Age | Commit message | Author | Files | Lines
2021-01-10 | Pullup ticket #6393 - requested by prlw1 | bsiegert | 1 | -3/+3
multimedia/gstreamer1: build fix

Revisions pulled up:
- multimedia/gstreamer1/PLIST 1.17

---
Module Name: pkgsrc
Committed By: prlw1
Date: Thu Jan 7 10:09:06 UTC 2021

Modified Files:
pkgsrc/multimedia/gstreamer1: PLIST

Log Message:
gstreamer1: GstCheck-1.0.* depend on both the gstcheck and introspection options

Fixes PR pkg/55912
2021-01-04 | Pullup tickets up to #6392 | bsiegert | 1 | -1/+17
2021-01-04 | Pullup ticket #6392 - requested by taca | bsiegert | 2 | -8/+7
mail/dovecot2-pigeonhole: dependent update

Revisions pulled up:
- mail/dovecot2-pigeonhole/Makefile 1.60
- mail/dovecot2-pigeonhole/distinfo 1.45

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 4 14:58:26 UTC 2021

Modified Files:
pkgsrc/mail/dovecot2-pigeonhole: Makefile distinfo

Log Message:
mail/dovecot2-pigeonhole: update to 0.5.13

Update dovecot2-pigeonhole package to 0.5.13.

v0.5.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>

- duplicate: The test was handled badly in a multiscript (sieve_before, sieve_after) scenario in which an earlier script in the sequence with a duplicate test succeeded, while a later script caused a runtime failure. In that case, the message is recorded for duplicate tracking, while the message may not actually have been delivered in the end.
- editheader: Sieve interpreter entered infinite loop at startup when the "editheader" configuration listed an invalid header name. This problem can only be triggered by the administrator.
- relational: The Sieve relational extension can cause a segfault at compile time. This is triggered by invalid script syntax. The segfault happens when this match type is the last argument of the test command. This situation is not possible in a valid script; positional arguments are normally present after that, which would prevent the segfault.
- sieve: For some Sieve commands the provided mailbox name is not properly checked for UTF-8 validity, which can cause assert crashes at runtime when an invalid mailbox name is encountered. This can be caused by the user by writing a bad Sieve script involving the affected commands ("mailboxexists", "specialuse_exists"). This can be triggered by the remote sender only when the user has written a Sieve script that passes message content to one of the affected commands.
- sieve: Large sequences of 8-bit octets passed to certain Sieve commands that create or modify message headers that allow UTF-8 text (vacation, notify and addheader) can cause the delivery or IMAP process (when IMAPSieve is used) to enter a memory-consuming semi-infinite loop that ends when the process exceeds its memory limits. Logged in users can cause these hangs only for their own processes.
2021-01-04 | Pullup ticket #6391 - requested by taca | bsiegert | 8 | -37/+19
mail/dovecot2: security fix

Revisions pulled up:
- mail/dovecot2-gssapi/Makefile 1.7
- mail/dovecot2-sqlite/Makefile 1.25
- mail/dovecot2/Makefile 1.106
- mail/dovecot2/Makefile.common 1.42
- mail/dovecot2/PLIST 1.71
- mail/dovecot2/buildlink3.mk 1.36
- mail/dovecot2/distinfo 1.107
- mail/dovecot2/patches/patch-src_auth_mech-gssapi.c deleted

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 4 14:57:19 UTC 2021

Modified Files:
pkgsrc/mail/dovecot2: Makefile Makefile.common PLIST buildlink3.mk distinfo
pkgsrc/mail/dovecot2-gssapi: Makefile
pkgsrc/mail/dovecot2-sqlite: Makefile

Removed Files:
pkgsrc/mail/dovecot2/patches: patch-src_auth_mech-gssapi.c

Log Message:
mail/dovecot2: update to 2.3.13

Update mail/dovecot2 package to 2.3.13, including security fixes.

v2.3.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>

* CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information.
* Metric filter and global event filter variable syntax changed to a SQL-like format. See https://doc.dovecot.org/configuration_manual/event_filter/
* auth: Added new aliases for %{variables}. Usage of the old ones is possible, but discouraged.
* auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes.
* auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
* auth: Removed postfix postmap socket
+ auth: Added new fields for auth server events. These fields are now also available for all auth events. See https://doc.dovecot.org/admin_manual/list_of_events/#authentication-server for details.
+ imap-hibernate: Added imap_client_hibernated, imap_client_unhibernated and imap_client_unhibernate_retried events. See https://doc.dovecot.org/admin_manual/list_of_events/ for details.
+ lib-index: Added new mail_index_recreated event. See https://doc.dovecot.org/admin_manual/list_of_events/#mail-index-recreated
+ lib-sql: Support TLS options for cassandra driver. This requires cpp-driver v2.15 (or later) to work reliably.
+ lib-storage: Missing $HasAttachment / $HasNoAttachment flags are now added to existing mails if mail_attachment_detection_option=add-flags and it can be done inexpensively.
+ login proxy: Added login_proxy_max_reconnects setting (default 3) to control how many reconnections are attempted.
+ login proxy: imap/pop3/submission/managesieve proxying now supports reconnection retrying on more than just connect() failure. Any error except a non-temporary authentication failure will result in reconnect attempts.
- auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process.
- auth: SASL authentication PLAIN mechanism could be used to trigger read buffer overflow. However, this doesn't seem to be exploitable in any way.
- auth: v2.3.11 regression: GSSAPI authentication fails because dovecot disallows NUL bytes for it.
- dict: Process used too much CPU when iterating keys, because each key used a separate write() syscall.
- doveadm-server: Crash could occur if logging was done outside command handling. For example http-client could have done debug logging afterwards, resulting in either segfault or Panic: file http-client.c: line 642 (http_client_context_close): assertion failed: (cctx->clients_list == NULL).
- doveadm-server: v2.3.11 regression: Trying to connect to doveadm server process via starttls assert-crashed if there were no ssl=yes listeners: Panic: file master-service-ssl.c: line 22 (master_service_ssl_init): assertion failed: (service->ssl_ctx_initialized).
- fts-solr: HTTP requests may have assert-crashed: Panic: file http-client-request.c: line 1232 (http_client_request_send_more): assertion failed: (req->payload_input != NULL)
- imap: IMAP NOTIFY could crash with a segmentation fault due to a bad configuration that causes errors. Sending the error responses to the client can cause the segmentation fault. This can for example happen when several namespaces use the same mail storage location.
- imap: IMAP NOTIFY used on a shared namespace that doesn't actually exist (e.g. public namespace for a nonexistent user) can crash with a panic: Panic: Leaked view for index /tmp/home/asdf/mdbox/dovecot.list.index: Opened in (null):0
- imap: IMAP session can crash with QRESYNC extension if many changes are done before asking for expunged mails since last sync.
- imap: Process might hang indefinitely if client disconnects after sending some long-running commands pipelined, for example FETCH+LOGOUT.
- lib-compress: Mitigate crashes when configuring a not compiled in compression. Errors with compression configuration now distinguish between not supported and unknown.
- lib-compression: Using xz/lzma compression in v2.3.11 could have written truncated output in some situations. This would result in "Broken pipe" read errors when trying to read it back.
- lib-compression: zstd compression could have crashed in some situations: Panic: file ostream.c: line 287 (o_stream_sendv_int): assertion failed: (!stream->blocking)
- lib-dict: dict client could have crashed in some rare situations when iterating keys.
- lib-http: Fix several assert-crashes in HTTP client.
- lib-index: v2.3.11 regression: When mails were expunged at the same time as lots of new content was being saved to the cache (e.g. cache file was lost and is being re-filled) a deadlock could occur with dovecot.index.cache / dovecot.index.log.
- lib-index: v2.3.11 regression: dovecot.index.cache file was being purged (rewritten) too often when it had a field that hadn't been accessed for over 1 month, but less than 2 months. Every cache file change caused a purging in this situation.
- lib-mail: MIME parts were not returned correctly by Dovecot MIME parser. Regression caused by fixing CVE-2020-12100.
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE was written in a way that may have caused confusion for both IMAP clients and Dovecot itself when parsing it. The truncated part is now written out using application/octet-stream MIME type.
- lib-mail: v2.3.11 regression: Mail delivery / parsing crashed when the 10000th MIME part was message/rfc822 (or if parent was multipart/digest): Panic: file message-parser.c: line 167 (message_part_append): assertion failed: (ctx->total_parts_count <= ctx->max_total_mime_parts).
- lib-oauth2: Dovecot incorrectly required oauth2 server introspection reply to contain username with invalid token.
- lib-ssl-iostream, lib-dcrypt: Fix building with OpenSSL that has deprecated APIs disabled.
- lib-storage: When mail's size is different from the cached one (in dovecot.index.cache or Maildir S=size in the filename), this is handled by logging "Cached message size smaller/larger than expected" error. However, in some situations this also ended up crashing with: Panic: file istream.c: line 315 (i_stream_read_memarea): assertion failed: (old_size <= _stream->pos - _stream->skip).
- lib-storage: v2.3 regression: Copying/moving mails was taking much more memory than before. This was mainly visible when copying/moving thousands of mails in a single transaction.
- lib-storage: v2.3.11 regression: Searching messages assert-crashed (without FTS): Panic: file message-parser.c: line 174 (message_part_finish): assertion failed: (ctx->nested_parts_count > 0).
- lib: Dovecot v2.3 moved signal handlers around in ioloops, causing more CPU usage than in v2.2.
- lib: Fixed JSON parsing: '\' escape sequence may have wrongly resulted in error if it happened to be at read boundary. Any NUL characters and '\u0000' will now result in parsing error instead of silently truncating the data.
- lmtp, submission: Server may hang if SSL client connection disconnects during the delivery. If this happened repeatedly, it could have ended up reaching process_limit and preventing any further lmtp/submission deliveries.
- lmtp: Proxy does not always properly log TLS connection problems as errors; in some cases, only a debug message is logged if enabled.
- lmtp: The LMTP service can hang when commands are pipelined. This can particularly occur when one command in the middle of the pipeline fails. One example of this occurs for proxied LMTP transactions in which the final DATA or BDAT command is pipelined after a failing RCPT command.
- login-proxy: The login_source_ips setting has no effect, and therefore the proxy source IPs are not cycled through as they should be.
- master: Process was using 100% CPU in some situations when a broken service was being throttled.
- pop3-login: POP3 login would fail with "Input buffer full" if the initial response for SASL was too long.
- stats: Crash would occur when generating openmetrics data for metrics using aggregating functions.
2021-01-04 | Pullup ticket #6390 - requested by wiz | bsiegert | 2 | -7/+7
security/p11-kit: security fix

Revisions pulled up:
- security/p11-kit/Makefile 1.18
- security/p11-kit/distinfo 1.13

---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 4 11:43:48 UTC 2021

Modified Files:
pkgsrc/security/p11-kit: Makefile distinfo

Log Message:
p11-kit: update to 0.23.22.

0.23.22 (stable)
* Fix memory-safety issues that affect the RPC protocol (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* Build and test fixes [PR#313, PR#315, PR#317, PR#318, PR#319, PR#323, PR#330, PR#333, PR#334, PR#335, PR#338, PR#339]
2021-01-04 | Pullup ticket #6389 - requested by wiz | bsiegert | 2 | -7/+7
security/tor-browser-noscript: dependent update

Revisions pulled up:
- security/tor-browser-noscript/Makefile 1.9
- security/tor-browser-noscript/distinfo 1.9

---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 3 19:02:52 UTC 2021

Modified Files:
pkgsrc/security/tor-browser-noscript: Makefile distinfo

Log Message:
tor-browser-noscript: update to 11.1.7.

v 11.1.7
============================================================
x Optimize serviceWorker tracking for heavy tabs usage (thanks vadimm and barbaz for investigation)
x Force placeholder visibility on Youtube embeddings
x Fixed popup opening being slowed down if options UI is opened (thanks Sirus for report)
x Explicit failure for wrong settings importation formats
x Updated TLDs

v 11.1.7rc3
============================================================
x Updated TLDs
x Optimize serviceWorker tracking for heavy tabs usage (thanks vadimm and barbaz for investigation)
x Force placeholder visibility on Youtube embeddings

v 11.1.7rc2
============================================================
x Fixed popup opening being slowed down if options UI is opened (thanks Sirus for report)

v 11.1.7rc1
============================================================
x Explicit failure for wrong settings importation formats

v 11.1.6
============================================================
x Better handling of concurrent prompts issues (thanks billarbor for reporting)
x Remove z-index boosting from ancestors when placeholder is collapsed or replaced (issue #162)
x Fixed permission keyboard shortcuts being triggered with modifiers like CTRL (thanks barbaz for report)
x More accurate blockage reporting, with better filtering of page's own CSP effects
x [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz for reporting)
x Fixed bug in automatic HTML events build-time updates
x Updated HTML events
x Updated TLDs
x [L10n] Updated sv_SE
x Better handling 0 width / 0 height media placeholders

v 11.1.6rc6
============================================================
x Better handling of concurrent prompts issues (thanks billarbor for reporting)

v 11.1.6rc5
============================================================
x Remove z-index boosting from ancestors when placeholder is collapsed or replaced (issue #162)

v 11.1.6rc4
============================================================
x Fixed permission keyboard shortcuts being triggered with modifiers like CTRL (thanks barbaz for report)

v 11.1.6rc3
============================================================
x More accurate blockage reporting, with better filtering of page's own CSP effects

v 11.1.6rc2
============================================================
x [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz for reporting)
x Fixed bug in automatic HTML events build-time updates
x Updated HTML events
x Updated TLDs

v 11.1.6rc1
============================================================
x Updated TLDs
x [L10n] Updated sv_SE
x Better handling 0 width / 0 height media placeholders
2021-01-04 | Pullup ticket #6388 - requested by wiz | bsiegert | 3 | -12/+41
security/tor-browser: security fix

Revisions pulled up:
- security/tor-browser/Makefile 1.83
- security/tor-browser/distinfo 1.34
- security/tor-browser/patches/patch-dom_webgpu_ipc_WebGPUParent.cpp 1.1

---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 3 19:00:38 UTC 2021

Modified Files:
pkgsrc/security/tor-browser: Makefile distinfo

Added Files:
pkgsrc/security/tor-browser/patches: patch-dom_webgpu_ipc_WebGPUParent.cpp

Log Message:
tor-browser: update to 10.0.7.

This release updates Firefox for desktops to 78.6.0esr and Firefox for Android to 84.1.0. This release includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.

The full changelog since Desktop and Android Tor Browser 10.0.6 is:

All Platforms
  Update HTTPS Everywhere to 2020.11.17
  Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
  Bug 40176: Update openssl to 1.1.1i
Windows + OS X + Linux
  Update Firefox to 78.6.0esr
Android
  Update Firefox to 84.1.0
  Update NoScript to 11.1.6
Linux
  Bug 40226: Crash on Fedora Workstation Rawhide GNOME
Build System
  All Platforms
    Bug 40139: Pick up rbm commit for bug 40008
    Bug 40161: Update Go compiler to 1.14.13
  Android
    Bug 40128: Allow updating Fenix allowed_addons.json
    Bug 40140: Create own Gradle project
    Bug 40155: Update toolchain for Fenix 84
    Bug 40156: Update Fenix and dependencies to 84.0.0-beta2
    Bug 40163: Avoid checking hash of .pom files
    Bug 40171: Include all uniffi-rs artifacts into application-services
    Bug 40184: Update Fenix and deps to 84.1.0

10.0.6
All Platforms
  Bug 40175: Update obfs4proxy's TLS certificate public key pinning
2020-12-31 | doc: Add CHANGES file for pkgsrc-2020Q4 | gdt | 1 | -0/+3
2020-12-31 | asterisk16: Avoid using -march=native, it breaks binary packages. | nia | 2 | -3/+6
Also avoid passing crazy optimization and debug flags in general, just honor the user's CFLAGS.
2020-12-31 | cpu_features: remember to include bsd.prefs.mk.... | nia | 1 | -1/+3
2020-12-31 | cpu_features: Correct PLIST substitution for various architectures | nia | 1 | -2/+14
2020-12-31 | cpu_features: Recognize earm as arm | nia | 2 | -1/+17
2020-12-31 | vlc: Add missing PLIST entries for earmv7hf | nia | 2 | -2/+13
2020-12-31 | doc: Updated wm/quartz-wm to 1.3.1nb2 | schmonz | 1 | -1/+2
2020-12-31 | Configure with --enable-xplugin-dock-support to fix build on 64-bit-only | schmonz | 2 | -5/+4
macOS. In exchange for avoiding the use of the bundled i386 binary blob, this drops compatibility with older macOS (by requiring a newer API in the system libXplugin). In case this had been building for anyone on semi-recent macOS, bump PKGREVISION. Addresses pkg/55880.
2020-12-31 | gnome-dictionary: fix SunOS build | gutteridge | 1 | -1/+3
2020-12-31 | (chat/telepathy-haze) Add python/application.mk for adhoc fix | mef | 1 | -1/+2
build log says
checking for a Python interpreter with version >= 2.5... none
configure: error: no suitable Python interpreter found

So I've added the line:
.include "../../lang/python/application.mk"

Please correct for better resolution, thanks
2020-12-31 | Fix audio/speech-dispatcher on macOS | js | 4 | -9/+37
* Disable weak alias, which is not supported by Mach-O
* Disable espeak, which officially says it does not support macOS
2020-12-31 | (devel/py-llvmlite) adhoc build fix removing -stdlib=libc++ | mef | 1 | -2/+3
2020-12-30 | doc: Updated lang/ruby to 2.6.6nb1 | taca | 1 | -1/+2
2020-12-30 | lang/ruby: correct list of commands | taca | 1 | -2/+9
Correctly update list of commands. Bump PKGREVISION.
2020-12-30 | gr-osmosdr: Convert to PYTHON_VERSIONS_INCOMPATIBLE | nia | 1 | -2/+2
2020-12-30 | py-xmm7360: Convert to PYTHON_VERSIONS_INCOMPATIBLE | nia | 1 | -2/+2
2020-12-30 | py-deepstate: Remove unnecessary restriction to py3.7/3.6 | nia | 1 | -2/+2
2020-12-30 | deepstate: Remove unnecessary restriction to Python 3.7/3.6 | nia | 1 | -2/+2
2020-12-30 | stone-soup: Force use of ncurses for now. | nia | 3 | -14/+11
Has issues with NetBSD curses. See the upstream issue: https://github.com/crawl/crawl/issues/1661 PR pkg/55896
2020-12-30 | py-manticore: Remove unnecessary restriction to Python 3.7 | nia | 1 | -2/+2
Reflect Python version support noted in setup.py.
2020-12-30 | py-ana: Nothing stopping this from working with py38/etc | nia | 1 | -2/+2
2020-12-30 | gnuradio-core: Convert to PYTHON_VERSIONS_INCOMPATIBLE | nia | 1 | -2/+4
This will ease transition to newer Python versions, and also removes the apparently unnecessary restriction on 3.6. According to the upstream build system, 3.6 is the minimum version required.
2020-12-30 | doc: Updated pkgtools/pkgin to 20.12.1 | jperkin | 1 | -1/+2
2020-12-30 | pkgin: Update to 20.12.1. | jperkin | 2 | -7/+7
## Version 20.12.1 (2020-12-30)

* Fix version selection of packages and dependencies for install. Previously the first returned match would win, and preferred.conf was not considered for dependencies.
2020-12-30 | mozjs78: further SunOS build fixes | gutteridge | 3 | -2/+19
This results in a successful build and a js78 executable that runs in my test environment (the most recent OmniOS release). However, test suite execution yields an immediate failure with the message "too much recursion", so it seems more work is still required here.
2020-12-29 | _NetBSD-pkgdb: Use $@ instead of $* | gdt | 1 | -5/+5
Based on an offlist complaint from the shell style police :-)
2020-12-29 | deepstate-libfuzzer: Add missing py-setuptools dependency | nia | 1 | -1/+2
2020-12-29 | doc: Updated devel/p5-Test-BDD-Cucumber to 0.75 | schmonz | 1 | -1/+2
2020-12-29 | Update to 0.75. From the changelog: | schmonz | 2 | -7/+7
[Fixed]
- Passing multiple tags arguments to prove correctly intersects the sets; e.g. '--feature-option tags=@wip --feature-option tags=@daily' now correctly runs strictly the scenarios matching both @wip and @daily
- Tutorial.pod incorrectly stated --tags=@tag1,~@tag2 runs scenarios tagged '@tag1' except those tagged '@tag2': it runs all tagged '@tag1' and all *not* tagged '@tag2'.
- Clarified difference between step definitions, step models and step execution contexts

[Added]
- Explanation in 'pherkin' how to pass tag patterns
- Expanded explanation in Tutorial.pod how to pass tag patterns

Updating during the freeze for bugfixes and documentation improvements.
2020-12-29 | Last release of gtk2 | nia | 1 | -2/+3
2020-12-29 | qbittorrent: Use gnu++14 for alloca | nia | 1 | -2/+2
2020-12-29 | mozjs78: build fix: SunOS doesn't have open_memstream() | gutteridge | 2 | -1/+19
2020-12-28 | doc: Updated mail/newspipe to 1.1.9nb10 | wiz | 1 | -1/+2
2020-12-28 | newspipe: mark as python 2.x only | wiz | 1 | -2/+3
Errors immediately on startup.

  File "/usr/pkg/share/newspipe/newspipe.py", line 496
    except HTTPError, e:
                    ^
SyntaxError: invalid syntax

Bump PKGREVISION.
2020-12-28 | doc: Updated security/wolfssl to 4.6.0 | fox | 1 | -1/+2
2020-12-28 | security/wolfssl: Updates to v4.6.0 | fox | 3 | -12/+12
Changes since v4.5.0:

wolfSSL Release 4.6.0 (December 22, 2020)

Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

New Build Options
* wolfSSL now enables linux kernel module support. Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking. (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source) (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
* Build tests and updated instructions for use with Apple’s A12Z chipset (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
* Expansion of wolfSSL SP math implementation and addition of --enable-sp-math-all build option
* Apache httpd w/TLS 1.3 support added
* Sniffer support for TLS 1.3 and AES CCM
* Support small memory footprint build with only TLS 1.3 and PSK without code for (EC)DHE and certificates

New Hardware Acceleration
* Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
* Add Silicon Labs hardware acceleration using SL SE Manager

New Algorithms
* RC2 ECB/CBC added for use with PKCS#12 bundles
* XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added

Misc
* Added support for 802.11Q VLAN frames to sniffer
* Added OCSP function wolfSSL_get_ocsp_producedDate
* Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag, cpuid_clear_flag
* New DTLS/TLS non-blocking Secure Renegotiation example added to server.c and client.c

Fixes

Math Library
* Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than maximum MP
* Fix for fp_read_radix_16 out of bounds read
* Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function version in HW ECC acceleration
* Handle an edge case with RSA-PSS encoding message to hash

Compatibility Layer Fixes
* Fix for setting serial number wolfSSL_X509_set_serialNumber
* Fix for setting ASN1 time not before / not after with WOLFSSL_X509
* Fix for order of components in issuer name when using X509_sign
* Fix for compatibility layer API DH_compute_key
* EVP fix incorrect block size for GCM and buffer up AAD for encryption/decryption
* EVP fix for AES-XTS key length return value and fix for string compare calls
* Fix for mutex freeing during RNG failure case with EVP_KEY creation
* Non blocking use with compatibility layer BIOs in TLS connections

Build Configuration
* Fix for custom build with WOLFSSL_USER_MALLOC defined
* ED448 compiler warning on Intel 32bit systems
* CURVE448_SMALL build fix for 32bit systems with Curve448
* Fix to build SP math with IAR
* CMake fix to only set ranlib arguments for Mac, and for stray typo of , -> ;
* Build with --enable-wpas=small fix
* Fix for building fips ready using openssl extra
* Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
* Fix for NO_FILESYSTEM build on Windows
* Fixed SHA256 support for IMX-RT1060
* Fix for ECC key gen with NO_TFM_64BIT

Sniffer
* Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static ECC key fallback detection and fixes new ECC RNG requirement for timing resistance
* Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error code in ProcessClientHello
* Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
* Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
* Fix to not treat cert/key not found as error in myWatchCb and WOLFSSL_SNIFFER_WATCH.
* Sniffer fixes for handling TCP out-of-range sequence number
* Fixes SSLv3 use of ECDH in sniffer

PKCS
* PKCS#11 fix to generate ECC key for decrypt/sign or derive
* Fix for resetting internal variables when parsing a malformed PKCS#7 bundle with PKCS7_VerifySignedData()
* Verify the extracted public key in wc_PKCS7_InitWithCert
* Fix for internal buffer size when using decompression with PKCS#7

Misc
* Pin the C# verify callback function to keep from garbage collection
* DH fixes for when public key is owned and free’d after a handshake
* Fix for TLS 1.3 early data packets
* Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
* Fix mmCAU and LTC hardware mutex locking to prevent double lock
* Fix potential race condition with CRL monitor
* Fix for possible malformed encrypted key with 3DES causing negative length
* AES-CTR performance fixed with AES-NI

Improvements/Optimizations

SP and Math
* mp_radix_size adjustment for leading 0
* Resolve implicit cast warnings with SP build
* Change mp_sqr to return an error if the result won't fit into the fixed length dp
* ARM64 assembly with clang improvements, clang doesn't always handle use of x29 (FP or Frame Pointer) in inline assembly code correctly - reworked sp_2048_sqr_8 to not use x29
* SP mod exp changed to support exponents of different lengths
* TFM div: fix initial value of size in q so clamping doesn't OOB read
* Numerous stack depth improvements with --enable-smallstack
* Improve cache resistance with Base64 operations

TLS 1.3
* TLS 1.3 wolfSSL_peek want read return addition
* TLS 1.3: Fix P-521 algorithm matching

PKCS
* Improvements and refactoring to PKCS#11 key look up
* PKCS #11 changes for signing and loading RSA public key from private
* check PKCS#7 SignedData private key is valid before using it
* check PKCS#7 VerifySignedData content length against total bundle size to avoid large malloc

Compatibility Layer
* EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
* Return long names instead of short names in wolfSSL_OBJ_obj2txt()
* Add additional OpenSSL compatibility functions to update the version of Apache httpd supported
* add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat

Builds
* Cortex-M SP ASM support for IAR 6.70
* STM Cube pack support (IDE/STM32Cube)
* Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit table
* Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in Xilinx README.md, and add Xilinx SDK printf support
* Added ED448 to the "all" options and ED448 check key null argument sanity check
* Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to the “all” options
* Added an --enable-all-crypto option, to enable only the wolfCrypt features of --enable-all, combinable with --enable-cryptonly
* Added the ability to selectively remove features from --enable-all and --enable-all-crypto using specific --disable- options
* Use Intel intrinsics with Windows for RDSEED and RDRAND (thanks to dr-m from MariaDB)
* Add option to build with WOLFSSL_NO_CLIENT_AUTH
* Updated build requirements for wolfSSH use to be less restrictive
* lighttpd support update for v1.4.56
* Added batch file to copy files to ESP-IDF folders and resolved warnings when using v4.0 ESP-IDF
* Added --enable-stacksize=verbose, showing at a glance the stack high water mark for each subtest in testwolfcrypt

ECC
* Performance increase for ECC verify only, using non constant time SP modinv
* During ECC verify add validation of r and s before any use
* Always use safe add and dbl with ECC
* Timing resistant scalar multiplication updated with use of Joye double-add ladder
* Update mp_jacobi function to reduce stack and increase performance for base ECC build
* Reduce heap memory use with wc_EccPrivateKeyDecode, Improvement to ECC wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the mp_int)
* Improve StoreECC_DSA_Sig bounds checking

OCSP
* OCSP improvement to handle extensions in singleResponse
* support for OCSP request/response for multiple certificates
* OCSP Must Staple option added to require OCSP stapling response
* Add support for id-pkix-ocsp-nocheck extension

Misc
* Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and Blake2b operations
* DTLS MTU: check MTU on write
* Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the hash to match the ECC curve)
* Strict certificate version allowed from client, TLS 1.2 / 1.3 can not accept client certificates lower than version 3
* wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid
* When parsing session ticket, check TLS version to see whether they are version compatible
* Additional sanity check for invalid ASN1 padding on integer type
* Adding in ChaCha20 streaming feature with Mac and Intel assembly build
* Sniffer build with --enable-oldtls option on
2020-12-28 | doc: Updated www/lighttpd to 1.4.58 | schmonz | 1 | -1/+2
2020-12-28 | Update to 1.4.58. From the changelog: | schmonz | 2 | -7/+7
- [tests] collect code for "die-at-end" tests
- [tests] remove FastCGI test dependency on libfcgi
- [core] prefer IPv6+IPv4 func vs IPv4-specific func
- [tests] remove FastCGI test dependency on PHP
- [core] reuse large mem chunks (fix mem usage) (fixes #3033)
- [core] add comment for FastCGI mem use in hctx->rb (#3033)
- [mod_proxy] fix sending of initial reqbody chunked
- [multiple] fdevent_waitpid() wrapper
- [core] sys-time.h - localtime_r,gmtime_r macros
- [core] http_date.[ch] encapsulate HTTP-date parse
- [core] specialized strptime() for HTTP date fmts
- [multiple] employ http_date.h, sys-time.h
- [core] http_date_timegm() (portable timegm())
- buffer_append_path_len() to join paths
- [core] inet_ntop_cache -> sock_addr_cache
- [tests] slight speed up checking for server ready
- [tests] load required modules in alt .conf tests
- [multiple] etag.[ch] -> http_etag.[ch]; better imp
- [core] fix crash after specific err in config file
- [core] fix bug in FastCGI uploads (#3033)
- [tests] OpenBSD crypt() support limited to bcrypt
- [core] http_response_match_if_range()
- [mod_webdav] typedef off_t loff_t for FreeBSD
- [multiple] chunkqueue_write_chunk()
- [build] add GNUMAKEFLAGS=--no-print-directory
- [tests] consolidate some tests/ content
- [core] fix bug in read retry found by coverity

Updating during the freeze for (also from the changelog) "important changes: bugfixes, portability".
2020-12-28 | doc/CHANGES: note update of mail/roundcube* packages to 1.4.10 | taca | 1 | -1/+5
mail/roundcube mail/roundcube-plugin-enigma mail/roundcube-plugin-password mail/roundcube-plugin-zipdownload
2020-12-28 | mail/roundcube-plugin-enigma: reset PKGREVISION | taca | 1 | -2/+1
Reset PKGREVISION by updating to 1.4.10.
2020-12-28 | mail/roundcube: update to 1.4.10 | taca | 5 | -16/+14
Update roundcube to 1.4.10, including security fix.

RELEASE 1.4.10
--------------
- Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
- Fix folder list issue when special folder is a subfolder (#7647)
- Fix Elastic's folder subscription toggle in search result (#7653)
- Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
2020-12-28 | Add and update. | taca | 1 | -2/+3
+ ruby-3.0.0, sudo-1.9.4p2
2020-12-28 | Remove extra RUBY_VERSIONS_ACCEPTED. | taca | 4 | -12/+4