lang/ruby27-base: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.258
- lang/ruby27-base/distinfo 1.11
- lang/ruby27-base/patches/patch-configure 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 26 13:09:59 UTC 2022
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby27-base: distinfo
pkgsrc/lang/ruby27-base/patches: patch-configure
Log Message:
lang/ruby27-base: update to 2.7.7
Ruby 2.7.7 Released (2022-11-24)
Ruby 2.7.7 has been released.
This release includes a security fix. Please check the topics below for
details.
* CVE-2021-33621: HTTP response splitting in CGI
This release also includes some build problem fixes. They are not
considered to affect compatibility with previous versions. See the commit
logs for further details.
lang/ruby30-base: security fix
Revisions pulled up:
- lang/ruby/Makefile 1.74
- lang/ruby/rubyversion.mk 1.257
- lang/ruby30-base/Makefile 1.9
- lang/ruby30-base/distinfo 1.11
- lang/ruby30-base/patches/patch-configure 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 26 13:07:52 UTC 2022
Modified Files:
pkgsrc/lang/ruby: Makefile rubyversion.mk
pkgsrc/lang/ruby30-base: Makefile distinfo
pkgsrc/lang/ruby30-base/patches: patch-configure
Log Message:
lang/ruby30-base: update to 3.0.5
Ruby 3.0.5 Released (2022-11-24)
Ruby 3.0.5 has been released.
This release includes a security fix. Please check the topics below for
details.
* CVE-2021-33621: HTTP response splitting in CGI
This release also includes some bug fixes. See the commit logs for further
details.
lang/ruby31-base: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.256
- lang/ruby31-base/Makefile 1.7
- lang/ruby31-base/PLIST 1.3
- lang/ruby31-base/distinfo 1.8
- lang/ruby31-base/patches/patch-configure 1.3
- lang/ruby31-base/patches/patch-lib_rubygems.rb 1.2
- lang/ruby31-base/patches/patch-lib_rubygems_commands_setup__command.rb 1.2
- lang/ruby31-base/patches/patch-lib_rubygems_install__update__options.rb 1.2
- lang/ruby31-base/patches/patch-lib_rubygems_installer.rb 1.2
- lang/ruby31-base/patches/patch-lib_rubygems_platform.rb 1.3
- lang/ruby31-base/patches/patch-test_rubygems_test__gem.rb 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 26 13:02:49 UTC 2022
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby31-base: Makefile PLIST distinfo
pkgsrc/lang/ruby31-base/patches: patch-configure patch-lib_rubygems.rb
patch-lib_rubygems_commands_setup__command.rb
patch-lib_rubygems_install__update__options.rb
patch-lib_rubygems_installer.rb patch-lib_rubygems_platform.rb
patch-test_rubygems_test__gem.rb
Log Message:
lang/ruby31-base: update to 3.1.3
Ruby 3.1.3 Released (2022-11-24)
Ruby 3.1.3 has been released.
This release includes a security fix. Please check the topics below for
details.
* CVE-2021-33621: HTTP response splitting in CGI
This release also includes a fix for build failure with Xcode 14 and macOS
13 (Ventura). See the related ticket for more details.
databases/redis: security update
Revisions pulled up:
- databases/redis/Makefile 1.74
- databases/redis/distinfo 1.67
- databases/redis/patches/patch-src_Makefile 1.6
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Tue Nov 22 19:11:11 UTC 2022
Modified Files:
pkgsrc/databases/redis: Makefile distinfo
pkgsrc/databases/redis/patches: patch-src_Makefile
Log Message:
redis: updated to 7.0.5
Redis 7.0.5 Released Wed Sep 21 20:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
Module API changes
=========
* Fix RM_Call execution of scripts when used with M/W/S flags to properly
handle script flags
* Fix RM_SetAbsExpire and RM_GetAbsExpire API registration
Bug Fixes
====
* Fix a hang when eviction is combined with lazy-free and
maxmemory-eviction-tenacity is set to 100
* Fix a crash when a replica may attempt to set itself as its master
as a result of a manual failover
* Fix a bug where a cluster-enabled replica node may permanently set
its master's hostname to '?'
* Fix a crash when a Lua script returns a meta-table
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* Fix redis-cli to do DNS lookup before sending CLUSTER MEET
* Fix crash when a key is lazy expired during cluster key migration
* Fix AOF rewrite to fsync the old AOF file when a new one is created
* Fix some crashes involving a list containing entries larger than 1GB
* Correctly handle scripts with a non-read-only shebang on a cluster replica
* Fix memory leak when unloading a module
* Fix bug with scripts ignoring client tracking NOLOOP
* Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL /
SWAPDB is used inside MULTI-EXEC
* Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed
with read-only key permission
* Fix missing sections for INFO ALL when also requesting a module info section
========================================
Redis 7.0.4 Released Monday Jul 18 12:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
key in a specific state may result with heap overflow, and potentially
remote code execution. The problem affects Redis versions 7.0.0 or newer.
========================================
Redis 7.0.3 Released Monday Jul 11 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.
Performance and resource utilization improvements
========================
* Optimize zset conversion on large ZRANGESTORE
* Optimize the performance of sending PING on large clusters
* Allow for faster restart of Redis in cluster mode
INFO fields and introspection changes
==================
* Add missing sharded pubsub keychannel count to CLIENT LIST
* Add missing pubsubshard_channels field in INFO STATS
Module API changes
=========
* Add RM_StringToULongLong and RM_CreateStringFromULongLong
* Add RM_SetClientNameById and RM_GetClientNameById
Changes in CLI tools
==========
* Add missing cluster-port support to redis-cli --cluster
Other General Improvements
=============
* Account sharded pubsub channels memory consumption
* Allow ECHO in loading and stale modes
* Cluster: Throw -TRYAGAIN instead of -ASK on migrating nodes for multi-key
commands when the node only has some of the keys
Bug Fixes
====
* TLS: Notify clients on connection shutdown
* Fsync directory while persisting AOF manifest, RDB file, and config file
* Script that made modification will not break with unexpected NOREPLICAS error
* Cluster: Fix a bug where nodes may not acknowledge a CLUSTER FAILOVER TAKEOVER
after a replica reboots
* Cluster: Fix crash during handshake and cluster shards call
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* TLS: Fix issues with large replies
* Correctly report the startup warning for vm.overcommit_memory
* redis-server command line allow passing config name and value in the
same argument
* Support --save command line argument with no value for backwards compatibility
* Fix CLUSTER RESET command regression requiring an argument
========================================
Redis 7.0.2 Released Sunday Jun 12 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.
Bug Fixes
====
* Fixed SET and BITFIELD commands being wrongly marked movablekeys
Regression in 7.0 possibly resulting in excessive roundtrip from
cluster clients.
* Fix crash when /proc/sys/vm/overcommit_memory is inaccessible
Regression in 7.0.1 resulting in crash on startup on some configurations.
========================================
Redis 7.0.1 Released Wed Jun 8 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains some behavior changes for new 7.0 features and important
fixes for bugs in previous 7.0 releases.
Improvements
======
* Add warning for suspected slow system clocksource setting
Add --check-system command line option.
* Allow read-only scripts (*_RO commands, and ones with `no-writes` flag)
during CLIENT PAUSE WRITE
* Add `readonly` flag in COMMAND command for EVAL_RO, EVALSHA_RO and FCALL_RO
* redis-server command line arguments now accept one string with spaces
for multi-arg configs
Potentially Breaking Changes
==============
* Omitting a config option value in command line argument no longer works
* Hide the `may_replicate` flag from the COMMAND command response
Potentially Breaking Changes for new Redis 7.0 features
-------------------------------------------------------
* Protocol: Sharded pubsub publish emits `smessage` instead of `message`
* CLUSTER SHARDS returns slots as RESP integers, not strings
* Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, and no-writes)
* Scripts that declare the `no-writes` flag are implicitly `allow-oom` too
Changes in CLI tools
==========
* redis-cli --bigkeys, --memkeys, --hotkeys, --scan. Finish nicely after Ctrl+C
Platform / toolchain support related improvements
========================
* Support tcp-keepalive config interval on MacOs
* Support RSS metrics on Haiku OS
INFO fields and introspection changes
==================
* Add isolated network metrics for replication.
Module API changes
=========
* Add two more new checks to RM_Call script mode
* Add new RM_Call flag to let Redis automatically refuse `deny-oom` commands
* Add module API RM_MallocUsableSize
* Add missing REDISMODULE_NOTIFY_NEW
* Fix cursor type in RedisModuleScanCursor to handle more than 2^31 elements
* Fix RM_Yield bugs and RM_Call("EVAL") OOM check bug
* Fix bugs in enum configs with overlapping bit flags
Bug Fixes
====
* FLUSHALL correctly resets rdb_changes_since_last_save INFO field
* FLUSHDB is now propagated to replicas / AOF, even if the db is empty
* Replica fail and retry the PSYNC if the master is unresponsive
* Fix ZRANGESTORE crash when zset_max_listpack_entries is 0
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* CONFIG REWRITE could cause a config change to be dropped for aliased configs
* CONFIG REWRITE would omit rename-command and include lines
NOTE: Affected users who used Redis 7.0.0 to rewrite their configuration file
should review and fix the file.
* Fix broken protocol after MISCONF (persistence) error
* Fix --save command line regression
* Fix possible regression around TLS config changes. re-load files even if the
file name didn't change.
* Re-add SENTINEL SLAVES command, missing in redis 7.0
* BZMPOP gets unblocked by non-key args and returns them
* Fix possible memory leak in XADD and XTRIM
========================================
Redis 7.0.0 GA Released Wed Apr 27 12:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
can cause NULL pointer dereference which will result with a crash of the
redis-server process. This issue affects all versions of Redis.
[reported by Aviv Yahav].
* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user.
[reported by Aviv Yahav].
New Features
======
* Keyspace event for new keys
Command replies that have been extended
---------------------------------------
* COMMAND DOCS shows deprecated_since field in command args
* COMMAND DOCS shows module name where applicable
Potentially Breaking Changes
==============
* Replicas panic when they fail writing persistence
* Prevent cross slot operations in functions and scripts with shebang
* Rephrased some error responses about invalid commands or args
* Lua scripts do not have access to the print() function
Performance and resource utilization improvements
========================
* Speed optimization in streams
* Speed optimization in command execution pipeline
* Speed optimization in listpack encoded sorted
* Speed optimization in latency tracking at INFO (relevant for 7.0 RCs)
* Speed optimization when there are many replicas (relevant for 7.0 RCs)
New configuration options
============
* Allow ignoring disk persistence errors on replicas
* Allow abort with panic when replica fails to execute a command sent
by the master
* Allow configuring shutdown flags of SIGTERM and SIGINT
* Allow attaching an operating system-specific identifier to Redis sockets
Module API changes
=========
* Add argument specifying ACL reason for module log entry
Breaking API compatibility with 7.0 RCs
* Add the deprecated_since field in command args of COMMAND DOCS
Breaking API/ABI compatibility with 7.0 RCs
* Add module API flag for using enum configs as bit flags
* Add RM_PublishMessageShard
* Add RM_MallocSizeString, RM_MallocSizeDict
* Add RM_TryAlloc
Bug Fixes
====
* Replica report disk persistence errors in PING
* Fixes around rejecting commands on replicas and AOF when they must
be respected
* Durability fixes for appendfsync=always policy
Fixes for issues in previous release candidates of Redis 7.0
------------------------------------------------------------
* Fix possible crash on CONFIG REWRITE
* Fix regression not aborting transaction on errors
* Fix auto-aof-rewrite-percentage based AOFRW trigger after restart
* Fix bugs when AOF enabled after startup, in case of failure before
the first rewrite completes
* Fix RM_Yield module API bug processing future commands of the current client
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 pkgsrc/databases/redis/Makefile
cvs rdiff -u -r1.66 -r1.67 pkgsrc/databases/redis/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/databases/redis/patches/patch-src_Makefile
textproc/expat: security update
Revisions pulled up:
- textproc/expat/Makefile 1.54
- textproc/expat/distinfo 1.47
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 26 10:37:47 UTC 2022
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.5.0.
Release 2.5.0 Tue October 25 2022
Security fixes:
#616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially
arbitrary code execution.
Bug fixes:
#612 #645 Fix corruption from undefined entities
#613 #654 Fix case when parsing was suspended while processing nested
entities
#616 #652 #653 Stop leaking opening tag bindings after a closing tag
mismatch error where a parser is reset through
XML_ParserReset and then reused to parse
#656 CMake: Fix generation of pkg-config file
#658 MinGW|CMake: Fix static library name
Other changes:
#663 Protect header expat_config.h from multiple inclusion
#666 examples: Make use of XML_GetBuffer and be more
consistent across examples
#648 Address compiler warnings
#667 #668 Version info bumped from 9:9:8 to 9:10:8;
see https://verbump.de/ for what these numbers do
Special thanks to:
Jann Horn
Mark Brand
Osyotr
Rhodri James
and
Google Project Zero
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.46 -r1.47 pkgsrc/textproc/expat/distinfo
www/gitea: security fix, build fix
Revisions pulled up:
- www/gitea/Makefile 1.81
- www/gitea/distinfo 1.32-1.33
- www/gitea/patches/patch-Makefile 1.4
---
Module Name: pkgsrc
Committed By: khorben
Date: Wed Nov 9 23:26:15 UTC 2022
Modified Files:
pkgsrc/www/gitea: Makefile distinfo
Log Message:
gitea: update to 1.16.9
Changes since 1.16.8:
SECURITY
* Add write check for creating Commit status (#20332) (#20334)
* Check for permission when fetching user controlled issues (#20133) (#20196)
BUGFIXES
* Hide notify mail setting ui if not enabled (#20138) (#20337)
* Add write check for creating Commit status (#20332) (#20334)
* Only show Followers that current user can access (#20220) (#20253)
* Release page show all tags in compare dropdown (#20070) (#20071)
* Fix permission check for delete tag (#19985) (#20001)
* Only log non ErrNotExist errors in git.GetNote (#19884) (#19905)
* Use exact search instead of fuzzy search for branch filter dropdown (#19885) (#19893)
* Set Setpgid on child git processes (#19865) (#19881)
* Import git from alpine 3.16 repository as 2.30.4 is needed for safe.directory = '*' to work but alpine 3.13 has 2.30.3 (#19876)
* Ensure responses are context.ResponseWriters (#19843) (#19859)
* Fix incorrect usage of Count function (#19850)
* Fix raw endpoint PDF file headers (#19825) (#19826)
* Make WIP prefixes case insensitive, e.g. allow Draft as a WIP prefix (#19780) (#19811)
* Don’t return 500 on NotificationUnreadCount (#19802)
* Prevent NPE when cache service is disabled (#19703) (#19783)
* Detect truncated utf-8 characters at the end of content as still representing utf-8 (#19773) (#19774)
* Fix doctor pq: syntax error at or near “.” quote user table name (#19765) (#19770)
* Fix bug with assignees (#19757)
---
Module Name: pkgsrc
Committed By: khorben
Date: Thu Nov 10 21:12:54 UTC 2022
Modified Files:
pkgsrc/www/gitea: distinfo
pkgsrc/www/gitea/patches: patch-Makefile
Log Message:
gitea: use find(1) in a more portable way
Verified on NetBSD, Linux (Debian 10.13), and macOS (all amd64).
No changes to the package observed, so no revision bump.
mail/evolution: build fix
Revisions pulled up:
- mail/evolution/Makefile 1.263
- mail/evolution/buildlink3.mk 1.103
- mail/evolution/distinfo 1.90
- mail/evolution/patches/patch-src-modules-book-config-carddav-evolution-book-config-carddav-c 1.1
- mail/evolution/patches/patch-src-modules-cal-config-caldav-evolution-cal-config-caldav-c 1.1
- mail/evolution/patches/patch-src-modules-cal-config-google-e-google-chooser-button-c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Nov 9 13:00:58 UTC 2022
Modified Files:
pkgsrc/mail/evolution: Makefile buildlink3.mk distinfo
Added Files:
pkgsrc/mail/evolution/patches:
patch-src-modules-book-config-carddav-evolution-book-config-carddav-c
patch-src-modules-cal-config-caldav-evolution-cal-config-caldav-c
patch-src-modules-cal-config-google-e-google-chooser-button-c
Log Message:
evolution: fix build with latest evolution-data-server
Patches from Dave Tyson on tech-pkg.
Remove BROKEN tag, bump PKGREVISION.
security/sudo: security fix
Revisions pulled up:
- security/sudo/Makefile 1.191-1.192
- security/sudo/PLIST 1.23
- security/sudo/distinfo 1.123-1.124
- security/sudo/patches/patch-plugins_sudoers_auth_passwd.c 1.1
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Oct 24 10:29:20 UTC 2022
Modified Files:
pkgsrc/security/sudo: Makefile PLIST distinfo
Log Message:
sudo: updated to 1.9.12
What's new in Sudo 1.9.12
* Fixed a bug in the ptrace-based intercept mode where the current
working directory could include garbage at the end.
* Fixed a compilation error on systems that lack the stdint.h
header.
* Fixed a bug when logging the command's exit status in intercept
mode. The wrong command could be logged with the exit status.
* For ptrace-based intercept mode, sudo will now attempt to
verify that the command path name, arguments and environment
have not changed from the time when they were authorized by the
security policy. The new "intercept_verify" sudoers setting can
be used to control this behavior.
* Fixed running commands with a relative path (e.g. ./foo) in
intercept mode. Previously, this would fail if sudo's current
working directory was different from that of the command.
* Sudo now supports passing the execve(2) system call the NULL
pointer for the `argv` and/or `envp` arguments when in intercept
mode. Linux treats a NULL pointer like an empty array.
* The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.
* Fixed a problem with "sudo -i" on SELinux when the target user's
home directory is not searchable by sudo.
* Neovim has been added to the list of visudo editors that support
passing the line number on the command line.
* Fixed a bug in sudo's SHA384 and SHA512 message digest padding.
* Added a new "-N" (--no-update) command line option to sudo which
can be used to prevent sudo from updating the user's cached
credentials. It is now possible to determine whether or not a
user's cached credentials are currently valid by running:
$ sudo -Nnv
and checking the exit value. One use case for this is to indicate
in a shell prompt that sudo is "active" for the user.
* PAM approval modules are no longer invoked when running sub-commands
in intercept mode unless the "intercept_authenticate" option is set.
There is a substantial performance penalty for calling into PAM
for each command run. PAM approval modules are still called for
the initial command.
* Intercept mode on Linux now uses process_vm_readv(2) and
process_vm_writev(2) if available.
* The XDG_CURRENT_DESKTOP environment variable is now preserved
by default. This makes it possible for graphical applications
to choose the correct theme when run via sudo.
* On 64-bit systems, if sudo fails to load a sudoers group plugin,
it will use system-specific heuristics to try to locate a 64-bit
version of the plugin.
* The cvtsudoers manual now documents the JSON and CSV output
formats.
* Fixed a bug where sub-commands were not being logged to a remote
log server when log_subcmds was enabled.
* The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
sudoers settings can be used to support more fine-grained I/O logging.
The sudo front-end no longer allocates a pseudo-terminal when running
a command if the I/O logging plugin requests logging of stdin, stdout,
or stderr but not terminal input/output.
* Quieted a libgcrypt run-time initialization warning.
* Fixed a bug in visudo that caused literal backslashes to be removed
from the EDITOR environment variable.
* The sudo Python plugin now implements the "find_spec" method instead
of the deprecated "find_module". This fixes a test failure when
a newer version of setuptools that doesn't include "find_module" is
found on the system.
* Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created
the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as
a directory instead of a plain file. The same bug could result
in I/O log directories that end in six or more X's being created
literally in addition to the name being used as a template for
the mkdtemp(3) function.
* Fixed a long-standing bug where a sudoers rule with a command
line argument of "", which indicates the command may be run with
no arguments, would also match a literal "" on the command line.
* Added the -I option to visudo which only edits the main sudoers
file. Include files are not edited unless a syntax error is found.
* Fixed "sudo -l -U otheruser" output when the runas list is empty.
Previously, sudo would list the invoking user instead of the
list user.
* Fixed the display of command tags and options in "sudo -l" output
when the RunAs user or group changes. A new line is started for
RunAs changes which means we need to display the command tags
and options again.
* The sesh helper program now uses getopt_long(3) to parse the
command line options.
* The embedded copy of zlib has been updated to version 1.2.13.
* Fixed a bug that prevented event log data from being sent to the
log server when I/O logging was not enabled. This only affected
systems without PAM or configurations where the pam_session and
pam_setcred options were disabled in the sudoers file.
* Fixed a bug where "sudo -l" output included a carriage return
after the newline. This is only needed when displaying to a
terminal in raw mode.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Nov 4 00:58:00 UTC 2022
Modified Files:
pkgsrc/security/sudo: Makefile distinfo
Added Files:
pkgsrc/security/sudo/patches: patch-plugins_sudoers_auth_passwd.c
Log Message:
security/sudo: add fix for CVE-2022-43995
Add patch from upstream to fix CVE-2022-43995.
Bump PKGREVISION.
lang/php74: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.380
- lang/php56/Makefile 1.30
- lang/php74/Makefile 1.17
- lang/php74/distinfo 1.39
- lang/php80/Makefile 1.10
- lang/php81/Makefile 1.8
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 30 10:50:01 UTC 2022
Modified Files:
pkgsrc/lang/php56: Makefile
pkgsrc/lang/php74: Makefile
pkgsrc/lang/php80: Makefile
pkgsrc/lang/php81: Makefile
Log Message:
lang/php: post-install clean up
Do not manually install executable files and manual.
These are already done by php's Makefile from some time ago.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Nov 4 00:40:58 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo
Log Message:
lang/php74: update to 7.4.33
7.4.33 (2022-11-03)
- GD:
. Fixed bug #81739: OOB read due to insufficient input validation in
imageloadfont(). (CVE-2022-31630) (cmb)
- Hash:
. Fixed bug #81738: buffer overflow in hash_update() on long parameter.
(CVE-2022-37454) (nicky at mouha dot be)
lang/php80: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.379
- lang/php80/distinfo 1.26
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 30 10:18:35 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php80: distinfo
Log Message:
lang/php80: update to 8.0.25
8.0.25 (2022-10-27)
- GD:
. Fixed bug #81739: OOB read due to insufficient input validation in
imageloadfont(). (CVE-2022-31630) (cmb)
- Hash:
. Fixed bug #81738: buffer overflow in hash_update() on long parameter.
(CVE-2022-37454) (nicky at mouha dot be)
- Session:
. Fixed bug GH-9583 (session_create_id() fails with user defined save handler
that doesn't have a validateId() method). (Girgias)
- Streams:
. Fixed bug GH-9590 (stream_select does not abort upon exception or empty
valid fd set). (Arnaud)
lang/php81: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.378
- lang/php81/distinfo 1.14
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 30 10:16:24 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php81: distinfo
Log Message:
lang/php81: update to 8.1.12
8.1.12 (2022-10-27)
- Core:
. Fixes segfault with Fiber on FreeBSD i386 architecture. (David Carlier)
- Fileinfo:
. Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
(Anatol)
- GD:
. Fixed bug #81739: OOB read due to insufficient input validation in
imageloadfont(). (CVE-2022-31630) (cmb)
- Hash:
. Fixed bug #81738: buffer overflow in hash_update() on long parameter.
(CVE-2022-37454) (nicky at mouha dot be)
- MBString:
. Fixed bug GH-9683 (Problem when ISO-2022-JP-MS is specified in
mb_encode_mimeheader). (Alex Dowad)
- Opcache:
. Added indirect call reduction for jit on x86 architectures. (wxue1)
- Session:
. Fixed bug GH-9583 (session_create_id() fails with user defined save handler
that doesn't have a validateId() method). (Girgias)
- Streams:
. Fixed bug GH-9590 (stream_select does not abort upon exception or empty
valid fd set). (Arnaud)
www/curl: security fix
Revisions pulled up:
- www/curl/Makefile 1.262
- www/curl/PLIST 1.92
- www/curl/distinfo 1.186
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 26 07:44:01 UTC 2022
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Log Message:
curl: update to 7.86.0.
Changes:
NPN: remove support for and use of
Websockets: initial support
Bugfixes:
altsvc: reject bad port numbers
altsvc: use 'h3' for h3
amiga: do not hardcode openssl/zlib into the os config
amiga: set SIZEOF_CURL_OFF_T=8 by default
amigaos: add missing curl header
asyn-ares: set hint flags when calling ares_getaddrinfo
autotools: allow --enable-symbol-hiding with windows
autotools: allow unix sockets on Windows
autotools: reduce brute-force when detecting recv/send arg list
aws_sigv4: fix header computation
bearssl: make it proper C89 compliant
CI/GHA: cancel outdated CI runs on new PR changes
CI/GHA: merge msh3 and openssl3 builds into linux workflow
cirrus-ci: add macOS build with m1
cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
cli tool: do not use disabled protocols
cmake: add missing inet_ntop check
cmake: add the check of HAVE_SOCKETPAIR
cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
cmake: delete duplicate HAVE_GETADDRINFO test
cmake: enable more detection on Windows
cmake: fix original MinGW builds
cmake: improve usability of CMake build as a sub-project
cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
cmake: sync HAVE_SIGNAL detection with autotools
cmdline/docs: add a required 'multi' keyword for each option
configure: correct the wording when checking grep -E
configure: deprecate builds with small curl_off_t
configure: fail if '--without-ssl' + explicit parameter for an ssl lib
configure: the ngtcp2 option should default to 'no'
connect: change verbose IPv6 address:port to [address]:port
connect: fix builds without AF_INET6
connect: fix Curl_updateconninfo for TRNSPRT_UNIX
connect: fix the wrong error message on connect failures
content_encoding: use writer struct subclasses for different encodings
cookie: reject cookie names or content with TAB characters
ctype: remove all use of <ctype.h>, use our own versions
curl-compilers.m4: for gcc + want warnings, set gnu89 standard
curl-compilers.m4: use -O2 as default optimize for clang
curl-wolfssl.m4: error out if wolfSSL is not usable
curl.h: fix mention of wrong error code in comment
curl/add_file_name_to_url: use the libcurl URL parser
curl/add_parallel_transfers: better error handling
curl/get_url_file_name: use libcurl URL parser
curl: warn for --ssl use, considered insecure
curl_ctype: convert to macros-only
curl_easy_pause.3: unpausing is as fast as possible
curl_escape.3: fix typo
curl_setup: disable use of FLOSS for 64-bit NonStop builds
curl_setup: include curl.h after platform setup headers
curl_setup: include only system.h instead of curl.h
curl_strequal.3: fix argument typo
curl_url_set.3: document CURLU_APPENDQUERY proper
CURLMOPT_PIPELINING.3: dedup manpage xref
CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
CURLOPT_COOKIEFILE: insist on "" for enable-without-file
CURLOPT_COOKIELIST.3: fix formatting mistake
CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
CURLOPT_MIMEPOST.3: add an (inline) example
CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument
DEPRECATE.md: Support for systems without 64 bit data types
docs/examples: avoid deprecated options in examples where possible
docs/INSTALL: update Android Instructions for newer NDKs
docs/libcurl/symbols-in-versions: add several missing symbols
docs: 100+ spellfixes
docs: correct missing uppercase in Markdown files
docs: document more server names for test files
docs: fix deprecation versions inconsistencies
docs: make sure libcurl opts examples pass in long arguments
docs: remove mentions of deprecated '--without-openssl' parameter
docs: tag curl options better in man pages
docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
docs: update sourceforge project links
easy: fix the #include order
easy: fix the altsvc init for curl_easy_duphandle
easy_lock: check for HAVE_STDATOMIC_H as well
examples/chkspeed: improve portability
formdata: fix warning: 'CURLformoption' is promoted to 'int'
ftp: ignore a 550 response to MDTM
ftp: remove redundant if
functypes: provide the recv and send arg and return types
getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
GHA: build tests in a separate step from the running of them
GHA: run proselint on markdown files
github: initial CODEOWNERS setup for CI configuration
header: define public API functions as extern c
headers: reset the requests counter at transfer start
hostip: guard PF_INET6 use
hostip: lazily wait to figure out if IPv6 works until needed
http, vauth: always provide Curl_allow_auth_to_host() functionality
http2: make nghttp2 less picky about field whitespace
HTTP3.md: update Caddy example
http: try parsing Retry-After: as a number first
http_proxy: restore the protocol pointer on error
httpput-postfields.c: shorten string for C89 compliance
ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
lib1560: extended to verify detect/reject of unknown schemes
lib517: fix C89 constant signedness
lib: add missing limits.h includes
lib: add required Win32 setup definitions in setup-win32.h
lib: prepare the incoming of additional protocols
lib: sanitize conditional exclusion around MIME
lib: set more flags in config-win32.h
lib: the number four in a sequence is the "fourth"
libssh: if sftp_init fails, don't get the sftp error code
Makefile.m32: deduplicate build rules
Makefile.m32: drop CROSSPREFIX and our CC/AR defaults
Makefile.m32: exclude libs & libpaths for shared mode exes
Makefile.m32: fix regression with tool_hugehelp
Makefile.m32: major rework
Makefile.m32: reintroduce CROSSPREFIX and -W -Wall
Makefile.m32: support more options
manpage-syntax.pl: all libcurl option symbols should be \fI-tagged
manpages: Fix spelling of "allows to" -> "allows one to"
misc: ISSPACE() => ISBLANK()
misc: use the term "null-terminate" consistently
mprintf: reject two kinds of precision for the same argument
mprintf: use snprintf if available
mqtt: return error for too long topic
mqtt: spell out CONNECT in comments
msh3: change the static_assert to make the code C89
netrc: compare user name case sensitively
netrc: replace fgets with Curl_get_line
netrc: use the URL-decoded user
ngtcp2: fix build errors due to changes in ngtcp2 library
ngtcp2: fix C89 compliance nit
noproxy: support proxies specified using cidr notation
openssl: make certinfo available for QUIC
README.md: add GHA status badges for Linux and macOS builds
RELEASE-PROCEDURE.md: mention patch releases
resolve: make forced IPv4 resolve only use A queries
runtests: fix uninitialized value on ignored tests
schannel: ban server ALPN change during recv renegotiation
schannel: don't reset recv/send function pointers on renegotiation
schannel: when importing PFX, disable key persistence
scripts: use `grep -E` instead of `egrep`
setopt: use the handler table for protocol name to number conversions
setopt: when POST is set, reset the 'upload' field
setup-win32: no longer define UNICODE/_UNICODE implicitly
single_transfer: use the libcurl URL parser when appending query parts
smb: replace CURL_WIN32 with WIN32
strcase: add and use Curl_timestrcmp
strerror: improve two URL API error messages
symbol-scan.pl: also check for LIBCURL* symbols
symbol-scan.pl: scan and verify .3 man pages
symbols-in-versions: add missing LIBCURL* symbols
symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
test1119: scan all public headers
test1275: verify uppercase after period in markdown
test972: verify the output without using external tool
tests/certs/scripts: insert standard curl source headers
tests/Makefile: remove run time stats from ci-test
tests: avoid CreateThread if _beginthreadex is available
tests: fix tag syntax errors in test files
tests: skip mime/form tests when mime is not built-in
tidy-up: delete parallel/unused feature flags
tidy-up: delete unused HAVE_STRUCT_POLLFD
TODO: provide the error body from a CONNECT response
tool: avoid generating ambiguous escaped characters in --libcurl
tool: remove dead code
tool: reorganize function c_escape around a dynbuf
tool_hugehelp: make hugehelp a blank macro when disabled
tool_main: exit at once if out of file descriptors
tool_operate: avoid a few #ifdefs for disabled-libcurl builds
tool_operate: more transfer cleanup after parallel transfer fail
tool_operate: prevent over-queuing in parallel mode
tool_operate: reduce errorbuffer allocs
tool_paramhelp: asserts verify maximum sizes for string loading
tool_paramhelp: make the max argument a 'double'
tool_progress: remove 'Qd' from the parallel progress bar
tool_setopt: use better English in --libcurl source comments
tool_xattr: save the original URL, not the final redirected one
unit test 1655: make it C89-compliant
url: a zero-length userinfo part in the URL is still a (blank) user
url: allow non-HTTPS HSTS-matching for debug builds
url: rename function due to name-clash in Watt-32
url: use IDN decoded names for HSTS checks
urlapi: detect scheme better when not guessing
urlapi: fix parsing URL without slash with CURLU_URLENCODE
urlapi: leaner with fewer allocs
urlapi: reject more bad characters from the host name field
winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
winbuild: use NMake batch-rules for compilation
windows: add .rc support to autotools builds
windows: adjust name of two internal public functions
windows: autotools .rc warnings fixup
wolfSSL: fix session management bug.
|
|
www/arcticfox: arm build fix
Revisions pulled up:
- www/arcticfox/Makefile 1.16
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Oct 26 13:55:17 UTC 2022
Modified Files:
pkgsrc/www/arcticfox: Makefile
Log Message:
arcticfox: Use latest versions of config.guess/config.sub from pkgsrc.
Should help armv[6-7] builds, since arcticfox's embedded copy of ICU
still contains versions from 2013 that don't know about NetBSD arm
variants.
|
|
devel/samba4: security fix
via patch -- update to 4.16.6
---
Samba 4.16.6 fixes these security problems.
4.16.6 (2022-10-25)
This is a security release in order to address the following defect:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
Changes since 4.16.5
---------------------
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
|
|
devel/git: security fix
via patch -- update to 2.37.4
---
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.
|
|
|
www/ruby-jekyll: critical bugfix
Revisions pulled up:
- www/ruby-jekyll/Makefile 1.43
- www/ruby-jekyll/distinfo 1.28
- www/ruby-jekyll/patches/patch-lib_jekyll_commands_serve.rb 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 16 04:17:23 UTC 2022
Modified Files:
pkgsrc/www/ruby-jekyll: Makefile distinfo
Added Files:
pkgsrc/www/ruby-jekyll/patches: patch-lib_jekyll_commands_serve.rb
Log Message:
www/ruby-jekyll: fix "jekyll server"
Fix "jekyll server".
* Require ruby-webrick on Ruby 3.0 and later.
* Explicitly require "webrick".
Bump PKGREVISION.
|
|
www/firefox102: security fix
Revisions pulled up:
- www/firefox102-l10n/Makefile 1.6
- www/firefox102-l10n/distinfo 1.5
- www/firefox102/Makefile 1.9
- www/firefox102/distinfo 1.6
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 22 15:59:27 UTC 2022
Modified Files:
pkgsrc/www/firefox102: Makefile distinfo
pkgsrc/www/firefox102-l10n: Makefile distinfo
Log Message:
firefox102: Update to 102.4.0
Security Vulnerabilities fixed in Firefox ESR 102.4
#CVE-2022-42927: Same-origin policy violation could have leaked cross-origin
URLs
#CVE-2022-42928: Memory Corruption in JS Engine
#CVE-2022-42929: Denial of Service via window.print
#CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR
102.4
|
|
devel/ruby-redmine50: security fix
Revisions pulled up:
- devel/ruby-redmine50/Makefile 1.4
- devel/ruby-redmine50/PLIST 1.2
- devel/ruby-redmine50/distinfo 1.3
- devel/ruby-redmine50/patches/patch-Gemfile 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 9 15:32:55 UTC 2022
Modified Files:
pkgsrc/devel/ruby-redmine50: Makefile PLIST distinfo
pkgsrc/devel/ruby-redmine50/patches: patch-Gemfile
Log Message:
devel/ruby-redmine50: update to 5.0.3
5.0.3 (2022-10-02)
[Code cleanup/refactoring]
* Defect #37609: Remove obsolete remnant public/images/openid-bg.gif
* Defect #37449: Passing a wrong parameter to `with_settings` in
UserTest::test_random_password_include_required_characters
[Filters]
* Defect #36940: Chained custom field filter doesn't work for User fields
* Defect #37349: Chained custom field filter for User fields returns 500
internal server error when filtering after a float value
[Issues]
* Defect #37369: Mention auto-complete not works in bulk-edit comments
* Defect #37499: Default query should not be applied if the query is not
allowed to be set as the default
* Defect #37473: Focus IssueId not working when linking issues
[Issues list]
* Defect #37268: Performance problem with Redmine 4.2.7 and 5.0.2
[Rails support]
* Patch #37452: Update Rails to 6.1.7
[Security]
* Defect #37492: Update jQuery UI to 1.13.2
[SCM]
* Defect #33953: Repository tab is not displayed if no repository is set as
the main repository
* Defect #36258: Support revision without any message in Mercurial
repositories
* Defect #37585: Do not show "History" tab for content in Filesystem
repository
* Defect #37626: Diff of a javascript file in repository module is not
displayed with layout
* Defect #37718: Repository browser does not show "+" (plus sign) in
filename
[SCM extra]
* Defect #37562: POST Requests to repository WS fail with "Can't verify CSRF
token authenticity"
[Text formatting]
* Defect #37237: Common Markdown Formatter does not render all properties on
HTML elements
* Patch #37713: Add rel="noopener" to all external links that would open a
new tab/window
* Defect #37379: Thumbnail macro does not work when a file is attached and
preview is displayed immediately
[Translations]
* Defect #37529: Fix mistranslation of label button_create_and_follow in
Russian translation
* Defect #37603: Missing translation for label_default_queries.for_this_user
* Patch #35613: German translation update of Wiki syntax help for 5.0-stable
* Patch #37263: Lithuanian translation update for 5.0-stable
* Patch #37698: Persian translation update for 4.2-stable
[UI]
* Defect #36901: Jump to project is misaligned in Safari 15.4 and later
* Defect #37282: Subtask isn't displayed correctly since 4.2.7
* Defect #37481: Fix the unintentional selection of rows with the context
menu
* Defect #37566: The number of the ordered list in the project description
is not displayed and the indentation does not match the unordered list
|
|
www/webkit-gtk: aarch64 build fix
Revisions pulled up:
- www/webkit-gtk/Makefile 1.239
- www/webkit-gtk/distinfo 1.172
- www/webkit-gtk/patches/patch-Source_cmake_OptionsCommon.cmake 1.7
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 8 11:06:36 UTC 2022
Modified Files:
pkgsrc/www/webkit-gtk: Makefile distinfo
pkgsrc/www/webkit-gtk/patches: patch-Source_cmake_OptionsCommon.cmake
Log Message:
webkit-gtk: Attempt to fix the build on NetBSD 9 aarch64 by avoiding
the compiler builtin __int128_t implementation
related to PR toolchain/57022
|
|
devel/ruby-redmine42: security fix
Revisions pulled up:
- devel/ruby-redmine42/Makefile 1.15
- devel/ruby-redmine42/PLIST 1.4
- devel/ruby-redmine42/distinfo 1.11
- devel/ruby-redmine42/patches/patch-Gemfile 1.7
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 9 15:31:47 UTC 2022
Modified Files:
pkgsrc/devel/ruby-redmine42: Makefile PLIST distinfo
pkgsrc/devel/ruby-redmine42/patches: patch-Gemfile
Log Message:
devel/ruby-redmine42: update to 4.2.8
4.2.8 (2022-10-02)
[Code cleanup/refactoring]
* Defect #37449: Passing a wrong parameter to `with_settings` in
UserTest::test_random_password_include_required_characters
[Filters]
* Defect #36940: Chained custom field filter doesn't work for User fields
* Defect #37349: Chained custom field filter for User fields returns 500
internal server error when filtering after a float value
[Issues]
* Defect #37473: Focus IssueId not working when linking issues
[Issues list]
* Defect #37268: Performance problem with Redmine 4.2.7 and 5.0.2
[Rails support]
* Patch #37465: Update Rails to 5.2.8.1
[Security]
* Defect #37492: Update jQuery UI to 1.13.2
[SCM]
* Defect #37718: Repository browser does not show "+" (plus sign) in
filename
[Text formatting]
* Defect #37379: Thumbnail macro does not work when a file is attached and
preview is displayed immediately
[Translations]
* Patch #37698: Persian translation update for 4.2-stable
[UI]
* Defect #36901: Jump to project is misaligned in Safari 15.4 and later
* Defect #37282: Subtask isn't displayed correctly since 4.2.7
* Defect #37481: Fix the unintentional selection of rows with the context
menu
* Defect #37566: The number of the ordered list in the project description
is not displayed and the indentation does not match the unordered list
|
|
databases/sqlite3: security fix (for ruby-sqlite3)
Revisions pulled up:
- databases/sqlite3-docs/PLIST 1.118
- databases/sqlite3-docs/distinfo 1.121
- databases/sqlite3-tcl/distinfo 1.133
- databases/sqlite3/Makefile.common 1.95
- databases/sqlite3/distinfo 1.188
- devel/lemon/distinfo 1.62
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Oct 3 12:27:52 UTC 2022
Modified Files:
pkgsrc/databases/sqlite3: Makefile.common distinfo
pkgsrc/databases/sqlite3-docs: PLIST distinfo
pkgsrc/databases/sqlite3-tcl: distinfo
pkgsrc/devel/lemon: distinfo
Log Message:
sqlite3: updated to 3.39.4
Changes in version 3.39.4 (2022-09-29):
Fix the build on Windows so that it works with -DSQLITE_OMIT_AUTOINIT
Fix a long-standing problem in the btree balancer that might, in rare cases, cause database corruption if the application uses an application-defined page cache.
Enhance SQLITE_DBCONFIG_DEFENSIVE so that it disallows CREATE TRIGGER statements if one or more of the statements in the body of the trigger write into shadow tables.
Fix a possible integer overflow in the size computation for a memory allocation in FTS3.
Fix a misuse of the sqlite3_set_auxdata() interface in the ICU Extension.
|
|
lang/ocaml: evbarm build fix
Revisions pulled up:
- lang/ocaml/Makefile 1.146
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 8 11:11:16 UTC 2022
Modified Files:
pkgsrc/lang/ocaml: Makefile
Log Message:
ocaml: Needs imprecise-c99-float-ops to build on NetBSD/arm
|
|
lang/openjdk8: build fix
Revisions pulled up:
- lang/openjdk8/distinfo 1.93
- lang/openjdk8/patches/patch-hotspot_src_os__cpu_bsd__zero_vm_os__bsd__zero.cpp 1.5
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 8 11:20:07 UTC 2022
Modified Files:
pkgsrc/lang/openjdk8: distinfo
pkgsrc/lang/openjdk8/patches:
patch-hotspot_src_os__cpu_bsd__zero_vm_os__bsd__zero.cpp
Log Message:
openjdk: fix building "zero" vm with GCC < 10
|
|
graphics/babl: evbarm build fix
Revisions pulled up:
- graphics/babl/Makefile 1.53
- graphics/babl/PLIST 1.24
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Oct 8 11:15:53 UTC 2022
Modified Files:
pkgsrc/graphics/babl: Makefile PLIST
Log Message:
babl: Fix PLIST on 32-bit ARM
|
|
|
graphics/cairo-gobject: macOS build fix
Revisions pulled up:
- graphics/cairo-gobject/Makefile 1.41
- graphics/cairo/buildlink3.mk 1.62
- graphics/cairo/options.mk 1.23
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Oct 4 07:13:52 UTC 2022
Modified Files:
pkgsrc/graphics/cairo: options.mk
Log Message:
cairo: turn off xcb on macOS too by default
since it implies x11
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Oct 4 07:14:11 UTC 2022
Modified Files:
pkgsrc/graphics/cairo: buildlink3.mk
Log Message:
cairo: make buildlink3 logic for xcb match options.mk
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Oct 4 07:34:07 UTC 2022
Modified Files:
pkgsrc/graphics/cairo-gobject: Makefile
Log Message:
cairo-gobject: fix some pkglint
|
|
www/drupal9: security fix
Revisions pulled up:
- www/drupal9/Makefile 1.6
- www/drupal9/PLIST 1.4
- www/drupal9/distinfo 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 6 14:09:50 UTC 2022
Modified Files:
pkgsrc/www/drupal9: Makefile PLIST distinfo
Log Message:
www/drupal9: update to 9.3.22
9.3.21 (2022-08-03)
* Issue #3301495 by lauriii, nod_: Update CKEditor 5 to 35.0.1
* Issue #3300773 by bradjones1, xjm, catch, andypost, Spokje: Fix failed
test on `symfony/http-foundation` 4.4.44/6.1.3 and later
9.3.22 (2022-09-28)
This release fixes security vulnerabilities. Sites are urged to update
immediately after reading the notes below and the security announcement:
* Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
No other fixes are included.
|
|
lang/go119: security fix
Revisions pulled up:
- lang/go/version.mk 1.163
- lang/go119/PLIST 1.3
- lang/go119/distinfo 1.3
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Oct 5 11:20:24 UTC 2022
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go119: PLIST distinfo
Log Message:
Update go119 to 1.19.2
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the
inbound request, including unparseable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter
with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy.Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and
Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
|
|
net/isc-dhcp4: security fix
Revisions pulled up:
- net/isc-dhcp4/Makefile.common 1.45
- net/isc-dhcp4/distinfo 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Oct 5 16:16:54 UTC 2022
Modified Files:
pkgsrc/net/isc-dhcp4: Makefile.common distinfo
Log Message:
net/isc-dhcp4: update to 4.4.3p1
4.4.3p1 (ISC DHCP 4.4.3-P1), 2022-10-05
Changes since 4.4.3 (Bug Fixes)
! Corrected a reference count leak that occurs when the server builds
responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
Lab for reporting the issue.
[Gitlab #253]
CVE: CVE-2022-2928
! Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63 bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
[Gitlab #254]
CVE: CVE-2022-2929
|
|
lang/go118: security fix
Revisions pulled up:
- lang/go/version.mk 1.162
- lang/go118/PLIST 1.8
- lang/go118/distinfo 1.8
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Oct 5 09:51:52 UTC 2022
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go118: PLIST distinfo
Log Message:
go118: update to 1.18.7
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the
inbound request, including unparseable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter
with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy.Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and
Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
|
|
I hereby declare this stable branch open :)
|
|
lang/nodejs: security fix
Revisions pulled up:
- lang/nodejs/Makefile 1.241
- lang/nodejs/PLIST 1.65
- lang/nodejs/distinfo 1.222
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Sep 27 07:59:10 UTC 2022
Modified Files:
pkgsrc/lang/nodejs: Makefile PLIST distinfo
Log Message:
nodejs: updated to 18.9.1
Version 18.9.1 (Current)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
Insufficient fix for macOS devices on v18.5.0
CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
Insufficient fix on v18.5.0
CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
Insufficient fix on v18.5.0
CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
CVE-2022-35255: Weak randomness in WebCrypto keygen
|
|
lang/php80: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.377
- lang/php80/distinfo 1.25
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Oct 1 00:28:12 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php80: distinfo
Log Message:
lang/php80: update to 8.0.24
29 Sep 2022, PHP 8.0.24
- Core:
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
(Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb,
Christian Schneider)
. Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static
type). (ilutov)
. Fix #81727 (Don't mangle semantically meaningful HTTP var names). (derick)
- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
(Nathan Freeman)
- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to
error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was
aborted). (Jakub Zelenka)
- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed
to gmp_init()). (Girgias)
- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
(Girgias)
- Phar:
. Fix #81726 (DOS when using quine gzip file). (cmb)
- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
(Yurunsoft)
- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called
class of a Closure). (cmb, Nicolas Grekas)
. Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites").
(ilutov)
- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line).
(cmb, timwolla)
|
|
lang/php81: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.376
- lang/php81/distinfo 1.13
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Oct 1 00:27:05 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php81: distinfo
Log Message:
lang/php81: update to 8.1.11
29 Sep 2022, PHP 8.1.11
- Core:
. Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
(CVE-2022-31628). (cmb)
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. (CVE-2022-31629). (Derick)
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
(Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb,
Christian Schneider)
. Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class
constants in constant expressions). (ilutov)
- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
(Nathan Freeman)
- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to
error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was
aborted). (Jakub Zelenka)
- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed
to gmp_init()). (Girgias)
- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
(Girgias)
- PCRE:
. Fixed pcre.jit on Apple Silicon. (Niklas Keller)
- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
(Yurunsoft)
- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called
class of a Closure). (cmb, Nicolas Grekas)
- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line).
(cmb, timwolla)
|
|
lang/php74: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.375
- lang/php74/distinfo 1.38
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Oct 1 00:25:22 UTC 2022
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php74: distinfo
Log Message:
29 Sep 2022, PHP 7.4.32
- Core:
. Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
(CVE-2022-31628). (cmb)
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. (CVE-2022-31629). (Derick)
|
|
lang/nodejs14: security fix
Revisions pulled up:
- lang/nodejs14/Makefile 1.5
- lang/nodejs14/distinfo 1.4
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Sep 27 07:54:19 UTC 2022
Modified Files:
pkgsrc/lang/nodejs14: Makefile distinfo
Log Message:
nodejs14: updated to 14.20.1
Version 14.20.1 'Fermium' (LTS)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
|
|
blas: build fix for BLAS_TYPE=openblas_pthread
Revisions pulled up:
- mk/blas.buildlink3.mk 1.4
---
Module Name: pkgsrc
Committed By: thor
Date: Mon Sep 26 09:33:01 UTC 2022
Modified Files:
pkgsrc/mk: blas.buildlink3.mk
Log Message:
blas.bl3: Fix BLAS_INCLUDES for openblas_pthread with 32 bit (default) indices
|
|
|
Updated www/nginx-devel to 1.23.1nb2
|
|
ChangeLog: https://github.com/openresty/lua-nginx-module/compare/v0.10.21...v0.10.22
Bump PKGREVISIONs.
|
|
This re-orders the two tests for altivec to first try with
<altivec.h> included, and the second without.
The configure script is hand-patched, corresponding to configure.ac;
I could not generate a working configure script...
|
|
|