Age | Commit message | Author | Files | Lines
2021-11-23 | Pullup ticket #6541 - requested by taca | tm | 3 | -15/+15
lang/php74: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.345
- lang/php74/distinfo 1.33
- lang/php74/patches/patch-ext_intl_breakiterator_codepointiterator__internal.cpp 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Nov 19 14:26:29 UTC 2021

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo
pkgsrc/lang/php74/patches: patch-ext_intl_breakiterator_codepointiterator__internal.cpp

Log Message:
lang/php74: update to 7.4.26

This release contains a security fix.

18 Nov 2021, PHP 7.4.26

- Core:
  . Fixed bug #81518 (Header injection via default_mimetype / default_charset). (cmb)
- Date:
  . Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2). (cmb)
- MBString:
  . Fixed bug #76167 (mbstring may use pointer from some previous request). (cmb, cataphract)
- MySQLi:
  . Fixed bug #81494 (Stopped unbuffered query does not throw error). (Nikita)
- PCRE:
  . Fixed bug #81424 (PCRE2 10.35 JIT performance regression). (cmb)
- Streams:
  . Fixed bug #54340 (Memory corruption with user_filter). (Nikita)
- XML:
  . Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707) (cmb)
2021-11-23 | doc: Pullup ticket #6540 | tm | 1 | -1/+4
2021-11-23 | Pullup ticket #6540 - requested by taca | tm | 2 | -7/+7
devel/ruby-redmine41: security fix

Revisions pulled up:
- devel/ruby-redmine41/Makefile 1.7
- devel/ruby-redmine41/distinfo 1.7
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 8 15:06:37 UTC 2021

Modified Files:
pkgsrc/devel/ruby-redmine41: Makefile distinfo

Log Message:
devel/ruby-redmine41: update to 4.1.5

This release includes a fix for a moderate severity issue found in all recent releases.

4.1.5 (2021-10-10)

[Administration]
* Defect #35731: Password and Confirmation fields are marked as required when editing a user

[Attachments]
* Defect #35715: File upload fails when run with uWSGI

[Issues]
* Defect #35642: Long text custom field values are not aligned with their labels

[Issues planning]
* Defect #35669: Prints of Issues Report details are messed-up due to the size of the graphs

[Permissions and roles]
* Defect #35634: Attachments deletable even though issue edit not permitted

[Security]
* Defect #35789: Redmine is leaking usernames on activities index view
* Patch #35463: Enforce stricter class filtering in WatchersController

[UI]
* Defect #34834: Line breaks in the description of a custom field are ignored in a tooltip
2021-11-23 | doc: Pullup ticket #6539 | tm | 1 | -1/+4
2021-11-23 | Pullup ticket #6539 - requested by taca | tm | 2 | -7/+7
devel/ruby-redmine42: security fix

Revisions pulled up:
- devel/ruby-redmine42/Makefile 1.3
- devel/ruby-redmine42/distinfo 1.5
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 8 15:04:57 UTC 2021

Modified Files:
pkgsrc/devel/ruby-redmine42: Makefile distinfo

Log Message:
devel/ruby-redmine42: update to 4.2.3

This release includes a fix for a moderate severity issue found in all recent releases.

4.2.3 (2021-10-10)

[Administration]
* Defect #35731: Password and Confirmation fields are marked as required when editing a user

[Attachments]
* Defect #35642: Long text custom field values are not aligned with their labels
* Defect #35715: File upload fails when run with uWSGI

[Issues]
* Defect #35655: Create duplicated follows relations fails with 500 internal error

[Issues planning]
* Defect #35669: Prints of Issues Report details are messed-up due to the size of the graphs

[Permissions and roles]
* Defect #35634: Attachments deletable even though issue edit not permitted

[Projects]
* Defect #35827: Deleting a closed or archived project returns 403

[Roadmap]
* Feature #35758: Add some space around the versions on the Roadmap

[Security]
* Defect #35789: Redmine is leaking usernames on activities index view
* Patch #35463: Enforce stricter class filtering in WatchersController

[Translations]
* Patch #35662: Mongolian translation update for "Notes", "Totals", and "% Done"
* Patch #35766: Galician translation update for 4.2-stable

[UI]
* Defect #34834: Line breaks in the description of a custom field are ignored in a tooltip
2021-11-20 | doc: Pullup ticket #6533 | tm | 1 | -1/+4
2021-11-20 | Pullup ticket #6533 - requested by bsiegert | tm | 2 | -9/+13
www/ap2-auth-mellon: security fix

Revisions pulled up:
- www/ap2-auth-mellon/Makefile 1.66
- www/ap2-auth-mellon/distinfo 1.24
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Nov 9 01:50:45 UTC 2021

Modified Files:
pkgsrc/doc: CHANGES-2021
pkgsrc/www/ap2-auth-mellon: Makefile distinfo

Log Message:
Updated www/ap2-auth-mellon to 0.18.0

Change since 0.17 from NEWS file:

Version 0.18.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

  Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying a URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com.

  This could be reproduced with:
  https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html

  This version fixes that issue by rejecting all URLs that start with "///".

Enhancements:

* A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds.

Bug fixes:

* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed.
2021-11-20 | doc: Pullup ticket #6532 | tm | 1 | -1/+4
2021-11-20 | Pullup ticket #6532 - requested by bsiegert | tm | 5 | -21/+21
net/zeromq: security fix

Revisions pulled up:
- net/zeromq/Makefile 1.32
- net/zeromq/PLIST 1.11
- net/zeromq/distinfo 1.34
- net/zeromq/patches/patch-src_ipc__listener.cpp 1.5
- net/zeromq/patches/patch-src_tcp__listener.cpp 1.6
---
Module Name: pkgsrc
Committed By: adam
Date: Sun Nov 14 20:15:46 UTC 2021

Modified Files:
pkgsrc/net/zeromq: Makefile PLIST distinfo
pkgsrc/net/zeromq/patches: patch-src_ipc__listener.cpp patch-src_tcp__listener.cpp

Log Message:
zeromq: updated to 4.3.4

libzmq 4.3.4

* New DRAFT (see NEWS for 4.2.0) socket option: ZMQ_PRIORITY will set the SO_PRIORITY socket option on the underlying sockets. Only supported on Linux. See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.
* Fixed 4113 - compilation errors on kFreeBSD and GNU/Hurd
* Fixed 4086 - excessive amount of socket files left behind in Windows TMP directory
* Fixed 4108 - regression that breaks using IPv6 link-local addresses on Linux
* Fixed 4078 - compilation errors on Android
* Fixed 4074 - compilation error with ulibc and libbsd
* Fixed 4060 - stack overflow on Windows x64
* Fixed 4051 - various compilation errors on Windows ARM 32bit
* Fixed 4043 - various compilation warnings with XCode
* Fixed 4038 - return value of zmq_ctx_get changed unintentionally

libzmq 4.3.3

Security advisories:

* CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. For more information see the security advisory: GHSA-25wp-cf8g-938m

* Stack overflow on server running PUB/XPUB socket (CURVE disabled). The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow. For more information see the security advisory: GHSA-qq65-x72m-9wr8

* Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. Messages with metadata are never processed by PUB sockets, but the metadata is kept referenced in the PUB object and never freed. For more information see the security advisory: GHSA-4p5v-h92w-6wxw

* Memory leak in client induced by malicious server(s) without CURVE/ZAP. When a pipe processes a delimiter and is already not in active state but still has an unfinished message, the message is leaked. For more information see the security advisory: GHSA-wfr2-29gj-5w87

* Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). By crafting a packet which is not valid ZMTP v2/v3, and which has two messages larger than 8192 bytes, the decoder can be tricked into changing the recorded size of the 8192 bytes static buffer, which then gets overflown by the next message. The content that gets written in the overflown memory is entirely decided by the sender. For more information see the security advisory: GHSA-fc3w-qxf5-7hp6

* Note for packagers: an external, self-contained sha1 library is now included in the source tree under external/sha1/ - it is licensed under BSD-3-Clause and thus it is fully compatible with libzmq's license. It is only used if WebSockets support is enabled, and if neither GnuTLS nor NSS are available.

* Note for packagers: an internal reimplementation of strlcpy is now included, for wider platform compatibility. libbsd can be used and is enabled by default if available instead of the internal implementation, for better security maintenance in distros.

* Note for packagers: ZeroMQConfig.cmake is now installed in the arch-dependent subdirectory - eg: /usr/lib/x86_64-linux-gnu/cmake/

* New DRAFT (see NEWS for 4.2.0) socket type: ZMQ_CHANNEL is a thread-safe alternative to ZMQ_PAIR. See doc/zmq_socket.txt for details.

* New DRAFT (see NEWS for 4.2.0) socket option: ZMQ_ONLY_FIRST_SUBSCRIBE will cause only the first part of a multipart message to be processed as a subscribe/unsubscribe message, and the rest will be forwarded as user data to the application. ZMQ_RECONNECT_STOP will cause a connecting socket to stop trying to reconnect in specific circumstances. See the manpage for details. ZMQ_HELLO_MSG to set a message that will be automatically sent to a new connection. ZMQ_DISCONNECT_MSG to set a message that will be automatically received when a peer disconnects. See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.

* New DRAFT (see NEWS for 4.2.0) zmq_ctx_get_ext/zmq_ctx_set_ext APIs were added to allow enhancing the context options with variable data inputs. See doc/zmq_ctx_get_ext.txt and doc/zmq_ctx_set_ext.txt for details.

* New DRAFT (see NEWS for 4.2.0) transport options WS and WSS added for support of WebSockets (and secure WebSockets via TLS) via the ZWS 2.0 protocol. WSS requires the GnuTLS library for TLS support. ZMQ_WSS_ specific socket options were added to support TLS. WebSockets support is disabled by default if DRAFT APIs are disabled.

* New DRAFT (see NEWS for 4.2.0) socket type, PEER, which is thread safe and a related zmq_connect_peer function which atomically and thread-safely connects and returns a routing-id.

* New DRAFT (see NEWS for 4.2.0) zmq_msg_init_buffer API was added to allow the construction of a message by copying from an existing buffer.

* New DRAFT (see NEWS for 4.2.0) zmq_poller_size API was added to allow querying the number of sockets/fds registered in a zmq_poller.

* ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather than using the first byte of the payload.

* zmq_z85_decode now checks that the input string's length is at least 5 characters and always a multiple of 5 as per API specification.

* Fixed 3566 - malformed CURVE message can cause memory leak
* Fixed 3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only static lib is built
* Fixed 3576 - CURVE plaintext secrets now stored in libsodium's secure memory
* Fixed 3588 - install debug libraries for debug msvc builds with CMake
* Fixed 3591 - incorrect ZMQ_MAX_SOCKETS default value in doc
* Fixed 3594 - fixed stream_engine use after free due to concurrent heartbeats
* Fixed 3586 - error when compiling with MinGW due to usage of MS-specific __except keyword
* Fixed 3603 - fixed CMake build on SL6.9
* Fixed 3607 - added scripts to ease performance graph generation
* Fixed 3608 - fix for IPv4 mapping not supported in DragonFlyBSD
* Fixed 3636 - added ENABLE_PRECOMPILED CMake option to fix build with Ninja
* Fixed 2862 - UDP engine aborts on networking-related errors from socket syscalls
* Fixed 3656 - segfault on sending data from XSUB to XPUB
* Fixed 3646 - static-only test run fails
* Fixed 3668 - fixed CMAKE_CXX_FLAGS_* regexes on MSVC
* Fixed 110 - do not include winsock2.h in public zmq.h header
* Fixed 3683 - allow "configure --disable-maintainer-mode"
* Fixed 3686 - fix documentation about sockets blocking on send operations
* Fixed 3323 - fix behavior of ZMQ_CONFLATE on PUB sockets
* Fixed 3698 - fix build on IBM i/PASE/os400
* Fixed 3705 - zero-sized messages cause assertion when glibc assertion are on
* Fixed 3713 - remove dependency on math library by avoiding std::ceil
* Fixed 3694 - build targeting Windows XP is broken
* Fixed 3691 - added support for IPC on Windows 10 via AF_UNIX
* Fixed 3725 - disable by default test that requires sudo on CMake
* Fixed 3727 - fix zmq_poller documentation example
* Fixed 3729 - do not check for FD_OOB when using WSAEventSelect on Windows
* Fixed 3738 - allow renaming the library in CMake
* Fixed 1808 - use AF_UNIX instead of TCP for the internal socket on Windows 10
* Fixed 3758 - fix pthread_set_affinity detection in CMake
* Fixed 3769 - fix undefined behaviour in array.hpp
* Fixed 3772 - fix compiling under msys2-mingw
* Fixed 3775 - add -latomic to the private libs flag in pkg-config if needed
* Fixed 3778 - fix documentation of zmq_poller's thread safety
* Fixed 3792 - do not allow creation of new sockets after zmq_ctx_shutdown
* Fixed 3805 - improve performance of CURVE by reducing copies
* Fixed 3814 - send subscribe/cancel as commands to ZMTP 3.1 peers
* Fixed 3847 - fix building without PGM and NORM
* Fixed 3849 - install .cmake file in arch-dependent subdirectory
* Fixed 4005 - allow building on Windows ARM/ARM64
2021-11-20 | doc: Pullup ticket #6534 | tm | 1 | -1/+4
2021-11-20 | Pullup ticket #6534 - requested by bsiegert | tm | 3 | -10/+10
mail/mailman: security fix

Revisions pulled up:
- mail/mailman/Makefile 1.95
- mail/mailman/PLIST 1.31
- mail/mailman/distinfo 1.31
---
Module Name: pkgsrc
Committed By: tm
Date: Tue Oct 26 18:42:55 UTC 2021

Modified Files:
pkgsrc/mail/mailman: Makefile PLIST distinfo

Log Message:
mail/mailman: Update to 2.1.35

2.1.35 (19-Oct-2021)

Security

- A potential for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-42096 (LP:#1947639)
- A CSRF attack via the user options page could allow takeover of a user's account. This is fixed. CVE-2021-42097 (LP:#1947640)

Bug Fixes and other patches

- Fixed an issue where sometimes the wrapper message for DMARC mitigation Wrap Message has no Subject:. (LP: #1915655)
- Plain text message bodies with Content-Disposition: and no declared charset are no longer scrubbed. (LP: #1917968)
- CommandRunner now recodes message bodies in the charset of the user's or list's language to avoid a possible UnicodeError when including the message body in the reply. (LP: #1921682)
- Delivery disabled by bounce notices to admins now have 'disabled' properly translated. (LP: #1922843)
- DMARC policy discovery ignores domains with multiple DMARC records per RFC 7849, (LP: 1931029)
2021-11-05 | Pullup tickets #6529 and #6530 | bsiegert | 1 | -1/+7
2021-11-05 | Pullup ticket #6530 - requested by nia | bsiegert | 4 | -8/+26
www/firefox91: security fix

Revisions pulled up:
- www/firefox91/Makefile 1.8
- www/firefox91/PLIST 1.3
- www/firefox91/distinfo 1.6
- www/firefox91/patches/patch-modules_fdlibm_src_math__private.h 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Nov 3 19:19:40 UTC 2021

Modified Files:
pkgsrc/www/firefox91: Makefile PLIST distinfo
Added Files:
pkgsrc/www/firefox91/patches: patch-modules_fdlibm_src_math__private.h

Log Message:
firefox91: update to 91.3.0

Security Vulnerabilities fixed in Firefox ESR 91.3

#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
#CVE-2021-38504: Use-after-free in file picker dialog
#CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
#MOZ-2021-0008: Use-after-free in HTTP2 Session object
#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
#MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
2021-11-05 | Pullup ticket #6529 - requested by nia | bsiegert | 2 | -279/+187
firefox91-l10n: dependent update

Revisions pulled up:
- www/firefox91-l10n/Makefile 1.4
- www/firefox91-l10n/distinfo 1.6
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Nov 3 19:23:05 UTC 2021

Modified Files:
pkgsrc/www/firefox91-l10n: Makefile distinfo

Log Message:
firefox91-l10n: sync with firefox91
2021-11-02 | doc: Pullup ticket #6523 | tm | 1 | -1/+4
2021-11-02 | Pullup ticket #6523 - requested by david | tm | 3 | -6/+12
lang/python27: bugfix

Revisions pulled up:
- lang/python27/Makefile 1.95
- lang/python27/distinfo 1.87
- lang/python27/patches/patch-Lib_urlparse.py 1.2
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Wed Oct 27 23:58:55 UTC 2021

Modified Files:
pkgsrc/lang/python27: Makefile distinfo
pkgsrc/lang/python27/patches: patch-Lib_urlparse.py

Log Message:
python27: fix definition of variable added in security patch

Correct a merge botch introduced in a previous commit. It was intended that a variable be redefined, but it was committed in an incomplete testing state.
2021-11-02 | doc: Pullup ticket #6528, #6524, #6525, #6527, #6526 | tm | 1 | -1/+16
2021-11-02 | Pullup ticket #6526 - requested by taca | tm | 2 | -7/+7
lang/php80: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.342
- lang/php80/distinfo 1.11
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 22 15:09:52 UTC 2021

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php80: distinfo

Log Message:
lang/php80: update to 8.0.12

This is a security fix release.

21 Oct 2021, PHP 8.0.12

- CLI:
  . Fixed bug #81496 (Server logs incorrect request method). (lauri)
- Core:
  . Fixed bug #81435 (Observer current_observed_frame may point to an old (overwritten) frame). (Bob)
  . Fixed bug #81380 (Observer may not be initialized properly). (krakjoe)
- DOM:
  . Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID). (Viktor Volkov)
- FFI:
  . Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined). (Dmitry)
- FPM:
  . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation) (CVE-2021-21703). (Jakub Zelenka)
- Fileinfo:
  . Fixed bug #78987 (High memory usage during encoding detection). (Anatol)
- Filter:
  . Fixed bug #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing). (cmb, Nikita)
- Opcache:
  . Fixed bug #81472 (Cannot support large linux major/minor device number when read /proc/self/maps). (Lin Yang)
- Reflection:
  . ReflectionAttribute is no longer final. (sasezaki)
- SPL:
  . Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free). (cmb, Nikita, Tyson Andre)
  . Fixed bug #81477 (LimitIterator + SplFileObject regression in 8.0.1). (cmb)
- Standard:
  . Fixed bug #69751 (Change Error message of sprintf/printf for missing/typo position specifier). (Aliaksandr Bystry)
- Streams:
  . Fixed bug #81475 (stream_isatty emits warning with attached stream wrapper). (cmb)
- XML:
  . Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace). (Aliaksandr Bystry, cmb)
- Zip:
  . Fixed bug #81490 (ZipArchive::extractTo() may leak memory). (cmb, Remi)
  . Fixed bug #77978 (Dirname ending in colon unzips to wrong dir). (cmb)
2021-11-02 | Pullup ticket #6527 - requested by taca | tm | 2 | -7/+7
lang/php74: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.343
- lang/php74/distinfo 1.31
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 22 15:14:24 UTC 2021

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo

Log Message:
lang/php74: update to 7.4.25

This is a security fix release.

21 Oct 2021, PHP 7.4.25

- DOM:
  . Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID). (Viktor Volkov)
- FFI:
  . Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined). (Dmitry)
- Fileinfo:
  . Fixed bug #78987 (High memory usage during encoding detection). (Anatol)
- Filter:
  . Fixed bug #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing). (cmb, Nikita)
- FPM:
  . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation) (CVE-2021-21703). (Jakub Zelenka)
- SPL:
  . Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free). (cmb, Nikita, Tyson Andre)
- Streams:
  . Fixed bug #81475 (stream_isatty emits warning with attached stream wrapper). (cmb)
- XML:
  . Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace). (Aliaksandr Bystry, cmb)
- Zip:
  . Fixed bug #81490 (ZipArchive::extractTo() may leak memory). (cmb, Remi)
  . Fixed bug #77978 (Dirname ending in colon unzips to wrong dir). (cmb)
2021-11-01 | Pullup ticket #6525 - requested by taca | tm | 24 | -226/+2485
net/bind916: security fix

Revisions pulled up:
- net/bind916/Makefile 1.28-1.29
- net/bind916/distinfo 1.24,1.26
- net/bind916/patches/patch-bin_named_unix_os.c 1.1
- net/bind916/patches/patch-bin_tools_arpaname.c deleted
- net/bind916/patches/patch-contrib_dlz_modules_wildcard_dlz__wildcard__dynamic.c deleted
- net/bind916/patches/patch-lib_dns_client.c 1.1
- net/bind916/patches/patch-lib_dns_dnsrps.c deleted
- net/bind916/patches/patch-lib_dns_include_dns_client.h 1.1
- net/bind916/patches/patch-lib_dns_include_dns_zone.h 1.3
- net/bind916/patches/patch-lib_dns_peer.c deleted
- net/bind916/patches/patch-lib_dns_rbt.c 1.3
- net/bind916/patches/patch-lib_dns_rdata.c 1.1
- net/bind916/patches/patch-lib_dns_zone.c 1.5
- net/bind916/patches/patch-lib_isc_app.c 1.1
- net/bind916/patches/patch-lib_isc_netmgr_netmgr-int.h 1.1
- net/bind916/patches/patch-lib_isc_netmgr_netmgr.c 1.2
- net/bind916/patches/patch-lib_isc_siphash.c 1.3
- net/bind916/patches/patch-lib_isc_timer.c 1.1
- net/bind916/patches/patch-lib_isc_unix_include_isc_align.h deleted
- net/bind916/patches/patch-lib_isc_unix_include_isc_stdatomic.h 1.1
- net/bind916/patches/patch-lib_isc_unix_socket.c 1.6
- net/bind916/patches/patch-lib_ns_Makefile.in 1.3
- net/bind916/patches/patch-lib_ns_client.c 1.5
- net/bind916/patches/patch-lib_ns_interfacemgr.c deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 24 06:40:28 UTC 2021

Modified Files:
pkgsrc/net/bind916: Makefile distinfo
pkgsrc/net/bind916/patches: patch-lib_dns_include_dns_zone.h patch-lib_dns_rbt.c patch-lib_dns_zone.c patch-lib_isc_netmgr_netmgr.c patch-lib_isc_unix_socket.c patch-lib_ns_Makefile.in patch-lib_ns_client.c
Added Files:
pkgsrc/net/bind916/patches: patch-bin_named_unix_os.c patch-lib_dns_client.c patch-lib_dns_include_dns_client.h patch-lib_dns_rdata.c patch-lib_isc_app.c patch-lib_isc_netmgr_netmgr-int.h patch-lib_isc_siphash.c patch-lib_isc_timer.c patch-lib_isc_unix_include_isc_stdatomic.h
Removed Files:
pkgsrc/net/bind916/patches: patch-bin_tools_arpaname.c patch-contrib_dlz_modules_wildcard_dlz__wildcard__dynamic.c patch-lib_dns_dnsrps.c patch-lib_dns_peer.c patch-lib_isc_unix_include_isc_align.h patch-lib_ns_interfacemgr.c

Log Message:
net/bind916: update pkgsrc changes from NetBSD

Catch up changes from NetBSD; update them for BIND 9.16.

Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 29 06:01:19 UTC 2021

Modified Files:
pkgsrc/net/bind916: Makefile distinfo

Log Message:
net/bind916: update to 9.16.22

This release contains a security fix.

--- 9.16.22 released ---

5736. [security] The "lame-ttl" option is now forcibly set to 0. This effectively disables the lame server cache, as it could previously be abused by an attacker to significantly degrade resolver performance. (CVE-2021-25219) [GL #2899]

5724. [bug] Address a potential deadlock when checking zone content consistency. [GL #2908]

5723. [bug] Change 5709 broke backward compatibility for the "check-names master ..." and "check-names slave ..." options. This has been fixed. [GL #2911]

5720. [contrib] Old-style DLZ drivers that had to be enabled at build-time have been marked as deprecated. [GL #2814]

5719. [func] The "map" zone file format has been marked as deprecated. [GL #2882]

5717. [func] The "cache-file" option, which was documented as "for testing purposes only" and not to be used, has been removed. [GL #2903]

5716. [bug] Multiple library names were mistakenly passed to the krb5-config utility when ./configure was invoked with the --with-gssapi=[/path/to/]krb5-config option. This has been fixed by invoking krb5-config separately for each required library. [GL #2866]

5715. [func] Add a check for ports specified in "*-source(-v6)" options clashing with a global listening port. Such a configuration was already unsupported, but it failed silently; it is now treated as an error. [GL #2888]

5714. [bug] Remove the "adjust interface" mechanism which was responsible for setting up listeners on interfaces when the "*-source(-v6)" address and port were the same as the "listen-on(-v6)" address and port. Such a configuration is no longer supported; under certain timing conditions, that mechanism could prevent named from listening on some TCP ports. This has been fixed. [GL #2852]

5712. [doc] Add deprecation notice about removing native PKCS#11 support in the next major BIND 9 release. [GL #2691]
2021-11-01 | Pullup ticket #6524 - requested by taca | tm | 3 | -25/+15
net/bind911: security fix

Revisions pulled up:
- net/bind911/Makefile 1.51
- net/bind911/distinfo 1.37
- net/bind911/patches/patch-configure 1.6
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 29 06:02:26 UTC 2021

Modified Files:
pkgsrc/net/bind911: Makefile distinfo
pkgsrc/net/bind911/patches: patch-configure

Log Message:
net/bind911: update to 9.11.36

--- 9.11.36 released ---

5736. [security] The "lame-ttl" option is now forcibly set to 0. This effectively disables the lame server cache, as it could previously be abused by an attacker to significantly degrade resolver performance. (CVE-2021-25219) [GL #2899]

5716. [bug] Multiple library names were mistakenly passed to the krb5-config utility when ./configure was invoked with the --with-gssapi=[/path/to/]krb5-config option. This has been fixed by invoking krb5-config separately for each required library. [GL #2866]
2021-11-01 | Pullup ticket #6528 - requested by taca | tm | 2 | -7/+7
lang/php73: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.344
- lang/php73/distinfo 1.40
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Oct 30 07:45:42 UTC 2021

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php73: distinfo

Log Message:
lang/php73: update to 7.3.32

This is a security fix release.

28 Oct 2021, PHP 7.3.32

- FPM:
  . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation). (CVE-2021-21703) (Jakub Zelenka)
2021-10-17 | doc: Pullup ticket #6521 | tm | 1 | -1/+4
2021-10-17 | Pullup ticket #6521 - requested by nia | tm | 3 | -228/+21
mail/alpine: security fix

Revisions pulled up:
- mail/alpine/Makefile 1.48
- mail/alpine/distinfo 1.27
- mail/alpine/patches/patch-imap_src_mtest_mtest.c deleted
---
Module Name: pkgsrc
Committed By: nia
Date: Sun Oct 17 09:49:10 UTC 2021

Modified Files:
pkgsrc/mail/alpine: Makefile distinfo
Removed Files:
pkgsrc/mail/alpine/patches: patch-imap_src_mtest_mtest.c

Log Message:
alpine: Update to 2.25.

pkgsrc changes and notes:

- According to the release notes, this fixes CVE-2021-38370 by Damian Poddebniak.
- I have added the maildir patch, as FreeBSD does, because it seems useful.
- I have removed the non-trivial patch for OpenBSD, because going by OpenBSD's ports repository it's no longer necessary at all.

Version 2.25 includes several new features and bug fixes.

Additions include:

* Unix Alpine: New configuration variable ssl-ciphers that allows users to list the ciphers to use when connecting to a SSL server. Based on a collaboration with Professor Martin Trusler.
* New hidden feature enable-delete-before-writing to add support for terminals that need lines to be deleted before being written. Based on a collaboration with Professor Martin Trusler.
* Experimental: The instruction to remove the double quotes from the processing of customized headers existed in pine, but it was removed in alpine. Restoring old Alpine behavior. See this
* Add the capability to record http debug. This is necessary to debug XOAUTH2 authentication, and records sensitive login information. Do not share your debug file if you use this form of debug.
* Remove the ability to choose between the device and authorize methods to login to outlook, since the original client-id can only be used for the device method. One needs a special client-id and client-secret to use the authorize method in Outlook.
* PC-Alpine only: Some service providers produce access tokens that are too long to save in the Windows Credentials, so the access tokens will be split and saved as several pieces. This means that old versions of Alpine will NOT be able to use saved passwords once this new version of Alpine is used.
* PC-Alpine: Debug files used to be created with extension .txt1, .txt2, etc. Rename those files so that they have extension .txt.
* Always follow **suppress-asterisks-in-password-prompt** setting in the various password prompts. Submitted by Étienne Deparis.
* Use 'alpine -F' instead of 'pine -F' as the browser default pager. Submitted by Étienne Deparis.
* Introduction of OTHER CMDS menu for the browser/pilot to let people discover the two new commands: "1" is a toggle that switches between 1 column and multicolumn mode. The "." command toggles between hiding or showing hidden files, and the "G" command to travel between directories. Contributed by Étienne Deparis.
* Add option -xoauth2-flow to the command line, so that users can specify the parameters to set up an xoauth2 connection through the command line.
* Alpine deletes, from its internal memory and external cache, passwords that do not work, even if they were saved by the user.
* New format for saving passwords in the windows credential manager for PC-Alpine. Upon starting this new version of Alpine the passwords saved in the credential manager are converted to the new format and they will not be recognized by old versions of Alpine, but only by this and newer versions of Alpine.
* Enabled encryption protocols in PC-Alpine are based on those enabled in the system, unless one is specified directly.

Bugs that have been addressed include:

* The c-client library parses information from an IMAP server during non-authenticated state which could lead to denial of service. Reported by Damian Poddebniak from Münster University of Applied Sciences.
* Memory corruption when alpine searches for a string that is an incomplete utf8 string in a local folder. This could happen by chopping a string to make it fit a buffer without regard to its content. We fix the string so that chopping it does not damage it. Reported by Andrew.
* Crash in the ntlm authenticator when the user name does not include a domain. Reported and fixed by Anders Skargren.
* When forwarding a message, replacing an attachment might make Alpine re-attach the original attachment. Reported by Michael Traxler.
* When an attachment is deleted, the saved message with the deleted attachment contains extra null characters after the end of the attachment boundary.
* Tcp and http debug information is not printed unless the default debug level is set to 1. Print this if requested, regardless of what the default debug level is.
* When trying to select a folder for saving a message, one can only enter a subfolder by pressing the ">" command, rather than the normal navigation by pressing "Return". Reported by Ulf-Dietrich Braunmann.
* Crash when attempting to remove a configuration for a XOAUTH2 server that has no usernames configured.
* Crash caused by saving (and resaving) XOAUTH2 refresh and access tokens in PC-Alpine. Reported by Karl Lindauer.
2021-10-17 | doc: Pullup ticket #6522 | tm | 1 | -1/+4
2021-10-17 | Pullup ticket #6522 - requested by nia | tm | 4 | -30/+13
mail/balsa: security fix

Revisions pulled up:
- mail/balsa/Makefile 1.169
- mail/balsa/distinfo 1.27
- mail/balsa/patches/patch-sounds_Makefile.in 1.2
- mail/balsa/patches/patch-src_sendmsg-window.c deleted
---
Module Name: pkgsrc
Committed By: nia
Date: Sun Oct 17 10:08:53 UTC 2021

Modified Files:
	pkgsrc/mail/balsa: Makefile distinfo
	pkgsrc/mail/balsa/patches: patch-sounds_Makefile.in
Removed Files:
	pkgsrc/mail/balsa/patches: patch-src_sendmsg-window.c

Log Message:
balsa: update to 2.6.3

This fixes the STARTTLS-related crash bugs mentioned here:
https://nostarttls.secvuln.info/

* Balsa-2.6.3 release. Release date 2021-08-18
- Improve Autocrypt-related error messages.
- Improvements to communication with GnuPG key servers.
- Create standard-compatible HTML messages.
- Implement sender-dependent HTML message preferences.
- Reuse HTTP connections when rendering HTML messages.
- Do not send empty Reply-To, Cc, etc headers.
- More robust IMAP parser and response handling.
- Code cleanups, platform-dependent build fixes
2021-10-17 | doc: Pullup ticket #6520 | tm | 1 | -1/+4
2021-10-17 | Pullup ticket #6520 - requested by wiz | tm | 3 | -2/+52
databases/sqlite3: segfault fix

Revisions pulled up:
- databases/sqlite3/Makefile 1.142
- databases/sqlite3/distinfo 1.173
- databases/sqlite3/patches/patch-shell.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Oct 17 07:14:27 UTC 2021

Modified Files:
	pkgsrc/databases/sqlite3: Makefile distinfo
Added Files:
	pkgsrc/databases/sqlite3/patches: patch-shell.c

Log Message:
sqlite3: fix (disputed) CVE-2021-36690

Bump PKGREVISION.
2021-10-16 | doc: Pullup ticket #6519 | tm | 1 | -1/+4
2021-10-16 | Pullup ticket #6519 - requested by nia | tm | 2 | -7/+2
graphics/pfstools: build fix

Revisions pulled up:
- graphics/pfstools/Makefile 1.78
- graphics/pfstools/PLIST 1.6
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 16 08:16:07 UTC 2021

Modified Files:
	pkgsrc/graphics/pfstools: Makefile PLIST

Log Message:
pfstools: OpenEXR support is broken. Fix PLIST for now.
2021-10-16 | doc: Pullup ticket #6518 | tm | 1 | -1/+4
2021-10-16 | Pullup ticket #6518 - requested by wiz | tm | 4 | -42/+38
devel/apache-maven: security fix

Revisions pulled up:
- devel/apache-maven/Makefile 1.18
- devel/apache-maven/PLIST 1.12
- devel/apache-maven/distinfo 1.20
- devel/apache-maven/patches/patch-bin_mvn 1.9
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Oct 8 15:08:21 UTC 2021

Modified Files:
	pkgsrc/devel/apache-maven: Makefile PLIST distinfo
	pkgsrc/devel/apache-maven/patches: patch-bin_mvn

Log Message:
apache-maven: update to 3.8.3.

3.8.3

** Bug
* [MNG-7045] - Drop CDI API from Maven
* [MNG-7214] - Bad transitive dependency parent from CDI API
* [MNG-7215] - [Regression] Maven Site Plugin cannot resolve parent site descriptor without locale
* [MNG-7216] - Revert MNG-7170
* [MNG-7218] - [Regression] o.a.m.model.Build.getSourceDirectory() incorrectly returns absolute dir on 3.8.2
* [MNG-7219] - [Regression] plexus-cipher missing from transitive dependencies
* [MNG-7220] - [REGRESSION] test-classpath incorrectly resolved
* [MNG-7251] - Fix threadLocalArtifactsHolder leaking into cloned project
* [MNG-7253] - Relocation message is never shown

** New Feature
* [MNG-7164] - Add constructor MojoExecutionException(Throwable)

** Improvement
* [MNG-7235] - Speed improvements when calculating the sorted project graph
* [MNG-7236] - The DefaultPluginVersionResolver should cache results for the session

** Task
* [MNG-7252] - Fix warnings issued by dependency:analyze
* [MNG-7254] - Expand Windows native libraries for Jansi due to JDK-8195129 (workaround)

3.8.2

** Sub-task
* [MNG-6281] - ArrayIndexOutOfBoundsException caused by pom.xml with invalid/duplicate XML

** Bug
* [MNG-4706] - Multithreaded building can create bad files for downloaded artifacts in local repository
* [MNG-5307] - NPE during resolution of dependencies - parallel mode
* [MNG-5315] - Artifact resolution sporadically fails in parallel builds
* [MNG-5838] - Maven on No-File-Lock Systems
* [MNG-5868] - Adding serval times the same artifact via MavenProjectHelper (attachArtifact) keep adding to the List duplicate artifacts
* [MNG-6071] - GetResource ('/) returns 'null' if build is started with -f
* [MNG-6216] - ArrayIndexOutOfBoundsException when parsing POM
* [MNG-6239] - Jansi messes up System.err and System.out
* [MNG-6380] - Option -Dstyle.color=always doesn't force color output
* [MNG-6604] - Intermittent failures while downloading GAVs from Nexus
* [MNG-6648] - 'mavenrc_pre' script does not receive arguments like mavenrc in Bourne shell does
* [MNG-6719] - mvn color output escape keys w/ "| tee xxx.log" on Win with git/bash
* [MNG-6737] - StackOverflowError when version ranges are unsolvable and graph contains a cycle
* [MNG-6767] - Plugin with ${project.groupId} resolved improperly
* [MNG-6819] - NullPointerException for DefaultArtifactDescriptorReader.loadPom
* [MNG-6828] - DependencyResolutionException breaks serialization
* [MNG-6842] - ProjectBuilderTest uses Guava, but Guava is not defined in dependencies
* [MNG-6843] - Parallel build fails due to missing JAR artifacts in compilePath
* [MNG-6850] - Prevent printing the EXEC_DIR when it's just a disk letter
* [MNG-6921] - Maven compile with properties ${artifactId} and ${project.build.finalName} occurs java.lang.NullPointerException
* [MNG-6937] - StringSearchModelInterpolatorTest fails on symlinked paths
* [MNG-6964] - Maven version sorting is internally inconsistent
* [MNG-6983] - Plugin key can get out of sync with artifactId and groupId
* [MNG-7000] - metadata.mdo contains invalid link to schema
* [MNG-7032] - Option -B still showing formatting when used with --version
* [MNG-7034] - StackOverflowError thrown if a cycle exists in BOM imports
* [MNG-7090] - mvnDebug does not work on Java 11+
* [MNG-7127] - NullPointerException in MavenCliTest.testStyleColors in JDK 16
* [MNG-7155] - make sources jar reproducible (upgrade maven-source-plugin to 3.2.1)
* [MNG-7161] - Error thrown during uninstalling of JAnsi

** New Feature
* [MNG-7149] - Introduce MAVEN_DEBUG_ADDRESS in mvnDebug scripts

** Improvement
* [MNG-2802] - Concurrent-safe access to local Maven repository
* [MNG-6471] - Parallel builder should use the module name as thread name
* [MNG-6754] - Set the same timestamp in multi module builds
* [MNG-6810] - Remove profiles in maven-model
* [MNG-6811] - Remove unnecessary filtering configuration
* [MNG-6816] - Prefer System.lineSeparator() over system properties
* [MNG-6827] - Replace deprecated StringUtils#defaultString() from Plexus Utils
* [MNG-6837] - Simplify detection of the MAVEN_HOME and make it fully qualified on Windows
* [MNG-6844] - Use StandardCharsets and remove outdated @SuppressWarnings
* [MNG-6853] - Don't box primitives where it's not needed
* [MNG-6859] - Build not easily reproducible when built from source release archive
* [MNG-6873] - Inconsistent library versions notice
* [MNG-6967] - Improve the command line output from maven-artifact
* [MNG-6987] - Reorder groupId before artifactId when writing an exclusion using maven-model
* [MNG-7010] - Omit "NB: JAVA_HOME should point to a JDK not a JRE" except when that is the problem
* [MNG-7064] - Use HTTPS for schema location in global settings.xml
* [MNG-7080] - Add a --color option
* [MNG-7170] - Allow to associate pomFile/${basedir} with DefaultProjectBuilder.build(ModelSource, ...)
* [MNG-7180] - Make --color option behave more like BSD/GNU grep's --color option
* [MNG-7181] - Make --version support -q
* [MNG-7185] - Describe explicit and recommended version for VersionRange.createFromVersionSpec()
* [MNG-7190] - Load mavenrc from /usr/local/etc also in Bourne shell script

** Task
* [MNG-6598] - Maven 3.6.0 and Surefire problem
* [MNG-6884] - Cleanup POM File after version upgrade
* [MNG-7172] - Remove expansion of Jansi native libraries
* [MNG-7184] - document .mavenrc/maven_pre.bat|cmd scripts and MAVEN_SKIP_RC environment variable

3.8.1

This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh and Olaf Flebbe.

One of the changes that might impact your builds is the way custom repositories defined in dependency POMs will be handled. By default external insecure repositories will now be blocked (localhost over HTTP will still work). Configuration can be adjusted via the conf/settings.xml.

Release Notes - Maven - Version 3.8.1

** Bug
* [MNG-7128] - improve error message when blocked repository defined in build POM

** New Feature
* [MNG-7116] - Add support for mirror selector on external:http:*
* [MNG-7117] - Add support for blocking mirrors
* [MNG-7118] - Block external HTTP repositories by default

** Dependency upgrade
* [MNG-7119] - Upgrade Maven Wagon to 3.4.3
* [MNG-7123] - Upgrade Maven Resolver to 1.6.2
2021-10-16 | doc: Pullup ticket #6517 | tm | 1 | -1/+4
2021-10-16 | Pullup ticket #6517 - requested by wiz | tm | 3 | -3/+30
devel/ncurses: security fix

Revisions pulled up:
- devel/ncurses/Makefile 1.111
- devel/ncurses/distinfo 1.48
- devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Oct 9 07:52:36 UTC 2021

Modified Files:
	pkgsrc/devel/ncurses: Makefile distinfo
Added Files:
	pkgsrc/devel/ncurses/patches: patch-ncurses_tinfo_captoinfo.c

Log Message:
ncurses: fix for CVE-2021-39537 from upstream

Many thanks to Thomas Dickey for help in tracking down the bugfix patch!

PKGREVISION++
2021-10-16 | doc: Pullup ticket #6516 | tm | 1 | -1/+5
2021-10-16 | Pullup ticket #6516 - requested by wiz | tm | 5 | -3/+39
multimedia/libmediainfo: security fix
multimedia/mediainfo: security fix

Revisions pulled up:
- multimedia/libmediainfo/Makefile 1.8
- multimedia/mediainfo/Makefile 1.15
- multimedia/mediainfo/distinfo 1.17
- multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp 1.1
- multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Oct 14 07:03:02 UTC 2021

Modified Files:
	pkgsrc/multimedia/libmediainfo: Makefile
	pkgsrc/multimedia/mediainfo: Makefile distinfo
Added Files:
	pkgsrc/multimedia/mediainfo/patches: patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp

Log Message:
mediainfo: fix two CVEs using upstream patches

Bump PKGREVISION
2021-10-16 | doc: Pullup ticket #6515 | tm | 1 | -1/+4
2021-10-16 | Pullup ticket #6515 - requested by wiz | tm | 3 | -3/+32
databases/p5-DBI: security fix

Revisions pulled up:
- databases/p5-DBI/Makefile 1.87
- databases/p5-DBI/distinfo 1.54
- databases/p5-DBI/patches/patch-lib_DBD_File.pm 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Oct 14 07:08:58 UTC 2021

Modified Files:
	pkgsrc/databases/p5-DBI: Makefile distinfo
Added Files:
	pkgsrc/databases/p5-DBI/patches: patch-lib_DBD_File.pm

Log Message:
p5-DBI: fix CVE-2014-10402

Bump PKGREVISION
2021-10-16 | doc: Pullup ticket #6514 | tm | 1 | -1/+4
2021-10-16 | Pullup ticket #6514 - requested by wiz | tm | 4 | -24/+12
mail/neomutt: security fix

Revisions pulled up:
- mail/neomutt/Makefile 1.69
- mail/neomutt/PLIST 1.23
- mail/neomutt/distinfo 1.53
- mail/neomutt/patches/patch-resize.c deleted
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Oct 15 11:43:54 UTC 2021

Modified Files:
	pkgsrc/mail/neomutt: Makefile PLIST distinfo
Removed Files:
	pkgsrc/mail/neomutt/patches: patch-resize.c

Log Message:
neomutt: update to 20211015.

* Security
  - Fix CVE-2021-32055
* Features
  - threads: implement the `$use_threads` feature https://neomutt.org/feature/use-threads
  - hooks: allow a -noregex param to folder and mbox hooks
  - mailing lists: implement list-(un)subscribe using RFC2369 headers
  - mailcap: implement x-neomutt-nowrap flag
  - pager: add `$local_date_header` option
  - imap, smtp: add support for authenticating using XOAUTH2
  - Allow `<sync-mailbox>` to fail quietly
  - imap: speed up server-side searches
  - pager: improve skip-quoted and skip-headers
  - notmuch: open database with user's configuration
  - notmuch: implement `<vfolder-window-reset>`
  - config: allow += modification of my_ variables
  - notmuch: tolerate file renames behind neomutt's back
  - pager: implement `$pager_read_delay`
  - notmuch: validate `nm_query_window_timebase`
  - notmuch: make $nm_record work in non-notmuch mailboxes
  - compose: add `$greeting` - a welcome message on top of emails
  - notmuch: show additional mail in query windows
* Changed Config
  - Renamed lots of config, e.g. `askbcc` to `ask_bcc`.
* Bug Fixes
  - imap: fix crash on external IMAP events
  - notmuch: handle missing libnotmuch version bumps
  - imap: add sanity check for qresync
  - notmuch: allow windows with 0 duration
  - index: fix index selection on `<collapse-all>`
  - imap: fix crash when sync'ing labels
  - search: fix searching by Message-Id in `<mark-message>`
  - threads: fix double sorting of threads
  - stats: don't check mailbox stats unless told
  - alias: fix crash on empty query
  - pager: honor mid-message config changes
  - mailbox: don't propagate read-only state across reopens
  - hcache: fix caching new labels in the header cache
  - crypto: set invalidity flags for gpgme/smime keys
  - notmuch: fix parsing of multiple `type=`
  - notmuch: validate $nm_default_url
  - messages: avoid unnecessary opening of messages
  - imap: fix seqset iterator when it ends in a comma
  - build: refuse to build without pcre2 when pcre2 is linked in ncurses
* Translation updates
2021-10-14 | doc: removed duplicate entry, Pullup ticket #6513 | tm | 1 | -4/+1
2021-10-13 | doc: Pullup ticket #6513 | tm | 1 | -1/+7
2021-10-13 | Pullup ticket #6513 - requested by gutteridge | tm | 14 | -24/+1010
lang/python27: security fix

Revisions pulled up:
- lang/python27/Makefile 1.94
- lang/python27/distinfo 1.85
- lang/python27/patches/patch-Doc_library_cgi.rst 1.1
- lang/python27/patches/patch-Doc_library_urlparse.rst 1.1
- lang/python27/patches/patch-Lib_cgi.py 1.1
- lang/python27/patches/patch-Lib_ctypes_test_test__parameters.py 1.1
- lang/python27/patches/patch-Lib_httplib.py 1.4
- lang/python27/patches/patch-Lib_test_multibytecodec__support.py 1.1
- lang/python27/patches/patch-Lib_test_test__cgi.py 1.1
- lang/python27/patches/patch-Lib_test_test__httplib.py 1.4
- lang/python27/patches/patch-Lib_test_test__urlparse.py 1.1
- lang/python27/patches/patch-Lib_urllib2.py 1.3
- lang/python27/patches/patch-Lib_urlparse.py 1.1
- lang/python27/patches/patch-Modules___ctypes_callproc.c 1.2
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Sun Oct 10 03:00:59 UTC 2021

Modified Files:
	pkgsrc/lang/python27: Makefile distinfo
	pkgsrc/lang/python27/patches: patch-Lib_httplib.py patch-Lib_test_test__httplib.py patch-Lib_urllib2.py patch-Modules___ctypes_callproc.c
Added Files:
	pkgsrc/lang/python27/patches: patch-Doc_library_cgi.rst patch-Doc_library_urlparse.rst patch-Lib_cgi.py patch-Lib_ctypes_test_test__parameters.py patch-Lib_test_multibytecodec__support.py patch-Lib_test_test__cgi.py patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py

Log Message:
python27: fix various security issues

Addresses CVE-2020-27619, CVE-2021-3177, CVE-2021-3733, CVE-2021-3737 and CVE-2021-23336. Patches mostly sourced via Fedora.
2021-10-13 | doc: Pullup ticket #6512 | tm | 1 | -1/+4
2021-10-13 | Pullup ticket #6512 - requested by mlelstv | tm | 4 | -17/+21
print/ghostscript-agpl: pullup and build fix

Revisions pulled up:
- print/ghostscript-agpl/Makefile.common 1.25
- print/ghostscript-agpl/PLIST 1.20
- print/ghostscript-agpl/distinfo 1.37
- print/ghostscript-agpl/patches/patch-configure 1.8
2021-10-11 | Pullup tickets up to #6511 | bsiegert | 1 | -1/+12
2021-10-11 | Pullup ticket #6511 - requested by tm | bsiegert | 2 | -8/+7
databases/hiredis: security fix

Revisions pulled up:
- databases/hiredis/Makefile 1.8-1.9
- databases/hiredis/distinfo 1.11,1.13
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Oct 5 12:14:54 UTC 2021

Modified Files:
	pkgsrc/databases/hiredis: Makefile distinfo

Log Message:
hiredis: updated to 1.0.1

1.0.1
Fix for CVE-2021-32765 commit
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Oct 8 06:46:02 UTC 2021

Modified Files:
	pkgsrc/databases/hiredis: Makefile distinfo

Log Message:
hiredis: updated to 1.0.2

1.0.2:
Announcing Hiredis v1.0.2, which fixes CVE-2021-32765 but returns the SONAME to the correct value of 1.0.0.
2021-10-11 | Pullup ticket #6509 - requested by nia | bsiegert | 4 | -380/+285
www/firefox91: security fix
www/firefox91-l10n: dependent update

Revisions pulled up:
- www/firefox91-l10n/Makefile 1.3
- www/firefox91-l10n/distinfo 1.4
- www/firefox91/Makefile 1.6
- www/firefox91/distinfo 1.4
---
Module Name: pkgsrc
Committed By: nia
Date: Fri Oct 8 14:41:35 UTC 2021

Modified Files:
	pkgsrc/www/firefox91: Makefile distinfo
	pkgsrc/www/firefox91-l10n: Makefile distinfo

Log Message:
firefox91: Update to 91.2.0

Security Vulnerabilities fixed in Firefox ESR 91.2

#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
2021-10-09 | Pullup ticket #6508 - requested by nia | bsiegert | 5 | -382/+288
www/firefox78: security fix
www/firefox78-l10n: dependent update

Revisions pulled up:
- www/firefox78-l10n/Makefile 1.18
- www/firefox78-l10n/distinfo 1.19
- www/firefox78/Makefile 1.37
- www/firefox78/PLIST 1.5
- www/firefox78/distinfo 1.22
---
Module Name: pkgsrc
Committed By: nia
Date: Fri Oct 8 14:09:56 UTC 2021

Modified Files:
	pkgsrc/www/firefox78: Makefile PLIST distinfo
	pkgsrc/www/firefox78-l10n: Makefile distinfo

Log Message:
firefox78-l10n: update to 78.15.0

Security Vulnerabilities fixed in Firefox ESR 78.15

#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
2021-10-09 | doc: Pullup ticket #6510 | tm | 1 | -1/+4