset other result
set). (cmb)
- Standard:
. Fixed bug #70213 (Unserialize context shared on double class lookup).
(Taoguang Chen)
. Fixed bug #73825 (Heap out of bounds read on unserialize in
finish_nested_data()). (Stas)
|
|
lang/php70: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.170
- lang/php70/distinfo 1.25
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 19 14:48:49 UTC 2017
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: distinfo
Log Message:
Update php70 to 7.0.15.
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017 PHP 7.0.15
- Core:
. Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
. Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
with list()). (Laruence)
. Fixed bug #73585 (Logging of "Internal Zend error - Missing class
information" missing class name). (Laruence)
. Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
. Fixed bug #73825 (Heap out of bounds read on unserialize in
finish_nested_data()). (Stas)
. Fixed bug #73831 (NULL Pointer Dereference while unserialize php object).
(Stas)
. Fixed bug #73832 (Use of uninitialized memory in unserialize()). (Stas)
. Fixed bug #73092 (Unserialize use-after-free when resizing object's
properties hash table). (Nikita)
. Fixed bug #69425 (Use After Free in unserialize()). (Nikita)
. Fixed bug #72731 (Type Confusion in Object Deserialization). (Nikita)
- COM:
. Fixed bug #73679 (DOTNET read access violation using invalid codepage).
(Anatol)
- DOM:
. Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)
- EXIF:
. Bug bug #73737 (FPE when parsing a tag format). (Stas)
- GD:
. Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
. Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)
- GMP:
. Fixed bug #70513 (GMP Deserialization Type Confusion Vulnerability).
(Nikita)
- Mysqli:
. Fixed bug #73462 (Persistent connections don't set $connect_errno).
(darkain)
- Mysqlnd:
. Fixed issue with decoding BIT columns when having more than one rows in the
result set. 7.0+ problem. (Andrey)
. Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
(vanviegen)
- PCRE:
. Fixed bug #73612 (preg_*() may leak memory). (cmb)
- PDO_Firebird:
. Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning
statement). (Dorin Marcoci)
- Phar:
. Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
. Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
. Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)
- Phpdbg:
. Fixed bug #73615 (phpdbg without option never load .phpdbginit at startup).
(Bob)
. Fixed issue getting executable lines from custom wrappers. (Bob)
. Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)
- Reflection:
. Fixed bug #46103 (ReflectionObject memory leak). (Nikita)
- Streams:
. Fixed bug #73586 (php_user_filter::$stream is not set to the stream the
filter is working on). (Dmitry)
- SQLite3:
. Reverted fix for bug #73530 (Unsetting result set may reset other result
set). (cmb)
- Standard:
. Fixed bug #73594 (dns_get_record does not populate $additional out
parameter). (Bruce Weirdan)
. Fixed bug #70213 (Unserialize context shared on double class lookup).
(Taoguang Chen)
. Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
. Fixed bug #70490 (get_browser function is very slow). (Nikita)
. Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
(Nikita)
. Fixed bug #31875 (get_defined_functions additional param to exclude
disabled functions). (willianveiga)
- Zlib:
. Fixed bug #73373 (deflate_add does not verify that output was not truncated).
(Matt Bonneau)
|
|
lang/php71: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.169
- lang/php71/distinfo 1.12
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 19 14:43:25 UTC 2017
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: distinfo
Log Message:
Update php71 to 7.1.1.
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 Jan 2017, PHP 7.1.1
- Core:
. Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
. Fixed bug #73686 (Adding settype()ed values to ArrayObject results in
references). (Nikita, Laruence)
. Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
with list()). (Laruence)
. Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in
zend_bitset.h). (Nikita)
. Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
. Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
(David Walker)
. Fixed bug #73825 (Heap out of bounds read on unserialize in
finish_nested_data()). (Stas)
. Fixed bug #73831 (NULL Pointer Dereference while unserialize php object).
(Stas)
. Fixed bug #73832 (Use of uninitialized memory in unserialize()). (Stas)
- CLI:
. Fixed bug #72555 (CLI output(japanese) on Windows). (Anatol)
- COM:
. Fixed bug #73679 (DOTNET read access violation using invalid codepage).
(Anatol)
- DOM:
. Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)
- EXIF:
. Bug bug #73737 (FPE when parsing a tag format). (Stas)
- GD:
. Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
. Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)
- Mbstring:
. Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
(Laruence)
- Mysqli:
. Fixed bug #73462 (Persistent connections don't set $connect_errno).
(darkain)
- Mysqlnd:
. Optimized handling of BIT fields - less memory copies and lower memory
usage. (Andrey)
. Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
(vanviegen)
- Opcache:
. Fixed bug #73789 (Strange behavior of class constants in switch/case block).
(Laruence)
. Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
(Laruence)
. Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
. Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by
minus 1). (Nikita)
. Fixed bug #73847 (Recursion when a variable is redefined as array). (Nikita)
- PDO_Firebird:
. Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning
statement). (Dorin Marcoci)
- Phar:
. Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
. Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
. Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)
- phpdbg:
. Fixed bug #73794 (Crash (out of memory) when using run and # command
separator). (Bob)
. Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)
- SQLite3:
. Reverted fix for bug #73530 (Unsetting result set may reset other result
set). (cmb)
- Standard:
. Fixed bug #73594 (dns_get_record does not populate $additional out
parameter). (Bruce Weirdan)
. Fixed bug #70213 (Unserialize context shared on double class lookup).
(Taoguang Chen)
. Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
. Fixed bug #70490 (get_browser function is very slow). (Nikita)
. Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
(Nikita)
. Add subject to mail log. (tomsommer)
. Fixed bug #31875 (get_defined_functions additional param to exclude
disabled functions). (willianveiga)
- Zlib
. Fixed bug #73373 (deflate_add does not verify that output was not truncated).
(Matt Bonneau)
|
|
www/typo3_62: security fix
Revisions pulled up:
- www/typo3_62/Makefile 1.21
- www/typo3_62/PLIST 1.17
- www/typo3_62/distinfo 1.19
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jan 13 15:06:40 UTC 2017
Modified Files:
pkgsrc/www/typo3_62: Makefile PLIST distinfo
Log Message:
Update typo3_62 to 6.2.30 (TYPO3 6.2.30) including security fixes.
2017-01-03 ec284cf [RELEASE] Release of TYPO3 6.2.30 (TYPO3 Release Team)
2017-01-03 0f79d43 #79114 [SECURITY] Protect Mailtransport (Wouter Wolters)
2016-12-31 7a99325 #70106 [BUGFIX] Do not use realpath for temporary file names (Stefan Froemken)
2016-12-30 5bb34d0 #76478 [TASK] Clean up DebuggerUtility (Nicole Cordes)
2016-12-24 98dd27a #70962 [BUGFIX] FAL relations duplicated when saving in workspaces (Andreas Wolf)
2016-12-16 5124e88 #78915,#78977 [BUGFIX] Optimize cache handling in ReflectionService (Helmut Hummel)
2016-12-15 18b19ea #78977 Revert "[BUGFIX] Reflection Cache does not save methodReflections" (Nicole Cordes)
2016-12-13 8095288 #78925 [BUGFIX] Fix exception in QuickEdit mode for empty pages (Manuel Selbach)
2016-12-12 8ef727a #78915 [BUGFIX] Reflection Cache does not save methodReflections (Tymoteusz Motylewski)
2016-12-08 01a927d #73241 [BUGFIX] Do not fetch pages with pid < 0 in prepareCacheFlush (Steffen Göde)
2016-12-08 bab723b #72654,#62660 [BUGFIX] Improve DataHandler handling for dbType fields (Nicole Cordes)
2016-12-07 1a32e92 #78551 [BUGFIX] Reset hidden field information in FormViewhelper (Nicole Cordes)
2016-12-03 b927c7b #77097 [BUGFIX] Reset FormViewHelper on execution (Helmut Hummel)
|
|
security/botan-devel: build fix
Revisions pulled up:
- security/botan-devel/distinfo 1.12
- security/botan-devel/patches/patch-src_build-data_os_solaris.txt 1.1
- security/botan-devel/patches/patch-src_lib_utils_locking__allocator_info.txt 1.1
- security/botan-devel/patches/patch-src_lib_utils_os__utils.cpp 1.4
---
Module Name: pkgsrc
Committed By: joerg
Date: Mon Jan 16 01:50:15 UTC 2017
Modified Files:
pkgsrc/security/botan-devel: distinfo
pkgsrc/security/botan-devel/patches: patch-src_lib_utils_os__utils.cpp
Added Files:
pkgsrc/security/botan-devel/patches:
patch-src_build-data_os_solaris.txt
patch-src_lib_utils_locking__allocator_info.txt
Log Message:
More fixes for build on SmartOS/Solaris.
|
|
www/ikiwiki: security fix
Revisions pulled up:
- www/ikiwiki/Makefile 1.145-1.148
- www/ikiwiki/distinfo 1.117-1.120
---
Module Name: pkgsrc
Committed By: schmonz
Date: Fri Dec 30 03:21:11 UTC 2016
Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo
Log Message:
Update to 3.20161229. From the changelog:
* Security: force CGI::FormBuilder->field to scalar context where
necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
(CVE-2016-9646)
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
(CVE-2016-10026 represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
(CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
- Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version
and an anonymous committer
---
Module Name: pkgsrc
Committed By: schmonz
Date: Fri Dec 30 13:59:42 UTC 2016
Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo
Log Message:
Update to 3.20161229.1. From the changelog:
* git: Attribute reverts to the user doing the revert, not the wiki
itself.
* git: Do not disable the commit hook while preparing a revert.
---
Module Name: pkgsrc
Committed By: schmonz
Date: Wed Jan 11 02:15:54 UTC 2017
Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo
Log Message:
Update to 3.20170110. From the changelog:
[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command
[ Simon McVittie ]
* git: use an explicit function parameter for the directory to work
in. Previously, we used global state that was not restored correctly
on catching exceptions, causing an unintended log message
"cannot chdir to .../ikiwiki-temp-working: No such file or directory"
with versions >= 3.20161229 when an attempt to revert a change fails
or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the
wrong commits if a file named literally "--" is present in the
repository
* check_canchange: log "bad file name whatever", not literal string
"bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail
intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid
author/committer name and email, hopefully fixing this test on
ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat
for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security
references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the
intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for
OpenID Selector, which does not seem to have any more current URL
(and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation.
It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred
build-dependency, with virtual package libmagickcore-extra as an
alternative, to help autopkgtest to do the right thing
---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Jan 12 00:44:15 UTC 2017
Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo
Log Message:
Update to 3.20170111. From the changelog:
* passwordauth: prevent authentication bypass via multiple name
parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter
(also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters
(not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
|
|
security/gnutls: build fix
Revisions pulled up:
- security/gnutls/buildlink3.mk 1.32
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jan 11 17:06:52 UTC 2017
Modified Files:
pkgsrc/security/gnutls: buildlink3.mk
Log Message:
Add libunistring to bl3.mk, it's linked into libgnutls{,xx}.so.
PR 51830
|
|
security/gnutls: security fix
Revisions pulled up:
- security/gnutls/Makefile 1.168-1.169
- security/gnutls/PLIST 1.54
- security/gnutls/distinfo 1.122
- security/gnutls/patches/patch-tests_mini-server-name.c deleted
---
Module Name: pkgsrc
Committed By: maya
Date: Sat Jan 7 18:49:16 UTC 2017
Modified Files:
pkgsrc/security/gnutls: Makefile
Log Message:
gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the
configure test because the type in stddef.h is guarded by a c11 macro
(most likely).
Force the configure test to pass.
From David Shao in PR pkg/51793 (originally from FreeBSD ports).
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 10 16:23:50 UTC 2017
Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Removed Files:
pkgsrc/security/gnutls/patches: patch-tests_mini-server-name.c
Log Message:
Updated gnutls to 3.5.8.
* Version 3.5.8 (released 2016-01-09)
** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
functions will not leave the verification profiles field to an
undefined state. The last call will take precedence.
** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
by PKCS#8 decryption functions when an invalid key is provided. This
addresses regression on decrypting certain PKCS#8 keys.
** libgnutls: Introduced option to override the default priority string
used by the library. The intention is to allow support of system-wide
priority strings (as set with --with-system-priority-file). The
configure option is --with-default-priority-string.
** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
This prevents crashes when decrypting malformed PKCS#8 keys.
** libgnutls: Fix crash on the loading of malformed private keys with certain
parameters set to zero.
** libgnutls: Fix double free in certificate information printing. If the PKIX
extension proxy was set with a policy language set but no policy specified,
that could lead to a double free.
** libgnutls: Addressed memory leaks in client and server side error paths
(issues found using oss-fuzz project)
** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
(issues found using oss-fuzz project)
** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
(issues found using oss-fuzz project)
** API and ABI modifications:
No changes since last version.
* Version 3.5.7 (released 2016-12-8)
** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
and SECURE256 priority strings.
** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
operate with OIDs which have elements that exceed 2^32.
** libgnutls: The DN decoding functions output the traditional DN format
rather than the strict RFC4514 compliant textual DN. This reverts the
3.5.6 introduced change, and allows applications which depended on the
previous format to continue to function. Introduced new functions which
output the strict format by default, and can revert to the old one using
a flag.
** libgnutls: Improved TPM key handling. Check authorization requirements
prior to using a key and fix issue on loop for PIN input. Patches by
James Bottomley.
** libgnutls: In all functions accepting UTF-8 passwords, ensure that
passwords are normalized according to RFC7613. When invalid UTF-8
passwords are detected, they are only tolerated for decryption.
This introduces a libunistring dependency on GnuTLS. A version of
libunistring is included in the library for the platforms that do
not ship it; it can be used with the '--with-included-unistring'
option to configure script.
** libgnutls: When setting a subject alternative name in a certificate
which is in UTF-8 format, it will transparently be converted to IDNA form
prior to storing.
** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
will print the SHA256 key-ID instead of a certificate fingerprint.
** libgnutls: enhance the PKCS#7 verification capabilities. In the case
signers that are not discoverable using the trust list or input, use
the stored list as pool to generate a trusted chain to the signer.
** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
under DTLS.
** libgnutls: [added missing news entry since 3.5.0]
No longer tolerate certificate key usage violations for
TLS signature verification, and decryption. That is GnuTLS will fail
to connect to servers which incorrectly use a restricted to signing certificate
for decryption, or vice-versa. This reverts the lax behavior introduced
in 3.1.0, due to several such broken servers being available. The %COMPAT
priority keyword can be used to work-around connecting on these servers.
** certtool: When exporting a CRQ in DER format ensure no text data are
intermixed. Patch by Dmitry Eremin-Solenikov.
** certtool: Include the SHA-256 variant of key ID in --certificate-info
options.
** p11tool: Introduced the --initialize-pin and --initialize-so-pin
options.
** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added
* Version 3.5.6 (released 2016-11-04)
** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
(pre-rfc5652) structures with arbitrary encapsulated content.
** libgnutls: Introduced a function group to set known DH parameters
using groups from RFC7919.
** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
Now the generated textual DN is in reverse order according to RFC4514,
and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
set the expected DN (reverse of the provided string).
** libgnutls: Introduced time and constraints checks in the end certificate
in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
functions.
** libgnutls: Set limits on the maximum number of alerts handled. That is,
applications using gnutls could be tricked into an busy loop if the
peer sends continuously alert messages. Applications which set a maximum
handshake time (via gnutls_handshake_set_timeout) will eventually recover
but others may remain in a busy loops indefinitely. This is related but
not identical to CVE-2016-8610, due to the difference in alert handling
of the libraries (gnutls delegates that handling to applications).
** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
functions return an index (introduced in 3.5.5), to avoid affecting programs
which explicitly check success of the function as equality to zero. In order
for these functions to return an index an explicit call to gnutls_certificate_set_flags
with the GNUTLS_CERTIFICATE_API_V2 flag is now required.
** libgnutls: Reverted the behavior of sending a status request extension even
without a response (introduced in 3.5.5). That is, we no longer reply to a
client's hello with a status request, with a status request extension. Although
that behavior is legal, it creates incompatibility issues with releases in
the gnutls 3.3.x branch.
** libgnutls: Delayed the initialization of the random generator at
the first call of gnutls_rnd(). This allows applications to load
on systems which getrandom() would block, without blocking until
real random data are needed.
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
** p11tool: improvements in --initialize option.
** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added
* Version 3.5.5 (released 2016-10-09)
** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
to allow importing multiple OCSP request files, one for each chain
provided.
** libgnutls: The gnutls_certificate_set_key* functions return an
index of the added chain. That index can be used either with
gnutls_certificate_set_ocsp_status_request_file(), or with
gnutls_certificate_get_crt_raw() and friends.
** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
for the aarch64 architecture. Uses Andy Polyakov's assembly code.
** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
failures due to key mismatch. This prevents leaks or double freeing
on such failures.
** libgnutls: Increased the maximum size of the handshake message hash.
This will allow the library to cope better with larger packets, as
the ones offered by current TLS 1.3 drafts.
** libgnutls: Allow to use client certificates despite them containing
disallowed algorithms for a session. That allows for example a client
to use DSA-SHA1 due to his old DSA certificate, without requiring him
to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
** libgnutls: Reverted AESNI code on x86 to earlier version as the
latest version was creating position depending code. Added checks
in the CI to detect position depending code early.
** guile: Update code to the I/O port API of Guile >= 2.1.4
This makes sure the GnuTLS bindings will work with the forthcoming 2.2
stable series of Guile, of which 2.1 is a preview.
** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
GNUTLS_E_PK_INVALID_PUBKEY: Added
GNUTLS_E_PK_INVALID_PRIVKEY: Added
|
|
security/libtasn1: bugfix, build fix
Revisions pulled up:
- security/libtasn1/Makefile 1.67-1.68
- security/libtasn1/distinfo 1.47
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 10 15:26:32 UTC 2017
Modified Files:
pkgsrc/security/libtasn1: Makefile distinfo
Log Message:
Updated libtasn1 to 4.9.
* Noteworthy changes in release 4.9 (released 2016-07-25) [stable]
- Fixes to OID encoding of OIDs which have elements which exceed 2^32
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jan 11 16:25:06 UTC 2017
Modified Files:
pkgsrc/security/libtasn1: Makefile
Log Message:
Remove -Werror from compilation flags.
PR 51821
PR 51829
|
