Age | Commit message | Author | Files | Lines
2019-05-18 | revert last commit to wrong branch (pkgsrc-2018Q4) | mlelstv | 1 | -3/+3
2019-05-18 | Enable OpenIPMI support for NetBSD. For NetBSD <= 8 this is no change, with NetBSD -current autoconf will recognize the IPMI user interface. | mlelstv | 1 | -3/+3
2019-03-17 | Pullup ticket #5924. | bsiegert | 1 | -1/+4
2019-03-17 | Pullup ticket #5924 - requested by bouyer | bsiegert | 3 | -2/+28
sysutils/syslog-ng: NetBSD bugfix

Revisions pulled up:
- sysutils/syslog-ng/Makefile 1.34
- sysutils/syslog-ng/distinfo 1.16
- sysutils/syslog-ng/patches/patch-lib_signal-handler.c 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Mar 15 10:04:00 UTC 2019

Modified Files:
pkgsrc/sysutils/syslog-ng: Makefile distinfo
Added Files:
pkgsrc/sysutils/syslog-ng/patches: patch-lib_signal-handler.c

Log Message:
syslog-ng overloads sigaction() with its own version, and calls the libc sigaction() with a dlsym call. On NetBSD this ends up calling the compatibility sigaction() which fails with ENOSYS if COMPAT_13 is not in the kernel. Even with COMPAT_13 it would be incorrect because we call the compat sigaction() with the non-compat arguments.

On NetBSD, fix this by calling explicitly __libc_sigaction14().

Bump PKGREVISION
2019-03-06 | Latest round of pullup tickets | bsiegert | 1 | -1/+19
2019-03-06 | Pullup ticket #5922 - requested by schmonz | bsiegert | 2 | -11/+8
www/ikiwiki: security fix

Revisions pulled up:
- www/ikiwiki/Makefile 1.161-1.162
- www/ikiwiki/distinfo 1.132
---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Feb 28 22:00:49 UTC 2019

Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo

Log Message:
Update to ikiwiki. From the changelog:

* aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam, openid and pinger used this module if available, but aggregate did not. This prevents server-side request forgery or local file disclosure, and mitigates denial of service when slow "tarpit" URLs are accessed. (CVE-2019-9187)
* blogspam, openid, pinger: Use a HTTP proxy if configured, even if LWPx::ParanoidAgent is installed. Previously, only aggregate would obey proxy configuration. If a proxy is used, the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187.
* aggregate, blogspam, openid, pinger: Do not access non-http, non-https URLs. Previously, these plugins would have allowed non-HTTP-based requests if LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local file disclosure, and preventing other rarely-used URI schemes like gopher mitigates request forgery attacks.
* aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly recommended. These plugins can request attacker-controlled URLs in some site configurations.
* blogspam: Document LWPx::ParanoidAgent as desirable. This plugin doesn't request attacker-controlled URLs, so it's non-critical here.
* blogspam, openid, pinger: Consistently use cookiejar if configured. Previously, these plugins would only obey this configuration if LWPx::ParanoidAgent was not installed, but this appears to have been unintended.
* po: Always filter .po files. The po plugin in previous ikiwiki releases made the second and subsequent filter call per (page, destpage) pair into a no-op, apparently in an attempt to prevent *recursive* filtering (which as far as we can tell can't happen anyway), with the undesired effect of interpreting the raw .po file as page content (e.g. Markdown) if it was inlined into the same page twice, which is apparently something that tails.org does. Simplify this by deleting the code that prevented repeated filtering. Thanks, intrigeri (Closes: #911356)
---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Feb 28 22:20:01 UTC 2019

Modified Files:
pkgsrc/www/ikiwiki: Makefile

Log Message:
Add dependency on p5-LWPx-ParanoidAgent. Ride recent version bump.
2019-03-06 | Pullup ticket #5916 - requested by maya | bsiegert | 4 | -12/+110
www/webkit-gtk: security fix (remote code execution)

Revisions pulled up:
- www/webkit-gtk/Makefile 1.156-1.157
- www/webkit-gtk/PLIST 1.46
- www/webkit-gtk/distinfo 1.115-1.116
- www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Sat Feb 9 11:29:45 UTC 2019

Modified Files:
pkgsrc/www/webkit-gtk: Makefile PLIST distinfo

Log Message:
webkit-gtk: Update to 2.22.6

pkgsrc changes:
- Set USE_GCC_RUNTIME to depends on gcc6-libs when pkgsrc gcc is used
  (XXX: Not tested and not clear if currently mk/compiler/gcc.mk DTRT
  XXX: regarding (if not, that's probably why firefox/mozilla-common.mk
  XXX: abuses USE_PKGSRC_GCC_RUNTIME!))

Changes:
WebKitGTK+ 2.22.6
=================
- Make kinetic scrolling slow down smoothly when reaching the ends of pages, instead of abruptly, to better match the GTK+ behaviour.
- Fix Web inspector magnifier under Wayland.
- Fix garbled rendering of some websites (e.g. YouTube) while scrolling under X11.
- Fix several crashes, race conditions, and rendering issues.
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Feb 21 18:52:15 UTC 2019

Modified Files:
pkgsrc/www/webkit-gtk: Makefile distinfo
Added Files:
pkgsrc/www/webkit-gtk/patches: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp

Log Message:
webkit-gtk: backport upstream patch. security fix.

Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
https://bugs.webkit.org/show_bug.cgi?id=194800
<rdar://problem/48183773>

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:
CompareEq:
CompareLess:
CompareLessEq:
CompareGreater:
CompareGreaterEq:
CompareStrictEq:
Only return false (i.e. does not GC) for child node use kinds that have been vetted to not do anything that can GC. For all other use kinds (including StringUse and BigIntUse), we return true (i.e. does GC).

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

This was published alongside with exploit code claiming it is remote code execution, but I don't understand what the exploit is doing.

bump PKGREVISION
2019-03-04 | Pullup ticket #5920 - requested by taca | bsiegert | 4 | -50/+59
www/drupal8: security fix (remote code execution)

Revisions pulled up:
- www/drupal8/Makefile 1.17-1.18
- www/drupal8/PLIST 1.14-1.15
- www/drupal8/distinfo 1.16-1.17
- www/drupal8/patches/patch-core_lib_Drupal_Core_Extension_ModulesHandler.php deleted
---
Module Name: pkgsrc
Committed By: wen
Date: Sat Feb 9 00:09:54 UTC 2019

Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/drupal8/patches: patch-core_lib_Drupal_Core_Extension_ModulesHandler.php

Log Message:
Update to 8.6.9

Remove the patch that included in upstream

Upstream changes:

8.6.7:
This is a hotfix release for a regression affecting some Drush installations that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.

8.6.8:
Changes since 8.6.7
#2975539 by mondrake, alexpott, marcoscano, desierto: Changing machine name of image style leads to WSOD when loading widgets that used the old name
#2859315 by quietone, heddn, jhodgdon: SQL error from profile_fields when migrating d6 (or d7) to d8 without Profile module
#2443165 by davidwbarratt, amateescu, HOG, kostyashupenko, yched, Berdir, andypost, alexpott, tstoeckler, xjm: Drupal\Core\Entity\EntityInterface\ContentEntityStorageBase::doCreate() assumes that the bundle is a string
#2849074 by decafdennis, alexpott, zuuperman, AdamPS, sagesolutions, tucho, xjm: SiteConfigureForm overrides value from install profile
#3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
#2215857 by michielnugter, Lendude, gmercer, tim.plunkett, cferthorney, marabak, olli, ericmulder1980, TwoD, sanduhrs, stella, dww, nod_: Behaviors get attached to removed forms
#3017812 by ibustos, joachim: Language selector is immune to hook_entity_field_access in entity forms
#2900883 by larskhansen, GaëlG, kalyansamanta, Chi, tim.plunkett, Gábor Hojtsy, joachim: Wrong documentation of Drupal\Component\Plugin\Derivative\DeriverInterface::getDerivativeDefinitions()
#3027595 by amateescu, pmelab: Incorrect blacklist condition in WorkspaceManager
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, lauriii, catch, cilefen, Cottser: [regression] Table Drag handles no longer respond to up/down arrow keys
Revert "Issue #2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys"
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys
#2937073 by tim.plunkett, Saviktor, tedbow: Improve robustness of FieldBlockTest
#2973713 by quietone, Adita, etecjdo, apmsooner, mikeryan, gnuschichten, tstoeckler: cache_key source plugin configuration not documented
#2949555 by quietone, ankitjain28may: Correct the documentation on method UserMigrationClassTest
#3025685 by quietone: Add error msg to assertions in MigrateSourceTestBase
#3026840 by izus: Fix plural typo in workspaces field
#3024452 by kfritsche, hchonov, alexpott: DatabaseStorageExpirable:setWithExpireIfNotExists is not respecting expired
#2999908 by penyaskito: View more link in recipe cards is not fully translated
#3028819 by alwaysworking: Update username
#2916021 by d.olaresko, wengerk, Chi, xjm, dawehner, idebr: Update "Running tests" section in core.api.php
#2953995 by kjay, starshaped, rachel_norfolk, Vidushi Mehta, cferthorney, HAL 9000, Eli-T, markconroy, steveparks: Update the Umami Vegan Chocolate Brownie recipe
#3028608 by danharper, Eli-T, markconroy, Not Real: Umami - favicon
#2940027 by jmsosso: Add change record to @deprecated for AccountInterface
#2995150 by msankhala, tim.plunkett: Command examples in core/tests/README.md are confusing and not executable
#3024184 by seanB, andrewmacpherson, Kristen Pol: Make the tabbing order match the visual reading order in MediaLibraryWidget
#2668416 by Krzysztof Domański, wheatpenny, Lendude, alexpott: Wrong assert in NodeTitleTest
#2981870 by Lendude, alexpott: Duplicate BrokenSetUpTest for BrowserTestBase
#2809513 by Lendude, brentgees: Convert AJAX part of \Drupal\responsive_image\Tests\ResponsiveImageFieldUiTest to JavascriptTestBase and the rest to BrowserTestBase
#3027574 by tuutti: SqlContentEntityStorage no longer update entities with certain (id) fields
#3026043 by Berdir: ConfigEntityBase::__sleep() serializes plugin instances if they were not previously initialized
#3021395 by quietone, alexpott: MigrateDrupalTestBase::migrateContent(['translations') does not migrate translations
Revert "Issue #3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()"
#2987418 by quietone, Kristen Pol: Rename MigrateUpgrade tests
#3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()
Merged 8.6.7.
Merged 8.6.6.
#3015992 by Krzysztof Domański, alexpott, larowlan: Not affecting spacing in PhpTransliterationTest
#2998769 by kiamlaluno, quietone, kkalaskar: @see directive used in the wrong place outputs the wrong HTML markup
#3000677 by catch, Shane Birley, featherbelly, alexpott, larowlan: Fatal error after upgrade to 8.6x [due to regression in extension system]
#2955457 by pfrenssen, Chewie, unrealauk, alexpott, Pol: ConfigFactory static cache gets polluted with data from config overrides
#3020142 by mglaman, tim.plunkett: Test module no_transitions_css has invalid hook_page_attachments
#3007973 by tim.plunkett, lukasss, xopoc, bnjmnm, stompersly: Layout builder prevents the rendering of extra fields (like Links) on pages not using Layout Builder
#3024259 by Pol, alexpott: [PHP 7.3] Fix EnvironmentTest::providerTestCheckMemoryLimit() notice
#3023747 by mikelutz, heddn: D6 profile migrations assume stubs, which fail
#2978922 by brathbone, philipnorton42, msankhala, hardikpandya, alexpott, siliconmeadow: Improve batch_process() documentation
#2845975 by quietone, Jo Fitzgerald, aleevas, maxocub, Gábor Hojtsy: Migrate Drupal 6 user profile field value option translations
#2701829 by alexpott, andypost, Soul88, Graber, Eduardo Morales, dawehner, pingwin4eg, catch, Berdir, jibran, httang12: Extension objects should not implement \Serializable
#2693727 by mikelutz, sanduhrs, CalebD, ajlib, Lendude, tstoeckler, catch: Limiting options for exposed Language filters causes errors and doesn't work for special languages

8.6.9:
Changes since 8.6.8:
#2215857 followup by gaydamaka, timmillwood, alexpott, lauriii: Regression on Internet Explorer 11
#3031128 by alexpott, TrevorBradley, indigoxela, catch, cilefen, larowlan, jibran: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer
Revert "Issue #2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD"
#2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 24 16:31:39 UTC 2019

Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo

Log Message:
www/drupal8: update to 8.6.10

Drupal 8.6.10 (2019-02-20)

Maintenance and security release of the Drupal 8 series. This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement and notes below:

* Drupal core - Remote code execution - SA-CORE-2019-003

Sites on 8.5.x or earlier should update immediately to Drupal 8.5.11 instead, and plan to update to the latest 8.6.x release before May 2019 (when 8.7.0 is released and 8.5.x security coverage ends).

Important update information

For site owners
* In addition to the above fix, this release includes the fix for #3031740: Updating to 8.6.8 or 8.6.9 with Drush 8 causes data loss via update_fix_compatibility() to prevent Drush 8 issues for sites updating directly from an earlier security release.
* update.php must be run after updating to ensure changes from the patch take effect.
* No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

For module developers
Some contributed module tests may need to be updated if they extend core's test suite, due to a minor API change in a test base class.
2019-03-04 | Pullup ticket #5919 - requested by leot | bsiegert | 3 | -11/+14
net/tor: security fix

Revisions pulled up:
- net/tor/Makefile 1.136-1.137
- net/tor/PLIST 1.14
- net/tor/distinfo 1.96-1.97
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Jan 8 08:39:55 UTC 2019

Modified Files:
pkgsrc/net/tor: Makefile PLIST distinfo

Log Message:
tor: updated to 0.3.5.7

Changes in version 0.3.5.7:
Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches.

The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth-measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series.

There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them.

We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.)
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Feb 22 08:47:51 UTC 2019

Modified Files:
pkgsrc/net/tor: Makefile distinfo

Log Message:
tor: updated to 0.3.5.8

Changes in version 0.3.5.8:
Tor 0.3.5.8 backports several fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases. It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

o Major bugfixes (cell scheduler, KIST, security):
  - Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.

o Major bugfixes (networking, backport from 0.4.0.2-alpha):
  - Gracefully handle empty username/password fields in SOCKS5 username/password auth message and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

o Minor features (compilation, backport from 0.4.0.2-alpha):
  - Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix".

o Minor features (geoip):
  - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 Country database. Closes ticket 29478.

o Minor features (testing, backport from 0.4.0.2-alpha):
  - Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668.

o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha):
  - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS connection waiting for a descriptor that we actually have in the cache. It turns out that this can actually happen, though it is rare. Now, tor will recover and retry the descriptor. Fixes bug 28669; bugfix on 0.3.2.4-alpha.

o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha):
  - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the IPv6 socket was bound using an address family of AF_INET instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
  - Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha.

o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha):
  - Select guards even if the consensus has expired, as long as the consensus is still reasonably live. Fixes bug 24661; bugfix on 0.3.0.1-alpha.

o Minor bugfixes (compilation, backport from 0.4.0.1-alpha):
  - Compile correctly on OpenBSD; previously, we were missing some headers required in order to detect it properly. Fixes bug 28938; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

o Minor bugfixes (documentation, backport from 0.4.0.2-alpha):
  - Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

o Minor bugfixes (logging, backport from 0.4.0.1-alpha):
  - Rework rep_hist_log_link_protocol_counts() to iterate through all link protocol versions when logging incoming/outgoing connection counts. Tor no longer skips version 5, and we won't have to remember to update this function when new link protocol version is developed. Fixes bug 28920; bugfix on 0.2.6.10.

o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
  - Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (misc, backport from 0.4.0.2-alpha):
  - The amount of total available physical memory is now determined using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) when it is defined and a 64-bit variant is not available. Fixes bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.

o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
  - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more than one private key for a hidden service. Fixes bug 29040; bugfix on 0.3.5.1-alpha.
  - In hs_cache_store_as_client() log an HSDesc we failed to parse at "debug" level. Tor used to log it as a warning, which caused very long log lines to appear for some users. Fixes bug 29135; bugfix on 0.3.2.1-alpha.
  - Stop logging "Tried to establish rendezvous on non-OR circuit..." as a warning. Instead, log it as a protocol warning, because there is nothing that relay operators can do to fix it. Fixes bug 29029; bugfix on 0.2.5.7-rc.

o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha):
  - Mark outdated dirservers when Tor only has a reasonably live consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

o Minor bugfixes (tests, backport from 0.4.0.2-alpha):
  - Detect and suppress "bug" warnings from the util/time test on Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
  - Do not log an error-level message if we fail to find an IPv6 network interface from the unit tests. Fixes bug 29160; bugfix on 0.2.7.3-rc.

o Minor bugfixes (usability, backport from 0.4.0.1-alpha):
  - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). Some users took this phrasing to mean that the mentioned guard was under their control or responsibility, which it is not. Fixes bug 28895; bugfix on Tor 0.3.0.1-alpha.
2019-03-04 | Pullup ticket #5918 - requested by taca | bsiegert | 4 | -11/+22
net/bind912: security fix

Revisions pulled up:
- net/bind912/Makefile 1.8-1.9
- net/bind912/PLIST 1.2
- net/bind912/distinfo 1.6
- net/bind912/options.mk 1.3
---
Module Name: pkgsrc
Committed By: he
Date: Thu Jan 17 08:53:37 UTC 2019

Modified Files:
pkgsrc/net/bind912: Makefile PLIST options.mk

Log Message:
Add a "dnstap" option, defaults to off. Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 22 01:24:24 UTC 2019

Modified Files:
pkgsrc/net/bind912: Makefile distinfo

Log Message:
net/bind912: update to 9.12.3pl4

Update bind912 to 9.12.3pl4 (BIND 9.12.3-P4).

--- 9.12.3-P4 released ---
--- 9.12.3-P3 released (withdrawn) ---
5141. [security] Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. (CVE-2019-6465) [GL #790]
--- 9.12.3-P2 released (withdrawn) ---
5118. [security] Named could crash if it is managing a key with `managed-keys` and the authoritative zone is rolling the key to an unsupported algorithm. (CVE-2018-5745) [GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag EDNS options present. (CVE-2018-5744) [GL #772]
2019-03-04 | Pullup ticket #5917 - requested by taca | bsiegert | 2 | -7/+7
net/bind911: security fix

Revisions pulled up:
- net/bind911/Makefile 1.7
- net/bind911/distinfo 1.6
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 22 01:22:38 UTC 2019

Modified Files:
pkgsrc/net/bind911: Makefile distinfo

Log Message:
net/bind911: update to 9.11.5pl4

Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).

--- 9.11.5-P4 released ---
--- 9.11.5-P3 released (withdrawn) ---
5141. [security] Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. (CVE-2019-6465) [GL #790]
--- 9.11.5-P2 released (withdrawn) ---
5118. [security] Named could crash if it is managing a key with `managed-keys` and the authoritative zone is rolling the key to an unsupported algorithm. (CVE-2018-5745) [GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag EDNS options present. (CVE-2018-5744) [GL #772]
2019-02-18 | 5 more pullup tickets | bsiegert | 1 | -1/+16
2019-02-18 | Pullup ticket #5915 - requested by taca | bsiegert | 3 | -10/+9
mail-dovecot2: security fix

Revisions pulled up:
- mail/dovecot2-sqlite/Makefile 1.17
- mail/dovecot2/Makefile.common 1.24
- mail/dovecot2/distinfo 1.88
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 6 01:41:28 UTC 2019

Modified Files:
pkgsrc/mail/dovecot2: Makefile.common distinfo

Log Message:
mail/dovecot2: update to 2.3.4.1

v2.3.4.1 2019-02-05 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 6 01:42:16 UTC 2019

Modified Files:
pkgsrc/mail/dovecot2-sqlite: Makefile

Log Message:
mail/dovecot2-sqlite: reset PKGREVISION

Reset PKGREVISION with update to 2.3.4.1.
2019-02-18 | Pullup ticket #5914 - requested by taca | bsiegert | 2 | -7/+9
www/ruby-rack16: security fix

Revisions pulled up:
- www/ruby-rack16/Makefile 1.2
- www/ruby-rack16/distinfo 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 15:53:03 UTC 2019

Modified Files:
pkgsrc/www/ruby-rack16: Makefile distinfo

Log Message:
www/ruby-rack16: update to 1.6.11

* pkgsrc change: add "USE_LANGAUGES= # none" line.

Update to 1.6.11 which fixes security problems of CVE-2018-16471. (CVE-2018-16470 is only for rack 2.0.x.)
2019-02-18 | Pullup ticket #5913 - requested by taca | bsiegert | 2 | -7/+9
www/ruby-rack: security fix

Revisions pulled up:
- www/ruby-rack/Makefile 1.26
- www/ruby-rack/distinfo 1.23
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 15:51:31 UTC 2019

Modified Files:
pkgsrc/www/ruby-rack: Makefile distinfo

Log Message:
www/ruby-rack: update to 2.0.6

* pkgsrc change: add "USE_LANGAUGES= # none" line.

Update to 2.0.6 which fixes security problems of CVE-2018-16470 and CVE-2018-16471.
2019-02-18 | Pullup ticket #5912 - requested by taca | bsiegert | 3 | -7/+29
lang/pear: security fix

Revisions pulled up:
- lang/pear/Makefile 1.45-1.46
- lang/pear/distinfo 1.32-1.33
- lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 14:06:58 UTC 2019

Modified Files:
pkgsrc/lang/pear: Makefile distinfo

Log Message:
lang/pear: update Archive_Tar pear package to 1.4.6

Update Archive_Tar pear package to 1.4.6. Bump PKGREVISION.

1.4.4 (2018-12-20)
* Fix Bug #21058: Long symlinks are not supported [mrook]
* Fix Bug #23782: Prevent phar:// files from being extracted [mrook]

1.4.5 (2019-02-01)
* Fix Bug #23788: Relative symlinks are broken [mrook]

1.4.6 (2019-02-01)
* Improve path traversal detection for forward and backward slashes
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 7 13:40:57 UTC 2019

Modified Files:
pkgsrc/lang/pear: Makefile distinfo
Added Files:
pkgsrc/lang/pear/patches: patch-.._Archive__Tar-1.4.5_Archive_Tar.php

Log Message:
lang/pear: fix broken package with previous commit

Fix broken package with previous commit.

* Make Archive_Tar to 1.4.5 which I have the distfile.
* Upload Archive_Tar-1.4.5.tgz to MASTER_SITE_LOCAL.
* Add patch to update Archive/Tar.php to 1.4.6 from GitHub.

No PKGREVISION bump since it was broken.
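The Archive_Tar changelog entries in the pullup above (refusing phar:// member names, path traversal detection for both forward and backward slashes, relative symlinks that must keep working) name the classes of archive member an extractor has to reject before writing anything to disk. The following is an added illustration of such a pre-extraction check in Python; it is not Archive_Tar's, PEAR's or pkgsrc's code. The symlink-target check goes beyond what the changelog states and is my own generalisation: a link is resolved relative to its own directory, so an in-tree relative link is allowed while one that resolves above the extraction root is refused. The sample archive is constructed in the script so it runs offline.

```python
"""Pre-extraction checks for tar member names (added example, constructed data)."""
import io
import posixpath
import tarfile

PHAR_PREFIX = "phar://"   # PHP stream wrapper; never a plain file name


def _normalize(name: str) -> str:
    # Treat backslashes as separators too, so "..\\x" is seen as "../x".
    return name.replace("\\", "/")


def is_unsafe_name(name: str) -> bool:
    """True if a member name could land outside the extraction directory."""
    if name.lower().startswith(PHAR_PREFIX):
        return True                      # phar:// would be opened as an archive by PHP
    n = _normalize(name)
    if n.startswith("/"):
        return True                      # absolute POSIX path
    if len(n) >= 2 and n[0].isalpha() and n[1] == ":":
        return True                      # Windows drive letter, e.g. C:/Windows
    parts = [p for p in n.split("/") if p not in ("", ".")]
    return ".." in parts                 # any parent-directory component


def is_unsafe_symlink(name: str, target: str) -> bool:
    """True if a symlink member at *name* pointing to *target* escapes the root.

    The target is resolved relative to the link's own directory, so a relative
    link such as "../lib/x" from "bin/y" stays inside and is accepted, while
    "../../etc/passwd" from "bin/y" resolves above the root and is rejected.
    """
    t = _normalize(target)
    if t.startswith("/") or is_unsafe_name(name):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(_normalize(name)), t))
    return resolved == ".." or resolved.startswith("../")


def unsafe_members(data: bytes) -> list:
    """Return the names of members in the tar bytes *data* that fail the checks."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            if is_unsafe_name(m.name):
                bad.append(m.name)
            elif m.issym() and is_unsafe_symlink(m.name, m.linkname):
                bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file, a '../' name, a backslash
    traversal name, an escaping symlink and a benign in-tree relative symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        def add_file(name, payload=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        def add_link(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)

        add_file("pkg/README")
        add_file("../../etc/cron.d/evil")
        add_file("pkg\\..\\..\\evil.php")
        add_link("pkg/link", "../../../etc/passwd")
        add_link("pkg/bin/tool", "../lib/tool")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refusing member:", name)
```

The check runs over `getmembers()` before any `extract` call, so a single bad entry rejects the whole archive rather than leaving a partially written tree behind; a backslash in a member name is normalised first, which is the gap the 1.4.6 entry closes.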
2019-02-18 | Pullup ticket #5911 - requested by taca | bsiegert | 15 | -151/+58
textproc/libxml2, textproc/py-libxml2: security fix

Revisions pulled up:
- textproc/libxml2/Makefile 1.152
- textproc/libxml2/Makefile.common 1.12
- textproc/libxml2/distinfo 1.129-1.130
- textproc/libxml2/patches/patch-Makefile.in 1.1
- textproc/libxml2/patches/patch-aa deleted
- textproc/libxml2/patches/patch-ab deleted
- textproc/libxml2/patches/patch-ac deleted
- textproc/libxml2/patches/patch-ad deleted
- textproc/libxml2/patches/patch-ae deleted
- textproc/libxml2/patches/patch-catalog.c 1.1
- textproc/libxml2/patches/patch-configure 1.1
- textproc/libxml2/patches/patch-doc_examples_Makefile.in 1.1
- textproc/libxml2/patches/patch-parser.c deleted
- textproc/libxml2/patches/patch-python_libxml.c 1.1
- textproc/libxml2/patches/patch-result_errors_759573.xml.err deleted
- textproc/libxml2/patches/patch-xmlcatalog.c 1.1
- textproc/libxml2/patches/patch-xpath.c deleted
- textproc/libxml2/patches/patch-xzlib.c deleted
- textproc/py-libxml2/Makefile 1.63-1.64
- textproc/py-libxml2/PLIST 1.4
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jan 9 13:40:51 UTC 2019

Modified Files:
pkgsrc/textproc/libxml2: distinfo
pkgsrc/textproc/py-libxml2: Makefile
Added Files:
pkgsrc/textproc/libxml2/patches: patch-python_libxml.c

Log Message:
py-libxml2: work around a problem in error handling.

In some cases, invalid UTF-8 strings were returned which caused python interpreter crashes.
See https://github.com/itstool/itstool/issues/22

Use a variant of the patch that was used in Fedora.

Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Jan 9 19:09:03 UTC 2019

Modified Files:
pkgsrc/textproc/libxml2: Makefile Makefile.common distinfo
pkgsrc/textproc/py-libxml2: Makefile PLIST
Added Files:
pkgsrc/textproc/libxml2/patches: patch-Makefile.in patch-catalog.c patch-configure patch-doc_examples_Makefile.in patch-xmlcatalog.c
Removed Files:
pkgsrc/textproc/libxml2/patches: patch-aa patch-ab patch-ac patch-ad patch-ae patch-parser.c patch-result_errors_759573.xml.err patch-xpath.c patch-xzlib.c

Log Message:
libxml2: updated to 2.9.9

v2.9.9:

Security:
CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression
CVE-2018-14404 Fix nullptr deref with XPath logic ops

Documentation:
reader: Fix documentation comment

Portability:
Fix MSVC build with lzma
Variables need 'extern' in static lib on Cygwin
Really declare dllexport/dllimport for Cygwin
Merge branch 'patch-2' into 'master'
Change dir to $THEDIR after ACLOCAL_PATH check
autoreconf creates aclocal.m4 in $srcdir
Improve error message if pkg.m4 couldn't be found
NaN and Inf fixes for pre-C99 compilers

Bug Fixes:
Revert "Support xmlTextReaderNextSibling w/o preparsed doc"
Fix building relative URIs
Problem with data in interleave in RelaxNG validation
Fix memory leak in xmlSwitchInputEncodingInt error path
Set doc on element obtained from freeElems
Fix HTML serialization with UTF-8 encoding
Use actual doc in xmlTextReaderRead*Xml
Unlink node before freeing it in xmlSAX2StartElement
Check return value of nodePush in xmlSAX2StartElement
Free input buffer in xmlHaltParser
Reset HTML parser input pointers on encoding failure
Don't run icu_parse_test if EUC-JP is unsupported
Fix xmlSchemaValidCtxtPtr reuse memory leak
Fix xmlTextReaderNext with preparsed document
Remove stray character from comment
Remove a misleading line from xmlCharEncOutput
HTML noscript should not close p
Don't change context node in xmlXPathRoot
Stop using XPATH_OP_RESET
Revert "Change calls to xmlCharEncInput to set flush false"

Improvements:
Fix "Problem with data in interleave in RelaxNG validation"
cleanup: remove some unreachable code
add --relative to testURI
Remove redefined starts and defines inside include elements
Allow choice within choice in nameClass in RELAX NG
Look inside divs for starts and defines inside include
Add compile and libxml2-config.cmake to .gitignore
Stop using doc->charset outside parser code
Add newlines to 'xmllint --xpath' output
Don't include SAX.h from globals.h
Support xmlTextReaderNextSibling w/o preparsed doc
Don't instruct user to run make when autogen.sh failed
Run Travis ASan tests with "sudo: required"
Improve restoring of context size and position
Simplify and harden nodeset filtering
Avoid unnecessary backups of the context node
Fix inconsistency in xmlXPathIsInf
2019-02-16  Pullup tickets #5808 to #5810  bsiegert  1  -1/+10
2019-02-16  Pullup ticket #5910 - requested by mlelstv  bsiegert  3  -15/+14
www/curl: security fix

Revisions pulled up:
- www/curl/Makefile   1.207
- www/curl/PLIST      1.73
- www/curl/distinfo   1.150
---
Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Feb 6 08:02:48 UTC 2019

Modified Files:
        pkgsrc/www/curl: Makefile PLIST distinfo

Log Message:
curl: updated to 7.64.0

curl and libcurl 7.64.0

This release includes the following changes:
 * cookies: leave secure cookies alone
 * hostip: support wildcard hosts
 * http: Implement trailing headers for chunked transfers
 * http: added options for allowing HTTP/0.9 responses
 * timeval: Use high resolution timestamps on Windows

This release includes the following bugfixes:
 * CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
 * CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
 * CVE-2019-3823: SMTP end-of-response out-of-bounds read
 * FAQ: remove mention of sourceforge for github
 * OS400: handle memory error in list conversion
 * OS400: upgrade ILE/RPG binding.
 * README: add codacy code quality badge
 * Revert http_negotiate: do not close connection
 * THANKS: added several missing names from year <= 2000
 * build: make 'tidy' target work for metalink builds
 * cmake: added checks for variadic macros
 * cmake: updated check for HAVE_POLL_FINE to match autotools
 * cmake: use lowercase for function name like the rest of the code
 * configure: detect xlclang separately from clang
 * configure: fix recv/send/select detection on Android
 * configure: rewrite --enable-code-coverage
 * conncache_unlock: avoid indirection by changing input argument type
 * cookie: fix comment typo
 * cookies: allow secure override when done over HTTPS
 * cookies: extend domain checks to non psl builds
 * cookies: skip custom cookies when redirecting cross-site
 * curl --xattr: strip credentials from any URL that is stored
 * curl -J: refuse to append to the destination file
 * curl/urlapi.h: include "curl.h" first
 * curl_multi_remove_handle() don't block terminating c-ares requests
 * darwinssl: accept setting max-tls with default min-tls
 * disconnect: separate connections and easy handles better
 * disconnect: set conn->data for protocol disconnect
 * docs/version.d: mention MultiSSL
 * docs: fix the --tls-max description
 * docs: use $(INSTALL_DATA) to install man page
 * docs: use meaningless port number in CURLOPT_LOCALPORT example
 * gopher: always include the entire gopher-path in request
 * http2: clear pause stream id if it gets closed
 * if2ip: remove unused function Curl_if_is_interface_name
 * libssh: do not let libssh create socket
 * libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
 * libssh: free sftp_canonicalize_path() data correctly
 * libtest/stub_gssapi: use "real" snprintf
 * mbedtls: use VERIFYHOST
 * multi: multiplexing improvements
 * multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
 * ntlm: fix NTMLv2 compliance
 * ntlm_sspi: add support for channel binding
 * openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
 * openssl: fix the SSL_get_tlsext_status_ocsp_resp call
 * openvms: fix OpenSSL discovery on VAX
 * openvms: fix typos in documentation
 * os400: add a missing closing bracket
 * os400: fix extra parameter syntax error
 * pingpong: change default response timeout to 120 seconds
 * pingpong: ignore regular timeout in disconnect phase
 * printf: fix format specifiers
 * runtests.pl: Fix perl call to include srcdir
 * schannel: fix compiler warning
 * schannel: preserve original certificate path parameter
 * schannel: stop calling it "winssl"
 * sigpipe: if mbedTLS is used, ignore SIGPIPE
 * smb: fix incorrect path in request if connection reused
 * ssh: log the libssh2 error message when ssh session startup fails
 * test1558: verify CURLINFO_PROTOCOL on file:// transfer
 * test1561: improve test name
 * test1653: make it survive torture tests
 * tests: allow tests to pass by 2037-02-12
 * tests: move objnames-* from lib into tests
 * timediff: fix math for unsigned time_t
 * timeval: Disable MSVC Analyzer GetTickCount warning
 * tool_cb_prg: avoid integer overflow
 * travis: added cmake build for osx
 * urlapi: Fix port parsing of eol colon
 * urlapi: distinguish possibly empty query
 * urlapi: fix parsing ipv6 with zone index
 * urldata: rename easy_conn to just conn
 * winbuild: conditionally use /DZLIB_WINAPI
 * wolfssl: fix memory-leak in threaded use
 * spnego_sspi: add support for channel binding
2019-02-16  Pullup ticket #5909 - requested by spz  bsiegert  3  -3/+53
textproc/icu: security fix

Revisions pulled up:
- textproc/icu/Makefile                        1.121
- textproc/icu/distinfo                        1.81
- textproc/icu/patches/patch-CVE-2018-18928    1.1
---
Module Name:    pkgsrc
Committed By:   spz
Date:           Wed Feb 13 20:51:57 UTC 2019

Modified Files:
        pkgsrc/textproc/icu: Makefile distinfo
Added Files:
        pkgsrc/textproc/icu/patches: patch-CVE-2018-18928

Log Message:
add patch for CVE-2018-18928 from upstream
2019-02-16  Pullup ticket #5908 - requested by spz  bsiegert  2  -8/+7
net/wget: security fix

Revisions pulled up:
- net/wget/Makefile   1.144
- net/wget/distinfo   1.58
---
Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Feb 10 19:49:58 UTC 2019

Modified Files:
        pkgsrc/net/wget: Makefile distinfo

Log Message:
updating wget to 1.20.1, which fixes CVE-2018-20483

Upstream changelog:

* Changes in Wget 1.20.1

** --xattr is no longer default since it introduces privacy issues.

** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment
   are no longer saved to prevent privacy issues.

** --xattr saves the Original URL without user/password to prevent privacy issues.

* Changes in Wget 1.20

** Add new option `--retry-on-host-error` to treat local errors as transient
   and hence Wget will retry to download the file after a brief waiting period.

** Fixed multiple potential resource leaks as found by static analysis

** Wget will now not create an empty wget-log file when running with -q and -b
   switches together

** When compiled using the GnuTLS >= 3.6.3, Wget now has support for TLSv1.3

** Now there is support for using libpcre2 for regex pattern matching

** When downloading over FTP recursively, one can now use the
   --{accept,reject}-regex switches to fine-tune the downloaded files

** Building Wget from the git sources now requires autoconf 2.63 or above.
   Building from the Tarballs works as it used to.
2019-02-08  #5907  spz  1  -1/+4
2019-02-08  Pullup ticket #5907 - requested by khorben  spz  2  -8/+7
finance/bitcoin: security update

Revisions pulled up:
- finance/bitcoin/Makefile   1.9
- finance/bitcoin/distinfo   1.2
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   khorben
Date:           Mon Feb 4 22:06:22 UTC 2019

Modified Files:
        pkgsrc/finance/bitcoin: Makefile distinfo

Log Message:
Update finance/bitcoin to version 0.16.3

- From the release notes for version 0.16.2:

Wallet
* #13622 c04a4a5 Remove mapRequest tracking that just effects Qt display. (TheBlueMatt)
* #12905 cfc6f74 [rpcwallet] Clamp walletpassphrase value at 100M seconds (sdaftuar)
* #13437 ed82e71 wallet: Erase wtxOrderd wtx pointer on removeprunedfunds (MarcoFalke)

RPC and other APIs
* #13451 cbd2f70 rpc: expose CBlockIndex::nTx in getblock(header) (instagibbs)
* #13507 f7401c8 RPC: Fix parameter count check for importpubkey (kristapsk)
* #13452 6b9dc8c rpc: have verifytxoutproof check the number of txns in proof structure (instagibbs)
* #12837 bf1f150 rpc: fix type mistmatch in listreceivedbyaddress (joemphilips)
* #12743 657dfc5 Fix csBestBlock/cvBlockChange waiting in rpc/mining (sipa)

GUI
* #12432 f78e7f6 [qt] send: Clear All also resets coin control options (Sjors)
* #12617 21dd512 gui: Show messages as text not html (laanwj)
* #12793 cf6feb7 qt: Avoid reseting on resetguisettigs=0 (MarcoFalke)

Build system
* #13544 9fd3e00 depends: Update Qt download url (fanquake)
* #12573 88d1a64 Fix compilation when compiler do not support __builtin_clz* (532479301)

Tests and QA
* #13061 170b309 Make tests pass after 2020 (bmwiedemann)
* #13192 79c4fff [tests] Fixed intermittent failure in p2p_sendheaders.py (lmanners)
* #13300 d9c5630 qa: Initialize lockstack to prevent null pointer deref (MarcoFalke)
* #13545 e15e3a9 tests: Fix test case streams_serializedata_xor Remove Boost dependency. (practicalswift)
* #13304 cbdabef qa: Fix wallet_listreceivedby race (MarcoFalke)

Miscellaneous
* #12887 2291774 Add newlines to end of log messages (jnewbery)
* #12859 18b0c69 Bugfix: Include for std::unique_ptr (luke-jr)
* #13131 ce8aa54 Add Windows shutdown handler (ken2812221)
* #13652 20461fc rpc: Fix that CWallet::AbandonTransaction would leave the grandchildren, etc. active (Empact)

- From the release notes for version 0.16.3:

Consensus
* #14249 696b936 Fix crash bug with duplicate inputs within a transaction (TheBlueMatt, sdaftuar)

RPC and other APIs
* #13547 212ef1f Make signrawtransaction* give an error when amount is needed but missing (ajtowns)

Miscellaneous
* #13655 1cdbea7 bitcoinconsensus: invalid flags error should be set to bitcoinconsensus_err (afk11)

Documentation
* #13844 11b9dbb correct the help output for -prune (hebasto)

This also fixes a denial-of-service vulnerability (CVE-2018-17144). It is
exploitable by miners and has been discovered in Bitcoin Core versions 0.14.0
up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to
0.16.3 as soon as possible.

XXX pull-up (security fix)

To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/finance/bitcoin/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/finance/bitcoin/distinfo
2019-02-08  #5905 #5906  spz  1  -1/+7
2019-02-08  revbump go dependents after lang/go111 and lang/go110 updates  spz  141  -281/+282
2019-02-08  Pullup ticket #5906 - requested by bsiegert  spz  2  -7/+7
lang/go111: security update

Revisions pulled up:
- lang/go/version.mk    1.54
- lang/go111/distinfo   1.5
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Jan 24 09:26:21 UTC 2019

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go111: distinfo

Log Message:
Update go111 to 1.11.5 (security).

This release addresses a recently supported security issue.

This DoS vulnerability in the crypto/elliptic implementations of the P-521
and P-384 elliptic curves may let an attacker craft inputs that consume
excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates,
JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH
private key is reused more than once, the attack can also lead to key
recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go
issue for more details.

To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go111/distinfo
2019-02-08  Pullup ticket #5905 - requested by bsiegert  spz  2  -7/+7
lang/go110: security update

Revisions pulled up:
- lang/go/version.mk    1.55
- lang/go110/distinfo   1.4
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Jan 24 09:33:08 UTC 2019

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go110: distinfo

Log Message:
Update go110 to 1.10.8 (security).

This release addresses a recently supported security issue.

This DoS vulnerability in the crypto/elliptic implementations of the P-521
and P-384 elliptic curves may let an attacker craft inputs that consume
excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates,
JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH
private key is reused more than once, the attack can also lead to key
recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go
issue for more details.

To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go110/distinfo
2019-02-02  set $CC when clang is detected in bootstrap  triaxx  1  -1/+3
fix PR/53929
2019-01-29  Eight new pullup tickets.  bsiegert  1  -1/+28
2019-01-29  Pullup ticket #5902 - requested by markd  bsiegert  2  -1/+13
x11/qt5-qtxmlpatterns: build fix

Revisions pulled up:
- x11/qt5-qtxmlpatterns/distinfo                                 1.9
- x11/qt5-qtxmlpatterns/patches/patch-src_imports_imports.pro    1.1
---
Module Name:    pkgsrc
Committed By:   markd
Date:           Sun Jan 6 10:21:12 UTC 2019

Modified Files:
        pkgsrc/x11/qt5-qtxmlpatterns: distinfo
Added Files:
        pkgsrc/x11/qt5-qtxmlpatterns/patches: patch-src_imports_imports.pro

Log Message:
qt5-qtxmlpatterns: never try to build xmllistmodel
depends on qml module from qt5-qtdeclarative which would be a cyclic dependency
2019-01-29  Pullup ticket #5904 - requested by he  bsiegert  1  -1/+2
fonts/harfbuzz: NetBSD-7 build fix

Revisions pulled up:
- fonts/harfbuzz/Makefile   1.106
---
Module Name:    pkgsrc
Committed By:   he
Date:           Thu Jan 24 12:46:10 UTC 2019

Modified Files:
        pkgsrc/fonts/harfbuzz: Makefile

Log Message:
Add GCC_REQD+=4.9, so that this builds on NetBSD/i386 7.1 again.
For newer OSes this would be a no-op, so no revision bump.
2019-01-29  Pullup ticket #5903 - requested by taca  bsiegert  2  -10/+9
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile   1.76
- www/apache24/distinfo   1.39
---
Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Jan 23 12:04:18 UTC 2019

Modified Files:
        pkgsrc/www/apache24: Makefile distinfo

Log Message:
apache24: updated to 2.4.38

Changes with Apache 2.4.38

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later.

  *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.

  *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
     AddLanguage behavior and HTTP specification.

  *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
     have been fixed.

  *) mod_setenvif: We can have expressions that become true if a regex pattern
     in the expression does NOT match. In this case val is NULL and we should
     just set the value for the environment variable like in the pattern case.

  *) mod_session: Always decode session attributes early.

  *) core: Incorrect values for environment variables are substituted when
     multiple environment variables are specified in a directive.

  *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
     this type of map is present in the configuration.

  *) mod_dav: Fix invalid Location header when a resource is created by
     passing an absolute URI on the request line

  *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.

  *) mod_ssl: clear *SSL errors before loading certificates and checking
     afterwards. Otherwise errors are reported when other SSL using modules
     are in play.

  *) mod_ssl: Fix the error code returned in an error path of
     'ssl_io_filter_handshake()'. This messes-up error handling performed
     in 'ssl_io_filter_error()'

  *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and
     fix authz provider so "Require ssl" works correctly in HTTP/2.

  *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
     redirects, subsequent ProxyPassReverse statements, whether they are
     relative or absolute, may fail.

  *) mod_lua: Now marked as a stable module
2019-01-29  Pullup ticket #5901 - requested by taca  bsiegert  4  -9/+19
security/py-acme: update (stop using TLS-SNI-01)
security/py-certbot: update (stop using TLS-SNI-01)

Revisions pulled up:
- security/py-acme/PLIST               1.11
- security/py-certbot/Makefile.common  1.29
- security/py-certbot/PLIST            1.14
- security/py-certbot/distinfo         1.28
---
Module Name:    pkgsrc
Committed By:   triaxx
Date:           Tue Jan 15 09:32:11 UTC 2019

Modified Files:
        pkgsrc/security/py-certbot: Makefile.common PLIST distinfo

Log Message:
py-certbot: update to 0.30.0

Upstream changes:
================================================================================
## 0.30.0 - 2019-01-02

### Added

* Added the `update_account` subcommand for account management commands.

### Changed

* Copied account management functionality from the `register` subcommand
  to the `update_account` subcommand.
* Marked usage `register --update-registration` for deprecation and
  removal in a future release.

### Fixed

* Older modules in the josepy library can now be accessed through acme.jose
  like it could in previous versions of acme. This is only done to preserve
  backwards compatibility and support for doing this with new modules in josepy
  will not be added. Users of the acme library should switch to using josepy
  directly if they haven't done so already.

Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:

* acme

More details about these changes can be found on our GitHub repo.

## 0.29.1 - 2018-12-05

### Added

*

### Changed

*

### Fixed

* The default work and log directories have been changed back to
  /var/lib/letsencrypt and /var/log/letsencrypt respectively.

Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:

* certbot

More details about these changes can be found on our GitHub repo.

## 0.29.0 - 2018-12-05

### Added

* Noninteractive renewals with `certbot renew` (those not started from a
  terminal) now randomly sleep 1-480 seconds before beginning work in
  order to spread out load spikes on the server side.
* Added External Account Binding support in cli and acme library.
  Command line arguments --eab-kid and --eab-hmac-key added.

### Changed

* Private key permissioning changes:
  Renewal preserves existing group mode & gid of previous private key material.
  Private keys for new lineages (i.e. new certs, not renewed) default to 0o600.

### Fixed

* Update code and dependencies to clean up Resource and Deprecation Warnings.
* Only depend on imgconverter extension for Sphinx >= 1.6

Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:

* acme
* certbot
* certbot-apache
* certbot-dns-cloudflare
* certbot-dns-digitalocean
* certbot-dns-google
* certbot-nginx

More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/62?closed=1

## 0.28.0 - 2018-11-7

### Added

* `revoke` accepts `--cert-name`, and doesn't accept both `--cert-name` and `--cert-path`.
* Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.

### Changed

* Removed documentation mentions of `#letsencrypt` IRC on Freenode.
* Write README to the base of (config-dir)/live directory
* `--manual` will explicitly warn users that earlier challenges should remain in place
  when setting up subsequent challenges.
* Warn when using deprecated acme.challenges.TLSSNI01
* Log warning about TLS-SNI deprecation in Certbot
* Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins
* OVH DNS plugin now relies on Lexicon>=2.7.14 to support HTTP proxies
* Default time the Linode plugin waits for DNS changes to propagate is now 1200 seconds.

### Fixed

* Match Nginx parser update in allowing variable names to start with `${`.
* Fix ranking of vhosts in Nginx so that all port-matching vhosts come first
* Correct OVH integration tests on machines without internet access.
* Stop caching the results of ipv6_info in http01.py
* Test fix for Route53 plugin to prevent boto3 making outgoing connections.
* The grammar used by Augeas parser in Apache plugin was updated to fix various parsing errors.
* The CloudXNS, DNSimple, DNS Made Easy, Gehirn, Linode, LuaDNS, NS1, OVH, and
  Sakura Cloud DNS plugins are now compatible with Lexicon 3.0+.

Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:

* acme
* certbot
* certbot-apache
* certbot-dns-cloudxns
* certbot-dns-dnsimple
* certbot-dns-dnsmadeeasy
* certbot-dns-gehirn
* certbot-dns-linode
* certbot-dns-luadns
* certbot-dns-nsone
* certbot-dns-ovh
* certbot-dns-route53
* certbot-dns-sakuracloud
* certbot-nginx

More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/59?closed=1

## 0.27.1 - 2018-09-06

### Fixed

* Fixed parameter name in OpenSUSE overrides for default parameters in the
  Apache plugin. Certbot on OpenSUSE works again.

Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:

* certbot-apache

More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/60?closed=1
---
Module Name:    pkgsrc
Committed By:   triaxx
Date:           Tue Jan 15 09:34:10 UTC 2019

Modified Files:
        pkgsrc/security/py-acme: PLIST

Log Message:
py-acme: update to 0.30.0
2019-01-29  Pullup ticket #5900 - requested by maya  bsiegert  15  -23/+172
databases/mysql55-client: security fix
databases/mysql56-client: security fix
databases/mysql57-client: security fix

Revisions pulled up:
- databases/mysql55-client/Makefile                                                        1.32
- databases/mysql55-client/distinfo                                                        1.63
- databases/mysql55-client/patches/patch-CMakeLists.txt                                    1.7
- databases/mysql55-client/patches/patch-cmake_build__configurations_mysql__release.cmake  1.1
- databases/mysql55-client/patches/patch-sql_sys__vars.cc                                  1.1
- databases/mysql56-client/Makefile                                                        1.28
- databases/mysql56-client/distinfo                                                        1.49
- databases/mysql56-client/patches/patch-CMakeLists.txt                                    1.6
- databases/mysql56-client/patches/patch-cmake_build__configurations_mysql__release.cmake  1.1
- databases/mysql56-client/patches/patch-sql_sys__vars.cc                                  1.3
- databases/mysql57-client/Makefile                                                        1.19
- databases/mysql57-client/distinfo                                                        1.27
- databases/mysql57-client/patches/patch-CMakeLists.txt                                    1.2
- databases/mysql57-client/patches/patch-cmake_build__configurations_mysql__release.cmake  1.1
- databases/mysql57-client/patches/patch-sql_sys__vars.cc                                  1.1
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Sun Jan 20 18:03:25 UTC 2019

Modified Files:
        pkgsrc/databases/mysql55-client: Makefile distinfo
        pkgsrc/databases/mysql55-client/patches: patch-CMakeLists.txt
Added Files:
        pkgsrc/databases/mysql55-client/patches:
            patch-cmake_build__configurations_mysql__release.cmake
            patch-sql_sys__vars.cc

Log Message:
mysql55-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Sun Jan 20 18:04:49 UTC 2019

Modified Files:
        pkgsrc/databases/mysql56-client: Makefile distinfo
        pkgsrc/databases/mysql56-client/patches: patch-CMakeLists.txt
Added Files:
        pkgsrc/databases/mysql56-client/patches:
            patch-cmake_build__configurations_mysql__release.cmake
            patch-sql_sys__vars.cc

Log Message:
mysql56-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Sun Jan 20 18:22:10 UTC 2019

Modified Files:
        pkgsrc/databases/mysql57-client: Makefile distinfo
        pkgsrc/databases/mysql57-client/patches: patch-CMakeLists.txt
Added Files:
        pkgsrc/databases/mysql57-client/patches:
            patch-cmake_build__configurations_mysql__release.cmake
            patch-sql_sys__vars.cc

Log Message:
mysql57-client: change the default configuration to avoid information
disclosure to a malicious server.

Backport of upstream commit:
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be

Exploit method described here:
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
2019-01-29  Pullup ticket #5895 - requested by taca  bsiegert  4  -10/+57
www/drupal8: security fix

Revisions pulled up:
- www/drupal8/Makefile                                                       1.14-1.16
- www/drupal8/PLIST                                                          1.12-1.13
- www/drupal8/distinfo                                                       1.13-1.15
- www/drupal8/patches/patch-core_lib_Drupal_Core_Extension_ModulesHandler.php  1.1
---
Module Name:    pkgsrc
Committed By:   wen
Date:           Fri Jan 4 08:17:37 UTC 2019

Modified Files:
        pkgsrc/www/drupal8: Makefile PLIST distinfo

Log Message:
Update to 8.6.5

Upstream changes:
Changes since 8.6.4
#3023402 by alexpott: \Drupal\Tests\Component\Datetime\DateTimePlusTest fails on latest PHP7.3 build
#3001997 by Krzysztof Domańskii, scott_euser, alexpott: Transliteration a string containing an unknown character (e.g. 0x80) is not valid
#3018942 by welly, alexpott, jibran, Krzysztof Domańskii, floydm: Domain URL language detection - InvalidArgumentException: The user-entered string must begin with a '/', '?', or '#'
#3020902 by Berdir, alexpott: PostgresqlDateSql fails to serialize
Revert "Issue #2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection"
#3022183 by wengerk, benjifisher: Fix BlockContentAccessHandlerTest::providerTestAccess wrong coverage by early return
#2984072 by vijaycs85, Lendude, ApacheEx, dawehner: System: Convert ErrorHandlerTest to phpunit
#3019706 by hchonov, alexpott, sheanhoxie, jibran, dawehner: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
Revert "Issue #3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable"
#3021204 by maxocub: Remove maxocub from Migrate maintainers
#3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
#2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection
#2939908 by kjay, steveparks, spitzialist, cferthorney, danharper, Eli-T: Add an article to Umami - Dairy-free chocolate
#3007439 by tim.plunkett, Wim Leers, xopoc: Layout builder renders Book navigation block on non-book pages
#2927768 by justinlevi, Lendude, pritish.kumar, Wim Leers, dawehner: Update RestRegisterUserTest to use the ResourceTestBase base class instead of the deprecated RESTTestBase
#3020550 by catch: Passing commands as a string to Process is deprecated in Symfony 4
#3020579 by catch: TypeError: Argument 3 passed to Symfony\Component\HttpKernel\Event\FilterResponseEvent::__construct() must be of the type integer, string given [Symfony 4]
#2618606 by dawehner, rbayliss: Update.php - Reverse proxy settings not used
#2865344 by mpdonadio, Lendude, mbovan, organicwire, alexpott, jibran, jhedstrom, bobemoe, Berdir, larowlan: Exposed date filters 'empty' and 'not empty' are broken
#2974274 by mitrpaka, RumyanaRuseva, joachim: exception message for unrecognized source IDs in lookupDestinationIds() should have more detail
#2809305 by Upchuk, Pavan B S, Jo Fitzgerald, tim.plunkett, Berdir: Block Context assignment form element shows even if no options are available
#3018774 by xjm: hook_post_update_NAME() docs do not explain batching/ parameter
#3018539 by phenaproxima, rodrigoaguilera, alexpott: Media types cannot be created in the UI without JavaScript
#3018764 by Wim Leers: One test case in MediaUiFunctionalTest is not actually tested due to a duplicate key
#2998462 by AndyF, Baysaa, Siavash, tim.plunkett, millionleaves, fatmarker: Error adding Content Type Selection criteria or Context
#3016501 by govind.maloo, andrewmacpherson, markconroy: Writing style - Umami should be capitalised when it is used as a proper noun in English
#2916595 by phenaproxima, AdamPS, Wim Leers: File element discards attributes if #multiple
#2883260 by kiamlaluno, yogeshmpawar, msankhala, benjifisher, alexpott, bdlangton: Replace the schema example with one actually used from a module
#2883553 by govind.maloo, msankhala, seanB, Berdir, xjm, alexpott: Obsolete argument for hasPermission in node_node_access()
#3016011 by mikelutz, quietone, alexpott: Reroll all migrate dump files
#3017753 by mxr576, alexpott: MemoryBackend should validate the passed cids
---
Module Name:    pkgsrc
Committed By:   prlw1
Date:           Wed Jan 9 11:56:17 UTC 2019

Modified Files:
        pkgsrc/www/drupal8: Makefile distinfo
Added Files:
        pkgsrc/www/drupal8/patches: patch-core_lib_Drupal_Core_Extension_ModulesHandler.php

Log Message:
drupal8 fix for:

Drupal\Core\Extension\Exception\UnknownExtensionException: The module standard does not exist. in Drupal\Core\Extension\ExtensionList->get() (line 257 of /usr/pkg/share/drupal/core/lib/Drupal/Core/Extension/ExtensionList.php)

e.g. when trying to put the site in maintenance mode.
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jan 19 07:33:55 UTC 2019

Modified Files:
        pkgsrc/www/drupal8: Makefile PLIST distinfo

Log Message:
www/drupal8: update to 8.6.6

This is a hotfix release for a regression affecting some Drush installations
that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.
2019-01-29  Pullup ticket #5894 - requested by taca  bsiegert  3  -8/+21
www/drupal7: security fix

Revisions pulled up:
- www/drupal7/Makefile   1.54
- www/drupal7/PLIST      1.20
- www/drupal7/distinfo   1.42
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jan 19 07:30:21 UTC 2019

Modified Files:
        pkgsrc/www/drupal7: Makefile PLIST distinfo

Log Message:
www/drupal7: update to 7.62

Drupal 7.62, 2019-01-15
-----------------------
- Fixed security issues:
  - SA-CORE-2019-001
  - SA-CORE-2019-002
2019-01-29  Pullup ticket #5893 - requested by taca  bsiegert  2  -7/+7
textproc/uriparser: security fix

Revisions pulled up:
- textproc/uriparser/Makefile   1.12
- textproc/uriparser/distinfo   1.10
---
Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sun Jan 6 13:47:20 UTC 2019

Modified Files:
        pkgsrc/textproc/uriparser: Makefile distinfo

Log Message:
Update uriparser to 0.9.1.

>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  * Fixed: Out-of-bounds read in uriParse*Ex* for incomplete URIs with
      IPv6 addresses with embedded IPv4 address, e.g. "//[::44.1";
      mitigated if passed parameter <afterLast> points to readable memory
      containing a '\0' byte.
      Thanks to Joergen Ibsen for the report!
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  * Fixed: When parsing a malformed URI with an IPvFuture address
      (e.g. "http://[vA.123456" missing "]"), errorPos would point to the
      first character after "v" rather than the actual position of the error
      (here: the end of the string)
  * Fixed: uriToStringCharsRequired* reported 1 more byte than actually
      needed for IPv4 address URIs (GitHub #41);
      Thanks to @gyh007 for the patch!
  * Fixed: Compilation with MinGW
      Thanks to Sandro Mani for the patch!
  * Fixed: Drop use of asprintf from the test suite for MinGW (GitHub #40)
  * Improved: For parse errors, waterproof errorPos <= afterLast
  * Soname: 1:24:0

Via email from Sebastian Pipping.
2019-01-19  Document latest pullup tickets  bsiegert  1  -1/+16
2019-01-19  Pullup ticket #5899 - requested by taca  bsiegert  3  -9/+8
lang/php56: security fix

Revisions pulled up:
- lang/php/phpversion.mk   1.245
- lang/php56/Makefile      1.20
- lang/php56/distinfo      1.54
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jan 12 15:01:34 UTC 2019

Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php56: Makefile distinfo

Log Message:
lang/php56: update to 5.6.40

10 Jan 2019, PHP 5.6.40

- GD:
  . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads
    to use-after-free). (cmb)
  . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)

- Mbstring:
  . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
    (Stas)
  . Fixed bug #77371 (heap buffer overflow in mb regex functions -
    compile_string_node). (Stas)
  . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
  . Fixed bug #77382 (heap buffer overflow due to incorrect length in
    expand_case_fold_string). (Stas)
  . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
  . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
    (Stas)
  . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

- Phar:
  . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
    (Stas)

- Xmlrpc:
  . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
  . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
2019-01-19 | Pullup ticket #5898 - requested by taca | bsiegert | 2 | -7/+7

lang/php73: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.244
- lang/php73/distinfo 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 15:00:26 UTC 2019

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php73: distinfo

Log Message:
lang/php73: update to 7.3.1

10 Jan 2019, PHP 7.3.1

- Core:
  . Fixed bug #76654 (Build failure on Mac OS X on 32-bit Intel). (Ryandesign)
  . Fixed bug #71041 (zend_signal_startup() needs ZEND_API). (Valentin V. Bartenev)
  . Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line). (Nikita)
  . Fixed bug #77291 (magic methods inherited from a trait may be ignored). (cmb)

- CURL:
  . Fixed bug #77264 (curl_getinfo returning microseconds, not seconds). (Pierrick)

- COM:
  . Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)

- Exif:
  . Fixed bug #77184 (Unsigned rational numbers are written out as signed rationals). (Colin Basnett)

- GD:
  . Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
  . Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
  . Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right). (cmb)
  . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (cmb)
  . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)

- MBString:
  . Fixed bug #77367 (Negative size parameter in mb_split). (Stas)
  . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
  . Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas)
  . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
  . Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (Stas)
  . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
  . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
  . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

- OCI8:
  . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
  . Added oci_set_call_timeout() for call timeouts.
  . Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.

- Opcache:
  . Fixed bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block). (Nikita)
  . Fixed bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet). (Nikita)

- PCRE:
  . Fixed bug #77193 (Infinite loop in preg_replace_callback). (Anatol)

- PDO:
  . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei Morozov)

- Phar:
  . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)

- Soap:
  . Fixed bug #77088 (Segfault when using SoapClient with null options). (Laruence)

- Sockets:
  . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS). (Mizunashi Mana)

- Sodium:
  . Fixed bug #77297 (SodiumException segfaults on PHP 7.3). (Nikita, Scott)

- SPL:
  . Fixed bug #77359 (spl_autoload causes segfault). (Lauri Kenttä)
  . Fixed bug #77360 (class_uses causes segfault). (Lauri Kenttä)

- SQLite3:
  . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)

- Xmlrpc:
  . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
  . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
2019-01-19 | Pullup ticket #5897 - requested by taca | bsiegert | 3 | -9/+8

lang/php72: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.243
- lang/php72/Makefile 1.16
- lang/php72/distinfo 1.35
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 14:59:03 UTC 2019

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php72: Makefile distinfo

Log Message:
lang/php72: update to 7.2.14

10 Jan 2019, PHP 7.2.14

- Core:
  . Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)
  . Fixed bug #71041 (zend_signal_startup() needs ZEND_API). (Valentin V. Bartenev)
  . Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line). (Nikita)

- COM:
  . Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)

- Date:
  . Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second). (Derick)

- Exif:
  . Fixed bug #77184 (Unsigned rational numbers are written out as signed rationals). (Colin Basnett)

- GD:
  . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (cmb)
  . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
  . Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
  . Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
  . Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right). (cmb)

- IMAP:
  . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)

- Mbstring:
  . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
  . Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas)
  . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
  . Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (Stas)
  . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
  . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
  . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

- OCI8:
  . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
  . Added oci_set_call_timeout() for call timeouts.
  . Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.

- Opcache:
  . Fixed bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block). (Nikita)

- PDO:
  . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei Morozov)

- Phar:
  . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)

- Sockets:
  . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS). (Mizunashi Mana)

- SQLite3:
  . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)

- Xmlrpc:
  . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
  . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
2019-01-19 | Pullup ticket #5896 - requested by taca | bsiegert | 3 | -9/+8

lang/php71: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.242
- lang/php71/Makefile 1.18
- lang/php71/distinfo 1.48
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 12 14:56:47 UTC 2019

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: Makefile distinfo

Log Message:
lang/php71: update to 7.1.26

10 Jan 2019, PHP 7.1.26

- Core:
  . Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)

- GD:
  . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (cmb)
  . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)

- IMAP:
  . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)

- Mbstring:
  . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
  . Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas)
  . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
  . Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (Stas)
  . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
  . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
  . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

- Phar:
  . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)

- Xmlrpc:
  . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
  . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
2019-01-19 | Pullup ticket #5892 - requested by gdt | bsiegert | 2 | -8/+16

www/nghttp2: build fix (don't require C++14 for the C library)

Revisions pulled up:
- www/nghttp2/Makefile (patch)
- www/nghttp2/options.mk (patch)
2019-01-12 | Record latest batch of pullups | bsiegert | 1 | -1/+16
2019-01-12 | Pullup ticket #5891 - requested by leot | bsiegert | 1 | -2/+4

net/megatools: build fix

Revisions pulled up:
- net/megatools/Makefile 1.13
---
Module Name: pkgsrc
Committed By: leot
Date: Fri Jan 11 19:40:58 UTC 2019

Modified Files:
pkgsrc/net/megatools: Makefile

Log Message:
megatools: needs asciidoc for documentation

PKGREVISION++

Thanks to <jmcneill>!
2019-01-12 | Pullup ticket #5890 - requested by maya | bsiegert | 1 | -2/+2

audio/musicpd: require newer gcc

Revisions pulled up:
- audio/musicpd/Makefile (via patch)
2019-01-12 | Pullup ticket #5889 - requested by simonb | bsiegert | 1 | -2/+5

multimedia/transcode: build fix

Revisions pulled up:
- multimedia/transcode/Makefile 1.115
---
Module Name: pkgsrc
Committed By: triaxx
Date: Fri Jan 4 21:38:31 UTC 2019

Modified Files:
pkgsrc/multimedia/transcode: Makefile

Log Message:
transcode: add missing dependencies

* Fix PR pkg/53835
* Bump revision
2019-01-11 | Pullup ticket #5888 - requested by maya | bsiegert | 1 | -2/+4

lang/ghc7: build fix

Revisions pulled up:
- lang/ghc7/Makefile 1.32
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Jan 10 18:11:56 UTC 2019

Modified Files:
pkgsrc/lang/ghc7: Makefile

Log Message:
ghc7: not aslr safe, either. bump PKGREVISION

Fix PR pkg/53842.

ghci dies with:
ghc: mmap 593920 bytes at 0x40000000: Cannot allocate memory
2019-01-11 | Pullup ticket #5887 - requested by maya | bsiegert | 1 | -2/+1

mk: SuperH build fix

Revisions pulled up:
- mk/gnu-config/config.sub 1.22-1.24
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:31:36 UTC 2019

Modified Files:
pkgsrc/mk/gnu-config: config.sub

Log Message:
Match 32-bit SuperH CPUs in the same way that GCC does.

PR pkg/53825
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:41:13 UTC 2019

Modified Files:
pkgsrc/mk/gnu-config: config.sub

Log Message:
Really mirror GCC now, including the wildcard.
Thanks joerg for the heads up

PR pkg/53825
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Jan 2 15:45:27 UTC 2019

Modified Files:
pkgsrc/mk/gnu-config: config.sub

Log Message:
Revert accidental change.
2018-12-30 | doc: Add CHANGES file for 2018Q4 branch | wiz | 1 | -0/+4