security update for mysqladmin
Patch provided by the submitter.
Module Name: pkgsrc
Committed By: tron
Date: Sun Mar 26 17:55:28 UTC 2006
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Added Files:
pkgsrc/databases/phpmyadmin/patches: patch-aa
Log Message:
Update "phpmyadmin" package to version 2.8.0.2.
Changes since version 2.8.0.1:
- XSS vulnerability (set_theme)
- mysqli problems with zend.ze1_compatibility_mode enabled
- setup script did not save the mysql/mysqli extension
Package source related changes:
- incorporate fix for phpMyAdmin bug #1436279 to make the package usable
with Safari under Mac OS X again
---
Module Name: pkgsrc
Committed By: tron
Date: Wed Mar 29 14:04:48 UTC 2006
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile
Log Message:
Remove ".orig" files from work directory before installation so they
don't get installed. This fixes a package list problem reported by
Lubomir Sedlacik in private e-mail. Bump package revision.
security fix for sendmail
Revisions pulled up:
- pkgsrc/mail/sendmail/Makefile 1.84
- pkgsrc/mail/sendmail/Makefile.common 1.32
- pkgsrc/mail/sendmail/distinfo 1.27
Module Name: pkgsrc
Committed By: adrianp
Date: Wed Mar 22 19:56:37 UTC 2006
Modified Files:
pkgsrc/mail/sendmail: Makefile Makefile.common distinfo
Log Message:
Update sendmail to address the current security issue
Bump to nb2
This will change the internal version of sendmail to 8.13.5.20060308
> SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
> and client side of sendmail with timeouts in the libsm I/O
> layer and fix problems in that code. Also fix handling of
> a buffer in sm_syslog() which could have been used as an
> attack vector to exploit the unsafe handling of
> setjmp(3)/longjmp(3) in combination with signals.
> Problem detected by Mark Dowd of ISS X-Force.
> Handle theoretical integer overflows that could be triggered if
> the server accepted headers larger than the maximum
> (signed) integer value. This is prevented in the default
> configuration by restricting the size of a header, and on
> most machines memory allocations would fail before reaching
> those values. Problems found by Phil Brass of ISS.
security fix for sendmail812
Revisions pulled up:
- pkgsrc/mail/sendmail812/Makefile 1.8
- pkgsrc/mail/sendmail812/Makefile.common 1.10
- pkgsrc/mail/sendmail812/distinfo 1.4
Module Name: pkgsrc
Committed By: tv
Date: Wed Mar 22 21:19:06 UTC 2006
Modified Files:
pkgsrc/mail/sendmail812: Makefile Makefile.common distinfo
Log Message:
Update sendmail (with vendor patch) to address the current security issue:
http://www.kb.cert.org/vuls/id/834865
Bump to nb2.
This will change the internal version of sendmail to 8.12.11.20060308.
> SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
> and client side of sendmail with timeouts in the libsm I/O
> layer and fix problems in that code. Also fix handling of
> a buffer in sm_syslog() which could have been used as an
> attack vector to exploit the unsafe handling of
> setjmp(3)/longjmp(3) in combination with signals.
> Problem detected by Mark Dowd of ISS X-Force.
> Handle theoretical integer overflows that could be triggered if
> the server accepted headers larger than the maximum
> (signed) integer value. This is prevented in the default
> configuration by restricting the size of a header, and on
> most machines memory allocations would fail before reaching
> those values. Problems found by Phil Brass of ISS.
security update for curl
Revisions pulled up:
- pkgsrc/www/curl/Makefile 1.62, 1.63
- pkgsrc/www/curl/PLIST 1.19
- pkgsrc/www/curl/distinfo 1.43, 1.44
- pkgsrc/www/curl/patches/patch-aa removed
- pkgsrc/www/curl/patches/patch-ac removed
Module Name: pkgsrc
Committed By: wiz
Date: Fri Mar 3 22:26:08 UTC 2006
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-aa
Log Message:
Update to 7.15.2:
Version 7.15.2 (27 February 2005)
Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
different but related bugs:
1) Removing an easy handle from a multi handle before the transfer is done
could leave a connection in the connection cache for that handle that is
in a state that isn't suitable for re-use. A subsequent re-use could then
read from a NULL pointer and segfault.
2) When an easy handle was removed from the multi handle, there could be an
outstanding c-ares DNS name resolve request. When the response arrived,
it caused havoc since the connection struct it "belonged" to could've
been freed already.
Now Curl_done() is called when an easy handle is removed from a multi handle
prematurely (that is, before the transfer was completed). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
type to the already provided type CURLPROXY_SOCKS4.
I added a --socks4 option that works like the current --socks5 option but
instead use the socks4 protocol.
Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
content when libcurl didn't honor the internal ignorebody flag.
Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate
code. It should however not be the cause of any troubles. He also fixed a
few similar problems in the HTTP test server code.
Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times,
as previously it could be holding on to old cached entries longer than
requested.
Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
that an app can use to let libcurl only connect to a remote host and then
extract the socket from libcurl. libcurl will then not attempt to do any
transfer at all after the connect is done.
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
instead of LDFLAGS.
Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem
with re-used FTP connections. If the second request on the same connection
was set not to fetch a "body", libcurl could get confused and consider it an
attempt to use a dead connection and would go acting mighty strange.
Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
change done in November 2005.
Daniel (30 January 2006)
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
curl tool with --local-port. Plain and simply set the range of ports to bind
the local end of connections to. Implemented on to popular demand.
- Based on an error report by Philippe Vaucher, we no longer count a retried
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
connection is re-setup and 2) it does make the max-redirs counter behave
wrong.
Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try
PASV even after EPSV returned a positive response code, if libcurl failed to
connect to the port number the EPSV response said. Obviously some people are
going through protocol-sensitive firewalls (or similar) that don't
understand EPSV and then they don't allow the second connection unless PASV
was used. This also called for a minor fix of test case 238.
Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP]
(CURLOPT_FTPPORT) didn't work for ipv6-enabled curls if the IP wasn't a
"native" IP while it works fine for ipv6-disabled builds!
In the process of fixing this, I removed the support for LPRT since I can't
think of many reasons to keep doing it and asking on the mailing list didn't
reveal anyone else that could either. The code that sends EPRT and PORT is
now also a lot simpler than before (IMHO).
Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
(built ipv4-only) didn't work.
Daniel (18 January 2006)
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
the configure script complained about a missing "missing" script if you ran
configure within a path whose name included one or more spaces. This is due
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
be used instead of the one automake ships with. This kludge needs to be
removed once we get an automake version with this problem corrected.
Possibly we'll then need to convert this into a kludge depending on what
automake version that is used and that is gonna be painful and I don't even
want to think about that now...!
Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
the latest features and protocols that libcurl supports and has a minor fix
to better deal with the obscure case where someone has more than one libcurl
installed at the same time.
Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially
not supporting it. It hasn't been functioning for years anyway, so this is
just finally stating what already was true. And a cleanup at the same time.
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
into a counter, and thus you can now do multiple curl_global_init() and you
are then supposed to dot of calls to curl_global_cleanup().
Bryan has also updated the docs accordingly.
Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the
ript to kill all processes in the current process group!
Daniel (12 January 2006)
- Michael Jahn:
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
HTTP proxh a proxy. It would
previously overwrite internal memory and cause unpredicted behaviour!
Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've receivedts from November 2005:
I'm looking for feedback and comments. I added some experimental code the
other day, that allows a libcurl user to select what method libcurl should
use to reality is available in CVS code and in recent daily snapshots.
Let me explain...
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
the command line tool) andt do this:
1 multicwd - like today, curl will do a single CWD operation for each path
part in the given URL. For deep hierarchies this means very many
commands. This is how RFC1738 says it should be done. This is the
- no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
a full path to the server.
3 singlecwd - make one CWD with the full target directory and then operate
on the file "normally".
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
one of "multicwd", "nocwd" or "singlecwd".)
What feedback I'm interested in:vers where one of these don't work?
2 - What would proper names for the option and its arguments be, if we
consider this feature good enough to get included and documented in
ses?
3 - Should we make libcurl able to "walk through" these options in case of
(path related) failures, or should it fail and let the user redo any
possible retries?
(Thi any man page just yet since I'm not sure
these names will be used or if the functionality will end up exactly like
this. And for the same reasons we have no test cases for these yet.)
Daniel (10 January 2006)
- When using a bad path over FTP, asinto all
given subdirs, libcurl would still "remember" the full path as if it is the
current directory libcurl is in so that the next curl_easy_perform() would
get really confused if
---
Module Name: pkgsrc
Committed By: recht
Date: Tue Mar 21 21:49:47 UTC 2006
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-ac
Log Message:
update to curl 7.15.3
Fixes a TFTP packet buffer overflow vulnerability.
See http://curl.haxx.se/docs/adv_20060320.html for details.
Changes:
- added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD
Bugfixes:
- TFTP Packet Buffer Overflow Vulnerability
- properly detecting problems with sending the FTP command USER
- wrong error message shown when certificate verification failed
- multi-part formpost with multi interface crash
- the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- "SSL: couldn't set callback" is now treated as a less serious problem
- Interix build fix
- fixed curl "hang" when out of file handles at start
- prevent FTP uploads to URLs with trailing slash
fix namazu2 dependency on File::MMagic
Revisions pulled up:
- pkgsrc/textproc/namazu2/Makefile 1.30
Module Name: pkgsrc
Committed By: wiz
Date: Sat Mar 18 22:22:31 UTC 2006
Modified Files:
pkgsrc/textproc/namazu2: Makefile
Log Message:
Depend on p5-File-MMagic>=1.25, from ISIHARA Takanori in PR 33099.
No PKGREVISION bump since older versions broke configure (-> no binary pkg).
security update for namazu2
Revisions pulled up:
- pkgsrc/textproc/namazu2/Makefile 1.27, 1.29
- pkgsrc/textproc/namazu2/PLIST 1.11
- pkgsrc/textproc/namazu2/distinfo 1.8, 1.9
- pkgsrc/textproc/namazu2/patches/patch-ac removed
- pkgsrc/textproc/namazu2/patches/patch-ad removed
- pkgsrc/textproc/namazu2/patches/patch-ae removed
- pkgsrc/textproc/namazu2/patches/patch-af removed
- pkgsrc/textproc/namazu2/patches/patch-ag removed
- pkgsrc/textproc/namazu2/patches/patch-ah removed
- pkgsrc/textproc/namazu2/patches/patch-ai removed
- pkgsrc/textproc/namazu2/patches/patch-aj removed
- pkgsrc/textproc/namazu2/patches/patch-ak removed
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 2 16:02:37 UTC 2006
Modified Files:
pkgsrc/textproc/namazu2: Makefile PLIST distinfo
Removed Files:
pkgsrc/textproc/namazu2/patches: patch-ac patch-ad patch-ae patch-af
patch-ag patch-ah patch-ai patch-aj patch-ak
Log Message:
Update namazu2 package to 2.0.15.
Overview of Changes in Namazu 2.0.15 - Jan. 29, 2006
* The mistake of the document concerning ISO-8859-* is corrected.
* RedHat software namazu.spec was taken in.
The unnecessary patch was deleted.
* Include File::MMagic 1.25.
* Support MeCab.
* Add -b and --use-mecab options for mknmz.
* Add --norc option for mknmz and namazu.
* Add --decode-base64 option for mknmz.
* Add new filters (Gnumeric, Koffice, Mainman/Pipermail, Zip, Visio).
* Add new directives for mknmzrc (MECAB, DENY_DDN).
To skip when filename is DDN.
* Add sorting function by date of field.
* Added new files (nmzcat, nmzegrep).
* Adapt new filter programs (wvWare 1.0.3, xlhtml 0.5.1, xpdf 3.01).
* For Windows of filter (msword.pl, excel.pl, powerpoint.pl,
postscript.pl, etc...).
* Ole control filter renewal.
* ';' can be used as the delimiter of QUERY_STRING.
* Add the Perl version test program (pltests).
* Fix some bugs.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 12 14:36:54 UTC 2006
Modified Files:
pkgsrc/textproc/namazu2: Makefile distinfo
Log Message:
Update namazu to 2.0.16.
Overview of Changes in Namazu 2.0.16 - Mar 12, 2006
* Directory traversal problem by lang and result of CGI parameter
is corrected.
* Substitution of "-r" that doesn't correspond to ACL of NTFS.
* It corresponds to the file name including space.
* For MeCab-perl-0.90rc10.
security update for libextractor
Patch provided by the submitter.
Module Name: pkgsrc
Committed By: adam
Date: Sun Mar 5 22:06:38 UTC 2006
Modified Files:
pkgsrc/devel/libextractor: Makefile PLIST buildlink3.mk distinfo
pkgsrc/devel/libextractor/patches: patch-ab patch-ac
Removed Files:
pkgsrc/devel/libextractor/patches: patch-aa patch-ad patch-ae
Log Message:
Changes 0.5.10:
* Yet another round of XPDF-related security fixes.
* Mis-detection of man pages as part of TAR archives fixed.
* More Mime-types for the OLE2 extractor. Also ignore (harmless)
libc errors in plugins when extracting.
* More TAR improvements: keywords 'date' and 'format' are
extracted. More checksums variants were added. Long filenames
as produced by GNU and Schilling tar (possibly Solaris pax also)
are extracted.
Changes 0.5.9:
* Made TAR extractor parsing more robust.
* Fixing crash in MIME-extractor due to typo in the code.
* Fixed security problems in PDF extractor
---
Module Name: pkgsrc
Committed By: joerg
Date: Thu Mar 16 14:04:58 UTC 2006
Modified Files:
pkgsrc/devel/libextractor: distinfo
Added Files:
pkgsrc/devel/libextractor/patches: patch-aa
Log Message:
Stupid code using zlib's prototype header. Patch away.
security update for php4
Patch provided by the submitter.
Module Name: pkgsrc
Committed By: cube
Date: Fri Mar 3 07:11:34 UTC 2006
Modified Files:
pkgsrc/www/php4: Makefile Makefile.common PLIST distinfo
Added Files:
pkgsrc/www/php4/patches: patch-ao patch-ap
Removed Files:
pkgsrc/www/php4/patches: patch-ab patch-am patch-an
Log Message:
Update to version 4.4.2. Ok'd by jdolecek@.
This is a bug fix release, which addresses some security problems too.
The major points that this release corrects are:
* Prevent header injection by limiting each header to a single line.
* Possible XSS inside error reporting functionality.
* Missing safe_mode/open_basedir checks into cURL extension.
* Apache 2 regression with sub-request handling on non-Linux systems.
* key() and current() regression related to references.
This release also fixes about 30 other defects.
---
Module Name: pkgsrc
Committed By: cube
Date: Mon Mar 6 15:57:58 UTC 2006
Modified Files:
pkgsrc/www/php4: distinfo
pkgsrc/www/php4/patches: patch-ao
Log Message:
Increase memory limit when installing PEAR packages. This allows the
installation to go through on NetBSD/sparc64 (well, at least mine).
Failure reported by Joel Carnat.
security update for bugzilla
Revisions pulled up:
- pkgsrc/devel/bugzilla/Makefile 1.17
- pkgsrc/devel/bugzilla/PLIST 1.8
- pkgsrc/devel/bugzilla/distinfo 1.10
Module Name: pkgsrc
Committed By: adrianp
Date: Tue Feb 21 16:48:55 UTC 2006
Modified Files:
pkgsrc/devel/bugzilla: Makefile PLIST distinfo
Log Message:
Update to 2.20.1
Make pkglint happier
This also fixes a number of security issues:
http://www.securityfocus.com/archive/1/425584/30/0/threaded
> Version 2.20.1
> --------------
>
> + Many PostgreSQL fixes, including fixing whine.pl on Pg 8
> (bug 301062) and fixing the --regenerate option of collectstats.pl
> for all versions of Pg (bug 316971). However, users who want full
> PostgreSQL support are encouraged to use the 2.22 series, as
> certain PostgreSQL bugs were discovered that will not be fixed
> in 2.20 (their fixes were too complex).
>
> + In Bugzilla 2.20, the "administrator" user created by checksetup.pl
> would not ever be sent email, because their email preferences were
> left blank. This has been fixed for 2.20.1. However, if you created
> this administrative user with Bugzilla 2.20, make sure to go back
> and enable their Email Preferences. (bug 317489)
>
> + The bzdbcopy.pl script mentioned in these release notes
> has now actually been checked-in to the 2.20 branch, and so
> it's included in this release. (bug 291776)
>
> + When there's only one Classification, you now won't be required
> to pick a Classification on bug entry. (bug 311489)
>
> + You can no longer add dependencies on bugs you can't see.
> (bug 141593)
>
> + The CC list is included in "New" bug emails, again. (bug 313661)
>
> + In the original 2.20, certain scripts were not correctly using
> the "shadow database," if it was specified. This has been fixed
> in 2.20.1. (bug 313695)
>
> + "Saved Searches" that were saved before Bugzilla 2.20, would throw
> an error if they contained "Days Since Bug Changed." as part of their
> criteria. This has been fixed in Bugzilla 2.20.1. (bug 302599)
>
> + You can now successfully delete a product even when Target Milestones
> are turned off. (bug 317025)
>
> + checksetup.pl now correctly pre-compiles templates for languages other
> than English. (bug 304417)
>
> + The "All Closed" chart that is created by default in New Charts
> now actually represents all closed bugs, and not all bugs in the
> product. (bug 300473)
>
> + CSV bug lists with more than 1000 dates now work properly. (bug 257813)
>
> + Various bugs with upgrading from previous versions of Bugzilla
> have been fixed. (bug 307662, bug 311047, bug 310108)
>
> + Many, many other bug fixes. See
> http://www.bugzilla.org/status/changes.html
> for details on what was fixed between 2.20 and 2.20.1.
security update for monotone
Patch provided by the submitter.
Module Name: pkgsrc
Committed By: jmmv
Date: Thu Mar 9 20:30:16 UTC 2006
Modified Files:
pkgsrc/devel/monotone: Makefile distinfo
Log Message:
Update to 0.25.2:
0.25.2 release. Important security fix for Windows and OS X
users.
With versions of monotone prior to this release, a person with
commit access could commit a malicious file with a name like
"mt/monotonerc". When anybody else then checked out this
revision on a system with a case-folding filesystem --
usually, this means, "on Windows or OS X" -- then their
monotone would run arbitrary Lua code stored in this file.
The _only_ change in this release as compared to 0.25 is that
the existing checks against files in MT are now extended to
check for mt, Mt, and mT.
All users on Windows and OS X, or otherwise checking out
versioned source on a case-insensitive filesystem, are
recommended to upgrade immediately. Binaries used only for
serving, or only on case-insensitive filesystems (i.e., most
Unix users), are not affected.
(0.25.1 was never released in source form. The original
0.25 build for Windows was found to have problems on NT 4, and
0.25.1 was a Windows-only rebuild with NT 4 compatible
libraries.)
security update for sun-j{re,dk}14
Revisions pulled up:
- pkgsrc/lang/sun-jdk14/Makefile 1.30, 1.31, 1.32
- pkgsrc/lang/sun-jdk14/PLIST 1.10
- pkgsrc/lang/sun-jdk14/buildlink3.mk 1.4, 1.5
- pkgsrc/lang/sun-jdk14/distinfo 1.16
- pkgsrc/lang/sun-jdk14/files/common 1.3
- pkgsrc/lang/sun-jre14/Makefile 1.35
- pkgsrc/lang/sun-jre14/PLIST 1.17
- pkgsrc/lang/sun-jre14/buildlink3.mk 1.4
- pkgsrc/lang/sun-jre14/distinfo 1.20
Module Name: pkgsrc
Committed By: wiz
Date: Thu Mar 2 21:37:01 UTC 2006
Modified Files:
pkgsrc/lang/sun-jdk14: Makefile PLIST
pkgsrc/lang/sun-jdk14/files: common
Log Message:
Fix PLIST. Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Mar 2 21:37:31 UTC 2006
Modified Files:
pkgsrc/lang/sun-jdk14: Makefile buildlink3.mk
Log Message:
pkgdelint.
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Mar 7 03:22:31 UTC 2006
Modified Files:
pkgsrc/lang/sun-jdk14: Makefile distinfo
pkgsrc/lang/sun-jre14: Makefile PLIST distinfo
Log Message:
Update sun-j{re,dk}14 to 1.4.11:
Changes in 1.4.2_11
Exception message's size is more than doubled every time an exception is thrown
CMS: assert during mark-word restoration
returning out of memory when -XX:+UseConcMarkSweepGC is used.
Concurrently memory allocation and JNI CS provoke OOM
Gc tests crashes on linux-ia64 at concurrentMarkSweepGeneration.cpp with -Xcongc
RFE: Stall allocation requests while heap is full and GC locker is held
Reduce default code cache sizes on 64-bit platforms
Intel IA64(Montecito) failed with 1.4.2_09
VM uselessly traps SIGCHLD on Linux (cleanup)
Linux build does not optimize AWT and other essential libraries
REGRESSION: ClassCastException in JISAutoDetect.java on 1.4.2_10
decodeText() doesn't convert from iso-2022-jp to Unicode for some Japanese chars
Increase compiler optimisation level for libfontmanager to improve runtime performance
Mouse Cursor should be the default cursor when ALT key is pressed, on win32
PIT: Default cursor is shown but changing when ALT key is down, on win32
RE 1.5.0_04 copy and paste fails in Modal JDialog
REGRESSION: 6 JCK14a api/java_lang/StrictMath tests fail on tiger
java.net.Socket checks for old-style impls
InetAddress never caches hostnames with upper case characters
(coll) Exception thrown while deserializing HashMap
(coll) The writeObject() specification in HashMap.java was changed in 1.4.2_11
Correction to the new Azerbaijani currency
(tz) Regression test java/util/TimeZone/SolarisTZVM.sh is failing on Solaris 10
GregorianCalendar doesn't work in non-lenient due to timezone bounds checking
(tz) Support tzdata2005n
(tz) java/util/TimeZone/WinTZVM.sh fails on amd64
New Azerbaijani currency
Cannot deserialize a Calendar with Security on
(tz) Incorrect default timezone for Santiago, Chile on Win32.
REGRESSION: serious performance degradation as GZIPInputStream is slower
Problem with jre 1.4.2_08 install/uninstall script
The official version number is not correct in release notes
Java Process terminates abnormally, related to Attach/detach operation in jni.cpp
realloc should not be used in cjavajni.cpp
Socket timeouts for SSLSockets causes data corruption
Changes in 1.4.2_10
hotspot crashes when c1 compiler thread is running in 6.0b26
hotspot crashes(SIGSEGV) when many local variables are used in one java program
JVM 1.4.2_06 crash in C2 compiler at IdealLoopTree::policy_do_remove_empty_loop
HotSpot compiler error (Error ID : 4F530E43505002EF 01) uploading large files
Full GC causes core
Hotspot problem with loop-variables of type long on jdk1.4.2/Itanium
CMS: perm gen expansion without explicit GC, but with concurrent cycle initiation.
CMS: more helpful message for concurrent mode failures
JVM crash in "instanceof" codelet, array of secondary supertypes at end of heap.
deadlock at VM startup when JVMPI / JDWP both enabled
Performance problems with com.sun.corba.se.impl packages in 5.0
1.4.2xx only: org.omg.CORBA.OBJECT_NOT_EXIST errors when using -Dcom.sun.CORBA.ORBServerPort
1.4.2xx only - Sun ORB Hang
Memory Leak in Class Loaders with RMI-IIOP
Worse performance of isSupported for JISAutoDetect (1.4.X)
ArrayIndexOutOfBoundsException when opening PrintDialog with HP LaserJet 1300
nsk/regression/b4305163 test dumps core on solx86
Font.equals in 1.4.2 needs tightening to include the native font pointer.
NPE thrown when opening PrintDialog with HP LaserJet 8000N
java.awt.color.ICC_Profile should define serialVersionUID
Color Management code is not thread safe in HT/SMP machine
Component.removeNotify() should always deactivate InputContext
problem with DefaultPersistenceDelegate use of reflection
JRE 1.4.2_07 lacks support for Japanese on RHEL-4
(fs) FileChannelImpl.c: off64_t should be used for flock64 (F_SETLK64) in 1.4.2_07 (lnx)
(so) client does not see (NIO-created) socket close with SO_TIMEOUT
REGRESSION: Lock.java is failing with 1.4.2_10-b01 and passing with 1.4.2_09-b05
(se) DevPollSelectorProvider stops being the default on Solaris 10
Cannot Ctrl-Shift-Click to create disjoint selection interval in list
gif files not found error message displayed at console
Problem with applet interaction with system selection clipboard
New currencies for Afghanistan and East Timor
(rb) Update javadoc for java.util.ListResourceBundle class
ListResourceBundle subclasses should have protected getContents() returning Object[][] copy
GZipOutputStream/InputStream goes critical(calls JNI_Get*Critical) and causes slowness
Auto regression test 5098318 was failing with 142_10-b01
Auto regression test case 6282891 was failing with 142_10-b01(Compilation failed)
Auto regression test case 6232446 was failing with 142_10-b01 on Sol10-sparc
Manual regression testcase 4902977 scripts(runTest.ksh) has to be modified to support Suse9.3
Manual regression Testcase (4861802) is failing on Solaris10-sparc with 5.0u6_b02 and 1.4.2-10_b01
Manual Regression test 4974531 instructions need modification
TESTBUG: 6291034 testcase is failing with exit code1
SubClasses of ListResourceBundle should fix getContents()
Subclasses of ListResourceBundle should fix getContents()
FileCacheImageInputStream and FileCacheImageOutputStream should avoid File.deleteOnExit
JAR verification causes significant footprint increases
1.4.2_10 nightly build failed
creating JVM via C program "steals" space from main thread stack rendering JNI useless
Auto regression testcases(sun/tools/jps/jps-*.sh) is failing.
java launcher should define -Dsun.java.launcher
IFrame in Applet flickers
Applet will not reauthenticate user when returning from another applet
java web start cannot start on linux with newer glibc
Testcase TestMaliciousSigObj.java in JCE workspace has an extra closing brace
Cached Jar file should be released on appl. exit even that is opened by Cipher
intermittent "RSA PreMasterSecret error" during ssl handshake
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Mar 7 04:36:21 UTC 2006
Modified Files:
pkgsrc/lang/sun-jre14: buildlink3.mk
Log Message:
Bump BUILDLINK_RECOMMENDED for security fix.
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Mar 7 04:39:19 UTC 2006
Modified Files:
pkgsrc/lang/sun-jdk14: buildlink3.mk
Log Message:
Bump BUILDLINK_RECOMMENDED for security fix.
security update for squirrelmail
Revisions pulled up:
- pkgsrc/mail/squirrelmail/Makefile 1.65, 1.66, 1.68, 1.69
- pkgsrc/mail/squirrelmail/PLIST 1.17
- pkgsrc/mail/squirrelmail/buildlink3.mk 1.6, 1.7
- pkgsrc/mail/squirrelmail/distinfo 1.30
- pkgsrc/mail/squirrelmail/patches/patch-ab removed
- pkgsrc/mail/squirrelmail/patches/patch-ac removed
- pkgsrc/mail/squirrelmail/patches/patch-ad removed
- pkgsrc/mail/squirrelmail/patches/patch-ae removed
- pkgsrc/mail/squirrelmail/patches/patch-af removed
- pkgsrc/mail/squirrelmail/patches/patch-ag removed
- pkgsrc/mail/squirrelmail/patches/patch-ah removed
- pkgsrc/mail/squirrelmail/plugin.mk 1.3
- pkgsrc/mail/squirrelmail-decode/Makefile 1.3
- pkgsrc/mail/squirrelmail-locales/Makefile 1.11, 1.12, 1.13, 1.14
- pkgsrc/mail/squirrelmail-locales/PLIST 1.5, 1.6, 1.7
- pkgsrc/mail/squirrelmail-locales/distinfo 1.4
- pkgsrc/mail/ja-squirrelmail/Makefile 1.23, 1.24, 1.26
Module Name: pkgsrc
Committed By: joerg
Date: Fri Jan 20 23:56:59 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail: Makefile
Log Message:
Use SUBST framework. Replace some "find foo | xargs bar" with
"find foo -exec bar {} \;" while here, the former is faster, but can't
cope with all quoting issues and is also more likely to hit argument
length limits. CONFLICT to ja-squirrelmail.
---
Module Name: pkgsrc
Committed By: joerg
Date: Fri Jan 20 23:57:26 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: Makefile
Log Message:
Use SUBST. Use find foo -exec bar {} \; instead of find foo | xargs bar.
---
Module Name: pkgsrc
Committed By: martti
Date: Fri Feb 3 10:26:17 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail: Makefile
Log Message:
s/SMDIRDIR/SMDIR/ and bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: martti
Date: Fri Feb 3 10:26:44 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: Makefile
Log Message:
s/SMDIRDIR/SMDIR/ and bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: martti
Date: Fri Feb 17 07:04:25 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: Makefile
pkgsrc/mail/squirrelmail: Makefile buildlink3.mk plugin.mk
pkgsrc/mail/squirrelmail-locales: Makefile
Log Message:
Fixed warnings found by pkglint -Wall.
---
Module Name: pkgsrc
Committed By: martti
Date: Mon Feb 27 07:12:14 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail: Makefile PLIST buildlink3.mk distinfo
Removed Files:
pkgsrc/mail/squirrelmail/patches: patch-ab patch-ac patch-ad patch-ae
patch-af patch-ag patch-ah
Log Message:
Updated squirrelmail to 1.4.6
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
---
Module Name: pkgsrc
Committed By: martti
Date: Mon Feb 27 07:13:00 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail-locales: Makefile PLIST distinfo
Log Message:
Updated squirrelmail-locales to 1.4.6
* sync with squirrelmail 1.4.6
---
Module Name: pkgsrc
Committed By: cube
Date: Wed Mar 1 06:39:52 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail-locales: Makefile PLIST
Log Message:
Fix PLIST.
---
Module Name: pkgsrc
Committed By: martti
Date: Thu Mar 2 07:41:44 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail-decode: Makefile
Log Message:
Fix pkglint -Wall warnings.
---
Module Name: pkgsrc
Committed By: salo
Date: Wed Mar 15 11:48:29 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail-locales: Makefile PLIST
Log Message:
Fix PLIST. (hi cube and martti!)
security updates for sun-j{re,dk}13
Revisions pulled up:
- pkgsrc/lang/sun-jre13/Makefile 1.43
- pkgsrc/lang/sun-jre13/distinfo 1.16
- pkgsrc/lang/sun-jdk13/Makefile 1.38
- pkgsrc/lang/sun-jdk13/distinfo 1.18
Module Name: pkgsrc
Committed By: abs
Date: Wed Dec 28 09:21:57 UTC 2005
Modified Files:
pkgsrc/lang/sun-jre13: Makefile distinfo
Log Message:
Update lang/sun-jre13 to sun-jre13-1.0.17.
Changes since sun-jre13-1.0.16
- REGRESSION: hotspot c2 crash running rmi JCK tests
- server VM crashes with -Xcomp in 1.4.2_05
- Crashes at Function name=JVM_GetCPFieldSignatureUTF in jdk 1.3.1_13
- Exception message's size is more than doubled every time an
exception is thrown
- RFE: Stall allocation requests while heap is full and GC locker
is held
- VolanoTest OOM with mustang b14
- JVMPI obj_frees come before method_exits
- improve the performance of GC_locker
- JRE/Browser crash during repaint - IE/XP on MP or HT systems.
- GregorianCalendar returns bad WEEK_OF_YEAR
- Escalation: broken for time zone issue with date on windows
- Memory leak due to unreferenced Objects created via 1.3.1 ActiveX
bridge
- Possible regression in ActiveX Bridge 1.3.1_13 and higher
- Beans extending JPanel class are not released when created via
1.3.1 ActiveX bridge
---
Module Name: pkgsrc
Committed By: abs
Date: Wed Dec 28 09:22:31 UTC 2005
Modified Files:
pkgsrc/lang/sun-jdk13: Makefile distinfo
Log Message:
Update lang/sun-jdk13 to sun-jre13-1.0.17.
Changes since sun-jdk13-1.0.16
- REGRESSION: hotspot c2 crash running rmi JCK tests
- server VM crashes with -Xcomp in 1.4.2_05
- Crashes at Function name=JVM_GetCPFieldSignatureUTF in jdk 1.3.1_13
- Exception message's size is more than doubled every time an
exception is thrown
- RFE: Stall allocation requests while heap is full and GC locker
is held
- VolanoTest OOM with mustang b14
- JVMPI obj_frees come before method_exits
- improve the performance of GC_locker
- JRE/Browser crash during repaint - IE/XP on MP or HT systems.
- GregorianCalendar returns bad WEEK_OF_YEAR
- Escalation: broken for time zone issue with date on windows
- Memory leak due to unreferenced Objects created via 1.3.1 ActiveX
bridge
- Possible regression in ActiveX Bridge 1.3.1_13 and higher
- Beans extending JPanel class are not released when created via
1.3.1 ActiveX bridge
security fix for libast
Revisions pulled up:
- pkgsrc/devel/libast/Makefile 1.20
- pkgsrc/devel/libast/distinfo 1.4
- pkgsrc/devel/libast/patches/patch-aa 1.3
Module Name: pkgsrc
Committed By: joerg
Date: Tue Mar 7 02:30:41 UTC 2006
Modified Files:
pkgsrc/devel/libast: Makefile distinfo
Added Files:
pkgsrc/devel/libast/patches: patch-aa
Log Message:
Backport fix for CVE-2006-0224.
security fix for exim3
Revisions pulled up:
- pkgsrc/mail/exim3/Makefile 1.31
- pkgsrc/mail/exim3/distinfo 1.9
- pkgsrc/mail/exim3/patches/patch-ao 1.1
- pkgsrc/mail/exim3/patches/patch-ap 1.1
Module Name: pkgsrc
Committed By: joerg
Date: Mon Mar 6 22:49:16 UTC 2006
Modified Files:
pkgsrc/mail/exim3: Makefile distinfo
Added Files:
pkgsrc/mail/exim3/patches: patch-ao patch-ap
Log Message:
Fix parsing of IPv6 addresses, which could possibly result in privilege escalation.
security fix for tuxpaint
Revisions pulled up:
- pkgsrc/graphics/tuxpaint/Makefile 1.35
- pkgsrc/graphics/tuxpaint/distinfo 1.18
- pkgsrc/graphics/tuxpaint/patches/patch-ac 1.1
Module Name: pkgsrc
Committed By: adrianp
Date: Tue Jan 17 22:48:57 UTC 2006
Modified Files:
pkgsrc/graphics/tuxpaint: Makefile distinfo
Added Files:
pkgsrc/graphics/tuxpaint/patches: patch-ac
Log Message:
Add a patch via Debian to address:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3340
"The vulnerability is caused due to temporary files being created insecurely
in the "/tmp" directory by the tuxpaint-import.sh script. This can be
exploited via symlink attacks to create or overwrite arbitrary files with
the privileges of the user running the affected script."
Bump to nb6.
security update for snort
Revisions pulled up:
- pkgsrc/net/snort/distinfo 1.33, 1.34
- pkgsrc/net/snort/patches/patch-aa 1.13
- pkgsrc/net/snort/Makefile.common 1.32
Module Name: pkgsrc
Committed By: joerg
Date: Thu Feb 16 20:45:52 UTC 2006
Modified Files:
pkgsrc/net/snort: distinfo
pkgsrc/net/snort/patches: patch-aa
Log Message:
Fix errno.
---
Module Name: pkgsrc
Committed By: adrianp
Date: Thu Mar 9 09:37:44 UTC 2006
Modified Files:
pkgsrc/net/snort: Makefile.common distinfo
Log Message:
Update to 2.4.4
This includes the fix for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0839
> +2006-02-20 Steven Sturges <ssturges@sourcefire.com>
> + * src/preprocessors/spp_frag3.c:
> + * configure.in:
> + Fix ip options handling. Thanks to Vyacheslav Burdjanadze for
> + finding the issue.
> +
> +2006-01-09 Steven Sturges <ssturges@sourcefire.com>
> + * src/sfutil/mwm.c:
> + Fixed bug with multiple recurring patterns in Wu-Manbher
> + implementation.
> + Thanks to Evan Stawnyczy for pointing it out an Marc Norton for
> + the fix.
> + * src/parser/IpAddrSet.c:
> + Fixed problem with parsing conf file and rules when DNS is not
> + working.
> + Thanks Martin Olsson for mentioning this and testing the fix.
> + * src/preprocessors/spp_perfmonitor.c:
> + * src/preprocessors/perf-base.c:
> + Handle wrapping on 64-bit platforms
> +
> +2005-11-17 Andrew Mullican <amullican@sourcefire.com>
> + * src/sfutil/sfxhash.c:
> + * src/preprocessors/portscan.c:
> + Add tracker without using bogus data, to avoid internal buffer
> + overrun.
> + Thanks Sandro Poppi for the find.
> +
> +2005-11-11 Steven Sturges <ssturges@sourcefire.com>
> + * src/snort.c:
> + Allow value of 0 to be used with -G flag
> + * src/preprocessors/spp_bo.c:
> + Code Cleanup
> + * src/preprocessors/spp_frag3.c:
> + Fix memory leak and mishandling of IP Options. Thanks Yin
> + Zhaohui for the find.
security update for gnupg
Changes:
- pkgsrc/security/gnupg/Makefile 1.82
- pkgsrc/security/gnupg/distinfo 1.38
Module Name: pkgsrc
Committed By: ghen
Date: Fri Mar 10 15:10:08 UTC 2006
Modified Files:
pkgsrc/security/gnupg: Makefile distinfo
Log Message:
Update gnupg to 1.4.2.2, fixing another vulnerability:
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
mostly sync databases/postgresql73{,-client,-docs,-lib,-plperl,-pltcl,-server}, databases/{tcl,tk}-postgresql73 with HEAD, via patch, including security fix.
mostly sync databases/postgresql80{,-client,-plperl,-plpython,-pltcl,-server} with HEAD, via patch, including security fix.
mostly sync databases/postgresql74, databases/tcl-postgresql74, and databases/postgresql74-{client,contrib,docs,lib,plperl,plpython,server} with HEAD, via patch, including security fix.
PLIST fix for xfce4-print
Revisions pulled up:
- pkgsrc/print/xfce4-print/Makefile 1.16
- pkgsrc/print/xfce4-print/PLIST 1.13
Module Name: pkgsrc
Committed By: martti
Date: Mon Feb 20 08:17:09 UTC 2006
Modified Files:
pkgsrc/print/xfce4-print: Makefile PLIST
Log Message:
Fix build problems on Solaris (pkg/32875).
This change does not affect other platforms, and as it was not building
correctly on Solaris, I see no reason for a PKGREVISION bump.
security fix for bomberclone
Revisions pulled up:
- pkgsrc/games/bomberclone/Makefile 1.20
- pkgsrc/games/bomberclone/distinfo 1.10
- pkgsrc/games/bomberclone/patches/patch-ac 1.1
- pkgsrc/games/bomberclone/patches/patch-ad 1.1
Module Name: pkgsrc
Committed By: wiz
Date: Tue Feb 21 22:44:53 UTC 2006
Modified Files:
pkgsrc/games/bomberclone: Makefile distinfo
Added Files:
pkgsrc/games/bomberclone/patches: patch-ac patch-ad
Log Message:
Add patches for fixing
http://www.gentoo.org/security/en/glsa/glsa-200602-09.xml
from Gentoo.
security update for opera
Revisions pulled up:
- pkgsrc/www/opera/Makefile 1.53, 1.54
- pkgsrc/www/opera/distinfo 1.13
Module Name: pkgsrc
Committed By: ghen
Date: Tue Feb 21 10:13:43 UTC 2006
Modified Files:
pkgsrc/www/opera: Makefile distinfo
Log Message:
Update to Opera 8.52.
This release is a recommended security upgrade.
Changes since 8.51:
Display
* Fixed drop-down list problem affecting Bloglines subscription
sorting.
Security
* Replaced expired certificates from TrustCenter.
* Solved status bar issue described in Secunia Advisory 17571.
* Implemented stricter handling of the Online Certificate Status
Protocol (OCSP).
Miscellaneous
* Fixed problem with missing keypresses when switching between
applications.
* Fixed GDI leak issue with favicons causing slowdowns and crashes.
* Fixed Gmail loading problem.
---
Module Name: pkgsrc
Committed By: ghen
Date: Tue Feb 21 10:31:22 UTC 2006
Modified Files:
pkgsrc/www/opera: Makefile
Log Message:
Static and shared builds are in separate download directories now,
so update OPERA_DIR.