summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2015-10-04Note update of lang/pcc-current to 20151003.pkgsrc_2015Q2he1-1/+2
2015-09-09Pullup tickets #4812 #4813.tron1-1/+5
2015-09-09Pullup ticket #4813 - requested by hetron3-85/+6
www/apache22: security update Revisions pulled up: - www/apache22/Makefile 1.105 - www/apache22/distinfo 1.62 - www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c deleted --- Module Name: pkgsrc Committed By: adam Date: Mon Jul 20 18:28:59 UTC 2015 Modified Files: pkgsrc/www/apache22: Makefile distinfo Removed Files: pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c Log Message: Changes with Apache 2.2.31 *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers. Changes with Apache 2.2.30 (not released) *) SECURITY: CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. *) http: Fix LimitRequestBody checks when there is no more bytes to read. *) core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer. *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts. *) http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done. *) core, modules: Avoid error response/document handling by the core if some handler or input filter already did it while reading the request (causing a double response body). *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. *) mod_proxy: use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy. *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization. *) mod_log_config: Implement logging for sub second timestamps and request end time. *) mod_log_config: Ensure that time data is consistent if multiple duration patterns are used in combination, e.g. %D and %{ms}T. *) mod_log_config: Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us"). *) In alignment with RFC 7525, the default recommended SSLCipherSuite and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the default recommended SSLProtocol and SSLProxyProtocol directives now exclude SSLv3. Existing configurations must be adjusted by the administrator. *) core: Avoid potential use of uninitialized (NULL) request data in request line error path. *) mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies. *) mod_proxy: Add ap_connection_reusable() for checking if a connection is reusable as of this point in processing. *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across graceful restarts, even if new workers are added, old ones removed, or the order changes. *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits. Unless custom parameters are configured, the standardized parameters are applied based on the certificate's RSA/DSA key size. *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite). *) mod_ssl: Add support for configuring persistent TLS session ticket encryption/decryption keys (useful for clustered environments). *) SSLProtocol and SSLCipherSuite recommendations in the example/default conf/extra/httpd-ssl.conf file are now global in scope, affecting all VirtualHosts (matching 2.4 default configuration). *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the selected DB engine. *) Turn static function get_server_name_for_url() into public ap_get_server_name_for_url() and use it where appropriate. This fixes mod_rewrite generating invalid URLs for redirects to IPv6 literal addresses. *) dav_validate_request: avoid validating locks and ETags when there are no If headers providing them on a resource we aren't modifying. *) mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to compile against APR-1.2.x (minimum required version). *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts computed for subsequent requests.
2015-09-09Pullup ticket #4812 - requested by hetron7-57/+44
www/curl: security update Revisions pulled up: - www/curl/Makefile 1.153-1.154 - www/curl/PLIST 1.52-1.53 - www/curl/distinfo 1.108-1.109 - www/curl/patches/patch-aa 1.33-1.34 - www/curl/patches/patch-curl-config.in 1.7 - www/curl/patches/patch-lib_hostcheck.c 1.4 - www/curl/patches/patch-lib_http2.c deleted --- Module Name: pkgsrc Committed By: spz Date: Sat Aug 8 02:44:16 UTC 2015 Modified Files: pkgsrc/www/curl: Makefile PLIST distinfo pkgsrc/www/curl/patches: patch-aa patch-curl-config.in patch-lib_hostcheck.c Added Files: pkgsrc/www/curl/patches: patch-lib_multi.c patch-lib_transfer.c Removed Files: pkgsrc/www/curl/patches: patch-lib_http2.c Log Message: reanimate curl-7.43.0 and add the upstream fix for http://curl.haxx.se/mail/lib-2015-06/0122.html found in https://github.com/bagder/curl/commit/903b6e05565bf826b4194447864288642214b094 --- Module Name: pkgsrc Committed By: wiz Date: Mon Aug 17 15:43:27 UTC 2015 Modified Files: pkgsrc/www/curl: Makefile PLIST distinfo pkgsrc/www/curl/patches: patch-aa Removed Files: pkgsrc/www/curl/patches: patch-lib_multi.c patch-lib_transfer.c Log Message: Update to 7.44.0: Curl and libcurl 7.44.0 Public curl releases: 148 Command line options: 176 curl_easy_setopt() options: 219 Public functions in libcurl: 58 Contributors: 1291 This release includes the following changes: o http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA [6] o examples: added http2-serverpush.c [7] o http2: added curl_pushheader_byname() and curl_pushheader_bynum() o docs: added CODE_OF_CONDUCT.md [8] o curl: Add --ssl-no-revoke to disable certificate revocation checks [5] o libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS [9] o makefile: Added support for VC14 o build: Added Visual Studio 2015 (VC14) project files o build: Added wolfSSL configurations to VC10+ project files [18] This release includes the following bugfixes: o FTP: fix HTTP CONNECT logic regression [1] o openssl: Fix build with openssl < ~ 0.9.8f o openssl: fix build with BoringSSL o curl_easy_setopt.3: option order doesn't matter o openssl: fix use of uninitialized buffer [2] o RTSP: removed dead code o Makefile.m32: add support for CURL_LDFLAG_EXTRAS o curl: always provide negotiate/kerberos options o cookie: Fix bug in export if any-domain cookie is present o curl_easy_setopt.3: mention CURLOPT_PIPEWAIT o INSTALL: Advise use of non-native SSL for Windows <= XP o tool_help: fix --tlsv1 help text to use >= for TLSv1 o HTTP: POSTFIELDSIZE set after added to multi handle [3] o SSL-PROBLEMS: mention WinSSL problems in WinXP o setup-vms.h: Symbol case fixups o SSL: Pinned public key hash support o libtest: call PR_Cleanup() on exit if NSPR is used o ntlm_wb: Fix theoretical memory leak o runtests: Allow for spaces in curl custom path o http2: add stream != NULL checks for reliability o schannel: Replace deprecated GetVersion with VerifyVersionInfo o http2: verify success of strchr() in http2_send() o configure: add --disable-rt option o openssl: work around MSVC warning o HTTP: ignore "Content-Encoding: compress" o configure: check if OpenSSL linking wants -ldl o build-openssl.bat: Show syntax if required args are missing o test1902: attempt to make the test more reliable o libcurl-thread.3: Consolidate thread safety info o maketgz: Fixed some VC makefiles missing from the release tarball o libcurl-multi.3: mention curl_multi_wait [10] o ABI doc: use secure URL o http: move HTTP/2 cleanup code off http_disconnect() [11] o libcurl-thread.3: Warn memory functions must be thread safe [12] o curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs [13] o docs: formpost needs the full size at start of upload [14] o curl_gssapi: remove 'const' to fix compiler warnings o SSH: three state machine fixups [15] o libcurl.3: fix a single typo [16] o generate.bat: Only clean prerequisite files when in ALL mode o curl_slist_append.3: add error checking to the example o buildconf.bat: Added support for file clean-up via -clean o generate.bat: Use buildconf.bat for prerequisite file clean-up o NTLM: handle auth for only a single request [17] o curl_multi_remove_handle.3: fix formatting [19] o checksrc.bat: Fixed error when [directory] isn't a curl source directory o checksrc.bat: Fixed error when missing *.c and *.h files o CURLOPT_RESOLVE.3: Note removal support was added in 7.42 [20] o test46: update cookie expire time o SFTP: fix range request off-by-one in size check [21] o CMake: fix GSSAPI builds [22] o build: refer to fixed libidn versions [4] o http2: discard frames with no SessionHandle [23] o curl_easy_recv.3: fix formatting o libcurl-tutorial.3: fix formatting [24] o curl_formget.3: correct return code [25]
2015-09-03Pullup tickets #4802, #4803, #4804, #4804, #4806, #4807, #4808, #4810 and #4811.tron1-1/+19
2015-09-03Pullup ticket #4811 - requested by sevantron2-6/+6
net/bind910: security update Revisions pulled up: - net/bind910/Makefile 1.11-1.12 - net/bind910/distinfo 1.9-1.10 - net/bind910/patches/patch-lib_dns_hmac_link.c deleted - net/bind910/patches/patch-lib_dns_include_dst_dst.h deleted - net/bind910/patches/patch-lib_dns_ncache.c deleted - net/bind910/patches/patch-lib_dns_openssldh_link.c deleted - net/bind910/patches/patch-lib_dns_openssldsa_link.c deleted - net/bind910/patches/patch-lib_dns_opensslecdsa_link.c deleted - net/bind910/patches/patch-lib_dns_opensslrsa_link.c deleted - net/bind910/patches/patch-lib_dns_pkcs11dh_link.c deleted - net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c deleted - net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c deleted - net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted - net/bind910/patches/patch-lib_dns_resolver.c deleted --- Module Name: pkgsrc Committed By: sevan Date: Wed Sep 2 19:46:44 UTC 2015 Modified Files: pkgsrc/net/bind910: Makefile distinfo Added Files: pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c patch-lib_dns_pkcs11rsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c Log Message: Patch CVE-2015-5722 & CVE-2015-5986 Bump rev CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c https://kb.isc.org/article/AA-01287/0 CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c https://kb.isc.org/article/AA-01291/0 Reviewed by wiz@ --- Module Name: pkgsrc Committed By: taca Date: Thu Sep 3 00:33:32 UTC 2015 Modified Files: pkgsrc/net/bind910: Makefile distinfo Removed Files: pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c patch-lib_dns_pkcs11rsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c Log Message: Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4). (Already fixed by bind-9.10.2pl3nb1.) --- 9.10.2-P4 released --- 4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286] 4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]
2015-09-03Pullup ticket #4810 - requested by sevan & tacatron2-6/+6
net/bind99: security update Revisions pulled up: - net/bind99/Makefile 1.47-1.48 - net/bind99/distinfo 1.31-1.32 - net/bind99/patches/patch-lib_dns_hmac_link.c deleted - net/bind99/patches/patch-lib_dns_include_dst_dst.h deleted - net/bind99/patches/patch-lib_dns_ncache.c deleted - net/bind99/patches/patch-lib_dns_openssldh_link.c deleted - net/bind99/patches/patch-lib_dns_openssldsa_link.c deleted - net/bind99/patches/patch-lib_dns_opensslecdsa_link.c deleted - net/bind99/patches/patch-lib_dns_opensslsslrsa_link.c deleted - net/bind99/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted - net/bind99/patches/patch-lib_dns_resolver.c deleted --- Module Name: pkgsrc Committed By: sevan Date: Wed Sep 2 19:44:28 UTC 2015 Modified Files: pkgsrc/net/bind99: Makefile distinfo Added Files: pkgsrc/net/bind99/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslsslrsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c Log Message: Patch CVE-2015-5722 & CVE-2015-5986 Bump rev CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c https://kb.isc.org/article/AA-01287/0 CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c https://kb.isc.org/article/AA-01291/0 Reviewed by wiz@ --- Module Name: pkgsrc Committed By: taca Date: Thu Sep 3 00:35:03 UTC 2015 Modified Files: pkgsrc/net/bind99: Makefile distinfo Removed Files: pkgsrc/net/bind99/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslsslrsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c Log Message: Update bind99 to 9.9.7pl3 (BIND 9.9.7-P3). (These security fixes are already done by bind-9.9.7pl2nb1.) --- 9.9.7-P3 released --- 4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286] 4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]
2015-09-03Pullup ticket #4808 - requested by tacatron3-14/+23
sysutils/testdisk: security update Revisions pulled up: - sysutils/testdisk/Makefile 1.11 via patch - sysutils/testdisk/PLIST 1.3 - sysutils/testdisk/distinfo 1.3 --- Module Name: pkgsrc Committed By: leot Date: Mon Aug 24 19:54:14 UTC 2015 Modified Files: pkgsrc/sysutils/testdisk: Makefile PLIST distinfo Log Message: Update sysutils/testdisk to testdisk-7.0. Changes: == 7.0 == === General Improvements === Various fix including security fix, thanks to * Coverity scan (Static Analysis of source code) * afl-fuzz (security-oriented fuzzer). * Denis Andzakovic from Security Assessment for reporting an exploitable Stack Buffer Overflow === TestDisk === ==== Improvements ==== * exFAT: better support * ext4: handle 64 bit blocks or 64 KiB blocksize. Fix detection and file listing ==== Bug fixes ==== * Avoid erroneous error when writing 512 bytes on hard disk using 4k sector * FAT, NTFS: avoid NULL pointer dereference if localtime() returns NULL. Thanks to Graham Sutherland for reporting this bug. === PhotoRec & QPhotoRec === QPhotoRec is a Graphical User Interface (Qt based GUI) version of PhotoRec. More user friendly, it recognizes the same file formats. PhotoRec remains recommended for advanced users, it can stop a recovery and resume it later, it recovers more fragmented files when brute-force technology is enabled and expert mode is available. ==== Improvements ==== * Reduced false positives for more than 80 file formats. * .gif: fix filesize detection * .flv: add Flash filesize detection * .mpg: detect filesize for MPEG * .ra: detect filesize for RealAudio3 * Improved algorithm to deal with data fragmentation resulting in a general speed increased * Speedup brute-force mode. Brute-force mode can recover more fragmented files, but it's still slow and not 100% reliable. You can enable it in PhotoRec Options menu. New file formats recovered by PhotoRec: * .3dm: Rhino / openNURBS * .ari: ARRI Raw Video * .camrec: Camtasia Studio * .dad: Micae DVR * .dcm: Digital Imaging and Communications in Medicine (DICOM) * .fp12: File Maker Pro 12 * .kra: Krita * .mlv: Magic Lantern Video * .notebook: SMART notebook * .ora: Mypaint * .red: RED2 video format * .rlv: Revelation password * .vbm: Veeam Backup Metadata * .woff: Web Open Font Format
2015-09-03Pullup ticket #4807 - requested by tacatron2-3/+6
security/openssh: build fix patch Revisions pulled up: - security/openssh/distinfo 1.97 - security/openssh/options.mk 1.31 --- Module Name: pkgsrc Committed By: taca Date: Sat Aug 22 05:17:22 UTC 2015 Modified Files: pkgsrc/security/openssh: distinfo options.mk Log Message: Revive hpn-patch patch although not yet tested well.
2015-09-03Pullup ticket #4806 - requested by tacatron2-6/+6
www/drupal7: security update Revisions pulled up: - www/drupal7/Makefile 1.33 - www/drupal7/distinfo 1.26 --- Module Name: pkgsrc Committed By: taca Date: Thu Aug 20 15:34:11 UTC 2015 Modified Files: pkgsrc/www/drupal7: Makefile distinfo Log Message: Update drupal7 package to 7.39 (Drupal 7.39). Drupal 7.39, 2015-08-19 ----------------------- - Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.
2015-09-03Pullup ticket #4805 - requested by tacatron2-6/+6
www/drupal6: security update Revisions pulled up: - www/drupal6/Makefile 1.54 - www/drupal6/distinfo 1.36 --- Module Name: pkgsrc Committed By: taca Date: Thu Aug 20 15:33:33 UTC 2015 Modified Files: pkgsrc/www/drupal6: Makefile distinfo Log Message: Update drupal6 package to 6.37 (Drupal 6.37). Drupal 6.37, 2015-08-19 ----------------------- - Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.
2015-09-03Pullup ticket #4804 - requested by tacatron5-33/+19
lang/ruby22-base: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.147 - lang/ruby22-base/Makefile 1.4 - lang/ruby22-base/distinfo 1.6-1.7 - lang/ruby22-base/patches/patch-configure 1.3 - lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted --- Module Name: pkgsrc Committed By: jperkin Date: Tue Jun 30 19:41:32 UTC 2015 Modified Files: pkgsrc/lang/ruby22-base: distinfo pkgsrc/lang/ruby22-base/patches: patch-configure Log Message: Disable CPU detection on Darwin, the result for 32-bit (i486) is incompatible with pkgsrc MACHINE_ARCH (i386). Fixes 32-bit build, no change for 64-bit. --- Module Name: pkgsrc Committed By: taca Date: Thu Aug 20 15:30:47 UTC 2015 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby22-base: Makefile distinfo Removed Files: pkgsrc/lang/ruby22-base/patches: patch-lib_rubygems_remote__fetcher.rb Log Message: Update ruby22-base to 2.2.3 (Ruby 2.2.3). Release note: Ruby 2.2.3 Released Posted by nagachika on 18 Aug 2015 We are pleased to announce the release of Ruby 2.2.3. This is a TEENY version release of the stable 2.2 series. This release includes the security fix for a RubyGems domain name verification vulnerability. CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier There are also some bugfixes. See ChangeLog for details.
2015-09-03Pullup ticket #4803 - requested by tacatron8-281/+10
lang/ruby21-base: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.146 - lang/ruby21-base/Makefile 1.15 - lang/ruby21-base/PLIST 1.7 - lang/ruby21-base/distinfo 1.19 - lang/ruby21-base/patches/patch-ext_tk_extconf.rb deleted - lang/ruby21-base/patches/patch-ext_tk_lib_tk.rb deleted - lang/ruby21-base/patches/patch-ext_tk_tcltklib.c deleted - lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted --- Module Name: pkgsrc Committed By: taca Date: Thu Aug 20 15:27:43 UTC 2015 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby21-base: Makefile PLIST distinfo Removed Files: pkgsrc/lang/ruby21-base/patches: patch-ext_tk_extconf.rb patch-ext_tk_lib_tk.rb patch-ext_tk_tcltklib.c patch-lib_rubygems_remote__fetcher.rb Log Message: Update ruby21-base to 2.1.7 (Ruby 2.1.7). Release announce: Ruby 2.1.7 Released Posted by usa on 18 Aug 2015 Ruby 2.1.7 has been released. This release includes the security fix for a RubyGems domain name verification vulnerability. Please view the topic below for more details. CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier And, many bug fixes are also included. See tickets and ChangeLog for details.
2015-09-03Pullup ticket #4802 - requested by tacatron4-32/+7
lang/ruby200-base: security update Revisions pulled up: - lang/ruby/rubyversion.mk 1.145 - lang/ruby200-base/Makefile 1.20 - lang/ruby200-base/distinfo 1.27 - lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted --- Module Name: pkgsrc Committed By: taca Date: Thu Aug 20 15:22:16 UTC 2015 Modified Files: pkgsrc/lang/ruby: rubyversion.mk pkgsrc/lang/ruby200-base: Makefile distinfo Removed Files: pkgsrc/lang/ruby200-base/patches: patch-lib_rubygems_remote__fetcher.rb Log Message: Update ruby200-base-2.0.0p647 to (Ruby 2.0.0-p647). Release announce: Ruby 2.0.0-p647 Released Posted by usa on 18 Aug 2015 We are pleased to announce the release of Ruby 2.0.0-p647. This release includes the security fix for a RubyGems domain name verification vulnerability. Please view the topic below for more details. CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier And, this release also includes the fix for a regression of lib/resolv.rb. Uninitialized constant bug introduced by typo in backport of [#10712] Ruby 2.0.0 is now under the state of the security maintenance phase, until Feb. 24th, 2016. After the date, maintenance of Ruby 2.0.0 will be ended. We recommend you start planning migration to newer versions of Ruby, such as 2.1 or 2.2.
2015-08-25Pullup tickets #4799 and #4801.tron1-1/+5
2015-08-25Pullup ticket #4801 - requested by joergtron2-2/+5
print/tex-tetex: compatibility fix Revisions pulled up: - print/tex-tetex/Makefile 1.23 - print/tex-tetex/PLIST 1.10 --- Module Name: pkgsrc Committed By: markd Date: Wed Jul 1 10:49:05 UTC 2015 Modified Files: pkgsrc/print/tex-tetex: Makefile PLIST Log Message: Put back mktexfmt symlink. Bump PKGREVISION.
2015-08-25Pullup ticket #4799 - requested by manutron3-27/+3
databases/openldap-smbk5pwd: build fix Revisions pulled up: - databases/openldap-smbk5pwd/Makefile 1.18 - databases/openldap/distinfo 1.100 patch - databases/openldap/patches/patch-de deleted --- Module Name: pkgsrc Committed By: manu Date: Mon Aug 10 12:47:51 UTC 2015 Modified Files: pkgsrc/databases/openldap: distinfo pkgsrc/databases/openldap-smbk5pwd: Makefile Removed Files: pkgsrc/databases/openldap/patches: patch-de Log Message: Use OpenSSL libcrypto instead of libdes on NetBSD All recent NetBSD releases now have an OpenSSL recent enough so that the DES symbols required by slapo-smbk5pwd can be found in OpenSSL's libcrypto. We therefore do not need to link with -ldes anymore, especialy since it now causes a build failure.
2015-08-24Pullup tickets #4795, #4796, #4797 and #4800.tron1-1/+9
2015-08-24Pullup ticket #4800 - requested by manutron3-7/+126
net/netatalk30: build fix Revisions pulled up: - net/netatalk30/Makefile 1.6 - net/netatalk30/distinfo 1.3 - net/netatalk30/patches/patch-etc_uams_uams__randnum.c 1.2 --- Module Name: pkgsrc Committed By: fhajny Date: Fri Aug 7 09:52:23 UTC 2015 Modified Files: pkgsrc/net/netatalk30: Makefile Log Message: netatalk requires libevent 2.x, the builtin one on NetBSD<7 is older. Fixes pkg/50084. --- Module Name: pkgsrc Committed By: manu Date: Mon Aug 10 15:09:42 UTC 2015 Modified Files: pkgsrc/net/netatalk30: distinfo pkgsrc/net/netatalk30/patches: patch-etc_uams_uams__randnum.c Log Message: Fix build problem with libdes migration This package was partially migrated from libdes to OpenSSL and therefore still exhibited some build failites: bin/afppasswd/afppasswd.c was patched but not etc/uams/uams_randnum.c. Update the later to work around the problem.
2015-08-24Pullup ticket #4797 - requested by wiztron2-6/+6
sysutils/tarsnap: security update Revisions pulled up: - sysutils/tarsnap/Makefile 1.10-1.11 - sysutils/tarsnap/distinfo 1.6-1.7 --- Module Name: pkgsrc Committed By: wiz Date: Fri Aug 21 14:43:17 UTC 2015 Modified Files: pkgsrc/sysutils/tarsnap: Makefile distinfo Log Message: Update to 1.0.36: 1. SECURITY FIX: When constructing paths of objects being archived, a buffer could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte paths. Theoretically this could be exploited by an unprivileged user whose files are being archived; I do not believe it is exploitable in practice, but I am offering a $1000 bounty for the first person who can prove me wrong: http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html 2. SECURITY FIX: An attacker with a machine's write keys, or with read keys and control of the tarsnap service, could make tarsnap allocate a large amount of memory upon listing archives or reading an archive the attacker created; on 32-bit machines, tarsnap can be caused to crash under the aforementioned conditions. 3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails. 4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when running on a dual-stack network if the first IP stack it attempts fails to connect. 5. tarsnap now avoids opening devices nodes on linux if it is instructed to archive /dev/. This change may prevent "watchdog"-triggered reboots. 6. tarsnap -c --dry-run can now run without a keyfile, allowing users to predict how much Tarsnap will cost before signing up. 7. tarsnap now has bash completion scripts. 8. tarsnap now takes a --retry-forever option. 9. tarsnap now automatically detects and uses AESNI and SSE2. As usual, there are also many minor build fixes, harmless bug fixes, and code refactoring / cleanup changes. For a full listing of changes, consult the tarsnap git repository: https://github.com/Tarsnap/tarsnap --- Module Name: pkgsrc Committed By: wiz Date: Fri Aug 21 18:03:22 UTC 2015 Modified Files: pkgsrc/sysutils/tarsnap: Makefile distinfo Log Message: Update to 1.0.36.1: OS X lacks the POSIX-mandated clock_gettime function, and tarsnap is not using libcperciva's "support broken operating systems" compatibility mechanism yet. Add -DPOSIXFAIL_CLOCK_REALTIME to the build.
2015-08-24Pullup ticket #4796 - requested by wiztron12-77/+118
security/openssh: security update Revisions pulled up: - security/openssh/Makefile patch - security/openssh/PLIST patch - security/openssh/distinfo patch - security/openssh/files/org.openssh.sshd.sb.in patch - security/openssh/patches/patch-auth2-chall.c patch - security/openssh/patches/patch-auth2.c patch - security/openssh/patches/patch-loginrec.c patch - security/openssh/patches/patch-openbsd-compat_bsd-openpty.c patch - security/openssh/patches/patch-sandbox-darwin.c patch - security/openssh/patches/patch-sftp-common.c patch - security/openssh/patches/patch-sshd.c patch - security/openssh/patches/patch-uidswap.c patch --- Module Name: pkgsrc Committed By: wiz Date: Fri Aug 21 08:12:09 UTC 2015 Modified Files: pkgsrc/security/openssh: Makefile distinfo Removed Files: pkgsrc/security/openssh/patches: patch-auth2-chall.c Log Message: Update to 7.1p1: Changes since OpenSSH 7.0 ========================= This is a bugfix release. Security -------- * sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin= prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas. Bugfixes -------- * ssh(1), sshd(8): add compatability workarounds for FuTTY * ssh(1), sshd(8): refine compatability workarounds for WinSCP * Fix a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski.
2015-08-24Pullup ticket #4795 - requested by hetron2-7/+6
devel/libidn: security update Revisions pulled up: - devel/libidn/Makefile 1.93-1.94 - devel/libidn/distinfo 1.60-1.61 --- Module Name: pkgsrc Committed By: wiz Date: Thu Jul 9 14:02:04 UTC 2015 Modified Files: pkgsrc/devel/libidn: Makefile distinfo Log Message: Update to 1.31: * Version 1.31 (released 2015-07-08) [bet ** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059 This function has always been documented to not validate that the input UTF-8 string is actually valid UTF-8. Like the rest of the API, when you call a function that works on UTF-8 data, you have to pass it valid UTF-8 data. Application writers appear to have difficulties using interfaces designed like that, as bugs triggered by invalid UTF-8 has been identified in a number of projects (jabberd2, gnutls, wget, and curl). While we could introduce a new API to perform UTF-8 validation, so that applications can easily implement the proper checks, this appear error prone because there is a risk that the check will be forgotten. Instead, we took the more radical approach of modifying the documentation and the implementation of the API. The intention is that all functions that accepts UTF-8 data should validate it before use. This will solve the problem for applications, without needing to change them. This change has the unfortunate side-effect that Surrogate codes (see section 5.5 of RFC 3454) no longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error code, as the gnulib/libunistring-based code that we use to test UTF-8-compliance rejects Surrogate codes. We hope that this is an acceptable cost to live with in order to improve application security. We welcome feedback on this solution, and we are marking this release as beta rather than stable to signal that we may reconsider this approach if people disagree. Reported by several people including Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos. ** libidn: Added STRINGPREP_ICONV_ERROR error code. ** libidn: Workaround valgrind/gcc/glibc issue. Valgrind reported a 'Invalid read of size 4' that was caused by optimized strlen implementation. Reported and patch by Alessandro Ghedini <alessandro@ghedini.me>. ** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use. Errors caught by valgrind did not always trigger 'make check' failures before. ** i18n: Updated Danish translation. Thanks to Joe Hansen. ** API and ABI is backwards compatible with the previous version. --- Module Name: pkgsrc Committed By: wiz Date: Thu Aug 6 07:54:57 UTC 2015 Modified Files: pkgsrc/devel/libidn: Makefile distinfo Log Message: Update to 1.32: * Version 1.32 (released 2015-08-01) [beta] ** libidn: Fix crash in idna_to_unicode_8z8z and idna_to_unicode_8zlz. This problem was introduced in 1.31. Reported by Adam Sampson. ** API and ABI is backwards compatible with the previous version.
2015-08-19Pullup ticket #4794.tron1-1/+3
2015-08-19Pullup ticket #4794 - requested by istron2-3/+16
comms/hylafax: build fix Revisions pulled up: - comms/hylafax/distinfo 1.27 - comms/hylafax/patches/patch-ae 1.19 --- Module Name: pkgsrc Committed By: dholland Date: Mon Aug 10 05:03:36 UTC 2015 Modified Files: pkgsrc/comms/hylafax: distinfo pkgsrc/comms/hylafax/patches: patch-ae Log Message: Fix broken build, caused by wrapper reordering of .a files vs. -l options. Symptom: HYLAFAX_VERSION_STRING not found while linking.
2015-08-12Pullup ticket #4790, #4791 and #4792.tron1-1/+7
2015-08-12Pullup ticket #4792 - requested by tacatron2-6/+6
lang/php56: security update Revisions pulled up: - lang/php/phpversion.mk 1.108 - lang/php56/distinfo 1.14 --- Module Name: pkgsrc Committed By: taca Date: Sat Aug 8 00:13:36 UTC 2015 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php56: distinfo Log Message: Update php56 to 5.6.12. 06 Aug 2015, PHP 5.6.12 - Core: . Fixed bug #70012 (Exception lost with nested finally block). (Laruence) . Fixed bug #70002 (TS issues with temporary dir handling). (Anatol) . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). (Stas) . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita) . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). (Stas) - CLI server: . Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). (cmb) . Fixed bug #64878 (304 responses return Content-Type header). (cmb) - GD: . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb) . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb) . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb) . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb) . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb) . Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory). (cmb) . Fixed bug #69024 (imagescale segfault with palette based image). (cmb) . Fixed bug #53154 (Zero-height rectangle has whiskers). (cmb) . Fixed bug #67447 (imagecrop() add a black line when cropping). (cmb) . Fixed bug #68714 (copy 'n paste error). (cmb) . Fixed bug #66339 (PHP segfaults in imagexbm). (cmb) . Fixed bug #70047 (gd_info() doesn't report WebP support). (cmb) - ODBC: . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (cmb) - OpenSSL: . Fixed bug #69882 (OpenSSL error “key values mismatch” after openssl_pkcs12_read with extra cert) (Tomasz Sawicki) . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (Stas) - Phar: . Improved fix for bug #69441. (Anatol Belski) . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (Anatol Belski) - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). (Stas) - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (sean.heelan) . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (taoguangchen at icloud dot com) . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com) . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com) - Standard: . Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). (cmb)
2015-08-12Pullup ticket #4791 - requested by tacatron2-6/+6
lang/php55: security update Revisions pulled up: - lang/php/phpversion.mk 1.107 - lang/php55/distinfo 1.44 --- Module Name: pkgsrc Committed By: taca Date: Sat Aug 8 00:12:22 UTC 2015 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php55: distinfo Log Message: Update php55 to 5.5.28. 06 Aug 2015, PHP 5.5.28 - Core: . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). (Stas) . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita) . Fixed bug #70002 (TS issues with temporary dir handling). (Anatol) . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). (Stas) - OpenSSL: . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (Stas) - Phar: . Improved fix for bug #69441. (Anatol Belski) . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (Anatol Belski) - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). (Stas) - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (sean.heelan) . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (taoguangchen at icloud dot com) . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com) . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com)
2015-08-12Pullup ticket #4790 - requested by tacatron2-6/+6
lang/php54: security update Revisions pulled up: - lang/php/phpversion.mk 1.106 - lang/php54/distinfo 1.62 --- Module Name: pkgsrc Committed By: taca Date: Sat Aug 8 00:11:29 UTC 2015 Modified Files: pkgsrc/lang/php: pear.mk phpversion.mk pkgsrc/lang/php54: distinfo Log Message: Update phpt54 to 5.4.44. 06 Aug 2015 PHP 5.4.44 - Core: . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). (Stas) . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita) . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). (Stas) - OpenSSL: . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (Stas) - Phar: . Improved fix for bug #69441. (Anatol Belski) . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (Anatol Belski) - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). (Stas) - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (sean.heelan) . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (taoguangchen at icloud dot com) . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com) . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com)
2015-08-09Pullup ticket #4789 - requested by mrgtron1-1/+14
lang/perl5: bug fix patch Revisions pulled up: - lang/perl5/hacks.mk 1.17 --- Module Name: pkgsrc Committed By: mrg Date: Fri Aug 7 22:11:23 UTC 2015 Modified Files: pkgsrc/lang/perl5: hacks.mk Log Message: use -fno-reorder-blocks for sparc64, mips, and vax and GCC 4.5*. something in op.c (as miniop.c) is mis-compiled with this option which is enabled by -O2, when using GCC 4.5. i didn't try to figure out exactly what as op.c is 419,359 bytes long and the assembler output is almost 100% different and approximiately 1.5MB either way (the diff of the asm output is larger than the combined inputs), so for now we have this hack. this problem doesn't appear to occur in newer GCC. XXX: pullup to 2015Q2.
2015-08-09Pullup ticket #4789.tron1-1/+3
2015-08-01Pullup tickets #4783, #4784, #4785, #4786 and #4787.tron1-1/+31
2015-08-01Pullup ticket #4787 - requested by wiztron42-394/+396
emulators/suse131_base: security update emulators/suse131_freetype2: security update emulators/suse131_glib2: security update emulators/suse131_glx: security update emulators/suse131_gtk2: security update emulators/suse131_krb5: security update emulators/suse131_libSDL: security update emulators/suse131_libcups: security update emulators/suse131_libcurl: security update emulators/suse131_libdbus: security update emulators/suse131_libidn: security update emulators/suse131_libjpeg: security update emulators/suse131_libsndfile: security update emulators/suse131_libssh: security update emulators/suse131_libtiff: security update emulators/suse131_locale: security update emulators/suse131_mozilla-nspr: security update emulators/suse131_mozilla-nss: security update emulators/suse131_openssl: security update emulators/suse131_qt4: security update emulators/suse131_x11: security update Revisions pulled up: - emulators/suse131_base/Makefile 1.15 - emulators/suse131_base/distinfo 1.11 - emulators/suse131_freetype2/Makefile 1.5 - emulators/suse131_freetype2/distinfo 1.2 - emulators/suse131_glib2/Makefile 1.5 - emulators/suse131_glib2/distinfo 1.2 - emulators/suse131_glx/Makefile 1.10 - emulators/suse131_glx/distinfo 1.5 - emulators/suse131_gtk2/Makefile 1.11 - emulators/suse131_gtk2/distinfo 1.7 - emulators/suse131_krb5/Makefile 1.7 - emulators/suse131_krb5/distinfo 1.4 - emulators/suse131_libSDL/Makefile 1.5 - emulators/suse131_libSDL/distinfo 1.2 - emulators/suse131_libcups/Makefile 1.5 - emulators/suse131_libcups/distinfo 1.2 - emulators/suse131_libcurl/Makefile 1.10 - emulators/suse131_libcurl/distinfo 1.7 - emulators/suse131_libdbus/Makefile 1.12 - emulators/suse131_libdbus/distinfo 1.8 - emulators/suse131_libidn/Makefile 1.5 - emulators/suse131_libidn/distinfo 1.2 - emulators/suse131_libjpeg/Makefile 1.5 - emulators/suse131_libjpeg/distinfo 1.2 - emulators/suse131_libsndfile/Makefile 1.6 - emulators/suse131_libsndfile/distinfo 1.3 - emulators/suse131_libssh/Makefile 1.5 - emulators/suse131_libssh/distinfo 1.2 - emulators/suse131_libtiff/Makefile 1.6 - emulators/suse131_libtiff/distinfo 1.3 - emulators/suse131_locale/Makefile 1.5 - emulators/suse131_locale/distinfo 1.2 - emulators/suse131_mozilla-nspr/Makefile 1.8 - emulators/suse131_mozilla-nspr/distinfo 1.5 - emulators/suse131_mozilla-nss/Makefile 1.9 - emulators/suse131_mozilla-nss/distinfo 1.6 - emulators/suse131_openssl/Makefile 1.17 - emulators/suse131_openssl/distinfo 1.14 - emulators/suse131_qt4/Makefile 1.8 - emulators/suse131_qt4/distinfo 1.5 - emulators/suse131_x11/Makefile 1.11 - emulators/suse131_x11/distinfo 1.7 --- Module Name: pkgsrc Committed By: wiz Date: Tue Jul 28 08:49:16 UTC 2015 Modified Files: pkgsrc/emulators/suse131_base: Makefile distinfo pkgsrc/emulators/suse131_freetype2: Makefile distinfo pkgsrc/emulators/suse131_glib2: Makefile distinfo pkgsrc/emulators/suse131_glx: Makefile distinfo pkgsrc/emulators/suse131_gtk2: Makefile distinfo pkgsrc/emulators/suse131_krb5: Makefile distinfo pkgsrc/emulators/suse131_libSDL: Makefile distinfo pkgsrc/emulators/suse131_libcups: Makefile distinfo pkgsrc/emulators/suse131_libcurl: Makefile distinfo pkgsrc/emulators/suse131_libdbus: Makefile distinfo pkgsrc/emulators/suse131_libidn: Makefile distinfo pkgsrc/emulators/suse131_libjpeg: Makefile distinfo pkgsrc/emulators/suse131_libsndfile: Makefile distinfo pkgsrc/emulators/suse131_libssh: Makefile distinfo pkgsrc/emulators/suse131_libtiff: Makefile distinfo pkgsrc/emulators/suse131_locale: Makefile distinfo pkgsrc/emulators/suse131_mozilla-nspr: Makefile distinfo pkgsrc/emulators/suse131_mozilla-nss: Makefile distinfo pkgsrc/emulators/suse131_openssl: Makefile distinfo pkgsrc/emulators/suse131_qt4: Makefile distinfo pkgsrc/emulators/suse131_x11: Makefile distinfo Log Message: Update RPMs from latest openSUSE 13.1 files. >From Rin Okuyama in PR 50082.
2015-08-01Pullup ticket #4786 - requested by tacatron3-2/+36
security/openssh: security patch Revisions pulled up: - security/openssh/Makefile 1.234 - security/openssh/distinfo 1.94 - security/openssh/patches/patch-auth2-chall.c 1.1 --- Module Name: pkgsrc Committed By: taca Date: Thu Jul 30 03:20:36 UTC 2015 Modified Files: pkgsrc/security/openssh: Makefile distinfo Added Files: pkgsrc/security/openssh/patches: patch-auth2-chall.c Log Message: Add fix for CVE-2015-5600 from FreeBSD via NetBSD base. Bump PKGREVISION.
2015-08-01Pullup ticket #4785 - requested by tacatron2-6/+6
net/bind910: security update Revisions pulled up: - net/bind910/Makefile 1.10 - net/bind910/distinfo 1.8 --- Module Name: pkgsrc Committed By: taca Date: Tue Jul 28 22:36:38 UTC 2015 Modified Files: pkgsrc/net/bind910: Makefile distinfo Log Message: Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3). --- 9.10.2-P3 released --- 4165. [security] A failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) [RT #40046]
2015-08-01Pullup ticket #4784 - requested by tacatron2-6/+6
net/bind99: security update Revisions pulled up: - net/bind99/Makefile 1.46 - net/bind99/distinfo 1.30 --- Module Name: pkgsrc Committed By: taca Date: Tue Jul 28 22:35:36 UTC 2015 Modified Files: pkgsrc/net/bind99: Makefile distinfo Log Message: Update bind99 to 9.9.7pl2 (BIND 9.9.7-P2). --- 9.9.7-P2 released --- 4165. [security] A failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) [RT #40046]
2015-08-01Pullup ticket #4783 - requested by hetron2-6/+6
multimedia/adobe-flash-plugin11: security update Revisions pulled up: - multimedia/adobe-flash-plugin11/Makefile 1.47-1.48 - multimedia/adobe-flash-plugin11/distinfo 1.44-1.45 --- Module Name: pkgsrc Committed By: tsutsui Date: Wed Jul 8 17:22:37 UTC 2015 Modified Files: pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo Log Message: Update adobe-flash-plugin11 to 11.2.202.481. Upstream announcement for 11.2.202.481: https://helpx.adobe.com/security/products/flash-player/apsa15-03.html Security Advisory for Adobe Flash Player Release date: July 7, 2015 Vulnerability identifier: APSA15-03 CVE number: CVE-2015-5119 Platform: Windows, Macintosh and Linux Upstream announcement for 11.2.202.468: https://helpx.adobe.com/security/products/flash-player/apsb15-14.html Security updates available for Adobe Flash Player Release date: June 23, 2015 Vulnerability identifier: APSB15-14 CVE number: CVE-2015-3113 Platform: Windows, Macintosh and Linux --- Module Name: pkgsrc Committed By: tsutsui Date: Fri Jul 17 02:01:55 UTC 2015 Modified Files: pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo Log Message: Update adobe-flash-plugin11 to 11.2.202.491. Upstream announcement for 11.2.202.491: https://helpx.adobe.com/security/products/flash-player/apsb15-18.html Adobe Security Bulletin Security updates available for Adobe Flash Player Release date: July 14, 2015 Last updated: July 16, 2015 Vulnerability identifier: APSB15-18 CVE number: CVE-2015-5122, CVE-2015-5123 Platform: Windows, Macintosh and Linux
2015-07-26Pullup tickest #4775, #4781 and #4782.tron1-1/+7
2015-07-26Pullup ticket #4782 - requested by bsiegerttron4-35/+14
net/socat: security update Revisions pulled up: - net/socat/Makefile 1.35 - net/socat/distinfo 1.21 - net/socat/patches/patch-configure deleted - net/socat/patches/patch-mytypes.h 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Sat Jul 25 14:43:23 UTC 2015 Modified Files: pkgsrc/net/socat: Makefile distinfo pkgsrc/net/socat/patches: patch-mytypes.h Removed Files: pkgsrc/net/socat/patches: patch-configure Log Message: Update socat to 1.7.3.0. From Ben Gergely in PR pkg/49996. ####################### V 1.7.3.0: security: (CVE Id pending) Fixed problems with signal handling caused by use of not async signal safe functions in signal handlers that could freeze socat, allowing denial of service attacks. Many changes in signal handling and the diagnostic messages system were applied to make the code async signal safe but still provide detailled logging from signal handlers: Coded function vsnprintf_r() as async signal safe incomplete substitute of libc vsnprintf() Coded function snprinterr() to replace %m in strings with a system error message Instead of gettimeofday() use clock_gettime() when available Pass Diagnostic messages from signal handler per unix socket to the main program flow Use sigaction() instead of signal() for better control Turn off nested signal handler invocations Thanks to Peter Lobsinger for reporting and explaining this issue. Red Hat issue 1019975: add TLS host name checks OpenSSL client checks if the server certificates names in extensions/subjectAltName/DNS or in subject/commonName match the name used to connect or the value of the openssl-commonname option. Test: OPENSSL_CN_CLIENT_SECURITY OpenSSL server checks if the client certificates names in extensions/subjectAltNames/DNS or subject/commonName match the value of the openssl-commonname option when it is used. Test: OPENSSL_CN_SERVER_SECURITY Red Hat issue 1019964: socat now uses the system certificate store with OPENSSL when neither options cafile nor capath are used Red Hat issue 1019972: needs to specify OpenSSL cipher suites Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to prevent downgrade attacks new features: OpenSSL addresses set couple of environment variables from values in peer certificate, e.g.: SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER, SOCAT_OPENSSL_X509_COMMONNAME, SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_* Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1 Tests: OPENSSL_METHOD_* Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested by Andrey Arapov. Added a new option termios-rawer for ptys. Thanks to Christian Vogelgsang for pointing me to this requirement corrections: Bind with ABSTRACT commands used non-abstract namespace (Linux). Test: ABSTRACT_BIND Thanks to Denis Shatov for reporting this bug. Fixed return value of nestlex() Option ignoreeof on the right address hung. Test: IGNOREEOF_REV Thanks to Franz Fasching for reporting this bug. Address SYSTEM, when terminating, shut down its parent addresses, e.g. an SSL connection which the parent assumed to still be active. Test: SYSTEM_SHUTDOWN Passive (listening or receiving) addresses with empty port field bound to a random port instead of terminating with error. Test: TCP4_NOPORT configure with some combination of disable options produced config files that failed to compile due to missing IPPROTO_TCP. Thanks to Thierry Fournier for report and patch. fixed a few minor bugs with OpenSSL in configure and with messages Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime is required. Thanks to Zhigang Wang for reporting and sending a patch. Christophe Leroy provided a patch that fixes memory leaks reported by valgrind Help for filan -L was bad, is now corrected to: "follow symbolic links instead of showing their properties" Address options fdin and fdout were silently ignored when not applicable due to -u or -U option. Now these combinations are caught as errors. Test: FDOUT_ERROR Issue reported by Hendrik. Added option termios-cfmakeraw that calls cfmakeraw() and is preferred over option raw which is now obsolote. On SysV systems this call is simulated by appropriate setting. Thanks to Youfu Zhang for reporting issue with option raw. porting: Socat included <sys/poll.h> instead of POSIX <poll.h> Thanks to John Spencer for reporting this issue. Version 1.7.2.4 changed the check for gcc in configure.ac; this broke cross compiling. The particular check gets reverted. Thanks to Ross Burton and Danomi Manchego for reporting this issue. Debian Bug#764251: Set the build timestamp to a deterministic time: support external BUILD_DATE env var to allow to build reproducable binaries Joachim Fenkes provided an new adapted spec file. Type bool and macros Min and Max are defined by socat which led to compile errors when they were already provided by build framework. Thanks to Liyu Liu for providing a patch. David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h support and appropriate files in Config/ Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h on Illumos Changes for Openindiana: define _XPG4_2, __EXTENSIONS__, _POSIX_PTHREAD_SEMANTICS; and minor changes Red Hat issue 1182005: socat 1.7.2.4 build failure missing linux/errqueue.h Socat failed to compile on on PPC due to new requirements for including <linux/errqueue.h> and a weakness in the conditional code. Thanks to Michel Normand for reporting this issue. doc: In the man page the PTY example was badly formatted. Thanks to J.F.Sebastian for sending a patch. Added missing CVE ids to security issues in CHANGES testing: Do not distribute testcert.conf with socat source but generate it (and new testcert6.conf) during test.sh run. ####################### V 1.7.2.4: corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor Thanks to Ulises Alonso for reporting this bug make failed after configure with non gcc compiler due to missing include. Thanks to Horacio Mijail for reporting this problem configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. Thanks to Ben Gardiner for reporting and patching this bug In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. Thanks to David Binderman for reproting this issue. procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits. OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Thanks to Emile den Tex for reporting this bug. Changed some variable definitions to make gcc -O2 aliasing checker happy Thanks to Ilya Gordeev for reporting these warnings On big endian platforms with type long >32bit the range option applied a bad base address. Thanks to hejia hejia for reporting and fixing this bug. Red Hat issue 1022070: missing length check in xiolog_ancillary_socket() Red Hat issue 1022063: out-of-range shifts on net mask bits Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4() Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. Thanks to Lorenzo Monti for pointing me to this issue porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang Performed changes for Fedora release 19 Adapted, improved test.sh script Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent() Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types. Artem Mygaiev extended Cedril Priscals Android build script with pty code The check for fips.h required stddef.h Thanks to Matt Hilt for reporting this issue and sending a patch Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. Thanks to Michael Vastola for sending a patch. autoconf now prefers configure.ac over configure.in Thanks to Michael Vastola for sending a patch. type of struct cmsghdr.cmsg is system dependend, determine it with configure; some more print format corrections docu: libwrap always logs to syslog added actual text version of GPLv2
2015-07-26Pullup ticket #4781 - requested by bsiegerttron1-2/+8
net/gcloud-golang-metadata: build fix Revisions pulled up: - net/gcloud-golang-metadata/Makefile 1.2 --- Module Name: pkgsrc Committed By: bsiegert Date: Sat Jul 25 14:23:58 UTC 2015 Modified Files: pkgsrc/net/gcloud-golang-metadata: Makefile Log Message: Fix build on NetBSD, PR pkg/49909. It turns out that [^a]* matches all files not beginning with a on Darwin and all files beginning with a on NetBSD. Work around this by crafting a for loop with a case expression.
2015-07-26Pullup ticket #4775 - requested by sevantron11-6/+429
graphics/libwmf: security patch Revisions pulled up: - graphics/libwmf/Makefile 1.77 - graphics/libwmf/distinfo 1.20 - graphics/libwmf/patches/patch-aa 1.8 - graphics/libwmf/patches/patch-src_extra_gd_gd.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gd_png.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdft.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c 1.1 - graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h 1.1 - graphics/libwmf/patches/patch-src_ipa_ipa.h 1.1 - graphics/libwmf/patches/patch-src_player_meta.h 1.1 --- Module Name: pkgsrc Committed By: sevan Date: Fri Jul 17 12:33:47 UTC 2015 Modified Files: pkgsrc/graphics/libwmf: Makefile distinfo pkgsrc/graphics/libwmf/patches: patch-aa Added Files: pkgsrc/graphics/libwmf/patches: patch-src_extra_gd_gd.c patch-src_extra_gd_gd_gd.c patch-src_extra_gd_gd_png.c patch-src_extra_gd_gdft.c patch-src_extra_gd_gdhelpers.c patch-src_extra_gd_gdhelpers.h patch-src_ipa_ipa.h patch-src_player_meta.h Log Message: Patch the following CVEs CVE-2004-0941 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472 CVE-2007-3473 CVE-2007-3477 CVE-2009-3546 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 Obtained from: CentOS libwmf RPM git Debian Bug 784205 Debian Bug 784192 Red Hat Bug 1227243 via Jason Unovitch in FreeBSD bug 201513 Reviewed by bsiegert@
2015-07-26Pullup ticket #4759 - requested by morrbsiegert4-38/+9
net/haproxy: security fix Revisions pulled up: - net/haproxy/Makefile 1.21 - net/haproxy/distinfo 1.16 - net/haproxy/patches/patch-standard_h deleted --- Module Name: pkgsrc Committed By: morr Date: Sat Jul 4 13:13:53 UTC 2015 Modified Files: pkgsrc/net/haproxy: Makefile distinfo Removed Files: pkgsrc/net/haproxy/patches: patch-standard_h Log Message: Security update to newest version. Changes: Released version 1.5.14 with the following main changes : - BUILD/MINOR: tools: rename popcount to my_popcountl - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data Released version 1.5.13 with the following main changes : - BUG/MINOR: check: fix tcpcheck error message - CLEANUP: deinit: remove codes for cleaning p->block_rules - DOC: Update doc about weight, act and bck fields in the statistics - MINOR: ssl: add a destructor to free allocated SSL ressources - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten - MEDIUM: ssl: replace standards DH groups with custom ones - BUG/MINOR: debug: display (null) in place of "meth" - BUG/MINOR: cfgparse: fix typo in 'option httplog' error message - BUG/MEDIUM: cfgparse: segfault when userlist is misused - BUG/MEDIUM: stats: properly initialize the scope before dumping stats - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end - CLEANUP: checks: simplify the loop processing of tcp-checks - BUG/MAJOR: checks: always check for end of list before proceeding - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct - BUG/MEDIUM: peers: apply a random reconnection timeout - BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id - MEDIUM: init: don't stop proxies in parent process when exiting - MINOR: peers: store the pointer to the signal handler - MEDIUM: peers: unregister peers that were never started - MEDIUM: config: propagate the table's process list to the peers sections - MEDIUM: init: stop any peers section not bound to the correct process - MEDIUM: config: validate that peers sections are bound to exactly one process - MAJOR: peers: allow peers section to be used with nbproc > 1 - DOC: relax the peers restriction to single-process - CLEANUP: config: fix misleading information in error message. - MINOR: config: report the number of processes using a peers section in the error case - BUG/MEDIUM: config: properly compute the default number of processes for a proxy pkgsrc changes: Thanks to "rename popcount to my_popcountl" one of patches can be removed.
2015-07-22Pullup ticket #4778, #4779 and #4780.tron1-1/+7
2015-07-22Pullup ticket #4780 - requested by tacatron3-17/+16
mail/postfix: security update Revisions pulled up: - mail/postfix/Makefile 1.284 - mail/postfix/distinfo 1.160 - mail/postfix/patches/patch-ai 1.33 --- Module Name: pkgsrc Committed By: taca Date: Wed Jul 22 00:25:37 UTC 2015 Modified Files: pkgsrc/mail/postfix: Makefile distinfo pkgsrc/mail/postfix/patches: patch-ai Log Message: Update postfix to 2.11.6, security release. With all supported Postfix releases, the default settings have been updated so that they no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols have little if any legitimate use today, and have instead become a vehicle for downgrade attacks. There are no other code changes. Postfix documentation has been updated to reflect the new default settings and their rationale; the RELEASE_NOTES give suggestions for how to enable the old ciphers and protocols if your infrastructure requires them. Finally, abandoning deprecated ciphers and protocols does not really improve TLS security without measures to better authenticate remote servers. Secure DNS and TLSA are steps in that direction.
2015-07-22Pullup ticket #4779 - requested by tacatron5-96/+6
www/apache24: security update Revisions pulled up: - www/apache24/Makefile 1.37 - www/apache24/distinfo 1.21 - www/apache24/patches/patch-CVE-2015-0228 deleted - www/apache24/patches/patch-server_core__filters.c deleted - www/apache24/patches/patch-server_protocol.c deleted --- Module Name: pkgsrc Committed By: taca Date: Mon Jul 20 00:08:35 UTC 2015 Modified Files: pkgsrc/www/apache24: Makefile distinfo Removed Files: pkgsrc/www/apache24/patches: patch-CVE-2015-0228 patch-server_core__filters.c patch-server_protocol.c Log Message: Update apache24 to 2.4.16 (Apache HTTP Server 2.4.16). Apache HTTP Server 2.4.16 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.16 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is principally a security, feature and bug fix release. NOTE: versions 2.4.13, 2.4.14 and 2.4.15 were not released. CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. CVE-2015-3185 (cve.mitre.org) Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. Also in this release are some exciting new features including: *) Better default recommended SSLCipherSuite and SSLProxyCipherSuite *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate response header to be used by the application *) Event MPM improvements *) Various mod_proxy_* improvements *) mod_log_config: Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us")
2015-07-22Pullup ticket #4778 - requested by tacatron5-11/+41
mail/fml4: bug fix patch Revisions pulled up: - mail/fml4/Makefile 1.14 - mail/fml4/distinfo 1.6 - mail/fml4/patches/patch-ac 1.3 - mail/fml4/patches/patch-ag 1.3 - mail/fml4/patches/patch-src_jcode.pl 1.1 --- Module Name: pkgsrc Committed By: taca Date: Mon Jul 20 00:06:18 UTC 2015 Modified Files: pkgsrc/mail/fml4: Makefile distinfo pkgsrc/mail/fml4/patches: patch-ac patch-ag Added Files: pkgsrc/mail/fml4/patches: patch-src_jcode.pl Log Message: Fix runtime problem with perl 5.22. Bump PKGREVISION.
2015-07-21Pullup ticket #4777.tron1-1/+3
2015-07-21Pullup ticket #4777 - requested by tacatron4-25/+10
www/squid3: security update Revisions pulled up: - www/squid3/Makefile 1.49 - www/squid3/PLIST 1.11 - www/squid3/distinfo 1.35 - www/squid3/patches/patch-configure 1.8 --- Module Name: pkgsrc Committed By: adam Date: Mon Jul 6 09:39:40 UTC 2015 Modified Files: pkgsrc/www/squid3: Makefile PLIST distinfo pkgsrc/www/squid3/patches: patch-configure Log Message: Changes 3.5.6: * ext_edirectory_userip_acl: fix uninitialized variable * Do not blindly forward cache peer CONNECT responses. * Bug 3483: assertion failed store.cc:1866: 'isEmpty()' * Use relative-URL in errorpage.css for SN.png * Bug 4193: Memory leak on FTP listings * Bug 4274: ssl_crtd.8 not being installed * Fix CONNECT failover to IPv4 after trying broken IPv6 servers * Bug 4183: segfault when freeing https_port clientca on reconfigure or exit. * TLS: Disable client-initiated renegotiation * Translations: add Spanish US dialect alias * Cleanup: replace __DATE__ and __TIME__ macros * Fix assertion String.cc:221: "str" * Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone * Bug 3875: bad mimeLoadIconFile error handling * Support custom OIDs in *_cert ACLs * Bug 3329: The server side pinned connection is not closed properly
2015-07-19Pullup ticket #4776.tron1-1/+4
2015-07-19Pullup ticket #4776 - requested by manutron5-4/+158
databases/mysql56-client: bug fix patch databases/mysql56-server: bug fix patch Revisions pulled up: - databases/mysql56-client/Makefile 1.17 - databases/mysql56-client/distinfo 1.25 - databases/mysql56-client/patches/patch-include_violite.h 1.1 - databases/mysql56-client/patches/patch-vio_viosslfactories.c 1.1 - databases/mysql56-server/Makefile 1.25 --- Module Name: pkgsrc Committed By: manu Date: Tue Jul 14 12:09:24 UTC 2015 Modified Files: pkgsrc/databases/mysql56-client: Makefile distinfo Added Files: pkgsrc/databases/mysql56-client/patches: patch-include_violite.h patch-vio_viosslfactories.c Log Message: Restore SSL functionnality with OpenSSL 1.0.1p With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now refused. MySQL hardcodes 512 bits DH parameters and will therefore fail to run SSL connexions with OpenSSL 1.0.1p Apply fix from upstream: https://github.com/mysql/mysql-server/commit/ 866b988a76e8e7e217017a7883a52a12ec5024b9 --- Module Name: pkgsrc Committed By: manu Date: Tue Jul 14 16:38:56 UTC 2015 Modified Files: pkgsrc/databases/mysql56-server: Makefile Log Message: Restore SSL functionnality with OpenSSL 1.0.1p (revision bump) This changes just bumps PKGREVISION after patches were added in mysql56-client/patches which impact mysql56-server. For the record, the commit log or that patches: > With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now > refused. MySQL hardcodes 512 bits DH parameters and will therefore > fail to run SSL connexions with OpenSSL 1.0.1p > > Apply fix from upstream: > https://github.com/mysql/mysql-server/commit/ 866b988a76e8e7e217017a7883a52a12ec5024b9
2015-07-15Pullup tickets #4762, #4763 and #4766.tron1-1/+7