Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
www/curl: security update
Revisions pulled up:
- www/curl/Makefile 1.190
- www/curl/distinfo 1.140,1.139
- www/curl/patches/patch-configure 1.3
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Wed Nov 29 13:56:28 UTC 2017
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Log Message:
curl: update to 7.57.0.
Curl and libcurl 7.57.0
o auth: add support for RFC7616 - HTTP Digest access authentication [12]
o share: add support for sharing the connection cache [31]
o HTTP: implement Brotli content encoding [28]
This release includes the following bugfixes:
o CVE-2017-8816: NTLM buffer overflow via integer overflow [47]
o CVE-2017-8817: FTP wildcard out of bounds read [48]
o CVE-2017-8818: SSL out of buffer access [49]
o curl_mime_filedata.3: fix typos [1]
o libtest: Add required test libraries for lib1552 and lib1553 [2]
o fix time diffs for systems using unsigned time_t [3]
o ftplistparser: memory leak fix: free temporary memory always [4]
o multi: allow table handle sizes to be overridden [5]
o wildcards: don't use with non-supported protocols [6]
o curl_fnmatch: return error on illegal wildcard pattern [7]
o transfer: Fix chunked-encoding upload too early exit [8]
o curl_setup: Improve detection of CURL_WINDOWS_APP [9]
o resolvers: only include anything if needed [10]
o setopt: fix CURLOPT_SSH_AUTH_TYPES option read
o appveyor: add a win32 build
o Curl_timeleft: change return type to timediff_t [11]
o cmake: Export libcurl and curl targets to use by other cmake projects [13]
o curl: in -F option arg, comma is a delimiter for files only [14]
o curl: improved ";type=" handling in -F option arguments
o timeval: use mach_absolute_time() on MacOS [15]
o curlx: the timeval functions are no longer provided as curlx_* [16]
o mkhelp.pl: do not generate comment with current date [17]
o memdebug: use send/recv signature for curl_dosend/curl_dorecv [18]
o cookie: avoid NULL dereference [19]
o url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 [20]
o include: remove conncache.h inclusion from where its not needed
o CURLOPT_MAXREDIRS: allow -1 as a value [21]
o tests: Fixed torture tests on tests 556 and 650
o http2: Fixed OOM handling in upgrade request
o url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
o CURLOPT_INFILESIZE: accept -1 [22]
o curl: pass through [] in URLs instead of calling globbing error [23]
o curl: speed up handling of many URLs [24]
o ntlm: avoid malloc(0) for zero length passwords [25]
o url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES [26]
o HTTP: support multiple Content-Encodings [27]
o travis: add a job with brotli enabled
o url: remove unncessary NULL-check
o fnmatch: remove dead code
o connect: store IPv6 connection status after valid connection [29]
o imap: deal with commands case insensitively [30]
o --interface: add support for Linux VRF [32]
o content_encoding: fix inflate_stream for no bytes available [33]
o cmake: Correctly include curl.rc in Windows builds [34]
o cmake: Add missing setmode check [35]
o connect.c: remove executable bit on file [36]
o SMB: fix uninitialized local variable
o zlib/brotli: only include header files in modules needing them [37]
o URL: return error on malformed URLs with junk after IPv6 bracket [38]
o openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY [39]
o macOS: Fix missing connectx function with Xcode version older than 9.0 [40]
o --resolve: allow IP address within [] brackets [41]
o examples/curlx: Fix code style [42]
o ntlm: remove unnecessary NULL-check to please scan-build [43]
o Curl_llist_remove: fix potential NULL pointer deref [43]
o mime: fix "Value stored to 'sz' is never read" scan-build error [43]
o openssl: fix "Value stored to 'rc' is never read" scan-build error [43]
o http2: fix "Value stored to 'hdbuf' is never read" scan-build error [43]
o http2: fix "Value stored to 'end' is never read" scan-build error [43]
o Curl_open: fix OOM return error correctly [43]
o url: reject ASCII control characters and space in host names [44]
o examples/rtsp: clear RANGE again after use [45]
o connect: improve the bind error message [46]
o make: fix "make distclean" [50]
o connect: add support for new TCP Fast Open API on Linux [51]
o metalink: fix memory-leak and NULL pointer dereference [52]
o URL: update "file:" URL handling [53]
o ssh: remove check for a NULL pointer [54]
o global_init: ignore CURL_GLOBAL_SSL's absense [55]
To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 pkgsrc/www/curl/Makefile
cvs rdiff -u -r1.139 -r1.140 pkgsrc/www/curl/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: jperkin
Date: Fri Nov 3 09:40:37 UTC 2017
Modified Files:
pkgsrc/www/curl: distinfo
pkgsrc/www/curl/patches: patch-configure
Log Message:
curl: Don't strip out user-supplied debug flags.
To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.139 pkgsrc/www/curl/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/curl/patches/patch-configure
|
|
|
|
x11/libXcursor: security update
Revisions pulled up:
- x11/libXcursor/Makefile 1.9
- x11/libXcursor/distinfo 1.7
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 28 14:57:20 UTC 2017
Modified Files:
pkgsrc/x11/libXcursor: Makefile distinfo
Log Message:
libXcursor: update to 1.1.15.
Alan Coopersmith (4):
configure: Drop AM_MAINTAINER_MODE
autogen.sh: Honor NOCONFIGURE=1
Use strdup() instead of malloc(strlen())+strcpy()
Fix some clang integer sign/size mismatch warnings
Emil Velikov (1):
autogen.sh: use quoted string variables
Matthieu Herrb (1):
libXcursor 1.1.15
Mihail Konev (1):
autogen: add default patch prefix
Peter Hutterer (1):
autogen.sh: use exec instead of waiting for configure to finish
Tobias Stoeckmann (1):
Fix heap overflows when parsing malicious files. (CVE-2017-16612)
shubham shrivastav (1):
Insufficient memory for terminating null of string in
_XcursorThemeInherits
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/x11/libXcursor/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/x11/libXcursor/distinfo
|
|
x11/libXfont2: security update
Revisions pulled up:
- x11/libXfont2/Makefile 1.4
- x11/libXfont2/distinfo 1.4
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 28 14:58:26 UTC 2017
Modified Files:
pkgsrc/x11/libXfont2: Makefile distinfo
Log Message:
libXfont2: update to 2.0.3.
Matthieu Herrb (1):
libXfont2 2.0.3
Michal Srb (1):
Open files with O_NOFOLLOW. (CVE-2017-16611)
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/x11/libXfont2/Makefile \
pkgsrc/x11/libXfont2/distinfo
|
|
x11/libXfont: security update
Revisions pulled up:
- x11/libXfont/Makefile 1.38
- x11/libXfont/distinfo 1.30
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 28 14:59:27 UTC 2017
Modified Files:
pkgsrc/x11/libXfont: Makefile distinfo
Log Message:
libXfont: update to 1.5.4.
Matthieu Herrb (1):
libXfont 1.5.4
Michal Srb (1):
Open files with O_NOFOLLOW. (CVE-2017-16611)
To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 pkgsrc/x11/libXfont/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/x11/libXfont/distinfo
|
|
www/wordpress: security update
Revisions pulled up:
- www/wordpress/Makefile 1.74
- www/wordpress/PLIST 1.36
- www/wordpress/distinfo 1.59
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: morr
Date: Sun Dec 3 17:06:37 UTC 2017
Modified Files:
pkgsrc/www/wordpress: Makefile PLIST distinfo
Log Message:
Update to newest version, 4.9.1
This version fixes 4 security bugs from earlier versions.
For details, head to https://codex.wordpress.org/Version_4.9.1
For 4.9 changes, head to https://codex.wordpress.org/Version_4.9
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 pkgsrc/www/wordpress/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/www/wordpress/PLIST
cvs rdiff -u -r1.58 -r1.59 pkgsrc/www/wordpress/distinfo
|
|
lang/openjdk8: security update
Revisions pulled up:
- lang/openjdk8/Makefile 1.55
- lang/openjdk8/PLIST 1.8
- lang/openjdk8/distinfo 1.51
- lang/openjdk8/patches/patch-common_autoconf_generated-configure.sh 1.13
- lang/openjdk8/patches/patch-jdk_make_CompileLaunchers.gmk 1.5
- lang/openjdk8/patches/patch-jdk_make_lib_CoreLibraries.gmk 1.4
- lang/openjdk8/patches/patch-jdk_src_solaris_native_java_net_NetworkInterface.c 1.4
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Tue Nov 28 05:07:25 UTC 2017
Modified Files:
pkgsrc/lang/openjdk8: Makefile PLIST distinfo
pkgsrc/lang/openjdk8/patches:
patch-common_autoconf_generated-configure.sh
patch-jdk_make_CompileLaunchers.gmk
patch-jdk_make_lib_CoreLibraries.gmk
patch-jdk_src_solaris_native_java_net_NetworkInterface.c
Log Message:
Update to 1.8.152
Changelog:
Security bug fixes:
CVE-2017-10285
CVE-2017-10388
CVE-2017-10309
CVE-2017-10274
CVE-2017-10356
CVE-2017-10293
CVE-2017-10342
CVE-2017-10350
CVE-2017-10349
CVE-2017-10348
CVE-2017-10357
CVE-2016-9841
CVE-2016-10165
CVE-2017-10355
CVE-2017-10281
CVE-2017-10347
CVE-2017-10386
CVE-2017-10380
CVE-2017-10295
CVE-2017-10341
CVE-2017-10345
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/openjdk8/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/openjdk8/PLIST
cvs rdiff -u -r1.50 -r1.51 pkgsrc/lang/openjdk8/distinfo
cvs rdiff -u -r1.12 -r1.13 \
pkgsrc/lang/openjdk8/patches/patch-common_autoconf_generated-configure.sh
cvs rdiff -u -r1.4 -r1.5 \
pkgsrc/lang/openjdk8/patches/patch-jdk_make_CompileLaunchers.gmk
cvs rdiff -u -r1.3 -r1.4 \
pkgsrc/lang/openjdk8/patches/patch-jdk_make_lib_CoreLibraries.gmk \
pkgsrc/lang/openjdk8/patches/patch-jdk_src_solaris_native_java_net_NetworkInterface.c
|
|
mail/procmail: security patch
Revisions pulled up:
- mail/procmail/Makefile 1.50
- mail/procmail/distinfo 1.17
- mail/procmail/patches/patch-bd 1.4
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Sun Nov 26 20:39:41 UTC 2017
Modified Files:
pkgsrc/mail/procmail: Makefile distinfo
pkgsrc/mail/procmail/patches: patch-bd
Log Message:
procmail: Fix CVE-2017-16844
Patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug6511
Bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 pkgsrc/mail/procmail/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/procmail/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/mail/procmail/patches/patch-bd
|
|
|
|
mail/thunderbird: security fix
mail/thunderbird-l10n: update
Revisions pulled up:
- mail/thunderbird-l10n/Makefile 1.61-1.62
- mail/thunderbird-l10n/distinfo 1.59-1.60
- mail/thunderbird/Makefile 1.198,1.200
- mail/thunderbird/distinfo 1.193-1.194
- mail/thunderbird/hacks.mk 1.8
- mail/thunderbird45/hacks.mk 1.2
---
Module Name: pkgsrc
Committed By: ryoon
Date: Fri Oct 27 18:01:44 UTC 2017
Modified Files:
pkgsrc/mail/thunderbird: hacks.mk
pkgsrc/mail/thunderbird45: hacks.mk
Log Message:
Remove removed inclusion. Pointed by oster@. Thank you
---
Module Name: pkgsrc
Committed By: ryoon
Date: Fri Nov 17 00:49:20 UTC 2017
Modified Files:
pkgsrc/mail/thunderbird: Makefile distinfo
Log Message:
Update to 52.4.0
Chagelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
---
Module Name: pkgsrc
Committed By: ryoon
Date: Fri Nov 17 00:52:40 UTC 2017
Modified Files:
pkgsrc/mail/thunderbird-l10n: Makefile distinfo
Log Message:
Update to 52.4.0
* Sync with mail/thunderbird-52.4.0
---
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Nov 27 23:36:40 UTC 2017
Modified Files:
pkgsrc/mail/thunderbird: Makefile distinfo
Log Message:
Update to 52.5.0
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
---
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Nov 27 23:38:39 UTC 2017
Modified Files:
pkgsrc/mail/thunderbird-l10n: Makefile distinfo
Log Message:
Update to 52.5.0
* Sync with mail/thunderbird-52.5.0
|
|
www/firefox52: security fix
www/firefox52-l10n: update
Revisions pulled up:
- www/firefox52-l10n/Makefile 1.7
- www/firefox52-l10n/distinfo 1.7
- www/firefox52/Makefile 1.11
- www/firefox52/distinfo 1.9
---
Module Name: pkgsrc
Committed By: ryoon
Date: Fri Nov 17 00:19:01 UTC 2017
Modified Files:
pkgsrc/www/firefox52: Makefile distinfo
Log Message:
Update to 52.5.0
Changelog:
Security fixes:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still
in use. This results in a potentially exploitable crash during
these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for
data theft of URLs loaded by users.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56 and Firefox ESR 52.4.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to
run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
---
Module Name: pkgsrc
Committed By: ryoon
Date: Fri Nov 17 00:53:53 UTC 2017
Modified Files:
pkgsrc/www/firefox52-l10n: Makefile distinfo
Log Message:
Update to 52.5.0
* Sync with www/firefox52-52.5.0
|
|
Since the last update, translations have been added but the additional files
have not been included into PLIST. The build failed in such a case:
PKG_OPTIONS.sudo= +nls
PKG_DEVELOPER= yes
|
|
|
|
www/firefox52: security fix
www/firefox52-l10n: security fix
Revisions pulled up:
- www/firefox52-l10n/Makefile 1.5-1.6
- www/firefox52-l10n/distinfo 1.5-1.6
- www/firefox52/Makefile 1.9-1.10
- www/firefox52/distinfo 1.7-1.8
- www/firefox52/patches/patch-extensions_spellcheck_hunspell_glue_mozHunspell.cpp deleted
---
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Sep 30 11:19:10 UTC 2017
Modified Files:
pkgsrc/www/firefox52: Makefile distinfo
Removed Files:
pkgsrc/www/firefox52/patches:
patch-extensions_spellcheck_hunspell_glue_mozHunspell.cpp
Log Message:
Update to 52.4.0
* Remove an unnecessary patch
Changelog:
Fixed
Various security fixes
Various stability and regression fixes
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use, resulting
in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have been
freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with the
ANGLE graphics library, used for WebGL content. This is due to an
incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point to
a message buffer. This saved data is used for later messages but in some
cases, the handshake transcript can exceed the space available in the
current buffer, causing the allocation of a new buffer. This leaves a
pointer pointing to the old, freed buffer, resulting in a use-after-free
when handshake hashes are then calculated afterwards. This can result in
a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
Francois Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed normal
file download checks though the Phishing and Malware Protection feature
and its block lists of suspicious sites and files. This would allow
malicious sites to lure users into downloading executables that would
otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters as
whitespace. When used in the addressbar as part of an IDN this can be
used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other operating
systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not create a
unique origin for the document, causing it to behave as if the
allow-same-origin keyword were always specified. This could allow a
Cross-Site Scripting (XSS) attack to be launched from unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55 and Firefox ESR
52.3. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort that some of these could be exploited to
run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
---
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Sep 30 11:21:00 UTC 2017
Modified Files:
pkgsrc/www/firefox52-l10n: Makefile distinfo
Log Message:
Update to 52.4.0
* Sync with firefox52-52.4.0
---
Module Name: pkgsrc
Committed By: ryoon
Date: Thu Nov 9 19:17:19 UTC 2017
Modified Files:
pkgsrc/www/firefox52: Makefile distinfo
Log Message:
Update to 52.4.1
Changelog:
Fixed
Fixed a crash when playing videos on macOS 10.13
Fixed a crash when using the color picker on macOS 10.13
---
Module Name: pkgsrc
Committed By: ryoon
Date: Thu Nov 9 19:24:37 UTC 2017
Modified Files:
pkgsrc/www/firefox52-l10n: Makefile distinfo
Log Message:
Update to 52.4.1
* Sync with www/firefox52-52.4.1
|
|
textproc/icu: security fix
Revisions pulled up:
- textproc/icu/Makefile 1.111-1.112
- textproc/icu/distinfo 1.66,1.70
- textproc/icu/patches/patch-config_mh-solaris-gcc 1.4
- textproc/icu/patches/patch-i18n_zonemeta.cpp 1.1
---
Module Name: pkgsrc
Committed By: jperkin
Date: Wed Oct 4 10:52:40 UTC 2017
Modified Files:
pkgsrc/textproc/icu: Makefile distinfo
pkgsrc/textproc/icu/patches: patch-config_mh-solaris-gcc
Log Message:
icu: Remove -nodefaultlibs -nostdlib from SunOS linker args.
This prevented GCC libraries from being used and thus disabled SSP and
other features. Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Thu Nov 16 09:58:26 UTC 2017
Modified Files:
pkgsrc/textproc/icu: Makefile distinfo
Added Files:
pkgsrc/textproc/icu/patches: patch-i18n_zonemeta.cpp
Log Message:
Apply a fix for CVE-2017-14952 from
http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
Bump PKGREVISION.
|
|
sysutils/zabbix: bugfix
Revisions pulled up:
- sysutils/zabbix/Makefile 1.4+patch
- sysutils/zabbix/distinfo 1.4+patch
- sysutils/zabbix/patches/patch-src_libs_zbxsysinfo_common_net.c 1.1+patch
---
Module Name: pkgsrc
Committed By: he
Date: Thu Nov 16 11:01:12 UTC 2017
Modified Files:
pkgsrc/sysutils/zabbix: Makefile distinfo
Added Files:
pkgsrc/sysutils/zabbix/patches: patch-src_libs_zbxsysinfo_common_net.c
Log Message:
Zabbix_agentd is a threaded program, and it tries to muck with the
global `_res' variable. That's not supported on NetBSD, and IME
causes the zabbix agent daemon to exit shortly after having been started.
Convert to instead using res_ninit(), res_nsend(), and res_nclose().
Bump PKGREVISION.
|
|
www/contao44: security fix
Revisions pulled up:
- www/contao44/Makefile 1.9-1.12
- www/contao44/PLIST 1.7-1.10
- www/contao44/distinfo 1.7-1.10
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 28 13:46:00 UTC 2017
Modified Files:
pkgsrc/www/contao44: Makefile PLIST distinfo
Log Message:
Update contao44 to 4.4.6.
Contao 4.4.6 is available 2017/09/28 10:32 by Leo Feyer
Contao version 4.4.6 is available. The bugfix release fixes several minor
issues and also includes the changes from Contao 3.5.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 13 16:08:28 UTC 2017
Modified Files:
pkgsrc/www/contao44: Makefile PLIST distinfo
Log Message:
www/contao44: update to 4.4.7
Contao 4.4.7 is available 12.10.2017 16:12 by Leo Feyer
Contao version 4.4.7 is available. The bugfix release fixes several minor
issues, including a problem with the back end referrer management.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Nov 15 14:09:16 UTC 2017
Modified Files:
pkgsrc/www/contao44: Makefile PLIST distinfo
Log Message:
www/contao44: update to 4.4.8
# Contao core bundle change log
### 4.4.8 (2017-11-15)
* Prevent SQL injections in the back end search panel (see CVE-2017-16558).
* Support class named services in System::import() and System::importStatic()
(see #1176).
* Only show pretty error screens on Contao routes (see #1149).
# Contao listing bundle change log
### 4.4.8 (2017-11-15)
* Prevent SQL injections in the listing module (see CVE-2017-16558).
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 20 04:53:56 UTC 2017
Modified Files:
pkgsrc/www/contao44: Makefile PLIST distinfo
Log Message:
www/contao44: Update due to repacakge.
Add DIST_SUBDIR due to repacakging.
Bump PKGREVISION.
|
|
security/openssh: security fix
Revisions pulled up:
- security/openssh/Makefile 1.254
- security/openssh/distinfo 1.105
- security/openssh/patches/patch-sshd.c 1.9
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 4 11:44:14 UTC 2017
Modified Files:
pkgsrc/security/openssh: Makefile distinfo
pkgsrc/security/openssh/patches: patch-sshd.c
Log Message:
openssh: update to 7.6.1.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1): delete SSH protocol version 1 support, associated
configuration options and documentation.
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): do not offer CBC ciphers by default.
Changes since OpenSSH 7.5
=========================
This is primarily a bugfix release. It also contains substantial
internal refactoring.
Security
--------
* sftp-server(8): in read-only mode, sftp-server was incorrectly
permitting creation of zero-length files. Reported by Michal
Zalewski.
New Features
------------
* ssh(1): add RemoteCommand option to specify a command in the ssh
config file instead of giving it on the client's command line. This
allows the configuration file to specify the command that will be
executed on the remote host.
* sshd(8): add ExposeAuthInfo option that enables writing details of
the authentication methods used (including public keys where
applicable) to a file that is exposed via a $SSH_USER_AUTH
environment variable in the subsequent session.
* ssh(1): add support for reverse dynamic forwarding. In this mode,
ssh will act as a SOCKS4/5 proxy and forward connections
to destinations requested by the remote SOCKS client. This mode
is requested using extended syntax for the -R and RemoteForward
options and, because it is implemented solely at the client,
does not require the server be updated to be supported.
* sshd(8): allow LogLevel directive in sshd_config Match blocks;
bz#2717
* ssh-keygen(1): allow inclusion of arbitrary string or flag
certificate extensions and critical options.
* ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
a CA when signing certificates. bz#2377
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default.
* ssh-add(1): added -q option to make ssh-add quiet on success.
* ssh(1): expand the StrictHostKeyChecking option with two new
settings. The first "accept-new" will automatically accept
hitherto-unseen keys but will refuse connections for changed or
invalid hostkeys. This is a safer subset of the current behaviour
of StrictHostKeyChecking=no. The second setting "off", is a synonym
for the current behaviour of StrictHostKeyChecking=no: accept new
host keys, and continue connection for hosts with incorrect
hostkeys. A future release will change the meaning of
StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400
* ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
option in sshd(8). bz#2705
Bugfixes
--------
* ssh(1): use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728
* sftp(1): implement sorting for globbed ls; bz#2649
* ssh(1): add a user@host prefix to client's "Permission denied"
messages, useful in particular when using "stacked" connections
(e.g. ssh -J) where it's not clear which host is denying. bz#2720
* ssh(1): accept unknown EXT_INFO extension values that contain \0
characters. These are legal, but would previously cause fatal
connection errors if received.
* ssh(1)/sshd(8): repair compression statistics printed at
connection exit
* sftp(1): print '?' instead of incorrect link count (that the
protocol doesn't provide) for remote listings. bz#2710
* ssh(1): return failure rather than fatal() for more cases during
session multiplexing negotiations. Causes the session to fall back
to a non-mux connection if they occur. bz#2707
* ssh(1): mention that the server may send debug messages to explain
public key authentication problems under some circumstances; bz#2709
* Translate OpenSSL error codes to better report incorrect passphrase
errors when loading private keys; bz#2699
* sshd(8): adjust compatibility patterns for WinSCP to correctly
identify versions that implement only the legacy DH group exchange
scheme. bz#2748
* ssh(1): print the "Killed by signal 1" message only at LogLevel
verbose so that it is not shown at the default level; prevents it
from appearing during ssh -J and equivalent ProxyCommand configs.
bz#1906, bz#2744
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys
could previously be made if ssh-keygen failed or was interrupted part
way through generating them. bz#2561
* ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
place the current session in the background.
* ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734
* sshd(8): avoid reliance on shared use of pointers shared between
monitor and child sshd processes. bz#2704
* sshd_config(8): document available AuthenticationMethods; bz#2453
* ssh(1): avoid truncation in some login prompts; bz#2768
* sshd(8): Fix various compilations failures, inc bz#2767
* ssh(1): make "--" before the hostname terminate argument processing
after the hostname too.
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys. Fixes problems related to private key
handling for no-OpenSSL builds. bz#2754
* ssh(1): warn and do not attempt to use keys when the public and
private halves do not match. bz#2737
* sftp(1): don't print verbose error message when ssh disconnects
from under sftp. bz#2750
* sshd(8): fix keepalive scheduling problem: activity on a forwarded
port from preventing the keepalive from being sent; bz#2756
* sshd(8): when started without root privileges, don't require the
privilege separation user or path to exist. Makes running the
regression tests easier without touching the filesystem.
* Make integrity.sh regression tests more robust against timeouts.
bz#2658
* ssh(1)/sshd(8): correctness fix for channels implementation: accept
channel IDs greater than 0x7FFFFFFF.
Portability
-----------
* sshd(9): drop two more privileges in the Solaris sandbox:
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
* sshd(8): expose list of completed authentication methods to PAM
via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
* ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code,
mostly to do with host/network byte order confusion. bz#2735
* Add --with-cflags-after and --with-ldflags-after configure flags to
allow setting CFLAGS/LDFLAGS after configure has completed. These
are useful for setting sanitiser/fuzzing options that may interfere
with configure's operation.
* sshd(8): avoid Linux seccomp violations on ppc64le over the
socketcall syscall.
* Fix use of ldns when using ldns-config; bz#2697
* configure: set cache variables when cross-compiling. The cross-
compiling fallback message was saying it assumed the test passed,
but it wasn't actually set the cache variables and this would
cause later tests to fail.
* Add clang libFuzzer harnesses for public key parsing and signature
verification.
|
|
www/contao35: security fix
Revisions pulled up:
- www/contao35/Makefile 1.33-1.35
- www/contao35/PLIST 1.16-1.17
- www/contao35/distinfo 1.25-1.27
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 28 12:46:25 UTC 2017
Modified Files:
pkgsrc/www/contao35: Makefile PLIST distinfo
Log Message:
www/contao35: update to 3.5.29
Version 3.5.29 (2017-09-27)
---------------------------
### Fixed
Correctly handle unencoded data images in the Combiner (see #8788).
### Fixed
Correctly show multi-day events if the shortened view is disabled (see #8782).
### Fixed
Do not add a suffix when copying if the "doNotCopy" flag is set (see #8610).
### Fixed
Use the module type as group header if sorted by type (see #8402).
### Fixed
Always show the "show from" and "show until" fields (see #8766).
### Fixed
Encode the username when opening the front end preview as a member (see #8762).
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Oct 7 13:01:17 UTC 2017
Modified Files:
pkgsrc/www/contao35: Makefile distinfo
Log Message:
www/contao35: Update to 3.5.30.
Version 3.5.30 (2017-10-06)
---------------------------
### Fixed
Filter multi-day events outside the scope in the event list (see #8792).
### Fixed
Correctly show multi-day events if the shortened view is disabled (see #8782).
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Nov 15 14:07:53 UTC 2017
Modified Files:
pkgsrc/www/contao35: Makefile PLIST distinfo
Log Message:
Update contaoet to 3.5.31.
Version 3.5.31 (2017-11-15)
---------------------------
### Fixed
Prevent SQL injections in the back end search panel (see CVE-2017-16558).
|
|
devel/git-base: security fix
Revisions pulled up:
- devel/git-base/Makefile 1.46
- devel/git-base/distinfo 1.71-1.72
- devel/git/Makefile.version 1.62-1.63
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Sep 27 06:37:47 UTC 2017
Modified Files:
pkgsrc/devel/git: Makefile.version
pkgsrc/devel/git-base: Makefile distinfo
Log Message:
git: update to 2.14.2
Fixes since v2.14.1
* Because recent Git for Windows do come with a real msgfmt, the
build procedure for git-gui has been updated to use it instead of a
hand-rolled substitute.
* "%C(color name)" in the pretty print format always produced ANSI
color escape codes, which was an early design mistake. They now
honor the configuration (e.g. "color.ui = never") and also tty-ness
of the output medium.
* The http.{sslkey,sslCert} configuration variables are to be
interpreted as a pathname that honors "~[username]/" prefix, but
weren't, which has been fixed.
* Numerous bugs in walking of reflogs via "log -g" and friends have
been fixed.
* "git commit" when seeing an totally empty message said "you did not
edit the message", which is clearly wrong. The message has been
corrected.
* When a directory is not readable, "gitweb" fails to build the
project list. Work this around by skipping such a directory.
* A recently added test for the "credential-cache" helper revealed
that EOF detection done around the time the connection to the cache
daemon is torn down were flaky. This was fixed by reacting to
ECONNRESET and behaving as if we got an EOF.
* Some versions of GnuPG fail to kill gpg-agent it auto-spawned
and such a left-over agent can interfere with a test. Work it
around by attempting to kill one before starting a new test.
* "git log --tag=no-such-tag" showed log starting from HEAD, which
has been fixed---it now shows nothing.
* The "tag.pager" configuration variable was useless for those who
actually create tag objects, as it interfered with the use of an
editor. A new mechanism has been introduced for commands to enable
pager depending on what operation is being carried out to fix this,
and then "git tag -l" is made to run pager by default.
* "git push --recurse-submodules $there HEAD:$target" was not
propagated down to the submodules, but now it is.
* Commands like "git rebase" accepted the --rerere-autoupdate option
from the command line, but did not always use it. This has been
fixed.
* "git clone --recurse-submodules --quiet" did not pass the quiet
option down to submodules.
* "git am -s" has been taught that some input may end with a trailer
block that is not Signed-off-by: and it should refrain from adding
an extra blank line before adding a new sign-off in such a case.
* "git svn" used with "--localtime" option did not compute the tz
offset for the timestamp in question and instead always used the
current time, which has been corrected.
* Memory leaks in a few error codepaths have been plugged.
* bash 4.4 or newer gave a warning on NUL byte in command
substitution done in "git stash"; this has been squelched.
* "git grep -L" and "git grep --quiet -L" reported different exit
codes; this has been corrected.
* When handshake with a subprocess filter notices that the process
asked for an unknown capability, Git did not report what program
the offending subprocess was running. This has been corrected.
* "git apply" that is used as a better "patch -p1" failed to apply a
taken from a file with CRLF line endings to a file with CRLF line
endings. The root cause was because it misused convert_to_git()
that tried to do "safe-crlf" processing by looking at the index
entry at the same path, which is a nonsense---in that mode, "apply"
is not working on the data in (or derived from) the index at all.
This has been fixed.
* Killing "git merge --edit" before the editor returns control left
the repository in a state with MERGE_MSG but without MERGE_HEAD,
which incorrectly tells the subsequent "git commit" that there was
a squash merge in progress. This has been fixed.
* "git archive" did not work well with pathspecs and the
export-ignore attribute.
* "git cvsserver" no longer is invoked by "git daemon" by default,
as it is old and largely unmaintained.
* Various Perl scripts did not use safe_pipe_capture() instead of
backticks, leaving them susceptible to end-user input. They have
been corrected.
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Oct 24 06:43:24 UTC 2017
Modified Files:
pkgsrc/devel/git: Makefile.version
pkgsrc/devel/git-base: distinfo
Log Message:
git: updated to 2.14.3
Git v2.14.3 Release Notes
Fixes since v2.14.2
* A helper function to read a single whole line into strbuf
mistakenly triggered OOM error at EOF under certain conditions,
which has been fixed.
* In addition to "cc: <a@dd.re.ss> # cruft", "cc: a@dd.re.ss # cruft"
was taught to "git send-email" as a valid way to tell it that it
needs to also send a carbon copy to <a@dd.re.ss> in the trailer
section.
* Fix regression to "gitk --bisect" by a recent update.
* Unlike "git commit-tree < file", "git commit-tree -F file" did not
pass the contents of the file verbatim and instead completed an
incomplete line at the end, if exists. The latter has been updated
to match the behaviour of the former.
* "git archive", especially when used with pathspec, stored an empty
directory in its output, even though Git itself never does so.
This has been fixed.
* API error-proofing which happens to also squelch warnings from GCC.
* "git gc" tries to avoid running two instances at the same time by
reading and writing pid/host from and to a lock file; it used to
use an incorrect fscanf() format when reading, which has been
corrected.
* The test linter has been taught that we do not like "echo -e".
* Code cmp.std.c nitpick.
* "git describe --match" learned to take multiple patterns in v2.13
series, but the feature ignored the patterns after the first one
and did not work at all. This has been fixed.
* "git cat-file --textconv" started segfaulting recently, which
has been corrected.
* The built-in pattern to detect the "function header" for HTML did
not match <H1>..<H6> elements without any attributes, which has
been fixed.
* "git mailinfo" was loose in decoding quoted printable and produced
garbage when the two letters after the equal sign are not
hexadecimal. This has been fixed.
* The documentation for '-X<option>' for merges was misleadingly
written to suggest that "-s theirs" exists, which is not the case.
* Spell the name of our system as "Git" in the output from
request-pull script.
* Fixes for a handful memory access issues identified by valgrind.
* Backports a moral equivalent of 2015 fix to the poll emulation from
the upstream gnulib to fix occasional breakages on HPE NonStop.
* In the "--format=..." option of the "git for-each-ref" command (and
its friends, i.e. the listing mode of "git branch/tag"), "%(atom:)"
(e.g. "%(refname:)", "%(body:)" used to error out. Instead, treat
them as if the colon and an empty string that follows it were not
there.
* Users with "color.ui = always" in their configuration were broken
by a recent change that made plumbing commands to pay attention to
them as the patch created internally by "git add -p" were colored
(heh) and made unusable. This has been fixed.
* "git branch -M a b" while on a branch that is completely unrelated
to either branch a or branch b misbehaved when multiple worktree
was in use. This has been fixed.
* "git fast-export" with -M/-C option issued "copy" instruction on a
path that is simultaneously modified, which was incorrect.
* The checkpoint command "git fast-import" did not flush updates to
refs and marks unless at least one object was created since the
last checkpoint, which has been corrected, as these things can
happen without any new object getting created.
* The scripts to drive TravisCI has been reorganized and then an
optimization to avoid spending cycles on a branch whose tip is
tagged has been implemented.
* "git fetch <there> <src>:<dst>" allows an object name on the <src>
side when the other side accepts such a request since Git v2.5, but
the documentation was left stale.
* A regression in 2.11 that made the code to read the list of
alternate object stores overrun the end of the string has been
fixed.
Also contains various documentation updates and code clean-ups.
|
|
|
|
net/nagios-plugin-ldap: build fix
Revisions pulled up:
- net/nagios-plugin-ldap/Makefile 1.19
- net/nagios-plugins/Makefile.common 1.15
- net/nagios-plugins/distinfo 1.23
- net/nagios-plugins/patches/patch-configure 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Nov 8 03:20:49 UTC 2017
Modified Files:
pkgsrc/net/nagios-plugin-ldap: Makefile
pkgsrc/net/nagios-plugins: Makefile.common distinfo
pkgsrc/net/nagios-plugins/patches: patch-configure
Log Message:
net/nagios-plugin-ldap: fix build problem
Fix build problem of nagios-plugin-ldap using --with-ldap option of
configure.
This is minimum change to build fix for nagios-plugin-ldap.
|
|
textproc/ruby-nokogiri: bugfix
Revisions pulled up:
- textproc/ruby-nokogiri/Makefile 1.37
- textproc/ruby-nokogiri/PLIST 1.24
- textproc/ruby-nokogiri/distinfo 1.26
---
Module Name: pkgsrc
Committed By: tsutsui
Date: Fri Oct 20 15:56:58 UTC 2017
Modified Files:
pkgsrc/textproc/ruby-nokogiri: Makefile PLIST distinfo
Log Message:
nokogiri: update to 1.8.1.
This version is necessary for ruby-mini_portile2 2.3.0 in pkgsrc-2017Q3.
pkgsrc changes:
- strict dependency against ruby-mini_portile2 as defined in the Gemfile
- take maintainership
Upstream changes (from CHANGELOG.md):
# 1.8.1 / 2017-09-19
## Dependencies
* [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
* [MRI] libxslt is updated from 1.1.29 to 1.1.30.
* [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
* [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.
## Bugs
* NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
* [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
|
|
|
|
www/apache22: security patch
Revisions pulled up:
- www/apache22/Makefile 1.114
- www/apache22/distinfo 1.68
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Thu Sep 28 04:58:29 UTC 2017
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Log Message:
apache: update to 2.2.34nb1.
Apply upstream patch to fix CVE 2017-9798.
To generate a diff of this commit:
cvs rdiff -u -r1.113 -r1.114 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.67 -r1.68 pkgsrc/www/apache22/distinfo
|
|
|
|
mail/roundcube: security update
mail/roundcube-plugin-enigma: security update
mail/roundcube-plugin-password: security update
mail/roundcube-plugin-zipdownload: security update
Revisions pulled up:
- mail/roundcube-plugin-enigma/distinfo 1.7
- mail/roundcube-plugin-password/distinfo 1.7
- mail/roundcube-plugin-zipdownload/distinfo 1.7
- mail/roundcube/Makefile.common 1.7
- mail/roundcube/distinfo 1.58
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Nov 9 01:13:12 UTC 2017
Modified Files:
pkgsrc/mail/roundcube: Makefile.common distinfo
pkgsrc/mail/roundcube-plugin-enigma: distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
pkgsrc/mail/roundcube-plugin-zipdownload: distinfo
Log Message:
mail/roundcube: update to 1.2.7
Security fix for CVE-2017-16651.
RELEASE 1.2.7
-------------
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems
(#5957)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838, #5959)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.57 -r1.58 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/mail/roundcube-plugin-enigma/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/mail/roundcube-plugin-password/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/mail/roundcube-plugin-zipdownload/distinfo
|
|
|
|
net/socket++: build fix
Revisions pulled up:
- net/socket++/Makefile 1.12
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Nov 6 13:36:39 UTC 2017
Modified Files:
pkgsrc/net/socket++: Makefile
Log Message:
socketxx: fix HOMEPAGE
|
|
www/paros: build fix
Revisions pulled up:
- www/paros/Makefile 1.18
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Nov 6 13:33:48 UTC 2017
Modified Files:
pkgsrc/www/paros: Makefile
Log Message:
paros: fix HOMEPAGE, set LICENSE
|
|
x11/rofi: build fix
Revisions pulled up:
- x11/rofi/Makefile 1.7
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Nov 6 13:35:43 UTC 2017
Modified Files:
pkgsrc/x11/rofi: Makefile
Log Message:
rofi: fix HOMEPAGE
|
|
|
|
net/rsync: security patch
Revisions pulled up:
- net/rsync/Makefile 1.105
- net/rsync/distinfo 1.45
- net/rsync/patches/patch-authenticate.c 1.3
- net/rsync/patches/patch-xattrs.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: spz
Date: Fri Nov 10 06:59:16 UTC 2017
Modified Files:
pkgsrc/net/rsync: Makefile distinfo
Added Files:
pkgsrc/net/rsync/patches: patch-authenticate.c patch-xattrs.c
Log Message:
patch for CVE-2017-16548, mitigation for weak checksums
To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.105 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.44 -r1.45 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r0 -r1.3 pkgsrc/net/rsync/patches/patch-authenticate.c
cvs rdiff -u -r0 -r1.1 pkgsrc/net/rsync/patches/patch-xattrs.c
|
|
|
|
www/curl: security update
Revisions pulled up:
- www/curl/Makefile 1.188-1.189
- www/curl/PLIST 1.66
- www/curl/distinfo 1.137-1.138
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 4 06:32:58 UTC 2017
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Log Message:
curl: update to 7.56.0.
Curl and libcurl 7.56.0
This release includes the following changes:
o curl: enable compression for SCP/SFTP with --compressed-ssh [11]
o libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION [11]
o vtls: added dynamic changing SSL backend with curl_global_sslset() [28]
o new MIME API, curl_mime_init() and friends [32]
o openssl: initial SSLKEYLOGFILE implementation [36]
This release includes the following bugfixes:
o FTP: zero terminate the entry path even on bad input [67]
o examples/ftpuploadresume.c: use portable code
o runtests: match keywords case insensitively
o travis: build the examples too [1]
o strtoofft: reduce integer overflow risks globally [2]
o zsh.pl: produce a working completion script again [3]
o cmake: remove dead code for CURL_DISABLE_RTMP [4]
o progress: Track total times following redirects [5]
o configure: fix --disable-threaded-resolver [6]
o cmake: remove dead code for DISABLED_THREADSAFE [7]
o configure: fix clang version detection
o darwinssi: fix error: variable length array used
o travis: add metalink to some osx builds [8]
o configure: check for __builtin_available() availability [9]
o http_proxy: fix build error for CURL_DOES_CONVERSIONS [10]
o examples/ftpuploadresume: checksrc compliance
o ftp: fix CWD when doing multicwd then nocwd on same connection [12]
o system.h: remove all CURL_SIZEOF_* defines [13]
o http: Don't wait on CONNECT when there is no proxy [14]
o system.h: check for __ppc__ as well [15]
o http2_recv: return error better on fatal h2 errors [16]
o scripts/contri*sh: use "git log --use-mailmap"
o tftp: fix memory leak on too long filename [17]
o system.h: fix build for hppa [18]
o cmake: enable picky compiler options with clang and gcc [19]
o makefile.m32: add support for libidn2 [20]
o curl: turn off MinGW CRT's globbing [21]
o request-target.d: mention added in 7.55.0
o curl: shorten and clean up CA cert verification error message [22]
o imap: support PREAUTH [23]
o CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
o examples/threaded-ssl: mention that this is for openssl before 1.1
o winbuild: fix embedded manifest option [24]
o tests: Make sure libtests & unittests call curl_global_cleanup()
o system.h: include sys/poll.h for AIX [25]
o darwinssl: handle long strings in TLS certs [26]
o strtooff: fix build for systems with long long but no strtoll [27]
o asyn-thread: Improved cleanup after OOM situations
o HELP-US.md: "How to get started helping out in the curl project" [29]
o curl.h: CURLSSLBACKEND_WOLFSSL used wrong value [30]
o unit1301: fix error message on first test
o ossfuzz: moving towards the ideal integration [31]
o http: fix a memory leakage in checkrtspprefix()
o examples/post-callback: stop returning one byte at a time
o schannel: return CURLE_SSL_CACERT on failed verification [33]
o MAIL-ETIQUETTE: added "1.9 Your emails are public"
o http-proxy: treat all 2xx as CONNECT success [34]
o openssl: use OpenSSL's default ciphers by default [35]
o runtests.pl: support attribute "nonewline" in part verify/upload
o configure: remove --enable-soname-bump and SONAME_BUMP [37]
o travis: add c-ares enabled builds linux + osx [38]
o vtls: fix WolfSSL 3.12 build problems [39]
o http-proxy: when not doing CONNECT, that phase is done immediately [40]
o configure: fix curl_off_t check's include order [41]
o configure: use -Wno-varargs on clang 3.9[.X] debug builds
o rtsp: do not call fwrite() with NULL pointer FILE * [42]
o mbedtls: enable CA path processing [43]
o travis: add build without HTTP/SMTP/IMAP
o checksrc: verify more code style rules [44]
o HTTP proxy: on connection re-use, still use the new remote port [45]
o tests: add initial gssapi test using stub implementation [46]
o rtsp: Segfault when using WRITEDATA [47]
o docs: clarify the CURLOPT_INTERLEAVE* options behavior
o non-ascii: use iconv() with 'char **' argument [48]
o server/getpart: provide dummy function to build conversion enabled
o conversions: fix several compiler warnings
o openssl: add missing includes [49]
o schannel: Support partial send for when data is too large [50]
o socks: fix incorrect port number in SOCKS4 error message [51]
o curl: fix integer overflow in timeout options [52]
o travis: on mac, don't install openssl or libidn [53]
o cookies: reject oversized cookies instead of truncating [54]
o cookies: use lock when using CURLINFO_COOKIELIST [55]
o curl: check fseek() return code and bail on error
o examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
o openssl: only verify RSA private key if supported [56]
o tests: make the imap server not verify user+password [57]
o imap: quote atoms properly when escaping characters [58]
o tests: fix a compiler warning in test 643
o file_range: avoid integer overflow when figuring out byte range [59]
o curl.h: include <sys/select.h> on cygwin too [60]
o reuse_conn: don't copy flags that are known to be equal [61]
o http: fix adding custom empty headers to repeated requests [62]
o docs: clarify the use of environment variables for proxy [63]
o docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS [64]
o connect: fix race condition with happy eyeballs timeout [65]
o cookie: fix memory leak if path was set twice in header [66]
o vtls: compare and clone ssl configs properly [68]
o proxy: read the "no_proxy" variable only if necessary [69]
To generate a diff of this commit:
cvs rdiff -u -r1.187 -r1.188 pkgsrc/www/curl/Makefile
cvs rdiff -u -r1.65 -r1.66 pkgsrc/www/curl/PLIST
cvs rdiff -u -r1.136 -r1.137 pkgsrc/www/curl/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Mon Oct 23 06:59:36 UTC 2017
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Log Message:
curl: update to 7.56.1
Curl and libcurl 7.56.1
This release includes the following bugfixes:
o imap: if a FETCH response has no size, don't call write callback
o ftp: UBsan fixup 'pointer index expression overflowed
o failf: skip the sprintf() if there are no consumers
o fuzzer: move to using external curl-fuzzer
o lib/Makefile.m32: allow customizing dll suffixes
o docs: fix typo in curl_mime_data_cb man page
o darwinssl: add support for TLSv1.3
o build: fix --disable-crypto-auth
o lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
o openssl: fix build without HAVE_OPAQUE_EVP_PKEY
o strtoofft: Remove extraneous null check
o multi_cleanup: call DONE on handles that never got that
o tests: added flaky keyword to tests 587 and 644
o pingpong: return error when trying to send without connection
o remove_handle: call multi_done() first, then clear dns cache pointer
o mime: be tolerant about setting twice the same header list in a part.
o mime: improve unbinding top multipart from easy handle.
o mime: avoid resetting a part's encoder when part's contents change.
o mime: refuse to add subparts to one of their own descendants
o RTSP: avoid integer overflow on funny RTSP responses
o curl: don't pass semicolons when parsing Content-Disposition
o openssl: enable PKCS12 support for !BoringSSL
o FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
o CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
o CURLOPT_XFERINFODATA.3: fix duplicate see also
o test298: verify --ftp-method nowcwd with URL encoded path
o FTP: URL decode path for dir listing in nocwd mode
o smtp_done: fix memory leak on send failure
o ftpserver: support case insensitive commands
o test950; verify SMTP with custom request
o openssl: don't use old BORINGSSL_YYYYMM macros
o setopt: update current connection SSL verify params
o winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
o curl: reimplement stdin buffering in -F option
o mime: keep "text/plain" content type if user-specified
o mime: fix the content reader to handle >16K data properly
o configure: remove the C++ compiler check
o memdebug: trace send, recv and socket
o runtests: use valgrind for torture as well
o ldap: silence clang warning
o makefile.m32: allow to override gcc, ar and ranlib
o setopt: avoid integer overflows when setting millsecond values
o setopt: range check most long options
o ftp: reject illegal IP/port in PASV 227 response
o mime: do not reuse previously computed multipart size
o vtls: change struct Curl_ssl `close' field name to `close_one'
o os400: add missing symbols in config file
o mime: limit bas64-encoded lines length to 76 characters
o mk-ca-bundle: Remove URL for aurora
o mk-ca-bundle: Fix URL for NSS
To generate a diff of this commit:
cvs rdiff -u -r1.188 -r1.189 pkgsrc/www/curl/Makefile
cvs rdiff -u -r1.137 -r1.138 pkgsrc/www/curl/distinfo
|
|
emulators/stella: build fix
Revisions pulled up:
- emulators/stella/distinfo 1.22
- emulators/stella/patches/patch-configure 1.4
---
Module Name: pkgsrc
Committed By: dbj
Date: Fri Nov 3 07:49:58 UTC 2017
Modified Files:
pkgsrc/emulators/stella: distinfo
pkgsrc/emulators/stella/patches: patch-configure
Log Message:
tweak clang compiler version matching
|
|
sysutils/augeas: security fix
Revisions pulled up:
- sysutils/augeas/Makefile 1.3
- sysutils/augeas/PLIST 1.2
- sysutils/augeas/distinfo 1.3
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Nov 3 11:05:43 UTC 2017
Modified Files:
pkgsrc/sysutils/augeas: Makefile PLIST distinfo
Log Message:
Update Augeas to 1.9.0.
The changelog is too long for this commit message, go find it at
https://github.com/hercules-team/augeas/releases and
http://augeas.net/news.html.
Note that 1.8.1 included the following:
Fix error in handling escaped whitespace at the end of path expressions
(addresses CVE-2017-7555).
|
|
net/py-suds: build fix
Revisions pulled up:
- net/py-suds/Makefile 1.10
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Nov 3 19:40:31 UTC 2017
Modified Files:
pkgsrc/net/py-suds: Makefile
Log Message:
py-suds: replace dead HOMEPAGE with bad one at pypi
|
|
sysutils/beats: build fix
Revisions pulled up:
- sysutils/beats/Makefile 1.19
---
Module Name: pkgsrc
Committed By: fhajny
Date: Thu Nov 2 15:30:50 UTC 2017
Modified Files:
pkgsrc/sysutils/beats: Makefile
Log Message:
sysutils/beats: Provide a better hint to where libpcap is. May fix
the build in some situations.
|
|
devel/idutils: FreeBSD build fix
Revisions pulled up:
- devel/idutils/distinfo 1.10
- devel/idutils/patches/patch-lib_fflush_c 1.2
- devel/idutils/patches/patch-lib_fseeko_c 1.2
---
Module Name: pkgsrc
Committed By: agc
Date: Thu Nov 2 04:26:21 UTC 2017
Modified Files:
pkgsrc/devel/idutils/patches: patch-lib_fflush_c patch-lib_fseeko_c
Log Message:
patch fflush.c and fseeko.c so that this package builds on FreeBSD HEAD
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Nov 2 04:54:27 UTC 2017
Modified Files:
pkgsrc/devel/idutils: distinfo
Log Message:
idutils: regen patch sums after previous commit
|
|
security/yara: build fix
Revisions pulled up:
- security/yara/Makefile 1.5
---
Module Name: pkgsrc
Committed By: minskim
Date: Wed Nov 1 19:29:30 UTC 2017
Modified Files:
pkgsrc/security/yara: Makefile
Log Message:
security/yara: Needs OpenSSL to build
|
|
sysutils/py-augeas: build fix
Revisions pulled up:
- sysutils/py-augeas/Makefile 1.3
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Nov 1 08:23:42 UTC 2017
Modified Files:
pkgsrc/sysutils/py-augeas: Makefile
Log Message:
py-augeas: use pypi instead of deprecated fedorahosted
|
|
textproc/xmlto: build fix
Revisions pulled up:
- textproc/xmlto/Makefile 1.31
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Nov 1 06:41:23 UTC 2017
Modified Files:
pkgsrc/textproc/xmlto: Makefile
Log Message:
xmlto: master sites / homepage from fedorahosted to pagure
|
|
devel/py-dulwich: security fix
Revisions pulled up:
- devel/py-dulwich/Makefile 1.24
- devel/py-dulwich/distinfo 1.21
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Oct 30 18:37:38 UTC 2017
Modified Files:
pkgsrc/devel/py-dulwich: Makefile distinfo
Log Message:
py-dulwich: updated to 0.18.5
0.18.5:
BUG FIXES
* Fix cwd for hooks.
* Fix setting of origin in config when non-standard origin is passed into
``Repo.clone``.
* Prevent setting SSH arguments from SSH URLs when using SSH through a
subprocess. Note that Dulwich doesn't support cloning submodules.
(CVE 2017-1000117)
IMPROVEMENTS
* Silently ignored directories in ``Repo.stage``.
API CHANGES
* GitFile now raises ``FileLocked`` when encountering a lock
rather than OSError(EEXIST).
|
|
mail/imapsync: build fix
Revisions pulled up:
- mail/imapsync/Makefile 1.20
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Nov 1 05:27:44 UTC 2017
Modified Files:
pkgsrc/mail/imapsync: Makefile
Log Message:
imapsync: switch homepage/master sites fedorahosted -> pagure
|
|
fonts/lohit-fonts: build fix
Revisions pulled up:
- fonts/lohit-fonts/Makefile 1.6
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Nov 1 05:19:33 UTC 2017
Modified Files:
pkgsrc/fonts/lohit-fonts: Makefile
Log Message:
lohit-fonts: replace fedorahosted with pagure
|
|
fonts/liberation-ttf: build fix
Revisions pulled up:
- fonts/liberation-ttf/Makefile 1.15
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Nov 1 05:17:06 UTC 2017
Modified Files:
pkgsrc/fonts/liberation-ttf: Makefile
Log Message:
liberation-ttf: add non-fedorahosted MASTER_SITES
|
|
math/R: Darwin build fix
Revisions pulled up:
- math/R/PLIST.Darwin 1.6
---
Module Name: pkgsrc
Committed By: jperkin
Date: Mon Oct 30 11:49:38 UTC 2017
Modified Files:
pkgsrc/math/R: PLIST.Darwin
Log Message:
R: Add missing zoneinfo file from previous update.
|
|
|