devel/exctags: security patch
Revisions pulled up:
- devel/exctags/Makefile 1.27
- devel/exctags/distinfo 1.13
- devel/exctags/patches/patch-CVE-2014-7204 1.1
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Mar 29 09:19:06 UTC 2015
Modified Files:
pkgsrc/devel/exctags: Makefile distinfo
Added Files:
pkgsrc/devel/exctags/patches: patch-CVE-2014-7204
Log Message:
SECURITY: Fix CVE-2014-7204 (DoS in JavaScript parser) in exuberant-ctags.
|
|
|
|
sysutils/file: security update
Revisions pulled up:
- sysutils/file/Makefile 1.34
- sysutils/file/distinfo 1.21
- sysutils/file/patches/patch-config.h.in deleted
- sysutils/file/patches/patch-configure deleted
- sysutils/file/patches/patch-configure.ac deleted
- sysutils/file/patches/patch-src_file.c deleted
- sysutils/file/patches/patch-src_file.h deleted
- sysutils/file/patches/patch-src_getline.c deleted
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Mar 22 09:48:52 UTC 2015
Modified Files:
pkgsrc/sysutils/file: Makefile distinfo
Removed Files:
pkgsrc/sysutils/file/patches: patch-config.h.in patch-configure
patch-configure.ac patch-src_file.c patch-src_file.h
patch-src_getline.c
Log Message:
SECURITY: Update file to 5.22.
Bugs fixed:
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in
more places for safety
* Fix for CVE-2014-9620.
|
|
|
|
net/ntp4: security update
Revisions pulled up:
- net/ntp4/Makefile 1.84
- net/ntp4/PLIST 1.17
- net/ntp4/distinfo 1.20
- net/ntp4/patches/patch-ntpd_ntp__io.c deleted
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Mar 21 20:49:28 UTC 2015
Modified Files:
pkgsrc/net/ntp4: Makefile PLIST distinfo
Removed Files:
pkgsrc/net/ntp4/patches: patch-ntpd_ntp__io.c
Log Message:
SECURITY: Update ntpd to 4.2.8p1.
* [Sec 2671] vallen in extension fields are not validated.
* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
|
|
|
|
net/lftp: security patch
Revisions pulled up:
- net/lftp/Makefile 1.109
- net/lftp/distinfo 1.62
- net/lftp/patches/patch-src_SSH__Access.cc 1.1
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Mar 21 20:04:39 UTC 2015
Modified Files:
pkgsrc/net/lftp: Makefile distinfo
Added Files:
pkgsrc/net/lftp/patches: patch-src_SSH__Access.cc
Log Message:
SECURITY: add a patch to prevent saving of unknown host keys without user
intervention.
Bump PKGREVISION.
|
|
|
|
audio/vorbis-tools: security patch
Revisions pulled up:
- audio/vorbis-tools/Makefile 1.61
- audio/vorbis-tools/distinfo 1.24
- audio/vorbis-tools/patches/patch-ac 1.10
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Mar 21 19:06:54 UTC 2015
Modified Files:
pkgsrc/audio/vorbis-tools: Makefile distinfo
pkgsrc/audio/vorbis-tools/patches: patch-ac
Log Message:
SECURITY: Fix CVE-2014-9640.
https://trac.xiph.org/changeset/19117
oggenc: fix crash on raw file close, reported by Hanno in issue #2009. pointer
to a non-static struct was escaping its scope.
|
|
|
|
www/drupal7: security update
Revisions pulled up:
- www/drupal7/Makefile 1.31
- www/drupal7/distinfo 1.24
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 19 15:36:41 UTC 2015
Modified Files:
pkgsrc/www/drupal7: Makefile distinfo
Log Message:
Update drupal7 to 7.35 (Drupal 7.35), security fix release.
Drupal 7.35, 2015-03-18
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.
|
|
|
|
www/drupal6: security update
Revisions pulled up:
- www/drupal6/Makefile 1.51
- www/drupal6/distinfo 1.34
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 19 15:35:56 UTC 2015
Modified Files:
pkgsrc/www/drupal6: Makefile distinfo
Log Message:
Update drupal6 to 6.35 (Drupal 6.35), security fix release.
Drupal 6.35, 2015-03-18
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.
|
|
|
|
devel/tcllib: security update
Revisions pulled up:
- devel/tcllib/Makefile 1.14
- devel/tcllib/distinfo 1.6
- devel/tcllib/patches/patch-modules_html_html.tcl 1.1
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Mar 21 17:14:04 UTC 2015
Modified Files:
pkgsrc/devel/tcllib: Makefile distinfo
Added Files:
pkgsrc/devel/tcllib/patches: patch-modules_html_html.tcl
Log Message:
SECURITY: Apply patch for XSS in html::textarea as of
http://core.tcl.tk/tcllib/info/09110adc43.
Bump PKGREVISION.
|
|
|
|
net/wireshark: security update
Revisions pulled up:
- net/wireshark/Makefile 1.129
- net/wireshark/distinfo 1.80
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Mon Mar 9 09:04:25 UTC 2015
Modified Files:
pkgsrc/net/wireshark: Makefile distinfo
Log Message:
Update "wireshark" package to version 1.10.13. Changes since 1.10.12:
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2015-07
The WCP dissector could crash. (Bug 10844) CVE-2015-2188
* wnpa-sec-2015-08
The pcapng file parser could crash. (Bug 10895) CVE-2015-2189
* wnpa-sec-2015-10
The TNEF dissector could go into an infinite loop. Discovered by
Vlad Tsyrklevich. (Bug 11023) CVE-2015-2190
The following bugs have been fixed:
* IPv6 AUTH mobility option parses Mobility SPI and Authentication
Data incorrectly. (Bug 10626)
* DHCP Option 125 Suboption: (1) option-len always expects 1 but
specification allows for more. (Bug 10784)
* Little-endian OS X Bluetooth PacketLogger files aren't handled.
(Bug 10861)
* X.509 certificate serial number incorrectly interpreted as negative
number. (Bug 10862)
* H.248 "ServiceChangeReasonStr" messages are not shown in text
generated by tshark. (Bug 10879)
* Clang ASAN : AddressSanitizer: global-buffer-overflow ANSI.
(Bug 10897)
* MEGACO wrong decoding on media port. (Bug 10898)
* Wrong media format. (Bug 10899)
* BSSGP Status PDU decoding fault (missing Mandatory element (0x04)
BVCI for proper packet). (Bug 10903)
* Packets on OpenBSD loopback decoded as raw not null. (Bug
10956)
* Display Filter Macro unable to edit. (Bug 10957)
* IPv6 Local Mobility Anchor Address mobility option code is treated
incorrectly. (Bug 10961)
* Juniper Packet Mirror dissector expects ipv6 flow label = 0.
(Bug 10976)
* Infinite loop DoS in TNEF dissector. (Bug 11023)
- Updated Protocol Support
ANSI IS-637-A, DHCP, GSM MAP, H.248, IPv6, Juniper Jmirror, and X.509AF
- New and Updated Capture File Support
PacketLogger, and Pcapng
To generate a diff of this commit:
cvs rdiff -u -r1.128 -r1.129 pkgsrc/net/wireshark/Makefile
cvs rdiff -u -r1.79 -r1.80 pkgsrc/net/wireshark/distinfo
|
|
|
|
multimedia/adobe-flash-plugin11: security update
Revisions pulled up:
- multimedia/adobe-flash-plugin11/Makefile 1.38-1.43
- multimedia/adobe-flash-plugin11/distinfo 1.36-1.40
---
Module Name: pkgsrc
Committed By: dholland
Date: Sun Jan 4 03:41:59 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile
Log Message:
document NOT_FOR_PLATFORM
---
Module Name: pkgsrc
Committed By: obache
Date: Wed Jan 14 09:30:03 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.429 for APSB15-01.
---
Module Name: pkgsrc
Committed By: obache
Date: Fri Jan 23 06:08:40 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.438 for APSB15-02.
---
Module Name: pkgsrc
Committed By: obache
Date: Tue Jan 27 11:24:57 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.440 for APSA15-01 (CVE-2015-0311).
---
Module Name: pkgsrc
Committed By: tsutsui
Date: Sat Feb 28 19:21:32 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.442.
Upstream announcement:
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Security updates available for Adobe Flash Player
Release date: February 5, 2015
Last updated: February 19, 2015
Vulnerability identifier: APSB15-04
CVE number: CVE-2015-0313, CVE-2015-0314, CVE-2015-0315, CVE-2015-0316,
CVE-2015-0317, CVE-2015-0318, CVE-2015-0319, CVE-2015-0320, CVE-2015-0321,
CVE-2015-0322, CVE-2015-0323, CVE-2015-0324, CVE-2015-0325, CVE-2015-0326,
CVE-2015-0327, CVE-2015-0328, CVE-2015-0329, CVE-2015-0330, CVE-2015-0331
Platform: All Platforms
---
Module Name: pkgsrc
Committed By: tnn
Date: Sat Mar 14 16:36:59 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update to adobe-flash-plugin-11.2.202.451. Fixes security problems:
CVE-2015-0332, CVE-2015-0333, CVE-2015-0334, CVE-2015-0335, CVE-2015-0336,
CVE-2015-0337, CVE-2015-0338, CVE-2015-0339, CVE-2015-0340, CVE-2015-0341,
CVE-2015-0342.
|
|
multimedia/ffmpeg010: security update
Revisions pulled up:
- multimedia/ffmpeg010/Makefile 1.21
- multimedia/ffmpeg010/Makefile.common 1.11
- multimedia/ffmpeg010/distinfo 1.12
---
Module Name: pkgsrc
Committed By: tnn
Date: Sat Mar 14 16:14:43 UTC 2015
Modified Files:
pkgsrc/multimedia/ffmpeg010: Makefile Makefile.common distinfo
Log Message:
Update to ffmpeg010-20150312.0.10.16 "Freedom"
This is a patch release from the old 0.10 branch which contains backported
fixes for security problems reported in the 1.x and 1.2 branches.
|
|
|
|
security/libgcrypt: security update
Revisions pulled up:
- security/libgcrypt/Makefile 1.69-1.70
- security/libgcrypt/distinfo 1.55-1.56
- security/libgcrypt/patches/patch-ab deleted
- security/libgcrypt/patches/patch-random_rndunix.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 5 21:56:16 UTC 2015
Modified Files:
pkgsrc/security/libgcrypt: Makefile distinfo
Added Files:
pkgsrc/security/libgcrypt/patches: patch-random_rndunix.c
Removed Files:
pkgsrc/security/libgcrypt/patches: patch-ab
Log Message:
Replace patch-ab with upstream version, see
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=817472358a093438e802380caecf7139406400cf;hp=8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Feb 28 00:14:25 UTC 2015
Modified Files:
pkgsrc/security/libgcrypt: Makefile distinfo
Log Message:
Update to 1.6.3:
Noteworthy changes in version 1.6.3 (2015-02-27) [C20/A0/R3]
------------------------------------------------
* Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
* Fixed data-dependent timing variations in modular exponentiation
[related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
are Practical].
* Improved asm support for older toolchains.
|
|
textproc/icu: security patch
Revisions pulled up:
- textproc/icu/Makefile 1.96
- textproc/icu/distinfo 1.52
- textproc/icu/patches/patch-CVE-2014-7923+7926 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Fri Mar 6 14:43:15 UTC 2015
Modified Files:
pkgsrc/textproc/icu: Makefile distinfo
Added Files:
pkgsrc/textproc/icu/patches: patch-CVE-2014-7923+7926
Log Message:
add patch for CVE-2014-7923 and CVE-2014-7926 found at
https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
|
|
security/gnupg: security update
Revisions pulled up:
- security/gnupg/Makefile 1.128
- security/gnupg/PLIST 1.28
- security/gnupg/distinfo 1.66
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Feb 28 00:13:25 UTC 2015
Modified Files:
pkgsrc/security/gnupg: Makefile PLIST distinfo
Log Message:
Update to 1.4.19:
Noteworthy changes in version 1.4.19 (2015-02-27)
-------------------------------------------------
* Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
* Fixed data-dependent timing variations in modular exponentiation
[related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
are Practical].
* Detect faulty use of --verify on detached signatures.
* Changed the PKA method to use CERT records and hashed names.
* New import option "keep-ownertrust".
* Support algorithm names when generating keys using the --command-fd
method.
* Updated many translations.
* Updated build system.
* Fixed a regression in keyserver import
* Fixed argument parsing for option --debug-level.
* Fixed DoS based on bogus and overlong key packets.
* Fixed bugs related to bogus keyrings.
* The usual minor bug fixes.
|
|
|
|
net/samba: security update
Revisions pulled up:
- net/samba/Makefile 1.253
- net/samba/distinfo 1.102
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 24 09:54:47 UTC 2015
Modified Files:
pkgsrc/net/samba: Makefile distinfo
Log Message:
Update samba package to 3.6.25.
==============================
Release Notes for Samba 3.6.25
February 23, 2015
==============================
This is a security release in order to address CVE-2015-0240 (Unexpected
code execution in smbd).
o CVE-2015-0240:
All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
unexpected code execution vulnerability in the smbd file server
daemon.
A malicious client could send packets that may set up the stack in
such a way that the freeing of memory in a subsequent anonymous
netlogon packet could allow execution of arbitrary code. This code
would execute with root privileges.
o CVE-2014-0178:
In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.
A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.
|
|
lang/php56: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.88
- lang/php56/Makefile 1.4
- lang/php56/PLIST 1.2
- lang/php56/distinfo 1.6
- lang/php56/patches/patch-ext_date_php_date.c deleted
- lang/php56/patches/patch-ext_date_tests_bug68942.phpt deleted
- lang/php56/patches/patch-ext_date_tests_bug68942_2.phpt deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 20 01:17:50 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: Makefile PLIST distinfo
Removed Files:
pkgsrc/lang/php56/patches: patch-ext_date_php_date.c
patch-ext_date_tests_bug68942.phpt
patch-ext_date_tests_bug68942_2.phpt
Log Message:
Update php56 to 5.6.6 (PHP 5.6.6).
19 Feb 2015, PHP 5.6.6
- Core:
. Removed support for multi-line headers, as they are deprecated by RFC 7230.
(Stas)
. Fixed bug #67068 (getClosure returns something that's not a closure).
(Danack at basereality dot com)
. Fixed bug #68942 (Use after free vulnerability in unserialize() with
DateTimeZone). (CVE-2015-0273) (Stas)
. Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
buffer overflow). (Stas)
. Fixed Bug #67988 (htmlspecialchars() does not respect default_charset
specified by ini_set) (Yasuo)
. Added NULL byte protection to exec, system and passthru. (Yasuo)
- Dba:
. Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
- Enchant:
. Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()).
(Antony)
- Fileinfo:
. Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)
. Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files
correctly). (Anatol)
. Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some
gifs). (Anatol)
- FPM:
. Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
. Fixed bug #68571 (core dump when webserver close the socket).
(redfoxli069 at gmail dot com, Laruence)
- JSON:
. Fixed bug #50224 (json_encode() does not always encode a float as a float)
by adding JSON_PRESERVE_ZERO_FRACTION. (Juan Basso)
- LIBXML:
. Fixed bug #64938 (libxml_disable_entity_loader setting is shared
between threads). (Martin Jansen)
- Mysqli:
. Fixed bug #68114 (linker error on some OS X machines with fixed
width decimal support) (Keyur Govande)
. Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient
has rounding errors) (Keyur Govande)
- Opcache:
. Fixed bug with try blocks being removed when extended_info opcode
generation is turned on. (Laruence)
- PDO_mysql:
. Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of
named pipes). (steffenb198 at aol dot com)
- Phar:
. Fixed bug #68901 (use after free). (bugreports at internot dot info)
- Pgsql:
. Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)
- Session:
. Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
. Fixed Bug #66623 (no EINTR check on flock) (Yasuo)
. Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)
- Sqlite3:
. Fixed bug #68260 (SQLite3Result::fetchArray declares wrong
required_num_args). (Julien)
- Standard:
. Fixed bug #65272 (flock() out parameter not set correctly in windows).
(Daniel Lowrey)
. Fixed bug #69033 (Request may get env. variables from previous requests
if PHP works as FastCGI). (Anatol)
- Streams:
. Fixed bug which caused call after final close on streams filter. (Bob)
|
|
|
|
lang/php55: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.87
- lang/php55/Makefile 1.19
- lang/php55/PLIST 1.5
- lang/php55/distinfo 1.35
- lang/php55/patches/patch-ext_date_php_date.c deleted
- lang/php55/patches/patch-ext_date_tests_bug68942.phpt deleted
- lang/php55/patches/patch-ext_date_tests_bug68942_2.phpt deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 13:35:24 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: Makefile PLIST distinfo
Removed Files:
pkgsrc/lang/php55/patches: patch-ext_date_php_date.c
patch-ext_date_tests_bug68942.phpt
patch-ext_date_tests_bug68942_2.phpt
Log Message:
Update php55 to 5.5.22 (PHP 5.5.22).
19 Feb 2015, PHP 5.5.22
- Core:
. Fixed bug #67068 (getClosure returns something that's not a closure).
(Danack at basereality dot com)
. Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
buffer overflow). (Stas)
. Fixed bug #68942 (Use after free vulnerability in unserialize() with
DateTimeZone). (CVE-2015-0273) (Stas)
. Added NULL byte protection to exec, system and passthru. (Yasuo)
. Removed support for multi-line headers, as they are deprecated by RFC 7230.
(Stas)
- Date:
. Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick)
- Dba:
. Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
- Enchant:
. Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()).
(Antony)
- Fileinfo:
. Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)
- FPM:
. Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
. Fixed bug #68571 (core dump when webserver close the socket).
(redfoxli069 at gmail dot com, Laruence)
- Libxml:
. Fixed bug #64938 (libxml_disable_entity_loader setting is shared
between threads). (Martin Jansen)
- OpenSSL:
. Fixed bug #55618 (use case-insensitive cert name matching).
(Daniel Lowrey)
- PDO_mysql:
. Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of
named pipes). (steffenb198@aol.com)
- Phar:
. Fixed bug #68901 (use after free). (bugreports at internot dot info)
- Pgsql:
. Fixed Bug #65199 (pg_copy_from() modifies input array variable). (Yasuo)
- Sqlite3:
. Fixed bug #68260 (SQLite3Result::fetchArray declares wrong
required_num_args). (Julien)
- Mysqli:
. Fixed bug #68114 (linker error on some OS X machines with fixed
width decimal support) (Keyur Govande)
. Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient
has rounding errors) (Keyur Govande)
- Session:
. Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
. Fixed Bug #66623 (no EINTR check on flock) (Yasuo)
. Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)
- Standard:
. Fixed bug #65272 (flock() out parameter not set correctly in windows).
(Daniel Lowrey)
. Fixed bug #69033 (Request may get env. variables from previous requests
if PHP works as FastCGI)
- Streams:
. Fixed bug which caused call after final close on streams filter. (Bob)
|
|
|
|
lang/php54: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.86
- lang/php54/Makefile 1.27
- lang/php54/distinfo 1.53
- lang/php54/patches/patch-ext_date_php_date.c deleted
- lang/php54/patches/patch-ext_date_tests_bug68942_2.phpt deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 09:37:36 UTC 2015
Modified Files:
pkgsrc/lang/php54: Makefile distinfo
Removed Files:
pkgsrc/lang/php54/patches: patch-ext_date_php_date.c
patch-ext_date_tests_bug68942_2.phpt
Log Message:
Update php54 to 5.4.38 (PHP 5.4.38).
19 Feb 2015 PHP 5.4.38
- Core:
. Removed support for multi-line headers, as they are deprecated by RFC 7230.
(Stas)
. Added NULL byte protection to exec, system and passthru. (Yasuo)
. Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
buffer overflow). (Stas)
. Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
(ncopa at alpinelinux dot org)
. Fixed bug #68942 (Use after free vulnerability in unserialize() with
DateTimeZone). (Stas)
- Enchant:
. Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()).
(Antony)
- SOAP:
. Fixed bug #67427 (SoapServer cannot handle large messages)
(brandt at docoloc dot de)
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 13:15:00 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
Log Message:
Forgot to commit with php54 update.
|
|
security/clamav: security update
Revisions pulled up:
- security/clamav/Makefile 1.21
- security/clamav/distinfo 1.16
---
Module Name: pkgsrc
Committed By: hiramatsu
Date: Tue Feb 24 07:28:59 UTC 2015
Modified Files:
pkgsrc/security/clamav: Makefile distinfo
Log Message:
Update clamav to 0.98.6.
Changes from 0.98.5.
--------------------
- library shared object revisions.
- installation issues on some Mac OS X and FreeBSD platforms.
- includes a patch from Sebastian Andrzej Siewior making
ClamAV pid files compatible with systemd.
- Fix a heap out of bounds condition with crafted Yoda's
crypter files. This issue was discovered by Felix Groebert
of the Google Security Team.
- Fix a heap out of bounds condition with crafted mew packer
files. This issue was discovered by Felix Groebert of the
Google Security Team.
- Fix a heap out of bounds condition with crafted upx packer
files. This issue was discovered by Kevin Szkudlapski of
Quarkslab.
- Fix a heap out of bounds condition with crafted upack packer
files. This issue was discovered by Sebastian Andrzej Siewior.
CVE-2014-9328.
- Compensate a crash due to incorrect compiler optimization when
handling crafted petite packer files. This issue was discovered
by Sebastian Andrzej Siewior.
|
|
|
|
This was 7 years old and there is no evidence that anyone has even
tried to use it in a very long time.
|
|
Add Joyent bulk build links.
|
|
|
|
www/typo3_45: security update
Revisions pulled up:
- www/typo3_45/Makefile 1.34-1.35
- www/typo3_45/distinfo 1.29
---
Module Name: pkgsrc
Committed By: tnn
Date: Sat Feb 7 22:06:52 UTC 2015
Modified Files:
pkgsrc/databases/p5-Search-QueryParser-SQL: Makefile
pkgsrc/databases/py-elixir: Makefile
pkgsrc/ham/gnuradio-companion: Makefile
pkgsrc/net/py-softlayer: Makefile
pkgsrc/www/typo3_45: Makefile
pkgsrc/www/typo3_47: Makefile
pkgsrc/www/typo3_60: Makefile
pkgsrc/www/typo3_61: Makefile
Log Message:
Drop trailing '/' from DEPENDS lines. Found by Bernhard Riedel.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 09:41:01 UTC 2015
Modified Files:
pkgsrc/www/typo3_45: Makefile distinfo
Log Message:
Update typo3_45 package to 4.5.20.
pkgsrc change: supports PHP < 5.6.
Fix security problem:
* TYPO3-CORE-SA-2015-001: Authentication Bypass in TYPO3 CMS 4.5
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/
2015-02-19 1b8a673 [RELEASE] Release of TYPO3 4.5.40 (TYPO3 Release Team)
2015-02-19 3fbd91c #65113 [SECURITY] Prevent login with semi-empty values (Nicole Cordes)
2015-01-29 6cf78f6 #64597 [TASK] Update TYPO3 copyright in all branches (Benjamin Mack)
2015-01-29 38e1cb1 #64573 [BUGFIX] Travis tests for PHP 5.5 (Stephan Großberndt)
2015-01-19 fc33980 [TASK] Post travis notification to #typo3-cms-coredev channel (Helmut Hummel)
2015-01-15 c7615b6 #63896 [BUGFIX] Fix regression in prefixLocalAchors feature (Helmut Hummel)
2014-12-17 583d1bf #59186 [BUGFIX] Add case insensitive flag to trustedHostsPattern (Dietrich Heise)
|
|
www/squid3: security update
Revisions pulled up:
- www/squid3/Makefile patch
- www/squid3/distinfo patch
- www/squid3/patches/patch-compat_compat.h new file
- www/squid3/patches/patch-src_ip_Intercept.cc patch
---
Apply patch:
- Fix building when IPF is turned on
- Update to version 3.4.12
|
|
|
|
lang/ruby18-base: security patch
Revisions pulled up:
- lang/ruby18-base/Makefile 1.83
- lang/ruby18-base/distinfo 1.61
- lang/ruby18-base/patches/patch-lib_rexml_entity.rb 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Feb 16 14:03:32 UTC 2015
Modified Files:
pkgsrc/lang/ruby18-base: Makefile distinfo
Added Files:
pkgsrc/lang/ruby18-base/patches: patch-lib_rexml_entity.rb
Log Message:
Add fix for CVE-2015-1426.
Bump PKGREVISION.
|
|
sysutils/ruby-facter: security update
Revisions pulled up:
- sysutils/ruby-facter/ALTERNATIVES 1.1
- sysutils/ruby-facter/Makefile 1.23
- sysutils/ruby-facter/PLIST 1.23
- sysutils/ruby-facter/distinfo 1.22
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 13 13:55:58 UTC 2015
Modified Files:
pkgsrc/sysutils/ruby-facter: Makefile PLIST distinfo
Added Files:
pkgsrc/sysutils/ruby-facter: ALTERNATIVES
Log Message:
Update ruby-facter to 2.4.1.
pkgsrc change: reduce conflict with adding pkg_alternatives support.
Changes from 1.7.5 are too many to write here, but version 2.4.1 fixes
CVE-2015-1426 security problem.
|
|
devel/patch: build fix
Revisions pulled up:
- devel/patch/Makefile 1.42
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Feb 20 07:09:19 UTC 2015
Modified Files:
pkgsrc/devel/patch: Makefile
Log Message:
PR pkg/49672: OSX build fix (already reported and fixed upstream)
While here simplify Interix fix by overriding autoconf test instead of
manually patching the sources.
|
|
graphics/jasper: security patch
Revisions pulled up:
- graphics/jasper/Makefile 1.39-1.40
- graphics/jasper/distinfo 1.16-1.17
- graphics/jasper/patches/patch-CVE-2014-9029 deleted
- graphics/jasper/patches/patch-ad deleted
- graphics/jasper/patches/patch-ae deleted
- graphics/jasper/patches/patch-ag deleted
- graphics/jasper/patches/patch-ah deleted
- graphics/jasper/patches/patch-ai deleted
- graphics/jasper/patches/patch-aj deleted
- graphics/jasper/patches/patch-configure 1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c 1.1-1.2
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Thu Jan 1 14:15:27 UTC 2015
Modified Files:
pkgsrc/graphics/jasper: Makefile distinfo
Added Files:
pkgsrc/graphics/jasper/patches: patch-configure
patch-src_libjasper_jp2_jp2__cod.c
patch-src_libjasper_jp2_jp2__dec.c
patch-src_libjasper_jpc_jpc__cs.c
patch-src_libjasper_jpc_jpc__dec.c
Removed Files:
pkgsrc/graphics/jasper/patches: patch-CVE-2014-9029 patch-ad patch-ae
patch-ag patch-ah patch-ai patch-aj
Log Message:
Rename patches to conform to the "new" style.
Add comments to the patches.
Add fix for oCERT-2014-012, pulled from RedHat.
Add fix from Debian bug 469786.
Add LICENSE setting, I think modified-bsd is fitting.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: snj
Date: Sun Feb 8 23:04:22 UTC 2015
Modified Files:
pkgsrc/graphics/jasper: Makefile distinfo
pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__dec.c
Added Files:
pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__qmfb.c
Log Message:
Fix CVE-2014-8157 and CVE-2014-8158. Bump PKGREVISION to 10.
|
|
|
|
net/bind910: security update
Revisions pulled up:
- net/bind910/Makefile 1.5
- net/bind910/distinfo 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 00:37:17 UTC 2015
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.1pl2 (BIND 9.10.1-P2).
--- 9.10.1-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
|
|
|
|
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.42
- net/bind99/distinfo 1.27
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 00:36:27 UTC 2015
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 to 9.9.6pl2 (BIND 9.9.6-P2).
--- 9.9.6-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
|
|
lang/php56: security patch
Revisions pulled up:
- lang/php56/Makefile 1.3
- lang/php56/distinfo 1.5
- lang/php56/patches/patch-ext_date_php_date.c 1.1
- lang/php56/patches/patch-ext_date_tests_bug68942.phpt 1.1
- lang/php56/patches/patch-ext_date_tests_bug68942_2.phpt 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Thu Feb 19 00:23:20 UTC 2015
Modified Files:
pkgsrc/lang/php56: Makefile distinfo
Added Files:
pkgsrc/lang/php56/patches: patch-ext_date_php_date.c
patch-ext_date_tests_bug68942.phpt
patch-ext_date_tests_bug68942_2.phpt
Log Message:
Fix CVE-2015-0273 php: #68942 Use after free vulnerability in
unserialize() with DateTimeZone
Reviewed by wiz@