with NetBSD -current autoconf will recognize the IPMI user interface.
sysutils/syslog-ng: NetBSD bugfix
Revisions pulled up:
- sysutils/syslog-ng/Makefile 1.34
- sysutils/syslog-ng/distinfo 1.16
- sysutils/syslog-ng/patches/patch-lib_signal-handler.c 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Mar 15 10:04:00 UTC 2019
Modified Files:
pkgsrc/sysutils/syslog-ng: Makefile distinfo
Added Files:
pkgsrc/sysutils/syslog-ng/patches: patch-lib_signal-handler.c
Log Message:
syslog-ng overloads sigaction() with its own version, and calls the libc
sigaction() with a dlsym call. On NetBSD this ends up calling the compatibility
sigaction() which fails with ENOSYS if COMPAT_13 is not in the kernel.
Even with COMPAT_13 it would be incorrect because we call the compat
sigaction() with the non-compat arguments.
On NetBSD, fix this by explicitly calling __libc_sigaction14().
Bump PKGREVISION
www/ikiwiki: security fix
Revisions pulled up:
- www/ikiwiki/Makefile 1.161-1.162
- www/ikiwiki/distinfo 1.132
---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Feb 28 22:00:49 UTC 2019
Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo
Log Message:
Update to ikiwiki. From the changelog:
* aggregate: Use LWPx::ParanoidAgent if available.
Previously blogspam, openid and pinger used this module if available,
but aggregate did not. This prevents server-side request forgery or
local file disclosure, and mitigates denial of service when slow
"tarpit" URLs are accessed.
(CVE-2019-9187)
* blogspam, openid, pinger: Use a HTTP proxy if configured, even if
LWPx::ParanoidAgent is installed.
Previously, only aggregate would obey proxy configuration. If a proxy
is used, the proxy (not ikiwiki) is responsible for preventing attacks
like CVE-2019-9187.
* aggregate, blogspam, openid, pinger: Do not access non-http, non-https
URLs.
Previously, these plugins would have allowed non-HTTP-based requests if
LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
file disclosure, and preventing other rarely-used URI schemes like
gopher mitigates request forgery attacks.
* aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
recommended.
These plugins can request attacker-controlled URLs in some site
configurations.
* blogspam: Document LWPx::ParanoidAgent as desirable.
This plugin doesn't request attacker-controlled URLs, so it's
non-critical here.
* blogspam, openid, pinger: Consistently use cookiejar if configured.
Previously, these plugins would only obey this configuration if
LWPx::ParanoidAgent was not installed, but this appears to have been
unintended.
* po: Always filter .po files.
The po plugin in previous ikiwiki releases made the second and
subsequent filter call per (page, destpage) pair into a no-op,
apparently in an attempt to prevent *recursive* filtering (which as
far as we can tell can't happen anyway), with the undesired effect
of interpreting the raw .po file as page content (e.g. Markdown)
if it was inlined into the same page twice, which is apparently
something that tails.org does. Simplify this by deleting the code
that prevented repeated filtering. Thanks, intrigeri
(Closes: #911356)
---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Feb 28 22:20:01 UTC 2019
Modified Files:
pkgsrc/www/ikiwiki: Makefile
Log Message:
Add dependency on p5-LWPx-ParanoidAgent. Ride recent version bump.
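The two controls the ikiwiki entry above describes (allow only http/https URLs, and, as LWPx::ParanoidAgent does, refuse hosts that resolve to loopback, link-local or private addresses) are shown below as an added Python example; it is not ikiwiki's Perl code. Name resolution is replaced by a constructed lookup table so the check runs offline, and the resolve() helper and the use_proxy flag are assumptions for illustration. It also demonstrates why every resolved address must be checked, not just the first, and why scheme filtering still applies when a proxy is used.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hostname -> addresses), so the check runs
# offline.  Real code would call socket.getaddrinfo() and test every answer.
FAKE_DNS = {
    "blog.example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],        # cloud metadata address
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # public + private
    "localhost": ["127.0.0.1", "::1"],
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host):
    """Hypothetical resolver backed by FAKE_DNS; raises KeyError if unknown."""
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def is_forbidden_address(addr):
    """Address classes a paranoid user agent refuses to connect to."""
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def check_fetch_url(url, use_proxy=False):
    """Return (allowed, reason) for an outbound fetch of url.

    The scheme check always runs: it is what blocks file:// (local file
    disclosure) and gopher:// (request forgery against other services).
    The address check is skipped when a proxy is configured, because then
    the proxy, not this code, chooses where to connect; the proxy must do
    its own filtering, as the changelog notes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if use_proxy:
        return True, "address check delegated to proxy"
    try:
        addrs = [ipaddress.ip_address(host)]      # IP literal, incl. [::1]
    except ValueError:
        try:
            addrs = resolve(host)
        except KeyError:
            return False, "unresolvable host %r" % host
    # Reject if ANY answer is internal: a rebinding domain can return a
    # public and a private address and rely on the client picking either.
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, "host %s resolves to forbidden address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://blog.example.org/feed.xml",
              "file:///etc/passwd",
              "gopher://blog.example.org:25/",
              "http://metadata.internal/latest/meta-data/",
              "http://rebind.example.net/",
              "http://[::1]/"]:
        print(u, check_fetch_url(u))
```

The check runs before the connection is made; a production agent additionally has to apply the same test on every redirect hop, since a permitted public host can 302 to an internal address.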
www/webkit-gtk: security fix (remote code execution)
Revisions pulled up:
- www/webkit-gtk/Makefile 1.156-1.157
- www/webkit-gtk/PLIST 1.46
- www/webkit-gtk/distinfo 1.115-1.116
- www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Sat Feb 9 11:29:45 UTC 2019
Modified Files:
pkgsrc/www/webkit-gtk: Makefile PLIST distinfo
Log Message:
webkit-gtk: Update to 2.22.6
pkgsrc changes:
- Set USE_GCC_RUNTIME to depend on gcc6-libs when pkgsrc gcc is used
(XXX: Not tested and not clear if currently mk/compiler/gcc.mk DTRT
XXX: regarding (if not, that's probably why firefox/mozilla-common.mk
XXX: abuses USE_PKGSRC_GCC_RUNTIME!))
Changes:
WebKitGTK+ 2.22.6
=================
- Make kinetic scrolling slow down smoothly when reaching the ends of
pages, instead of abruptly, to better match the GTK+ behaviour.
- Fix Web inspector magnifier under Wayland.
- Fix garbled rendering of some websites (e.g. YouTube) while scrolling
under X11.
- Fix several crashes, race conditions, and rendering issues.
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Feb 21 18:52:15 UTC 2019
Modified Files:
pkgsrc/www/webkit-gtk: Makefile distinfo
Added Files:
pkgsrc/www/webkit-gtk/patches:
patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
Log Message:
webkit-gtk: backport upstream patch. security fix.
Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
<rdar://problem/48183773>
Reviewed by Yusuke Suzuki.
Fix doesGC() for the following nodes:
CompareEq:
CompareLess:
CompareLessEq:
CompareGreater:
CompareGreaterEq:
CompareStrictEq:
Only return false (i.e. does not GC) for child node use kinds that have
been vetted to not do anything that can GC. For all other use kinds
(including StringUse and BigIntUse), we return true (i.e. does GC).
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
This was published alongside exploit code claiming it is remote
code execution, but I don't understand what the exploit is doing.
bump PKGREVISION
www/drupal8: security fix (remote code execution)
Revisions pulled up:
- www/drupal8/Makefile 1.17-1.18
- www/drupal8/PLIST 1.14-1.15
- www/drupal8/distinfo 1.16-1.17
- www/drupal8/patches/patch-core_lib_Drupal_Core_Extension_ModulesHandler.php deleted
---
Module Name: pkgsrc
Committed By: wen
Date: Sat Feb 9 00:09:54 UTC 2019
Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/drupal8/patches:
patch-core_lib_Drupal_Core_Extension_ModulesHandler.php
Log Message:
Update to 8.6.9
Remove the patch that was included upstream
Upstream changes:
8.6.7:
This is a hotfix release for a regression affecting some Drush installations that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.
8.6.8:
Changes since 8.6.7
#2975539 by mondrake, alexpott, marcoscano, desierto: Changing machine name of image style leads to WSOD when loading widgets that used the old name
#2859315 by quietone, heddn, jhodgdon: SQL error from profile_fields when migrating d6 (or d7) to d8 without Profile module
#2443165 by davidwbarratt, amateescu, HOG, kostyashupenko, yched, Berdir, andypost, alexpott, tstoeckler, xjm: Drupal\Core\Entity\EntityInterface\ContentEntityStorageBase::doCreate() assumes that the bundle is a string
#2849074 by decafdennis, alexpott, zuuperman, AdamPS, sagesolutions, tucho, xjm: SiteConfigureForm overrides value from install profile
#3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
#2215857 by michielnugter, Lendude, gmercer, tim.plunkett, cferthorney, marabak, olli, ericmulder1980, TwoD, sanduhrs, stella, dww, nod_: Behaviors get attached to removed forms
#3017812 by ibustos, joachim: Language selector is immune to hook_entity_field_access in entity forms
#2900883 by larskhansen, GaëlG, kalyansamanta, Chi, tim.plunkett, Gábor Hojtsy, joachim: Wrong documentation of Drupal\Component\Plugin\Derivative\DeriverInterface::getDerivativeDefinitions()
#3027595 by amateescu, pmelab: Incorrect blacklist condition in WorkspaceManager
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, lauriii, catch, cilefen, Cottser: [regression] Table Drag handles no longer respond to up/down arrow keys
Revert "Issue #2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys"
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys
#2937073 by tim.plunkett, Saviktor, tedbow: Improve robustness of FieldBlockTest
#2973713 by quietone, Adita, etecjdo, apmsooner, mikeryan, gnuschichten, tstoeckler: cache_key source plugin configuration not documented
#2949555 by quietone, ankitjain28may: Correct the documentation on method UserMigrationClassTest
#3025685 by quietone: Add error msg to assertions in MigrateSourceTestBase
#3026840 by izus: Fix plural typo in workspaces field
#3024452 by kfritsche, hchonov, alexpott: DatabaseStorageExpirable:setWithExpireIfNotExists is not respecting expired
#2999908 by penyaskito: View more link in recipe cards is not fully translated
#3028819 by alwaysworking: Update username
#2916021 by d.olaresko, wengerk, Chi, xjm, dawehner, idebr: Update "Running tests" section in core.api.php
#2953995 by kjay, starshaped, rachel_norfolk, Vidushi Mehta, cferthorney, HAL 9000, Eli-T, markconroy, steveparks: Update the Umami Vegan Chocolate Brownie recipe
#3028608 by danharper, Eli-T, markconroy, Not Real: Umami - favicon
#2940027 by jmsosso: Add change record to @deprecated for AccountInterface
#2995150 by msankhala, tim.plunkett: Command examples in core/tests/README.md are confusing and not executable
#3024184 by seanB, andrewmacpherson, Kristen Pol: Make the tabbing order match the visual reading order in MediaLibraryWidget
#2668416 by Krzysztof Domański, wheatpenny, Lendude, alexpott: Wrong assert in NodeTitleTest
#2981870 by Lendude, alexpott: Duplicate BrokenSetUpTest for BrowserTestBase
#2809513 by Lendude, brentgees: Convert AJAX part of \Drupal\responsive_image\Tests\ResponsiveImageFieldUiTest to JavascriptTestBase and the rest to BrowserTestBase
#3027574 by tuutti: SqlContentEntityStorage no longer update entities with certain (id) fields
#3026043 by Berdir: ConfigEntityBase::__sleep() serializes plugin instances if they were not previously initialized
#3021395 by quietone, alexpott: MigrateDrupalTestBase::migrateContent(['translations') does not migrate translations
Revert "Issue #3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()"
#2987418 by quietone, Kristen Pol: Rename MigrateUpgrade tests
#3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()
Merged 8.6.7.
Merged 8.6.6.
#3015992 by Krzysztof Domański, alexpott, larowlan: Not affecting spacing in PhpTransliterationTest
#2998769 by kiamlaluno, quietone, kkalaskar: @see directive used in the wrong place outputs the wrong HTML markup
#3000677 by catch, Shane Birley, featherbelly, alexpott, larowlan: Fatal error after upgrade to 8.6x [due to regression in extension system]
#2955457 by pfrenssen, Chewie, unrealauk, alexpott, Pol: ConfigFactory static cache gets polluted with data from config overrides
#3020142 by mglaman, tim.plunkett: Test module no_transitions_css has invalid hook_page_attachments
#3007973 by tim.plunkett, lukasss, xopoc, bnjmnm, stompersly: Layout builder prevents the rendering of extra fields (like Links) on pages not using Layout Builder
#3024259 by Pol, alexpott: [PHP 7.3] Fix EnvironmentTest::providerTestCheckMemoryLimit() notice
#3023747 by mikelutz, heddn: D6 profile migrations assume stubs, which fail
#2978922 by brathbone, philipnorton42, msankhala, hardikpandya, alexpott, siliconmeadow: Improve batch_process() documentation
#2845975 by quietone, Jo Fitzgerald, aleevas, maxocub, Gábor Hojtsy: Migrate Drupal 6 user profile field value option translations
#2701829 by alexpott, andypost, Soul88, Graber, Eduardo Morales, dawehner, pingwin4eg, catch, Berdir, jibran, httang12: Extension objects should not implement \Serializable
#2693727 by mikelutz, sanduhrs, CalebD, ajlib, Lendude, tstoeckler, catch: Limiting options for exposed Language filters causes errors and doesn't work for special languages
8.6.9:
Changes since 8.6.8:
#2215857 followup by gaydamaka, timmillwood, alexpott, lauriii: Regression on Internet Explorer 11
#3031128 by alexpott, TrevorBradley, indigoxela, catch, cilefen, larowlan, jibran: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer
Revert "Issue #2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD"
#2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 24 16:31:39 UTC 2019
Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Log Message:
www/drupal8: update to 8.6.10
Drupal 8.6.10 (2019-02-20)
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement and notes below:
* Drupal core - Remote code execution - SA-CORE-2019-003
Sites on 8.5.x or earlier should update immediately to Drupal 8.5.11 instead,
and plan to update to the latest 8.6.x release before May 2019 (when 8.7.0 is
released and 8.5.x security coverage ends).
Important update information
For site owners
* In addition to the above fix, this release includes the fix for #3031740:
Updating to 8.6.8 or 8.6.9 with Drush 8 causes data loss via
update_fix_compatibility() to prevent Drush 8 issues for sites updating
directly from an earlier security release.
* update.php must be run after updating to ensure changes from the patch take
effect.
* No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary if your site is already on the previous
release.
For module developers
Some contributed module tests may need to be updated if they extend core's
test suite, due to a minor API change in a test base class.
net/tor: security fix
Revisions pulled up:
- net/tor/Makefile 1.136-1.137
- net/tor/PLIST 1.14
- net/tor/distinfo 1.96-1.97
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Jan 8 08:39:55 UTC 2019
Modified Files:
pkgsrc/net/tor: Makefile PLIST distinfo
Log Message:
tor: updated to 0.3.5.7
Changes in version 0.3.5.7:
Tor 0.3.5.7 is the first stable release in its series; it includes
compilation and portability fixes, and a fix for a severe problem
affecting directory caches.
The Tor 0.3.5 series includes several new features and performance
improvements, including client authorization for v3 onion services,
cleanups to bootstrap reporting, support for improved bandwidth-
measurement tools, experimental support for NSS in place of OpenSSL,
and much more. It also begins a full reorganization of Tor's code
layout, for improved modularity and maintainability in the future.
Finally, there is the usual set of performance improvements and
bugfixes that we try to do in every release series.
There are a couple of changes in the 0.3.5 that may affect
compatibility. First, the default version for newly created onion
services is now v3. Use the HiddenServiceVersion option if you want to
override this. Second, some log messages related to bootstrapping have
changed; if you use stem, you may need to update to the latest version
so it will recognize them.
We have designated 0.3.5 as a "long-term support" (LTS) series: we
will continue to patch major bugs in typical configurations of 0.3.5
until at least 1 Feb 2022. (We do not plan to provide long-term
support for embedding, Rust support, NSS support, running a directory
authority, or unsupported platforms. For these, you will need to stick
with the latest stable release.)
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Feb 22 08:47:51 UTC 2019
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
tor: updated to 0.3.5.8
Changes in version 0.3.5.8:
Tor 0.3.5.8 backports several fixes from later releases, including fixes
for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x
releases.
It also includes a fix for a medium-severity security bug affecting Tor
0.3.2.1-alpha and later. All Tor instances running an affected release
should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.
o Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can
put in the outbuf. Previously, KIST acted as though the outbuf
were empty, which could lead to the outbuf becoming too full. It
is possible that an attacker could exploit this bug to cause a Tor
client or relay to run out of memory and crash. Fixes bug 29168;
bugfix on 0.3.2.1-alpha. This issue is also being tracked as
TROVE-2019-001 and CVE-2019-8955.
o Major bugfixes (networking, backport from 0.4.0.2-alpha):
- Gracefully handle empty username/password fields in SOCKS5
username/password auth message and allow SOCKS5 handshake to
continue. Previously, we had rejected these handshakes, breaking
certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
o Minor features (compilation, backport from 0.4.0.2-alpha):
- Compile correctly when OpenSSL is built with engine support
disabled, or with deprecated APIs disabled. Closes ticket 29026.
Patches from "Mangix".
o Minor features (geoip):
- Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
Country database. Closes ticket 29478.
o Minor features (testing, backport from 0.4.0.2-alpha):
- Treat all unexpected ERR and BUG messages as test failures. Closes
ticket 28668.
o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha):
- Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
connection waiting for a descriptor that we actually have in the
cache. It turns out that this can actually happen, though it is
rare. Now, tor will recover and retry the descriptor. Fixes bug
28669; bugfix on 0.3.2.4-alpha.
o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha):
- Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
IPv6 socket was bound using an address family of AF_INET instead
of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
Kris Katterjohn.
o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
- Update Cargo.lock file to match the version made by the latest
version of Rust, so that "make distcheck" will pass again. Fixes
bug 29244; bugfix on 0.3.3.4-alpha.
o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha):
- Select guards even if the consensus has expired, as long as the
consensus is still reasonably live. Fixes bug 24661; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.0.1-alpha):
- Compile correctly on OpenBSD; previously, we were missing some
headers required in order to detect it properly. Fixes bug 28938;
bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (documentation, backport from 0.4.0.2-alpha):
- Describe the contents of the v3 onion service client authorization
files correctly: They hold public keys, not private keys. Fixes
bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".
o Minor bugfixes (logging, backport from 0.4.0.1-alpha):
- Rework rep_hist_log_link_protocol_counts() to iterate through all
link protocol versions when logging incoming/outgoing connection
counts. Tor no longer skips version 5, and we won't have to
remember to update this function when new link protocol version is
developed. Fixes bug 28920; bugfix on 0.2.6.10.
o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
- Log more information at "warning" level when unable to read a
private key; log more information at "info" level when unable to
read a public key. We had warnings here before, but they were lost
during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (misc, backport from 0.4.0.2-alpha):
- The amount of total available physical memory is now determined
using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
when it is defined and a 64-bit variant is not available. Fixes
bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
- Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
than one private key for a hidden service. Fixes bug 29040; bugfix
on 0.3.5.1-alpha.
- In hs_cache_store_as_client() log an HSDesc we failed to parse at
"debug" level. Tor used to log it as a warning, which caused very
long log lines to appear for some users. Fixes bug 29135; bugfix
on 0.3.2.1-alpha.
- Stop logging "Tried to establish rendezvous on non-OR circuit..."
as a warning. Instead, log it as a protocol warning, because there
is nothing that relay operators can do to fix it. Fixes bug 29029;
bugfix on 0.2.5.7-rc.
o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha):
- Mark outdated dirservers when Tor only has a reasonably live
consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.
o Minor bugfixes (tests, backport from 0.4.0.2-alpha):
- Detect and suppress "bug" warnings from the util/time test on
Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
- Do not log an error-level message if we fail to find an IPv6
network interface from the unit tests. Fixes bug 29160; bugfix
on 0.2.7.3-rc.
o Minor bugfixes (usability, backport from 0.4.0.1-alpha):
- Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
Some users took this phrasing to mean that the mentioned guard was
under their control or responsibility, which it is not. Fixes bug
28895; bugfix on Tor 0.3.0.1-alpha.
net/bind912: security fix
Revisions pulled up:
- net/bind912/Makefile 1.8-1.9
- net/bind912/PLIST 1.2
- net/bind912/distinfo 1.6
- net/bind912/options.mk 1.3
---
Module Name: pkgsrc
Committed By: he
Date: Thu Jan 17 08:53:37 UTC 2019
Modified Files:
pkgsrc/net/bind912: Makefile PLIST options.mk
Log Message:
Add a "dnstap" option, defaults to off.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 22 01:24:24 UTC 2019
Modified Files:
pkgsrc/net/bind912: Makefile distinfo
Log Message:
net/bind912: update to 9.12.3pl4
Update bind912 to 9.12.3pl4 (BIND 9.12.3-P4).
--- 9.12.3-P4 released ---
--- 9.12.3-P3 released (withdrawn) ---
5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
--- 9.12.3-P2 released (withdrawn) ---
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
net/bind911: security fix
Revisions pulled up:
- net/bind911/Makefile 1.7
- net/bind911/distinfo 1.6
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 22 01:22:38 UTC 2019
Modified Files:
pkgsrc/net/bind911: Makefile distinfo
Log Message:
net/bind911: update to 9.11.5pl4
Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).
--- 9.11.5-P4 released ---
--- 9.11.5-P3 released (withdrawn) ---
5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
--- 9.11.5-P2 released (withdrawn) ---
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
mail-dovecot2: security fix
Revisions pulled up:
- mail/dovecot2-sqlite/Makefile 1.17
- mail/dovecot2/Makefile.common 1.24
- mail/dovecot2/distinfo 1.88
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 6 01:41:28 UTC 2019
Modified Files:
pkgsrc/mail/dovecot2: Makefile.common distinfo
Log Message:
mail/dovecot2: update to 2.3.4.1
v2.3.4.1 2019-02-05 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 6 01:42:16 UTC 2019
Modified Files:
pkgsrc/mail/dovecot2-sqlite: Makefile
Log Message:
mail/dovecot2-sqlite: reset PKGREVISION
Reset PKGREVISION with update to 2.3.4.1.
www/ruby-rack16: security fix
Revisions pulled up:
- www/ruby-rack16/Makefile 1.2
- www/ruby-rack16/distinfo 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 15:53:03 UTC 2019
Modified Files:
pkgsrc/www/ruby-rack16: Makefile distinfo
Log Message:
www/ruby-rack16: update to 1.6.11
* pkgsrc change: add "USE_LANGUAGES= # none" line.
Update to 1.6.11 which fixes security problems of CVE-2018-16471.
(CVE-2018-16470 is only for rack 2.0.x.)
www/ruby-rack: security fix
Revisions pulled up:
- www/ruby-rack/Makefile 1.26
- www/ruby-rack/distinfo 1.23
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 15:51:31 UTC 2019
Modified Files:
pkgsrc/www/ruby-rack: Makefile distinfo
Log Message:
www/ruby-rack: update to 2.0.6
* pkgsrc change: add "USE_LANGUAGES= # none" line.
Update to 2.0.6 which fixes security problems of CVE-2018-16470 and
CVE-2018-16471.
lang/pear: security fix
Revisions pulled up:
- lang/pear/Makefile 1.45-1.46
- lang/pear/distinfo 1.32-1.33
- lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 14:06:58 UTC 2019
Modified Files:
pkgsrc/lang/pear: Makefile distinfo
Log Message:
lang/pear: update Archive_Tar pear package to 1.4.6
Update Archive_Tar pear package to 1.4.6.
Bump PKGREVISION.
1.4.4 (2018-12-20)
* Fix Bug #21058: Long symlinks are not supported [mrook]
* Fix Bug #23782: Prevent phar:// files from being extracted [mrook]
1.4.5 (2019-02-01)
* Fix Bug #23788: Relative symlinks are broken [mrook]
1.4.6 (2019-02-01)
* Improve path traversal detection for forward and backward slashes
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 7 13:40:57 UTC 2019
Modified Files:
pkgsrc/lang/pear: Makefile distinfo
Added Files:
pkgsrc/lang/pear/patches: patch-.._Archive__Tar-1.4.5_Archive_Tar.php
Log Message:
lang/pear: fix broken package with previous commit
Fix broken package with previous commit.
* Make Archive_Tar 1.4.5, for which I have the distfile.
* Upload Archive_Tar-1.4.5.tgz to MASTER_SITE_LOCAL.
* Add patch to update Archive/Tar.php to 1.4.6 from GitHub.
No PKGREVISION bump since it was broken.
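The three Archive_Tar fixes listed above (refuse phar:// members, keep relative symlinks working without letting them point outside the tree, and detect traversal with either slash style) amount to one pre-extraction check on each tar member. Below is that check as an added Python example; it is not Archive_Tar's PHP code, and check_member() together with its sample entries is constructed for illustration. The extraction directory is treated as "." so the result is a normalized relative path.

```python
import posixpath
import re

# Any "scheme://" prefix.  In PHP such a name selects a stream wrapper
# (phar://, php://, ftp:// ...) instead of a plain file; no legitimate
# tar member name looks like this, so reject it outright.
_WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")   # C:\ or C:/ style absolute name


def _normalize(name):
    """Collapse '.' and '..' after mapping backslashes to slashes.

    The order matters: splitting only on '/' would let '..\\..\\etc\\passwd'
    through, which is the gap the 1.4.6 entry above closes."""
    return posixpath.normpath(name.replace("\\", "/"))


def _escapes(relpath):
    """True if a normalized relative path leaves its base directory."""
    return relpath == ".." or relpath.startswith("../")


def _is_absolute(path):
    return path.startswith(("/", "\\")) or bool(_DRIVE_RE.match(path))


def check_member(name, linkname=None):
    """Return (ok, detail) for one tar member.

    name      member name as stored in the archive
    linkname  symlink target if the member is a symlink, else None
    On success detail is the normalized relative path to extract to."""
    if _WRAPPER_RE.match(name) or (linkname and _WRAPPER_RE.match(linkname)):
        return False, "stream wrapper in member name or link target"
    if _is_absolute(name):
        return False, "absolute member name"
    norm = _normalize(name)
    if _escapes(norm):
        return False, "member name traverses out of extraction dir"
    if linkname is not None:
        if _is_absolute(linkname):
            return False, "absolute symlink target"
        # A relative symlink is resolved from the member's own directory,
        # not from the extraction root.  'dir/link -> ../sibling' lands on
        # 'sibling' and is fine; 'dir/link -> ../../x' is not.
        target = _normalize(posixpath.join(posixpath.dirname(norm), linkname))
        if _escapes(target):
            return False, "symlink target escapes extraction dir"
    return True, norm


if __name__ == "__main__":
    # Constructed sample entries: (name, linkname)
    samples = [
        ("site/index.html", None),
        ("../../etc/passwd", None),
        ("..\\..\\etc\\passwd", None),
        ("phar://evil.phar/x", None),
        ("/etc/passwd", None),
        ("dir/link", "../sibling"),
        ("dir/link", "../../etc/passwd"),
    ]
    for n, l in samples:
        print(repr(n), repr(l), check_member(n, l))
```

Note that this is only the name-level check; an extractor must still refuse to follow a symlink it has already written when a later member's path passes through it, which is a separate time-of-check problem not covered here.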
textproc/libxml2, textproc/py-libxml2: security fix
Revisions pulled up:
- textproc/libxml2/Makefile 1.152
- textproc/libxml2/Makefile.common 1.12
- textproc/libxml2/distinfo 1.129-1.130
- textproc/libxml2/patches/patch-Makefile.in 1.1
- textproc/libxml2/patches/patch-aa deleted
- textproc/libxml2/patches/patch-ab deleted
- textproc/libxml2/patches/patch-ac deleted
- textproc/libxml2/patches/patch-ad deleted
- textproc/libxml2/patches/patch-ae deleted
- textproc/libxml2/patches/patch-catalog.c 1.1
- textproc/libxml2/patches/patch-configure 1.1
- textproc/libxml2/patches/patch-doc_examples_Makefile.in 1.1
- textproc/libxml2/patches/patch-parser.c deleted
- textproc/libxml2/patches/patch-python_libxml.c 1.1
- textproc/libxml2/patches/patch-result_errors_759573.xml.err deleted
- textproc/libxml2/patches/patch-xmlcatalog.c 1.1
- textproc/libxml2/patches/patch-xpath.c deleted
- textproc/libxml2/patches/patch-xzlib.c deleted
- textproc/py-libxml2/Makefile 1.63-1.64
- textproc/py-libxml2/PLIST 1.4
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jan 9 13:40:51 UTC 2019
Modified Files:
pkgsrc/textproc/libxml2: distinfo
pkgsrc/textproc/py-libxml2: Makefile
Added Files:
pkgsrc/textproc/libxml2/patches: patch-python_libxml.c
Log Message:
py-libxml2: work around a problem in error handling.
In some cases, invalid UTF-8 strings were returned which caused
python interpreter crashes. See
https://github.com/itstool/itstool/issues/22
Use a variant of the patch that was used in Fedora.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Jan 9 19:09:03 UTC 2019
Modified Files:
pkgsrc/textproc/libxml2: Makefile Makefile.common distinfo
pkgsrc/textproc/py-libxml2: Makefile PLIST
Added Files:
pkgsrc/textproc/libxml2/patches: patch-Makefile.in patch-catalog.c
patch-configure patch-doc_examples_Makefile.in patch-xmlcatalog.c
Removed Files:
pkgsrc/textproc/libxml2/patches: patch-aa patch-ab patch-ac patch-ad
patch-ae patch-parser.c patch-result_errors_759573.xml.err
patch-xpath.c patch-xzlib.c
Log Message:
libxml2: updated to 2.9.9
v2.9.9:
Security:
CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression
CVE-2018-14404 Fix nullptr deref with XPath logic ops
Documentation:
reader: Fix documentation comment
Portability:
Fix MSVC build with lzma
Variables need 'extern' in static lib on Cygwin
Really declare dllexport/dllimport for Cygwin
Merge branch 'patch-2' into 'master'
Change dir to $THEDIR after ACLOCAL_PATH check autoreconf creates aclocal.m4 in $srcdir
Improve error message if pkg.m4 couldn't be found
NaN and Inf fixes for pre-C99 compilers
Bug Fixes:
Revert "Support xmlTextReaderNextSibling w/o preparsed doc"
Fix building relative URIs
Problem with data in interleave in RelaxNG validation
Fix memory leak in xmlSwitchInputEncodingInt error path
Set doc on element obtained from freeElems
Fix HTML serialization with UTF-8 encoding
Use actual doc in xmlTextReaderRead*Xml
Unlink node before freeing it in xmlSAX2StartElement
Check return value of nodePush in xmlSAX2StartElement
Free input buffer in xmlHaltParser
Reset HTML parser input pointers on encoding failure
Don't run icu_parse_test if EUC-JP is unsupported
Fix xmlSchemaValidCtxtPtr reuse memory leak
Fix xmlTextReaderNext with preparsed document
Remove stray character from comment
Remove a misleading line from xmlCharEncOutput
HTML noscript should not close p
Don't change context node in xmlXPathRoot
Stop using XPATH_OP_RESET
Revert "Change calls to xmlCharEncInput to set flush false"
Improvements:
Fix "Problem with data in interleave in RelaxNG validation"
cleanup: remove some unreachable code
add --relative to testURI
Remove redefined starts and defines inside include elements
Allow choice within choice in nameClass in RELAX NG
Look inside divs for starts and defines inside include
Add compile and libxml2-config.cmake to .gitignore
Stop using doc->charset outside parser code
Add newlines to 'xmllint --xpath' output
Don't include SAX.h from globals.h
Support xmlTextReaderNextSibling w/o preparsed doc
Don't instruct user to run make when autogen.sh failed
Run Travis ASan tests with "sudo: required"
Improve restoring of context size and position
Simplify and harden nodeset filtering
Avoid unnecessary backups of the context node
Fix inconsistency in xmlXPathIsInf
www/curl: security fix
Revisions pulled up:
- www/curl/Makefile 1.207
- www/curl/PLIST 1.73
- www/curl/distinfo 1.150
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Feb 6 08:02:48 UTC 2019
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Log Message:
curl: updated to 7.64.0
curl and libcurl 7.64.0
This release includes the following changes:
* cookies: leave secure cookies alone
* hostip: support wildcard hosts
* http: Implement trailing headers for chunked transfers
* http: added options for allowing HTTP/0.9 responses
* timeval: Use high resolution timestamps on Windows
This release includes the following bugfixes:
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* FAQ: remove mention of sourceforge for github
* OS400: handle memory error in list conversion
* OS400: upgrade ILE/RPG binding.
* README: add codacy code quality badge
* Revert http_negotiate: do not close connection
* THANKS: added several missing names from year <= 2000
* build: make 'tidy' target work for metalink builds
* cmake: added checks for variadic macros
* cmake: updated check for HAVE_POLL_FINE to match autotools
* cmake: use lowercase for function name like the rest of the code
* configure: detect xlclang separately from clang
* configure: fix recv/send/select detection on Android
* configure: rewrite --enable-code-coverage
* conncache_unlock: avoid indirection by changing input argument type
* cookie: fix comment typo
* cookies: allow secure override when done over HTTPS
* cookies: extend domain checks to non psl builds
* cookies: skip custom cookies when redirecting cross-site
* curl --xattr: strip credentials from any URL that is stored
* curl -J: refuse to append to the destination file
* curl/urlapi.h: include "curl.h" first
* curl_multi_remove_handle() don't block terminating c-ares requests
* darwinssl: accept setting max-tls with default min-tls
* disconnect: separate connections and easy handles better
* disconnect: set conn->data for protocol disconnect
* docs/version.d: mention MultiSSL
* docs: fix the --tls-max description
* docs: use $(INSTALL_DATA) to install man page
* docs: use meaningless port number in CURLOPT_LOCALPORT example
* gopher: always include the entire gopher-path in request
* http2: clear pause stream id if it gets closed
* if2ip: remove unused function Curl_if_is_interface_name
* libssh: do not let libssh create socket
* libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
* libssh: free sftp_canonicalize_path() data correctly
* libtest/stub_gssapi: use "real" snprintf
* mbedtls: use VERIFYHOST
* multi: multiplexing improvements
* multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
* ntlm: fix NTLMv2 compliance
* ntlm_sspi: add support for channel binding
* openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
* openssl: fix the SSL_get_tlsext_status_ocsp_resp call
* openvms: fix OpenSSL discovery on VAX
* openvms: fix typos in documentation
* os400: add a missing closing bracket
* os400: fix extra parameter syntax error
* pingpong: change default response timeout to 120 seconds
* pingpong: ignore regular timeout in disconnect phase
* printf: fix format specifiers
* runtests.pl: Fix perl call to include srcdir
* schannel: fix compiler warning
* schannel: preserve original certificate path parameter
* schannel: stop calling it "winssl"
* sigpipe: if mbedTLS is used, ignore SIGPIPE
* smb: fix incorrect path in request if connection reused
* ssh: log the libssh2 error message when ssh session startup fails
* test1558: verify CURLINFO_PROTOCOL on file:// transfer
* test1561: improve test name
* test1653: make it survive torture tests
* tests: allow tests to pass by 2037-02-12
* tests: move objnames-* from lib into tests
* timediff: fix math for unsigned time_t
* timeval: Disable MSVC Analyzer GetTickCount warning
* tool_cb_prg: avoid integer overflow
* travis: added cmake build for osx
* urlapi: Fix port parsing of eol colon
* urlapi: distinguish possibly empty query
* urlapi: fix parsing ipv6 with zone index
* urldata: rename easy_conn to just conn
* winbuild: conditionally use /DZLIB_WINAPI
* wolfssl: fix memory-leak in threaded use
* spnego_sspi: add support for channel binding
textproc/icu: security fix
Revisions pulled up:
- textproc/icu/Makefile 1.121
- textproc/icu/distinfo 1.81
- textproc/icu/patches/patch-CVE-2018-18928 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Wed Feb 13 20:51:57 UTC 2019
Modified Files:
pkgsrc/textproc/icu: Makefile distinfo
Added Files:
pkgsrc/textproc/icu/patches: patch-CVE-2018-18928
Log Message:
add patch for CVE-2018-18928 from upstream
net/wget: security fix
Revisions pulled up:
- net/wget/Makefile 1.144
- net/wget/distinfo 1.58
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Feb 10 19:49:58 UTC 2019
Modified Files:
pkgsrc/net/wget: Makefile distinfo
Log Message:
updating wget to 1.20.1, which fixes CVE-2018-20483
Upstream changelog:
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues.
* Changes in Wget 1.20
** Add new option `--retry-on-host-error` to treat local errors as
transient and hence Wget will retry to download the file after
a brief waiting period.
** Fixed multiple potential resource leaks as found by static analysis
** Wget will now not create an empty wget-log file when running with
-q and -b switches together
** When compiled using the GnuTLS >= 3.6.3, Wget now has support for TLSv1.3
** Now there is support for using libpcre2 for regex pattern matching
** When downloading over FTP recursively, one can now use the
--{accept,reject}-regex switches to fine-tune the downloaded files
** Building Wget from the git sources now requires autoconf 2.63 or above.
Building from the Tarballs works as it used to.
finance/bitcoin: security update
Revisions pulled up:
- finance/bitcoin/Makefile 1.9
- finance/bitcoin/distinfo 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Mon Feb 4 22:06:22 UTC 2019
Modified Files:
pkgsrc/finance/bitcoin: Makefile distinfo
Log Message:
Update finance/bitcoin to version 0.16.3
- From the release notes for version 0.16.2:
Wallet
* #13622 c04a4a5 Remove mapRequest tracking that just affects Qt
display. (TheBlueMatt)
* #12905 cfc6f74 [rpcwallet] Clamp walletpassphrase value at 100M
seconds (sdaftuar)
* #13437 ed82e71 wallet: Erase wtxOrderd wtx pointer on
removeprunedfunds (MarcoFalke)
RPC and other APIs
* #13451 cbd2f70 rpc: expose CBlockIndex::nTx in getblock(header)
(instagibbs)
* #13507 f7401c8 RPC: Fix parameter count check for importpubkey
(kristapsk)
* #13452 6b9dc8c rpc: have verifytxoutproof check the number of txns
in proof structure (instagibbs)
* #12837 bf1f150 rpc: fix type mismatch in listreceivedbyaddress
(joemphilips)
* #12743 657dfc5 Fix csBestBlock/cvBlockChange waiting in rpc/mining
(sipa)
GUI
* #12432 f78e7f6 [qt] send: Clear All also resets coin control options
(Sjors)
* #12617 21dd512 gui: Show messages as text not html (laanwj)
* #12793 cf6feb7 qt: Avoid resetting on resetguisettings=0 (MarcoFalke)
Build system
* #13544 9fd3e00 depends: Update Qt download url (fanquake)
* #12573 88d1a64 Fix compilation when compiler does not support
__builtin_clz* (532479301)
Tests and QA
* #13061 170b309 Make tests pass after 2020 (bmwiedemann)
* #13192 79c4fff [tests] Fixed intermittent failure in
p2p_sendheaders.py (lmanners)
* #13300 d9c5630 qa: Initialize lockstack to prevent null pointer
deref (MarcoFalke)
* #13545 e15e3a9 tests: Fix test case streams_serializedata_xor Remove
Boost dependency. (practicalswift)
* #13304 cbdabef qa: Fix wallet_listreceivedby race (MarcoFalke)
Miscellaneous
* #12887 2291774 Add newlines to end of log messages (jnewbery)
* #12859 18b0c69 Bugfix: Include for std::unique_ptr (luke-jr)
* #13131 ce8aa54 Add Windows shutdown handler (ken2812221)
* #13652 20461fc rpc: Fix that CWallet::AbandonTransaction would leave
the grandchildren, etc. active (Empact)
- From the release notes for version 0.16.3:
Consensus
* #14249 696b936 Fix crash bug with duplicate inputs within a
transaction (TheBlueMatt, sdaftuar)
RPC and other APIs
* #13547 212ef1f Make signrawtransaction* give an error when amount is
needed but missing (ajtowns)
Miscellaneous
* #13655 1cdbea7 bitcoinconsensus: invalid flags error should be set
to bitcoinconsensus_err (afk11)
Documentation
* #13844 11b9dbb correct the help output for -prune (hebasto)
This also fixes a denial-of-service vulnerability (CVE-2018-17144). It is
exploitable by miners and has been discovered in Bitcoin Core versions 0.14.0
up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to
0.16.3 as soon as possible.
XXX pull-up (security fix)
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/finance/bitcoin/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/finance/bitcoin/distinfo
lang/go111: security update
Revisions pulled up:
- lang/go/version.mk 1.54
- lang/go111/distinfo 1.5
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 24 09:26:21 UTC 2019
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go111: distinfo
Log Message:
Update go111 to 1.11.5 (security).
This release addresses a recently reported security issue. This DoS
vulnerability in the crypto/elliptic implementations of the P-521 and P-384
elliptic curves may let an attacker craft inputs that consume excessive
amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.
The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
See the Go issue for more details.
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go111/distinfo
lang/go110: security update
Revisions pulled up:
- lang/go/version.mk 1.55
- lang/go110/distinfo 1.4
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 24 09:33:08 UTC 2019
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go110: distinfo
Log Message:
Update go110 to 1.10.8 (security).
This release addresses a recently reported security issue. This DoS
vulnerability in the crypto/elliptic implementations of the P-521 and P-384
elliptic curves may let an attacker craft inputs that consume excessive
amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.
The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
See the Go issue for more details.
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go110/distinfo
fix PR/53929
x11/qt5-qtxmlpatterns: build fix
Revisions pulled up:
- x11/qt5-qtxmlpatterns/distinfo 1.9
- x11/qt5-qtxmlpatterns/patches/patch-src_imports_imports.pro 1.1
---
Module Name: pkgsrc
Committed By: markd
Date: Sun Jan 6 10:21:12 UTC 2019
Modified Files:
pkgsrc/x11/qt5-qtxmlpatterns: distinfo
Added Files:
pkgsrc/x11/qt5-qtxmlpatterns/patches: patch-src_imports_imports.pro
Log Message:
qt5-qtxmlpatterns: never try to build xmllistmodel
It depends on the qml module from qt5-qtdeclarative, which would be a cyclic
dependency.
fonts/harfbuzz: NetBSD-7 build fix
Revisions pulled up:
- fonts/harfbuzz/Makefile 1.106
---
Module Name: pkgsrc
Committed By: he
Date: Thu Jan 24 12:46:10 UTC 2019
Modified Files:
pkgsrc/fonts/harfbuzz: Makefile
Log Message:
Add GCC_REQD+=4.9, so that this builds on NetBSD/i386 7.1 again.
For newer OSes this would be a no-op, so no revision bump.
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.76
- www/apache24/distinfo 1.39
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Jan 23 12:04:18 UTC 2019
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
apache24: updated to 2.4.38
Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
has been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play.
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()'
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail.
*) mod_lua: Now marked as a stable module
security/py-acme: update (stop using TLS-SNI-01)
security/py-certbot: update (stop using TLS-SNI-01)
Revisions pulled up:
- security/py-acme/PLIST 1.11
- security/py-certbot/Makefile.common 1.29
- security/py-certbot/PLIST 1.14
- security/py-certbot/distinfo 1.28
---
Module Name: pkgsrc
Committed By: triaxx
Date: Tue Jan 15 09:32:11 UTC 2019
Modified Files:
pkgsrc/security/py-certbot: Makefile.common PLIST distinfo
Log Message:
py-certbot: update to 0.30.0
Upstream changes:
================================================================================
## 0.30.0 - 2019-01-02
### Added
* Added the `update_account` subcommand for account management commands.
### Changed
* Copied account management functionality from the `register` subcommand
to the `update_account` subcommand.
* Marked usage `register --update-registration` for deprecation and
removal in a future release.
### Fixed
* Older modules in the josepy library can now be accessed through acme.jose
like it could in previous versions of acme. This is only done to preserve
backwards compatibility and support for doing this with new modules in josepy
will not be added. Users of the acme library should switch to using josepy
directly if they haven't done so already.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
More details about these changes can be found on our GitHub repo.
## 0.29.1 - 2018-12-05
### Added
*
### Changed
*
### Fixed
* The default work and log directories have been changed back to
/var/lib/letsencrypt and /var/log/letsencrypt respectively.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot
More details about these changes can be found on our GitHub repo.
## 0.29.0 - 2018-12-05
### Added
* Noninteractive renewals with `certbot renew` (those not started from a
terminal) now randomly sleep 1-480 seconds before beginning work in
order to spread out load spikes on the server side.
* Added External Account Binding support in cli and acme library.
Command line arguments --eab-kid and --eab-hmac-key added.
### Changed
* Private key permissioning changes: Renewal preserves existing group mode
& gid of previous private key material. Private keys for new
lineages (i.e. new certs, not renewed) default to 0o600.
### Fixed
* Update code and dependencies to clean up Resource and Deprecation Warnings.
* Only depend on imgconverter extension for Sphinx >= 1.6
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudflare
* certbot-dns-digitalocean
* certbot-dns-google
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/62?closed=1
## 0.28.0 - 2018-11-7
### Added
* `revoke` accepts `--cert-name`, and doesn't accept both `--cert-name` and `--cert-path`.
* Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.
### Changed
* Removed documentation mentions of `#letsencrypt` IRC on Freenode.
* Write README to the base of (config-dir)/live directory
* `--manual` will explicitly warn users that earlier challenges should remain in place when setting up subsequent challenges.
* Warn when using deprecated acme.challenges.TLSSNI01
* Log warning about TLS-SNI deprecation in Certbot
* Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins
* OVH DNS plugin now relies on Lexicon>=2.7.14 to support HTTP proxies
* Default time the Linode plugin waits for DNS changes to propagate is now 1200 seconds.
### Fixed
* Match Nginx parser update in allowing variable names to start with `${`.
* Fix ranking of vhosts in Nginx so that all port-matching vhosts come first
* Correct OVH integration tests on machines without internet access.
* Stop caching the results of ipv6_info in http01.py
* Test fix for Route53 plugin to prevent boto3 making outgoing connections.
* The grammar used by Augeas parser in Apache plugin was updated to fix various parsing errors.
* The CloudXNS, DNSimple, DNS Made Easy, Gehirn, Linode, LuaDNS, NS1, OVH, and
Sakura Cloud DNS plugins are now compatible with Lexicon 3.0+.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudxns
* certbot-dns-dnsimple
* certbot-dns-dnsmadeeasy
* certbot-dns-gehirn
* certbot-dns-linode
* certbot-dns-luadns
* certbot-dns-nsone
* certbot-dns-ovh
* certbot-dns-route53
* certbot-dns-sakuracloud
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/59?closed=1
## 0.27.1 - 2018-09-06
### Fixed
* Fixed parameter name in OpenSUSE overrides for default parameters in the
Apache plugin. Certbot on OpenSUSE works again.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot-apache
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/60?closed=1
---
Module Name: pkgsrc
Committed By: triaxx
Date: Tue Jan 15 09:34:10 UTC 2019
Modified Files:
pkgsrc/security/py-acme: PLIST
Log Message:
py-acme: update to 0.30.0
databases/mysql55-client: security fix
databases/mysql56-client: security fix
databases/mysql57-client: security fix
Revisions pulled up:
- databases/mysql55-client/Makefile 1.32
- databases/mysql55-client/distinfo 1.63
- databases/mysql55-client/patches/patch-CMakeLists.txt 1.7
- databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake 1.1
- databases/mysql55-client/patches/patch-sql_sys__vars.cc 1.1
- databases/mysql56-client/Makefile 1.28
- databases/mysql56-client/distinfo 1.49
- databases/mysql56-client/patches/patch-CMakeLists.txt 1.6
- databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake 1.1
- databases/mysql56-client/patches/patch-sql_sys__vars.cc 1.3
- databases/mysql57-client/Makefile 1.19
- databases/mysql57-client/distinfo 1.27
- databases/mysql57-client/patches/patch-CMakeLists.txt 1.2
- databases/mysql57-client/patches/patch-cmake_build__configurations_mysql__release.cmake 1.1
- databases/mysql57-client/patches/patch-sql_sys__vars.cc 1.1
---
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 20 18:03:25 UTC 2019
Modified Files:
pkgsrc/databases/mysql55-client: Makefile distinfo
pkgsrc/databases/mysql55-client/patches: patch-CMakeLists.txt
Added Files:
pkgsrc/databases/mysql55-client/patches:
patch-cmake_build__configurations_mysql__release.cmake
patch-sql_sys__vars.cc
Log Message:
mysql55-client: change the default configuration to avoid information
disclosure to a malicious server.
Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
---
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 20 18:04:49 UTC 2019
Modified Files:
pkgsrc/databases/mysql56-client: Makefile distinfo
pkgsrc/databases/mysql56-client/patches: patch-CMakeLists.txt
Added Files:
pkgsrc/databases/mysql56-client/patches:
patch-cmake_build__configurations_mysql__release.cmake
patch-sql_sys__vars.cc
Log Message:
mysql56-client: change the default configuration to avoid information
disclosure to a malicious server.
Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
---
Module Name: pkgsrc
Committed By: maya
Date: Sun Jan 20 18:22:10 UTC 2019
Modified Files:
pkgsrc/databases/mysql57-client: Makefile distinfo
pkgsrc/databases/mysql57-client/patches: patch-CMakeLists.txt
Added Files:
pkgsrc/databases/mysql57-client/patches:
patch-cmake_build__configurations_mysql__release.cmake
patch-sql_sys__vars.cc
Log Message:
mysql57-client: change the default configuration to avoid information
disclosure to a malicious server.
Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
www/drupal8: security fix
Revisions pulled up:
- www/drupal8/Makefile 1.14-1.16
- www/drupal8/PLIST 1.12-1.13
- www/drupal8/distinfo 1.13-1.15
- www/drupal8/patches/patch-core_lib_Drupal_Core_Extension_ModulesHandler.php 1.1
---
Module Name: pkgsrc
Committed By: wen
Date: Fri Jan 4 08:17:37 UTC 2019
Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Log Message:
Update to 8.6.5
Upstream changes:
Changes since 8.6.4
#3023402 by alexpott: \Drupal\Tests\Component\Datetime\DateTimePlusTest fails on latest PHP7.3 build
#3001997 by Krzysztof Domańskii, scott_euser, alexpott: Transliterating a string containing an unknown character (e.g. 0x80) is not valid
#3018942 by welly, alexpott, jibran, Krzysztof Domańskii, floydm: Domain URL language detection - InvalidArgumentException: The user-entered string must begin with a '/', '?', or '#'
#3020902 by Berdir, alexpott: PostgresqlDateSql fails to serialize
Revert "Issue #2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection"
#3022183 by wengerk, benjifisher: Fix BlockContentAccessHandlerTest::providerTestAccess wrong coverage by early return
#2984072 by vijaycs85, Lendude, ApacheEx, dawehner: System: Convert ErrorHandlerTest to phpunit
#3019706 by hchonov, alexpott, sheanhoxie, jibran, dawehner: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
Revert "Issue #3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable"
#3021204 by maxocub: Remove maxocub from Migrate maintainers
#3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
#2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection
#2939908 by kjay, steveparks, spitzialist, cferthorney, danharper, Eli-T: Add an article to Umami - Dairy-free chocolate
#3007439 by tim.plunkett, Wim Leers, xopoc: Layout builder renders Book navigation block on non-book pages
#2927768 by justinlevi, Lendude, pritish.kumar, Wim Leers, dawehner: Update RestRegisterUserTest to use the ResourceTestBase base class instead of the deprecated RESTTestBase
#3020550 by catch: Passing commands as a string to Process is deprecated in Symfony 4
#3020579 by catch: TypeError: Argument 3 passed to Symfony\Component\HttpKernel\Event\FilterResponseEvent::__construct() must be of the type integer, string given [Symfony 4]
#2618606 by dawehner, rbayliss: Update.php - Reverse proxy settings not used
#2865344 by mpdonadio, Lendude, mbovan, organicwire, alexpott, jibran, jhedstrom, bobemoe, Berdir, larowlan: Exposed date filters 'empty' and 'not empty' are broken
#2974274 by mitrpaka, RumyanaRuseva, joachim: exception message for unrecognized source IDs in lookupDestinationIds() should have more detail
#2809305 by Upchuk, Pavan B S, Jo Fitzgerald, tim.plunkett, Berdir: Block Context assignment form element shows even if no options are available
#3018774 by xjm: hook_post_update_NAME() docs do not explain batching/ parameter
#3018539 by phenaproxima, rodrigoaguilera, alexpott: Media types cannot be created in the UI without JavaScript
#3018764 by Wim Leers: One test case in MediaUiFunctionalTest is not actually tested due to a duplicate key
#2998462 by AndyF, Baysaa, Siavash, tim.plunkett, millionleaves, fatmarker: Error adding Content Type Selection criteria or Context
#3016501 by govind.maloo, andrewmacpherson, markconroy: Writing style - Umami should be capitalised when it is used as a proper noun in English
#2916595 by phenaproxima, AdamPS, Wim Leers: File element discards attributes if #multiple
#2883260 by kiamlaluno, yogeshmpawar, msankhala, benjifisher, alexpott, bdlangton: Replace the schema example with one actually used from a module
#2883553 by govind.maloo, msankhala, seanB, Berdir, xjm, alexpott: Obsolete argument for hasPermission in node_node_access()
#3016011 by mikelutz, quietone, alexpott: Reroll all migrate dump files
#3017753 by mxr576, alexpott: MemoryBackend should validate the passed cids
---
Module Name: pkgsrc
Committed By: prlw1
Date: Wed Jan 9 11:56:17 UTC 2019
Modified Files:
pkgsrc/www/drupal8: Makefile distinfo
Added Files:
pkgsrc/www/drupal8/patches:
patch-core_lib_Drupal_Core_Extension_ModulesHandler.php
Log Message:
drupal8 fix for:
Drupal\Core\Extension\Exception\UnknownExtensionException: The module standard does not exist. in Drupal\Core\Extension\ExtensionList->get() (line 257 of /usr/pkg/share/drupal/core/lib/Drupal/Core/Extension/ExtensionList.php)
e.g. when trying to put the site in maintenance mode.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 19 07:33:55 UTC 2019
Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Log Message:
www/drupal8: update to 8.6.6
This is a hotfix release for a regression affecting some Drush installations
that was introduced by the fix for SA-CORE-2019-002. No other fixes are
included.
www/drupal7: security fix
Revisions pulled up:
- www/drupal7/Makefile 1.54
- www/drupal7/PLIST 1.20
- www/drupal7/distinfo 1.42
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 19 07:30:21 UTC 2019
Modified Files:
pkgsrc/www/drupal7: Makefile PLIST distinfo
Log Message:
www/drupal7: update to 7.62
Drupal 7.62, 2019-01-15
-----------------------
- Fixed security issues:
- SA-CORE-2019-001
- SA-CORE-2019-002
textproc/uriparser: security fix
Revisions pulled up:
- textproc/uriparser/Makefile 1.12
- textproc/uriparser/distinfo 1.10
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Jan 6 13:47:20 UTC 2019
Modified Files:
pkgsrc/textproc/uriparser: Makefile distinfo
Log Message:
Update uriparser to 0.9.1.
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
* Fixed:
Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6
addresses with embedded IPv4 address, e.g. "//[::44.1";
mitigated if passed parameter <afterLast> points to readable memory
containing a '\0' byte.
Thanks to Joergen Ibsen for the report!
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
* Fixed: When parsing a malformed URI with an IPvFuture address
(e.g. "http://[vA.123456" missing "]"), errorPos would point to the first
character after "v" rather than the actual position of the error (here: the end
of the string)
* Fixed: uriToStringCharsRequired* reported 1 more byte than actually needed
for IPv4 address URIs (GitHub #41); Thanks to @gyh007 for the patch!
* Fixed: Compilation with MinGW
Thanks to Sandro Mani for the patch!
* Fixed: Drop use of asprintf from the test suite for MinGW (GitHub #40)
* Improved: For parse errors, waterproof errorPos <= afterLast
* Soname: 1:24:0
Via email from Sebastian Pipping.
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.245
- lang/php56/Makefile 1.20
- lang/php56/distinfo 1.54
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 15:01:34 UTC 2019
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: Makefile distinfo
Log Message:
lang/php56: update to 5.6.40
10 Jan 2019, PHP 5.6.40
- GD:
. Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
- Mbstring:
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
. Fixed bug #77371 (heap buffer overflow in mb regex functions
- compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
. Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
. Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
- Xmlrpc:
. Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
. Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
lang/php73: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.244
- lang/php73/distinfo 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 15:00:26 UTC 2019
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php73: distinfo
Log Message:
lang/php73: update to 7.3.1
10 Jan 2019, PHP 7.3.1
- Core:
. Fixed bug #76654 (Build failure on Mac OS X on 32-bit Intel). (Ryandesign)
. Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
(Valentin V. Bartenev)
. Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
(Nikita)
. Fixed bug #77291 (magic methods inherited from a trait may be ignored).
(cmb)
- CURL:
. Fixed bug #77264 (curl_getinfo returning microseconds, not seconds).
(Pierrick)
- COM:
. Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)
- Exif:
. Fixed bug #77184 (Unsigned rational numbers are written out as signed
rationals). (Colin Basnett)
- GD:
. Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
. Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
. Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
(cmb)
. Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
- MBString:
. Fixed bug #77367 (Negative size parameter in mb_split). (Stas)
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
(Stas)
. Fixed bug #77371 (heap buffer overflow in mb regex functions -
compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
. Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
(Stas)
. Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- OCI8:
. Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
. Added oci_set_call_timeout() for call timeouts.
. Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
- Opcache:
. Fixed bug #77215 (CFG assertion failure on multiple finalizing switch
frees in one block). (Nikita)
. Fixed bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet).
(Nikita)
- PCRE:
. Fixed bug #77193 (Infinite loop in preg_replace_callback). (Anatol)
- PDO:
. Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
Morozov)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
(Stas)
- Soap:
. Fixed bug #77088 (Segfault when using SoapClient with null options).
(Laruence)
- Sockets:
. Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
(Mizunashi Mana)
- Sodium:
. Fixed bug #77297 (SodiumException segfaults on PHP 7.3). (Nikita, Scott)
- SPL:
. Fixed bug #77359 (spl_autoload causes segfault). (Lauri Kenttä)
. Fixed bug #77360 (class_uses causes segfault). (Lauri Kenttä)
- SQLite3:
. Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
- Xmlrpc:
. Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
. Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
|
|
lang/php72: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.243
- lang/php72/Makefile 1.16
- lang/php72/distinfo 1.35
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 14:59:03 UTC 2019
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php72: Makefile distinfo
Log Message:
lang/php72: update to 7.2.14
10 Jan 2019, PHP 7.2.14
- Core:
. Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)
. Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
(Valentin V. Bartenev)
. Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
(Nikita)
- COM:
. Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)
- Date:
. Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is
less than 1 second). (Derick)
- Exif:
. Fixed bug #77184 (Unsigned rational numbers are written out as signed
rationals). (Colin Basnett)
- GD:
. Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
. Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
. Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
. Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
(cmb)
- IMAP:
. Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
- Mbstring:
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
. Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
. Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
. Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- OCI8:
. Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
. Added oci_set_call_timeout() for call timeouts.
. Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
- Opcache:
. Fixed bug #77215 (CFG assertion failure on multiple finalizing switch
frees in one block). (Nikita)
- PDO:
. Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
Morozov)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
- Sockets:
. Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
(Mizunashi Mana)
- SQLite3:
. Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
- Xmlrpc:
. Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
. Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
|
|
lang/php71: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.242
- lang/php71/Makefile 1.18
- lang/php71/distinfo 1.48
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 14:56:47 UTC 2019
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: Makefile distinfo
Log Message:
lang/php71: update to 7.1.26
10 Jan 2019, PHP 7.1.26
- Core:
. Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)
- GD:
. Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
- IMAP:
. Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
- Mbstring:
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
. Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
. Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
. Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
- Xmlrpc:
. Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
. Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
|
|
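The four PHP pullups above all carry the same 10 Jan 2019 batch of memory-safety fixes (mbstring regex, phar, xmlrpc, GD), but the fixed release differs per branch: 5.6.40, 7.1.26, 7.2.14 and 7.3.1. The following is an added check, not pkgsrc or PHP project code, that a practitioner could run over an inventory of `php -v` output or pkgsrc package names to find hosts still on an older release of one of those branches. The fixed versions come from the log entries above; the branch table, the `nbN` handling, the sample inventory and the host names are constructed for illustration, and any branch not listed in the entries (for example 7.0) is reported as "not covered" rather than guessed at.

```python
"""Flag PHP installs that predate the 10 Jan 2019 security releases.

Added example for this pkgsrc log page; not pkgsrc or PHP project code.
Fixed versions are taken from the four pullup entries above. Sample inputs
below are constructed, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum release per branch carrying the fixes listed in the entries above.
FIXED_VERSIONS = {
    (5, 6): (5, 6, 40),
    (7, 1): (7, 1, 26),
    (7, 2): (7, 2, 14),
    (7, 3): (7, 3, 1),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the first X.Y.Z triple found in `php -v` output or a pkgsrc
    package name such as 'php-7.2.13nb1'. The pkgsrc 'nbN' suffix is a
    package revision, not a PHP release, so it is deliberately ignored."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def has_jan2019_fixes(text: str) -> Optional[bool]:
    """True if the version is at or past the fixed release for its branch,
    False if it is older, None if the branch is not one of the four
    covered by these pullups (the log says nothing about other branches)."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def check_hosts(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split a {host: version_string} inventory into hosts that still need
    the update and hosts whose branch is outside the table above."""
    needs_update: List[str] = []
    not_covered: List[str] = []
    for host, ver in inventory.items():
        result = has_jan2019_fixes(ver)
        if result is None:
            not_covered.append(host)
        elif not result:
            needs_update.append(host)
    return needs_update, not_covered


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up).
    sample = {
        "web1": "PHP 7.2.13 (cli) (built: Dec  7 2018 10:17:26) ( NTS )",
        "web2": "php-7.3.1nb1",
        "legacy": "php-5.6.39nb2",
        "old": "php-7.0.33",
    }
    stale, uncovered = check_hosts(sample)
    print("needs update:", stale)          # ['web1', 'legacy']
    print("branch not covered:", uncovered)  # ['old']
```

On a pkgsrc host the input would typically be the output of `pkg_info -e php` or `php -v`; the check compares only the upstream X.Y.Z, so a package revision bump (`nb1`) on an older release is correctly still reported as stale.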
www/nghttp2: build fix (don't require C++14 for the C library)
Revisions pulled up:
- www/nghttp2/Makefile (patch)
- www/nghttp2/options.mk (patch)
|
|
|
|
net/megatools: build fix
Revisions pulled up:
- net/megatools/Makefile 1.13
---
Module Name: pkgsrc
Committed By: leot
Date: Fri Jan 11 19:40:58 UTC 2019
Modified Files:
pkgsrc/net/megatools: Makefile
Log Message:
megatools: needs asciidoc for documentation
PKGREVISION++
Thanks to <jmcneill>!
|
|
audio/musicpd: require newer gcc
Revisions pulled up:
- audio/musicpd/Makefile (via patch)
|
|
multimedia/transcode: build fix
Revisions pulled up:
- multimedia/transcode/Makefile 1.115
---
Module Name: pkgsrc
Committed By: triaxx
Date: Fri Jan 4 21:38:31 UTC 2019
Modified Files:
pkgsrc/multimedia/transcode: Makefile
Log Message:
transcode: add missing dependencies
* Fix PR pkg/53835
* Bump revision
|
|
lang/ghc7: build fix
Revisions pulled up:
- lang/ghc7/Makefile 1.32
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Jan 10 18:11:56 UTC 2019
Modified Files:
pkgsrc/lang/ghc7: Makefile
Log Message:
ghc7: not aslr safe, either. bump PKGREVISION
Fix PR pkg/53842. ghci dies with:
ghc: mmap 593920 bytes at 0x40000000: Cannot allocate memory
|
|
mk: SuperH build fix
Revisions pulled up:
- mk/gnu-config/config.sub 1.22-1.24
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:31:36 UTC 2019
Modified Files:
pkgsrc/mk/gnu-config: config.sub
Log Message:
Match 32-bit SuperH CPUs in the same way that GCC does.
PR pkg/53825
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:41:13 UTC 2019
Modified Files:
pkgsrc/mk/gnu-config: config.sub
Log Message:
Really mirror GCC now, including the wildcard.
Thanks joerg for the heads up
PR pkg/53825
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:45:27 UTC 2019
Modified Files:
pkgsrc/mk/gnu-config: config.sub
Log Message:
Revert accidental change.
|
|
|