www/apache22: security update
Revisions pulled up:
- www/apache22/Makefile 1.105
- www/apache22/distinfo 1.62
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c deleted
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jul 20 18:28:59 UTC 2015
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Removed Files:
pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c
Log Message:
Changes with Apache 2.2.31
*) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
Changes with Apache 2.2.30 (not released)
*) SECURITY: CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.
*) http: Fix LimitRequestBody checks when there are no more bytes to read.
*) core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer.
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts.
*) http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done.
*) core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body).
*) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
5+ instead of just for FreeBSD 5.
*) mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy.
*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
internationalization.
*) mod_log_config: Implement logging for sub second timestamps and
request end time.
*) mod_log_config: Ensure that time data is consistent if multiple
duration patterns are used in combination, e.g. %D and %{ms}T.
*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
*) In alignment with RFC 7525, the default recommended SSLCipherSuite
and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
default recommended SSLProtocol and SSLProxyProtocol directives now
exclude SSLv3. Existing configurations must be adjusted by the
administrator.
*) core: Avoid potential use of uninitialized (NULL) request data in
request line error path.
*) mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies.
*) mod_proxy: Add ap_connection_reusable() for checking if a connection
is reusable as of this point in processing.
*) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
graceful restarts, even if new workers are added, old ones removed, or
the order changes.
*) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Unless custom parameters are configured, the standardized parameters
are applied based on the certificate's RSA/DSA key size.
*) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite).
*) mod_ssl: Add support for configuring persistent TLS session ticket
encryption/decryption keys (useful for clustered environments).
*) SSLProtocol and SSLCipherSuite recommendations in the example/default
conf/extra/httpd-ssl.conf file are now global in scope, affecting all
VirtualHosts (matching 2.4 default configuration).
*) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
selected DB engine.
*) Turn static function get_server_name_for_url() into public
ap_get_server_name_for_url() and use it where appropriate. This
fixes mod_rewrite generating invalid URLs for redirects to IPv6
literal addresses.
*) dav_validate_request: avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
Session ticket creation uses a random key created during web
server startup and recreated during restarts. No other key
recreation mechanism is available currently. Therefore using session
tickets without restarting the web server with an appropriate frequency
(e.g. daily) compromises perfect forward secrecy.
*) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
compile against APR-1.2.x (minimum required version).
*) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
computed for subsequent requests.
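The two chunk-parsing entries above (the CVE-2015-3183 fix that limits chunk-size to 2^63-1 and is strict about chunk-ext characters, and the follow-up that tolerates spaces after the size) describe rules that are easier to see in code. The parser below is an added illustration written for this page; it is not httpd's HTTP_IN filter code, which works on APR brigades. It accepts one chunk-size line only if it has at most 16 hex digits, a value no larger than 2^63-1, optional SP/HTAB after the size, and a chunk-ext made of RFC 7230 token and quoted-string characters, and it distinguishes "need more data" from "reject the request". The status names, function names and sample lines are this example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd's code. Strict parser for one chunk-size line:
 *   chunk-size *(SP / HTAB) [ chunk-ext ] CRLF              (RFC 7230 4.1)
 *   chunk-ext  = *( ";" token [ "=" ( token / quoted-string ) ] )
 * At most 16 hex digits and a value <= 2^63-1 are accepted, so the size can
 * never wrap a signed 64-bit length. */
enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SYNTAX = -1,  /* forbidden character or malformed chunk-ext */
    CHUNK_TOO_LARGE = -2,   /* more than 16 hex digits, or value >= 2^63 */
    CHUNK_INCOMPLETE = -3   /* buffer ends before CRLF: caller needs more data */
};

/* token characters (RFC 7230 3.2.6); c == 0 is excluded because strchr matches it */
static int is_tchar(unsigned char c)
{
    return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

static int is_qdtext(unsigned char c)
{
    return c == '\t' || (c >= 0x20 && c != '"' && c != '\\' && c != 0x7f);
}

static size_t skip_bws(const char *buf, size_t len, size_t i)
{
    while (i < len && (buf[i] == ' ' || buf[i] == '\t'))
        i++;
    return i;
}

/* Parses buf[0..len). On CHUNK_OK, *size_out is the chunk size and *consumed
 * the number of bytes used, CRLF included. */
int parse_chunk_size_line(const char *buf, size_t len,
                          uint64_t *size_out, size_t *consumed)
{
    size_t i = 0;
    uint64_t size = 0;
    int ndigits = 0;

    while (i < len && isxdigit((unsigned char)buf[i])) {
        unsigned char c = (unsigned char)buf[i++];
        int d = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (++ndigits > 16)
            return CHUNK_TOO_LARGE;   /* a 17th digit could exceed 2^64 */
        size = (size << 4) | (uint64_t)d;
    }
    if (ndigits == 0)
        return i == len ? CHUNK_INCOMPLETE : CHUNK_BAD_SYNTAX;
    if (size > (uint64_t)INT64_MAX)
        return CHUNK_TOO_LARGE;       /* 16 digits with the top bit set */

    i = skip_bws(buf, len, i);        /* "5 \r\n" from pre-filled buffers is fine */

    while (i < len && buf[i] == ';') {                       /* chunk-ext */
        i = skip_bws(buf, len, i + 1);
        if (i >= len) return CHUNK_INCOMPLETE;
        if (!is_tchar((unsigned char)buf[i])) return CHUNK_BAD_SYNTAX;
        while (i < len && is_tchar((unsigned char)buf[i])) i++;
        i = skip_bws(buf, len, i);
        if (i < len && buf[i] == '=') {
            i = skip_bws(buf, len, i + 1);
            if (i >= len) return CHUNK_INCOMPLETE;
            if (buf[i] == '"') {                 /* quoted-string with quoted-pair */
                for (i++; i < len && buf[i] != '"'; i++) {
                    if (buf[i] == '\\') i++;
                    else if (!is_qdtext((unsigned char)buf[i])) return CHUNK_BAD_SYNTAX;
                }
                if (i >= len) return CHUNK_INCOMPLETE;
                i++;
            } else {
                if (!is_tchar((unsigned char)buf[i])) return CHUNK_BAD_SYNTAX;
                while (i < len && is_tchar((unsigned char)buf[i])) i++;
            }
            i = skip_bws(buf, len, i);
        }
    }
    if (i >= len || (buf[i] == '\r' && i + 1 >= len)) return CHUNK_INCOMPLETE;
    if (buf[i] != '\r' || buf[i + 1] != '\n') return CHUNK_BAD_SYNTAX; /* bare LF rejected */

    *size_out = size;
    *consumed = i + 2;
    return CHUNK_OK;
}

int main(void)
{
    /* constructed sample lines, not captured traffic */
    const char *lines[] = { "1A\r\n", "7FFFFFFFFFFFFFFF\r\n", "8000000000000000\r\n",
                            "5 ;ext=\"a b\"\r\n", "5;\r\n", "1A" };
    for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        uint64_t size = 0;
        size_t used = 0;
        int rc = parse_chunk_size_line(lines[k], strlen(lines[k]), &size, &used);
        printf("line %zu: status %d, size %llu, consumed %zu\n",
               k, rc, (unsigned long long)size, used);
    }
    return 0;
}
```

The 16-digit cap is what makes the accumulation safe: without it, a long run of hex digits wraps the 64-bit accumulator and a huge chunk can parse as a small one, which is the kind of mismatch between declared and real body length that request-smuggling attacks rely on. Rejecting anything after the size that is not BWS, a chunk-ext or CRLF closes the other half of the problem, since the front end and the back end would otherwise be free to disagree on where the chunk header ends.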
www/curl: security update
Revisions pulled up:
- www/curl/Makefile 1.153-1.154
- www/curl/PLIST 1.52-1.53
- www/curl/distinfo 1.108-1.109
- www/curl/patches/patch-aa 1.33-1.34
- www/curl/patches/patch-curl-config.in 1.7
- www/curl/patches/patch-lib_hostcheck.c 1.4
- www/curl/patches/patch-lib_http2.c deleted
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Aug 8 02:44:16 UTC 2015
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
pkgsrc/www/curl/patches: patch-aa patch-curl-config.in
patch-lib_hostcheck.c
Added Files:
pkgsrc/www/curl/patches: patch-lib_multi.c patch-lib_transfer.c
Removed Files:
pkgsrc/www/curl/patches: patch-lib_http2.c
Log Message:
reanimate curl-7.43.0 and add the upstream fix for
http://curl.haxx.se/mail/lib-2015-06/0122.html found in
https://github.com/bagder/curl/commit/903b6e05565bf826b4194447864288642214b094
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Aug 17 15:43:27 UTC 2015
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
pkgsrc/www/curl/patches: patch-aa
Removed Files:
pkgsrc/www/curl/patches: patch-lib_multi.c patch-lib_transfer.c
Log Message:
Update to 7.44.0:
Curl and libcurl 7.44.0
Public curl releases: 148
Command line options: 176
curl_easy_setopt() options: 219
Public functions in libcurl: 58
Contributors: 1291
This release includes the following changes:
o http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA [6]
o examples: added http2-serverpush.c [7]
o http2: added curl_pushheader_byname() and curl_pushheader_bynum()
o docs: added CODE_OF_CONDUCT.md [8]
o curl: Add --ssl-no-revoke to disable certificate revocation checks [5]
o libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS [9]
o makefile: Added support for VC14
o build: Added Visual Studio 2015 (VC14) project files
o build: Added wolfSSL configurations to VC10+ project files [18]
This release includes the following bugfixes:
o FTP: fix HTTP CONNECT logic regression [1]
o openssl: Fix build with openssl < ~ 0.9.8f
o openssl: fix build with BoringSSL
o curl_easy_setopt.3: option order doesn't matter
o openssl: fix use of uninitialized buffer [2]
o RTSP: removed dead code
o Makefile.m32: add support for CURL_LDFLAG_EXTRAS
o curl: always provide negotiate/kerberos options
o cookie: Fix bug in export if any-domain cookie is present
o curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
o INSTALL: Advise use of non-native SSL for Windows <= XP
o tool_help: fix --tlsv1 help text to use >= for TLSv1
o HTTP: POSTFIELDSIZE set after added to multi handle [3]
o SSL-PROBLEMS: mention WinSSL problems in WinXP
o setup-vms.h: Symbol case fixups
o SSL: Pinned public key hash support
o libtest: call PR_Cleanup() on exit if NSPR is used
o ntlm_wb: Fix theoretical memory leak
o runtests: Allow for spaces in curl custom path
o http2: add stream != NULL checks for reliability
o schannel: Replace deprecated GetVersion with VerifyVersionInfo
o http2: verify success of strchr() in http2_send()
o configure: add --disable-rt option
o openssl: work around MSVC warning
o HTTP: ignore "Content-Encoding: compress"
o configure: check if OpenSSL linking wants -ldl
o build-openssl.bat: Show syntax if required args are missing
o test1902: attempt to make the test more reliable
o libcurl-thread.3: Consolidate thread safety info
o maketgz: Fixed some VC makefiles missing from the release tarball
o libcurl-multi.3: mention curl_multi_wait [10]
o ABI doc: use secure URL
o http: move HTTP/2 cleanup code off http_disconnect() [11]
o libcurl-thread.3: Warn memory functions must be thread safe [12]
o curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs [13]
o docs: formpost needs the full size at start of upload [14]
o curl_gssapi: remove 'const' to fix compiler warnings
o SSH: three state machine fixups [15]
o libcurl.3: fix a single typo [16]
o generate.bat: Only clean prerequisite files when in ALL mode
o curl_slist_append.3: add error checking to the example
o buildconf.bat: Added support for file clean-up via -clean
o generate.bat: Use buildconf.bat for prerequisite file clean-up
o NTLM: handle auth for only a single request [17]
o curl_multi_remove_handle.3: fix formatting [19]
o checksrc.bat: Fixed error when [directory] isn't a curl source directory
o checksrc.bat: Fixed error when missing *.c and *.h files
o CURLOPT_RESOLVE.3: Note removal support was added in 7.42 [20]
o test46: update cookie expire time
o SFTP: fix range request off-by-one in size check [21]
o CMake: fix GSSAPI builds [22]
o build: refer to fixed libidn versions [4]
o http2: discard frames with no SessionHandle [23]
o curl_easy_recv.3: fix formatting
o libcurl-tutorial.3: fix formatting [24]
o curl_formget.3: correct return code [25]
net/bind910: security update
Revisions pulled up:
- net/bind910/Makefile 1.11-1.12
- net/bind910/distinfo 1.9-1.10
- net/bind910/patches/patch-lib_dns_hmac_link.c deleted
- net/bind910/patches/patch-lib_dns_include_dst_dst.h deleted
- net/bind910/patches/patch-lib_dns_ncache.c deleted
- net/bind910/patches/patch-lib_dns_openssldh_link.c deleted
- net/bind910/patches/patch-lib_dns_openssldsa_link.c deleted
- net/bind910/patches/patch-lib_dns_opensslecdsa_link.c deleted
- net/bind910/patches/patch-lib_dns_opensslrsa_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11dh_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c deleted
- net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted
- net/bind910/patches/patch-lib_dns_resolver.c deleted
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Sep 2 19:46:44 UTC 2015
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Added Files:
pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c
patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c
patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c
patch-lib_dns_pkcs11rsa_link.c
patch-lib_dns_rdata_generic_openpgpkey_61.c
patch-lib_dns_resolver.c
Log Message:
Patch CVE-2015-5722 & CVE-2015-5986
Bump rev
CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0
CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0
Reviewed by wiz@
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 3 00:33:32 UTC 2015
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Removed Files:
pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c
patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c
patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c
patch-lib_dns_pkcs11rsa_link.c
patch-lib_dns_rdata_generic_openpgpkey_61.c
patch-lib_dns_resolver.c
Log Message:
Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4).
(Already fixed by bind-9.10.2pl3nb1.)
--- 9.10.2-P4 released ---
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.47-1.48
- net/bind99/distinfo 1.31-1.32
- net/bind99/patches/patch-lib_dns_hmac_link.c deleted
- net/bind99/patches/patch-lib_dns_include_dst_dst.h deleted
- net/bind99/patches/patch-lib_dns_ncache.c deleted
- net/bind99/patches/patch-lib_dns_openssldh_link.c deleted
- net/bind99/patches/patch-lib_dns_openssldsa_link.c deleted
- net/bind99/patches/patch-lib_dns_opensslecdsa_link.c deleted
- net/bind99/patches/patch-lib_dns_opensslsslrsa_link.c deleted
- net/bind99/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted
- net/bind99/patches/patch-lib_dns_resolver.c deleted
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Sep 2 19:44:28 UTC 2015
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Added Files:
pkgsrc/net/bind99/patches: patch-lib_dns_hmac_link.c
patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
patch-lib_dns_opensslecdsa_link.c
patch-lib_dns_opensslsslrsa_link.c
patch-lib_dns_rdata_generic_openpgpkey_61.c
patch-lib_dns_resolver.c
Log Message:
Patch CVE-2015-5722 & CVE-2015-5986
Bump rev
CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0
CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0
Reviewed by wiz@
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 3 00:35:03 UTC 2015
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Removed Files:
pkgsrc/net/bind99/patches: patch-lib_dns_hmac_link.c
patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
patch-lib_dns_opensslecdsa_link.c
patch-lib_dns_opensslsslrsa_link.c
patch-lib_dns_rdata_generic_openpgpkey_61.c
patch-lib_dns_resolver.c
Log Message:
Update bind99 to 9.9.7pl3 (BIND 9.9.7-P3).
(These security fixes are already done by bind-9.9.7pl2nb1.)
--- 9.9.7-P3 released ---
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
sysutils/testdisk: security update
Revisions pulled up:
- sysutils/testdisk/Makefile 1.11 via patch
- sysutils/testdisk/PLIST 1.3
- sysutils/testdisk/distinfo 1.3
---
Module Name: pkgsrc
Committed By: leot
Date: Mon Aug 24 19:54:14 UTC 2015
Modified Files:
pkgsrc/sysutils/testdisk: Makefile PLIST distinfo
Log Message:
Update sysutils/testdisk to testdisk-7.0.
Changes:
== 7.0 ==
=== General Improvements ===
Various fix including security fix, thanks to
* Coverity scan (Static Analysis of source code)
* afl-fuzz (security-oriented fuzzer).
* Denis Andzakovic from Security Assessment for reporting an
exploitable Stack Buffer Overflow
=== TestDisk ===
==== Improvements ====
* exFAT: better support
* ext4: handle 64 bit blocks or 64 KiB blocksize. Fix detection and file
listing
==== Bug fixes ====
* Avoid erroneous error when writing 512 bytes on hard disk using 4k sector
* FAT, NTFS: avoid NULL pointer dereference if localtime() returns NULL.
Thanks to Graham Sutherland for reporting this bug.
=== PhotoRec & QPhotoRec ===
QPhotoRec is a Graphical User Interface (Qt based GUI) version of PhotoRec.
More user friendly, it recognizes the same file formats.
PhotoRec remains recommended for advanced users, it can stop a recovery and
resume it later, it recovers more fragmented files when brute-force technology
is enabled and expert mode is available.
==== Improvements ====
* Reduced false positives for more than 80 file formats.
* .gif: fix filesize detection
* .flv: add Flash filesize detection
* .mpg: detect filesize for MPEG
* .ra: detect filesize for RealAudio3
* Improved algorithm to deal with data fragmentation resulting in a general
speed increase
* Speedup brute-force mode. Brute-force mode can recover more fragmented
files, but it's still slow and not 100% reliable. You can enable it in
PhotoRec Options menu.
New file formats recovered by PhotoRec:
* .3dm: Rhino / openNURBS
* .ari: ARRI Raw Video
* .camrec: Camtasia Studio
* .dad: Micae DVR
* .dcm: Digital Imaging and Communications in Medicine (DICOM)
* .fp12: File Maker Pro 12
* .kra: Krita
* .mlv: Magic Lantern Video
* .notebook: SMART notebook
* .ora: Mypaint
* .red: RED2 video format
* .rlv: Revelation password
* .vbm: Veeam Backup Metadata
* .woff: Web Open Font Format
security/openssh: build fix patch
Revisions pulled up:
- security/openssh/distinfo 1.97
- security/openssh/options.mk 1.31
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 22 05:17:22 UTC 2015
Modified Files:
pkgsrc/security/openssh: distinfo options.mk
Log Message:
Revive hpn-patch patch although not yet tested well.
www/drupal7: security update
Revisions pulled up:
- www/drupal7/Makefile 1.33
- www/drupal7/distinfo 1.26
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Aug 20 15:34:11 UTC 2015
Modified Files:
pkgsrc/www/drupal7: Makefile distinfo
Log Message:
Update drupal7 package to 7.39 (Drupal 7.39).
Drupal 7.39, 2015-08-19
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.
www/drupal6: security update
Revisions pulled up:
- www/drupal6/Makefile 1.54
- www/drupal6/distinfo 1.36
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Aug 20 15:33:33 UTC 2015
Modified Files:
pkgsrc/www/drupal6: Makefile distinfo
Log Message:
Update drupal6 package to 6.37 (Drupal 6.37).
Drupal 6.37, 2015-08-19
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.
lang/ruby22-base: security update
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.147
- lang/ruby22-base/Makefile 1.4
- lang/ruby22-base/distinfo 1.6-1.7
- lang/ruby22-base/patches/patch-configure 1.3
- lang/ruby22-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted
---
Module Name: pkgsrc
Committed By: jperkin
Date: Tue Jun 30 19:41:32 UTC 2015
Modified Files:
pkgsrc/lang/ruby22-base: distinfo
pkgsrc/lang/ruby22-base/patches: patch-configure
Log Message:
Disable CPU detection on Darwin, the result for 32-bit (i486) is incompatible
with pkgsrc MACHINE_ARCH (i386). Fixes 32-bit build, no change for 64-bit.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Aug 20 15:30:47 UTC 2015
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby22-base: Makefile distinfo
Removed Files:
pkgsrc/lang/ruby22-base/patches: patch-lib_rubygems_remote__fetcher.rb
Log Message:
Update ruby22-base to 2.2.3 (Ruby 2.2.3).
Release note:
Ruby 2.2.3 Released
Posted by nagachika on 18 Aug 2015
We are pleased to announce the release of Ruby 2.2.3. This is a TEENY
version release of the stable 2.2 series.
This release includes the security fix for a RubyGems domain name
verification vulnerability.
CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
There are also some bugfixes. See ChangeLog for details.
lang/ruby21-base: security update
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.146
- lang/ruby21-base/Makefile 1.15
- lang/ruby21-base/PLIST 1.7
- lang/ruby21-base/distinfo 1.19
- lang/ruby21-base/patches/patch-ext_tk_extconf.rb deleted
- lang/ruby21-base/patches/patch-ext_tk_lib_tk.rb deleted
- lang/ruby21-base/patches/patch-ext_tk_tcltklib.c deleted
- lang/ruby21-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Aug 20 15:27:43 UTC 2015
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby21-base: Makefile PLIST distinfo
Removed Files:
pkgsrc/lang/ruby21-base/patches: patch-ext_tk_extconf.rb
patch-ext_tk_lib_tk.rb patch-ext_tk_tcltklib.c
patch-lib_rubygems_remote__fetcher.rb
Log Message:
Update ruby21-base to 2.1.7 (Ruby 2.1.7).
Release announce:
Ruby 2.1.7 Released
Posted by usa on 18 Aug 2015
Ruby 2.1.7 has been released.
This release includes the security fix for a RubyGems domain name
verification vulnerability. Please view the topic below for more details.
CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
And, many bug fixes are also included. See tickets and ChangeLog for details.
lang/ruby200-base: security update
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.145
- lang/ruby200-base/Makefile 1.20
- lang/ruby200-base/distinfo 1.27
- lang/ruby200-base/patches/patch-lib_rubygems_remote__fetcher.rb deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Aug 20 15:22:16 UTC 2015
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby200-base: Makefile distinfo
Removed Files:
pkgsrc/lang/ruby200-base/patches: patch-lib_rubygems_remote__fetcher.rb
Log Message:
Update ruby200-base to 2.0.0p647 (Ruby 2.0.0-p647).
Release announce:
Ruby 2.0.0-p647 Released
Posted by usa on 18 Aug 2015
We are pleased to announce the release of Ruby 2.0.0-p647.
This release includes the security fix for a RubyGems domain name
verification vulnerability. Please view the topic below for more details.
CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
And, this release also includes the fix for a regression of lib/resolv.rb.
Uninitialized constant bug introduced by typo in backport of [#10712]
Ruby 2.0.0 is now under the state of the security maintenance phase, until
Feb. 24th, 2016. After the date, maintenance of Ruby 2.0.0 will be ended. We
recommend you start planning migration to newer versions of Ruby, such as
2.1 or 2.2.
print/tex-tetex: compatibility fix
Revisions pulled up:
- print/tex-tetex/Makefile 1.23
- print/tex-tetex/PLIST 1.10
---
Module Name: pkgsrc
Committed By: markd
Date: Wed Jul 1 10:49:05 UTC 2015
Modified Files:
pkgsrc/print/tex-tetex: Makefile PLIST
Log Message:
Put back mktexfmt symlink. Bump PKGREVISION.
databases/openldap-smbk5pwd: build fix
Revisions pulled up:
- databases/openldap-smbk5pwd/Makefile 1.18
- databases/openldap/distinfo 1.100 patch
- databases/openldap/patches/patch-de deleted
---
Module Name: pkgsrc
Committed By: manu
Date: Mon Aug 10 12:47:51 UTC 2015
Modified Files:
pkgsrc/databases/openldap: distinfo
pkgsrc/databases/openldap-smbk5pwd: Makefile
Removed Files:
pkgsrc/databases/openldap/patches: patch-de
Log Message:
Use OpenSSL libcrypto instead of libdes on NetBSD
All recent NetBSD releases now have an OpenSSL recent enough so
that the DES symbols required by slapo-smbk5pwd can be found in
OpenSSL's libcrypto. We therefore do not need to link with -ldes
anymore, especially since it now causes a build failure.
net/netatalk30: build fix
Revisions pulled up:
- net/netatalk30/Makefile 1.6
- net/netatalk30/distinfo 1.3
- net/netatalk30/patches/patch-etc_uams_uams__randnum.c 1.2
---
Module Name: pkgsrc
Committed By: fhajny
Date: Fri Aug 7 09:52:23 UTC 2015
Modified Files:
pkgsrc/net/netatalk30: Makefile
Log Message:
netatalk requires libevent 2.x, the builtin one on NetBSD<7 is older.
Fixes pkg/50084.
---
Module Name: pkgsrc
Committed By: manu
Date: Mon Aug 10 15:09:42 UTC 2015
Modified Files:
pkgsrc/net/netatalk30: distinfo
pkgsrc/net/netatalk30/patches: patch-etc_uams_uams__randnum.c
Log Message:
Fix build problem with libdes migration
This package was partially migrated from libdes to OpenSSL and therefore
still exhibited some build failures: bin/afppasswd/afppasswd.c was patched
but not etc/uams/uams_randnum.c. Update the latter to work around the
problem.
sysutils/tarsnap: security update
Revisions pulled up:
- sysutils/tarsnap/Makefile 1.10-1.11
- sysutils/tarsnap/distinfo 1.6-1.7
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 21 14:43:17 UTC 2015
Modified Files:
pkgsrc/sysutils/tarsnap: Makefile distinfo
Log Message:
Update to 1.0.36:
1. SECURITY FIX: When constructing paths of objects being archived, a buffer
could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
paths. Theoretically this could be exploited by an unprivileged user whose
files are being archived; I do not believe it is exploitable in practice,
but I am offering a $1000 bounty for the first person who can prove me wrong:
http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html
2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
and control of the tarsnap service, could make tarsnap allocate a large
amount of memory upon listing archives or reading an archive the attacker
created; on 32-bit machines, tarsnap can be caused to crash under the
aforementioned conditions.
3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails.
4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when
running on a dual-stack network if the first IP stack it attempts fails to
connect.
5. tarsnap now avoids opening device nodes on linux if it is instructed to
archive /dev/. This change may prevent "watchdog"-triggered reboots.
6. tarsnap -c --dry-run can now run without a keyfile, allowing users to
predict how much Tarsnap will cost before signing up.
7. tarsnap now has bash completion scripts.
8. tarsnap now takes a --retry-forever option.
9. tarsnap now automatically detects and uses AESNI and SSE2.
As usual, there are also many minor build fixes, harmless bug fixes, and code
refactoring / cleanup changes. For a full listing of changes, consult the
tarsnap git repository: https://github.com/Tarsnap/tarsnap
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 21 18:03:22 UTC 2015
Modified Files:
pkgsrc/sysutils/tarsnap: Makefile distinfo
Log Message:
Update to 1.0.36.1:
OS X lacks the POSIX-mandated clock_gettime function, and tarsnap is
not using libcperciva's "support broken operating systems" compatibility
mechanism yet. Add -DPOSIXFAIL_CLOCK_REALTIME to the build.
security/openssh: security update
Revisions pulled up:
- security/openssh/Makefile patch
- security/openssh/PLIST patch
- security/openssh/distinfo patch
- security/openssh/files/org.openssh.sshd.sb.in patch
- security/openssh/patches/patch-auth2-chall.c patch
- security/openssh/patches/patch-auth2.c patch
- security/openssh/patches/patch-loginrec.c patch
- security/openssh/patches/patch-openbsd-compat_bsd-openpty.c patch
- security/openssh/patches/patch-sandbox-darwin.c patch
- security/openssh/patches/patch-sftp-common.c patch
- security/openssh/patches/patch-sshd.c patch
- security/openssh/patches/patch-uidswap.c patch
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 21 08:12:09 UTC 2015
Modified Files:
pkgsrc/security/openssh: Makefile distinfo
Removed Files:
pkgsrc/security/openssh/patches: patch-auth2-chall.c
Log Message:
Update to 7.1p1:
Changes since OpenSSH 7.0
=========================
This is a bugfix release.
Security
--------
* sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
prohibit-password/without-password that could, depending on
compile-time configuration, permit password authentication to
root while preventing other forms of authentication. This problem
was reported by Mantas Mikulenas.
Bugfixes
--------
* ssh(1), sshd(8): add compatibility workarounds for FuTTY
* ssh(1), sshd(8): refine compatibility workarounds for WinSCP
* Fix a number of memory faults (double-free, free of uninitialised
memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz
Kocielski.
devel/libidn: security update
Revisions pulled up:
- devel/libidn/Makefile 1.93-1.94
- devel/libidn/distinfo 1.60-1.61
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jul 9 14:02:04 UTC 2015
Modified Files:
pkgsrc/devel/libidn: Makefile distinfo
Log Message:
Update to 1.31:
* Version 1.31 (released 2015-07-08) [beta]
** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
This function has always been documented to not validate that the
input UTF-8 string is actually valid UTF-8. Like the rest of the API,
when you call a function that works on UTF-8 data, you have to pass it
valid UTF-8 data. Application writers appear to have difficulties
using interfaces designed like that, as bugs triggered by invalid
UTF-8 have been identified in a number of projects (jabberd2, gnutls,
wget, and curl). While we could introduce a new API to perform UTF-8
validation, so that applications can easily implement the proper
checks, this appears error-prone because there is a risk that the check
will be forgotten. Instead, we took the more radical approach of
modifying the documentation and the implementation of the API. The
intention is that all functions that accept UTF-8 data should
validate it before use. This will solve the problem for applications,
without needing to change them. This change has the unfortunate
side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
code, as the gnulib/libunistring-based code that we use to test
UTF-8-compliance rejects Surrogate codes. We hope that this is an
acceptable cost to live with in order to improve application security.
We welcome feedback on this solution, and we are marking this release
as beta rather than stable to signal that we may reconsider this
approach if people disagree. Reported by several people including
Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
Mavrogiannopoulos.
** libidn: Added STRINGPREP_ICONV_ERROR error code.
** libidn: Workaround valgrind/gcc/glibc issue.
Valgrind reported an 'Invalid read of size 4' that was caused by
optimized strlen implementation. Reported and patch by Alessandro
Ghedini <alessandro@ghedini.me>.
** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
Errors caught by valgrind did not always trigger 'make check' failures
before.
** i18n: Updated Danish translation.
Thanks to Joe Hansen.
** API and ABI is backwards compatible with the previous version.
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Aug 6 07:54:57 UTC 2015
Modified Files:
pkgsrc/devel/libidn: Makefile distinfo
Log Message:
Update to 1.32:
* Version 1.32 (released 2015-08-01) [beta]
** libidn: Fix crash in idna_to_unicode_8z8z and idna_to_unicode_8zlz.
This problem was introduced in 1.31. Reported by Adam Sampson.
** API and ABI is backwards compatible with the previous version.
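The 1.31 entry above explains the design decision (validate UTF-8 inside every function that consumes it, at the cost of surrogates now failing as an iconv error rather than as a prohibited code point) but not what "validate" has to cover. The decoder below is an added illustration written for this page, not libidn's code: libidn 1.31 delegates the check to gnulib/libunistring and reports STRINGPREP_ICONV_ERROR, whereas the status names, function names and sample inputs here are this example's own. It rejects every class of malformed input that an unvalidated stringprep_utf8_to_ucs4 would otherwise turn into a bogus code point: truncated sequences, stray continuation bytes, overlong forms, UTF-16 surrogates and values above U+10FFFF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libidn's code. Strict UTF-8 to UCS-4 decoding that
 * validates before use, so malformed input never reaches the stringprep
 * tables as a bogus code point. */
enum utf8_status {
    UTF8_OK = 0,
    UTF8_INVALID = -1,   /* the case libidn 1.31 reports as STRINGPREP_ICONV_ERROR */
    UTF8_NOSPACE = -2    /* output buffer too small */
};

/* Decodes one sequence from p[0..n). Returns its byte length, or 0 if invalid. */
static size_t decode_one(const unsigned char *p, size_t n, uint32_t *cp)
{
    size_t need, k;
    uint32_t c, min;

    if (n == 0)
        return 0;
    if (p[0] < 0x80) {                       /* ASCII */
        *cp = p[0];
        return 1;
    } else if (p[0] >= 0xC2 && p[0] <= 0xDF) {
        need = 1; min = 0x80;    c = p[0] & 0x1F;
    } else if (p[0] >= 0xE0 && p[0] <= 0xEF) {
        need = 2; min = 0x800;   c = p[0] & 0x0F;
    } else if (p[0] >= 0xF0 && p[0] <= 0xF4) {
        need = 3; min = 0x10000; c = p[0] & 0x07;
    } else {
        return 0;   /* 80-BF: stray continuation; C0, C1: overlong lead; F5-FF: never valid */
    }
    if (n < need + 1)
        return 0;                            /* truncated sequence */
    for (k = 1; k <= need; k++) {
        if ((p[k] & 0xC0) != 0x80)
            return 0;                        /* missing continuation byte */
        c = (c << 6) | (p[k] & 0x3F);
    }
    if (c < min)
        return 0;                            /* overlong encoding, e.g. E0 80 AF */
    if (c >= 0xD800 && c <= 0xDFFF)
        return 0;                            /* UTF-16 surrogate, e.g. ED A0 80 */
    if (c > 0x10FFFF)
        return 0;                            /* beyond Unicode, e.g. F4 90 80 80 */
    *cp = c;
    return need + 1;
}

/* Converts in[0..len) to UCS-4 code points in out[0..outcap). Returns UTF8_OK
 * and sets *outlen, or UTF8_INVALID at the first malformed sequence. */
int utf8_to_ucs4_strict(const unsigned char *in, size_t len,
                        uint32_t *out, size_t outcap, size_t *outlen)
{
    size_t i = 0, o = 0;

    while (i < len) {
        uint32_t cp;
        size_t used = decode_one(in + i, len - i, &cp);
        if (used == 0)
            return UTF8_INVALID;
        if (o >= outcap)
            return UTF8_NOSPACE;
        out[o++] = cp;
        i += used;
    }
    *outlen = o;
    return UTF8_OK;
}

/* Convenience check for NUL-terminated strings: 1 if valid UTF-8, else 0. */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t len = strlen(s), i = 0, used;
    uint32_t cp;

    while (i < len) {
        if ((used = decode_one(p + i, len - i, &cp)) == 0)
            return 0;
        i += used;
    }
    return 1;
}

int main(void)
{
    /* constructed inputs: "caf\xC3\xA9" is valid, "\xED\xA0\x80" is an encoded surrogate D800 */
    printf("valid=%d surrogate=%d overlong=%d\n",
           utf8_is_valid("caf\xC3\xA9"), utf8_is_valid("\xED\xA0\x80"),
           utf8_is_valid("\xC0\xAF"));
    return 0;
}
```

The surrogate check is the one the entry calls out: with validation at the decode step, ED A0 80 never becomes U+D800 and so never reaches the RFC 3454 prohibited-code-point table, which is why STRINGPREP_CONTAINS_PROHIBITED no longer fires for it. The overlong and out-of-range checks matter for the same reason; an overlong encoding of "." or "/" that slips through decoding bypasses any byte-level filter that ran before it.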
comms/hylafax: build fix
Revisions pulled up:
- comms/hylafax/distinfo 1.27
- comms/hylafax/patches/patch-ae 1.19
---
Module Name: pkgsrc
Committed By: dholland
Date: Mon Aug 10 05:03:36 UTC 2015
Modified Files:
pkgsrc/comms/hylafax: distinfo
pkgsrc/comms/hylafax/patches: patch-ae
Log Message:
Fix broken build, caused by wrapper reordering of .a files vs. -l options.
Symptom: HYLAFAX_VERSION_STRING not found while linking.
lang/php56: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.108
- lang/php56/distinfo 1.14
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 00:13:36 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.12.
06 Aug 2015, PHP 5.6.12
- Core:
. Fixed bug #70012 (Exception lost with nested finally block). (Laruence)
. Fixed bug #70002 (TS issues with temporary dir handling). (Anatol)
. Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive
method calls). (Stas)
. Fixed bug #69892 (Different arrays compare identical due to integer key
truncation). (Nikita)
. Fixed bug #70121 (unserialize() could lead to unexpected methods execution
/ NULL pointer deref). (Stas)
- CLI server:
. Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). (cmb)
. Fixed bug #64878 (304 responses return Content-Type header). (cmb)
- GD:
. Fixed bug #53156 (imagerectangle problem with point ordering). (cmb)
. Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb)
. Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb)
. Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb)
. Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)
. Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory). (cmb)
. Fixed bug #69024 (imagescale segfault with palette based image). (cmb)
. Fixed bug #53154 (Zero-height rectangle has whiskers). (cmb)
. Fixed bug #67447 (imagecrop() add a black line when cropping). (cmb)
. Fixed bug #68714 (copy 'n paste error). (cmb)
. Fixed bug #66339 (PHP segfaults in imagexbm). (cmb)
. Fixed bug #70047 (gd_info() doesn't report WebP support). (cmb)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined
columns). (cmb)
- OpenSSL:
. Fixed bug #69882 (OpenSSL error “key values mismatch” after
openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
. Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically
secure). (Stas)
- Phar:
. Improved fix for bug #69441. (Anatol Belski)
. Fixed bug #70019 (Files extracted from archive may be placed outside of
destination directory). (Anatol Belski)
- SOAP:
. Fixed bug #70081 (SoapClient info leak / null pointer dereference via
multiple type confusions). (Stas)
- SPL:
. Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject
items). (sean.heelan)
. Fixed bug #70166 (Use After Free Vulnerability in unserialize() with
SPLArrayObject). (taoguangchen at icloud dot com)
. Fixed bug #70168 (Use After Free Vulnerability in unserialize() with
SplObjectStorage). (taoguangchen at icloud dot com)
. Fixed bug #70169 (Use After Free Vulnerability in unserialize() with
SplDoublyLinkedList). (taoguangchen at icloud dot com)
- Standard:
. Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). (cmb)
lang/php55: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.107
- lang/php55/distinfo 1.44
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 00:12:22 UTC 2015
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: distinfo
Log Message:
Update php55 to 5.5.28.
06 Aug 2015, PHP 5.5.28
- Core:
. Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive
method calls). (Stas)
. Fixed bug #69892 (Different arrays compare identical due to integer key
truncation). (Nikita)
. Fixed bug #70002 (TS issues with temporary dir handling). (Anatol)
. Fixed bug #70121 (unserialize() could lead to unexpected methods execution
/ NULL pointer deref). (Stas)
- OpenSSL:
. Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically
secure). (Stas)
- Phar:
. Improved fix for bug #69441. (Anatol Belski)
. Fixed bug #70019 (Files extracted from archive may be placed outside of
destination directory). (Anatol Belski)
- SOAP:
. Fixed bug #70081 (SoapClient info leak / null pointer dereference via
multiple type confusions). (Stas)
- SPL:
. Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject
items). (sean.heelan)
. Fixed bug #70166 (Use After Free Vulnerability in unserialize() with
SPLArrayObject). (taoguangchen at icloud dot com)
. Fixed bug #70168 (Use After Free Vulnerability in unserialize() with
SplObjectStorage). (taoguangchen at icloud dot com)
. Fixed bug #70169 (Use After Free Vulnerability in unserialize() with
SplDoublyLinkedList). (taoguangchen at icloud dot com)
lang/php54: security update
Revisions pulled up:
- lang/php/phpversion.mk 1.106
- lang/php54/distinfo 1.62
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 8 00:11:29 UTC 2015
Modified Files:
pkgsrc/lang/php: pear.mk phpversion.mk
pkgsrc/lang/php54: distinfo
Log Message:
Update php54 to 5.4.44.
06 Aug 2015 PHP 5.4.44
- Core:
. Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive
method calls). (Stas)
. Fixed bug #69892 (Different arrays compare identical due to integer key
truncation). (Nikita)
. Fixed bug #70121 (unserialize() could lead to unexpected methods execution
/ NULL pointer deref). (Stas)
- OpenSSL:
. Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically
secure). (Stas)
- Phar:
. Improved fix for bug #69441. (Anatol Belski)
. Fixed bug #70019 (Files extracted from archive may be placed outside of
destination directory). (Anatol Belski)
- SOAP:
. Fixed bug #70081 (SoapClient info leak / null pointer dereference via
multiple type confusions). (Stas)
- SPL:
. Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject
items). (sean.heelan)
. Fixed bug #70166 (Use After Free Vulnerability in unserialize() with
SPLArrayObject). (taoguangchen at icloud dot com)
. Fixed bug #70168 (Use After Free Vulnerability in unserialize() with
SplObjectStorage). (taoguangchen at icloud dot com)
. Fixed bug #70169 (Use After Free Vulnerability in unserialize() with
SplDoublyLinkedList). (taoguangchen at icloud dot com)
lang/perl5: bug fix patch
Revisions pulled up:
- lang/perl5/hacks.mk 1.17
---
Module Name: pkgsrc
Committed By: mrg
Date: Fri Aug 7 22:11:23 UTC 2015
Modified Files:
pkgsrc/lang/perl5: hacks.mk
Log Message:
use -fno-reorder-blocks for sparc64, mips, and vax and GCC 4.5*.
something in op.c (as miniop.c) is mis-compiled with this option which
is enabled by -O2, when using GCC 4.5. i didn't try to figure out
exactly what as op.c is 419,359 bytes long and the assembler output
is almost 100% different and approximately 1.5MB either way (the
diff of the asm output is larger than the combined inputs), so for now
we have this hack. this problem doesn't appear to occur in newer GCC.
XXX: pullup to 2015Q2.
emulators/suse131_base: security update
emulators/suse131_freetype2: security update
emulators/suse131_glib2: security update
emulators/suse131_glx: security update
emulators/suse131_gtk2: security update
emulators/suse131_krb5: security update
emulators/suse131_libSDL: security update
emulators/suse131_libcups: security update
emulators/suse131_libcurl: security update
emulators/suse131_libdbus: security update
emulators/suse131_libidn: security update
emulators/suse131_libjpeg: security update
emulators/suse131_libsndfile: security update
emulators/suse131_libssh: security update
emulators/suse131_libtiff: security update
emulators/suse131_locale: security update
emulators/suse131_mozilla-nspr: security update
emulators/suse131_mozilla-nss: security update
emulators/suse131_openssl: security update
emulators/suse131_qt4: security update
emulators/suse131_x11: security update
Revisions pulled up:
- emulators/suse131_base/Makefile 1.15
- emulators/suse131_base/distinfo 1.11
- emulators/suse131_freetype2/Makefile 1.5
- emulators/suse131_freetype2/distinfo 1.2
- emulators/suse131_glib2/Makefile 1.5
- emulators/suse131_glib2/distinfo 1.2
- emulators/suse131_glx/Makefile 1.10
- emulators/suse131_glx/distinfo 1.5
- emulators/suse131_gtk2/Makefile 1.11
- emulators/suse131_gtk2/distinfo 1.7
- emulators/suse131_krb5/Makefile 1.7
- emulators/suse131_krb5/distinfo 1.4
- emulators/suse131_libSDL/Makefile 1.5
- emulators/suse131_libSDL/distinfo 1.2
- emulators/suse131_libcups/Makefile 1.5
- emulators/suse131_libcups/distinfo 1.2
- emulators/suse131_libcurl/Makefile 1.10
- emulators/suse131_libcurl/distinfo 1.7
- emulators/suse131_libdbus/Makefile 1.12
- emulators/suse131_libdbus/distinfo 1.8
- emulators/suse131_libidn/Makefile 1.5
- emulators/suse131_libidn/distinfo 1.2
- emulators/suse131_libjpeg/Makefile 1.5
- emulators/suse131_libjpeg/distinfo 1.2
- emulators/suse131_libsndfile/Makefile 1.6
- emulators/suse131_libsndfile/distinfo 1.3
- emulators/suse131_libssh/Makefile 1.5
- emulators/suse131_libssh/distinfo 1.2
- emulators/suse131_libtiff/Makefile 1.6
- emulators/suse131_libtiff/distinfo 1.3
- emulators/suse131_locale/Makefile 1.5
- emulators/suse131_locale/distinfo 1.2
- emulators/suse131_mozilla-nspr/Makefile 1.8
- emulators/suse131_mozilla-nspr/distinfo 1.5
- emulators/suse131_mozilla-nss/Makefile 1.9
- emulators/suse131_mozilla-nss/distinfo 1.6
- emulators/suse131_openssl/Makefile 1.17
- emulators/suse131_openssl/distinfo 1.14
- emulators/suse131_qt4/Makefile 1.8
- emulators/suse131_qt4/distinfo 1.5
- emulators/suse131_x11/Makefile 1.11
- emulators/suse131_x11/distinfo 1.7
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jul 28 08:49:16 UTC 2015
Modified Files:
pkgsrc/emulators/suse131_base: Makefile distinfo
pkgsrc/emulators/suse131_freetype2: Makefile distinfo
pkgsrc/emulators/suse131_glib2: Makefile distinfo
pkgsrc/emulators/suse131_glx: Makefile distinfo
pkgsrc/emulators/suse131_gtk2: Makefile distinfo
pkgsrc/emulators/suse131_krb5: Makefile distinfo
pkgsrc/emulators/suse131_libSDL: Makefile distinfo
pkgsrc/emulators/suse131_libcups: Makefile distinfo
pkgsrc/emulators/suse131_libcurl: Makefile distinfo
pkgsrc/emulators/suse131_libdbus: Makefile distinfo
pkgsrc/emulators/suse131_libidn: Makefile distinfo
pkgsrc/emulators/suse131_libjpeg: Makefile distinfo
pkgsrc/emulators/suse131_libsndfile: Makefile distinfo
pkgsrc/emulators/suse131_libssh: Makefile distinfo
pkgsrc/emulators/suse131_libtiff: Makefile distinfo
pkgsrc/emulators/suse131_locale: Makefile distinfo
pkgsrc/emulators/suse131_mozilla-nspr: Makefile distinfo
pkgsrc/emulators/suse131_mozilla-nss: Makefile distinfo
pkgsrc/emulators/suse131_openssl: Makefile distinfo
pkgsrc/emulators/suse131_qt4: Makefile distinfo
pkgsrc/emulators/suse131_x11: Makefile distinfo
Log Message:
Update RPMs from latest openSUSE 13.1 files.
From Rin Okuyama in PR 50082.
security/openssh: security patch
Revisions pulled up:
- security/openssh/Makefile 1.234
- security/openssh/distinfo 1.94
- security/openssh/patches/patch-auth2-chall.c 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jul 30 03:20:36 UTC 2015
Modified Files:
pkgsrc/security/openssh: Makefile distinfo
Added Files:
pkgsrc/security/openssh/patches: patch-auth2-chall.c
Log Message:
Add fix for CVE-2015-5600 from FreeBSD via NetBSD base.
Bump PKGREVISION.
net/bind910: security update
Revisions pulled up:
- net/bind910/Makefile 1.10
- net/bind910/distinfo 1.8
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 28 22:36:38 UTC 2015
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3).
--- 9.10.2-P3 released ---
4165. [security] A failure to reset a value to NULL in tkey.c could
result in an assertion failure. (CVE-2015-5477)
[RT #40046]
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.46
- net/bind99/distinfo 1.30
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 28 22:35:36 UTC 2015
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 to 9.9.7pl2 (BIND 9.9.7-P2).
--- 9.9.7-P2 released ---
4165. [security] A failure to reset a value to NULL in tkey.c could
result in an assertion failure. (CVE-2015-5477)
[RT #40046]
multimedia/adobe-flash-plugin11: security update
Revisions pulled up:
- multimedia/adobe-flash-plugin11/Makefile 1.47-1.48
- multimedia/adobe-flash-plugin11/distinfo 1.44-1.45
---
Module Name: pkgsrc
Committed By: tsutsui
Date: Wed Jul 8 17:22:37 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.481.
Upstream announcement for 11.2.202.481:
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
Security Advisory for Adobe Flash Player
Release date: July 7, 2015
Vulnerability identifier: APSA15-03
CVE number: CVE-2015-5119
Platform: Windows, Macintosh and Linux
Upstream announcement for 11.2.202.468:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
Security updates available for Adobe Flash Player
Release date: June 23, 2015
Vulnerability identifier: APSB15-14
CVE number: CVE-2015-3113
Platform: Windows, Macintosh and Linux
---
Module Name: pkgsrc
Committed By: tsutsui
Date: Fri Jul 17 02:01:55 UTC 2015
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.491.
Upstream announcement for 11.2.202.491:
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
Adobe Security Bulletin
Security updates available for Adobe Flash Player
Release date: July 14, 2015
Last updated: July 16, 2015
Vulnerability identifier: APSB15-18
CVE number: CVE-2015-5122, CVE-2015-5123
Platform: Windows, Macintosh and Linux
net/socat: security update
Revisions pulled up:
- net/socat/Makefile 1.35
- net/socat/distinfo 1.21
- net/socat/patches/patch-configure deleted
- net/socat/patches/patch-mytypes.h 1.3
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Jul 25 14:43:23 UTC 2015
Modified Files:
pkgsrc/net/socat: Makefile distinfo
pkgsrc/net/socat/patches: patch-mytypes.h
Removed Files:
pkgsrc/net/socat/patches: patch-configure
Log Message:
Update socat to 1.7.3.0. From Ben Gergely in PR pkg/49996.
####################### V 1.7.3.0:
security:
(CVE Id pending)
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
of libc vsnprintf()
Coded function snprinterr() to replace %m in strings with a system error
message
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
program flow
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificates names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY
OpenSSL server checks if the client certificates names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY
Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used
Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks
new features:
OpenSSL addresses set couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*
Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
by Andrey Arapov.
Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement
corrections:
Bind with ABSTRACT commands used non-abstract namespace (Linux).
Test: ABSTRACT_BIND
Thanks to Denis Shatov for reporting this bug.
Fixed return value of nestlex()
Option ignoreeof on the right address hung.
Test: IGNOREEOF_REV
Thanks to Franz Fasching for reporting this bug.
Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN
Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.
Test: TCP4_NOPORT
configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.
fixed a few minor bugs with OpenSSL in configure and with messages
Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.
Christophe Leroy provided a patch that fixes memory leaks reported by
valgrind
Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"
Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Test: FDOUT_ERROR
Issue reported by Hendrik.
Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolete. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.
porting:
Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.
Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.
Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible
binaries
Joachim Fenkes provided a new adapted spec file.
Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.
David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/
Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
on Illumos
Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes
Red Hat issue 1182005: socat 1.7.2.4 build failure missing
linux/errqueue.h
Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.
doc:
In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.
Added missing CVE ids to security issues in CHANGES
testing:
Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.
####################### V 1.7.2.4:
corrections:
LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
descriptor
Thanks to Ulises Alonso for reporting this bug
make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem
configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug
In xioshutdown() a wrong branch was chosen after RECVFROM type
addresses.
Probably no impact.
Thanks to David Binderman for reporting this issue.
procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field
width to 24 digits.
OPENSSL-CONNECT with bind option failed on some systems,
e.g. FreeBSD, with
"Invalid argument"
Thanks to Emile den Tex for reporting this bug.
Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings
On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and
fixing this bug.
Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
Red Hat issue 1022063: out-of-range shifts on net mask bits
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
uses
Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()
Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case
fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page
UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
Thanks to Lorenzo Monti for pointing me to this issue
porting:
Red Hat issue 1020203: configure checks fail with some compilers.
Use case: clang
Performed changes for Fedora release 19
Adapted, improved test.sh script
Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to
getgrent()
Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls
appropriately
Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.
Artem Mygaiev extended Cedril Priscals Android build script
with pty code
The check for fips.h required stddef.h
Thanks to Matt Hilt for reporting this issue and sending a patch
Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
autoconf now prefers configure.ac over configure.in
Thanks to Michael Vastola for sending a patch.
type of struct cmsghdr.cmsg is system dependent, determine it with
configure; some more print format corrections
docu:
libwrap always logs to syslog
added actual text version of GPLv2
net/gcloud-golang-metadata: build fix
Revisions pulled up:
- net/gcloud-golang-metadata/Makefile 1.2
---
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Jul 25 14:23:58 UTC 2015
Modified Files:
pkgsrc/net/gcloud-golang-metadata: Makefile
Log Message:
Fix build on NetBSD, PR pkg/49909.
It turns out that [^a]* matches all files not beginning with a on Darwin
and all files beginning with a on NetBSD. Work around this by crafting
a for loop with a case expression.
graphics/libwmf: security patch
Revisions pulled up:
- graphics/libwmf/Makefile 1.77
- graphics/libwmf/distinfo 1.20
- graphics/libwmf/patches/patch-aa 1.8
- graphics/libwmf/patches/patch-src_extra_gd_gd.c 1.1
- graphics/libwmf/patches/patch-src_extra_gd_gd_gd.c 1.1
- graphics/libwmf/patches/patch-src_extra_gd_gd_png.c 1.1
- graphics/libwmf/patches/patch-src_extra_gd_gdft.c 1.1
- graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.c 1.1
- graphics/libwmf/patches/patch-src_extra_gd_gdhelpers.h 1.1
- graphics/libwmf/patches/patch-src_ipa_ipa.h 1.1
- graphics/libwmf/patches/patch-src_player_meta.h 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Fri Jul 17 12:33:47 UTC 2015
Modified Files:
pkgsrc/graphics/libwmf: Makefile distinfo
pkgsrc/graphics/libwmf/patches: patch-aa
Added Files:
pkgsrc/graphics/libwmf/patches: patch-src_extra_gd_gd.c
patch-src_extra_gd_gd_gd.c patch-src_extra_gd_gd_png.c
patch-src_extra_gd_gdft.c patch-src_extra_gd_gdhelpers.c
patch-src_extra_gd_gdhelpers.h patch-src_ipa_ipa.h
patch-src_player_meta.h
Log Message:
Patch the following CVEs
CVE-2004-0941
CVE-2007-0455
CVE-2007-2756
CVE-2007-3472
CVE-2007-3473
CVE-2007-3477
CVE-2009-3546
CVE-2015-0848
CVE-2015-4588
CVE-2015-4695
CVE-2015-4696
Obtained from:
CentOS libwmf RPM git
Debian Bug 784205
Debian Bug 784192
Red Hat Bug 1227243
via Jason Unovitch in FreeBSD bug 201513
Reviewed by bsiegert@
net/haproxy: security fix
Revisions pulled up:
- net/haproxy/Makefile 1.21
- net/haproxy/distinfo 1.16
- net/haproxy/patches/patch-standard_h deleted
---
Module Name: pkgsrc
Committed By: morr
Date: Sat Jul 4 13:13:53 UTC 2015
Modified Files:
pkgsrc/net/haproxy: Makefile distinfo
Removed Files:
pkgsrc/net/haproxy/patches: patch-standard_h
Log Message:
Security update to newest version.
Changes:
Released version 1.5.14 with the following main changes :
- BUILD/MINOR: tools: rename popcount to my_popcountl
- BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
Released version 1.5.13 with the following main changes :
- BUG/MINOR: check: fix tcpcheck error message
- CLEANUP: deinit: remove codes for cleaning p->block_rules
- DOC: Update doc about weight, act and bck fields in the statistics
- MINOR: ssl: add a destructor to free allocated SSL resources
- BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
- MEDIUM: ssl: replace standards DH groups with custom ones
- BUG/MINOR: debug: display (null) in place of "meth"
- BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
- BUG/MEDIUM: cfgparse: segfault when userlist is misused
- BUG/MEDIUM: stats: properly initialize the scope before dumping stats
- BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels
- CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
- BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
- CLEANUP: checks: simplify the loop processing of tcp-checks
- BUG/MAJOR: checks: always check for end of list before proceeding
- BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
- BUG/MEDIUM: peers: apply a random reconnection timeout
- BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
- MEDIUM: init: don't stop proxies in parent process when exiting
- MINOR: peers: store the pointer to the signal handler
- MEDIUM: peers: unregister peers that were never started
- MEDIUM: config: propagate the table's process list to the peers sections
- MEDIUM: init: stop any peers section not bound to the correct process
- MEDIUM: config: validate that peers sections are bound to exactly one process
- MAJOR: peers: allow peers section to be used with nbproc > 1
- DOC: relax the peers restriction to single-process
- CLEANUP: config: fix misleading information in error message.
- MINOR: config: report the number of processes using a peers section in the error case
- BUG/MEDIUM: config: properly compute the default number of processes for a proxy
pkgsrc changes:
Thanks to "rename popcount to my_popcountl" one of patches can be removed.
mail/postfix: security update
Revisions pulled up:
- mail/postfix/Makefile 1.284
- mail/postfix/distinfo 1.160
- mail/postfix/patches/patch-ai 1.33
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 22 00:25:37 UTC 2015
Modified Files:
pkgsrc/mail/postfix: Makefile distinfo
pkgsrc/mail/postfix/patches: patch-ai
Log Message:
Update postfix to 2.11.6, security release.
With all supported Postfix releases, the default settings have been
updated so that they no longer enable export-grade ciphers, and no
longer enable the SSLv2 and SSLv3 protocols. These ciphers and
protocols have little if any legitimate use today, and have instead
become a vehicle for downgrade attacks. There are no other code
changes.
Postfix documentation has been updated to reflect the new default
settings and their rationale; the RELEASE_NOTES give suggestions
for how to enable the old ciphers and protocols if your infrastructure
requires them.
Finally, abandoning deprecated ciphers and protocols does not really
improve TLS security without measures to better authenticate remote
servers. Secure DNS and TLSA are steps in that direction.
www/apache24: security update
Revisions pulled up:
- www/apache24/Makefile 1.37
- www/apache24/distinfo 1.21
- www/apache24/patches/patch-CVE-2015-0228 deleted
- www/apache24/patches/patch-server_core__filters.c deleted
- www/apache24/patches/patch-server_protocol.c deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jul 20 00:08:35 UTC 2015
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Removed Files:
pkgsrc/www/apache24/patches: patch-CVE-2015-0228
patch-server_core__filters.c patch-server_protocol.c
Log Message:
Update apache24 to 2.4.16 (Apache HTTP Server 2.4.16).
Apache HTTP Server 2.4.16 Released
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.16 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release. NOTE: versions
2.4.13, 2.4.14 and 2.4.15 were not released.
CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.
CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.
CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
Also in this release are some exciting new features including:
*) Better default recommended SSLCipherSuite and SSLProxyCipherSuite
*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application
*) Event MPM improvements
*) Various mod_proxy_* improvements
*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms",
"us")
mail/fml4: bug fix patch
Revisions pulled up:
- mail/fml4/Makefile 1.14
- mail/fml4/distinfo 1.6
- mail/fml4/patches/patch-ac 1.3
- mail/fml4/patches/patch-ag 1.3
- mail/fml4/patches/patch-src_jcode.pl 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jul 20 00:06:18 UTC 2015
Modified Files:
pkgsrc/mail/fml4: Makefile distinfo
pkgsrc/mail/fml4/patches: patch-ac patch-ag
Added Files:
pkgsrc/mail/fml4/patches: patch-src_jcode.pl
Log Message:
Fix runtime problem with perl 5.22.
Bump PKGREVISION.
www/squid3: security update
Revisions pulled up:
- www/squid3/Makefile 1.49
- www/squid3/PLIST 1.11
- www/squid3/distinfo 1.35
- www/squid3/patches/patch-configure 1.8
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Jul 6 09:39:40 UTC 2015
Modified Files:
pkgsrc/www/squid3: Makefile PLIST distinfo
pkgsrc/www/squid3/patches: patch-configure
Log Message:
Changes 3.5.6:
* ext_edirectory_userip_acl: fix uninitialized variable
* Do not blindly forward cache peer CONNECT responses.
* Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
* Use relative-URL in errorpage.css for SN.png
* Bug 4193: Memory leak on FTP listings
* Bug 4274: ssl_crtd.8 not being installed
* Fix CONNECT failover to IPv4 after trying broken IPv6 servers
* Bug 4183: segfault when freeing https_port clientca on reconfigure or exit.
* TLS: Disable client-initiated renegotiation
* Translations: add Spanish US dialect alias
* Cleanup: replace __DATE__ and __TIME__ macros
* Fix assertion String.cc:221: "str"
* Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
* Bug 3875: bad mimeLoadIconFile error handling
* Support custom OIDs in *_cert ACLs
* Bug 3329: The server side pinned connection is not closed properly
databases/mysql56-client: bug fix patch
databases/mysql56-server: bug fix patch
Revisions pulled up:
- databases/mysql56-client/Makefile 1.17
- databases/mysql56-client/distinfo 1.25
- databases/mysql56-client/patches/patch-include_violite.h 1.1
- databases/mysql56-client/patches/patch-vio_viosslfactories.c 1.1
- databases/mysql56-server/Makefile 1.25
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Jul 14 12:09:24 UTC 2015
Modified Files:
pkgsrc/databases/mysql56-client: Makefile distinfo
Added Files:
pkgsrc/databases/mysql56-client/patches: patch-include_violite.h
patch-vio_viosslfactories.c
Log Message:
Restore SSL functionality with OpenSSL 1.0.1p
With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now
refused. MySQL hardcodes 512 bits DH parameters and will therefore
fail to run SSL connexions with OpenSSL 1.0.1p
Apply fix from upstream:
https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Jul 14 16:38:56 UTC 2015
Modified Files:
pkgsrc/databases/mysql56-server: Makefile
Log Message:
Restore SSL functionality with OpenSSL 1.0.1p (revision bump)
This change just bumps PKGREVISION after patches were added
in mysql56-client/patches which impact mysql56-server.
For the record, the commit log of those patches:
> With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now
> refused. MySQL hardcodes 512 bits DH parameters and will therefore
> fail to run SSL connexions with OpenSSL 1.0.1p
>
> Apply fix from upstream:
> https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9