Age | Commit message | Author | Files | Lines
2022-06-13 | Pullup ticket #6646 (pkgsrc-2022Q1) | bsiegert | 1 | -1/+4
2022-06-13 | Pullup ticket #6646 - requested by nia | bsiegert | 3 | -9/+8

graphics/gdk-pixbuf2: security fix

Revisions pulled up:
- graphics/gdk-pixbuf2/Makefile 1.53
- graphics/gdk-pixbuf2/PLIST 1.22
- graphics/gdk-pixbuf2/distinfo 1.51

---
Module Name: pkgsrc
Committed By: nia
Date: Sat Jun 11 12:46:06 UTC 2022

Modified Files:
    pkgsrc/graphics/gdk-pixbuf2: Makefile PLIST distinfo

Log Message:
gdk-pixbuf2: update to 2.42.8

2.42.8 (stable)
===

- Clear the pixbuf's memory buffer to avoid returning uninitialized memory
- Turn GdkPixbufModule functions into typed callbacks
- tiff: Use non-deprecated C99 integer types
- gif: Check for overflow when compositing or clearing frames
- Change png/jpeg/tiff build options from boolean to feature
- jpeg: Do not rely on UB around setjmp/longjmp
- Build fixes
- Documentation fixes
- Translation updates
2022-06-11 | Pullup tickets #6643 to #6645 | bsiegert | 1 | -1/+10
2022-06-11 | Pullup ticket #6645 - requested by taca | bsiegert | 2 | -6/+6

www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile 1.111
- www/apache24/distinfo 1.53

---
Module Name: pkgsrc
Committed By: adam
Date: Thu Jun 9 18:15:51 UTC 2022

Modified Files:
    pkgsrc/www/apache24: Makefile distinfo

Log Message:
apache24: updated to 2.4.54

Changes with Apache 2.4.54

*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
   Credits: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue

*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with websockets (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
   Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-30522: mod_sed denial of service (cve.mitre.org)
   If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
   Credits: This issue was found by Brian Moussalli from the JFrog Security Research team

*) SECURITY: CVE-2022-29404: Denial of service in mod_lua r:parsebody (cve.mitre.org)
   In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
   Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28615: Read beyond bounds in ap_strcmp_match() (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
   Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite() (cve.mitre.org)
   The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.
   Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
   Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request smuggling (cve.mitre.org)
   Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
   Credits: Ricter Z @ 360 Noah Lab

*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) mod_md: a bug was fixed that caused very large MDomains with the combined DNS names exceeding ~7k to fail, as request bodies would contain partially wrong data from uninitialized memory. This would have appeared as failure in signing-up/renewing such configurations.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) MPM event: Restart children processes killed before idle maintenance.

*) ab: Allow for TLSv1.3 when the SSL library supports it.

*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce transmission delays.

*) MPM event: Fix accounting of active/total processes on ungraceful restart,

*) core: make ap_escape_quotes() work correctly on strings with more than MAX_INT/2 characters, counting quotes double. Credit to <generalbugs@zippenhop.com> for finding this.

*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of an ACME CA. This gives a failover for renewals when several consecutive attempts to get a certificate failed.
   A new directive was added: `MDRetryDelay` sets the delay of retries.
   A new directive was added: `MDRetryFailover` sets the number of errored attempts before an alternate CA is selected for certificate renewals.

*) mod_http2: remove unused and insecure code.

*) mod_proxy: Add backend port to log messages to ease identification of involved service.

*) mod_http2: removing unscheduling of ongoing tasks when connection shows potential abuse by a client. This proved counter-productive and the abuse detection can false flag requests using server-side-events. Fixes <https://github.com/icing/mod_h2/issues/231>.

*) mod_md: Implement full auto status ("key: value" type status output). Especially not only status summary counts for certificates and OCSP stapling but also lists. Auto status format is similar to what was used for mod_proxy_balancer.

*) mod_md: fixed a bug leading to failed transfers for OCSP stapling information when more than 6 certificates needed updates in the same run.

*) mod_proxy: Set a status code of 502 in case the backend just closed the connection in reply to our forwarded request.

*) mod_md: a possible NULL pointer deref was fixed in the JSON code for persisting time periods (start+end). Fixes #282 on mod_md's github. Thanks to @marcstern for finding this.

*) mod_heartmonitor: Set the documented default value "10" for HeartbeatMaxServers instead of "0". With "0" no shared memory slotmem was initialized.

*) mod_md: added support for managing certificates via a local tailscale daemon for users of that secure networking. This gives trusted certificates for tailscale assigned domain names in the *.ts.net space.
2022-06-11 | Pullup ticket #6644 - requested by taca | bsiegert | 2 | -6/+6

www/ruby-rack: security fix

Revisions pulled up:
- www/ruby-rack/Makefile 1.30
- www/ruby-rack/distinfo 1.28

---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 28 09:55:51 UTC 2022

Modified Files:
    pkgsrc/www/ruby-rack: Makefile distinfo

Log Message:
www/ruby-rack: update to 2.2.3.1

2.2.3.1 (2022-05-27)

* [CVE-2022-30123] Fix shell escaping issue in Common Logger
* [CVE-2022-30122] Restrict parsing of broken MIME attachments
2022-06-11 | Pullup ticket #6643 - requested by taca | bsiegert | 2 | -2/+6

security/clamav-doc: build fix after pullup #6625

Revisions pulled up:
- security/clamav-doc/Makefile 1.7
- security/clamav-doc/PLIST 1.9

---
Module Name: pkgsrc
Committed By: wiz
Date: Sun May 15 04:46:32 UTC 2022

Modified Files:
    pkgsrc/security/clamav-doc: Makefile PLIST

Log Message:
clamav-doc: fix PLIST

Bump PKGREVISION.
2022-06-11 | Forgot to commit the changelog for my last batch of pullups | bsiegert | 1 | -1/+16
2022-06-05 | tickets #6635 #6636 #6639 #6640 #6641 #6642 | spz | 1 | -1/+19
2022-06-05 | Pullup ticket #6642 - requested by nia | spz | 1 | -1/+3

lang/gcc6: build fix

Revisions pulled up:
- lang/gcc6/Makefile 1.36

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Sat May 21 12:21:44 UTC 2022

Modified Files:
    pkgsrc/lang/gcc6: Makefile

Log Message:
gcc6: workaround: get this at least building by disabling RELRO

To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 pkgsrc/lang/gcc6/Makefile
2022-06-05 | Pullup ticket #6641 - requested by nia | spz | 4 | -14/+17

databases/mariadb105-client: security update
databases/mariadb105-server: security update

Revisions pulled up:
- databases/mariadb105-client/Makefile.common 1.16
- databases/mariadb105-client/distinfo 1.13
- databases/mariadb105-client/patches/patch-CMakeLists.txt 1.2
- databases/mariadb105-server/Makefile 1.25
- databases/mariadb105-server/PLIST 1.10

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Sat May 21 10:38:26 UTC 2022

Modified Files:
    pkgsrc/databases/mariadb105-client: Makefile.common distinfo
    pkgsrc/databases/mariadb105-client/patches: patch-CMakeLists.txt
    pkgsrc/databases/mariadb105-server: Makefile PLIST

Log Message:
mariadb105: Update to 10.5.16

MariaDB 10.5.16 Release Notes

Notable Items

InnoDB
* innodb_disallow_writes removed (MDEV-25975)
* InnoDB gap locking fixes (MDEV-20605, MDEV-28422)
* InnoDB performance improvements (MDEV-27557, MDEV-28185)

Replication
* Server initialization time gtid_slave_pos purge related reason of crashing in binlog background thread is removed (MDEV-26473)
* Shutdown of the semisync master can't produce inconsistent state anymore (MDEV-11853)
* Binlogs disappear after rsync IST (MDEV-28583)
* autocommit=0 slave hang is eliminated (DBAAS-7828)
* master crash is eliminated in compressed semisync replication protocol with packet counting amendment (MDEV-25580)
* OPTIMIZE on a sequence does not cause counterfactual ER_BINLOG_UNSAFE_STATEMENT anymore (MDEV-24617)
* Automatically generated Gtid_log_list_event is made to recognize within replication event group as a formal member (MDEV-28550)
* Replication unsafe INSERT .. ON DUPLICATE KEY UPDATE using two or more unique key values at a time with MIXED format binlogging is corrected (MDEV-28310)
* Replication unsafe INSERT .. ON DUPLICATE KEY UPDATE stops issuing unnecessary "Unsafe statement" with MIXED binlog format (MDEV-21810)
* Incomplete replication event groups are detected to error out by the slave IO thread (MDEV-27697)
* mysqlbinlog --stop-never --raw now flushes the result file to disk after each processed event so the file can be listed with the actual bytes (MDEV-14608)

Backup
* Incorrect binlogs after Galera SST using rsync and mariabackup (MDEV-27524)
* mariabackup does not detect multi-source replication slave (MDEV-21037)
* Useless warning "InnoDB: Allocated tablespace ID <id> for <tablename>, old maximum was 0" during backup stage (MDEV-27343)
* mariabackup prepare fails for incrementals if a new schema is created after full backup is taken (MDEV-28446)

Optimizer
* A SEGV in Item_field::used_tables/update_depend_map_for_order... (MDEV-26402)
* ANALYZE FORMAT=JSON fields are incorrect for UNION ALL queries (MDEV-27699)
* Subquery in an UPDATE query uses full scan instead of range (MDEV-22377)
* Assertion `item1->type() = Item::FIELD_ITEM ... (MDEV-19398)
* Server crashes in Expression_cache_tracker::fetch_current_stats (MDEV-28268)
* MariaDB server crash at Item_subselect::init_expr_cache_tracker (MDEV-26164, MDEV-26047)
* Crash with union of my_decimal type in ORDER BY clause (MDEV-25994)
* SIGSEGV in st_join_table::cleanup (MDEV-24560)
* Assertion `!eliminated' failed in Item_subselect::exec (MDEV-28437)

General
* Server error messages are now available in Chinese (MDEV-28227)
* For RHEL/CentOS 7, non x86_64 architectures are no longer supported upstream and so our support will also be dropped with this release

Security
* Fixes for the following security vulnerabilities:
  * CVE-2022-27376
  * CVE-2022-27377
  * CVE-2022-27378
  * CVE-2022-27379
  * CVE-2022-27380
  * CVE-2022-27381
  * CVE-2022-27382
  * CVE-2022-27383
  * CVE-2022-27384
  * CVE-2022-27386
  * CVE-2022-27387
  * CVE-2022-27444
  * CVE-2022-27445
  * CVE-2022-27446
  * CVE-2022-27447
  * CVE-2022-27448
  * CVE-2022-27449
  * CVE-2022-27451
  * CVE-2022-27452
  * CVE-2022-27455
  * CVE-2022-27456
  * CVE-2022-27457
  * CVE-2022-27458

To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/databases/mariadb105-client/Makefile.common
cvs rdiff -u -r1.12 -r1.13 pkgsrc/databases/mariadb105-client/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/databases/mariadb105-client/patches/patch-CMakeLists.txt
cvs rdiff -u -r1.24 -r1.25 pkgsrc/databases/mariadb105-server/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/databases/mariadb105-server/PLIST
2022-06-05 | Pullup ticket #6640 - requested by nia | spz | 5 | -20/+23

databases/mariadb106-client: security update
databases/mariadb106-server: security update

Revisions pulled up:
- databases/mariadb106-client/Makefile.common 1.8
- databases/mariadb106-client/distinfo 1.9
- databases/mariadb106-client/patches/patch-CMakeLists.txt 1.3
- databases/mariadb106-client/patches/patch-storage_innobase_include_transactional__lock__guard.h 1.3
- databases/mariadb106-server/Makefile 1.15
- databases/mariadb106-server/PLIST 1.7

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Sat May 21 09:36:03 UTC 2022

Modified Files:
    pkgsrc/databases/mariadb106-client: Makefile.common distinfo
    pkgsrc/databases/mariadb106-client/patches: patch-CMakeLists.txt
        patch-storage_innobase_include_transactional__lock__guard.h
    pkgsrc/databases/mariadb106-server: Makefile PLIST

Log Message:
mariadb106: update to 10.6.8

MariaDB 10.6.8 Release Notes

Notable Items

InnoDB
* innodb_disallow_writes removed (MDEV-25975)
* InnoDB gap locking fixes (MDEV-20605, MDEV-28422)
* InnoDB performance improvements (MDEV-27557, MDEV-28185, MDEV-27767, MDEV-28313, MDEV-28137, MDEV-28465, MDEV-26789)
* Backup regression fixes (MDEV-27919)
* InnoDB portability: FreeBSD futexes (MDEV-26476), POWER and s390x transactional memory (MDEV-27956)
* ALTER TABLE: Fixed bogus duplicate key errors (MDEV-15250)
* DDL and crash recovery fixes (MDEV-27274, MDEV-27234, MDEV-27817)
* Requests to recalculate persistent statistics were sometimes lost (MDEV-27805)

Replication
* Semisync-slave server recovery is refined to correctly rollback prepared transaction (MDEV-28461)
* Circular semisync setup endless event circulation is handled (MDEV-27760)
* Semisync-slave server recovery is extended to work on new server_id server (MDEV-27342)
* Server initialization time gtid_slave_pos purge related reason of crashing in binlog background thread is removed (MDEV-26473)
* Shutdown of the semisync master can't produce inconsistent state anymore (MDEV-11853)
* Binlogs disappear after rsync IST (MDEV-28583)
* autocommit=0 slave hang is eliminated (DBAAS-7828)
* master crash is eliminated in compressed semisync replication protocol with packet counting amendment (MDEV-25580)
* OPTIMIZE on a sequence does not cause counterfactual ER_BINLOG_UNSAFE_STATEMENT anymore (MDEV-24617)
* Automatically generated Gtid_log_list_event is made to recognize within replication event group as a formal member (MDEV-28550)
* Replication unsafe INSERT .. ON DUPLICATE KEY UPDATE using two or more unique key values at a time with MIXED format binlogging is corrected (MDEV-28310)
* Replication unsafe INSERT .. ON DUPLICATE KEY UPDATE stops issuing unnecessary "Unsafe statement" with MIXED binlog format (MDEV-21810)
* Incomplete replication event groups are detected to error out by the slave IO thread (MDEV-27697)
* mysqlbinlog --stop-never --raw now flushes the result file to disk after each processed event so the file can be listed with the actual bytes (MDEV-14608)

Backup
* Incorrect binlogs after Galera SST using rsync and mariabackup (MDEV-27524)
* mariabackup does not detect multi-source replication slave (MDEV-21037)
* Useless warning "InnoDB: Allocated tablespace ID <id> for <tablename>, old maximum was 0" during backup stage (MDEV-27343)
* mariabackup prepare fails for incrementals if a new schema is created after full backup is taken (MDEV-28446)

Optimizer
* Query performance degradation in newer MariaDB versions when using many tables (MDEV-28073)
* A SEGV in Item_field::used_tables/update_depend_map_for_order... (MDEV-26402)
* ANALYZE FORMAT=JSON fields are incorrect for UNION ALL queries (MDEV-27699)
* Subquery in an UPDATE query uses full scan instead of range (MDEV-22377)
* Assertion `item1->type() = Item::FIELD_ITEM ... (MDEV-19398)
* Server crashes in Expression_cache_tracker::fetch_current_stats (MDEV-28268)
* MariaDB server crash at Item_subselect::init_expr_cache_tracker (MDEV-26164, MDEV-26047)
* Crash with union of my_decimal type in ORDER BY clause (MDEV-25994)
* SIGSEGV in st_join_table::cleanup (MDEV-24560)
* Assertion `!eliminated' failed in Item_subselect::exec (MDEV-28437)

General
* Server error messages are now available in Chinese (MDEV-28227)
* For RHEL/CentOS 7, non x86_64 architectures are no longer supported upstream and so our support will also be dropped with this release
* Packages for Ubuntu 22.04 LTS "Jammy" and Fedora 36 are not yet available pending the resolution of MDEV-28133: Backport OpenSSL-3.0 compatibility to 10.6 branch

Security
* Fixes for the following security vulnerabilities:
  * CVE-2022-27376
  * CVE-2022-27377
  * CVE-2022-27378
  * CVE-2022-27379
  * CVE-2022-27380
  * CVE-2022-27381
  * CVE-2022-27382
  * CVE-2022-27383
  * CVE-2022-27384
  * CVE-2022-27386
  * CVE-2022-27387
  * CVE-2022-27444
  * CVE-2022-27445
  * CVE-2022-27446
  * CVE-2022-27447
  * CVE-2022-27448
  * CVE-2022-27449
  * CVE-2022-27451
  * CVE-2022-27452
  * CVE-2022-27455
  * CVE-2022-27456
  * CVE-2022-27457
  * CVE-2022-27458

To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/databases/mariadb106-client/Makefile.common
cvs rdiff -u -r1.8 -r1.9 pkgsrc/databases/mariadb106-client/distinfo
cvs rdiff -u -r1.2 -r1.3 \
    pkgsrc/databases/mariadb106-client/patches/patch-CMakeLists.txt \
    pkgsrc/databases/mariadb106-client/patches/patch-storage_innobase_include_transactional__lock__guard.h
cvs rdiff -u -r1.14 -r1.15 pkgsrc/databases/mariadb106-server/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/databases/mariadb106-server/PLIST
2022-06-05 | Pullup ticket #6639 - requested by nia | spz | 2 | -4/+15

print/poppler: build fix

Revisions pulled up:
- print/poppler/Makefile.common 1.134
- print/poppler/buildlink3.mk 1.90

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Sat May 21 07:43:57 UTC 2022

Modified Files:
    pkgsrc/print/poppler: Makefile.common buildlink3.mk

Log Message:
poppler: Bump GCC requirement to GCC 7, it wants std::optional.

To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 pkgsrc/print/poppler/Makefile.common
cvs rdiff -u -r1.89 -r1.90 pkgsrc/print/poppler/buildlink3.mk
2022-06-05 | Pullup ticket #6636 - requested by nia | spz | 2 | -279/+279

www/firefox91-l10n: dependency update

Revisions pulled up:
- www/firefox91-l10n/Makefile 1.11
- www/firefox91-l10n/distinfo 1.13

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Mon May 16 21:21:29 UTC 2022

Modified Files:
    pkgsrc/www/firefox91-l10n: Makefile distinfo

Log Message:
firefox91-l10n: sync with firefox91

To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/www/firefox91-l10n/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/firefox91-l10n/distinfo
2022-06-05 | Pullup ticket #6635 - requested by nia | spz | 3 | -10/+21

www/firefox91: security update

Revisions pulled up:
- www/firefox91/Makefile 1.18
- www/firefox91/distinfo 1.13
- www/firefox91/patches/patch-browser_app_profile_firefox.js 1.2

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: nia
Date: Mon May 16 21:16:00 UTC 2022

Modified Files:
    pkgsrc/www/firefox91: Makefile distinfo
    pkgsrc/www/firefox91/patches: patch-browser_app_profile_firefox.js

Log Message:
firefox91: update to 91.9.0

Security Vulnerabilities fixed in Firefox ESR 91.9

#CVE-2022-29914: Fullscreen notification bypass using popups
#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
#CVE-2022-29916: Leaking browser history with CSS variables
#CVE-2022-29911: iframe Sandbox bypass
#CVE-2022-29912: Reader mode bypassed SameSite cookies
#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/www/firefox91/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/firefox91/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/www/firefox91/patches/patch-browser_app_profile_firefox.js
2022-06-04 | pullups #6628 #6629 #6630 #6631 | spz | 1 | -1/+63
2022-06-04 | Pullup ticket #6631 - requested by taca | spz | 15 | -56/+56

databases/ruby-activerecord70: security update
devel/ruby-activejob70: security update
devel/ruby-activemodel70: security update
devel/ruby-activestorage70: security update
devel/ruby-activesupport70: security update
devel/ruby-railties70: security update
lang/ruby: version info update
mail/ruby-actionmailbox70: security update
mail/ruby-actionmailer70: security update
textproc/ruby-actiontext70: security update
www/ruby-actioncable70: security update
www/ruby-actionpack70: security update
www/ruby-actionview70: security update
www/ruby-rails70: security update

Revisions pulled up:
- databases/ruby-activerecord70/distinfo 1.5
- devel/ruby-activejob70/distinfo 1.5
- devel/ruby-activemodel70/distinfo 1.5
- devel/ruby-activestorage70/Makefile 1.4
- devel/ruby-activestorage70/distinfo 1.5
- devel/ruby-activesupport70/distinfo 1.5
- devel/ruby-railties70/distinfo 1.5
- lang/ruby/rails.mk 1.122
- mail/ruby-actionmailbox70/distinfo 1.5
- mail/ruby-actionmailer70/distinfo 1.5
- textproc/ruby-actiontext70/distinfo 1.5
- www/ruby-actioncable70/distinfo 1.5
- www/ruby-actionpack70/distinfo 1.5
- www/ruby-actionview70/distinfo 1.5
- www/ruby-rails70/distinfo 1.5

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:39:02 UTC 2022

Modified Files:
    pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby/rails.mk: start update of Ruby on Rails to 7.0.2.4

To generate a diff of this commit:
cvs rdiff -u -r1.121 -r1.122 pkgsrc/lang/ruby/rails.mk

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:39:53 UTC 2022

Modified Files:
    pkgsrc/devel/ruby-activesupport70: distinfo

Log Message:
devel/ruby-activesupport70: update to 7.0.2.4

## Rails 7.0.2.4 (April 26, 2022) ##

* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activesupport70/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:40:27 UTC 2022

Modified Files:
    pkgsrc/www/ruby-actionview70: distinfo

Log Message:
www/ruby-actionview70: update to 7.0.2.4

## Rails 7.0.2.4 (April 26, 2022) ##

* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-actionview70/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:40:53 UTC 2022

Modified Files:
    pkgsrc/www/ruby-actionpack70: distinfo

Log Message:
www/ruby-actionpack70: update to 7.0.2.4

## Rails 7.0.2.4 (April 26, 2022) ##

* Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-actionpack70/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:41:42 UTC 2022

Modified Files:
    pkgsrc/databases/ruby-activerecord70: distinfo
    pkgsrc/devel/ruby-activejob70: distinfo
    pkgsrc/devel/ruby-activemodel70: distinfo
    pkgsrc/devel/ruby-activestorage70: Makefile distinfo
    pkgsrc/devel/ruby-railties70: distinfo
    pkgsrc/mail/ruby-actionmailbox70: distinfo
    pkgsrc/mail/ruby-actionmailer70: distinfo
    pkgsrc/textproc/ruby-actiontext70: distinfo
    pkgsrc/www/ruby-actioncable70: distinfo
    pkgsrc/www/ruby-rails70: distinfo

Log Message:
Update rest of Ruby on Rails 70 components.

No change except version.

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/databases/ruby-activerecord70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activejob70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activemodel70/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/ruby-activestorage70/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activestorage70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-railties70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/mail/ruby-actionmailbox70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/mail/ruby-actionmailer70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/textproc/ruby-actiontext70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-actioncable70/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-rails70/distinfo
2022-06-04 | Pullup ticket #6630 - requested by taca | spz | 18 | -60/+62

databases/ruby-activerecord61: security update
devel/ruby-activejob61: security update
devel/ruby-activemodel61: security update
devel/ruby-activestorage61: security update
devel/ruby-activesupport61: security update
devel/ruby-railties61: security update
lang/ruby: version info update
mail/ruby-actionmailbox61: security update
mail/ruby-actionmailer61: security update
textproc/ruby-actiontext61: security update
www/ruby-actioncable61: security update
www/ruby-actionpack61: security update
www/ruby-actionview61: security update
www/ruby-rails61: security update

Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.12
- devel/ruby-activejob61/distinfo 1.12
- devel/ruby-activemodel61/distinfo 1.12
- devel/ruby-activestorage61/Makefile 1.5
- devel/ruby-activestorage61/distinfo 1.12
- devel/ruby-activesupport61/Makefile 1.4
- devel/ruby-activesupport61/distinfo 1.12
- devel/ruby-railties61/distinfo 1.12
- lang/ruby/rails.mk 1.121
- mail/ruby-actionmailbox61/PLIST 1.2
- mail/ruby-actionmailbox61/distinfo 1.12
- mail/ruby-actionmailer61/PLIST 1.2
- mail/ruby-actionmailer61/distinfo 1.12
- textproc/ruby-actiontext61/distinfo 1.12
- www/ruby-actioncable61/distinfo 1.12
- www/ruby-actionpack61/distinfo 1.12
- www/ruby-actionview61/distinfo 1.12
- www/ruby-rails61/distinfo 1.12

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:38:25 UTC 2022

Modified Files:
    pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby/rails.mk: Really update of Ruby on Rails to 6.1.5.1

To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 pkgsrc/lang/ruby/rails.mk

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:28:21 UTC 2022

Modified Files:
    pkgsrc/devel/ruby-activesupport61: Makefile distinfo

Log Message:
devel/ruby-activesupport61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

## Rails 6.1.5 (March 09, 2022) ##

* Fix `ActiveSupport::Duration.build` to support negative values.

  The algorithm to collect the `parts` of the `ActiveSupport::Duration` ignored the sign of the `value` and accumulated incorrect part values. This impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but not `ActiveSupport::Duration#eql?` (which is dependent on `value`).

  *Caleb Buxton*, *Braden Staudacher*

* `Time#change` and methods that call it (eg. `Time#advance`) will now return a `Time` with the timezone argument provided, if the caller was initialized with a timezone argument.

  Fixes [#42467](https://github.com/rails/rails/issues/42467).

  *Alex Ghiculescu*

* Clone to keep extended Logger methods for tagged logger.

  *Orhan Toy*

* `assert_changes` works on including `ActiveSupport::Assertions` module.

  *Pedro Medeiros*

To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/ruby-activesupport61/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activesupport61/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:28:57 UTC 2022

Modified Files:
    pkgsrc/devel/ruby-activemodel61: distinfo

Log Message:
devel/ruby-activemodel61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* No changes.

## Rails 6.1.5 (March 09, 2022) ##

* Clear secure password cache if password is set to `nil`

  Before:

      user.password = 'something'
      user.password = nil
      user.password # => 'something'

  Now:

      user.password = 'something'
      user.password = nil
      user.password # => nil

  *Markus Doits*

* Fix delegation in `ActiveModel::Type::Registry#lookup` and `ActiveModel::Type.lookup`

  Passing a last positional argument `{}` would be incorrectly considered as keyword argument.

  *Benoit Daloze*

* Fix `to_json` after `changes_applied` for `ActiveModel::Dirty` object.

  *Ryuta Kamizono*

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activemodel61/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:29:32 UTC 2022

Modified Files:
    pkgsrc/www/ruby-actionview61: distinfo

Log Message:
www/ruby-actionview61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

## Rails 6.1.5 (March 09, 2022) ##

* `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.

  *Nate Berkopec*

* Add `autocomplete="off"` to all generated hidden fields.

  Fixes #42610.

  *Ryan Baumann*

* Fix `current_page?` when URL has trailing slash.

  This fixes the `current_page?` helper when the given URL has a trailing slash, and is an absolute URL or also has query params.

  Fixes #33956.

  *Jonathan Hefner*

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actionview61/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:30:02 UTC 2022

Modified Files:
    pkgsrc/www/ruby-actionpack61: distinfo

Log Message:
www/ruby-actionpack61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

## Rails 6.1.5 (March 09, 2022) ##

* Fix `content_security_policy` returning invalid directives.

  Directives such as `self`, `unsafe-eval` and few others were not single quoted when the directive was the result of calling a lambda returning an array.

  ```ruby
  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end
  ```

  With this fix the policy generated from above will now be valid.

  *Edouard Chin*

* Update `HostAuthorization` middleware to render debug info only when `config.consider_all_requests_local` is set to true.

  Also, blocked host info is always logged with level `error`.

  Fixes #42813.

  *Nikita Vyrko*

* Dup arrays that get "converted".

  Fixes #43681.

  *Aaron Patterson*

* Don't show deprecation warning for equal paths.

  *Anton Rieder*

* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.

  Fixes #43094.

  *Alex Ghiculescu*

* Add fallback host for SystemTestCase driven by RackTest.

  Fixes #42780.

  *Petrik de Heus*

* Add more detail about what hosts are allowed.

  *Alex Ghiculescu*

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actionpack61/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:30:33 UTC 2022

Modified Files:
    pkgsrc/databases/ruby-activerecord61: distinfo

Log Message:
databases/ruby-activerecord61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* No changes.

## Rails 6.1.5 (March 09, 2022) ##

* Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method. In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances. This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.

  Before the changes in this commit, the `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 -- changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes #43056

  *Eric O'Hanlon*

* Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.

  `reference`/`belongs_to` in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.

  *Marcelo Lauxen*

* Fix dbconsole for 3-tier config.

  *Eileen M. Uchitelle*

* Better handle SQL queries with invalid encoding.

  ```ruby
  Post.create(name: "broken \xC8 UTF-8")
  ```

  Would cause all adapters to fail in a non controlled way in the code responsible to detect write queries.

  The query is now properly passed to the database connection, which might or might not be able to handle it, but will either succeed or failed in a more correct way.

  *Jean Boussier*

* Ignore persisted in-memory records when merging target lists.

  *Kevin Sjöberg*

* Fix regression bug that caused ignoring additional conditions for preloading `has_many` through relations.

  Fixes #43132

  *Alexander Pauly*

* Fix `ActiveRecord::InternalMetadata` to not be broken by `config.active_record.record_timestamps = false`

  Since the model always create the timestamp columns, it has to set them, otherwise it breaks various DB management tasks.

  Fixes #42983

  *Jean Boussier*

* Fix duplicate active record objects on `inverse_of`.

  *Justin Carvalho*

* Fix duplicate objects stored in has many association after save.

  Fixes #42549.

  *Alex Ghiculescu*

* Fix performance regression in `CollectionAssocation#build`.

  *Alex Ghiculescu*

* Fix retrieving default value for text column for MariaDB.

  *fatkodima*

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/databases/ruby-activerecord61/distinfo

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:31:02 UTC 2022

Modified Files:
    pkgsrc/devel/ruby-activestorage61: Makefile distinfo

Log Message:
devel/ruby-activestorage61: update to 6.1.5.1

## Rails 6.1.5.1 (April 26, 2022) ##

* No changes.
## Rails 6.1.5 (March 09, 2022) ## * Attachments can be deleted after their association is no longer defined. Fixes #42514 *Don Sisco* To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activestorage61/Makefile cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activestorage61/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:31:47 UTC 2022 Modified Files: pkgsrc/mail/ruby-actionmailbox61: PLIST distinfo Log Message: mail/ruby-actionmailbox61: update to 6.1.5.1 ## Rails 6.1.5.1 (April 26, 2022) ## * No changes. ## Rails 6.1.5 (March 09, 2022) ## * Add `attachments` to the list of permitted parameters for inbound emails conductor. When using the conductor to test inbound emails with attachments, this prevents an unpermitted parameter warning in default configurations, and prevents errors for applications that set: ```ruby config.action_controller.action_on_unpermitted_parameters = :raise ``` *David Jones*, *Dana Henke* To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/ruby-actionmailbox61/PLIST cvs rdiff -u -r1.11 -r1.12 pkgsrc/mail/ruby-actionmailbox61/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:32:28 UTC 2022 Modified Files: pkgsrc/www/ruby-actioncable61: distinfo Log Message: www/ruby-actioncable61: update to 6.1.5.1 ## Rails 6.1.5.1 (April 26, 2022) ## * No changes. ## Rails 6.1.5 (March 09, 2022) ## * The Action Cable client now ensures successful channel subscriptions: * The client maintains a set of pending subscriptions until either the server confirms the subscription or the channel is torn down. * Rectifies the race condition where an unsubscribe is rapidly followed by a subscribe (on the same channel identifier) and the requests are handled out of order by the ActionCable server, thereby ignoring the subscribe command. 
*Daniel Spinosa* * Truncate broadcast logging messages. *J Smith* To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actioncable61/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:32:59 UTC 2022 Modified Files: pkgsrc/devel/ruby-railties61: distinfo Log Message: devel/ruby-railties61: update to 6.1.5.1 ## Rails 6.1.5.1 (April 26, 2022) ## * No changes. ## Rails 6.1.5 (March 09, 2022) ## * In `zeitwerk` mode, setup the `once` autoloader first, and the `main` autoloader after it. This order plays better with shared namespaces. *Xavier Noria* * Handle paths with spaces when editing credentials. *Alex Ghiculescu* * Support Psych 4 when loading secrets. *Nat Morcos* To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-railties61/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:33:27 UTC 2022 Modified Files: pkgsrc/textproc/ruby-actiontext61: distinfo Log Message: textproc/ruby-actiontext61: update to 6.1.5.1 ## Rails 6.1.5.1 (April 26, 2022) ## * No changes. ## Rails 6.1.5 (March 09, 2022) ## * Fix Action Text extra trix content wrapper. *Alexandre Ruban* To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 pkgsrc/textproc/ruby-actiontext61/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:34:37 UTC 2022 Modified Files: pkgsrc/devel/ruby-activejob61: distinfo pkgsrc/mail/ruby-actionmailer61: PLIST distinfo pkgsrc/www/ruby-rails61: distinfo Log Message: Update rest of Ruby on Rails 61 components. No change except version. 
To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activejob61/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/ruby-actionmailer61/PLIST cvs rdiff -u -r1.11 -r1.12 pkgsrc/mail/ruby-actionmailer61/distinfo cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-rails61/distinfo
2022-06-04 | Pullup ticket #6629 - requested by taca | spz | 14 | -54/+54
databases/ruby-activerecord60: security update devel/ruby-activejob60: security update devel/ruby-activemodel60: security update devel/ruby-activestorage60: security update devel/ruby-activesupport60: security update devel/ruby-railties60: security update lang/ruby: version info update mail/ruby-actionmailbox60: security update mail/ruby-actionmailer60: security update textproc/ruby-actiontext60: security update www/ruby-actioncable60: security update www/ruby-actionpack60: security update www/ruby-actionview60: security update www/ruby-rails60: security update Revisions pulled up: - databases/ruby-activerecord60/distinfo 1.17 - devel/ruby-activejob60/distinfo 1.17 - devel/ruby-activemodel60/distinfo 1.17 - devel/ruby-activestorage60/distinfo 1.17 - devel/ruby-activesupport60/distinfo 1.17 - devel/ruby-railties60/distinfo 1.17 - lang/ruby/rails.mk 1.120 - mail/ruby-actionmailbox60/distinfo 1.17 - mail/ruby-actionmailer60/distinfo 1.17 - textproc/ruby-actiontext60/distinfo 1.17 - www/ruby-actioncable60/distinfo 1.17 - www/ruby-actionpack60/distinfo 1.17 - www/ruby-actionview60/distinfo 1.17 - www/ruby-rails60/distinfo 1.17 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:20:39 UTC 2022 Modified Files: pkgsrc/lang/ruby: rails.mk Log Message: lang/ruby/rails.mk: start update of Ruby on Rails to 6.0.4.8 To generate a diff of this commit: cvs rdiff -u -r1.119 -r1.120 pkgsrc/lang/ruby/rails.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:21:25 UTC 2022 Modified Files: pkgsrc/devel/ruby-activesupport60: distinfo Log Message: devel/ruby-activesupport60: update to 6.0.4.8 ## Rails 6.0.4.8 (April 26, 2022) ## * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. 
Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML. *Álvaro Martín Fraguas* To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activesupport60/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:23:12 UTC 2022 Modified Files: pkgsrc/www/ruby-actionview60: distinfo Log Message: www/ruby-actionview60: update to 6.0.4.8 ## Rails 6.0.4.8 (April 26, 2022) ## * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag. *Álvaro Martín Fraguas* To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actionview60/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:23:48 UTC 2022 Modified Files: pkgsrc/www/ruby-actionpack60: distinfo Log Message: www/ruby-actionpack60: update to 6.0.4.8 ## Rails 6.0.4.8 (April 26, 2022) ## * Allow Content Security Policy DSL to generate for API responses. 
*Tim Wade* To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actionpack60/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:24:55 UTC 2022 Modified Files: pkgsrc/databases/ruby-activerecord60: distinfo pkgsrc/devel/ruby-activejob60: distinfo pkgsrc/devel/ruby-activemodel60: distinfo pkgsrc/devel/ruby-activestorage60: distinfo pkgsrc/devel/ruby-railties60: distinfo pkgsrc/mail/ruby-actionmailbox60: distinfo pkgsrc/mail/ruby-actionmailer60: distinfo pkgsrc/textproc/ruby-actiontext60: distinfo pkgsrc/www/ruby-actioncable60: distinfo pkgsrc/www/ruby-rails60: distinfo Log Message: Update rest of Ruby on Rails 60 components. No change except version. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/databases/ruby-activerecord60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activejob60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activemodel60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activestorage60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-railties60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/ruby-actionmailbox60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/ruby-actionmailer60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/textproc/ruby-actiontext60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actioncable60/distinfo cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-rails60/distinfo
2022-06-04 | Pullup ticket #6628 - requested by taca | spz | 13 | -48/+48
databases/ruby-activerecord52: security update devel/ruby-activejob52: security update devel/ruby-activemodel52: security update devel/ruby-activestorage52: security update devel/ruby-activesupport52: security update devel/ruby-railties52: security update lang/ruby: version info update mail/ruby-actionmailer52: security update www/ruby-actioncable52: security update www/ruby-actionpack52: security update www/ruby-actionview52: security update www/ruby-rails52: security update Revisions pulled up: - databases/ruby-activerecord52/distinfo 1.13 - devel/ruby-activejob52/distinfo 1.13 - devel/ruby-activemodel52/distinfo 1.13 - devel/ruby-activestorage52/distinfo 1.13 - devel/ruby-activesupport52/distinfo 1.13 - devel/ruby-railties52/distinfo 1.13 - lang/ruby/rails.mk 1.119 - mail/ruby-actionmailer52/distinfo 1.13 - www/ruby-actioncable52/distinfo 1.13 - www/ruby-actionpack52/Makefile 1.2 - www/ruby-actionpack52/distinfo 1.13 - www/ruby-actionview52/distinfo 1.13 - www/ruby-rails52/distinfo 1.13 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:02:07 UTC 2022 Modified Files: pkgsrc/lang/ruby: rails.mk Log Message: lang/ruby/rails.mk: start update of Ruby on Rails to 5.2.7.1 To generate a diff of this commit: cvs rdiff -u -r1.118 -r1.119 pkgsrc/lang/ruby/rails.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:03:50 UTC 2022 Modified Files: pkgsrc/devel/ruby-activesupport52: distinfo Log Message: devel/ruby-activesupport52: update to 5.2.7.1 ## Rails 5.2.7.1 (April 26, 2022) ## * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML. *Álvaro Martín Fraguas* ## Rails 5.2.7 (March 10, 2022) ## * Restore support to Ruby 2.2. 
*ojab* To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/ruby-activesupport52/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:04:44 UTC 2022 Modified Files: pkgsrc/www/ruby-actionview52: distinfo Log Message: www/ruby-actionview52: update to 5.2.7.1 ## Rails 5.2.7.1 (April 26, 2022) ## * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`. Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag. *Álvaro Martín Fraguas* ## Rails 5.2.7 (March 10, 2022) ## * No changes. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/ruby-actionview52/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:05:24 UTC 2022 Modified Files: pkgsrc/www/ruby-actionpack52: Makefile distinfo Log Message: www/ruby-actionpack52: update to 5.2.7.1 ## Rails 5.2.7.1 (April 26, 2022) ## * Allow Content Security Policy DSL to generate for API responses. *Tim Wade* ## Rails 5.2.7 (March 10, 2022) ## * No changes. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/ruby-actionpack52/Makefile cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/ruby-actionpack52/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:06:04 UTC 2022 Modified Files: pkgsrc/devel/ruby-activestorage52: distinfo Log Message: devel/ruby-activestorage52: update to 5.2.7.1 ## Rails 5.2.7.1 (April 26, 2022) ## * No changes. ## Rails 5.2.7 (March 10, 2022) ## * Fix `ActiveStorage.supported_image_processing_methods` and `ActiveStorage.unsupported_image_processing_arguments` that were not being applied. 
*Rafael Mendonça França* To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/ruby-activestorage52/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu May 5 03:08:16 UTC 2022 Modified Files: pkgsrc/databases/ruby-activerecord52: distinfo pkgsrc/devel/ruby-activejob52: distinfo pkgsrc/devel/ruby-activemodel52: distinfo pkgsrc/devel/ruby-railties52: distinfo pkgsrc/mail/ruby-actionmailer52: distinfo pkgsrc/www/ruby-actioncable52: distinfo pkgsrc/www/ruby-rails52: distinfo Log Message: Update rest of Ruby on Rails 52 components. No change except version. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 pkgsrc/databases/ruby-activerecord52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/ruby-activejob52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/ruby-activemodel52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/ruby-railties52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/mail/ruby-actionmailer52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/ruby-actioncable52/distinfo cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/ruby-rails52/distinfo
2022-05-30 | Pullup ticket #6638 - requested by khorben | bsiegert | 3 | -804/+3515
www/gitea: security fix Revisions pulled up: - www/gitea/Makefile 1.73 - www/gitea/distinfo 1.31 - www/gitea/go-modules.mk 1.2 --- Module Name: pkgsrc Committed By: khorben Date: Wed May 18 18:38:34 UTC 2022 Modified Files: pkgsrc/www/gitea: Makefile distinfo go-modules.mk Log Message: gitea: update to 1.16.8 This is a security update: * CVE-2022-30781 * CVE-2022-27313 * and more security issues fixed but without CVEs - see below XXX pull-up to pkgsrc-2022Q1 Tested on NetBSD/amd64. Changes in 1.16.8: ENHANCEMENTS * Add doctor check/fix for bogus action rows (#19656) (#19669) * Make .cs highlighting legible on dark themes (#19604) (#19605) BUGFIXES * Fix oauth setting list bug (#19681) * Delete user related oauth stuff on user deletion too (#19677) (#19680) * Fix new release from tags list UI (#19670) (#19673) * Prevent NPE when checking repo units if the user is nil (#19625) (#19630) * GetFeeds must always discard actions with dangling repo_id (#19598) (#19629) * Call MultipartForm.RemoveAll when request finishes (#19606) (#19607) * Avoid MoreThanOne error when creating a branch whose name conflicts with other ref names (#19557) (#19591) * Fix sending empty notifications (#19589) (#19590) * Ignore DNS error when doing migration allow/block check (#19566) (#19567) * Fix issue overview for teams (#19652) (#19653) Changes in 1.16.7: SECURITY * Escape git fetch remote (#19487) (#19490) CVE-2022-30781 BUGFIXES * Don't overwrite err with nil (#19572) (#19574) * On Migrations, only write commit-graph if wiki clone was successful (#19563) (#19568) * Respect DefaultUserIsRestricted system default when creating new user (#19310) (#19560) * Don't error when branch's commit doesn't exist (#19547) (#19548) * Support hostname:port to pass host matcher's check (#19543) (#19544) * Prevent intermittent race in attribute reader close (#19537) (#19539) * Fix 64-bit atomic operations on 32-bit machines (#19531) (#19532) * Prevent dangling archiver goroutine (#19516) (#19526) * Fix 
migrate release from github (#19510) (#19523) * When view _Siderbar or _Footer, just display once (#19501) (#19522) * Fix blame page select range error and some typos (#19503) * Fix name of doctor fix "authorized-keys" in hints (#19464) (#19484) * User specific repoID or xorm builder conditions for issue search (#19475) (#19476) * Prevent dangling cat-file calls (goroutine alternative) (#19454) (#19466) * RepoAssignment ensure to close before overwrite (#19449) (#19460) * Set correct PR status on 3way on conflict checking (#19457) (#19458) * Mark TemplateLoading error as "UnprocessableEntity" (#19445) (#19446) Changes in 1.16.6: ENHANCEMENTS * Only request write when necessary (#18657) (#19422) * Disable service worker by default (#18914) (#19342) BUGFIXES * When dumping trim the standard suffices instead of a random suffix (#19440) (#19447) * Fix DELETE request for non-existent public key (#19443) (#19444) * Don't panic on ErrEmailInvalid (#19441) (#19442) * Add uploadpack.allowAnySHA1InWant to allow --filter=blob:none with older git clients (#19430) (#19438) * Warn on SSH connection for incorrect configuration (#19317) (#19437) * Search Issues via API, dont show 500 if filter result in empty list (#19244) (#19436) * When updating mirror repo intervals by API reschedule next update too (#19429) (#19433) * Fix nil error when some pages are rendered outside request context (#19427) (#19428) * Fix double blob-hunk on diff page (#19404) (#19405) * Don't allow merging PR's which are being conflict checked (#19357) (#19358) * Fix middleware function's placements (#19377) (#19378) * Fix invalid CSRF token bug, make sure CSRF tokens can be up-to-date (#19338) * Restore user autoregistration with email addresses (#19261) (#19312) * Move checks for pulls before merge into own function (#19271) (#19277) * Granular webhook events in editHook (#19251) (#19257) * Only send webhook events to active system webhooks and only deliver to active hooks (#19234) (#19248) * Use full 
output of git show-ref --tags to get tags for PushUpdateAddTag (#19235) (#19236) * Touch mirrors on even on fail to update (#19217) (#19233) * Hide sensitive content on admin panel progress monitor (#19218 & #19226) (#19231) * Fix clone url JS error for the empty repo page (#19209) * Bump goldmark to v1.4.11 (#19201) (#19203) TESTING * Prevent intermittent failures in RepoIndexerTest (#19225 #19229) (#19228) BUILD * Revert the minimal golang version requirement from 1.17 to 1.16 and add a warning in Makefile (#19319) MISC * Performance improvement for add team user when org has more than 1000 repositories (#19227) (#19289) * Check go and nodejs version by go.mod and package.json (#19197) (#19254) Changes in 1.16.5: BREAKING * Bump to build with go1.18 (#19120 et al) (#19127) SECURITY * Prevent redirect to Host (2) (#19175) (#19186) * Try to prevent autolinking of displaynames by email readers (#19169) (#19183) * Clean paths when looking in Storage (#19124) (#19179) * Do not send notification emails to inactive users (#19131) (#19139) * Do not send activation email if manual confirm is set (#19119) (#19122) ENHANCEMENTS * Use the new/choose link for New Issue on project page (#19172) (#19176) BUGFIXES * Fix showing issues in your repositories (#18916) (#19191) * Fix compare link in active feeds for new branch (#19149) (#19185) * Redirect .wiki/* ui link to /wiki (#18831) (#19184) * Ensure deploy keys with write access can push (#19010) (#19182) * Ensure that setting.LocalURL always has a trailing slash (#19171) (#19177) * Cleanup protected branches when deleting users & teams (#19158) (#19174) * Use IterateBufferSize whilst querying repositories during adoption check (#19140) (#19160) * Fix NPE /repos/issues/search when not signed in (#19154) (#19155) * Use custom favicon when viewing static files if it exists (#19130) (#19152) * Fix the editor height in review box (#19003) (#19147) * Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (#19028) (#19146) * Fix wrong 
scopes caused by empty scope input (#19029) (#19145) * Make migrations SKIP_TLS_VERIFY apply to git too (#19132) (#19141) * Handle email address not exist (#19089) (#19121) MISC * Update json-iterator to allow compilation with go1.18 (#18644) (#19100) * Update golang.org/x/crypto (#19097) (#19098) Changes in 1.16.4: SECURITY * Restrict email address validation (#17688) (#19085) * Fix lfs bug (#19072) (#19080) ENHANCEMENTS * Improve SyncMirrors logging (#19045) (#19050) BUGFIXES * Refactor mirror code & fix StartToMirror (#18904) (#19075) * Update the webauthn_credential_id_sequence in Postgres (#19048) (#19060) * Prevent 500 when there is an error during new auth source post (#19041) (#19059) * If rendering has failed due to a net.OpError stop rendering (attempt 2) (#19049) (#19056) * Fix flag validation (#19046) (#19051) * Add pam account authorization check (#19040) (#19047) * Ignore missing comment for user notifications (#18954) (#19043) * Set rel="nofollow noindex" on new issue links (#19023) (#19042) * Upgrading binding package (#19034) (#19035) * Don't show context cancelled errors in attribute reader (#19006) (#19027) * Fix update hint bug (#18996) (#19002) MISC * Fix potential assignee query for repo (#18994) (#18999) Changes in 1.16.3: SECURITY * Git backend ignore replace objects (#18979) (#18980) CVE-2022-27313 ENHANCEMENTS * Adjust error for already locked db and prevent level db lock on malformed connstr (#18923) (#18938) BUGFIXES * Set max text height to prevent overflow (#18862) (#18977) * Fix newAttachmentPaths deletion for DeleteRepository() (#18973) (#18974) * Accounts with WebAuthn only (no TOTP) now exist ... 
fix code to handle that case (#18897) (#18964) * Send 404 on /{org}.gpg (#18959) (#18962) * Fix admin user list pagination (#18957) (#18960) * Fix lfs management setting (#18947) (#18946) * Fix login with email panic when email is not exist (#18942) * Update go-org to v1.6.1 (#18932) (#18933) * Fix <strong> html in translation (#18929) (#18931) * Fix page and missing return on unadopted repos API (#18848) (#18927) * Allow adminstrator teams members to see other teams (#18918) (#18919) * Don't treat BOM escape sequence as hidden character. (#18909) (#18910) * Correctly link URLs to users/repos with dashes, dots or underscores (  (#18908) * Fix redirect when using lowercase repo name (#18775) (#18902) * Fix migration v210 (#18893) (#18892) * Fix team management UI (#18887) (18886) * BeforeSourcePath should point to base commit (#18880) (#18799) TRANSLATION * Backport locales from master (#18944) MISC * Don't update email for organisation (#18905) (#18906) Changes in 1.16.2: ENHANCEMENTS * Show fullname on issue edits and gpg/ssh signing info (#18828) * Immediately Hammer if second kill is sent (#18823) (#18826) * Allow mermaid render error to wrap (#18791) BUGFIXES * Fix ldap user sync missed email in email_address table (#18786) (#18876) * Update assignees check to include any writing team and change org sidebar (#18680) (#18873) * Don't report signal: killed errors in serviceRPC (#18850) (#18865) * Fix bug where certain LDAP settings were reverted (#18859) * Update go-org to 1.6.0 (#18824) (#18839) * Fix login with email for ldap users (#18800) (#18836) * Fix bug for get user by email (#18834) * Fix panic in EscapeReader (#18820) (#18821) * Fix ldap loginname (#18789) (#18804) * Remove redundant call to UpdateRepoStats during migration (#18591) (#18794) * In disk_channel queues synchronously push to disk on shutdown (#18415) (#18788) * Fix template bug of LFS lock (#18784) (#18787) * Attempt to fix the webauthn migration again - part 3 (#18770) (#18771) * Send mail 
to issue/pr assignee/reviewer also when OnMention is set (#18707) (#18765) * Fix a broken link in commits_list_small.tmpl (#18763) (#18764) * Increase the size of the webauthn_credential credential_id field (#18739) (#18756) * Prevent dangling GetAttribute calls (#18754) (#18755) * Fix isempty detection of git repository (#18746) (#18750) * Fix source code line highlighting on external tracker (#18729) (#18740) * Prevent double encoding of branch names in delete branch (#18714) (#18738) * Always set PullRequestWorkInProgressPrefixes in PrepareViewPullInfo (#18713) (#18737) * Fix forked repositories missed tags (#18719) (#18735) * Fix release typo (#18728) (#18731) * Separate the details links of commit-statuses in headers (#18661) (#18730) * Update object repo with the migrated repository (#18684) (#18726) * Fix bug for version update hint (#18701) (#18705) * Fix issue with docker-rootless shimming script (#18690) (#18699) * Let MinUnitAccessMode return correct perm (#18675) (#18689) * Prevent security failure due to bad APP_ID (#18678) (#18682) * Restart zero worker if there is still work to do (#18658) (#18672) * If rendering has failed due to a net.OpError stop rendering (#18642) (#18645) TESTING * Ensure git tag tests and others create test repos in tmpdir (#18447) (#18767) BUILD * Reduce CI go module downloads, add make targets (#18708, #18475, #18443) (#18741) MISC * Put buttons back in org dashboard (#18817) (#18825) * Various Mermaid improvements (#18776) (#18780) * C preprocessor colors improvement (#18671) (#18696) * Fix the missing i18n key for update checker (#18646) (#18665)
2022-05-20 | Pullup ticket #6637 - requested by nia | bsiegert | 5 | -25/+25
multimedia/libaom: security fix Revisions pulled up: - multimedia/libaom/Makefile 1.22 - multimedia/libaom/distinfo 1.16 - multimedia/libaom/patches/patch-aom__ports_ppc__cpudetect.c 1.3 - multimedia/libaom/patches/patch-build_cmake_aom__configure.cmake 1.5 - multimedia/libaom/patches/patch-build_cmake_version.cmake 1.3 --- Module Name: pkgsrc Committed By: nia Date: Tue May 17 21:44:11 UTC 2022 Modified Files: pkgsrc/multimedia/libaom: Makefile distinfo pkgsrc/multimedia/libaom/patches: patch-aom__ports_ppc__cpudetect.c patch-build_cmake_aom__configure.cmake patch-build_cmake_version.cmake Log Message: libaom: Update to 3.3.0 2022-01-28 v3.3.0 This release includes compression efficiency and perceptual quality improvements, speedup and memory optimizations, some new features, and several bug fixes. - New Features * AV1 RT: Introducing CDEF search level 5 * Changed real time speed 4 to behave the same as real time speed 5 * Add --deltaq-strength * rtc: Allow scene-change and overshoot detection for svc * rtc: Intra-only frame for svc * AV1 RT: Option 2 for codec control AV1E_SET_ENABLE_CDEF to disable CDEF on non-ref frames * New codec controls AV1E_SET_LOOPFILTER_CONTROL and AOME_GET_LOOPFILTER_LEVEL * Improvements to three pass encoding - Compression Efficiency Improvements * Overall compression gains: 0.6% - Perceptual Quality Improvements * Improves the perceptual quality of high QP encoding for delta-q mode 4 * Auto select noise synthesis level for all intra - Speedup and Memory Optimizations * Added many SSE2 optimizations. 
* Good quality 2-pass encoder speedups: o Speed 2: 9% o Speed 3: 12.5% o Speed 4: 8% o Speed 5: 3% o Speed 6: 4% * Real time mode encoder speedups: o Speed 5: 2.6% BDRate gain, 4% speedup o Speed 6: 3.5% BDRate gain, 4% speedup o Speed 9: 1% BDRate gain, 3% speedup o Speed 10: 3% BDRate gain, neutral speedup * All intra encoding speedups (AVIF): o Single thread - speed 6: 8% o Single thread - speed 9: 15% o Multi thread(8) - speed 6: 14% o Multi thread(8) - speed 9: 34% - Bug Fixes * Issue 3163: Segmentation fault when using --enable-keyframe-filtering=2 * Issue 2436: Integer overflow in av1_warp_affine_c() * Issue 3226: armv7 build failure due to gcc-11 * Issue 3195: Bug report on libaom (AddressSanitizer: heap-buffer-overflow) * Issue 3191: Bug report on libaom (AddressSanitizer: SEGV on unknown address) * Issue 3176: Some SSE2/SADx4AvgTest.* tests fail on Windows * Issue 3175: Some SSE2/SADSkipTest.* tests fail on Windows
2022-05-20 | Pullup ticket #6634 - requested by sborrill | bsiegert | 3 | -8/+21
mail/sendmail: bugfix for SMTP AUTH Revisions pulled up: - mail/sendmail/Makefile 1.141 - mail/sendmail/distinfo 1.68 - mail/sendmail/patches/patch-bo 1.5 --- Module Name: pkgsrc Committed By: sborrill Date: Tue May 10 13:46:49 UTC 2022 Modified Files: pkgsrc/mail/sendmail: Makefile distinfo pkgsrc/mail/sendmail/patches: patch-bo Log Message: sendmail: fix SMTP AUTH Pull in SMTP AUTH fix from 8.17.1.9. Bump PKGREVISION
2022-05-20 | Pullup ticket #6633 - requested by gutteridge | bsiegert | 2 | -6/+6
textproc/libxml2: security fix Revisions pulled up: - textproc/libxml2/Makefile 1.164 - textproc/libxml2/Makefile.common 1.16 - textproc/libxml2/distinfo 1.141 - textproc/py-libxml2/Makefile 1.81 --- Module Name: pkgsrc Committed By: gutteridge Date: Fri May 6 00:55:55 UTC 2022 Modified Files: pkgsrc/textproc/libxml2: Makefile Makefile.common distinfo pkgsrc/textproc/py-libxml2: Makefile Log Message: libxml2: update to 2.9.14, includes security fixes v2.9.14: May 02 2022: - Security: [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer Fix potential double-free in xmlXPtrStringRangeFunction Fix memory leak in xmlFindCharEncodingHandler Normalize XPath strings in-place Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars() (David Kilzer) Fix leak of xmlElementContent (David Kilzer) - Bug fixes: Fix parsing of subtracted regex character classes Fix recursion check in xinclude.c Reset last error in xmlCleanupGlobals Fix certain combinations of regex range quantifiers Fix range quantifier on subregex - Improvements: Fix recovery from invalid HTML start tags - Build system, portability: Define LFS macros before including system headers Initialize XPath floating-point globals configure: check for icu DEFS (James Hilliard) configure.ac: produce tar.xz only (GNOME policy) (David Seifert) CMakeLists.txt: Fix LIBXML_VERSION_NUMBER Fix build with older Python versions Fix --without-valid build
2022-05-20 | Pullup ticket #6632 - requested by nia | bsiegert | 1 | -2/+2
math/py-numpy: build fix Revisions pulled up: - math/py-numpy/Makefile 1.92 --- Module Name: pkgsrc Committed By: nia Date: Sun May 8 10:18:31 UTC 2022 Modified Files: pkgsrc/math/py-numpy: Makefile Log Message: py-numpy: Expects compiler to default to C++11.
2022-05-08 | Note pullup ticket #6625 | bsiegert | 1 | -1/+4
2022-05-08 | Pullup ticket #6625 - requested by taca | bsiegert | 3 | -8/+8
security/clamav: security fix Revisions pulled up: - security/clamav/Makefile 1.84 - security/clamav/Makefile.common 1.23 - security/clamav/buildlink3.mk 1.16 - security/clamav/distinfo 1.42 --- Module Name: pkgsrc Committed By: taca Date: Thu May 5 00:44:07 UTC 2022 Modified Files: pkgsrc/security/clamav: Makefile Makefile.common buildlink3.mk distinfo Log Message: security/clamav: update to 0.103.6 0.103.6 (2022-05-04) ClamAV 0.103.6 is a critical patch release with the following fixes: - [CVE-2022-20770](CVE-2022-20770): Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue. - [CVE-2022-20796](CVE-2022-20796): Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue. - [CVE-2022-20771](CVE-2022-20771): Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank you to Michał Dardas for reporting this issue. - [CVE-2022-20785](CVE-2022-20785): Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue. - [CVE-2022-20792](CVE-2022-20792): Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version.
Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue. - ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. Patches courtesy of Frank Fegert. - Fixed an issue causing byte-compare subsignatures to cause an alert when they match even if other conditions of the given logical signatures were not met. - Fix memleak when using multiple byte-compare subsignatures. This fix was backported from 0.104.0. Thank you to Andrea De Pasquale for contributing the fix. - Assorted bug fixes and improvements. Special thanks to the following people for code contributions and bug reports: - Alexander Patrakov - Andrea De Pasquale - Antoine Gatineau - Frank Fegert - Michał Dardas
2022-05-08 | Pullup tickets up to #6627 | bsiegert | 1 | -1/+14
2022-05-08 | Pullup tickets #6626 and #6627 - requested by taca | bsiegert | 12 | -33/+154
ruby30-base: build fix ruby31-base: build fix Revisions pulled up: - lang/ruby/platform.mk 1.10-1.12 - lang/ruby/rubyversion.mk 1.251 - lang/ruby30-base/Makefile 1.7 - lang/ruby30-base/distinfo 1.9-1.10 - lang/ruby30-base/patches/patch-configure 1.2 - lang/ruby30-base/patches/patch-include_ruby_internal_static__assert.h 1.1 - lang/ruby31-base/Makefile 1.4-1.5 - lang/ruby31-base/distinfo 1.4-1.7 - lang/ruby31-base/patches/patch-configure 1.2 - lang/ruby31-base/patches/patch-include_ruby_internal_static__assert.h 1.1 - lang/ruby31-base/patches/patch-template_Makefile.in 1.1 - lang/ruby31-base/patches/patch-tool_runruby.rb 1.1 --- Module Name: pkgsrc Committed By: jperkin Date: Wed May 4 15:49:51 UTC 2022 Modified Files: pkgsrc/lang/ruby31-base: Makefile distinfo pkgsrc/lang/ruby31-base/patches: patch-configure Log Message: ruby31-base: Retain _XOPEN_SOURCE on SunOS. Fixes build of eventmachine (which assumes the XPG4.2 "void *" type for iov_base), and mirrors settings of ruby 2.x. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Wed May 4 16:16:49 UTC 2022 Modified Files: pkgsrc/lang/ruby: platform.mk Log Message: lang/ruby: fix build problem of Ruby 3.1 on NetBSD 8 Fix build problem of Ruby 3.1 on NetBSD 8 by disabling dtrace. Ruby 3.1 uses dtrace(1) to modify compiled object files during build process. But something is wrong on NetBSD 8, including 8.2_STABLE.
For example, vm.o contains these symbols on NetBSD 9: 0000000000000000 A __dtrace_ruby___array__create 0000000000000000 A __dtrace_ruby___cmethod__entry 0000000000000000 A __dtrace_ruby___cmethod__return 0000000000000000 A __dtrace_ruby___hash__create 0000000000000000 A __dtrace_ruby___method__entry 0000000000000000 A __dtrace_ruby___method__return 0000000000000000 A __dtraceenabled_ruby___array__create 0000000000000000 A __dtraceenabled_ruby___cmethod__entry 0000000000000000 A __dtraceenabled_ruby___cmethod__return 0000000000000000 A __dtraceenabled_ruby___hash__create 0000000000000000 A __dtraceenabled_ruby___method__entry 0000000000000000 A __dtraceenabled_ruby___method__return But on NetBSD 8: 0000000000000000 A __dtrace_ruby___array-create 0000000000000000 A __dtrace_ruby___cmethod-entry 0000000000000000 A __dtrace_ruby___cmethod-return 0000000000000000 A __dtrace_ruby___hash-create 0000000000000000 A __dtrace_ruby___method-entry 0000000000000000 A __dtrace_ruby___method-return 0000000000000000 A __dtraceenabled_ruby___array-create 0000000000000000 A __dtraceenabled_ruby___cmethod-entry 0000000000000000 A __dtraceenabled_ruby___cmethod-return 0000000000000000 A __dtraceenabled_ruby___hash-create 0000000000000000 A __dtraceenabled_ruby___method-entry 0000000000000000 A __dtraceenabled_ruby___method-return --- Module Name: pkgsrc Committed By: jperkin Date: Wed May 4 15:49:16 UTC 2022 Modified Files: pkgsrc/lang/ruby30-base: Makefile distinfo pkgsrc/lang/ruby30-base/patches: patch-configure Log Message: ruby30-base: Retain _XOPEN_SOURCE on SunOS. Fixes build of eventmachine (which assumes the XPG4.2 "void *" type for iov_base), and mirrors settings of ruby 2.x. Bump PKGREVISION. 
--- Module Name: pkgsrc Committed By: taca Date: Wed May 4 16:44:53 UTC 2022 Modified Files: pkgsrc/lang/ruby: platform.mk pkgsrc/lang/ruby30-base: distinfo pkgsrc/lang/ruby31-base: distinfo Added Files: pkgsrc/lang/ruby30-base/patches: patch-include_ruby_internal_static__assert.h pkgsrc/lang/ruby31-base/patches: patch-include_ruby_internal_static__assert.h Log Message: lang/ruby: fix Ruby 3.0 build problem on NetBSD 8.0 Something is wrong with expansion of static_assert macro in <assert.h> on NetBSD 8.0. So, avoid use of static_assert on NetBSD 8.0. NetBSD 8.1 and later does not have this problem. --- Module Name: pkgsrc Committed By: jperkin Date: Thu May 5 10:15:17 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk Log Message: ruby: Handle ruby31 changing the config triple for arm64 macOS. --- Module Name: pkgsrc Committed By: jperkin Date: Thu May 5 10:25:06 UTC 2022 Modified Files: pkgsrc/lang/ruby31-base: distinfo Added Files: pkgsrc/lang/ruby31-base/patches: patch-tool_runruby.rb Log Message: ruby31-base: Fix install on macOS arm64. --- Module Name: pkgsrc Committed By: taca Date: Sat May 7 09:36:16 UTC 2022 Modified Files: pkgsrc/lang/ruby: platform.mk pkgsrc/lang/ruby31-base: Makefile distinfo Added Files: pkgsrc/lang/ruby31-base/patches: patch-template_Makefile.in Log Message: lang/ruby31-base: better fix than previous one Instead of disabling DTrace, process object file yjit.o with "dtrace -G". Bump PKGREVISION.
2022-05-07 | Pullup ticket #6624 - requested by taca | bsiegert | 3 | -7/+11
www/drupal7: security fix Revisions pulled up: - www/drupal7/Makefile 1.76 - www/drupal7/PLIST 1.30 - www/drupal7/distinfo 1.60 --- Module Name: pkgsrc Committed By: wen Date: Sat Apr 30 08:50:35 UTC 2022 Modified Files: pkgsrc/www/drupal7: Makefile PLIST distinfo Log Message: Update to 7.89 Upstream changes: Drupal 7.89, 2022-03-02 ----------------------- - Bug fixes for PHP 8.1 - Fix tests for PostgreSQL Drupal 7.88, 2022-02-15 ----------------------- - Fixed security issues: - SA-CORE-2022-003 Drupal 7.87, 2022-01-19 ----------------------- - Fix regression caused by jQuery UI position() backport
2022-05-07 | Pullup ticket #6623 - requested by taca | bsiegert | 2 | -6/+6
www/ruby-puma: security fix Revisions pulled up: - www/ruby-puma/Makefile 1.33 - www/ruby-puma/distinfo 1.30 --- Module Name: pkgsrc Committed By: taca Date: Sun Apr 24 14:43:10 UTC 2022 Modified Files: pkgsrc/www/ruby-puma: Makefile distinfo Log Message: www/ruby-puma: update to 5.6.4 5.6.4 (2022-03-30) Security * Close several HTTP Request Smuggling exploits (CVE-2022-24790) 5.6.2 (2022-02-11) Bugfix/Security * Response body will always be closed. (GHSA-rmj8-8hhh-gv5h, related to #2809) 5.6.1 (2022-01-26) Bugfixes * Reverted a commit which appeared to be causing occasional blank header values (#2809) 5.6.0 (2022-01-25) Features * Support localhost integration in ssl_bind (#2764, #2708) * Allow backlog parameter to be set with ssl_bind DSL (#2780) * Remove yaml (psych) requirement in StateFile (#2784) * Allow culling of oldest workers, previously was only youngest (#2773, #2794) * Add worker_check_interval configuration option (#2759) * Always send lowlevel_error response to client (#2731, #2341) * Support for cert_pem and key_pem with ssl_bind DSL (#2728) Bugfixes * Keep thread names under 15 characters, prevents breakage on some OSes (#2733) * Fix two 'old-style-definition' compile warning (#2807, #2806) * Log environment correctly using option value (#2799) * Fix warning from Ruby master (will be 3.2.0) (#2785) * extconf.rb - fix openssl with old Windows builds (#2757) * server.rb - rescue handling (Errno::EBADF) for @notify.close (#2745) Refactor * server.rb - refactor code using @options[:remote_address] (#2742) * [jruby] a couple refactorings - avoid copy-ing bytes (#2730)
2022-05-07 | Pullup ticket #6622 - requested by taca | bsiegert | 3 | -8/+8
textproc/ruby-yajl: security fix Revisions pulled up: - textproc/ruby-yajl/Makefile 1.8 - textproc/ruby-yajl/PLIST 1.7 - textproc/ruby-yajl/distinfo 1.9 --- Module Name: pkgsrc Committed By: taca Date: Sun Apr 24 14:39:32 UTC 2022 Modified Files: pkgsrc/textproc/ruby-yajl: Makefile PLIST distinfo Log Message: textproc/ruby-yajl: update to 1.4.2 1.4.2 (2022-04-04) No release note nor proper changelog. But there is security fix. Please refer <https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm> in detail.
2022-04-23 | tickets #6620 and #6621 | bsiegert | 1 | -1/+7
2022-04-23 | Pullup ticket #6621 - requested by nia | bsiegert | 2 | -6/+13
devel/afl++: ARM build fix Revisions pulled up: - devel/afl++/Makefile 1.3 - devel/afl++/PLIST 1.2 --- Module Name: pkgsrc Committed By: nia Date: Sun Apr 17 07:34:46 UTC 2022 Modified Files: pkgsrc/devel/afl++: Makefile PLIST Log Message: afl++: fix PLIST on aarch64
2022-04-23 | Pullup ticket #6620 - requested by nia | bsiegert | 4 | -27/+19
multimedia/pitivi: build fix Revisions pulled up: - multimedia/pitivi/Makefile 1.67 - multimedia/pitivi/PLIST 1.8 - multimedia/pitivi/distinfo 1.9 - multimedia/pitivi/patches/patch-meson.build 1.2 --- Module Name: pkgsrc Committed By: nia Date: Sun Apr 17 07:18:06 UTC 2022 Modified Files: pkgsrc/multimedia/pitivi: Makefile PLIST distinfo pkgsrc/multimedia/pitivi/patches: patch-meson.build Log Message: pitivi: Adapt to new gst-plugins world. Fixes build.
2022-04-16 | Tickets #6613 - #6619 | spz | 1 | -1/+28
2022-04-16 | Pullup ticket #6619 - requested by gutteridge | spz | 2 | -6/+6
devel/git-base: security update devel/git: security update Revisions pulled up: - devel/git-base/distinfo 1.117 - devel/git/Makefile.version 1.103 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 14 23:39:21 UTC 2022 Modified Files: pkgsrc/devel/git: Makefile.version pkgsrc/devel/git-base: distinfo Log Message: git: update to 2.35.3 Includes a fix for CVE-2022-24765. Addresses PR pkg/56796 from Eric N Vander Weele. Git v2.35.2 Release Notes ============ This release merges up the fixes that appear in v2.30.3, v2.31.2, v2.32.1, v2.33.2 and v2.34.2 to address the security issue CVE-2022-24765; see the release notes for these versions for details. Release notes for 2.35.3 simply state: This release merges up the fixes that appear in v2.35.3. To generate a diff of this commit: cvs rdiff -u -r1.102 -r1.103 pkgsrc/devel/git/Makefile.version cvs rdiff -u -r1.116 -r1.117 pkgsrc/devel/git-base/distinfo
2022-04-16 | Pullup ticket #6618 - requested by taca | spz | 2 | -6/+6
lang/ruby31-base: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.249 - lang/ruby31-base/distinfo 1.3 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Apr 12 15:12:13 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby31-base: distinfo Log Message: lang/ruby31-base: update to 3.1.2 Ruby 3.1.2 has been released. This release includes security fixes. Please check the topics below for details. * CVE-2022-28738: Double free in Regexp compilation * CVE-2022-28739: Buffer overrun in String-to-Float conversion See the commit logs for further details. To generate a diff of this commit: cvs rdiff -u -r1.248 -r1.249 pkgsrc/lang/ruby/rubyversion.mk cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/ruby31-base/distinfo
2022-04-16 | Pullup ticket #6617 - requested by taca | spz | 5 | -12/+16
lang/ruby30-base: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.248 - lang/ruby30-base/Makefile 1.6 - lang/ruby30-base/PLIST 1.7 - lang/ruby30-base/distinfo 1.8 - lang/ruby30/Makefile 1.3 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Apr 12 14:52:27 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby30: Makefile pkgsrc/lang/ruby30-base: Makefile PLIST distinfo Log Message: lang/ruby30-base: update to 3.0.4 Ruby 3.0.4 has been released. This release includes security fixes. Please check the topics below for details. * CVE-2022-28738: Double free in Regexp compilation * CVE-2022-28739: Buffer overrun in String-to-Float conversion See the commit logs for further details. To generate a diff of this commit: cvs rdiff -u -r1.247 -r1.248 pkgsrc/lang/ruby/rubyversion.mk cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/ruby30/Makefile cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/ruby30-base/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/ruby30-base/PLIST cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/ruby30-base/distinfo
2022-04-16 | Pullup ticket #6616 - requested by taca | spz | 4 | -10/+8
lang/ruby27: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.247 - lang/ruby27-base/Makefile 1.9 - lang/ruby27-base/distinfo 1.10 - lang/ruby27/Makefile 1.3 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Apr 12 14:21:00 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby27: Makefile pkgsrc/lang/ruby27-base: Makefile distinfo Log Message: lang/ruby27-base: update to 2.6.7 Ruby 2.7.6 has been released. This release includes a security fix. Please check the topics below for details. CVE-2022-28739: Buffer overrun in String-to-Float conversion This release also includes some bug fixes. See the commit logs for further details. After this release, we end the normal maintenance phase of Ruby 2.7, and Ruby 2.7 enters the security maintenance phase. This means that we will no longer backport any bug fixes to Ruby 2.7 except security fixes. The term of the security maintenance phase is scheduled for a year. Ruby 2.7 reaches EOL and its official support ends by the end of the security maintenance phase. Therefore, we recommend that you start to plan upgrade to Ruby 3.0 or 3.1. To generate a diff of this commit: cvs rdiff -u -r1.246 -r1.247 pkgsrc/lang/ruby/rubyversion.mk cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/ruby27/Makefile cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/ruby27-base/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/ruby27-base/distinfo
2022-04-16 | Pullup ticket #6615 - requested by taca | spz | 4 | -11/+9
lang/ruby26-base: security-update Revisions pulled up: - lang/ruby/rubyversion.mk 1.246 - lang/ruby26-base/Makefile 1.17 - lang/ruby26-base/distinfo 1.16 - lang/ruby26/Makefile 1.6 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Apr 12 14:16:44 UTC 2022 Modified Files: pkgsrc/lang/ruby26: Makefile pkgsrc/lang/ruby26-base: Makefile distinfo Log Message: lang/ruby26-base: update to 2.6.10 Here is release announce: Ruby 2.6.10 has been released. This release includes a security fix. Please check the topics below for details. CVE-2022-28739: Buffer overrun in String-to-Float conversion This release also includes a fix of a build problem with very old compilers and a fix of a regression of date library. See the commit logs for further details. After this release, Ruby 2.6 reaches EOL. In other words, this is expected to be the last release of Ruby 2.6 series. We will not release Ruby 2.6.11 even if a security vulnerability is found (but could release if a severe regression is found). We recommend all Ruby 2.6 users to start migration to Ruby 3.1, 3.0, or 2.7 immediately. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/ruby26/Makefile cvs rdiff -u -r1.16 -r1.17 pkgsrc/lang/ruby26-base/Makefile cvs rdiff -u -r1.15 -r1.16 pkgsrc/lang/ruby26-base/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Apr 12 14:19:26 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk Log Message: lang/ruby: forgot to commit for 2.6.10 To generate a diff of this commit: cvs rdiff -u -r1.245 -r1.246 pkgsrc/lang/ruby/rubyversion.mk
2022-04-16 | Pullup ticket #6613 - requested by bsiegert | spz | 8 | -18/+12
devel/java-subversion: security update devel/p5-subversion: security update devel/py-subversion: security update devel/ruby-subversion: security update devel/subversion-base: security update devel/subversion: security update Revisions pulled up: - devel/java-subversion/Makefile 1.62 - devel/p5-subversion/Makefile 1.122 - devel/py-subversion/Makefile 1.95 - devel/ruby-subversion/Makefile 1.84 - devel/subversion-base/Makefile 1.130 - devel/subversion/Makefile 1.68 - devel/subversion/Makefile.version 1.88 - devel/subversion/distinfo 1.119 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Tue Apr 12 16:24:29 UTC 2022 Modified Files: pkgsrc/devel/java-subversion: Makefile pkgsrc/devel/p5-subversion: Makefile pkgsrc/devel/py-subversion: Makefile pkgsrc/devel/ruby-subversion: Makefile pkgsrc/devel/subversion: Makefile.version distinfo pkgsrc/devel/subversion-base: Makefile Log Message: subversion: update to 1.4.2 (security). THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES: CVE-2021-28544 "SVN authz protected copyfrom paths regression" The full security advisory for CVE-2021-28544 is available at: https://subversion.apache.org/security/CVE-2021-28544-advisory.txt https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc A brief summary of this advisory follows: Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the `copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable. We recommend all users to upgrade to a known fixed release of the Subversion server.
This issue was reported by Evgeny Kotkov CVE-2022-24070 "Subversion's mod_dav_svn is vulnerable to memory corruption" The full security advisory for CVE-2022-24070 is available at: https://subversion.apache.org/security/CVE-2022-24070-advisory.txt https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc A brief summary of this advisory follows: While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. We recommend all users to upgrade to a known fixed release of the Subversion server. This issue was reported by Thomas Weißschuh To generate a diff of this commit: cvs rdiff -u -r1.61 -r1.62 pkgsrc/devel/java-subversion/Makefile cvs rdiff -u -r1.121 -r1.122 pkgsrc/devel/p5-subversion/Makefile cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/py-subversion/Makefile cvs rdiff -u -r1.83 -r1.84 pkgsrc/devel/ruby-subversion/Makefile cvs rdiff -u -r1.87 -r1.88 pkgsrc/devel/subversion/Makefile.version cvs rdiff -u -r1.118 -r1.119 pkgsrc/devel/subversion/distinfo cvs rdiff -u -r1.129 -r1.130 pkgsrc/devel/subversion-base/Makefile ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Tue Apr 12 21:40:36 UTC 2022 Modified Files: pkgsrc/devel/subversion: Makefile Log Message: subversion: reset PKGREVISION after update To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 pkgsrc/devel/subversion/Makefile
2022-04-16 | Pullup ticket #6614 - requested by tron | spz | 2 | -6/+6
mail/mutt: security update Revisions pulled up: - mail/mutt/Makefile 1.259 - mail/mutt/distinfo 1.107 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Wed Apr 13 08:24:37 UTC 2022 Modified Files: pkgsrc/mail/mutt: Makefile distinfo Log Message: mutt: Update to version 2.2.3 This is a bug-fix release, addressing CVE-2022-1328: a buffer overread in the uuencoded decoder routine. Also fixed were a possible integer overflow issue in the general iconv and rfc2047-conversion iconv functions. These are not believed to be exploitable. To generate a diff of this commit: cvs rdiff -u -r1.258 -r1.259 pkgsrc/mail/mutt/Makefile cvs rdiff -u -r1.106 -r1.107 pkgsrc/mail/mutt/distinfo
2022-04-13 | Pullup ticket #6612 | bsiegert | 1 | -1/+5
2022-04-13 | Pullup ticket #6612 - requested by nia | bsiegert | 4 | -286/+285
www/firefox91: security fix www/firefox91-l10n: dependent update Revisions pulled up: - www/firefox91-l10n/Makefile 1.10 - www/firefox91-l10n/distinfo 1.12 - www/firefox91/Makefile 1.16 - www/firefox91/distinfo 1.12 --- Module Name: pkgsrc Committed By: nia Date: Sun Apr 10 13:43:44 UTC 2022 Modified Files: pkgsrc/www/firefox91: Makefile distinfo pkgsrc/www/firefox91-l10n: Makefile distinfo Log Message: firefox91: update to 91.8.0 Security Vulnerabilities fixed in Firefox ESR 91.8 #CVE-2022-1097: Use-after-free in NSSToken objects #CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions #CVE-2022-1196: Use-after-free after VR Process destruction #CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument #CVE-2022-28285: Incorrect AliasSet used in JIT Codegen #CVE-2022-28286: iframe contents could be rendered outside the border #CVE-2022-24713: Denial of Service via complex regular expressions #CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
2022-04-02 | The first set of pullups, up to ticket #6611 | bsiegert | 1 | -2/+18
2022-04-02 | Pullup ticket #6611 - requested by nia | bsiegert | 1 | -2/+2
lang/ruby: NetBSD/arm build fix Revisions pulled up: - lang/ruby/rubyversion.mk 1.245 --- Module Name: pkgsrc Committed By: nia Date: Sat Apr 2 07:51:46 UTC 2022 Modified Files: pkgsrc/lang/ruby: rubyversion.mk Log Message: ruby: Do not append an ABI on NetBSD to the arch-specific extension directory. Failure seen in: http://victory.netbsd.org/pkgsrc/packages/reports/2022Q1/evbarm7-9.0/20220330.2134/ruby31-base-3.1.1/install.log
2022-04-02 | Pullup ticket #6610 - requested by wiz | bsiegert | 1 | -2/+2
sysutils/ioping: build fix Revisions pulled up: - sysutils/ioping/distinfo 1.8 --- Module Name: pkgsrc Committed By: wiz Date: Tue Mar 29 17:48:53 UTC 2022 Modified Files: pkgsrc/sysutils/ioping: distinfo Log Message: ioping: fix patch checksum
2022-04-02 | Pullup ticket #6609 - requested by tnn | bsiegert | 3 | -6/+8022
www/gitea: build fix Revisions pulled up: - www/gitea/Makefile 1.69 - www/gitea/distinfo 1.30 - www/gitea/go-modules.mk 1.1 --- Module Name: pkgsrc Committed By: tnn Date: Mon Mar 28 15:59:22 UTC 2022 Modified Files: pkgsrc/www/gitea: Makefile distinfo Added Files: pkgsrc/www/gitea: go-modules.mk Log Message: gitea: don't download distfiles during build phase (convert to go-module.mk)
2022-04-01 | Pullup ticket #6608 - requested by tnn | bsiegert | 2 | -1/+21
devel/SDL: NetBSD/i386 build fix Revisions pulled up: - devel/SDL/distinfo 1.86 - devel/SDL/patches/patch-build-scripts_strip__fPIC.sh 1.1 --- Module Name: pkgsrc Committed By: tnn Date: Mon Mar 28 14:34:13 UTC 2022 Modified Files: pkgsrc/devel/SDL: distinfo Added Files: pkgsrc/devel/SDL/patches: patch-build-scripts_strip__fPIC.sh Log Message: SDL: fix build on NetBSD/i386 XXX maybe pullup 2022Q1?
2022-04-01 | Pullup ticket #6607 - requested by wiz | bsiegert | 1 | -1/+3
devel/R-tcltk2: mark as broken (infinite loop) Revisions pulled up: - devel/R-tcltk2/Makefile 1.5 --- Module Name: pkgsrc Committed By: wiz Date: Mon Mar 28 15:51:46 UTC 2022 Modified Files: pkgsrc/devel/R-tcltk2: Makefile Log Message: R-tcltk2: mark as BROKEN Infinite loop during build, see PR pkg/56696.