security fix for proftpd
- pkgsrc/net/proftpd/Makefile 1.41
- pkgsrc/net/proftpd/distinfo 1.23
- pkgsrc/net/proftpd/patches/patch-ad 1.3
- pkgsrc/net/proftpd/patches/patch-ae 1.3
- pkgsrc/net/proftpd/patches/patch-af 1.1
Module Name: pkgsrc
Committed By: lkundrak
Date: Tue Jun 26 23:25:57 UTC 2007
Modified Files:
pkgsrc/net/proftpd: Makefile distinfo
Added Files:
pkgsrc/net/proftpd/patches: patch-ad patch-ae patch-af
Log Message:
Fix for a CVE-2007-2165 security issue grabbed from upstream #2922.
security fix for sudo
- pkgsrc/security/sudo/Makefile 1.90
- pkgsrc/security/sudo/distinfo 1.35
- pkgsrc/security/sudo/patches/patch-ah 1.5
- pkgsrc/security/sudo/patches/patch-ai 1.1
Module Name: pkgsrc
Committed By: tls
Date: Mon Jun 25 09:53:42 UTC 2007
Modified Files:
pkgsrc/security/sudo: Makefile distinfo
pkgsrc/security/sudo/patches: patch-ah
Log Message:
Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos:
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overridden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
---
Module Name: pkgsrc
Committed By: tls
Date: Mon Jun 25 23:53:28 UTC 2007
Added Files:
pkgsrc/security/sudo/patches: patch-ai
Log Message:
Add file omitted from previous commit.
security fix for bitchx
- pkgsrc/chat/bitchx/Makefile 1.42
- pkgsrc/chat/bitchx/distinfo 1.16
- pkgsrc/chat/bitchx/patches/patch-ar 1.1
Module Name: pkgsrc
Committed By: lkundrak
Date: Mon Jun 25 14:15:21 UTC 2007
Modified Files:
pkgsrc/chat/bitchx: Makefile distinfo
Added Files:
pkgsrc/chat/bitchx/patches: patch-ar
Log Message:
Fix for a security issue, CVE-2007-3360. A malicious server could direct
the client into executing arbitrary code.
security update for openoffice2
Updated via patch from hira, the MAINTAINER.
Module Name: pkgsrc
Committed By: hira
Date: Fri Jun 22 03:52:21 UTC 2007
Modified Files:
pkgsrc/misc/openoffice2: Makefile distinfo
Log Message:
Update to 2.2.1 during freeze because of security fixes (CVE-2007-0245
and CVE-2007-2754).
Changes from 2.2.0:
* freetypettg: fix CVE-2007-2754 for the internal freetype copy
* autotext02: A showstopper fix for OOo2.2.1
* l10n77316fix: contains fix for i77316
* notepaint: Fix for invisible text in Calc notes while editing
* macosxpbuildrepair_OOF680:
This cws fixes broken Mac OS X 10.3 build, and does contain :
- a fix for a build breaker in slideshow ( fixed by thb ) #i74325#
- gcc-3.3 parser fixes #i75990#
- a complete fix in sal for security.c ( with sb help ) #i76159#
- a fix for broken linking ( because of extra symbols, due to bad
filtering ) #i72922#
- a fix for main.applescript ( build broken on Panther ) #i75972#
All issues targeted 2.2.1 ( supposing the changes will be integrated
in SRC680 too)
* ause078_OOF680: quick and small to get back correct dependencies
* os95_OOF680,plthes: add license-fixed polish thesaurus
* olenoserver: A fix for a regression.
* hro15: Unicode command line support fix for Windows only.
* custompropsfix: Small bug fix in Word import for import of document
variables
* dba221b: fix issue 73722, in its incarnation as issue 76434, for 2.2.1.
* swvalgrind: Fix for i76133
* calc221: Calc fixes for OOo2.2.1
* fix75967: fix issue 75967
* c03v8,c07v012,native86,nativebroffice: New Product BrOffice.org
* impress120: Bugfix workspace for OOo 2.2.1
sj->wg: the performance test hasn't been finished yet, but I think
it should be no problem to hand over this issue without the test.
* larsbehr01: Bugfix for i66661: Slideshow bug fixing for 2.2.1
* dba221a: ongoing DBA-related bugfixing towards OOo 2.2.1
* sch17: Fixes for sch
* tbe29: OOo 2.2.1 accessibility bug fixes
* impress119: Bug fixes for OOo 2.2.1.
* printhelpfix: Bugfix for 134037.
* autotext01: A showstopper cws related to autotext bug.
* native79: Preparing OOo 2.2.1 and SO 8 Update 7
* vcl73_OOF680: 2.2.1 issues
* cmcfixes32_OOF680: minor customized build fixes
* jl57_OOF680: Contains a patch for building with an older gcc compiler.
* fsfixes06_OOF680: Fix for a bug in WordPerfect typedetection that caused
us to crash on unsupported documents instead of refusing
them with grace
* jl62,oasisrng02: Fixes of violations of the RelaxNG schema in ODF.
* aw050: OOo 2.2.1 BugFixing
* swqbugfix01: Issues in Writer regarding saving of documents
security update for openoffice2-bin
Revisions pulled up:
- pkgsrc/misc/openoffice2-bin/Makefile 1.29
- pkgsrc/misc/openoffice2-bin/distinfo 1.11
Module Name: pkgsrc
Committed By: tron
Date: Wed Jun 20 18:15:31 UTC 2007
Modified Files:
pkgsrc/misc/openoffice2-bin: Makefile distinfo
Log Message:
Update "openoffice2-bin" package to version 2.2.1.
This is an update release for OpenOffice 2.2.0. It addresses the security
vulnerabilities reported in CVE-2007-0245 and CVE-2007-2754 and fixes
many other bugs. The complete release notes are available under
<http://development.openoffice.org/releases/2.2.1.html>.
security update for apache-tomcat55
Revisions pulled up:
- pkgsrc/www/apache-tomcat55/Makefile 1.11
- pkgsrc/www/apache-tomcat55/PLIST 1.3
- pkgsrc/www/apache-tomcat55/distinfo 1.4
Module Name: pkgsrc
Committed By: obache
Date: Wed Apr 25 06:14:45 UTC 2007
Modified Files:
pkgsrc/www/apache-tomcat55: Makefile PLIST distinfo
Log Message:
Update apache-tomcat55 to 5.5.23.
Tomcat 5.5.23 (fhanik)
Catalina
41608 Make log levels consistent when Servlet.service() throws
an exception. (markt)
41666 Correct handling of boundary conditions for If-Unmodified-Since
and If-Modified-Since headers. Patch provided by Suzuki Yuichiro.
(markt)
41674 Fix error messages when parsing context.xml that incorrectly
referred to web.xml. (markt)
41739 Correct handling of servlets with a load-on-startup value of zero.
These are now the first servlets to be started. (markt)
Coyote
Requests with multiple content-length headers are now rejected. (markt)
Tomcat 5.5.22 (fhanik)
General
Fix regression in build that prevented connectors from building. (markt)
Tomcat 5.5.21 (fhanik)
Catalina
41401: StandardService.getConnectorNames() return array of Connector JMX
objectnames. (pero)
29727: If env-entry values in web.xml are changed then ensure new values
are applied when context is reloaded. (markt)
34956: Ensure request and response objects passed to a RequestDispatcher
meet the requirements of SRV.8.2 and SRV.14.2.5.1. This is
disabled by default. The Java option
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true is required
to enable this test. (markt)
36274: When including static content with the DefaultServlet also treat
content types ending in xml as text. (markt)
36976: Don't use CATALINA_OPTS when stopping Tomcat. This allows options
for starting and stopping to be set on JAVA_OPTS and options for
starting only to be set on CATALINA_OPTS. Without this fix, some
startup options (eg the port for remote JMX) would cause stop to
fail. Based on a fix suggested by Michael Vorburger. (markt)
37070: Update mbean name documentation to include the StandardWrapper.
(markt)
37356: Ensure sessions time out correctly. This has been fixed by
removing the accessCount feature by default. This feature prevents
the session from timing out whilst requests that last longer than
the session time out are being processed. This feature is enabled
by setting the Java option
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true The feature
is now implemented with synchronization which addresses the thread
safety issues associated with the original bug report. (markt)
37439: Update documentation for Engine component to add the requirement
that the name must be unique. (markt)
37458: Add syncs to the WebappClassloader to address rare issues when
multiple threads attempt to load the same class concurrently.
(markt)
37509: Do not remove whitespace from the end of values defined in
logging.properties files. (markt)
38198: Add reference to Context documentation from Host documentation
that explains how Context name is obtained from the Context
filename. (markt)
39088: Prevent infinite loops when an exception is thrown that returns
itself for getRootCause(). Based on a patch by Wouter Zelle.
(markt)
39436: Correct MIME type for SVG. (markt)
39627: JULI no longer ignores a ".level=XXX" directive in
logging.properties. Patch provided by Roger Keays and Richard
Fearn. (markt)
39724: Removing the last valve from a pipeline did not return the pipeline
to the original state. Patch provided by David Gagon. (markt)
40367: Update JK auto configuration documentation to clarify that
workers.properties must also exist. (markt)
40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather
than CLIENT-CERT for certificate authentication as per the spec.
Note that web.xml continues to use CLIENT-CERT to specify the
certificate authentication should be used. (markt)
40526: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND
environment variable to both startup scripts. Patch provided by
Kurt Roy. (markt)
40528: Add missing message localisations as provided by Ben Clifford.
(markt)
40585: Fix parameterised constructor for o.a.juli.FileHandler so
parameters have an effect. (markt)
40625: Stop CGIServlet swallowing the root cause of an exception. Patch
provided by Takayoshi Kimura. (markt)
40723: Correct table creation example in JavaDoc for JDBCAccessLogValve.
(markt)
40802: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by
Daniel Santos. (pero)
40817: Correct problem where CGI scripts in the root of the ROOT context
threw a StringIndexOutOfBoundsException. (markt)
Set the SCRIPT_FILENAME environment variable required by PHP when using
the CGIServlet to execute PHP. (markt)
40823: Update context doc to clarify use of ROOT.xml, multi-level context
paths and to further discourage use of server.xml (markt)
40844: Add additional syncs to JDBCRealm to resolve NPE when two users
try to authenticate using DIGEST authentication at the same time.
(markt)
40860: Log exceptions and other problems during parameter processing.
(markt)
40901: Encode directory listing output. Based on a patch provided by
Chris Halstead. (markt)
40929: Correct JavaDoc for StandardClassLoader. (markt)
41008: Allow POST to be used for indexed queries with CGI Servlet. Patch
provided by Chris Halstead. (markt)
41020: Improve error message when custom error report Valve fails to load.
Also remove requirement that custom error report Valves extend
ValveBase. (markt)
41217: Set secure attribute on SSO cookie when cookie is created during
a secure request. Patch provided by Chris Halstead. (markt)
Ensure Accept-Language headers conform to RFC 2616. Ignore them if they
do not. (markt)
Make provided instances of RequestDisvs)
40160: add reference to the Filter proposed in this Bugzilla item to the
WebdavServlet. While at it, give the WebdavServlet some
long-overdue TLC by cleaning up some of the old datl JDK
1.4-compliant) interfaces. (yoavs)
Add a virtual hosting how-to contributed by Hassan Schroeder. (markt)
Cluster
Add clustered SSO code and backport feature from Tomcat 6.0.x, subn (pero)
Add better recovery at FastAsyncQueueSender. Made the strategy more robust
for temporary connection problems (pero)
security fix for mplayer
- pkgsrc/multimedia/gmplayer/Makefile 1.60
- pkgsrc/multimedia/gmplayer/distinfo 1.47
- pkgsrc/multimedia/mplayer/Makefile 1.42-1.43
- pkgsrc/multimedia/mplayer-share/distinfo 1.40
- pkgsrc/multimedia/mplayer-share/patches/patch-ae 1.7
Module Name: pkgsrc
Committed By: tron
Date: Thu Jun 7 13:19:55 UTC 2007
Modified Files:
pkgsrc/multimedia/gmplayer: Makefile distinfo
pkgsrc/multimedia/mplayer: Makefile
Added Files:
pkgsrc/multimedia/mplayer-share/patches: patch-ae
Log Message:
Add patch from the MPlayer SVN repository to fix an overflow in the
CDDB code reported in CVE-2007-2948. Bump package revision.
---
Module Name: pkgsrc
Committed By: tron
Date: Fri Jun 8 10:07:17 UTC 2007
Modified Files:
pkgsrc/multimedia/mplayer: Makefile
pkgsrc/multimedia/mplayer-share: distinfo
Log Message:
Regenerate the "distinfo" for the "mplayer" package, too. Bump the
package revision again because the patch didn't get applied previously.
Problem pointed out by Geert Hendrickx.
security update for file
Revisions pulled up:
- pkgsrc/sysutils/file/Makefile 1.15
- pkgsrc/sysutils/file/distinfo 1.8
Module Name: pkgsrc
Committed By: adrianp
Date: Thu Jun 14 16:29:42 UTC 2007
Modified Files:
pkgsrc/sysutils/file: Makefile distinfo
Log Message:
Update to 4.21
+2007-05-24 10:00 Christos Zoulas <christos@zoulas.com>
+
+ * Fix another integer overflow (Colin Percival)
+
+2007-03-26 13:58 Christos Zoulas <christos@zoulas.com>
+
+ * make sure that all of struct magic_set is initialized
appropriately
+ (Brett)
+
+2007-03-25 17:44 Christos Zoulas <christos@zoulas.com>
+
+ * reset left bytes in the buffer (Dmitry V. Levin)
+
+ * compilation failed with COMPILE_ONLY and ENABLE_CONDITIONALS
+ (Peter Avalos)
+
+2007-03-15 10:51 Christos Zoulas <christos@zoulas.com>
+
+ * fix fortran and nroff reversed tests (Dmitry V. Levin)
+
+ * fix exclude option (Dmitry V. Levin)
security update for php5
Revisions pulled up:
- pkgsrc/lang/php5/Makefile 1.52, 1.53, 1.54, 1.55
- pkgsrc/lang/php5/Makefile.common 1.26
- pkgsrc/lang/php5/distinfo 1.41, 1.42, 1.43, 1.44
- pkgsrc/lang/php5/patches/patch-am 1.3
- pkgsrc/lang/php5/patches/patch-an 1.3, 1.4
Module Name: pkgsrc
Committed By: adrianp
Date: Wed Jun 6 19:33:13 UTC 2007
Modified Files:
pkgsrc/lang/php5: Makefile Makefile.common distinfo
Log Message:
Update to php-5.2.3
Security Fixes
* Fixed an integer overflow inside chunk_split() (by Gerhard Wagner,
CVE-2007-2872)
* Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche,
CVE-2007-2756)
* Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan
Esser, CVE-2007-1900)
* Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath())
(by bugs dot php dot net at chsc dot dk)
* Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
* Added mysql_set_charset() to allow runtime altering of connection
encoding.
* Upgraded bundled SQLite 3 to version 3.3.17. (Ilia)
* Fixed gd build when used with freetype 1.x (Pierre, Tony)
And a fair few bugs fixed, see: http://www.php.net/ChangeLog-5.php#5.2.3
for all the details.
---
Module Name: pkgsrc
Committed By: adrianp
Date: Thu Jun 7 10:45:18 UTC 2007
Added Files:
pkgsrc/lang/php5/patches: patch-am
Log Message:
Add in the correct patch to fix CVE-2007-2872
Spotted by Takahiro Kambe
---
Module Name: pkgsrc
Committed By: adrianp
Date: Thu Jun 7 10:45:42 UTC 2007
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
Log Message:
Add in the correct patch to fix CVE-2007-2872
Spotted by Takahiro Kambe
---
Module Name: pkgsrc
Committed By: adrianp
Date: Fri Jun 8 12:29:53 UTC 2007
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
Added Files:
pkgsrc/lang/php5/patches: patch-an
Log Message:
Fix the install path for the CGI binary so it ends up where we want it.
Pointed out by schmonz@ and taca@
Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: heinz
Date: Mon Jun 11 17:45:30 UTC 2007
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
pkgsrc/lang/php5/patches: patch-an
Log Message:
Added support for installation to DESTDIR. patch-an had removed correct
support for this before, probably unintentionally.
deal with Xrandr cvs repo move on HEAD
Revisions pulled up:
- pkgsrc/x11/Makefile 1.505
- pkgsrc/x11/libXrandr/buildlink3.mk 1.3
- pkgsrc/x11/liboldXrandr/DESCR 1.1
- pkgsrc/x11/liboldXrandr/Makefile 1.1
- pkgsrc/x11/liboldXrandr/PLIST 1.1
- pkgsrc/x11/liboldXrandr/buildlink3.mk 1.1, 1.2
- pkgsrc/x11/liboldXrandr/builtin.mk 1.1
- pkgsrc/x11/liboldXrandr/distinfo 1.1
- pkgsrc/x11/liboldXrandr/patches/patch-aa 1.1
- pkgsrc/x11/liboldXrandr/patches/patch-ab 1.1
- pkgsrc/x11/Xrandr/* gone (repo copy)
- pkgsrc/x11/Xrandr-mixedcase/* removed (repo copy)
Module Name: pkgsrc
Committed By: schmonz
Date: Wed May 30 01:22:13 UTC 2007
Modified Files:
pkgsrc/x11: Makefile
pkgsrc/x11/libXrandr: buildlink3.mk
Added Files:
pkgsrc/x11/liboldXrandr: DESCR Makefile PLIST buildlink3.mk builtin.mk
distinfo
pkgsrc/x11/liboldXrandr/patches: patch-aa patch-ab
Removed Files:
pkgsrc/x11/Xrandr: DESCR Makefile PLIST buildlink3.mk builtin.mk
distinfo
pkgsrc/x11/Xrandr/patches: patch-aa patch-ab
Log Message:
Move Xrandr to liboldXrandr (name suggested by joerg) so it can be
checked out on a case-insensitive filesystem without interfering
with lowercase xrandr. PKGNAME stays the same.
---
Module Name: pkgsrc
Committed By: seb
Date: Wed May 30 16:00:51 UTC 2007
Modified Files:
pkgsrc/x11/liboldXrandr: buildlink3.mk
Log Message:
Fix path to self in BUILDLINK_PKGSRCDIR.Xrandr after move of this
package from x11/Xrandr to x11/liboldXrandr.
security update for thunderbird
Updated via patch provided by the submitter, packages in HEAD were renamed.
Module Name: pkgsrc
Committed By: ghen
Date: Thu May 31 21:36:52 UTC 2007
Modified Files:
pkgsrc/mail/thunderbird15: Makefile Makefile-thunderbird.common
distinfo
pkgsrc/mail/thunderbird15-gtk1: Makefile
Log Message:
Update thunderbird15 and thunderbird15-gtk1 to 1.5.0.12 (they skipped .11
to stay on par with Firefox?).
Security fixes in this version:
MFSA 2007-15 Security Vulnerability in APOP Authentication
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html
security update for seamonkey
Revisions pulled up:
- pkgsrc/www/seamonkey/Makefile 1.22
- pkgsrc/www/seamonkey/Makefile-seamonkey.common 1.10
- pkgsrc/www/seamonkey/PLIST 1.12
- pkgsrc/www/seamonkey/distinfo 1.21, 1.22
- pkgsrc/www/seamonkey/patches/patch-ab 1.7
- pkgsrc/www/seamonkey/patches/patch-cn 1.3
- pkgsrc/www/seamonkey-gtk1/Makefile 1.15
- pkgsrc/www/seamonkey-gtk1/PLIST 1.7
- pkgsrc/www/seamonkey-bin/Makefile 1.13
- pkgsrc/www/seamonkey-bin/distinfo 1.11
Module Name: pkgsrc
Committed By: rillig
Date: Sun Apr 15 12:17:06 UTC 2007
Modified Files:
pkgsrc/www/seamonkey: distinfo
pkgsrc/www/seamonkey/patches: patch-ab
Log Message:
Fixed the build on Solaris. The same fix is already in patch-ab from
www/firefox.
---
Module Name: pkgsrc
Committed By: ghen
Date: Thu May 31 12:29:39 UTC 2007
Modified Files:
pkgsrc/www/seamonkey: Makefile Makefile-seamonkey.common PLIST
distinfo
pkgsrc/www/seamonkey-bin: Makefile distinfo
pkgsrc/www/seamonkey-gtk1: Makefile PLIST
pkgsrc/www/seamonkey/patches: patch-cn
Log Message:
Update seamonkey, seamonkey-bin and seamonkey-gtk1 to Seamonkey 1.1.2.
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-15 Security Vulnerability in APOP Authentication
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-12 Crashes with evidence of memory corruption
For the complete changelog, see
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.1.2/changelog.html
security updates for firefox
Updated via patch provided by the submitter, packages in HEAD were renamed.
Module Name: pkgsrc
Committed By: ghen
Date: Thu May 31 07:26:46 UTC 2007
Modified Files:
pkgsrc/www/firefox15: DESCR Makefile-firefox.common distinfo
pkgsrc/www/firefox15-bin: DESCR Makefile distinfo
pkgsrc/www/firefox15-gtk1: DESCR
pkgsrc/www/firefox15/patches: patch-cn
Log Message:
Update firefox15, firefox15-bin and firefox15-gtk1 to 1.5.0.12.
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.12.html
Note: Firefox 1.5.0.x will be maintained with security and stability updates
until June 2007. All users are strongly encouraged to upgrade to Firefox 2.
---
Module Name: pkgsrc
Committed By: ghen
Date: Thu May 31 07:25:10 UTC 2007
Modified Files:
pkgsrc/www/firefox: Makefile Makefile-firefox.common PLIST distinfo
pkgsrc/www/firefox-bin: Makefile distinfo
pkgsrc/www/firefox-gtk1: Makefile PLIST
pkgsrc/www/firefox/patches: patch-cn
Log Message:
Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.4.
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/
security fix for apache22
Revisions pulled up:
- pkgsrc/www/apache22/Makefile 1.12
- pkgsrc/www/apache22/distinfo 1.5
- pkgsrc/www/apache22/patches/patch-an 1.1
Module Name: pkgsrc
Committed By: lkundrak
Date: Tue Jun 5 01:43:45 UTC 2007
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-an
Log Message:
Bump apache22 to 2.2.4nb4 due to:
Security fix for CVE-2007-1862 sensitive information disclosure
http://issues.apache.org/bugzilla/show_bug.cgi?id=41551
http://issues.apache.org/bugzilla/attachment.cgi?id=20065
security update for spamassassin
- pkgsrc/mail/spamassassin/Makefile patch
- pkgsrc/mail/spamassassin/distinfo patch
Update to SpamAssassin 3.1.9 to fix a denial of service vulnerability. The
package has been updated to SpamAssassin 3.2.1 on pkgsrc-HEAD but this major
new version will not be pulled up to the stable branch.
Changes in Spamassassin 3.1.9:
- bug 5480: fix for CVE-2007-2873: a local user symlink-attack DoS
vulnerability. It only affects systems where spamd is run as root, is used
with vpopmail or virtual users via the "-v"/"--vpopmail" OR
"--virtual-config-dir" switch, AND with the "-x"/"--no-user-config AND
WITHOUT the "-u"/"--username" switch AND with the "-l"/"--allow-tell"
switch. This is not default on any distro package, and is not a common
configuration. More details of the vulnerability can be read at
<http://spamassassin.apache.org/advisories/cve-2007-2873.txt>.
- bug 5353 - meta rule parsing should handle not equal ("!=") syntax.
- set the score for URI_TRUNCATED to 0.001.
- bug 5337: change the start order for Fedora such that spamd starts before
the MTA.
rc.d script fix for clamsmtp
Revisions pulled up:
- pkgsrc/mail/clamsmtp/Makefile 1.30
- pkgsrc/mail/clamsmtp/files/clamsmtpd.sh 1.6
Module Name: pkgsrc
Committed By: martti
Date: Wed May 30 06:07:08 UTC 2007
Modified Files:
pkgsrc/mail/clamsmtp: Makefile
pkgsrc/mail/clamsmtp/files: clamsmtpd.sh
Log Message:
Updated mail/clamsmtp to 1.8nb1
* Make sure clamd is really running before starting clamsmtpd (pkg/36292)
security update for clamav
Revisions pulled up:
- pkgsrc/mail/clamav/Makefile 1.73
- pkgsrc/mail/clamav/buildlink3.mk 1.13
- pkgsrc/mail/clamav/distinfo 1.44
- pkgsrc/mail/clamav/options.mk 1.2
Module Name: pkgsrc
Committed By: martti
Date: Thu May 31 05:26:46 UTC 2007
Modified Files:
pkgsrc/mail/clamav: Makefile distinfo options.mk
Log Message:
Updated mail/clamav to 0.90.3
Lots of bug fixes since 0.90.2. For details, see ChangeLog.
---
Module Name: pkgsrc
Committed By: martti
Date: Thu May 31 05:28:09 UTC 2007
Modified Files:
pkgsrc/mail/clamav: buildlink3.mk
Log Message:
Regenerated.
security update for binutils
Revisions pulled up:
- pkgsrc/devel/binutils/Makefile 1.33
- pkgsrc/devel/binutils/PLIST.common 1.13
- pkgsrc/devel/binutils/builtin.mk 1.5
- pkgsrc/devel/binutils/distinfo 1.8
- pkgsrc/devel/binutils/patches/patch-aa 1.4
- pkgsrc/devel/binutils/patches/patch-ab 1.2
- pkgsrc/devel/binutils/patches/patch-ac 1.2
- pkgsrc/devel/binutils/patches/patch-ad 1.2
- pkgsrc/devel/binutils/patches/patch-ae 1.2
Module Name: pkgsrc
Committed By: martti
Date: Tue May 29 12:25:04 UTC 2007
Modified Files:
pkgsrc/devel/binutils: Makefile PLIST.common builtin.mk distinfo
pkgsrc/devel/binutils/patches: patch-aa patch-ab patch-ac patch-ad
patch-ae
Log Message:
Updated devel/binutils to 2.17
List of changes unknown. Should fix CVE-2006-2362.
security update for ap-jk
Revisions pulled up:
- pkgsrc/www/ap-jk/Makefile.common 1.5, 1.6
- pkgsrc/www/ap-jk/distinfo 1.8, 1.9
- pkgsrc/www/ap-jk/patches/patch-aa 1.5
Module Name: pkgsrc
Committed By: obache
Date: Wed Apr 25 06:24:02 UTC 2007
Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo
pkgsrc/www/ap-jk/patches: patch-aa
Log Message:
Update ap-jk to 1.2.22.
Changes between 1.2.21 and 1.2.22
Native
Refactor line endings logging to make it correct for all platforms and
webservers. (mturk)
Added command line windows make files. (mturk)
Allow fail_on_status directive to be multi line. (mturk)
42076: Fix name of new option from ForwardCertChain to
ForwardSSLCertChain as documented. (rjung)
Docs: Fix a couple of typos, change format of a few tables, fix links to
news pages. (rjung)
Fix correct URL for TC 6 examples in new IIS rewrite.properties
configuration example file. (rjung)
Add svn properties to several files. (rjung)
Add TC 6 examples to uriworkermap.properties in config examples. (rjung)
Allow multiple status codes for fail_on_status directive. The status
codes can be delimited by space or comma characters. (mturk)
IIS. Added pcre like regular expressions for url rewrite rules. (mturk)
41922: Apache 1.3. Enable JkEnvVar. (mturk)
Apache. Add --enable-flock configure parameter for explicit compilation
of faster flock() system calls for OS supporting those calls. By default
the fcntl system call for locking will be used that is a little bit slower
but it can work on NFS mounted volumes as well. (mturk)
41562: Add Debug logging for read from client in ISAPI Redirector.
Contributed by Tim Whittington. (mturk)
Apache. Add ForwardSSLCertChain JkOption. Contributed by Patrik
Schnellmann. (mturk)
IIS. Do not forbid access to web-inf or meta-inf if there is no mapped
worker. This allows to have resource with those names that are outside
mapped contexts. (mturk)
Apache. Use process id for creating shared memory name and delete shared
memory and shared memory lock files on exit. (mturk)
IIS. Fix Keep-Alive regression introduced in 1.2.21. (mturk)
Delete unused check for empty init_map during startup. (rjung)
41770: Fix startup error if no JkWorkersFile is used. (rjung)
Use JK_TRUE/JK_FALSE instead of OK/!OK as return values in init_jk().
(rjung)
Minor adjustments to apache startup log messages (when to use STDERR,
remove deprecated NOERRNO flag, shm warning and warnings for usage of
default files). (rjung)
Replace APR precompiler directive by httpd mpm_query to detect MPM
threading. Add a debug log message about auto-detected pool size. (rjung)
Make MMN check easier to understand and a little more precise (for new
ap_get_server_banner()/ap_get_server_description()). We use the new API
only for Apache httpd 2.3. This way our binaries are not tightly coupled
to a minor 2.0 version, and we don't use ap_get_server_banner() any way.
(rjung)
Use the full description string ap_get_server_description() instead of
the truncated info from ap_get_server_banner(), because this info gets
used internally (status worker display and ajp14 backend communication)
and is not send back to the normal user. (rjung)
41757: Document the "--enable-prefork" flag of configure. (rjung)
Enhance log messages for failures when parsing attribute maps. (rjung)
Correct log message during worker initialization, in case remote host
could not be resolved. We logged the default host name "localhost" instead
of the configured one. (rjung)
41770: Fix the second part of the bug: local_worker and local_worker_only
is missing from the list of deprecated attributes (and not supported
either), so prevents the web server from startup. (rjung)
Changes between 1.2.20 and 1.2.21
Native
CVE-2007-0774 : A denial of service and critical remote code execution
vulnerability. Caused by buffer overflow in map_uri_to_worker() when URLs
were longer than 4095 bytes. Reported by ZDI (www.zerodayintiative.com).
Please note this issue only affected versions 1.2.19 and 1.2.20 of the
Apache Tomcat JK Web Server Connector and not previous versions. Tomcat
5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source
packages. Other versions of Tomcat were not affected.
Check the worker. parameters and don't start if the parameter is not a
valid one. (jfclere)
41439: Allow session IDs to get stripped off URLs of static content in
Apache by adding JkStripSession directive (configurable per vhost). (mturk)
Change semantics of empty defaults for JkEnvVar variables. Until 1.2.19:
not allowed. In 1.2.20: send variables as empty strings, if neither set to
non empty in config, nor during runtime. Starting with 1.2.21: If config
has no second argument only send variable if set (even when set to empty
string) during runtime. Allows good combination with condition attribute
in tomcat access log. (rjung)
41610: Fix incorrect detection of missing Content-Length header leading
to duplicate headers. Contributed by Boris Maras. (rjung)
Better build support for SunONE (Netscape/iPlanet) webservers. (jim)
Add warning if duplicate map keys are read and are not allowed, e.g. when
parsing uriworkermap.properties. (rjung)
Don't concat worker names, if uriworkermap.properties has a duplicate
pattern, instead overwrite the worker. (rjung)
Log deprecation message even in duplication case. (rjung)
uriworkermap.properties: Fix off-by-one problem when deleting URL mapping
during reloading of uriworkermap.properties. (rjung)
41439: Allow session IDs to get stripped off URLs of static content in
IIS (configurable). (rjung)
41333: Re New attribute user (list) denies access, if the request
user in the sense of remote_user is not in this list. Empty list = no deny
(rjung)
Status Worker: New attribute read_only di (rjung)
36121: Don't change main uri when mod_jk serves included uri. (markt)
Apache VHosts: Merge JkOptions +base - -base + +vhost - -vhost. (rjung)
Apache Docs: Adding requirements, context information, default values and
inheritance rules tpe to status worker, remove the redundant
"context" column in the map listing (context=uri). (rjung)
uriworkermap: On reload of the file, all old entries from the previous
file versiops and exclusion maps internally separate. Don't treat them
as the same when adding a rule. (rjung)
Status Worker: Display mapping rules also for non-lb workers and in
global view. (r the main log. (rjung)
Apache VHosts: Allow individual timestamp formats by refactoring the
formatting method. (rjung)
Apache VHosts: Adding all missing config items to the virtual host level.
Don't overwrite the settings from the global server, but inherit them in
case they are not set in the virtual host. (rjung)
Apache: remove unnecessary function names from log messages. (rjung)
Apache: add a default log file location and a message, if the default
gets used. (rjung)
Apache: add missing JK_IS_DEBUG_LEVEL() (rjung)
Apache VHosts: Allow JkWorkersFile, JKWorkerProperty, JkShmFile and
JkShmFileSize only in global virtual server. (rjung)
Add some more jk_close_socket() and reduce log level for some info
messages. (rjung)
Load Balancer: Added the Sessions strategy. Contributed by Takayuki
Kaneko. (rjung)
Docs: Minor enhancements and syncing with more recent versions. (rjung)
40997: Separate uri mappings from their '!' counterpart when checking for
duplicates in(rjung)
40877: Make sure the shared memory is reset on attach for multiple web
server child processes. (mturk)
IIS: Added shm_size property to be able to deal with over 64 workers
case default thread count to 250, so it's the same as Apache
Httpd default configuration. (mturk)
40966: Fix socket descriptor checks on windows. (mturk)
40965: Initialize missing servi(mturk)
40938: Fix releasing of rewrite map. Thanks to Chris Adams for spotting
that. (mturk)
Apache: Added +FlushHeader JkOptions. (mturk)
Added explicit flush when AJP body packet sensitivity bug in URL mapping. (rjung)
40793: Documentation: Improvements to Apache HowTo provided by Paul
Charles Leddy. (markt)
40774: Fixing wrong recursion termination. This one restricted the
"reference" feature unintentionally to 20 wor 40716: Adding "reference" feature to IIS and Netscape. (rjung)
Documentation: Corrected SetEnvIf syntax in JK_WORKER_NAME example.
(rjung)
Documentation: Added forgotten STATE and A Apache. (rjung)
Apache: Use instdso.sh instead of libtool: libtool does not work on HP-UX
for example. (jfclere)
---
Module Name: pkgsrc
Committed By: obache
Date: Tue May 29 02:22:22 UTC 2007
Modified Files:
pkgsrc/www/ap-jk: Makefile.common distinfo
Log Message:
Update ap-jk to 1.2.23.
It fixes an Important vulnerability.
Changes between 1.2.22 and 1.2.23
Native
Change the default value of JkOptions to ForwardURICompatUnparsed. The
old default value was ForwardURICompat. This should make URL
interpretation between Apache httpd and Tomcat consistent (prevent
double decoding problems). (rjung)
security update for mutt
- pkgsrc/mail/mutt/Makefile 1.149
- pkgsrc/mail/mutt/distinfo 1.34
- pkgsrc/mail/mutt/patches/patch-ab 1.14
Module Name: pkgsrc
Committed By: tron
Date: Sun May 27 13:34:17 UTC 2007
Modified Files:
pkgsrc/mail/mutt: Makefile distinfo
pkgsrc/mail/mutt/patches: patch-ab
Log Message:
Update "mutt" package to version 1.4.2.3. The new version fixes the
security vulnerabilities reported in CVE-2007-1558 and CVE-2007-2683.
security fix for gimp
- pkgsrc/graphics/gimp/Makefile patch
- pkgsrc/graphics/gimp/distinfo 1.33 via patch
- pkgsrc/graphics/gimp/patches/patch-ac 1.14
Module Name: pkgsrc
Committed By: tron
Date: Sat May 26 15:00:23 UTC 2007
Modified Files:
pkgsrc/graphics/gimp: Makefile distinfo
Added Files:
pkgsrc/graphics/gimp/patches: patch-ac
Log Message:
Add patch from GIMP SVN repository to fix the vulnerability reported
in CVE-2007-2356. Bump package revision.
security fix for eggdrop
- pkgsrc/chat/eggdrop/Makefile 1.26
- pkgsrc/chat/eggdrop/distinfo 1.11
- pkgsrc/chat/eggdrop/patches/patch-al 1.1
- pkgsrc/chat/eggdrop/patches/patch-am 1.1
Module Name: pkgsrc
Committed By: lkundrak
Date: Tue May 22 16:47:05 UTC 2007
Modified Files:
pkgsrc/chat/eggdrop: Makefile distinfo
Added Files:
pkgsrc/chat/eggdrop/patches: patch-al patch-am
Log Message:
Fix for the following:
eggdrop<=1.6.18 arbitrary-code-execution http://www.eggheads.org/bugzilla/show_bug.cgi?id=462
security update for quagga-devel
- pkgsrc/net/quagga-devel/Makefile 1.4
- pkgsrc/net/quagga-devel/PLIST 1.3
- pkgsrc/net/quagga-devel/distinfo 1.5
- pkgsrc/net/quagga-devel/patches/patch-aa removed
- pkgsrc/net/quagga-devel/patches/patch-ab removed
Module Name: pkgsrc
Committed By: gdt
Date: Wed May 23 10:44:19 UTC 2007
Modified Files:
pkgsrc/net/quagga-devel: Makefile PLIST distinfo
Removed Files:
pkgsrc/net/quagga-devel/patches: patch-aa patch-ab
Log Message:
Update to 0.99.7.
* bgpd
o Minor performance improvement patch
o bug #352: IPv6/Multicast address-family config not written out
o V. quick route flap gets mistaken for duplicate, route is then ignored
o Bug #354: Take care to keep reads of MP_(UN)REACH_NLRI in bounds
o Peer delete can race with reconfig leading to crash
* zebra
o For solaris IPv6 PtP interfaces, try to support prefixlen != 128
o IRDP should ignore non-IPv4 addresses
o Bug #351: Don't redistribute routes to ipv4 link-local prefixes
o Only suppress adding a connected route to the kernel if it is
o Fix interface metric bug on BSD
o Retain configured IPv4 address upon removal by kernel
o MTU change should propagate to zserv client on BSD/Solaris
* ospfd
o Fix bug: should exit immediately on SIGTERM if OSPF not actually running
o Return SNMP standard neighbor state values, not quagga internal ones
o Fix bug in 'passive-interface default' behavior
o Bug #330: SPF must consider that nexthop-calc may fail
o Fix regression in SPF introduced by bug#330 fixes
o Bug #330 regression: failure to calculate routes through networks
* ospf6d
o Bug 322: ospf6d show ipv6 neighbour showing wrong times
o Fix string comparison bug in ospf6_lsa_handler_name.
* ripd
o Fix "show ip rip status" display of time until next update
o Fix the display of route timeout in "show ip rip".
* ripngd
o Fix the display of some timers.
* general
o Better comment explaining that GNU awk is really required.
o de-support NetBSD 1.6, and note that FreeBSD 4 is on thin ice.
o [PtP over ethernet] New peer flag allows much more addressing flexibility
o [logging] Add new "log timestamp precision" command for subsecond timestamps
# 2006-12-09: Quagga 0.99.6 Released
Quagga 0.99.6 has been released, see the full changelog for the details. A summary of the changes:
* bgpd
o Bug #302, bgpd can get stuck in state Clearing
o Implement 'debug bgp zebra' to log all messages to and from zebra.
o Fix bug where a deleted route that was quickly re-added was being lost
o trivial: non C99 u_int.._t should be uint.._t
o struct peer must have bgp field valid (redistribute crash)
o Coverity CID #64: Needless NULL check, CID #64: Deref of potentially NULL pointer.
o CID#73, potential crash in bgp statistics if called for AFI/SAFI with empty table
o Bug #302 fixes. ClearingCompleted event gets flushed, leaving peers stuck in Clearing.
o Trivial fix of printf format/arg mismatch
o reduce the process queue hold time to something more sensible
o RIB statistics address space size shouldn't double count space
o simplify peer refcounts, squash slow peer leak
o Fix 0.99 shutdown regression, introduce Clearing and Deleted states
o Add RIB reporting commands, show bgp ... statistics
o Handle pcount as flags are changed, fixing pcount issues
o Add 'show ... neighbor .... prefix-counts' command
* ospfd
o Consider all connected addresses when creating ospf interfaces
o Add debug messages for a few zebra messages that had been overlooked
o Fix bug in passive-interface default commands.
o Stop losing subsequent default-information originate 'always' info
o Add passive-interface default support
o Improve some warning messages.
o Fix assertion in DB-exchange fix, hit by ogier-db-ex-opt commit
* isisd: Fix compiler warnings and allow v4-only compilation
* zebra
o Changes of nexthops of static routes didn't take effect
o Compile fix for PF_ROUTE
* ripd
o bug #293: routemap set metric doesn't check for underflow correctly
o bug #278: remove gratuitous use of mid-function declaration
* general
o [daemon startup] Add --dry-run/-C argument to daemons, to check config file syntax
o Handle upgrade from SUNWzebra to Quagga for 'interface fooX:Y' commands
o [snmp] Fix asn_build calls to pass correct variable sizes (fixes 64-bit issues)
o [doc] Add recent NetBSD/FreeBSD versions to list of what ought to work.
* 2006-09-17: Quagga 0.99.5 Released
Quagga 0.99.5 was released on the 28th of August, see the release
announcement (version with HTML links). A small regression in ospfd
was quickly reported and fixed by a user, available in CVS.
Additionally, the final 0.99 BGP regressions mentioned in the 0.99.5
announcement are believed to be fixed in CVS, see this mail to
quagga-dev. Testing of bgpd in CVS snapshots dated 2006-09-14 or later
would be appreciated.
BGP users of 0.99 are strongly encouraged to upgrade to 0.99.5, due to
an important fix for an AS-Path loop-checking regression, or even a
CVS snapshot, to assist in testing. OSPF 0.99-CVS is believed to be
stable at this point.