Age | Commit message | Author | Files | Lines
2014-12-21 | Pullup ticket #4578. [pkgsrc_2014Q3] | tron | 1 | -1/+3
2014-12-21 | Pullup ticket #4578 - requested by taca | tron | 3 | -11/+14
lang/php55: security update

Revisions pulled up:
- lang/php/phpversion.mk 1.80 via patch
- lang/php55/distinfo 1.32
- lang/php55/patches/patch-ext_phar_Makefile.frag 1.2
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Dec 19 16:10:39 UTC 2014

Modified Files:
    pkgsrc/lang/php: phpversion.mk
    pkgsrc/lang/php55: distinfo
    pkgsrc/lang/php55/patches: patch-ext_phar_Makefile.frag

Log Message:
Update php55 to 5.5.20, including security fix.

17 Dec 2014, PHP 5.5.20

- Core:
  . Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks). (Adam)
  . Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered). (Julien)
  . Fixed bug #68370 ("unset($this)" can make the program crash). (Laruence)
  . Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)
  . Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)

- Date:
  . Fixed day_of_week function as it could sometimes return negative values internally. (Derick)

- FPM:
  . Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)
  . Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)
  . Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). (Remi)
  . Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)
  . Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)
  . Fixed bug #68452 (php-fpm man page is outdated). (Remi)
  . Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)
  . Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)
  . Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)
  . Fixed bug #68478 (access.log don't use prefix). (Remi)

- Mcrypt:
  . Fixed possible read after end of buffer and use after free. (Dmitry)

- PDO_pgsql:
  . Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)
  . Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction) (Matteo)
  . Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving) (Matteo)

- zlib:
  . Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64) (Sascha Kettler, Matteo)
2014-12-21 | Pullup tickets #4575 and #4577. | tron | 1 | -1/+5
2014-12-21 | Pullup ticket #4577 - requested by taca | tron | 2 | -6/+6
lang/php54: security update

Revisions pulled up:
- lang/php/phpversion.mk 1.79
- lang/php54/distinfo 1.50
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Dec 19 16:08:35 UTC 2014

Modified Files:
    pkgsrc/lang/php: phpversion.mk
    pkgsrc/lang/php54: distinfo

Log Message:
Update php54 to 5.4.36, including security fix.

18 Dec 2014 PHP 5.4.36

- Core:
  . Upgraded crypt_blowfish to version 1.3. (Leigh)
  . Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)
  . Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)

13 Nov 2014 PHP 5.4.35

- Core:
  . Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy). (Dmitry)

- Fileinfo:
  . Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710) (Remi)

- GMP:
  . Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP). (Remi)

- PDO_pgsql:
  . Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)
2014-12-21 | Pullup ticket #4575 - requested by taca | tron | 2 | -9/+9
www/typo3_45: security update

Revisions pulled up:
- www/typo3_45/Makefile 1.33
- www/typo3_45/distinfo 1.28
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Dec 14 11:58:29 UTC 2014

Modified Files:
    pkgsrc/www/typo3_45: Makefile distinfo

Log Message:
Update typo345 package to 4.5.39.

2014-12-10 d72f00c [RELEASE] Release of TYPO3 4.5.39 (TYPO3 Release Team)
2014-12-10 63ae7dd #62723 [!!!][SECURITY] Fix link spoofing in prefixLocalAnchors (Helmut Hummel)
2014-12-08 5c267d2 #62967 [BUGFIX] Exclude CDATA from t3lib_parsehtml->XHTML_clean (Nicole Cordes)
2014-11-27 7d66912 [RELEASE] Release of TYPO3 4.5.38 (TYPO3 Release Team)
2014-11-19 61d8b25 #58053 [BUGFIX] Handle opacity for IE in prototype.js (Jigal van Hemert)
2014-11-15 42de3e0 #62984 [BUGFIX] PHP warning on saving TypoScript with t3editor (Oliver Hader)
2014-11-13 152b14b #62032 [BUGFIX] Fix PHP warning with date function in FormEngine (Oliver Hader)
2014-11-03 79ba882 #62391 [BUGFIX] Ensure PHP 5.2 compatibility in php-openid (Michael Stucki)
2014-10-31 f56c52f #62513 [BUGFIX] Too many tags by identifier in CacheBackends (Michael Stucki)
2014-10-23 528429b #57006 [BUGFIX] softrefproc typolink lacks support for separation by line feed (Marc Bastian Heinrichs)
2014-10-22 a62c19e #62391 [BUGFIX] Ensure PHP 5.2 compatibility in makeInstance (Helmut Hummel)
2014-12-21 | Pullup ticket #4576 - requested by taca | tron | 3 | -32/+48
mail/roundcube: security update

Revisions pulled up:
- mail/roundcube/Makefile 1.64-1.65
- mail/roundcube/PLIST 1.33
- mail/roundcube/distinfo 1.37-1.38
---
Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Oct 7 10:22:49 UTC 2014

Modified Files:
    pkgsrc/mail/roundcube: Makefile distinfo

Log Message:
Changes 1.0.3:
- Fix insert-signature command in external compose window if opened from inline compose screen
- Initialize HTML editor before restoring a message from localStorage
- Add 'sig_max_lines' config option to default config file
- Add option to specify IMAP connection socket parameters - imap_conn_options
- Add option to set default message list mode - default_list_mode
- Enable contextmenu plugin for TinyMCE editor
- Fix some mime-type to extension mapping checks in Installer
- Fix errors when using localStorage in Safari's private browsing mode
- Fix bug where $Forwarded flag was being set even if server didn't support it
- Fix various iCloud vCard issues, added fallback for external photos
- Fix invalid Content-Type header when send_format_flowed=false
- Fix errors when adding/updating contacts in active search
- Fix incorrect thumbnail rotation with GD and exif orientation data
- Fix contacts list update after adding/deleting/moving a contact
- Fix handling of email addresses with quoted domain part
- Fix comm_path update on task switch
- Fix error in MSSQL update script 2013061000.sql
- Fix validation of email addresses with IDNA domains
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Dec 19 03:32:00 UTC 2014

Modified Files:
    pkgsrc/mail/roundcube: Makefile PLIST distinfo

Log Message:
Update roundcube to 1.0.4, which contains fix for possible CSRF attack.

RELEASE 1.0.4
-------------
- Disable TinyMCE contextmenu plugin as there are more cons than pros in using it (#1490118)
- Fix bug where show_real_foldernames setting wasn't honored on compose page (#1490153)
- Fix issue where Archive folder wasn't protected in Folder Manager (#1490154)
- Fix compatibility with PHP 5.2. in rcube_imap_generic (#1490115)
- Fix setting flags on servers with no PERMANENTFLAGS response (#1490087)
- Fix regression in SHAA password generation in ldap driver of password plugin (#1490094)
- Fix displaying of HTML messages with absolutely positioned elements in Larry skin (#1490103)
- Fix font style display issue in HTML messages with styled <span> elements (#1490101)
- Fix download of attachments that are part of TNEF message (#1490091)
- Fix handling of uuencoded messages if messages_cache is enabled (#1490108)
- Fix handling of base64-encoded attachments with extra spaces (#1490111)
- Fix handling of UNKNOWN-CTE response, try to decode content client-side (#1490046)
- Fix bug where creating subfolders in shared folders wasn't possible without ACL extension (#1490113)
- Fix reply scrolling issue with text mode and start message below the quote (#1490114)
- Fix possible issues in skin/skin_path config handling (#1490125)
- Fix lack of delimiter for recipient addresses in smtp_log (#1490150)
- Fix generation of Blowfish-based password hashes (#1490184)
- Fix bugs where CSRF attacks were still possible on some requests
2014-12-21 | Pullup ticket #4576. | tron | 1 | -1/+3
2014-12-16 | Pullup ticket #4573. | tron | 1 | -1/+3
2014-12-16 | Pullup ticket #4573 - requested by roy | tron | 3 | -4/+65
net/powerdns-recursor: security patch

Revisions pulled up:
- net/powerdns-recursor/Makefile 1.16
- net/powerdns-recursor/distinfo 1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601 1.1
---
Module Name:    pkgsrc
Committed By:   roy
Date:           Thu Dec 11 20:18:17 UTC 2014

Modified Files:
    pkgsrc/net/powerdns-recursor: Makefile distinfo
Added Files:
    pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601

Log Message:
Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.
2014-12-14 | Pullup tickets #4571 and #4573. | tron | 1 | -1/+5
2014-12-14 | Pullup ticket #4572 - requested by jnemeth | tron | 2 | -9/+9
comms/asterisk: security update

Revisions pulled up:
- comms/asterisk/Makefile 1.116
- comms/asterisk/distinfo 1.70
---
Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Fri Dec 12 22:12:56 UTC 2014

Modified Files:
    pkgsrc/comms/asterisk: Makefile distinfo

Log Message:
Update to Asterisk 11.14.2: this is a security fix release.

The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the Change Logs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2

The security advisory is available at:

* http://downloads.asterisk.org/pub/security/AST-2014-019.pdf

Thank you for your continued support of Asterisk!
2014-12-14 | Pullup ticket #4571 - requested by snj | tron | 3 | -9/+10
security/libksba: security patch

Revisions pulled up:
- security/libksba/Makefile 1.30
- security/libksba/distinfo 1.17
- security/libksba/patches/patch-aa 1.2
---
Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Nov 25 14:35:37 UTC 2014

Modified Files:
    pkgsrc/security/libksba: Makefile distinfo
    pkgsrc/security/libksba/patches: patch-aa

Log Message:
Update to 1.3.2. Add comment to patch.

Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
------------------------------------------------

 * Fixed a buffer overflow in ksba_oid_to_str.

Noteworthy changes in version 1.3.1 (2014-09-18)
------------------------------------------------

 * Fixed memory leak in CRL parsing.

 * Build fixes for Windows, Android, and ppc64el.
2014-12-14 | ticket 4567 | spz | 1 | -1/+3
2014-12-14 | Pullup ticket #4567 - requested by tron | spz | 2 | -6/+6
databases/phpmyadmin: security update

Revisions pulled up:
- databases/phpmyadmin/Makefile 1.139-1.140
- databases/phpmyadmin/distinfo 1.96-1.97
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Sun Dec 7 12:37:54 UTC 2014

Modified Files:
    pkgsrc/databases/phpmyadmin: Makefile distinfo

Log Message:
Update "phpmyadmin" package to version 4.2.13.1. Changes since version 4.2.12:

- bug #4604 Query history not being deleted
- bug #4057 db/table query string parameters no longer work
- bug #4605 Unseen messages in tracking
- bug #4606 Tracking report export as SQL dump does not work
- bug #4607 Syntax error during db_copy operation
- bug #4608 SELECT permission issues with relations and restricted access
- bug #4612 [security] XSS vulnerability in redirection mechanism
- bug #4611 [security] DOS attack with long passwords

To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.139 pkgsrc/databases/phpmyadmin/Makefile
cvs rdiff -u -r1.95 -r1.96 pkgsrc/databases/phpmyadmin/distinfo
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Sun Dec 7 14:27:29 UTC 2014

Modified Files:
    pkgsrc/databases/phpmyadmin: Makefile distinfo

Log Message:
Use significantly smaller ".tar.xz" distribution file now that downloads from the master site are working again.

To generate a diff of this commit:
cvs rdiff -u -r1.139 -r1.140 pkgsrc/databases/phpmyadmin/Makefile
cvs rdiff -u -r1.96 -r1.97 pkgsrc/databases/phpmyadmin/distinfo
2014-12-10 | Pullup ticket #4568. | tron | 1 | -1/+3
2014-12-10 | Pullup ticket #4568 - requested by pettai | tron | 2 | -2/+9
net/unbound: security patch

Revisions pulled up:
- net/unbound/Makefile 1.32
- net/unbound/distinfo 1.24
---
Module Name:    pkgsrc
Committed By:   pettai
Date:           Tue Dec 9 10:11:27 UTC 2014

Modified Files:
    pkgsrc/net/unbound: Makefile distinfo

Log Message:
Add fix for CVE-2014-8602
2014-12-10 | Pullup ticket #4570. | tron | 1 | -1/+3
2014-12-10 | Pullup ticket #4570 - requested by taca | tron | 13 | -132/+47
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.2-1.3
- net/bind910/PLIST 1.2-1.3
- net/bind910/distinfo 1.2-1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in 1.2
- net/bind910/patches/patch-configure 1.2
- net/bind910/patches/patch-lib_bind9_Makefile.in deleted
- net/bind910/patches/patch-lib_dns_Makefile.in deleted
- net/bind910/patches/patch-lib_dns_rbt.c 1.2
- net/bind910/patches/patch-lib_isc_Makefile.in deleted
- net/bind910/patches/patch-lib_isccc_Makefile.in deleted
- net/bind910/patches/patch-lib_isccfg_Makefile.in deleted
- net/bind910/patches/patch-lib_lwres_Makefile.in deleted
- net/bind910/patches/patch-lib_lwres_getaddrinfo.c 1.2
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Tue Oct 14 16:23:19 UTC 2014

Modified Files:
    pkgsrc/net/bind910: Makefile PLIST distinfo
    pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c
Removed Files:
    pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in patch-lib_lwres_Makefile.in

Log Message:
Update bind910 to 9.10.1.

Security Fixes

  A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]

  A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

  Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]

  Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

  Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

  Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

  Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

Feature Changes

  "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]

  Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

  rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

  Improves the accuracy of dig's reported round trip times. [RT #36611]

  When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

  Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

  DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

  The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

  Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

  An assertion failure could occur if a route event arrived while shutting down. [RT #36887]

  When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

  The AD flag was being set inappropriately on RPZ responses. [RT #36833]

  Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

  On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]

  RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

  Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

  Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885]

  A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

  Addresses some problems with unrecoverable lookup failures. [RT #36330]

  Addresses a race condition issue in dispatch. [RT #36731]

  acl elements could be miscounted, causing a crash while loading a config [RT #36675]

  Corrects a deadlock between view.c and adb.c. [RT #36341]

  liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

  Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

  Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

  Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]

  Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]

  Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]

  Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

  Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]

  Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Mon Dec 8 21:59:09 UTC 2014

Modified Files:
    pkgsrc/net/bind910: Makefile PLIST distinfo

Log Message:
Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

    --- 9.10.1-P1 released ---

4006.   [security]      A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]

4003.   [security]      When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720]

4002.   [security]      Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679]

4001.   [security]      The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672]
2014-12-10 | Pullup ticket #4569. | tron | 1 | -1/+3
2014-12-10 | Pullup ticket #4569 - requested by taca | tron | 13 | -130/+72
net/bind99: security update

Revisions pulled up:
- net/bind99/Makefile 1.39-1.40
- net/bind99/PLIST 1.8-1.9
- net/bind99/distinfo 1.25-1.26
- net/bind99/patches/patch-bin_tests_system_Makefile.in 1.5
- net/bind99/patches/patch-configure 1.9
- net/bind99/patches/patch-lib_bind9_Makefile.in deleted
- net/bind99/patches/patch-lib_dns_Makefile.in deleted
- net/bind99/patches/patch-lib_isc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccfg_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_getaddrinfo.c 1.2
- net/bind99/patches/patch-lib_lwres_getnameinfo.c 1.2
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Tue Oct 14 16:21:02 UTC 2014

Modified Files:
    pkgsrc/net/bind99: Makefile PLIST distinfo
    pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in patch-configure patch-lib_lwres_getaddrinfo.c patch-lib_lwres_getnameinfo.c
Removed Files:
    pkgsrc/net/bind99/patches: patch-lib_bind9_Makefile.in patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in patch-lib_lwres_Makefile.in

Log Message:
Update bind99 to 9.9.6.

New Features

  Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]

  Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

  Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

  Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

  On Windows, enable the Python tools "dnssec-coverage" and "dnssec-checkds". [RT #34355]

  Added a "no-case-compress" ACL, which causes named to use case-insensitive compression (disabling change #3645) for specified clients. (This is useful when dealing with broken client implementations that use case-sensitive name comparisons, rejecting responses that fail to match the capitalization of the query that was sent.) [RT #35300]

Feature Changes

  Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

  rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

  Improves the accuracy of dig's reported round trip times. [RT #36611]

  The Windows installer now places files in the Program Files area rather than system services. [RT #35361]

  When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

  "named" will now log explicitly when using rndc.key to configure command channel. [RT #35316]

  The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417]

  Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

  DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

  The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

  Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

  When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

  The AD flag was being set inappropriately on RPZ responses. [RT #36833]

  Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

  RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

  Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

  A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

  Addresses a race condition issue in dispatch. [RT #36731]

  acl elements could be miscounted, causing a crash while loading a config [RT #36675]

  Corrects a deadlock between view.c and adb.c. [RT #36341]

  liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

  Buffers in isc_print_vsnprintf were not properly initialized leading to potential overflows when printing out quad values. [RT #36505]

  Don't call qsort() with a null pointer, and disable the GCC 4.9 "delete null pointer check" optimizer option. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

  Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

  Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]

  Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

  Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Mon Dec 8 21:58:18 UTC 2014

Modified Files:
    pkgsrc/net/bind99: Makefile PLIST distinfo

Log Message:
Update bind99 to 9.9.6p1 (BIND 9.9.6-P1).

    --- 9.9.6-P1 released ---

4006.   [security]      A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]
2014-12-06 | Pullup ticket #4566. | tron | 1 | -1/+4
2014-12-06 | Pullup ticket #4566 - requested by jnemeth | tron | 7 | -63/+40
comms/asterisk: security update
comms/asterisk18: security update

Revisions pulled up:
- comms/asterisk/Makefile 1.113-1.115
- comms/asterisk/PLIST 1.9
- comms/asterisk/distinfo 1.67-1.69
- comms/asterisk/patches/patch-contrib_scripts_autosupport deleted
- comms/asterisk18/Makefile 1.88-1.90
- comms/asterisk18/PLIST 1.25
- comms/asterisk18/distinfo 1.56-1.58
---
Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Tue Oct 14 03:35:05 UTC 2014

Modified Files:
    pkgsrc/comms/asterisk18: Makefile PLIST distinfo

Log Message:
Update Asterisk to 1.8.31.0. This is mostly a bugfix release:

The Asterisk Development Team has announced the release of Asterisk 1.8.31.0.

The release of Asterisk 1.8.31.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24032 - Gentoo compilation emits warning: "_FORTIFY_SOURCE" redefined (Reported by Kilburn)
 * ASTERISK-24225 - Dial option z is broken (Reported by dimitripietro)
 * ASTERISK-24178 - [patch]fromdomainport used even if not set (Reported by Elazar Broad)
 * ASTERISK-24019 - When a Music On Hold stream starts it restarts at beginning of file. (Reported by Jason Richards)
 * ASTERISK-24211 - testsuite: Fix the dial_LS_options test (Reported by Matt Jordan)
 * ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash Mohod)

Improvements made in this release:
-----------------------------------
 * ASTERISK-24171 - [patch] Provide a manpage for the aelparse utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0

Thank you for your continued support of Asterisk!
---
Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Tue Oct 14 03:36:40 UTC 2014

Modified Files:
    pkgsrc/comms/asterisk: Makefile PLIST distinfo

Log Message:
Update Asterisk to 11.13.0. This is mostly a bugfix release:

The Asterisk Development Team has announced the release of Asterisk 11.13.0.

The release of Asterisk 11.13.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24032 - Gentoo compilation emits warning: "_FORTIFY_SOURCE" redefined (Reported by Kilburn)
 * ASTERISK-24225 - Dial option z is broken (Reported by dimitripietro)
 * ASTERISK-24178 - [patch]fromdomainport used even if not set (Reported by Elazar Broad)
 * ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload warnings and ref leaks (Reported by Walter Doekes)
 * ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
 * ASTERISK-24019 - When a Music On Hold stream starts it restarts at beginning of file. (Reported by Jason Richards)
 * ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying if ever not able to resolve (Reported by David Herselman)
 * ASTERISK-24211 - testsuite: Fix the dial_LS_options test (Reported by Matt Jordan)
 * ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash Mohod)
 * ASTERISK-23577 - res_rtp_asterisk: Crash in ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by Jay Jideliov)
 * ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10) concurrent WebRTC (avpg/encryption/icesupport) calls (Reported by Roman Skvirsky)
 * ASTERISK-24301 - Security: Out of call MESSAGE requests processed via Message channel driver can crash Asterisk (Reported by Matt Jordan)

Improvements made in this release:
-----------------------------------
 * ASTERISK-24171 - [patch] Provide a manpage for the aelparse utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0

Thank you for your continued support of Asterisk!
---
Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Wed Nov 19 08:30:57 UTC 2014

Modified Files:
    pkgsrc/comms/asterisk18: Makefile distinfo

Log Message:
Update to Asterisk 1.8.32.0: this is mostly a bug fix release.

The Asterisk Development Team has announced the release of Asterisk 1.8.32.0.

The release of Asterisk 1.8.32.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24348 - Built-in editline tab complete segfault with MALLOC_DEBUG (Reported by Walter Doekes)
 * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to INVITE retransmissions of rejected calls (Reported by Torrey Searle)
 * ASTERISK-23768 - [patch] Asterisk man page contains a (new) unquoted minus sign (Reported by Jeremy Lainé)
 * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits (Reported by Jeremy Lainé)
 * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with realtime peers (Reported by ibercom)
 * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
 * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too high on linux systems with lots of RAM (Reported by Michael Myles)
 * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE results in a SIP channel leak (Reported by NITESH BANSAL)
 * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP Re-INVITE results in a SIP channel leak (Reported by Torrey Searle)
 * ASTERISK-24406 - Some caller ID strings are parsed differently since 11.13.0 (Reported by Etienne Lessard)
 * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30 (Reported by Tzafrir Cohen)
 * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by Tzafrir Cohen)
 * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE (Reported by Paolo Compagnini)
 * ASTERISK-18923 - res_fax_spandsp usage counter is wrong (Reported by Grigoriy Puzankin)
 * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout (Reported by Dmitry Melekhov)
 * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy when sending qualify requests (Reported by Damian Ivereigh)
 * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566) (Reported by abelbeck)
 * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling against libsrtp-1.5.0 (Reported by Patrick Laimbock)
 * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers (Reported by Olle Johansson)
 * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by Nick Adams)
 * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled (Reported by Corey Farrell)
 * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream leaks (Reported by Corey Farrell)
 * ASTERISK-24307 - Unintentional memory retention in stringfields (Reported by Etienne Lessard)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0

Thank you for your continued support of Asterisk!
---
Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Wed Nov 19 08:32:48 UTC 2014

Modified Files:
    pkgsrc/comms/asterisk: Makefile distinfo
Removed Files:
    pkgsrc/comms/asterisk/patches: patch-contrib_scripts_autosupport

Log Message:
Update to Asterisk 11.14.0: this is mostly a bugfix release.

The Asterisk Development Team has announced the release of Asterisk 11.14.0.

The release of Asterisk 11.14.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!
The following are the issues resolved in this release: Bugs fixed in this release: ----------------------------------- * ASTERISK-24348 - Built-in editline tab complete segfault with MALLOC_DEBUG (Reported by Walter Doekes) * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to INVITE retransmissions of rejected calls (Reported by Torrey Searle) * ASTERISK-23768 - [patch] Asterisk man page contains a (new) unquoted minus sign (Reported by Jeremy Lainé) * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits (Reported by Jeremy Lainé) * ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir Cohen) * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with realtime peers (Reported by ibercom) * ASTERISK-24384 - chan_motif: format capabilities leak on module load error (Reported by Corey Farrell) * ASTERISK-24385 - chan_sip: process_sdp leaks on an error path (Reported by Corey Farrell) * ASTERISK-24378 - Release AMI connections on shutdown (Reported by Corey Farrell) * ASTERISK-24354 - AMI sendMessage closes AMI connection on error (Reported by Peter Katzmann) * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell) * ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are incorrectly attempted (Reported by Joshua Colp) * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too high on linux systems with lots of RAM (Reported by Michael Myles) * ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates received for component (Reported by Kevin Harwell) * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE results in a SIP channel leak (Reported by NITESH BANSAL) * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP Re-INVITE results in a SIP channel leak (Reported by Torrey Searle) * ASTERISK-24406 - Some caller ID strings are parsed differently since 11.13.0 (Reported by Etienne Lessard) * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 
0.30 (Reported by Tzafrir Cohen) * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by Tzafrir Cohen) * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE (Reported by Paolo Compagnini) * ASTERISK-18923 - res_fax_spandsp usage counter is wrong (Reported by Grigoriy Puzankin) * ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by Corey Farrell) * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout (Reported by Dmitry Melekhov) * ASTERISK-23846 - Unistim multilines. Loss of voice after second call drops (on a second line). (Reported by Rustam Khankishyiev) * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy when sending qualify requests (Reported by Damian Ivereigh) * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566) (Reported by abelbeck) * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling against libsrtp-1.5.0 (Reported by Patrick Laimbock) * ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing leak (Reported by Corey Farrell) * ASTERISK-24430 - missing letter "p" in word response in OriginateResponse event documentation (Reported by Dafi Ni) * ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by Corey Farrell) * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers (Reported by Olle Johansson) * ASTERISK-24304 - asterisk crashing randomly because of unistim channel (Reported by dhanapathy sathya) * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by Nick Adams) * ASTERISK-24466 - app_queue: fix a couple leaks to struct call_queue (Reported by Corey Farrell) * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled (Reported by Corey Farrell) * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream leaks (Reported by Corey Farrell) * ASTERISK-24307 - Unintentional memory retention in stringfields (Reported by Etienne Lessard) For a full list of changes in this release, please see the 
ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0 Thank you for your continued support of Asterisk! --- Module Name: pkgsrc Committed By: jnemeth Date: Wed Dec 3 01:00:23 UTC 2014 Modified Files: pkgsrc/comms/asterisk18: Makefile distinfo Log Message: Update to Asterisk 1.8.32.1: this is a security fix release. The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1, 11.14.1, 12.7.1, and 13.0.1. The release of these versions resolves the following security vulnerabilities: * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP address families Many modules in Asterisk that service incoming IP traffic have ACL options ("permit" and "deny") that can be used to whitelist or blacklist address ranges. A bug has been discovered where the address family of incoming packets is only compared to the IP address family of the first entry in the list of access control rules. If the source IP address for an incoming packet is not of the same address as the first ACL entry, that packet bypasses all ACL rules. * AST-2014-018: Permission Escalation through DB dialplan function The DB dialplan function when executed from an external protocol, such as AMI, could result in a privilege escalation. Users with a lower class authorization in AMI can access the internal Asterisk database without the required SYSTEM class authorization. For more information about the details of these vulnerabilities, please read security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015, AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same time as this announcement. 
For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf Thank you for your continued support of Asterisk! --- Module Name: pkgsrc Committed By: jnemeth Date: Wed Dec 3 01:57:37 UTC 2014 Modified Files: pkgsrc/comms/asterisk: Makefile distinfo Log Message: Update to Asterisk 11.14.1: this is a security fix release. The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1, 11.14.1, 12.7.1, and 13.0.1. The release of these versions resolves the following security vulnerabilities: * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP address families Many modules in Asterisk that service incoming IP traffic have ACL options ("permit" and "deny") that can be used to whitelist or blacklist address ranges. A bug has been discovered where the address family of incoming packets is only compared to the IP address family of the first entry in the list of access control rules. If the source IP address for an incoming packet is not of the same address as the first ACL entry, that packet bypasses all ACL rules. * AST-2014-018: Permission Escalation through DB dialplan function The DB dialplan function when executed from an external protocol, such as AMI, could result in a privilege escalation. Users with a lower class authorization in AMI can access the internal Asterisk database without the required SYSTEM class authorization. 
In addition, the release of 11.6-cert8 and 11.14.1 resolves the following security vulnerability: * AST-2014-014: High call load with ConfBridge can result in resource exhaustion The ConfBridge application uses an internal bridging API to implement conference bridges. This internal API uses a state model for channels within the conference bridge and transitions between states as different things occur. Unload load it is possible for some state transitions to be delayed causing the channel to transition from being hung up to waiting for media. As the channel has been hung up remotely no further media will arrive and the channel will stay within ConfBridge indefinitely. In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves the following security vulnerability: * AST-2014-017: Permission Escalation via ConfBridge dialplan function and AMI ConfbridgeStartRecord Action The CONFBRIDGE dialplan function when executed from an external protocol (such as AMI) can result in a privilege escalation as certain options within that function can affect the underlying system. Additionally, the AMI ConfbridgeStartRecord action has options that would allow modification of the underlying system, and does not require SYSTEM class authorization in AMI. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf Thank you for your continued support of Asterisk!
2014-12-04  Pullup ticket #4565.  tron  1  -1/+3
2014-12-04  Pullup ticket #4565 - requested by he  tron  5  -16/+37
devel/pcre: security update

Revisions pulled up:
- devel/pcre/Makefile 1.73,1.75
- devel/pcre/distinfo 1.54-1.55
- devel/pcre/patches/patch-CVE-2014-8964 1.1
- devel/pcre/patches/patch-aa 1.16
- devel/pcre/patches/patch-ab 1.9

---
Module Name:	pkgsrc
Committed By:	wiz
Date:		Wed Oct 1 11:45:00 UTC 2014

Modified Files:
	pkgsrc/devel/pcre: Makefile distinfo

Log Message:
Update to 8.36:

Version 8.36 26-September-2014
------------------------------

1.  Got rid of some compiler warnings in the C++ modules that were shown up by
    -Wmissing-field-initializers and -Wunused-parameter.

2.  The tests for quantifiers being too big (greater than 65535) were being
    applied after reading the number, and stupidly assuming that integer
    overflow would give a negative number. The tests are now applied as the
    numbers are read.

3.  Tidy code in pcre_exec.c where two branches that used to be different are
    now the same.

4.  The JIT compiler did not generate match limit checks for certain bracketed
    expressions with quantifiers. This may lead to exponential backtracking,
    instead of returning with PCRE_ERROR_MATCHLIMIT. This issue should be
    resolved now.

5.  Fixed an issue, which occurs when nested alternatives are optimized with
    table jumps.

6.  Inserted two casts and changed some ints to size_t in the light of some
    reported 64-bit compiler warnings (Bugzilla 1477).

7.  Fixed a bug concerned with zero-minimum possessive groups that could match
    an empty string, which sometimes were behaving incorrectly in the
    interpreter (though correctly in the JIT matcher). This pcretest input is
    an example:

      '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
      NON QUOTED "QUOT""ED" AFTER "NOT MATCHED

    the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
    JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
    for an empty string was breaking the inner loop and carrying on at a lower
    level, when possessive repeated groups should always return to a higher
    level as they have no backtrack points in them. The empty string test now
    occurs at the outer level.

8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
    ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".

9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
    doesn't).

10. Change 8.34/15 introduced a bug that caused the amount of memory needed to
    hold a pattern to be incorrectly computed (too small) when there were named
    back references to duplicated names. This could cause "internal error:
    code overflow" or "double free or corruption" or other memory handling
    errors.

11. When named subpatterns had the same prefixes, back references could be
    confused. For example, in this pattern:

      /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/

    the reference to 'Name' was incorrectly treated as a reference to a
    duplicate name.

12. A pattern such as /^s?c/mi8 where the optional character has more than
    one "other case" was incorrectly compiled such that it would only try to
    match starting at "c".

13. When a pattern starting with \s was studied, VT was not included in the
    list of possible starting characters; this should have been part of the
    8.34/18 patch.

14. If a character class started [\Qx]... where x is any character, the class
    was incorrectly terminated at the ].

15. If a pattern that started with a caseless match for a character with more
    than one "other case" was studied, PCRE did not set up the starting code
    unit bit map for the list of possible characters. Now it does. This is an
    optimization improvement, not a bug fix.

16. The Unicode data tables have been updated to Unicode 7.0.0.

17. Fixed a number of memory leaks in pcregrep.

18. Avoid a compiler warning (from some compilers) for a function call with
    a cast that removes "const" from an lvalue by using an intermediate
    variable (to which the compiler does not object).

19. Incorrect code was compiled if a group that contained an internal recursive
    back reference was optional (had quantifier with a minimum of zero). This
    example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
    caused segmentation faults because of stack overflows at compile time.

20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
    group that is quantified with an indefinite repeat, caused a compile-time
    loop which used up all the system stack and provoked a segmentation fault.
    This was not the same bug as 19 above.

21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
    Patch by Mike Frysinger.

---
Module Name:	pkgsrc
Committed By:	spz
Date:		Sun Nov 30 14:48:43 UTC 2014

Modified Files:
	pkgsrc/devel/pcre: Makefile distinfo
	pkgsrc/devel/pcre/patches: patch-aa patch-ab
Added Files:
	pkgsrc/devel/pcre/patches: patch-CVE-2014-8964

Log Message:
patch for CVE-2014-8964 from upstream

also, patch refresh
2014-12-03  Pullup ticket #4564.  tron  1  -1/+3
2014-12-03  Pullup ticket #4564 - requested by wiz  tron  3  -3/+22
textproc/antiword: security patch

Revisions pulled up:
- textproc/antiword/Makefile 1.25
- textproc/antiword/distinfo 1.21
- textproc/antiword/patches/patch-wordole.c 1.1

---
Module Name:	pkgsrc
Committed By:	wiz
Date:		Tue Dec 2 23:48:49 UTC 2014

Modified Files:
	pkgsrc/textproc/antiword: Makefile distinfo
Added Files:
	pkgsrc/textproc/antiword/patches: patch-wordole.c

Log Message:
Add fix for CVE-2014-8123 from Fabian Keil.

Bump PKGREVISION.
2014-12-02  Pullup ticket #4563.  tron  1  -1/+3
2014-12-02  Pullup ticket #4563 - requested by spz  tron  7  -3/+241
lang/mono2: security patch

Revisions pulled up:
- lang/mono2/Makefile 1.15 via patch
- lang/mono2/distinfo 1.6
- lang/mono2/patches/patch-CVE-2012-3382 1.1
- lang/mono2/patches/patch-mcs_class_System.Web_System.Web.UI_Page.cs 1.1
- lang/mono2/patches/patch-mcs_class_System.Web_System.Web.Util_SecureHashCodeProvider.cs 1.1
- lang/mono2/patches/patch-mcs_class_System.Web_System.Web.dll.sources 1.1
- lang/mono2/patches/patch-mcs_class_System.Web_System.Web_WebROCollection.cs 1.1

---
Module Name:	pkgsrc
Committed By:	spz
Date:		Sun Nov 30 21:51:44 UTC 2014

Modified Files:
	pkgsrc/lang/mono2: Makefile distinfo
Added Files:
	pkgsrc/lang/mono2/patches: patch-CVE-2012-3382
	    patch-mcs_class_System.Web_System.Web.UI_Page.cs
	    patch-mcs_class_System.Web_System.Web.Util_SecureHashCodeProvider.cs
	    patch-mcs_class_System.Web_System.Web.dll.sources
	    patch-mcs_class_System.Web_System.Web_WebROCollection.cs

Log Message:
add patches for CVE-2012-3543 and CVE-2012-3382 from upstream
2014-12-02  Pullup ticket #4562.  tron  1  -1/+3
2014-12-02  Pullup ticket #4562 - requested by spz  tron  3  -3/+45
x11/qt4-libs: security patch

Revisions pulled up:
- x11/qt4-libs/Makefile 1.102
- x11/qt4-libs/distinfo 1.95
- x11/qt4-libs/patches/patch-CVE-2014-0190 1.1

---
Module Name:	pkgsrc
Committed By:	spz
Date:		Fri Nov 28 21:07:52 UTC 2014

Modified Files:
	pkgsrc/x11/qt4-libs: Makefile distinfo
Added Files:
	pkgsrc/x11/qt4-libs/patches: patch-CVE-2014-0190

Log Message:
add the fix for CVE-2014-0190 from upstream

can be dropped again with the next qt4 release
2014-12-01  Pullup ticket #4561.  tron  1  -1/+3
2014-12-01  Pullup ticket #4561 - requested by wiz  tron  3  -3/+20
graphics/graphviz: security patch

Revisions pulled up:
- graphics/graphviz/Makefile 1.146 via patch
- graphics/graphviz/distinfo 1.53
- graphics/graphviz/patches/patch-lib_cgraph_scan.l 1.4

---
Module Name:	pkgsrc
Committed By:	wiz
Date:		Mon Dec 1 08:45:04 UTC 2014

Modified Files:
	pkgsrc/graphics/graphviz: Makefile distinfo
Added Files:
	pkgsrc/graphics/graphviz/patches: patch-lib_cgraph_scan.l

Log Message:
Fix format string vulnerability.
From upstream git.

Bump PKGREVISION.
2014-11-27  Pullup ticket #4560.  tron  1  -1/+3
2014-11-27  Pullup ticket #4560 - requested by he  tron  3  -7/+20
www/curl: security update

Revisions pulled up:
- www/curl/Makefile 1.143
- www/curl/PLIST 1.45
- www/curl/distinfo 1.99

---
Module Name:	pkgsrc
Committed By:	adam
Date:		Fri Nov 7 14:10:16 UTC 2014

Modified Files:
	pkgsrc/www/curl: Makefile PLIST distinfo

Log Message:
Changes 7.39.0:
* SSLv3 is disabled by default
* CURLOPT_COOKIELIST: Added "RELOAD" command [5]
* build: Added WinIDN build configuration options to Visual Studio projects
* ssh: improve key file search
* SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
* vtls: remove QsoSSL support, use gskit!
* mk-ca-bundle: added SHA-384 signature algorithm
* docs: added many examples for libcurl opts and other doc improvements
* build: Added VC ssh2 target to main Makefile
* MinGW: Added support to build with nghttp2
* NetWare: Added support to build with nghttp2
* build: added Watcom support to build with WinSSL
* build: Added optional specific version generation of VC project files

Bugfixes:
* curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds [9]
* openssl: build fix for versions < 0.9.8e [1]
* newlines: fix mixed newlines to LF-only [2]
* ntlm: Fixed HTTP proxy authentication when using Windows SSPI [3]
* sasl_sspi: Fixed Unicode build [4]
* file: reject paths using embedded %00
* threaded-resolver: revert Curl_expire_latest() switch [6]
* configure: allow --with-ca-path with PolarSSL too
* HTTP/2: Fix busy loop when EOF is encountered
* CURLOPT_CAPATH: return failure if set without backend support
* nss: do not fail if a CRL is already cached
* smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
* fixed 20+ nits/memory leaks identified by Coverity scans
* curl_schannel.c: Fixed possible memory or handle leak
* multi-uv.c: call curl_multi_info_read() better
* Cmake: Check for OpenSSL before OpenLDAP
* Cmake: Fix library list provided to cURL tests
* Cmake: Avoid cycle directory dependencies
* Cmake: Build with GSS-API libraries (MIT or Heimdal)
* vtls: provide backend defines for internal source code
* nss: fix a connection failure when FTPS handle is reused
* tests/http_pipe.py: Python 3 support
* cmake: build tool_hugehelp (ENABLE_MANUAL)
* cmake: enable IPv6 by default if available
* tests: move TESTCASES to Makefile.inc, add show for cmake
* ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
* ntlm: Fixed empty/bad base-64 decoded buffer return codes
* ntlm: Fixed empty type-2 decoded message info text
* cmake: add CMake/Macros.cmake to the release tarball
* cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
* cmake: use LIBCURL_VERSION from curlver.h
* cmake: generate pkg-config and curl-config
* fixed several superfluous variable assignments identified by cppcheck
* cleanup of 'CURLcode result' return code
* pipelining: only output "is not blacklisted" in debug builds
* SSL: Remove SSLv3 from SSL default due to POODLE attack
* gskit.c: remove SSLv3 from SSL default
* darwinssl: detect possible future removal of SSLv3 from the framework
* ntlm: Only define ntlm data structure when USE_NTLM is defined
* ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
* ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
* sspi: Only call CompleteAuthToken() when complete is needed
* http_negotiate: Fixed missing check for USE_SPNEGO
* HTTP: return larger than 3 digit response codes too [7]
* openssl: Check for NPN / ALPN via OpenSSL version number
* openssl: enable NPN separately from ALPN
* sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
* sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
* resume: consider a resume from [content-length] to be OK [8]
* sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
* build-openssl.bat: Fix x64 release build
* cmake: drop _BSD_SOURCE macro usage
* cmake: fix gethostby{addr,name}_r in CurlTests
* cmake: clean OtherTests, fixing -Werror
* cmake: fix struct sockaddr_storage check
* Curl_single_getsock: fix hold/pause sock handling
* SSL: PolarSSL default min SSL version TLS 1.0
* cmake: fix ZLIB_INCLUDE_DIRS use [10]
* buildconf: stop checking for libtool
2014-11-25  Pullup tickets #4555, #4556, #4557, #4558 and #4559.  tron  1  -1/+11
2014-11-25  Pullup ticket #4559 - requested by morr  tron  2  -6/+6
www/wordpress: security update

Revisions pulled up:
- www/wordpress/Makefile 1.43
- www/wordpress/distinfo 1.35

---
Module Name:	pkgsrc
Committed By:	morr
Date:		Mon Nov 24 19:08:53 UTC 2014

Modified Files:
	pkgsrc/www/wordpress: Makefile distinfo

Log Message:
Security update to 4.0.1.

Changes:
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding).
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.

More details on http://codex.wordpress.org/Version_4.0.1.
2014-11-25  Pullup ticket #4558 - requested by taca  tron  4  -68/+66
www/contao33: security update

Revisions pulled up:
- www/contao/Makefile.common 1.83,1.85 via patch
- www/contao33/Makefile 1.6
- www/contao33/PLIST 1.7
- www/contao33/distinfo 1.7-1.8

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Sun Nov 2 01:19:55 UTC 2014

Modified Files:
	pkgsrc/www/contao: Makefile.common
	pkgsrc/www/contao33: PLIST distinfo

Log Message:
Update contao33 to 3.3.6.

Version 3.3.6 (2014-10-31)
--------------------------

### Fixed
Always pass a DC object in the `toggleVisibility` callback (see #7314).

### Fixed
Correctly render the "read more" and article navigation links (see #7300).

### Fixed
Fix the markup of the form submit button (see #7396).

### Fixed
Do not generally remove insert tags from page titles (see #7198).

### Fixed
Consider the `useSSL` flag of the root page when generating URLs (see #7390).

### Fixed
Correctly create the template object in `BaseTemplate::insert()` (see #7366).

### Updated
Updated TinyMCE to version 4.1.6 and added the "lists" plugin (see #7349).

### Fixed
Fixed the FAQ sorting in the back end (see #7362).

### Fixed
Added the `Widget::__isset()` method (see #7290).

### Fixed
Correctly handle dynamic parent tables in the `DC_Table` driver (see #7335).

### Fixed
Correctly shortened HTML strings in `String::substrHtml()` (see #7311).

### Updated
Updated MooTools to version 1.5.1 (see #7267).

### Fixed
Updated swipe.js to version 2.0.1 (see #7307).

### Fixed
Use an `.invisible` class which plays nicely with screen readers (see #7372).

### Fixed
Handle disabled modules in the module loader (see #7380).

### Fixed
Fixed the "link_target" insert tag.

### Fixed
Correctly mark CAPTCHA fields as mandatory (see #7283).

### Updated
Updated the ACE editor to version 1.1.6 (see #7278).

### Fixed
Fix the `Database::list_fields()` method (see #7277).

### Fixed
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).

### Fixed
Set the correct path to TCPDF in `system/config/tcpdf.php` (see #7264).

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Mon Nov 24 13:30:49 UTC 2014

Modified Files:
	pkgsrc/www/contao: Makefile.common
	pkgsrc/www/contao33: Makefile distinfo

Log Message:
Update contao33 to 3.3.7, security release.

Version 3.3.7 (2014-11-24)
--------------------------

### Fixed
Fixed a potential directory traversal vulnerability.

### Fixed
Fixed a severe XSS vulnerability. In this context, the insert tag flags `base64_encode` and `base64_decode` have been removed.

### Fixed
Handle nested insert tags in strip_insert_tags().

### Fixed
Correctly store the model in Dbafs::addResource() (see #7440).

### Fixed
Send the request token when toggling the visibility of an element (see #7406).

### Fixed
Always apply the IE security fix in the Environment class (see #7453).

### Fixed
Correctly handle archives being part of multiple RSS feeds (see #7398).

### Fixed
Correctly handle `0` in utf8_convert_encoding() (see #7403).

### Fixed
Send a 301 redirect to forward to the language root page (see #7420).
2014-11-25  Pullup ticket #4557 - requested by taca  tron  3  -64/+64
www/contao32: security update

Revisions pulled up:
- www/contao/Makefile.common patch
- www/contao32/PLIST 1.9
- www/contao32/distinfo 1.16-1.17

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Sun Nov 2 01:17:44 UTC 2014

Modified Files:
	pkgsrc/www/contao: Makefile.common
	pkgsrc/www/contao32: PLIST distinfo

Log Message:
Update contao32 to 3.2.15.

Version 3.2.15 (2014-10-31)
---------------------------

### Fixed
Always pass a DC object in the `toggleVisibility` callback (see #7314).

### Fixed
Correctly render the "read more" and article navigation links (see #7300).

### Fixed
Consider the `useSSL` flag of the root page when generating URLs (see #7390).

### Fixed
Fixed the FAQ sorting in the back end (see #7362).

### Fixed
Added the `Widget::__isset()` method (see #7290).

### Fixed
Correctly handle dynamic parent tables in the `DC_Table` driver (see #7335).

### Fixed
Correctly shortened HTML strings in `String::substrHtml()` (see #7311).

### Updated
Updated MooTools to version 1.5.1 (see #7267).

### Fixed
Updated swipe.js to version 2.0.1 (see #7307).

### Fixed
Use an `.invisible` class which plays nicely with screen readers (see #7372).

### Fixed
Handle disabled modules in the module loader (see #7380).

### Fixed
Fixed the "link_target" insert tag.

### Updated
Updated the ACE editor to version 1.1.6 (see #7278).

### Fixed
Fix the `Database::list_fields()` method (see #7277).

### Fixed
Correctly assign "col_first" and "col_last" in the image gallery (see #7250).

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Mon Nov 24 13:29:08 UTC 2014

Modified Files:
	pkgsrc/www/contao: Makefile.common
	pkgsrc/www/contao32: distinfo

Log Message:
Update contao32 to 3.2.16, security release.

Version 3.2.16 (2014-11-24)
---------------------------

### Fixed
Fixed a potential directory traversal vulnerability.

### Fixed
Fixed a severe XSS vulnerability. In this context, the insert tag flags `base64_encode` and `base64_decode` have been removed.

### Fixed
Handle nested insert tags in strip_insert_tags().

### Fixed
Correctly store the model in Dbafs::addResource() (see #7440).

### Fixed
Send the request token when toggling the visibility of an element (see #7406).

### Fixed
Always apply the IE security fix in the Environment class (see #7453).

### Fixed
Correctly handle archives being part of multiple RSS feeds (see #7398).

### Fixed
Correctly handle `0` in utf8_convert_encoding() (see #7403).

### Fixed
Send a 301 redirect to forward to the language root page (see #7420).
2014-11-25  Pullup ticket #4556 - requested by taca  tron  3  -7/+10
www/drupal7: security update

Revisions pulled up:
- www/drupal7/Makefile 1.30
- www/drupal7/PLIST 1.11
- www/drupal7/distinfo 1.23

---
Module Name:	pkgsrc
Committed By:	taca
Date:		Sun Nov 23 16:40:10 UTC 2014

Modified Files:
	pkgsrc/www/drupal7: Makefile PLIST distinfo

Log Message:
Update drupal7 to 7.34.

Drupal 7.34, 2014-11-19
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-006.

Drupal 7.33, 2014-11-07
-----------------------
- Began storing the file modification time of each module and theme in the
  {system} database table so that contributed modules can use it to identify
  recently changed modules and themes (minor data structure change to the
  return value of system_get_info() and other related functions).
- Added a "Did you mean?" feature to the run-tests.sh script for running
  automated tests from the command line, to help developers who are attempting
  to run a particular test class or group.
- Changed the date format used in various HTTP headers output by Drupal core
  from RFC 1123 format to RFC 7231 format.
- Added a "block_cache_bypass_node_grants" variable to allow sites which have
  node access modules enabled to use the block cache if desired (API
  addition).
- Made image derivative generation HTTP requests return a 404 error (rather
  than a 500 error) when the source image does not exist.
- Fixed a bug which caused user pictures to be removed from the user object
  after saving, and resulted in data loss if the user account was subsequently
  re-saved.
- Fixed a bug in which field_has_data() did not return TRUE for fields that
  only had data in older entity revisions, leading to loss of the field's
  data when the field configuration was edited.
- Fixed a bug which caused the Ajax progress throbber to appear misaligned in
  many situations (minor styling change).
- Prevented the Bartik theme from lower-casing the "Permalink" link on
  comments, for improved multilingual support (minor UI change).
- Added a "preferred_menu_links" tag to the database query that is used by
  menu_link_get_preferred() to find the preferred menu link for a given path,
  to make it easier to alter.
- Increased the maximum allowed length of block titles to 255 characters
  (database schema change to the {block} table).
- Removed the Field module's field_modules_uninstalled() function, since it
  did not do anything when it was invoked.
- Added a "theme_hook_original" variable to templates and theme functions and
  an optional sitewide theme debug mode, to provide contextual information in
  the page's HTML to theme developers. The theme debug mode is based on the
  one used with Twig in Drupal 8 and can be accessed by setting the
  "theme_debug" variable to TRUE (API addition).
- Added an entity_view_mode_prepare() API function to allow entity-defining
  modules to properly invoke hook_entity_view_mode_alter(), and used it
  throughout Drupal core to fix bugs with the invocation of that hook (API
  change: https://www.drupal.org/node/2369141).
- Security improvement: Made the database API's orderBy() method sanitize the
  sort direction ("ASC" or "DESC") for queries built with db_select(), so that
  calling code does not have to.
- Changed the RDF module to consistently output RDF metadata for nodes and
  comments near where the node is rendered in the HTML (minor markup and data
  structure change).
- Added an HTML class to RDFa metatags throughout Drupal to prevent them from
  accidentally affecting the site appearance (minor markup change).
- Fixed a bug in the Unicode requirements check which prevented installing
  Drupal on PHP 5.6.
- Fixed a bug which caused drupal_get_bootstrap_phase() to abort the bootstrap
  when called early in the page request.
- Renamed the "Search result" view mode to "Search result highlighting input"
  to better reflect how it is used (UI change).
- Improved database queries generated by EntityFieldQuery in the case where
  delta or language condition groups are used, to reduce the number of INNER
  JOINs (this is a minor data structure change affecting code which implements
  hook_query_alter() on these queries).
- Removed special-case behavior for file uploads which allowed user #1 to
  bypass maximum file size and user quota limits.
- Numerous small bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
2014-11-25 | Pullup ticket #4555 - requested by taca | tron | 2 | -6/+6
www/drupal6: security update

Revisions pulled up:
- www/drupal6/Makefile 1.50
- www/drupal6/distinfo 1.33
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Nov 23 16:38:59 UTC 2014

Modified Files:
pkgsrc/www/drupal6: Makefile distinfo

Log Message:
Update drupal6 to 6.34.

Drupal 6.34, 2014-11-19
----------------------
- Fixed security issues (session hijacking). See SA-CORE-2014-006.
2014-11-23 | pullups #4543 and #4554 | spz | 1 | -3/+6
2014-11-23 | Pullup ticket #4554 - requested by tron | spz | 2 | -6/+6
databases/phpmyadmin: security update

Revisions pulled up:
- databases/phpmyadmin/Makefile 1.138
- databases/phpmyadmin/distinfo 1.95
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Sun Nov 23 13:17:21 UTC 2014

Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo

Log Message:
Update "phpmyadmin" package to version 4.2.12. The following bugs have been fixed since version 4.2.10.1:
- bug #4574 Blank/white page when JavaScript disabled
- bug #4577 Multi row actions cause full page reloads
- bug ReferenceError: targeurl is not defined
- bug Incorrect text/icon display in Tracking report
- bug #4404 Recordset return from procedure display nothing
- bug #4584 Edit dialog for routines is too long for smaller displays
- bug #4586 Javascript error after moving a column
- bug #4576 Issue with long comments on table columns
- bug #4599 Input field unnecessarily selected on focus
- bug #4602 Exporting selected rows exports all rows of the query
- bug #4444 No insert statement produced in SQL export for queries with aliases
- bug #4603 Field disabled when internal relations used
- bug #4596 [security] XSS through exception stack
- bug #4595 [security] Path traversal can lead to leakage of line count
- bug #4578 [security] XSS vulnerability in table print view
- bug #4579 [security] XSS vulnerability in zoom search page
- bug #4594 [security] Path traversal in file inclusion of GIS factory
- bug #4598 [security] XSS in multi submit
- bug #4597 [security] XSS through pma_fontsize cookie
- bug ReferenceError: Table_onover is not defined
- bug #4552 Incorrect routines display for database due to case insensitive checks
- bug #4259 reCaptcha sound session expired problem
- bug #4557 PHP fatal error, undefined function __()
- bug #4568 Date displayed incorrectly when charting a timeline
- bug #4571 Database Privileges link does not work
- bug makegrid.js: where_clause is undefined
- bug #4572 missing trailing slash (import and open_basedir)

To generate a diff of this commit:
cvs rdiff -u -r1.137 -r1.138 pkgsrc/databases/phpmyadmin/Makefile
cvs rdiff -u -r1.94 -r1.95 pkgsrc/databases/phpmyadmin/distinfo
2014-11-23 | Pullup ticket #4543 - requested by tron | spz | 4 | -35/+12
net/wireshark: security update

Revisions pulled up:
- net/wireshark/Makefile 1.127
- net/wireshark/distinfo 1.78
- net/wireshark/patches/patch-aa 1.14
- net/wireshark/patches/patch-ab deleted
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Nov 14 12:06:10 UTC 2014

Modified Files:
pkgsrc/net/wireshark: Makefile distinfo
pkgsrc/net/wireshark/patches: patch-aa
Removed Files:
pkgsrc/net/wireshark/patches: patch-ab

Log Message:
Update "wireshark" package to version 1.10.11. Changes since 1.10.10:

- Bug Fixes

The following vulnerabilities have been fixed.
* wnpa-sec-2014-20 SigComp UDVM buffer overflow. (Bug 10662) CVE-2014-8710
* wnpa-sec-2014-21 AMQP crash. (Bug 10582) CVE-2014-8711
* wnpa-sec-2014-22 NCP crashes. (Bug 10552, Bug 10628) CVE-2014-8712 CVE-2014-8713
* wnpa-sec-2014-23 TN5250 infinite loops. (Bug 10596) CVE-2014-8714

The following bugs have been fixed:
* 6LoWPAN Mesh headers not treated as encapsulating address. (Bug 10462)
* UCP dissector bug of operation 31 - PID 0639 not recognized. (Bug 10463)
* iSCSI dissector rejects PDUs with "expected data transfer length" > 16M. (Bug 10469)
* GTPv2: trigging_tree under Trace information has wrong length. (Bug 10470)
* Attempt to render an SMS-DELIVER-REPORT instead of an SMS-DELIVER. (Bug 10547)
* IPv6 Mobility Option IPv6 Address/Prefix marks too many bytes for the address/prefix field. (Bug 10576)
* IPv6 Mobility Option Binding Authorization Data for FMIPv6 Authenticator field is read beyond the option data. (Bug 10577)
* IPv6 Mobility Option Mobile Node Link Layer Identifier Link-layer Identifier field is read beyond the option data. (Bug 10578)
* Malformed PTPoE announce packet. (Bug 10611)
* IPv6 Permanent Home Keygen Token mobility option includes too many bytes for the token field. (Bug 10619)
* IPv6 Redirect Mobility Option K and N bits are parsed incorrectly. (Bug 10622)
* IPv6 Care Of Test mobility option includes too many bytes for the Keygen Token field. (Bug 10624)
* IPv6 MESG-ID mobility option is parsed incorrectly. (Bug 10625)
* IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
* IPv6 DNS-UPDATE-TYPE mobility option includes too many bytes for the MD identity field. (Bug 10629)
* IPv6 Local Mobility Anchor Address mobility option's code and reserved fields are parsed as 2 bytes instead of 1. (Bug 10630)
* TShark crashes when running with PDML on a specific packet. (Bug 10651)
* IPv6 Mobility Option Context Request reads an extra request. (Bug 10676)

- Updated Protocol Support

6LoWPAN, AMQP, GSM MAP, GTPv2, H.223, IEEE 802.11, iSCSI, MIH, Mobile IPv6, PTPoE, TN5250, and UCP

- New and Updated Capture File Support

Catapult DCT2000, HP-UX nettl, pcap-ng, and Sniffer (DOS)

To generate a diff of this commit:
cvs rdiff -u -r1.126 -r1.127 pkgsrc/net/wireshark/Makefile
cvs rdiff -u -r1.77 -r1.78 pkgsrc/net/wireshark/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/net/wireshark/patches/patch-aa
cvs rdiff -u -r1.4 -r0 pkgsrc/net/wireshark/patches/patch-ab
2014-11-23 | Pullup ticket #4553. | tron | 1 | -1/+3
2014-11-23 | Pullup ticket #4553 - requested by dholland | tron | 2 | -1/+18
shells/bash: build fix

Revisions pulled up:
- shells/bash/distinfo 1.39
- shells/bash/patches/patch-configure 1.1
---
Module Name: pkgsrc
Committed By: dholland
Date: Sun Nov 23 00:43:57 UTC 2014

Modified Files:
pkgsrc/shells/bash: distinfo
Added Files:
pkgsrc/shells/bash/patches: patch-configure

Log Message:
Use -Wl,-R instead of just -R to avoid breaking the build on FreeBSD.
From Dennis Lindroos in PR 49375.
2014-11-20 | Pullup ticket #4552. | tron | 1 | -1/+3
2014-11-20 | Pullup ticket #4552 - requested by taca | tron | 9 | -34/+34
www/ruby-rails32: security update

Revisions pulled up:
- databases/ruby-activerecord32/distinfo 1.19
- devel/ruby-activemodel32/distinfo 1.19
- devel/ruby-activesupport32/distinfo 1.19
- devel/ruby-railties32/distinfo 1.19
- lang/ruby/rails.mk 1.51
- mail/ruby-actionmailer32/distinfo 1.19
- www/ruby-actionpack32/distinfo 1.19
- www/ruby-activeresource32/distinfo 1.19
- www/ruby-rails32/distinfo 1.19
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:41:34 UTC 2014

Modified Files:
pkgsrc/lang/ruby: rails.mk

Log Message:
Start update of Ruby on Rails to 3.2.21.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:43:47 UTC 2014

Modified Files:
pkgsrc/devel/ruby-activesupport32: distinfo

Log Message:
Update ruby-activesupport32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:44:09 UTC 2014

Modified Files:
pkgsrc/devel/ruby-activemodel32: distinfo

Log Message:
Update ruby-activemodel32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:44:57 UTC 2014

Modified Files:
pkgsrc/databases/ruby-activerecord32: distinfo

Log Message:
Update ruby-activerecord32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:45:29 UTC 2014

Modified Files:
pkgsrc/www/ruby-activeresource32: distinfo

Log Message:
Update ruby-activeresource32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:46:18 UTC 2014

Modified Files:
pkgsrc/www/ruby-actionpack32: distinfo

Log Message:
Update ruby-actionpack32 to 3.2.21. Fix CVE-2014-7829 security problem.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:46:44 UTC 2014

Modified Files:
pkgsrc/mail/ruby-actionmailer32: distinfo

Log Message:
Update ruby-actionmailer32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:47:04 UTC 2014

Modified Files:
pkgsrc/devel/ruby-railties32: distinfo

Log Message:
Update ruby-railties32 to 3.2.21. No change except version number.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Nov 18 15:47:30 UTC 2014

Modified Files:
pkgsrc/www/ruby-rails32: distinfo

Log Message:
Update ruby-rails32 to 3.2.21. No change except version number.
2014-11-19 | Pullup tickets #4550 and #4551. | tron | 1 | -1/+5
2014-11-19 | Pullup ticket #4551 - requested by taca | tron | 3 | -8/+8
lang/php55: security update

Revisions pulled up:
- lang/php/phpversion.mk 1.77
- lang/php55/PLIST 1.4
- lang/php55/distinfo 1.31
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 15 14:53:12 UTC 2014

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: PLIST distinfo

Log Message:
Update php55 to 5.5.19.

13 Nov 2014, PHP 5.5.19

- Core:
  . Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()). (Stas)
  . Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined). (Nikita)
  . Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords) (Tjerk)
  . Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy). (Dmitry)

- Fileinfo:
  . Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB)
  . Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710) (Remi)

- FPM:
  . Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses). (Robin Gloster)

- GD:
  . Fixed bug #65171 (imagescale() fails without height param). (Remi)

- GMP:
  . Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP). (Remi)

- Mysqli:
  . Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)

- ODBC:
  . Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column) (Keyur Govande)

- SPL:
  . Fixed bug #68128 (Regression in RecursiveRegexIterator) (Tjerk)

- CURL:
  . Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl (Rasmus)
2014-11-19 | Pullup ticket #4550 - requested by taca | tron | 2 | -6/+6
lang/php54: security update

Revisions pulled up:
- lang/php/phpversion.mk 1.76
- lang/php54/distinfo 1.49
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 15 14:49:45 UTC 2014

Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php54: distinfo

Log Message:
Update php54 to 5.4.35 (PHP 5.4.35).

13 Nov 2014 PHP 5.4.35

- Core:
  . Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy). (Dmitry)

- Fileinfo:
  . Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710) (Remi)

- GMP:
  . Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP). (Remi)

- PDO_pgsql:
  . Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)