lang/libLLVM: PowerPC build fix
Revisions pulled up:
- lang/libLLVM/hacks.mk 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Tue Sep 15 16:16:29 UTC 2020
Added Files:
pkgsrc/lang/libLLVM: hacks.mk
Log Message:
On powerpc, use -mlongcall so that we don't get 24-bit relocation overflow.
|
|
multimedia/ffmpeg4: PowerPC build fix
Revisions pulled up:
- multimedia/ffmpeg4/hacks.mk 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Mon Sep 14 20:43:36 UTC 2020
Added Files:
pkgsrc/multimedia/ffmpeg4: hacks.mk
Log Message:
Use -mvsx compiler flag on powerpc so that the appropriate section
of the compiler's <altivec.h> header is exposed, so that this builds.
|
|
net/freeradius: PowerPC build fix
Revisions pulled up:
- net/freeradius/hacks.mk 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Sun Sep 13 18:56:29 UTC 2020
Added Files:
pkgsrc/net/freeradius: hacks.mk
Log Message:
Use devel/libatomic on powerpc so that this package builds.
|
|
textproc/groonga: PowerPC build fix
Revisions pulled up:
- textproc/groonga/hacks.mk 1.5
---
Module Name: pkgsrc
Committed By: he
Date: Sun Sep 13 13:16:10 UTC 2020
Added Files:
pkgsrc/textproc/groonga: hacks.mk
Log Message:
Add use of devel/libatomic on powerpc ports; fixes the build since
this platform doesn't have native 8-byte atomics.
|
|
www/webkit24-gtk: PowerPC build fix
Revisions pulled up:
- www/webkit24-gtk/hacks.mk 1.2
---
Module Name: pkgsrc
Committed By: he
Date: Sat Sep 12 16:39:06 UTC 2020
Modified Files:
pkgsrc/www/webkit24-gtk: hacks.mk
Log Message:
Pull in devel/libatomic on powerpc due to lack of native 8-byte atomics.
Fixes build on NetBSD/macppc 9.0, should have no effect elsewhere, so no
revision bump.
|
|
www/webkit-gtk: PowerPC build fix
Revisions pulled up:
- www/webkit-gtk/hacks.mk 1.2
---
Module Name: pkgsrc
Committed By: he
Date: Fri Sep 11 09:21:32 UTC 2020
Modified Files:
pkgsrc/www/webkit-gtk: hacks.mk
Log Message:
Pull in devel/libatomic on powerpc due to lack of native 8-byte atomics.
Fixes build on NetBSD/macppc 9.0, should have no effect elsewhere, so no
revision bump.
|
|
devel/protobuf: PowerPC build fix
Revisions pulled up:
- devel/protobuf/hacks.mk 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Tue Sep 8 08:35:23 UTC 2020
Added Files:
pkgsrc/devel/protobuf: hacks.mk
Log Message:
On powerpc, which lacks native 8-byte atomics, use devel/libatomic.
Build fix on this platform only, so no revision bump.
|
|
converters/wkhtmltopdf: PowerPC build fix
Revisions pulled up:
- converters/wkhtmltopdf/hacks.mk 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Tue Sep 8 06:33:47 UTC 2020
Added Files:
pkgsrc/converters/wkhtmltopdf: hacks.mk
Log Message:
On powerpc, build with -mlongcall, to avoid truncated relocations.
Build fix only for this arch, so no revision bump.
|
|
security/tor-browser-noscript: dependent update
Revisions pulled up:
- security/tor-browser-noscript/Makefile 1.5
- security/tor-browser-noscript/distinfo 1.5
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Aug 26 20:08:15 UTC 2020
Modified Files:
pkgsrc/security/tor-browser-noscript: Makefile distinfo
Log Message:
tor-browser-noscript: update to 11.0.41.
v 11.0.41rc2
============================================================
x More precise event suppression mechanism
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.41rc2
============================================================
x More precise event suppression mechanism
v 11.0.41rc1
============================================================
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.40
============================================================
x Avoid synchronous policy fetching whenever possible
(fixes multiple issues)
v 11.0.40rc2
============================================================
x Avoid synchronous policy fetching whenever possible
v 11.0.40rc1
============================================================
x Handle edge case in file:// pages: policy change and
reload before DOMContentLoaded
v 11.0.39
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Added "Revoke temporary permissions on NoScript updates,
even if the browser is not restarted" advanced option
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
v 11.0.39rc8
============================================================
x Several hacks to make non-disruptive updates compatible
with Chromium
x Tighten localPolicy persistence mechanism during reloads
v 11.0.39rc7
============================================================
x Temporary settings survival more resilient and compatible
with Fenix
x [L10n] Updated es
v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
v 11.0.39rc5
============================================================
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Renamed option to "Revoke temporary permissions on
NoScript updates, even if the browser is not restarted"
v 11.0.39rc4
============================================================
x Added option to forget temporary settings immediately
whenever NoScript gets updated
x Fixed regression: file:/// URLs reloaded whenever NoScript
gets reinstalled / enabled / reloaded
x More resilient and easy to debug survival data retrieving
v 11.0.39rc3
============================================================
x Fixed regression causing manual NoScript downgrades to be
delayed until manual restart
v 11.0.39rc2
============================================================
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Removed useless CSS property
x Updated TLDs
v 11.0.39rc1
============================================================
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Fixed typo in vendor-prefixed CSS
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38
============================================================
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.37
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
x Updated TLDs
v 11.0.37rc3
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x Updated TLDs
v 11.0.37rc2
============================================================
x SyncMessage suspending on DOM modification as well
x Updated TLDs
v 11.0.37rc1
============================================================
x Updated TLDs
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
v 11.0.36
============================================================
x Fixed regression: temporary permissions revocation not
working anymore on privileged pages
x SendSyncMessage script execution safety net more
compatible with other extensions (e.g. BlockTube)
v 11.0.35
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
x Let SyncMessage prevent undesired script execution
scheduled during suspension
v 11.0.35rc4
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x Fixed potentially infinite loop in SyncMessage Firefox
implementation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
v 11.0.35rc3
============================================================
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
v 11.0.35rc2
============================================================
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
v 11.0.35rc1
============================================================
x Let SyncMessage prevent undesired script execution
scheduled during suspension
|
|
security/tor-browser-https-everywhere: dependent update
Revisions pulled up:
- security/tor-browser-https-everywhere/Makefile 1.3
- security/tor-browser-https-everywhere/distinfo 1.3
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Aug 24 08:02:33 UTC 2020
Modified Files:
pkgsrc/security/tor-browser-https-everywhere: Makefile distinfo
Log Message:
tor-browser-https-everywhere: update to 2020.8.13.
2020.8.13
* Fix port based whitelisting issue #19291
* Update documentation
* Update dependencies (NPM and Chromedriver)
* Minor code fixes in JS
|
|
security/tor-browser: security fix
Revisions pulled up:
- security/tor-browser/Makefile 1.71,1.74
- security/tor-browser/distinfo 1.26,1.28
- security/tor-browser/options.mk 1.7
- security/tor-browser/patches/patch-config_makefiles_rust.mk 1.2
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_lib.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_transaction.rs 1.1
- security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_uhid.rs 1.1
---
Module Name: pkgsrc
Committed By: riastradh
Date: Mon Aug 17 06:58:02 UTC 2020
Modified Files:
pkgsrc/security/tor-browser: Makefile options.mk
Log Message:
security/tor-browser: Make dbus an option.
---
Module Name: pkgsrc
Committed By: riastradh
Date: Mon Aug 17 06:58:32 UTC 2020
Modified Files:
pkgsrc/security/tor-browser: distinfo
Added Files:
pkgsrc/security/tor-browser/patches:
patch-dom_webauthn_u2f-hid-rs_src_lib.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_transaction.rs
patch-dom_webauthn_u2f-hid-rs_src_netbsd_uhid.rs
Log Message:
security/tor-browser: Add U2F support to NetBSD.
The webauthn API is disabled by default in the Tor Browser:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26614
In order to use it, risking the consequences since the Tor Project
has not audited its anonymity properties, you have to explicitly
enable security.webauthn.webauthn=true in about:config.
So if you definitely want to log into a web site using U2F in spite
of that, with location privacy but not anonymity, then these patches
now enable it to work on NetBSD (with the caveat that enabling
security.webauthn.webauthn=true applies also to any web site that
tries to use the webauthn API, not just the ones you want to log
into).
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Aug 26 20:55:20 UTC 2020
Modified Files:
pkgsrc/security/tor-browser: Makefile distinfo
pkgsrc/security/tor-browser/patches: patch-config_makefiles_rust.mk
Log Message:
tor-browser: update to 9.5.4.
This release updates Firefox to 68.12.0esr.
Also, this release features important security updates to Firefox.
|
|
net/chrony: security fix
Revisions pulled up:
- net/chrony/Makefile 1.43
- net/chrony/distinfo 1.14
---
Module Name: pkgsrc
Committed By: hannken
Date: Thu Aug 27 07:00:51 UTC 2020
Modified Files:
pkgsrc/net/chrony: Makefile distinfo
Log Message:
chrony: update to 3.5.1.
New in version 3.5.1
====================
Security fixes
--------------
* Create new file when writing pidfile (CVE-2020-14367)
|
|
net/bind911: security fix
Revisions pulled up:
- net/bind911/Makefile 1.29
- net/bind911/distinfo 1.21
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Aug 21 16:09:44 UTC 2020
Modified Files:
pkgsrc/net/bind911: Makefile distinfo
Log Message:
net/bind911: update to 9.11.22
Update bind911 to 9.11.22 (BIND 9.11.22).
--- 9.11.22 released ---
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5463. [bug] Address a potential NULL pointer dereference when out of
memory in dnstap.c. [GL #2010]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
|
|
lang/mozjs60: PowerPC build fix
Revisions pulled up:
- lang/mozjs60/Makefile 1.10
- lang/mozjs60/distinfo 1.7
- lang/mozjs60/patches/patch-js_src_jit_AtomicOperations.h 1.1
- lang/mozjs60/patches/patch-js_src_jit_none_AtomicOperations-feeling-lucky.h 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Sun Aug 23 22:29:47 UTC 2020
Modified Files:
pkgsrc/lang/mozjs60: Makefile distinfo
Added Files:
pkgsrc/lang/mozjs60/patches: patch-js_src_jit_AtomicOperations.h
patch-js_src_jit_none_AtomicOperations-feeling-lucky.h
Log Message:
Make this build on NetBSD/powerpc:
* c++ doesn't predefine __ppc__, only __powerpc__. Compensate.
* On NetBSD/powerpc, use libatomic for access to 64-bit atomics.
PKGREVISION not bumped; build fix for NetBSD/powerpc, should not affect others.
|
|
www/php-nextcloud: security fix
Revisions pulled up:
- www/php-nextcloud/Makefile 1.39
- www/php-nextcloud/PLIST 1.32
- www/php-nextcloud/distinfo 1.33
---
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Aug 12 18:18:41 UTC 2020
Modified Files:
pkgsrc/www/php-nextcloud: Makefile PLIST distinfo
Log Message:
php-nextcloud: Update to 19.0.1
Changelog:
Changes
Improve group queries (server#21068)
Do not read certificate bundle from data dir by default (server#21095)
Fixes infinitely repeating LDAP search results with PHP <= 7.2
(server#21111)
Use the loginname to verify the old password in user password changes
(server#21114)
Make the translation sanitization optional (server#21126)
Simplify getGroups, fixing wrong chunking logic (server#21128)
Move the password confirmation form template to post (server#21131)
Clear the statscache before fetching the metadata (server#21135)
Fix reference to wrong class name (server#21148)
Fix password changes in link and mail shares (server#21151)
Do not only catch Exceptions but any Throwable during rmt share delete
(server#21200)
Normalize sftp path in read and write stream (server#21203)
Fix the Talk verification (server#21210)
Prevent harder to share your root (server#21226)
Use \OC::$CLI instead of PHP_SAPI (server#21242)
Fix empty event UUID reminder notifications (server#21247)
Enable passwordless for everyone not only admins. (server#21287)
Only use background fade if nextcloud blue is set (server#21308)
Clear LDAP cache after user deletion (server#21333)
Update icewind/smb to 3.2.5 (server#21342)
Always sort shares in a reliable way (server#21352)
Pass the proper share permissions to the create share call (server#21354)
Reflect unreadable state in the UI (server#21356)
Increase timeout of the appstore requests (server#21387)
Fix pagination of contacts search (server#21405)
Upload part size as S3 parameter instead of constant value (server#21409)
Avoid duplicate matches in wide and exact results (server#21419)
Clean up auth tokens when user is deleted (server#21427)
Fix invalid usage of \Exception::getResult (server#21441)
Disable Client-Side Monitoring on AWS storage (server#21447)
Don't log Keys (server#21485)
GetXbyY can still return false, e.g. when using ldap write support
(server#21491)
Acceptance tests shall specify which branch to pick when cloning apps
(server#21493)
Give up after 10 seconds in SCSS timeout (server#21495)
Clarify that the email is always shared within the instance (server#21521)
Allow to specify the cookie type for appframework responses (server#21526)
Fix autocomplete for LDAP with `shareapi_only_share_with_group_members` on
(server#21538)
Fix modal support for vue apps and dark theme (server#21541)
Fix language in share notes email for users (server#21550)
Fix obsolete usage of OCdialogs (server#21568)
Comment was wrong, block is needed nevertheless (server#21571)
Relax permissions mask check for detecting part file rename (server#21573)
Fix share permission checkboxes enabled when permissions can not be set
(server#21574)
Fix strings being passed where arrays were expected (server#21583)
Remove rescanDelay from directory mtime (server#21584)
Precalculate the primary element color for dark mode too (server#21622)
Update presign method to match with interface again. (server#21638)
Log deprecated events as debug (server#21652)
Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating
(server#21655)
Check if debugMode is defined before using it (server#21660)
Fix static method call for s3 bucket compat check (server#21663)
Add missing TarHeader.php (server#21664)
Revert "Do not read certificate bundle from data dir by default"
(server#21671)
Change OAuth2 redirect link to relative link (server#21687)
Changes the Birthday calendar color to slightly brighter one
(server#21703)
Fix releasing a shared lock multiple times (server#21710)
Fix main bundle on IE11 (server#21726)
Add a clear message why you could end up there (server#21751)
Fix placeholder issues with multiple spaces in the name (server#21770)
Use the correct mountpoint to calculate (server#21772)
Fix #21285 as oneliner (server#21779)
Set the moment locale even earlier (server#21780)
19.0.1 final (server#21801)
Build source maps on production build again (server#21834)
Add missing TarHeader.php (3rdparty#466)
Allow downloads in sandboxed iframe (files_pdfviewer#187)
Do not keep loading the slide list on every reopen (firstrunwizard#351)
Allow to group push notifications via an event (notifications#651)
Don't shutdown the notifications when it freezes by browser shutdown
(notifications#666)
Ignore old push devices (notifications#667)
More buffer to the key size (notifications#672)
Delete duplicates of the same push token hash (notifications#676)
Fix wordwrap issue regression from #540, fix #679 (notifications#686)
Don't push without internet connection (notifications#694)
Also check for internet on delete push (notifications#697)
Correct format for uptime is used (serverinfo#221)
|
|
sysutils/xenkernel411: security fix
Revisions pulled up:
- sysutils/xenkernel411/Makefile 1.14
- sysutils/xenkernel411/distinfo 1.12
- sysutils/xenkernel411/patches/patch-XSA317 1.1
- sysutils/xenkernel411/patches/patch-XSA319 1.1
- sysutils/xenkernel411/patches/patch-XSA320 1.1
- sysutils/xenkernel411/patches/patch-XSA321 1.1
- sysutils/xenkernel411/patches/patch-XSA328 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Thu Jul 16 09:57:17 UTC 2020
Modified Files:
pkgsrc/sysutils/xenkernel411: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel411/patches: patch-XSA317 patch-XSA319
patch-XSA320 patch-XSA321 patch-XSA328
Log Message:
Add patches for Xen Security Advisories XSA317, XSA319, XSA320, XSA321
and XSA328
Bump PKGREVISION
|
|
sysutils/xenkernel413: security fix
Revisions pulled up:
- sysutils/xenkernel413/Makefile 1.2
- sysutils/xenkernel413/distinfo 1.2
- sysutils/xenkernel413/patches/patch-XSA317 1.1
- sysutils/xenkernel413/patches/patch-XSA319 1.1
- sysutils/xenkernel413/patches/patch-XSA320 1.1
- sysutils/xenkernel413/patches/patch-XSA321 1.1
- sysutils/xenkernel413/patches/patch-XSA328 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Thu Jul 16 09:56:47 UTC 2020
Modified Files:
pkgsrc/sysutils/xenkernel413: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel413/patches: patch-XSA317 patch-XSA319
patch-XSA320 patch-XSA321 patch-XSA328
Log Message:
Add patches for Xen Security Advisories XSA317, XSA319, XSA320, XSA321
and XSA328.
Bump PKGREVISION
|
|
misc/xygrib: build fix
Revisions pulled up:
- misc/xygrib/distinfo 1.5
- misc/xygrib/patches/patch-src_SkewT.h 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Aug 21 11:31:28 UTC 2020
Modified Files:
pkgsrc/misc/xygrib: distinfo
Added Files:
pkgsrc/misc/xygrib/patches: patch-src_SkewT.h
Log Message:
include <QPainterPath> to fix build with current version of Qt.
|
|
graphics/xfig: build fix
Revisions pulled up:
- graphics/xfig/Makefile 1.79
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Aug 19 19:54:11 UTC 2020
Modified Files:
pkgsrc/graphics/xfig: Makefile
Log Message:
This needs netpbm (to build a pixmap file) in the build phase.
|
|
mail/dovecot2-pigeonhole: dependent update
Revisions pulled up:
- mail/dovecot2-pigeonhole/Makefile 1.57
- mail/dovecot2-pigeonhole/distinfo 1.43
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 12 15:58:02 UTC 2020
Modified Files:
pkgsrc/mail/dovecot2-pigeonhole: Makefile distinfo
Log Message:
mail/dovecot2-pigeonhole: update to 0.5.11
Update dovecot2-pigeonhole to 0.5.11.
v0.5.11 2020-08-12 Aki Tuomi <aki.tuomi@open-xchange.com>
* managesieve: managesieve_max_line_length setting is now a "size" type
instead of just number of bytes. This allows using e.g. "64k" as the
value.
- lib-sieve: When folding white space is used in the Message-ID header,
it is not stripped away correctly before the message ID value is used,
causing e.g. garbled log lines at delivery.
|
|
mail/dovecot2: security fix
Revisions pulled up:
- mail/dovecot2-sqlite/Makefile 1.23
- mail/dovecot2/Makefile.common 1.41
- mail/dovecot2/PLIST 1.70
- mail/dovecot2/buildlink3.mk 1.34
- mail/dovecot2/distinfo 1.105
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 12 15:54:38 UTC 2020
Modified Files:
pkgsrc/mail/dovecot2: Makefile.common PLIST buildlink3.mk distinfo
pkgsrc/mail/dovecot2-sqlite: Makefile
Log Message:
mail/dovecot2: update to 2.3.11.3
Update dovecot2 and related packages to 2.3.11.3.
v2.3.11.3 2020-07-29 Aki Tuomi <aki.tuomi@open-xchange.com>
- pop3-login: Login didn't handle commands in multiple IP packets properly.
This mainly affected large XCLIENT commands or a large SASL initial
response parameter in the AUTH command.
- pop3: pop3_deleted_flag setting was broken, causing:
Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
assertion failed: (range[count-1].seq2 <= max_seq)
v2.3.11.2 2020-07-13 Aki Tuomi <aki.tuomi@open-xchange.com>
- auth: Lua passdb/userdb leaks stack elements per call, eventually
causing the stack to become too deep and crashing the auth or
auth-worker process.
- lib-mail: v2.3.11 regression: MIME parts not returned correctly by
Dovecot MIME parser.
- pop3-login: Login would fail with "Input buffer full" if the initial
response for SASL was too long.
v2.3.11 2020-06-17 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in
https://doc.dovecot.org.
* imap_command_finished event's cmd_name field now contains "unknown"
for unknown commands. A new "cmd_input_name" field contains the
command name exactly as it was sent.
* lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
Note that these settings are mainly intended for testing and usually
shouldn't be changed.
* events: Renamed "index" event category to "mail-index".
* events: service:<name> category is now using the name from
configuration file.
* dns-client: service dns_client was renamed to dns-client.
* log: Prefixes generally use the service name from configuration file.
For example dict-async service will now use
"dict-async(pid): " log prefix instead of "dict(pid): "
* *-login: Changed logging done by proxying to use a consistent prefix
containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
folder) adds a lot of data to dovecot.index.cache file, commit those
changes periodically to make them visible to other concurrent sessions
as well.
+ stats: Add OpenMetrics exporter for statistics. See
https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+ stats: Support disabling stats-writer socket by setting
stats_writer_socket_path="".
- auth-worker: Process keeps slowly increasing its memory usage and
eventually dies with "out of memory" due to reaching vsz_limit.
- auth: Prevent potential timing attacks in authentication secret
comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
- auth: Several auth-mechanisms allowed input to be truncated by NUL
which can potentially lead to unintentional issues or even successful
logins which should have failed.
- auth: When auth policy returned a delay, auth_request_finished event
had policy_result=ok field instead of policy_result=delayed.
- auth: auth process crash when auth_policy_server_url is set to an
invalid URL.
- dict-ldap: Crash occurs if var_expand template expansion fails.
- dict: If dict client disconnected while iteration was still running,
dict process could have started using 100% CPU, although it was still
handling clients.
- doveadm: Running doveadm commands via proxying may hang, especially
when doveadm is printing a lot of output.
- imap: "MOVE * destfolder" goes to a loop copying the last mail to the
destination until the imap process dies due to running out of memory.
- imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
loop.
- imap: SEARCH doesn't support $.
- lib-compress: Buffer over-read in zlib stream read.
- lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
process.
- lib-index: Fixed several bugs in dovecot.index.cache handling that
could have caused cached data to be lost.
- lib-index: Writing to >=1 GB dovecot.index.cache files may cause
assert-crashes:
Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
assertion failed: (offset < 0x40000000)
- lib-ssl-iostream: Fix buggy OpenSSL error handling without
assert-crashing. If there is no error available, log it as an error
instead of crashing:
Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
assertion failed: (errno != 0)
- lib-ssl-iostream: ssl_key_password setting did not work.
- submission: A segfault crash may occur when the client or server
disconnects while a non-transaction command like NOOP or VRFY is still
being processed.
- virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes:
Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
(copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))
|
|
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube-plugin-password/distinfo 1.21
- mail/roundcube/Makefile.common 1.21
- mail/roundcube/distinfo 1.72
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Aug 10 22:30:41 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile.common distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube: update to 1.4.8
Update roundcube to 1.4.8, security release.
RELEASE 1.4.8
-------------
- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- Fix incorrect rewriting of internal links in HTML content (#7512)
- Fix handling links without defined protocol (#7454)
- Fix paging of search results on IMAP servers with no SORT capability (#7462)
- Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
|
|
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.94
- www/apache24/distinfo 1.44
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 9 15:01:55 UTC 2020
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
www/apache24: update to 2.4.46
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several
security problems:
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overflow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
pkgsrc changes: reduce warnings by SUBST_* processing.
Changes with Apache 2.4.46
*) mod_proxy_fcgi: Fix build warnings for Windows platform
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <https://github.com/icing/mod_h2/issues/200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <https://github.com/icing/mod_h2/issues/201>:
Do not count repeated headers with same name against the field
count limit. They are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes github issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
|
|
lang/php72: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.306
- lang/php72/Makefile 1.28
- lang/php72/distinfo 1.56-1.57
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jul 11 04:06:07 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php72: Makefile distinfo
Log Message:
lang/php72: update to 7.2.
Update php72 to 7.2
09 Jul 2020, PHP 7.2.32
- Core:
. No source changes to this release.
Version number added for reproduction of Windows builds. (cmb)
14 May 2020, PHP 7.2.31
- Core:
. Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
(CVE-2019-11048) (cmb)
. Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
files are not cleaned). (CVE-2019-11048) (cmb)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 13:32:57 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php72: distinfo
Log Message:
lang/php72: update to 7.2.33
Update php72 to 7.2.33 (PHP 7.2.33).
06 Aug 2020, PHP 7.2.33
- Core:
. Fixed bug #79877 (getimagesize function silently truncates after a null
byte) (cmb)
- Phar:
. Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
function). (CVE-2020-7068) (cmb)
|
|
lang/php74: security fix
Revisions pulled up:
- lang/php74/distinfo 1.10-1.11
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jul 11 04:02:14 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo
Log Message:
lang/php74: update to 7.4.8
Update php74 to 7.4.8.
09 Jul 2020, PHP 7.4.8
- Core:
. Fixed bug #79649 (Altering disable_functions from module init corrupts
memory). (Laruence)
. Fixed bug #79595 (zend_init_fpu() alters FPU precision). (cmb, Nikita)
. Fixed bug #79650 (php-win.exe 100% cpu lockup). (cmb)
. Fixed bug #79668 (get_defined_functions(true) may miss functions). (cmb,
Nikita)
. Fixed bug #79657 ("yield from" hangs when invalid value encountered).
(Nikita)
. Fixed bug #79683 (Fake reflection scope affects __toString()). (Nikita)
. Fixed possibly unsupported timercmp() usage. (cmb)
- Exif:
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
(cmb)
- Fileinfo:
. Fixed bug #79681 (mime_content_type/finfo returning incorrect mimetype).
(cmb)
- Filter:
. Fixed bug #73527 (Invalid memory access in php_filter_strip). (cmb)
- GD:
. Fixed bug #79676 (imagescale adds black border with IMG_BICUBIC). (cmb)
- OpenSSL:
. Fixed bug #62890 (default_socket_timeout=-1 causes connection to timeout).
(cmb)
- PDO SQLite:
. Fixed bug #79664 (PDOStatement::getColumnMeta fails on empty result set).
(cmb)
- phpdbg:
. Fixed bug #73926 (phpdbg will not accept input on restart execution). (cmb)
. Fixed bug #73927 (phpdbg fails with windows error prompt at "watch array").
(cmb)
. Fixed several mostly Windows related phpdbg bugs. (cmb)
- SPL:
. Fixed bug #79710 (Reproducible segfault in error_handler during GC
involved an SplFileObject). (Nikita)
- Standard:
. Fixed bug #74267 (segfault with streams and invalid data). (cmb)
. Fixed bug #79579 (ZTS build of PHP 7.3.17 doesn't handle ERANGE for
posix_getgrgid and others). (Böszörményi Zoltán)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 13:31:19 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo
Log Message:
lang/php74: update to 7.4.9
Update php74 to 7.4.9 (PHP 7.4.9).
06 Aug 2020, PHP 7.4.9
- Apache:
. Fixed bug #79030 (Upgrade apache2handler's php_apache_sapi_get_request_time
to return usec). (Herbert256)
- COM:
. Fixed bug #63208 (BSTR to PHP string conversion not binary safe). (cmb)
. Fixed bug #63527 (DCOM does not work with Username, Password parameter).
(cmb)
- Core:
. Fixed bug #79740 (serialize() and unserialize() methods can not be called
statically). (Nikita)
. Fixed bug #79783 (Segfault in php_str_replace_common). (Nikita)
. Fixed bug #79778 (Assertion failure if dumping closure with unresolved
static variable). (Nikita)
. Fixed bug #79779 (Assertion failure when assigning property of string
offset by reference). (Nikita)
. Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
(Nikita)
. Fixed bug #78598 (Changing array during undef index RW error segfaults).
(Nikita)
. Fixed bug #79784 (Use after free if changing array during undef var during
array write fetch). (Nikita)
. Fixed bug #79793 (Use after free if string used in undefined index warning
is changed). (Nikita)
. Fixed bug #79862 (Public non-static property in child should take priority
over private static). (Nikita)
. Fixed bug #79877 (getimagesize function silently truncates after a null
byte) (cmb)
- Fileinfo:
. Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
- FTP:
. Fixed bug #55857 (ftp_size on large files). (cmb)
- Mbstring:
. Fixed bug #79787 (mb_strimwidth does not trim string). (XXiang)
- Phar:
. Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
function). (CVE-2020-7068) (cmb)
- Reflection:
. Fixed bug #79487 (::getStaticProperties() ignores property modifications).
(cmb, Nikita)
. Fixed bug #69804 (::getStaticPropertyValue() throws on protected props).
(cmb, Nikita)
. Fixed bug #79820 (Use after free when type duplicated into
ReflectionProperty gets resolved). (Christopher Broadbent)
- Standard:
. Fixed bug #70362 (Can't copy() large 'data://' with open_basedir). (cmb)
. Fixed bug #78008 (dns_check_record() always return true on Alpine).
(Andy Postnikov)
. Fixed bug #79839 (array_walk() does not respect property types). (Nikita)
|
|
|
|
Upstream NEWS:
3.21: 2020-08-04
Create python programs from .in files to allow macro substitution.
Finally clean .sconsign*.dblite with "scons -c"
Remove revision.h. Move REVISION into gpsd_config.h
Change asciidoc to asciidoctor, and revise documents to match.
library version bumped to 27
Add leap_seconds to gps_data_t
Add/change many rtcm2 structs in gps.h
Add/change many rtcm3 structs in gps.h
Maidenhead now 8 chars.
Add icondir and sharedir install options
Install basic doc in sharedir
Move gps_data_t->status to gps_fix_t.status for better fix merging
The gps python module is now Pure Python + FFI. FFI only for packet.py
User should manually delete any old packet*so.
Add wspeedt, wspeedr, wanglem, wanglet, wangler to gps_fix_t
Add "-p CONFIG", "-p STATUS", "-t" and "-tt" options to ubxtool.
Add python_shebang option to scons config.
gpsrinex has long options and many new options.
Added long options to gpsd.
Remove unused FORCE_GLOBAL_ENABLE
Remove config option reconfigure, replace with -p, --passive runtime option.
Remove config option controlsend (RECONFIGURE_ENABLE)
Add config option rundir=XX. Default set to /run, or /var/run as required.
Fixes for Python 2.6 up to 3.9.
|
|
|
|
lang/php73: security fix
Revisions pulled up:
- lang/php73/distinfo 1.24-1.25
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jul 11 03:59:46 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php73: distinfo
Log Message:
lang/php73: update to 7.3.20
Update php73 to 7.3.20.
09 Jul 2020, PHP 7.3.20
- Core:
. Fixed bug #79650 (php-win.exe 100% cpu lockup). (cmb)
. Fixed bug #79668 (get_defined_functions(true) may miss functions). (cmb,
Nikita)
. Fixed possibly unsupported timercmp() usage. (cmb)
- Exif:
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
(cmb)
- Filter:
. Fixed bug #73527 (Invalid memory access in php_filter_strip). (cmb)
- GD:
. Fixed bug #79676 (imagescale adds black border with IMG_BICUBIC). (cmb)
- OpenSSL:
. Fixed bug #62890 (default_socket_timeout=-1 causes connection to timeout).
(cmb)
- PDO SQLite:
. Fixed bug #79664 (PDOStatement::getColumnMeta fails on empty result set).
(cmb)
- SPL:
. Fixed bug #79710 (Reproducible segfault in error_handler during GC
involved an SplFileObject). (Nikita)
- Standard:
. Fixed bug #74267 (segfault with streams and invalid data). (cmb)
. Fixed bug #79579 (ZTS build of PHP 7.3.17 doesn't handle ERANGE for
posix_getgrgid and others). (Böszörményi Zoltán)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 13:30:07 UTC 2020
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php73: distinfo
Log Message:
lang/php73: update to 7.3.21
Update php73 to 7.3.21 (PHP 7.3.21).
06 Aug 2020, PHP 7.3.21
- Apache:
. Fixed bug #79030 (Upgrade apache2handler's php_apache_sapi_get_request_time
to return usec). (Herbert256)
- Core:
. Fixed bug #79877 (getimagesize function silently truncates after a null
byte) (cmb)
. Fixed bug #79778 (Assertion failure if dumping closure with unresolved
static variable). (Nikita)
. Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
(Nikita)
- COM:
. Fixed bug #63208 (BSTR to PHP string conversion not binary safe). (cmb)
. Fixed bug #63527 (DCOM does not work with Username, Password parameter).
(cmb)
- Curl:
. Fixed bug #79741 (curl_setopt CURLOPT_POSTFIELDS asserts on object with
declared properties). (Nikita)
- Fileinfo:
. Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
- FTP:
. Fixed bug #55857 (ftp_size on large files). (cmb)
- Mbstring:
. Fixed bug #79787 (mb_strimwidth does not trim string). (XXiang)
- Phar:
. Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
function). (CVE-2020-7068) (cmb)
- Standard:
. Fixed bug #70362 (Can't copy() large 'data://' with open_basedir). (cmb)
. Fixed bug #79817 (str_replace() does not handle INDIRECT elements).
(Nikita)
. Fixed bug #78008 (dns_check_record() always return true on Alpine).
(Andy Postnikov)
|
|
security/clamav: security fix
Revisions pulled up:
- security/clamav/Makefile 1.69
- security/clamav/Makefile.common 1.17
- security/clamav/distinfo 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 17 04:48:32 UTC 2020
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common distinfo
Log Message:
security/clamav: update to 0.102.4
Update clamav to 0.102.4.
## 0.102.4
ClamAV 0.102.4 is a bug patch release to address the following issues.
- [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
Fix a vulnerability wherein a malicious user could replace a scan target's
directory with a symlink to another path to trick clamscan, clamdscan, or
clamonacc into removing or moving a different file (eg. a critical system
file). The issue would affect users that use the --move or --remove options
for clamscan, clamdscan, and clamonacc.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).
- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
could cause a Denial-of-Service (DoS) condition. Improper bounds checking
results in an out-of-bounds read which could cause a crash.
The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
resolves the issue.
- [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
that could cause a Denial-of-Service (DoS) condition. Improper error handling
may result in a crash due to a NULL pointer dereference.
This vulnerability is mitigated for those using the official ClamAV
signature databases because the file type signatures in daily.cvd
will not enable the EGG archive parser in versions affected by the
vulnerability.
|
|
lang/nodejs: aarch64 bugfix, PR port-arm/55533
(via patch)
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Aug 5 21:49:18 UTC 2020
Modified Files:
pkgsrc/lang/nodejs: Makefile distinfo
pkgsrc/lang/nodejs/patches:
patch-deps_v8_src_base_platform_platform-posix.cc
Log Message:
nodejs: workaround issue for netbsd/aarch64 in PR port-arm/55533
NetBSD mmap might fail depending on the choice of hint addr given, so don't
give a hint at all.
bump PKGREVISION.
|
|
x11/libX11: bugfix
Revisions pulled up:
- x11/libX11/Makefile 1.53
- x11/libX11/distinfo 1.32
- x11/libX11/patches/patch-regression 1.1
---
Module Name: pkgsrc
Committed By: maya
Date: Tue Aug 4 15:50:19 UTC 2020
Modified Files:
pkgsrc/x11/libX11: Makefile distinfo
Added Files:
pkgsrc/x11/libX11/patches: patch-regression
Log Message:
libX11: backport patch fixing regression from upstream. bump PKGREVISION
|
|
textproc/hunspell: security fix
Revisions pulled up:
- textproc/hunspell/Makefile 1.32
- textproc/hunspell/distinfo 1.13
- textproc/hunspell/patches/patch-src_hunspell_suggestmgr.cxx 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Aug 3 11:19:28 UTC 2020
Modified Files:
pkgsrc/textproc/hunspell: Makefile distinfo
Added Files:
pkgsrc/textproc/hunspell/patches: patch-src_hunspell_suggestmgr.cxx
Log Message:
hunspell: fix CVE-2019-16707 using upstream patch
Bump PKGREVISION.
|
|
databases/redis: security fix
Revisions pulled up:
- databases/redis/Makefile 1.56
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Aug 3 10:38:45 UTC 2020
Modified Files:
pkgsrc/databases/redis: Makefile
Log Message:
redis: fix CVE-2016-2121
The configuration file was installed mode 644, but could contain passwords.
Bump PKGREVISION.
|
|
multimedia/mediainfo: security fix
Revisions pulled up:
- multimedia/mediainfo/Makefile.common 1.9
- multimedia/mediainfo/distinfo 1.15
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Aug 3 09:51:28 UTC 2020
Modified Files:
pkgsrc/multimedia/mediainfo: Makefile.common distinfo
Log Message:
{lib,}mediainfo: update to 20.03
Version 20.03, 2020-04-03
-------------
+ AC-4 full featured support (presentations, groups, substreams)
+ MPEG-H 3D Audio basic support
+ MPEG-TS: audio preselection descriptor support
+ Dolby Vision v2 detection
+ MPEG-4: support of colr/nclx (color information) box
x URL encoding option fixes, permitting to use URL encoded or non URL encoded links
x AAC: fix SBR frequency when in ADIF
x DPX: ColorimetricSpecification and TransferCharacteristic were inverted
x Several crash and memory leaks fixes
|
|
|
|
net/transmission-gtk: security update
net/transmission-qt: security update
net/transmission: security update
Revisions pulled up:
- net/transmission-gtk/Makefile 1.46
- net/transmission-gtk/PLIST 1.2
- net/transmission-qt/Makefile 1.54
- net/transmission/Makefile 1.27
- net/transmission/Makefile.common 1.10
- net/transmission/PLIST 1.4
- net/transmission/distinfo 1.16
- net/transmission/patches/patch-qt_qtr.pro 1.7
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jul 13 13:01:02 UTC 2020
Modified Files:
pkgsrc/net/transmission: Makefile Makefile.common PLIST distinfo
pkgsrc/net/transmission-gtk: Makefile PLIST
pkgsrc/net/transmission-qt: Makefile
pkgsrc/net/transmission/patches: patch-qt_qtr.pro
Log Message:
transmission*: update to 3.00
### All Platforms
- Allow the RPC server to listen on an IPv6 address ([#161](https://github.com/transmission/transmission/pull/161))
- Change `TR_CURL_SSL_VERIFY` to `TR_CURL_SSL_NO_VERIFY` and enable verification by default ([#334](https://github.com/transmission/transmission/pull/334))
- Go back to using hash as base name for resume and torrent files (those stored in configuration directory) ([#122](https://github.com/transmission/transmission/pull/122))
- Handle "fields" argument in "session-get" RPC request; if "fields" array is present in arguments, only return session fields specified; otherwise return all the fields as before
- Limit the number of incorrect authentication attempts in embedded web server to 100 to prevent brute-force attacks ([#371](https://github.com/transmission/transmission/pull/371))
- Set idle seed limit range to 1..40320 (4 weeks tops) in all clients ([#212](https://github.com/transmission/transmission/pull/212))
- Add Peer ID for Xfplay, PicoTorrent, Free Download Manager, Folx, Baidu Netdisk torrent clients ([#256](https://github.com/transmission/transmission/pull/256), [#285](https://github.com/transmission/transmission/pull/285), [#355](https://github.com/transmission/transmission/pull/355), [#363](https://github.com/transmission/transmission/pull/363), [#386](https://github.com/transmission/transmission/pull/386))
- Announce `INT64_MAX` as size left if the value is unknown (helps with e.g. Amazon S3 trackers) ([#250](https://github.com/transmission/transmission/pull/250))
- Add `TCP_FASTOPEN` support (should result in slight speedup) ([#184](https://github.com/transmission/transmission/pull/184))
- Improve ToS handling on IPv6 connections ([#128](https://github.com/transmission/transmission/pull/128), [#341](https://github.com/transmission/transmission/pull/341), [#360](https://github.com/transmission/transmission/pull/360), [#692](https://github.com/transmission/transmission/pull/692), [#737](https://github.com/transmission/transmission/pull/737))
- Abort handshake if establishing DH shared secret fails (leads to crash) ([#27](https://github.com/transmission/transmission/pull/27))
- Don't switch trackers while announcing (leads to crash) ([#297](https://github.com/transmission/transmission/pull/297))
- Improve completion scripts execution and error handling; add support for .cmd and .bat files on Windows ([#405](https://github.com/transmission/transmission/pull/405))
- Maintain a "session ID" file (in temporary directory) to better detect whether session is local or remote; return the ID as part of "session-get" response (TRAC-5348, [#861](https://github.com/transmission/transmission/pull/861))
- Change torrent location even if no data move is needed ([#35](https://github.com/transmission/transmission/pull/35))
- Support CIDR-notated blocklists ([#230](https://github.com/transmission/transmission/pull/230), [#741](https://github.com/transmission/transmission/pull/741))
- Update the resume file before running scripts ([#825](https://github.com/transmission/transmission/pull/825))
- Make multiscrape limits adaptive ([#837](https://github.com/transmission/transmission/pull/837))
- Add labels support to libtransmission and transmission-remote ([#822](https://github.com/transmission/transmission/pull/822))
- Parse `session-id` header case-insensitively ([#765](https://github.com/transmission/transmission/pull/765))
- Sanitize suspicious path components instead of rejecting them ([#62](https://github.com/transmission/transmission/pull/62), [#294](https://github.com/transmission/transmission/pull/294))
- Load CA certs from system store on Windows / OpenSSL ([#446](https://github.com/transmission/transmission/pull/446))
- Add support for mbedtls (formerly polarssl) and wolfssl (formerly cyassl), LibreSSL ([#115](https://github.com/transmission/transmission/pull/115), [#116](https://github.com/transmission/transmission/pull/116), [#284](https://github.com/transmission/transmission/pull/284), [#486](https://github.com/transmission/transmission/pull/486), [#524](https://github.com/transmission/transmission/pull/524), [#570](https://github.com/transmission/transmission/pull/570))
- Fix building against OpenSSL 1.1.0+ ([#24](https://github.com/transmission/transmission/pull/24))
- Fix quota support for uClibc-ng 1.0.18+ and DragonFly BSD ([#42](https://github.com/transmission/transmission/pull/42), [#58](https://github.com/transmission/transmission/pull/58), [#312](https://github.com/transmission/transmission/pull/312))
- Fix a number of memory leaks (magnet loading, session shutdown, bencoded data parsing) ([#56](https://github.com/transmission/transmission/pull/56))
- Bump miniupnpc version to 2.0.20170509 ([#347](https://github.com/transmission/transmission/pull/347))
- CMake-related improvements (Ninja generator, libappindicator, systemd, Solaris and macOS) ([#72](https://github.com/transmission/transmission/pull/72), [#96](https://github.com/transmission/transmission/pull/96), [#117](https://github.com/transmission/transmission/pull/117), [#118](https://github.com/transmission/transmission/pull/118), [#133](https://github.com/transmission/transmission/pull/133), [#191](https://github.com/transmission/transmission/pull/191))
- Switch to submodules to manage (most of) third-party dependencies
- Fail installation on Windows if UCRT is not installed
### Mac Client
- Bump minimum macOS version to 10.10
- Dark Mode support ([#644](https://github.com/transmission/transmission/pull/644), [#722](https://github.com/transmission/transmission/pull/722), [#757](https://github.com/transmission/transmission/pull/757), [#779](https://github.com/transmission/transmission/pull/779), [#788](https://github.com/transmission/transmission/pull/788))
- Remove Growl support, notification center is always used ([#387](https://github.com/transmission/transmission/pull/387))
- Fix autoupdate on High Sierra and up by bumping the Sparkle version ([#121](https://github.com/transmission/transmission/pull/121), [#600](https://github.com/transmission/transmission/pull/600))
- Transition to ARC ([#336](https://github.com/transmission/transmission/pull/336))
- Use proper UTF-8 encoding (with macOS-specific normalization) when setting download/incomplete directory and completion script paths ([#11](https://github.com/transmission/transmission/pull/11))
- Fix uncaught exception when dragging multiple items between groups ([#51](https://github.com/transmission/transmission/pull/51))
- Add flat variants of status icons for message log ([#134](https://github.com/transmission/transmission/pull/134))
- Optimize image resources size ([#304](https://github.com/transmission/transmission/pull/304), [#429](https://github.com/transmission/transmission/pull/429))
- Update file icon when file name changes ([#37](https://github.com/transmission/transmission/pull/37))
- Update translations
### GTK+ Client
- Add queue up/down hotkeys ([#158](https://github.com/transmission/transmission/pull/158))
- Modernize the .desktop file ([#162](https://github.com/transmission/transmission/pull/162))
- Add AppData file ([#224](https://github.com/transmission/transmission/pull/224))
- Add symbolic icon variant for the Gnome top bar and when the high contrast theme is in use ([#414](https://github.com/transmission/transmission/pull/414), [#449](https://github.com/transmission/transmission/pull/449))
- Update file icon when its name changes ([#37](https://github.com/transmission/transmission/pull/37))
- Switch from intltool to gettext for translations ([#584](https://github.com/transmission/transmission/pull/584), [#647](https://github.com/transmission/transmission/pull/647))
- Update translations, add new translations for Portuguese (Portugal)
### Qt Client
- Bump minimum Qt version to 5.2
- Fix dropping .torrent files into main window on Windows ([#269](https://github.com/transmission/transmission/pull/269))
- Fix prepending of drive letter to various user-selected paths on Windows ([#236](https://github.com/transmission/transmission/pull/236), [#307](https://github.com/transmission/transmission/pull/307), [#404](https://github.com/transmission/transmission/pull/404), [#437](https://github.com/transmission/transmission/pull/437), [#699](https://github.com/transmission/transmission/pull/699), [#723](https://github.com/transmission/transmission/pull/723), [#877](https://github.com/transmission/transmission/pull/877))
- Fix sorting by progress in presence of magnet transfers ([#234](https://github.com/transmission/transmission/pull/234))
- Fix .torrent file trashing upon addition ([#262](https://github.com/transmission/transmission/pull/262))
- Add queue up/down hotkeys ([#158](https://github.com/transmission/transmission/pull/158))
- Reduce torrent properties (file tree) memory usage
- Display tooltips in torrent properties (file tree) in case the names don't fit ([#411](https://github.com/transmission/transmission/pull/411))
- Improve UI look on hi-dpi displays (YMMV)
- Use session ID (if available) to check if session is local or not ([#861](https://github.com/transmission/transmission/pull/861))
- Use default (instead of system) locale to be more flexible ([#130](https://github.com/transmission/transmission/pull/130))
- Modernize the .desktop file ([#162](https://github.com/transmission/transmission/pull/162))
- Update translations, add new translations for Afrikaans, Catalan, Danish, Greek, Norwegian Bokmål, Slovenian
### Daemon
- Use libsystemd instead of libsystemd-daemon (TRAC-5921)
- Harden transmission-daemon.service by disallowing privileges elevation ([#795](https://github.com/transmission/transmission/pull/795))
- Fix exit code to be zero when dumping settings ([#487](https://github.com/transmission/transmission/pull/487))
### Web Client
- Fix tracker error XSS in inspector (CVE-?)
- Fix performance issues due to improper use of `setInterval()` for UI refresh (TRAC-6031)
- Fix recognition of `https://` links in comments field ([#41](https://github.com/transmission/transmission/pull/41), [#180](https://github.com/transmission/transmission/pull/180))
- Fix torrent list style in Google Chrome 59+ ([#384](https://github.com/transmission/transmission/pull/384))
- Show ETA in compact view on non-mobile devices ([#146](https://github.com/transmission/transmission/pull/146))
- Show upload file button on mobile devices ([#320](https://github.com/transmission/transmission/pull/320), [#431](https://github.com/transmission/transmission/pull/431), [#956](https://github.com/transmission/transmission/pull/956))
- Add keyboard hotkeys for web interface ([#351](https://github.com/transmission/transmission/pull/351))
- Disable autocompletion in torrent URL field ([#367](https://github.com/transmission/transmission/pull/367))
### Utils
- Prevent crash in transmission-show displaying torrents with invalid creation date ([#609](https://github.com/transmission/transmission/pull/609))
- Handle IPv6 RPC addresses in transmission-remote ([#247](https://github.com/transmission/transmission/pull/247))
- Add `--unsorted` option to transmission-show ([#767](https://github.com/transmission/transmission/pull/767))
- Widen the torrent-id column in transmission-remote for cleaner formatting ([#840](https://github.com/transmission/transmission/pull/840))
To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/transmission/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/transmission/Makefile.common
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/transmission/PLIST
cvs rdiff -u -r1.15 -r1.16 pkgsrc/net/transmission/distinfo
cvs rdiff -u -r1.45 -r1.46 pkgsrc/net/transmission-gtk/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/transmission-gtk/PLIST
cvs rdiff -u -r1.52 -r1.53 pkgsrc/net/transmission-qt/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/transmission/patches/patch-qt_qtr.pro
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Sat Jul 25 20:20:05 UTC 2020
Modified Files:
pkgsrc/net/transmission-qt: Makefile
Log Message:
transmission-qt: needs gcc 7.x (for <optional>)
Reported and tested by spz.
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/net/transmission-qt/Makefile
|
|
|
|
x11/modular-xorg-server: security fix
Revisions pulled up:
- x11/modular-xorg-server/Makefile 1.128
- x11/modular-xorg-server/distinfo 1.102
- x11/modular-xorg-server/patches/patch-dix_pixmap.c 1.1
- x11/modular-xorg-xephyr/Makefile 1.20
- x11/modular-xorg-xwayland/Makefile 1.8
---
Module Name: pkgsrc
Committed By: maya
Date: Fri Jul 31 16:50:57 UTC 2020
Modified Files:
pkgsrc/x11/modular-xorg-server: Makefile distinfo
pkgsrc/x11/modular-xorg-xephyr: Makefile
pkgsrc/x11/modular-xorg-xwayland: Makefile
Added Files:
pkgsrc/x11/modular-xorg-server/patches: patch-dix_pixmap.c
Log Message:
modular-xorg-*: provide patch (making this package equivalent to
xorg-server 1.20.9, couldn't find a tarball).
X.Org security advisory: July 31, 2020
X Server Pixel Data Uninitialized Memory Information Disclosure
===============================================================
CVE-2020-14347
Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leak uninitialized heap memory to
clients. When the X server runs with elevated privileges.
This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to privilege elevation in the
client.
Patch
=====
A patch for this issue has been committed to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include this patch.
https://gitlab.freedesktop.org/xorg/xserver.git
diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
return NullPixmap;
- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
if (!pPixmap)
return NullPixmap;
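Review bot: the replaced allocation line gives no hint of why the buffer must be zeroed, so a later cleanup could turn `calloc(1, ...)` back into `malloc(...)` for speed and reintroduce the disclosure. A one-line comment above the call, saying that the pixel data is readable by clients and must not carry stale heap contents, would guard against that. Separately, the size passed to calloc() is still the sum computed by the caller, so its safety rests on the guard two lines up; since `pixDataSize` is a signed `int` subtracted from a `size_t` expression there, it would be worth stating (or asserting) that callers never pass a negative value.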
Thanks
======
This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
|
|
x11/libX11: security fix
Revisions pulled up:
- x11/libX11/Makefile 1.52
- x11/libX11/distinfo 1.31
---
Module Name: pkgsrc
Committed By: maya
Date: Fri Jul 31 16:36:55 UTC 2020
Modified Files:
pkgsrc/x11/libX11: Makefile distinfo
Log Message:
libX11: update to 1.6.10
Heap corruption in the X input method client in libX11
======================================================
CVE-2020-14344
The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
method.
Patches
=======
Patches for these issues have been committed to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.
https://gitlab.freedesktop.org/xorg/lib/libx11
commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)
Change the data_len parameter of _XimAttributeToValue() to CARD16
It's coming from a length in the protocol (unsigned) and passed
to functions that expect unsigned int parameters (_XCopyToArg()
and memcpy()).
commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
Zero out buffers in functions
It looks like uninitialized stack or heap memory can leak
out via padding bytes.
commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60
Fix more unchecked lengths
commit 388b303c62aa35a245f1704211a023440ad2c488
fix integer overflows in _XimAttributeToValue()
commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e
Fix signed length values in _XimGetAttributeID()
The lengths are unsigned according to the specification. Passing
negative values can lead to data corruption.
Thanks
======
X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.
|
|
net/youtube-dl: update
Revisions pulled up:
- net/youtube-dl/Makefile 1.211
- net/youtube-dl/distinfo 1.193
---
Module Name: pkgsrc
Committed By: leot
Date: Mon Jul 27 22:21:45 UTC 2020
Modified Files:
pkgsrc/net/youtube-dl: Makefile distinfo
Log Message:
youtube-dl: Update to 20200728
Changes:
20200728
--------
Extractors
* [youtube] Fix sigfunc name extraction (#26134, #26135, #26136, #26137)
* [youtube] Improve description extraction (#25937, #25980)
* [wistia] Restrict embed regular expression (#25969)
* [youtube] Prevent excess HTTP 301 (#25786)
+ [youtube:playlists] Extend URL regular expression (#25810)
+ [bellmedia] Add support for cp24.com clip URLs (#25764)
* [brightcove] Improve embed detection (#25674)
|
|
mail/opendmarc: bugfix
Revisions pulled up:
- mail/opendmarc/Makefile 1.19
- mail/opendmarc/distinfo 1.7
- mail/opendmarc/patches/patch-build-config.h.in 1.1
- mail/opendmarc/patches/patch-configure 1.2
- mail/opendmarc/patches/patch-configure.ac 1.2
- mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c 1.1
- mail/opendmarc/patches/patch-libopendmarc_opendmarc__spf__dns.c 1.1
---
Module Name: pkgsrc
Committed By: oster
Date: Mon Jul 27 20:41:10 UTC 2020
Modified Files:
pkgsrc/mail/opendmarc: distinfo
pkgsrc/mail/opendmarc/patches: patch-configure patch-configure.ac
Added Files:
pkgsrc/mail/opendmarc/patches: patch-build-config.h.in
patch-libopendmarc_opendmarc__dns.c
patch-libopendmarc_opendmarc__spf__dns.c
Log Message:
Fix resource leakage observed when using opendmarc on NetBSD.
Use res_ndestroy() instead of res_nclose() to properly cleanup resources
on NetBSD (and others that use __res_ndestroy() or res_ndestroy() instead
of res_nclose()). Original patch by Roy Marples.
---
Module Name: pkgsrc
Committed By: oster
Date: Mon Jul 27 22:28:47 UTC 2020
Modified Files:
pkgsrc/mail/opendmarc: Makefile
Log Message:
Bump pkgrevision. Thanks, Joerg.
|
|
www/firefox68-l10n: dependent update
Revisions pulled up:
- www/firefox68-l10n/Makefile 1.17
- www/firefox68-l10n/distinfo 1.13
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jul 29 14:21:29 UTC 2020
Modified Files:
pkgsrc/www/firefox68-l10n: Makefile distinfo
Log Message:
firefox68-l10n: Sync with firefox68
|
|
www/firefox68: security fix
Revisions pulled up:
- www/firefox68/Makefile 1.31
- www/firefox68/distinfo 1.21
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jul 29 14:20:30 UTC 2020
Modified Files:
pkgsrc/www/firefox68: Makefile distinfo
Log Message:
firefox68: Update to 68.11.0
Security Vulnerabilities fixed in Firefox ESR 68.11
#CVE-2020-15652: Potential leak of redirect targets when loading scripts in
a worker
#CVE-2020-6514: WebRTC data channel leaks internal address to peer
#CVE-2020-6463: Use-after-free in ANGLE
gl::Texture::onUnbindAsSamplerTexture
#CVE-2020-15650: Overwriting local files through malicious file picker
application
#CVE-2020-15649: Exfiltrating local files through malicious file picker
application
#CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR
68.11
|
|
www/webkit-gtk: security fix (WSA-2020-0007)
Revisions pulled up:
- www/webkit-gtk/Makefile 1.190
- www/webkit-gtk/PLIST 1.62
- www/webkit-gtk/distinfo 1.137
- www/webkit-gtk/patches/patch-Source_WebCore_crypto_algorithms_CryptoAlgorithmAES__GCM.cpp 1.1
- www/webkit-gtk/patches/patch-Source_WebCore_rendering_RenderLayerBacking.h 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Tue Jul 28 14:24:03 UTC 2020
Modified Files:
pkgsrc/www/webkit-gtk: Makefile PLIST distinfo
Added Files:
pkgsrc/www/webkit-gtk/patches:
patch-Source_WebCore_crypto_algorithms_CryptoAlgorithmAES__GCM.cpp
patch-Source_WebCore_rendering_RenderLayerBacking.h
Log Message:
webkit-gtk: Update to 2.28.4
pkgsrc changes:
- Define non-standard __WORDSIZE if not already defined (at the moment the
patches directly patch problematic files where __WORDSIZE is used, it would
be probably nicer to find a common place to define it).
Changes:
2.28.4
------
- Fix several crashes and rendering issues.
|
|
security/tor-browser: security fix
Revisions pulled up:
- security/tor-browser/Makefile 1.70
- security/tor-browser/distinfo 1.25
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jul 29 07:46:37 UTC 2020
Modified Files:
pkgsrc/security/tor-browser: Makefile distinfo
Log Message:
tor-browser: update to 9.5.3.
Tor Browser 9.5.3 -- July 28 2020
* All Platforms
* Update Firefox to 68.11.0esr
* Update NoScript to 11.0.34
* Update Tor to 0.4.3.6
Tor Browser 9.5.2 -- July 7 2020
* Android
* Update Firefox to 68.10.1esr
|