textproc/libxml2: security fix
Revisions pulled up:
- textproc/libxml2/Makefile.common 1.4
- textproc/libxml2/distinfo 1.114
- textproc/libxml2/patches/patch-result_XPath_xptr_vidbase 1.1
- textproc/libxml2/patches/patch-test_XPath_xptr_vidbase 1.1
- textproc/libxml2/patches/patch-xpath.c 1.1
- textproc/libxml2/patches/patch-xpointer.c 1.4
---
Module Name: pkgsrc
Committed By: sevan
Date: Tue Dec 27 02:34:34 UTC 2016
Modified Files:
pkgsrc/textproc/libxml2: Makefile.common distinfo
Added Files:
pkgsrc/textproc/libxml2/patches: patch-result_XPath_xptr_vidbase
patch-test_XPath_xptr_vidbase patch-xpath.c patch-xpointer.c
Log Message:
Patch for CVE-2016-4658 & CVE-2016-5131
Bump rev
|
|
www/lynx: security fix
Revisions pulled up:
- www/lynx/Makefile 1.123-1.124
- www/lynx/distinfo 1.34-1.35
- www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c 1.1-1.2
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h 1.1
- www/lynx/patches/patch-src_LYUtils.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Dec 21 11:25:25 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
Added Files:
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
patch-WWW_Library_Implementation_HTTP.c
patch-WWW_Library_Implementation_HTTP.h
patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c
Log Message:
Patch for POODLE & CVE-2016-9179.
Bump rev.
---
Module Name: pkgsrc
Committed By: sevan
Date: Thu Dec 22 17:30:52 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
Log Message:
Fix broken patch committed previously which resulted in lynx crashing.
Bump rev again.
Apologies to anyone caught out by this mistake.
Heads up by alnsn@
|
|
|
|
lang/go: security update
Revisions pulled up:
- lang/go/Makefile 1.48
- lang/go/PLIST 1.28
- lang/go/distinfo 1.42,1.41
- lang/go/patches/patch-src_net_http_h2__bundle.go deleted
- lang/go/version.mk 1.21,1.18
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Dec 4 16:08:55 UTC 2016
Modified Files:
pkgsrc/lang/go: distinfo version.mk
Log Message:
Update Go to 1.7.4.
Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.4 and Go 1.7.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.7.4).
The issues addressed by these releases are:
On Darwin, user's trust preferences for root certificates were not honored. If
the user had a root certificate loaded in their Keychain that was explicitly
not trusted, a Go program would still verify a connection using that root
certificate. This is addressed by https://golang.org/cl/33721, tracked in
https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.
The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors. This is addressed by
https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.
To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/go/version.mk
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Oct 27 18:58:00 UTC 2016
Modified Files:
pkgsrc/lang/go: Makefile PLIST distinfo version.mk
Removed Files:
pkgsrc/lang/go/patches: patch-src_net_http_h2__bundle.go
Log Message:
Update Go to 1.7.3.
go1.7.2 should not be used. It was tagged but not fully released. The release
was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to
the summary of changes below.
go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the
crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3
milestone on our issue tracker for details.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/go/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/lang/go/PLIST
cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.1 -r0 \
pkgsrc/lang/go/patches/patch-src_net_http_h2__bundle.go
|
|
|
|
games/criticalmass: security fix
Revisions pulled up:
- games/criticalmass/Makefile 1.38
- games/criticalmass/distinfo 1.14
- games/criticalmass/patches/patch-Makefile.am 1.1
- games/criticalmass/patches/patch-Makefile.in 1.1
- games/criticalmass/patches/patch-aa 1.5
- games/criticalmass/patches/patch-game_Makefile.am 1.1
- games/criticalmass/patches/patch-game_Makefile.in 1.1
- games/criticalmass/patches/patch-game_main.cpp 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: dholland
Date: Sat Dec 10 21:46:52 UTC 2016
Modified Files:
pkgsrc/games/criticalmass: Makefile distinfo
pkgsrc/games/criticalmass/patches: patch-aa patch-game_main.cpp
Added Files:
pkgsrc/games/criticalmass/patches: patch-Makefile.am patch-Makefile.in
patch-game_Makefile.am patch-game_Makefile.in
Log Message:
Remove use of ancient and highly insecure curl-7.14.0; use pkgsrc curl.
Also disable online update by default. (It can be re-enabled in the
config.) PKGREVISION -> 8.
To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 pkgsrc/games/criticalmass/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/games/criticalmass/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/games/criticalmass/patches/patch-Makefile.am \
pkgsrc/games/criticalmass/patches/patch-Makefile.in \
pkgsrc/games/criticalmass/patches/patch-game_Makefile.am \
pkgsrc/games/criticalmass/patches/patch-game_Makefile.in
cvs rdiff -u -r1.4 -r1.5 pkgsrc/games/criticalmass/patches/patch-aa
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/games/criticalmass/patches/patch-game_main.cpp
|
|
devel/hdf5: security update
Revisions pulled up:
- devel/hdf5/Makefile.common 1.13-1.14
- devel/hdf5/distinfo 1.37-1.38
- devel/hdf5/patches/patch-c++_examples_Makefile.in 1.4
- devel/hdf5/patches/patch-c++_examples_run-c++-ex.sh.in 1.3
- devel/hdf5/patches/patch-examples_Makefile.in 1.4
- devel/hdf5/patches/patch-examples_run-c-ex.sh.in 1.3
- devel/hdf5/patches/patch-hl_c++_examples_Makefile.in 1.4
- devel/hdf5/patches/patch-hl_c++_examples_run-hlc++-ex.sh.in 1.3
- devel/hdf5/patches/patch-hl_examples_Makefile.in 1.4
- devel/hdf5/patches/patch-hl_examples_run-hlc-ex.sh.in 1.3
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: alnsn
Date: Sun Oct 9 18:44:35 UTC 2016
Modified Files:
pkgsrc/devel/hdf5: Makefile.common distinfo
pkgsrc/devel/hdf5/patches: patch-c++_examples_Makefile.in
patch-c++_examples_run-c++-ex.sh.in patch-examples_Makefile.in
patch-examples_run-c-ex.sh.in patch-hl_c++_examples_Makefile.in
patch-hl_c++_examples_run-hlc++-ex.sh.in
patch-hl_examples_Makefile.in patch-hl_examples_run-hlc-ex.sh.in
Log Message:
Update hdf5 to 1.8.17.
New Features
============
Configuration
-------------
- Cmakehdf5: Added Ability to Run Multiple Make Commands
Added option --njobs to specify up to how many jobs to launch during
build (cmake) and testing (ctest).
(AKC - 2015/12/13, HDFFV-9612)
- Cmakehdf5: Added Szip Support and Verbose Option
Added --with-szlib to support the Szip library; and
--enable/disable-verbose to display all CMake process output.
(AKC - 2015/11/16, HDFFV-8932 and DAILYTEST-195)
- CMake minimum is now 3.1.0. (ADB - 2015/11/14)
- Large File System (LFS) Support has Changed in the Autotools
We assume that fseeko and ftello exist.
The *64 I/O functions and types are no longer explicitly used.
We now rely on a mapping provided by _FILE_OFFSET_BITS (or its
equivalent).
_LARGEFILE(64)_SOURCE is no longer exposed via AM_CPPFLAGS.
(DER - 2016/03/29, HDFFV-9626 and HDFFV-9541)
Library
-------
- New API Calls for Searching for External Dataset Storage
API calls that determine the search path for dataset external
storage were added. H5Pset/get_efile_prefix() API calls were added
to the library. These functions give control over the search path
for dataset external storage that has been configured with
H5Pset_external().
Additionally, the HDF5_EXTFILE_PREFIX environment variable can be
used to control the search path.
(DER - 2016/04/20, HDFFV-8740)
High-Level APIs
---------------
C Packet Table API
------------------
- Replacement of a Public Function with H5PTcreate
The existing function H5PTcreate_fl limits applications so they
can use the deflate compression only. The public function
H5PTcreate has been added to replace H5PTcreate_fl. H5PTcreate
takes a property list identifier to provide flexibility on
creation properties. This also removes the following warning:
"deprecated conversion from string constant to "char*"
[-Wwrite-strings]".
(BMR - 2016/04/25, HDFFV-9708, HDFFV-8615)
- New Public Functions: H5PTget_dataset and H5PTget_type
Two accessor functions have been added. H5PTget_dataset returns
the identifier of the dataset associated with the packet table,
and H5PTget_type returns the identifier of the datatype used by
the packet table.
(BMR - 2016/04/25, HDFFV-8623 patch 3)
- Regarding #ifdef VLPT_REMOVED
The #ifdef VLPT_REMOVED blocks have been removed from the packet
table (PT) library source except for the following functions:
+ H5PTis_varlen() has been made available again
+ H5PTfree_vlen_readbuff() is now H5PTfree_vlen_buff()
(BMR - 2016/04/25, HDFFV-442)
C++ Packet Table API
--------------------
- New Constructor in FL_PacketTable
An overloaded constructor has been added to FL_PacketTable and
takes a property list identifier to provide flexibility on
creation properties such as compression.
FL_PacketTable(hid_t fileID, const char* name, hid_t dtypeID,
hsize_t chunkSize = 0, hid_t plistID = H5P_DEFAULT)
(BMR - 2016/04/25, HDFFV-8623 patch 5)
- New Member Functions in PacketTable
Two accessor wrappers were added to class PacketTable.
PacketTable::GetDataset() returns the identifier of the dataset
associated with the packet table, and PacketTable::GetDatatype()
returns the identifier of the datatype that the packet table uses.
(BMR - 2016/04/25, HDFFV-8623 patch 4)
- New Member Functions with "char*" as an Argument
Overloaded functions were added to provide the "const char*"
argument; the existing version will be deprecated in future
releases. This also removes the following warning:
"deprecated conversion from string constant to "char*"
[-Wwrite-strings]".
(BMR - 2016/04/25, HDFFV-8623 patch 1, HDFFV-8615)
- Regarding #ifdef VLPT_REMOVED
The #ifdef VLPT_REMOVED blocks have been removed from the packet
table library source code except for the following functions:
+ VL_PacketTable::IsVariableLength() was moved to PacketTable
+ VL_PacketTable::FreeReadBuff() is now PacketTable::FreeBuff()
(BMR - 2016/04/25, HDFFV-442)
C++ API
-------
- New Member Function in DSetCreatPropList
DSetCreatPropList::setNbit() was added to setup N-bit compression for
a dataset.
(BMR - 2016/04/25, HDFFV-8623 patch 7)
- New Overloaded "const" Member Functions in ArrayType
The two following functions were added:
ArrayType::getArrayNDims() const
ArrayType::getArrayDims() const
to provide const version, and the non-const version was marked
deprecated. In-memory array information, ArrayType::rank and
ArrayType::dimensions, were removed. This is an implementation
detail and should not affect applications.
(BMR, 2016/04/25, HDFFV-9725)
- New member function added
The assignment operator ArrayType::operator= is added because ArrayType
has pointer data members.
(BMR, 2016/03/07, HDFFV-9562)
Support for New Platforms, Languages, and Compilers
===================================================
- Mac OS X El Capitan 10.11.4 with compilers Apple clang/clang++
version 7.3.0 from Xcode 7.3, gfortran GNU Fortran (GCC) 5.2.0
and Intel icc/icpc/ifort version 16.0.2
Bug Fixes since HDF5-1.8.16
===========================
Configuration
-------------
- Updated Linux Language Level Flags to Match the Autotools. Removed
Linux-specific Flags from OS X.
In addition to the flags simply being out of sync with the Autotools,
the Linux flags were used on OS X builds which led to symbols not being
found. Although this was non-fatal and compilation continued (implicit
definitions were used by the compiler and the symbols resolved at link
time), a large number of warnings were raised.
Linux changes:
* CHANGED: _POSIX_C_SOURCE (from 199605 to 200112L)
* ADDED: _GNU_SOURCE
* REMOVED: _BSD_SOURCE
* REMOVED: _DEFAULT_SOURCE
(DER - 2015/12/08, HDFFV-9627)
- The --enable-clear-file-buffers configure Option was Non-functional
so the Feature was Always Enabled (its default value).
Regardless of the configure flag, the setting was always enabled when
the Autotools were used to configure HDF5. This was due to the "no"
option being processed after the "*" option in configure.ac so "*"
matched first. CMake was unaffected.
The option now works correctly.
NOTE that builders are always advised to leave this option enabled.
When disabled, buffers that are written to disk may contain the
memory's previous contents, which may include secure information.
The performance overhead of the feature (a single memset call per
allocation) is minimal.
(DER - 2016/02/03, HDFFV-9676)
- Added a patch to remove '"'s from arguments for MPI compilers that
were causing errors compiling H5lib_settings.c with SGI MPT.
(LRK - 2016/04/20, HDFFV-9439)
Library
-------
- Fixed shared file pointer problem which caused a crash when running a
program provided by a user.
(VC - 2016/04/01, HDFFV-9469)
- Fixed some format string warnings that prevent compiling with
-Werror=format-security on gcc.
These only appeared in error messages and would not cause problems
under normal operation.
(DER - 2016/01/13, HDFFV-9640)
- Fixed a library segmentation fault when accessing a corrupted
file provided by a user.
(MSC - 2016/02/19, HDFFV-9670)
Tools
-----
- h5dump: Sub-setting Fixed for Dimensions Greater than Two
When a dataset has more than two dimensions, sub-setting would
incorrectly calculate the data that needed to be displayed.
Added in block and stride calculations that account for dimensions
greater than two. NOTE: lines that have line breaks inserted
because of display length calculations may have index info that
is incorrect until the next dimension break.
(ADB - 2016/03/07, HDFFV-9698)
- h5dump: Issue with Argument Segmentation Fault
When an argument with an optional value was at the end of the command
line with a value, h5dump would crash. Reworked check for remaining
arguments.
(ADB - 2016/03/07, HDFFV-9570, HDFFV-9684)
- h5dump: Issue with Default Fill Value
Added all default cases of fill value to the display of fill value.
(ADB - 2016/03/07, HDFFV-9241)
- h5dump: Clarified Help
Clarified usage of -O F option in h5dump utility help.
(ADB - 2016/03/07, HDFFV-9066)
- h5dump: Issue with Double Free Fault
Added a check for filename not null before calling free().
(ADB - 2016/01/27, HDFFV-9639)
- VS2015 Release Changed how Timezone was Handled
Created a function, HDget_timezone, in H5system.c. Replaced
timezone variable usage with function call.
(ADB - 2015/11/02, HDFFV-9550)
C++ API
-------
- Removal of Obsolete Methods
The overloaded methods which had parameters that should be const
but were not have been removed.
(BMR - 2016/01/13, HDFFV-9789)
High-Level APIs:
---------------
- Fixed Memory Leak in Packet Table API
Applied user's patch to fix memory leak in the creation of a
packet table.
(BMR - 2016/04/25, HDFFV-9700)
Known Problems
==============
* On Windows platforms in debug configurations, the VFD flush1 tests will fail
with the split and multi VFD drivers. These tests will display a modal debug
dialog which must be answered or wait for the test timeout to expire.
(ADB - 2014/06/23 - HDFFV-8851)
* CLANG compiler with the options -fcatch-undefined-behavior and -ftrapv
catches some undefined behavior in the alignment algorithm of the macro DETECT_I
in H5detect.c (Issue 8147). Since the algorithm is trying to detect the alignment
of integers, ideally the flag -fcatch-undefined-behavior shouldn't be used for
H5detect.c. In the future, we can separate flags for H5detect.c from the rest of
the library. (SLU - 2013/10/16)
* Make provided by Solaris fails in "make check". Solaris users should use
gmake to build and install the HDF5 software. (AKC - 2013/10/08 - HDFFV-8534)
* The C++ and FORTRAN bindings are not currently working on FreeBSD with the
native release 8.2 compilers (4.2.1), but are working with gcc 4.6 from the
ports (and probably gcc releases after that).
(QAK - 2012/10/19)
* The following h5dump test case fails in BG/P machines (and potentially other
machines that use a command script to launch executables):
h5dump --no-compact-subset -d "AHFINDERDIRECT::ah_centroid_t[0] it=0 tl=0"
tno-subset.h5
This is due to the embedded spaces in the dataset name being interpreted
by the command script launcher as meta-characters, thus passing three
arguments to h5dump's -d flag. The command passes if run by hand, just
not via the test script.
(AKC - 2012/05/03)
* The STDIO VFD does not work on some architectures, possibly due to 32/64
bit or large file issues. The basic STDIO VFD test is known to fail on
64-bit SunOS 5.10 on SPARC when built with -m64 and 32-bit OS X/Darwin
10.7.0. The STDIO VFD test has been disabled while we investigate and
a fix should appear in a future release.
(DER - 2011/10/14 - HDFFV-8235)
* h5diff can report inconsistent results when comparing datasets of enum type
that contain invalid values. This is due to how enum types are handled in
the library and will be addressed in a future release.
(DER - 2011/10/14 - HDFFV-7527)
* The links test can fail under the stdio VFD due to some issues with external
links. This will be investigated and fixed in a future release.
(DER - 2011/10/14 - HDFFV-7768)
* After the shared library support was fixed for some bugs, it was discovered
that "make prefix=XXX install" no longer works for shared libraries. It
still works correctly for static libraries. Therefore, if you want to
install the HDF5 shared libraries in a location such as /usr/local/hdf5,
you need to specify the location via the --prefix option during configure
time. E.g, ./configure --prefix=/usr/local/hdf5 ...
(AKC - 2011/05/07 - HDFFV-7583)
* The parallel test, t_shapesame, in testpar/, may run for a long time and may
be terminated by the alarm signal. If that happens, one can increase the
alarm seconds (default is 1200 seconds = 20 minutes) by setting the
environment variable, $HDF5_ALARM_SECONDS, to a larger value such as 3600
(60 minutes). Note that the t_shapesame test may fail in some systems
(see the "While working on the 1.8.6 release..." problem below). If
it does, it will waste more time if $HDF5_ALARM_SECONDS is set
to a larger value.
(AKC - 2011/05/07)
* Shared Fortran libraries are not quite working on AIX. While they are
generated when --enable-shared is specified, the fortran and hl/fortran
tests fail. the issue. HL and C++ shared libraries should now be
working as intended, however.
(MAM - 2011/04/20)
* While working on the 1.8.6 release of HDF5, a bug was discovered that can
occur when reading from a dataset in parallel shortly after it has been
written to collectively. The issue was exposed by a new test in the parallel
HDF5 test suite, but had existed before that. We believe the problem lies with
certain MPI implementations and/or file systems.
We have provided a pure MPI test program, as well as a standalone HDF5
program, that can be used to determine if this is an issue on your system.
They should be run across multiple nodes with a varying number of processes.
These programs can be found at:
http://www.hdfgroup.org/ftp/HDF5/examples/known_problems/
(NAF - 2011/01/19)
* All the VFL drivers aren't backward compatible. In H5FDpublic.h, the
structure H5FD_class_t changed in 1.8. There is a new parameter added to
get_eoa and set_eoa callback functions. A new callback function
get_type_map was added in. The public function H5FDrealloc was taken
out in 1.8. The problem only happens when users define their own driver
for 1.6 and try to plug in 1.8 library. Because there's only one user
complaining about it, we (Elena, Quincey, and I) decided to leave it as
it is (see bug report #1279). Quincey will make a plan for 1.10.
(SLU - 2010/02/02)
* The --enable-static-exec configure flag will only statically link libraries
if the static version of that library is present. If only the shared version
of a library exists (i.e., most system libraries on Solaris, AIX, and Mac,
for example, only have shared versions), the flag should still result in a
successful compilation, but note that the installed executables will not be
fully static. Thus, the only guarantee on these systems is that the
executable is statically linked with just the HDF5 library.
(MAM - 2009/11/04)
* A dataset created or rewritten with a v1.6.3 library or after cannot be read
with the v1.6.2 library or before when the Fletcher32 EDC filter is enabled.
There was a bug in the calculation of the Fletcher32 checksum in the
library before v1.6.3; the checksum value was not consistent between big-
endian and little-endian systems. This bug was fixed in Release 1.6.3.
However, after fixing the bug, the checksum value was no longer the same as
before on little-endian system. Library releases after 1.6.4 can still read
datasets created or rewritten with an HDF5 library of v1.6.2 or before.
(SLU - 2005/06/30)
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/hdf5/Makefile.common
cvs rdiff -u -r1.36 -r1.37 pkgsrc/devel/hdf5/distinfo
cvs rdiff -u -r1.3 -r1.4 \
pkgsrc/devel/hdf5/patches/patch-c++_examples_Makefile.in \
pkgsrc/devel/hdf5/patches/patch-examples_Makefile.in \
pkgsrc/devel/hdf5/patches/patch-hl_c++_examples_Makefile.in \
pkgsrc/devel/hdf5/patches/patch-hl_examples_Makefile.in
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/devel/hdf5/patches/patch-c++_examples_run-c++-ex.sh.in \
pkgsrc/devel/hdf5/patches/patch-examples_run-c-ex.sh.in \
pkgsrc/devel/hdf5/patches/patch-hl_c++_examples_run-hlc++-ex.sh.in \
pkgsrc/devel/hdf5/patches/patch-hl_examples_run-hlc-ex.sh.in
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: alnsn
Date: Sat Dec 3 18:56:36 UTC 2016
Modified Files:
pkgsrc/devel/hdf5: Makefile.common distinfo
Log Message:
Update devel/hdf5 and devel/hdf5-c++ to version 1.8.18.
New Features
============
Configuration
-------------
- CMake: Added NAMESPACE hdf5:: to package configuration files to allow
projects using installed HDF5 binaries built with CMake to link with
them without specifying the HDF5 library location via IMPORTED_LOCATION.
(ADB, 2016/10/17, HDFFV-10003)
- CMake: Changed the CTEST_BUILD_CONFIGURATION option to
CTEST_CONFIGURATION_TYPE as recommended by the CMake documentation.
(ADB, 2016/10/17, HDFFV-9971)
- CMake: Added support for GIT
(ADB, 2016/07/12)
Bug Fixes since HDF5-1.8.17
===========================
Configuration
-------------
- Fixed a problem preventing HDF5 to be built on 32-bit CYGWIN by
condensing cygwin configuration files into a single file and
removing outdated compiler settings.
(ABD, 2016/07/12, HDFFV-9946)
- CMake: Fixed a command length overflow error by converting custom
commands inside CMakeTest.cmake files into regular dependencies and
targets.
(ABD, 2016/07/12, HDFFV-9939)
- CMake: Fixed a timeout error that would occasionally occur when running
the virtual file driver tests simultaneously due to test directory and file
name collisions.
(ABD, 2016/09/19, HDFFV-9431)
Library
-------
- Fixed a memory leak that would occur when the library allocated memory
for an external file prefix (H5Pset_efile_prefix) and failed to free it.
(DER, 2016/04/29)
- Fixed an error that would occur when calling H5Adelete on an attribute
which is attached to an externally linked object in the target file and
whose datatype is a committed datatype in the main file.
(VC, 2016-07-04, HDFFV-9940)
- Fixed a problem where a plugin compiled into a DLL in the default plugin
directory could not be found by the HDF5 library at runtime on Windows
when the HDF5_PLUGIN_PATH environment variable was not set.
(ABD, 2016/08/01, HDFFV-9706)
- Fixed an issue where H5Pset_alignment could result in misaligned blocks
with some input combinations, causing an assertion failure in debug mode.
(NAF, 2016/08/11, HDFFV-9948)
- A number of issues were fixed when reading/writing from/to corrupted
files to ensure that the library fails gracefully in these cases:
* Writing to a corrupted file that has an object message which is
incorrectly marked as sharable on disk results in a buffer overflow /
invalid write instead of a clean error message.
* Decoding data from a corrupted file with a dataset encoded with the
H5Z_NBIT decoding can result in a code execution vulnerability under
the context of the application using the HDF5 library.
* When decoding an array datatype from a corrupted file, the HDF5 library
fails to return an error in production if the number of dimensions
decoded is greater than the maximum rank.
* When decoding an "old style" array datatype from a corrupted file, the
HDF5 library fails to return an error in production if the number of
dimensions decoded is greater than the maximum rank.
(NAF, 2016/10/06, HDFFV-9950, HDFFV-9951, HDFFV-9992, HDFFV-9993)
- Fixed an error that would occur when copying an object with an attribute
which is a compound datatype consisting of a variable length string.
(VC, 2016-10-17, HDFFV-7991)
Parallel Library
----------------
- Fixed a bug that could occur when allocating a chunked dataset in parallel
with an alignment set and an alignment threshold greater than the chunk
size but less than or equal to the raw data aggregator size.
(NAF, 2016/08/11, HDFFV-9969)
Performance
-------------
- None
Tools
-----
- Fixed an error in the compiler wrapper scripts (h5cc, h5fc, et al.)
in which they would erroneously drop the file argument specified via
the -o flag when the -o flag was specified before the -c flag on the
command line, resulting in a failure to compile.
(LRK, 2016/06/08, HDFFV-9938, HDFFV-9530)
- h5repack User Defined (UD) filter parameters were not parsed correctly.
The UD filter parameters were not being parsed correctly. Reworked coding
section to parse the correct values and verify number of parameters.
(ADB, 2016/10/19, HDFFV-9996, HDFFV-9974, HDFFV-9515, HDFFV-9039)
Fortran API
-----------
- Fortran library fails to compile and fails tests with NAG compiler.
* Removed the non-standard assumption that KIND=SIZEOF, in the HDF5
configure programs.
* Removed Fortran 66 character/integer conversions from tests.
* Removed the use of C_SIZEOF in the test programs
* Changed to using STORAGE_SIZE in the test programs if available. Otherwise,
uses C_SIZEOF or SIZEOF.
(MSB, 2016/9/22, HDFFV-9973)
- Fortran segfaults for F03 tests with NAG compiler
* Removed INTENT(OUT) from 'fillvalue' in F2003 interface
for H5Pget_fill_value_f.
(MSB, 2016/9/22, HDFFV-9980)
C++ API
-------
- The macro H5_NO_NAMESPACE is deprecated from the HDF5 C++ API library.
In future releases, the macros H5_NO_STD and OLD_HEADER_FILENAME may
also be removed.
(BMR, 2016/10/27, HDFFV-9532)
High-Level APIs:
---------------
- The high-level API Packet Table (PT) did not write data correctly when
the datatype is a compound type that has string type as one of the
members. This problem started in 1.8.15, after the fix of HDFFV-9042
was applied, which caused the Packet Table to use native type to access
the data. It should be up to the application to specify whether the
buffer to be read into memory is in the machine’s native architecture.
Thus, the PT is fixed to not use native type but to make a copy of the
user's provided datatype during creation or the packet table's datatype
during opening. If an application wishes to use native type to read the
data, then the application will request that. However, the Packet Table
doesn't provide a way to specify memory datatype in this release. This
feature will be available in future releases, HDFFV-10023.
(BMR, 2016/10/27, HDFFV-9758)
Fortran High-Level APIs:
------------------------
- None
Testing
-------
- None
Supported Platforms
===================
The following platforms are supported and have been tested for this release.
They are built with the configure process unless specified otherwise.
Linux 2.6.32-573.22.1.el6     GNU C (gcc), Fortran (gfortran), C++ (g++)
#1 SMP x86_64 GNU/Linux       compilers:
(platypus/mayll)                Version 4.4.7 20120313
                                Versions 4.8.4, 4.9.3, 5.2.0
                              PGI C, Fortran, C++ for 64-bit target on
                              x86-64;
                                Version 15.7-0
                              Intel(R) C (icc), C++ (icpc), Fortran (icc)
                              compilers:
                                Version 15.0.3.187 Build 20150407
                              MPICH 3.1.4 compiled with GCC 4.9.3
Linux 2.6.32-573.18.1.el6     gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
#1 SMP ppc64 GNU/Linux        g++ (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
(ostrich)                     GNU Fortran (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
                              IBM XL C/C++ V13.1
                              IBM XL Fortran V15.1
Linux 3.10.0-327.10.1.el7     GNU C (gcc), Fortran (gfortran), C++ (g++)
#1 SMP x86_64 GNU/Linux       compilers:
(kituo/moohan)                  Version 4.8.5 20150623 (Red Hat 4.8.5-4)
                                Versions 4.9.3, 5.2.0
                              Intel(R) C (icc), C++ (icpc), Fortran (icc)
                              compilers:
                                Version 15.0.3.187 Build 20150407
                              MPICH 3.1.4 compiled with GCC 4.9.3
SunOS 5.11 32- and 64-bit     Sun C 5.12 SunOS_sparc
(emu)                         Sun Fortran 95 8.6 SunOS_sparc
                              Sun C++ 5.12 SunOS_sparc
Windows 7                     Visual Studio 2012 w/ Intel Fortran 15 (cmake)
                              Visual Studio 2013 w/ Intel Fortran 15 (cmake)
                              Visual Studio 2015 w/ Intel Fortran 16 (cmake)
                              Cygwin(CYGWIN_NT-6.1 2.2.1(0.289/5/3) gcc(4.9.3) compiler and gfortran)
                              (cmake and autotools)
Windows 7 x64                 Visual Studio 2012 w/ Intel Fortran 15 (cmake)
                              Visual Studio 2013 w/ Intel Fortran 15 (cmake)
                              Visual Studio 2015 w/ Intel Fortran 16 (cmake)
Windows 10                    Visual Studio 2015 w/ Intel Fortran 16 (cmake)
Windows 10 x64                Visual Studio 2015 w/ Intel Fortran 16 (cmake)
Mac OS X Mt. Lion 10.8.5      Apple LLVM version 5.1 (clang-503.0.40)
64-bit                        gfortran GNU Fortran (GCC) 4.8.2
(swallow/kite)                Intel icc/icpc/ifort version 15.0.3
Mac OS X Mavericks 10.9.5     Apple LLVM version 6.0 (clang-600.0.57)
64-bit                        gfortran GNU Fortran (GCC) 4.9.2
(wren/quail)                  Intel icc/icpc/ifort version 15.0.3
Mac OS X Yosemite 10.10.5     Apple LLVM version 6.1 (clang-602.0.53)
64-bit                        gfortran GNU Fortran (GCC) 4.9.2
(osx1010dev/osx1010test)      Intel icc/icpc/ifort version 15.0.3
Mac OS X El Capitan 10.11.4   Apple LLVM version 7.3.0 (clang-703.0.29)
64-bit                        gfortran GNU Fortran (GCC) 5.2.0
(VM osx1011dev/osx1011test)   Intel icc/icpc/ifort version 16.0.2
Tested Configuration Features Summary
=====================================
In the tables below
y = tested
n = not tested in this release
C = Cluster
W = Workstation
x = not working in this release
dna = does not apply
( ) = footnote appears below second table
<blank> = testing incomplete on this feature or platform
Platform                              C         F90/   F90       C++  zlib  SZIP
                                      parallel  F2003  parallel
SunOS 5.11 32-bit                     n         y/y    n         y    y     y
SunOS 5.11 64-bit                     n         y/y    n         y    y     y
Windows 7                             y         y/y    n         y    y     y
Windows 7 x64                         y         y/y    n         y    y     y
Windows 7 Cygwin                      n         y/y    n         y    y     n
Windows 10                            n         y/y    n         y    y     y
Windows 10 x64                        n         y/y    n         y    y     y
Mac OS X Mountain Lion 10.8.5 64-bit  n         y/y    n         y    y     y
Mac OS X Mavericks 10.9.5 64-bit      n         y/y    n         y    y     y
Mac OS X Yosemite 10.10.5 64-bit      n         y/y    n         y    y     y
AIX 6.1 32- and 64-bit                n         y/n    n         y    y     y
CentOS 6.7 Linux 2.6.32 x86_64 GNU    y         y/y    y         y    y     y
CentOS 6.7 Linux 2.6.32 x86_64 Intel  n         y/y    n         y    y     y
CentOS 6.7 Linux 2.6.32 x86_64 PGI    n         y/y    n         y    y     y
CentOS 7.1 Linux 3.10.0 x86_64 GNU    y         y/y    y         y    y     y
CentOS 7.1 Linux 3.10.0 x86_64 Intel  n         y/y    n         y    y     y
Linux 2.6.32-431.11.2.el6.ppc64       n         y/n    n         y    y     y
Platform                              Shared    Shared    Shared    Thread-
                                      C libs    F90 libs  C++ libs  safe
SunOS 5.11 32-bit                     y         y         y         y
SunOS 5.11 64-bit                     y         y         y         y
Windows 7                             y         y         y         y
Windows 7 x64                         y         y         y         y
Windows 7 Cygwin                      n         n         n         y
Windows 10                            y         y         y         y
Windows 10 x64                        y         y         y         y
Mac OS X Mountain Lion 10.8.5 64-bit  y         n         y         y
Mac OS X Mavericks 10.9.5 64-bit      y         n         y         y
Mac OS X Yosemite 10.10.5 64-bit      y         n         y         y
AIX 6.1 32- and 64-bit                y         n         n         y
CentOS 6.7 Linux 2.6.32 x86_64 GNU    y         y         y         y
CentOS 6.7 Linux 2.6.32 x86_64 Intel  y         y         y         y
CentOS 6.7 Linux 2.6.32 x86_64 PGI    y         y         y         y
CentOS 7.1 Linux 3.10.0 x86_64 GNU    y         y         y         y
CentOS 7.1 Linux 3.10.0 x86_64 Intel  y         y         y         y
Linux 2.6.32-431.11.2.el6.ppc64       y         y         y         y
Compiler versions for each platform are listed in the preceding
"Supported Platforms" table.
More Tested Platforms
=====================
The following platforms are not supported but have been tested for this release.
Linux 2.6.32-573.22.1.el6 g95 (GCC 4.0.3 (g95 0.94!)
#1 SMP x86_64 GNU/Linux
(platypus)
Debian8.4.0 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1 x86_64 GNU/Linux
gcc (Debian 4.9.2-10) 4.9.2
GNU Fortran (Debian 4.9.2-10) 4.9.2
(cmake and autotools)
Fedora24 4.7.2-201.fc24.x86_64 #1 SMP x86_64 x86_64 x86_64 GNU/Linux
gcc (GCC) 6.1.1 20160621 (Red Hat 6.1.1-3)
GNU Fortran (GCC) 6.1.1 20160621 (Red Hat 6.1.1-3)
(cmake and autotools)
CentOS 7.2 3.10.0-327.28.2.el7.x86_64 #1 SMP x86_64 x86_64 x86_64 GNU/Linux
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4)
GNU Fortran (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4)
(cmake and autotools)
Ubuntu 16.04 4.4.0-38-generic #62-Ubuntu SMP x86_64 GNU/Linux
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.2) 5.4.0
GNU Fortran (Ubuntu 5.4.0-6ubuntu1~16.04.2) 5.4.0
(cmake and autotools)
Known Problems
==============
* On Windows platforms in debug configurations, the VFD flush1 tests will fail
with the split and multi VFD drivers. These tests will display a modal debug
dialog which must be answered or wait for the test timeout to expire.
(ADB - 2014/06/23 - HDFFV-8851)
* CLANG compiler with the options -fcatch-undefined-behavior and -ftrapv
catches some undefined behavior in the alignment algorithm of the macro DETECT_I
in H5detect.c (Issue 8147). Since the algorithm is trying to detect the alignment
of integers, ideally the flag -fcatch-undefined-behavior shouldn't be used for
H5detect.c. In the future, we can separate flags for H5detect.c from the rest of
the library. (SLU - 2013/10/16)
* Make provided by Solaris fails in "make check". Solaris users should use
gmake to build and install the HDF5 software. (AKC - 2013/10/08 - HDFFV-8534)
* The C++ and FORTRAN bindings are not currently working on FreeBSD with the
native release 8.2 compilers (4.2.1), but are working with gcc 4.6 from the
ports (and probably gcc releases after that).
(QAK - 2012/10/19)
* The following h5dump test case fails in BG/P machines (and potentially other
machines that use a command script to launch executables):
h5dump --no-compact-subset -d "AHFINDERDIRECT::ah_centroid_t[0] it=0 tl=0"
tno-subset.h5
This is due to the embedded spaces in the dataset name being interpreted
by the command script launcher as meta-characters, thus passing three
arguments to h5dump's -d flag. The command passes if run by hand, just
not via the test script.
(AKC - 2012/05/03)
* The STDIO VFD does not work on some architectures, possibly due to 32/64
bit or large file issues. The basic STDIO VFD test is known to fail on
64-bit SunOS 5.10 on SPARC when built with -m64 and 32-bit OS X/Darwin
10.7.0. The STDIO VFD test has been disabled while we investigate and
a fix should appear in a future release.
(DER - 2011/10/14 - HDFFV-8235)
* h5diff can report inconsistent results when comparing datasets of enum type
that contain invalid values. This is due to how enum types are handled in
the library and will be addressed in a future release.
(DER - 2011/10/14 - HDFFV-7527)
* The links test can fail under the stdio VFD due to some issues with external
links. This will be investigated and fixed in a future release.
(DER - 2011/10/14 - HDFFV-7768)
* After the shared library support was fixed for some bugs, it was discovered
that "make prefix=XXX install" no longer works for shared libraries. It
still works correctly for static libraries. Therefore, if you want to
install the HDF5 shared libraries in a location such as /usr/local/hdf5,
you need to specify the location via the --prefix option during configure
time. E.g, ./configure --prefix=/usr/local/hdf5 ...
(AKC - 2011/05/07 - HDFFV-7583)
* The parallel test, t_shapesame, in testpar/, may run for a long time and may
be terminated by the alarm signal. If that happens, one can increase the
alarm seconds (default is 1200 seconds = 20 minutes) by setting the
environment variable, $HDF5_ALARM_SECONDS, to a larger value such as 3600
(60 minutes). Note that the t_shapesame test may fail in some systems
(see the "While working on the 1.8.6 release..." problem below). If
it does, it will waste more time if $HDF5_ALARM_SECONDS is set
to a larger value.
(AKC - 2011/05/07)
* Shared Fortran libraries are not quite working on AIX. While they are
generated when --enable-shared is specified, the fortran and hl/fortran
tests fail. the issue. HL and C++ shared libraries should now be
working as intended, however.
(MAM - 2011/04/20)
* While working on the 1.8.6 release of HDF5, a bug was discovered that can
occur when reading from a dataset in parallel shortly after it has been
written to collectively. The issue was exposed by a new test in the parallel
HDF5 test suite, but had existed before that. We believe the problem lies with
certain MPI implementations and/or file systems.
We have provided a pure MPI test program, as well as a standalone HDF5
program, that can be used to determine if this is an issue on your system.
They should be run across multiple nodes with a varying number of processes.
These programs can be found at:
http://www.hdfgroup.org/ftp/HDF5/examples/known_problems/
(NAF - 2011/01/19)
* All the VFL drivers aren't backward compatible. In H5FDpublic.h, the
structure H5FD_class_t changed in 1.8. There is a new parameter added to
get_eoa and set_eoa callback functions. A new callback function
get_type_map was added in. The public function H5FDrealloc was taken
out in 1.8. The problem only happens when users define their own driver
for 1.6 and try to plug in 1.8 library. Because there's only one user
complaining about it, we (Elena, Quincey, and I) decided to leave it as
it is (see bug report #1279). Quincey will make a plan for 1.10.
(SLU - 2010/02/02)
* The --enable-static-exec configure flag will only statically link libraries
if the static version of that library is present. If only the shared version
of a library exists (i.e., most system libraries on Solaris, AIX, and Mac,
for example, only have shared versions), the flag should still result in a
successful compilation, but note that the installed executables will not be
fully static. Thus, the only guarantee on these systems is that the
executable is statically linked with just the HDF5 library.
(MAM - 2009/11/04)
* A dataset created or rewritten with a v1.6.3 library or after cannot be read
with the v1.6.2 library or before when the Fletcher32 EDC filter is enabled.
There was a bug in the calculation of the Fletcher32 checksum in the
library before v1.6.3; the checksum value was not consistent between big-
endian and little-endian systems. This bug was fixed in Release 1.6.3.
However, after fixing the bug, the checksum value was no longer the same as
before on little-endian system. Library releases after 1.6.4 can still read
datasets created or rewritten with an HDF5 library of v1.6.2 or before.
(SLU - 2005/06/30)
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/hdf5/Makefile.common
cvs rdiff -u -r1.37 -r1.38 pkgsrc/devel/hdf5/distinfo
|
|
devel/subversion: security update
devel/p5-subversion: security update
devel/ruby-subversion: security update
Revisions pulled up:
- devel/p5-subversion/Makefile 1.94
- devel/ruby-subversion/Makefile 1.60
- devel/subversion/Makefile 1.61
- devel/subversion/Makefile.version 1.78
- devel/subversion/distinfo 1.106
- devel/subversion/files/build-outputs.mk 1.33
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Nov 29 20:12:41 UTC 2016
Modified Files:
pkgsrc/devel/p5-subversion: Makefile
pkgsrc/devel/ruby-subversion: Makefile
pkgsrc/devel/subversion: Makefile Makefile.version distinfo
pkgsrc/devel/subversion/files: build-outputs.mk
Log Message:
Update Subversion to 1.9.5.
This release fixes one security issue:
CVE-2016-8734:
Unrestricted XML entity expansion in mod_dontdothat and Subversion
clients using http(s)://
http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/p5-subversion/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/devel/ruby-subversion/Makefile
cvs rdiff -u -r1.60 -r1.61 pkgsrc/devel/subversion/Makefile
cvs rdiff -u -r1.77 -r1.78 pkgsrc/devel/subversion/Makefile.version
cvs rdiff -u -r1.105 -r1.106 pkgsrc/devel/subversion/distinfo
cvs rdiff -u -r1.32 -r1.33 pkgsrc/devel/subversion/files/build-outputs.mk
|
|
lang/guile20: build fix
Revisions pulled up:
- lang/guile20/distinfo 1.4
- lang/guile20/patches/patch-libguile_stime.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Wed Oct 19 14:55:27 UTC 2016
Modified Files:
pkgsrc/lang/guile20: distinfo
Log Message:
Fix building on Darwin.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/guile20/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Wed Oct 19 14:56:17 UTC 2016
Added Files:
pkgsrc/lang/guile20/patches: patch-libguile_stime.c
Log Message:
Fix building on Darwin.
To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/guile20/patches/patch-libguile_stime.c
|
|
|
|
textproc/libxml2: security fix
Revisions pulled up:
- textproc/libxml2/Makefile.common 1.3
- textproc/libxml2/distinfo 1.113
- textproc/libxml2/patches/patch-parseInternals.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Nov 30 14:46:22 UTC 2016
Modified Files:
pkgsrc/textproc/libxml2: Makefile.common distinfo
Added Files:
pkgsrc/textproc/libxml2/patches: patch-parseInternals.c
Log Message:
Patch CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726
Bump rev.
|
|
archivers/p7zip: security fix
Revisions pulled up:
- archivers/p7zip/Makefile 1.64
- archivers/p7zip/distinfo 1.51
- archivers/p7zip/patches/patch-CPP_7zip_Archive_7z_7zIn.cpp 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Nov 30 14:29:09 UTC 2016
Modified Files:
pkgsrc/archivers/p7zip: Makefile distinfo
Added Files:
pkgsrc/archivers/p7zip/patches: patch-CPP_7zip_Archive_7z_7zIn.cpp
Log Message:
Add patch for CVE-2016-9296 https://sourceforge.net/p/p7zip/bugs/185/
Bump rev
|
|
textproc/php-mecab: build fix
Revisions pulled up:
- textproc/php-mecab/Makefile 1.12
- textproc/php-mecab/PLIST.extras 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Nov 27 14:55:30 UTC 2016
Modified Files:
pkgsrc/textproc/php-mecab: Makefile PLIST.extras
Log Message:
Solve build problem after enabling use of ${PREFIX}/etc/php.d and incomplete
fix of previous commit.
Bump PKGREVISION due to PLIST change.
|
|
www/drupal7: security fix
Revisions pulled up:
- www/drupal7/Makefile 1.40-1.42
- www/drupal7/PLIST 1.15
- www/drupal7/distinfo 1.31-1.32
---
Module Name: pkgsrc
Committed By: wen
Date: Fri Oct 21 14:31:30 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile PLIST distinfo
Log Message:
Update to 7.51
Upstream changes:
Drupal 7.51, 2016-10-05
-----------------------
- The Update module now also checks for updates to a disabled theme that is
used as an admin theme.
- Exceptions thrown in dblog_watchdog() are now caught and ignored.
- Clarified the warning that appears when modules are missing or have moved.
- Log messages are now XSS filtered on display.
- Draggable tables now work on touch screen devices.
- Added a setting for allowing double underscores in CSS identifiers
(https://www.drupal.org/node/2810369).
- If a user navigates away from a page while an Ajax request is running they
will no longer get an error message saying "An Ajax HTTP request terminated
abnormally".
- The system_region_list() API function now takes an optional third parameter
which allows region name translations to be skipped when they are not needed
(API addition: https://www.drupal.org/node/2810365).
- Numerous performance improvements.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
Drupal 7.50, 2016-07-07
-----------------------
- Added a new "administer fields" permission for trusted users, which is
required in addition to other permissions to use the field UI
(https://www.drupal.org/node/2483307).
- Added clickjacking protection to Drupal core by setting the X-Frame-Options
header to SAMEORIGIN by default (https://www.drupal.org/node/2735873).
- Added support for full UTF-8 (emojis, Asian symbols, mathematical symbols) on
MySQL and other database drivers when the site and database are configured to
allow it (https://www.drupal.org/node/2761183).
- Improved performance by avoiding a re-scan of directories when a file is
missing; instead, trigger a PHP warning (minor API change:
https://www.drupal.org/node/2581445).
- Made it possible to use any PHP callable in Ajax form callbacks, form API
form-building functions, and form API wrapper callbacks (API addition:
https://www.drupal.org/node/2761169).
- Fixed that following a password reset link while logged in leaves users unable
to change their password (minor user interface change:
https://www.drupal.org/node/2759023).
- Implemented various fixes for automated test failures on PHP 5.4+ and PHP 7.
Drupal core automated tests now pass in these environments.
- Improved support for PHP 7 by fixing various problems.
- Fixed various bugs with PHP 5.5+ imagerotate(), including when incorrect
color indices are passed in.
- Fixed a regression introduced in Drupal 7.43 that allowed files uploaded by
anonymous users to be lost after form validation errors, and that also caused
regressions with certain contributed modules.
- Fixed a regression introduced in Drupal 7.36 which caused the default value
of hidden textarea fields to be ignored.
- Fixed robots.txt to allow search engines to access CSS, JavaScript and image
files.
- Changed wording on the Update Manager settings page to clarify that the
option to check for disabled module updates also applies to uninstalled
modules (administrative-facing translatable string change).
- Changed the help text when editing menu links and configuring URL redirect
actions so that it does not reference "Drupal" or the drupal.org website
(administrative-facing translatable string change).
- Fixed the locale safety check that is used to ensure that translations are
safe to allow for tokens in the href/src attributes of translated strings.
- Fixed that URL generation only works on port 80 when using domain based
language negotiation.
- Made method="get" forms work inside the administrative overlay. The fix adds
a new hidden field to these forms when they appear inside the overlay (minor
data structure change).
- Increased maxlength of menu link title input fields in the node form and
menu link form from 128 to 255 characters.
- Removed meaningless post-check=0 and pre-check=0 cache control headers from
Drupal HTTP responses.
- Added a .editorconfig file to auto-configure editors that support it.
- Added --directory option to run-tests.sh for easier test discovery of all
tests within a project.
- Made run-tests.sh exit with a failure code when there are test fails or
problems running the script.
- Fixed that cookies from previous tests are still present when a new test
starts in DrupalWebTestCase.
- Improved performance of queries on the {authmap} database table.
- Fixed handling of missing files and functions inside the registry.
- Fixed Ajax handling for tableselect form elements that use checkboxes.
- Fixed a bug which caused ip_address() to return nothing when the client IP
address and proxy IP address are the same.
- Added a new option to format_xml_elements() to allow for already encoded
values.
- Changed the {history} table's node ID field to be an unsigned integer, to
match the same field in the {node} table and to prevent errors with very
large node IDs.
- Added an explicit page callback to the "admin/people/create" menu item in the
User module (minor data structure change). Previously this automatically
inherited the page callback from the parent "admin/people" menu item, which
broke contributed modules that override the "admin/people" page.
- Numerous small bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
---
Module Name: pkgsrc
Committed By: wen
Date: Sat Oct 22 07:44:03 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile
Log Message:
Add missing php module.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Nov 17 14:18:39 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile distinfo
Log Message:
Update drupal7 to 7.52 (Drupal 7.52), including security fix.
Drupal 7.52, 2016-11-16
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-005.
|
|
|
|
net/wpa_gui: security fix
Revisions pulled up:
- net/wpa_gui/Makefile 1.27-1.28
- net/wpa_gui/PLIST 1.2
- net/wpa_gui/distinfo 1.8
---
Module Name: pkgsrc
Committed By: abs
Date: Fri Oct 28 06:24:35 UTC 2016
Modified Files:
pkgsrc/net/wpa_gui: Makefile PLIST
Log Message:
Reduce some of the mystery of life for users of wpa_gui binary packages
- add the man page.
Bump pkgrevision
---
Module Name: pkgsrc
Committed By: maya
Date: Wed Nov 16 15:57:29 UTC 2016
Modified Files:
pkgsrc/net/wpa_gui: Makefile distinfo
Log Message:
wpa_gui: update to v2.6
ChangeLog for wpa_supplicant (and also _gui):
2016-10-02 - v2.6
* fixed WNM Sleep Mode processing when PMF is not enabled
[http://w1.fi/security/2015-6/] (CVE-2015-5310)
* fixed EAP-pwd last fragment validation
[http://w1.fi/security/2015-7/] (CVE-2015-5315)
* fixed EAP-pwd unexpected Confirm message processing
[http://w1.fi/security/2015-8/] (CVE-2015-5316)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476)
* fixed configuration update vulnerability with malformed parameters set
over the local control interface
[http://w1.fi/security/2016-1/] (CVE-2016-4477)
* fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
* extended channel switch support for P2P GO
* started to throttle control interface event message bursts to avoid
issues with monitor sockets running out of buffer space
* mesh mode fixes/improvements
- generate proper AID for peer
- enable WMM by default
- add VHT support
- fix PMKID derivation
- improve robustness on various exchanges
- fix peer link counting in reconnect case
- improve mesh joining behavior
- allow DTIM period to be configured
- allow HT to be disabled (disable_ht=1)
- add MESH_PEER_ADD and MESH_PEER_REMOVE commands
- add support for PMKSA caching
- add minimal support for SAE group negotiation
- allow pairwise/group cipher to be configured in the network profile
- use ieee80211w profile parameter to enable/disable PMF and derive
a separate TX IGTK if PMF is enabled instead of using MGTK
incorrectly
- fix AEK and MTK derivation
- remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
- note: these changes are not fully backwards compatible for secure
(RSN) mesh network
* fixed PMKID derivation with SAE
* added support for requesting and fetching arbitrary ANQP-elements
without internal support in wpa_supplicant for the specific element
(anqp[265]=<hexdump> in "BSS <BSSID>" command output)
* P2P
- filter control characters in group client device names to be
consistent with other P2P peer cases
- support VHT 80+80 MHz and 160 MHz
- indicate group completion in P2P Client role after data association
instead of already after the WPS provisioning step
- improve group-join operation to use SSID, if known, to filter BSS
entries
- added optional ssid=<hexdump> argument to P2P_CONNECT for join case
- added P2P_GROUP_MEMBER command to fetch client interface address
* P2PS
- fix follow-on PD Response behavior
- fix PD Response generation for unknown peer
- fix persistent group reporting
- add channel policy to PD Request
- add group SSID to the P2PS-PROV-DONE event
- allow "P2P_CONNECT <addr> p2ps" to be used without specifying the
default PIN
* BoringSSL
- support for OCSP stapling
- support building of h20-osu-client
* D-Bus
- add ExpectDisconnect()
- add global config parameters as properties
- add SaveConfig()
- add VendorElemAdd(), VendorElemGet(), VendorElemRem()
* fixed Suite B 192-bit AKM to use proper PMK length
(note: this makes old releases incompatible with the fixed behavior)
* improved PMF behavior for cases where the AP and STA has different
configuration by not trying to connect in some corner cases where the
connection cannot succeed
* added option to reopen debug log (e.g., to rotate the file) upon
receipt of SIGHUP signal
* EAP-pwd: added support for Brainpool Elliptic Curves
(with OpenSSL 1.0.2 and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* extended INTERFACE_ADD command to allow certain type (sta/ap)
interface to be created
* fixed and improved various FST operations
* added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
* fixed SIGNAL_POLL in IBSS and mesh cases
* added an option to abort an ongoing scan (used to speed up connection
and can also be done with the new ABORT_SCAN command)
* TLS client
- do not verify CA certificates when ca_cert is not specified
- support validating server certificate hash
- support SHA384 and SHA512 hashes
- add signature_algorithms extension into ClientHello
- support TLS v1.2 signature algorithm with SHA384 and SHA512
- support server certificate probing
- allow specific TLS versions to be disabled with phase2 parameter
- support extKeyUsage
- support PKCS #5 v2.0 PBES2
- support PKCS #5 with PKCS #12 style key decryption
- minimal support for PKCS #12
- support OCSP stapling (including ocsp_multi)
* OpenSSL
- support OpenSSL 1.1 API changes
- drop support for OpenSSL 0.9.8
- drop support for OpenSSL 1.0.0
* added support for multiple schedule scan plans (sched_scan_plans)
* added support for external server certificate chain validation
(tls_ext_cert_check=1 in the network profile phase1 parameter)
* made phase2 parser more strict about correct use of auth=<val> and
autheap=<val> values
* improved GAS offchannel operations with comeback request
* added SIGNAL_MONITOR command to request signal strength monitoring
events
* added command for retrieving HS 2.0 icons with in-memory storage
(REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and
RX-HS20-ICON event)
* enabled ACS support for AP mode operations with wpa_supplicant
* EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
("Invalid Compound_MAC in cryptobinding TLV")
* EAP-TTLS: fixed success after fragmented final Phase 2 message
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* WNM: workaround for broken AP operating class behavior
* added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
* nl80211:
- add support for full station state operations
- do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
- add NL80211_ATTR_PREV_BSSID with Connect command
- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition
Management
* added support for PBSS/PCP and P2P on 60 GHz
* Interworking: add credential realm to EAP-TLS identity
* fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
* HS 2.0: add support for configuring frame filters
* added POLL_STA command to check connectivity in AP mode
* added initial functionality for location related operations
* started to ignore pmf=1/2 parameter for non-RSN networks
* added wps_disabled=1 network profile parameter to allow AP mode to
be started without enabling WPS
* wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
events
* improved Public Action frame addressing
- add gas_address3 configuration parameter to control Address 3
behavior
* number of small fixes
|
|
|
|
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.123-1.124
- graphics/tiff/PLIST 1.22
- graphics/tiff/distinfo 1.70
- graphics/tiff/patches/patch-libtiff_tif_luv.c deleted
---
Module Name: pkgsrc
Committed By: adam
Date: Sat Oct 8 06:20:39 UTC 2016
Modified Files:
pkgsrc/graphics/tiff: Makefile
Log Message:
Updated MASTER_SITES and HOMEPAGE; the old ones seem to be dead.
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 22 15:19:54 UTC 2016
Modified Files:
pkgsrc/graphics/tiff: Makefile PLIST distinfo
Removed Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_luv.c
Log Message:
Updated tiff to 4.0.7.
MAJOR CHANGES:
• The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr
are completely removed from the distribution. These tools were written in
the late 1980s and early 1990s for test and demonstration purposes. In some
cases the tools were never updated to support updates to the file format,
or the file formats are now rarely used. In all cases these tools increased
the libtiff security and maintenance exposure beyond the value offered by
the tool.
CHANGES IN LIBTIFF:
• libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference NULL
pointer when values of tags with TIFF_SETGET_C16_ASCII /
TIFF_SETGET_C32_ASCII access are 0-byte arrays. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced by
previous fix done on 2016-11-11 for CVE-2016-9297). Reported by Henri Salo.
Assigned as CVE-2016-9448
• libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted() when requesting
Predictor tag and that the zip/lzw codec is not configured. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2591
• libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of
tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null
terminated, to avoid potential read outside buffer in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
• libtiff/tif_dirread.c: reject images with OJPEG compression that have no
TileOffsets/StripOffsets tag, when OJPEG compression is disabled. Prevent
null pointer dereference in TIFFReadRawStrip1() and other functions that
expect td_stripbytecount to be non NULL. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2585
• libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outside of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273)
• libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime
checks to avoid assertions in debug mode, or buffer overflows in release
mode. Can happen when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations
• libtiff/tif_dir.c: discard values of SMinSampleValue and SMaxSampleValue
when they have been read and the value of SamplesPerPixel is changed
afterwards (like when reading a OJPEG compressed image with a missing
SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing
SamplesPerPixel being 3). Otherwise when rewriting the directory (for
example with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127,
duplicate: CVE-2016-3658)
• libtiff/tif_dirwrite.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set for a
hack case in OJPEG case. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127,
duplicate: CVE-2016-3658)
• libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to read floating
point images.
• libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622 "Divide
By Zero in the tiff2rgba tool."
• libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
• libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure
if that could happen in practice outside of the odd behaviour of
t2p_seekproc() of tiff2pdf). The report points that a better fix could be
to check the return value of TIFFFlushData1() in places where it isn't done
currently, but it seems this patch is enough. Reported as MSVR 35095.
Discovered by Axel Souchet & Vishal Chauhan & Suha Can from the MSRC
Vulnerabilities & Mitigations team.
• libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode if more
input samples are provided than expected by PixarLogSetupEncode. Idea based
on libtiff-CVE-2016-3990.patch from libtiff-4.0.3-25.el7_2.src.rpm by
Nikola Forro, but with different and simpler check. (bugzilla #2544)
• libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
tmsize_t max value (reported by Mathias Svensson)
• libtiff/tif_read.c: make TIFFReadEncodedStrip() and TIFFReadEncodedTile()
directly use user provided buffer when no compression (and other
conditions) to save a memcpy()
• libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() directly use user provided buffer when no compression
to save a memcpy().
• libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid potential
invalid memory write on corrupted/unexpected images when using the
TIFFRGBAImageBegin() interface (reported by Clay Wood)
• libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias
Svensson) (CVE-2016-5875)
• libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 to
libtiff.def
• libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the HAVE_SNPRINTF
definition.
• libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by Edward Lam to
define HAVE_SNPRINTF for Visual Studio 2015.
• libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD, fix
regression, introduced on 2014-12-23, when reading a one-strip file without
a StripByteCounts tag. GDAL #6490
• libtiff/*: upstream typo fixes (mostly contributed by Kurt Schwehr) coming
from GDAL internal libtiff
• libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure a uint16
to reduce size of the binary.
• libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised by GCC 6
-Wmisleading-indentation
• libtiff/tif_pixarlog.c: avoid zlib error messages to pass a NULL string to
%s formatter, which is undefined behaviour in sprintf().
• libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)
• libtiff/tif_luv.c: fix potential out-of-bound writes in decode functions in
non debug builds by replacing assert()s by regular if checks
(bugzilla #2522). Fix potential out-of-bound reads in case of short input data.
• libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface
in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV /
CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix
CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of
Alibaba.
• libtiff/tif_dirread.c: workaround false positive warning of Clang Static
Analyzer about null pointer dereference in TIFFCheckDirOffset().
• libtiff/tif_fax3.c: remove dead assignment in Fax3PutEOLgdal(). Found by
Clang Static Analyzer
• libtiff/tif_dirwrite.c: fix truncation to 32 bit of file offsets in
TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory
offsets on a even offset (affects BigTIFF). This was a regression of the
changeset of 2015-10-19.
• libtiff/tif_write.c: TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
should return -1 in case of failure of tif_encodestrip() as documented
• libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in case of failure
so that the above mentioned functions detect the error.
• libtiff/*.c: fix MSVC warnings related to cast shortening and assignment
within conditional expression
• libtiff/*.c: fix clang -Wshorten-64-to-32 warnings
• libtiff/tif_dirread.c: prevent reading ColorMap or TransferFunction if
BitsPerPixel > 24, so as to avoid huge memory allocation and file read
attempts
• libtiff/tif_dirread.c: remove duplicated assignment (reported by Clang
static analyzer)
• libtiff/tif_dir.c, libtiff/tif_dirinfo.c, libtiff/tif_compress.c,
libtiff/tif_jpeg_12.c: suppress warnings about 'no previous declaration/prototype'
• libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants by U to fix
'warning: negative integer implicitly converted to unsigned type' warning
(part of -Wconversion)
• libtiff/tif_dir.c, libtiff/tif_dirread.c, libtiff/tif_getimage.c,
libtiff/tif_print.c: fix -Wshadow warnings (only in libtiff/)
CHANGES IN THE TOOLS:
• tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff, ras2tiff,
sgi2tiff, sgisv, and ycbcr are completely removed from the distribution.
The libtiff tools rgb2ycbcr and thumbnail are only built in the build tree
for testing. Old files are put in new 'archive' subdirectory of the source
repository, but not in distribution archives. These changes are made in
order to lessen the maintenance burden.
• tools/tiff2pdf.c: avoid undefined behaviour related to overlapping of
source and destination buffer in memcpy() call in t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
• tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in
t2p_read_tiff_size() Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2576
• tools/fax2tiff.c: fix segfault when specifying -r without argument. Patch
by Yuriy M. Kaminskiy. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2572
• tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)
• tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2592
• tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet &
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG compressed
images. Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 /
CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the
file stream.
• tools/tiffcp.c: fix out-of-bounds write on tiled images with odd tile width
vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan
from the MSRC Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix read -largely- outside of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG
compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR
35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
• tools/tiffcp.c: fix read of undefined variable in case of missing required
tags. Found on test case of MSVR 35100.
• tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel Souchet
from the MSRC Vulnerabilities & Mitigations team.
• tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities in heap
or stack allocated buffers. Reported as MSVR 35093, MSVR 35096 and MSVR
35097. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in heap allocated
buffer in t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
• tools/tiff2bw.c: fix weight computation that could result in color value
overflow (no security implication). Fix bugzilla #2550. Patch by Frank
Freudenberg.
• tools/rgb2ycbcr.c: validate values of -v and -h parameters to avoid
potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
• tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From patch
libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola
Forro (bugzilla #2543)
• tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when
-b mode is enabled, that could result in out-of-bounds write. Based
initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
tests that rejected valid files. (bugzilla #2545)
• tools/tiffcrop.c: Avoid access outside of stack allocated array on a tiled
separate TIFF with more than 8 samples per pixel. Reported by Kaixiang
Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321 / CVE-2016-5323,
bugzilla #2558 / #2559)
• tools/tiffdump.c: fix a few misaligned 64-bit reads warned by -fsanitize
• tools/tiffdump.c (ReadDirectory): Remove uint32 cast to _TIFFmalloc()
argument which resulted in Coverity report. Added more multiplication
overflow checks.
|
|
www/w3m: security fix
www/w3m-img: security fix
Revisions pulled up:
- www/w3m-img/Makefile 1.29
- www/w3m-img/PLIST 1.1
- www/w3m/Makefile 1.78
- www/w3m/Makefile.common 1.62-1.63
- www/w3m/PLIST 1.17
- www/w3m/distinfo 1.27-1.29
- www/w3m/options.mk 1.15
- www/w3m/patches/patch-aa deleted
- www/w3m/patches/patch-ab deleted
- www/w3m/patches/patch-ac deleted
- www/w3m/patches/patch-ak deleted
- www/w3m/patches/patch-al deleted
- www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in deleted
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:26:35 UTC 2016
Modified Files:
pkgsrc/www/w3m: Makefile Makefile.common PLIST distinfo options.mk
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Updated w3m to 0.5.3.0.20161031.
Switch from dead sourceforge original to debian-maintained github version.
* new features
- support OSC 5379 remote imaging and sixel graphics
- support SGR style mouse handler
- support 32-bit color images
- support FreeBSD framebuffer
- support button element
- support meta charset
- add extbrowser4..9
- add display_borders to display 0 pixel table borders
- add siteconf feature
- add German translation for options setting panel
- add translations for de, zh_CN and zh_TW
* bug fixes
- fix segfaults with malformed text
- disable SSLv2 and SSLv3 by default [CVE-2014-3566]
- set ssl_verify_server to 1 by default
- disable RC4, export ciphers, and keys < 128 bits
- use SSL_OP_NO_COMPRESSION due to "CRIME attack" [CVE-2012-4929]
- use SSL_MODE_RELEASE_BUFFERS
- disable USE_EGD for LibreSSL
- appease gcc -Werror=format-security
- option -s is now "squeeze multiple blank lines" to work as pager, and
-j and -e are obsolete, so use -O{s|j|e} to specify display charset
- accept single quoted meta refresh URL
- assume "text" if a form input type is unknown
- accept cookies by default
- set use_dictcommand to 1 by default
- set default_url to 1 by default
- set argv_is_url to 1 by default
- set alt_entity to 0 by default
- fix build problems with Boehm GC 7.2, imlib2 1.4.6 and glibc 2.14
- fix parallel make failure
- fix incorrect ucs_ambwidth_map
- and many fixes
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:27:16 UTC 2016
Modified Files:
pkgsrc/www/w3m-img: Makefile
Added Files:
pkgsrc/www/w3m-img: PLIST
Log Message:
Updated w3m-img to 0.5.3.0.20161031.
Changes same as for www/w3m.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:27:25 UTC 2016
Removed Files:
pkgsrc/www/w3m/patches: patch-aa patch-ac patch-ak patch-al
patch-scripts_w3mman_w3mman2html.cgi.in
Log Message:
Remove obsolete patches.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:30:42 UTC 2016
Modified Files:
pkgsrc/www/w3m: distinfo
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Add upstream bug report URL.
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 22 14:36:38 UTC 2016
Modified Files:
pkgsrc/www/w3m: Makefile.common distinfo
Log Message:
Updated w3m to 0.5.3.0.20161120.
Debian's w3m 0.5.3+git20161120
* bug fixes
- fix multiple flaws with malformed text
(stack overflow, buffer overflow, null deref, out of memory)
- fix stack overflow with nested table and textarea [CVE-2016-9439]
- fix suspend (^Z) behavior
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 22 15:24:43 UTC 2016
Removed Files:
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Remove integrated patch.
|
|
lang/php71: security fix
Revisions pulled up:
- lang/php71/Makefile 1.4
- lang/php71/distinfo 1.8-1.9
---
Module Name: pkgsrc
Committed By: jdolecek
Date: Sat Nov 5 14:30:31 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: Makefile distinfo
Log Message:
Update php71 to 7.1.0RC5.
Changes between RC4 and RC5:
- Core:
. Fixed bug #73350 (Exception::__toString() cause circular references).
(Laruence)
. Fixed bug #73329 ((Float)"Nano" == NAN). (Anatol)
- CLI Server:
. Fixed bug #73360 (Unable to work in root with unicode chars). (Anatol)
- SQLite3:
. Fixed bug #73333 (2147483647 is fetched as string). (cmb)
Change since RC3 and RC4:
- Core:
. Fixed bug #73288 (Segfault in __clone > Exception.toString > __get).
(Laruence)
. Fixed for #73240 (Write out of bounds at number_format). (Stas)
. Fix pthreads detection when cross-compiling (ffontaine)
. Fixed bug #73337 (try/catch not working with two exceptions inside a same
operation). (Dmitry)
- BCmath:
. Fix bug #73190 (memcpy negative parameter _bc_new_num_ex). (Stas)
- Date:
. Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
. Fixed bug #48225 (DateTime parser doesn't set microseconds for "now").
(Derick)
. Fixed bug #52514 (microseconds are missing in DateTime class). (Derick)
. Fixed bug #52519 (microseconds in DateInterval are missing). (Derick)
. Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime).
(Derick)
. Fixed bug #64887 (Allow DateTime modification with subsecond items).
(Derick)
. Fixed bug #68506 (General DateTime improvments needed for microseconds to
become useful). (Derick)
. Fixed bug #73109 (timelib_meridian doesn't parse dots correctly). (Derick)
. Fixed bug #73247 (DateTime constructor does not initialise microseconds
property). (Derick)
. Fixed bug #73147 (Use After Free in PHP7 unserialize()). (Stas)
. Fixed bug #73189 (Memcpy negative size parameter php_resolve_path). (Stas)
- DOM:
. Fixed bug #73150 (missing NULL check in dom_document_save_html). (Stas)
- GD:
. Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
. Fixed bug #73272 (imagescale() is not affected by, but affects
imagesetinterpolation()). (cmb)
. Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
. Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
- Intl:
. Fixed bug #73007 (add locale length check). (Stas)
. Fixed bug #73218 (add mitigation for ICU int overflow). (Stas)
- OCI8
. Fixed bug #71148 (Bind reference overwritten on PHP 7). (Oracle Corp.)
- OpenSSL:
. Fixed bug #73276 (crash in openssl_random_pseudo_bytes function). (Stas)
- Session:
. Fixed bug #73273 (session_unset() empties values from all variables in which
is $_session stored). (Nikita)
- SOAP:
. Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
. Fixed bug #73237 (Nested object in "any" element overwrites other fields).
(Keith Smiley)
. Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient)
(Keith Smiley)
- SimpleXML:
. Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
(Stas)
- SQLite3:
. Updated to SQLite3 3.15.0. (cmb)
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 12 15:41:24 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: distinfo
Log Message:
Update php71 to 7.1.0rc6 (PHP 7.1.0RC6), including security fix.
10 Nov 2016, PHP 7.1.0RC6
- Core:
. Fixed bug #72736 (Slow performance when fetching large dataset with mysqli
/ PDO). (Dmitry)
- Date:
. Fixed bug #73426 (createFromFormat with 'z' format char results in
incorrect time). (Derick)
- JSON:
. Introduced encoder struct instead of global which fixes bugs #66025 and
#73254 related to pretty print indentation. (Jakub Zelenka)
- ODBC:
. Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
(Anatol)
- PCRE:
. Fixed bug #73392 (A use-after-free in zend allocator management).
(Laruence)
- PDO_Firebird:
. Fixed bug #73087, #61183, #71494 (Memory corruption in bindParam).
(Dorin Marcoci)
- SPL:
. Fixed bug #73423 (Reproducible crash with GDB backtrace). (Laruence)
|
|
lang/php70: security fix
Revisions pulled up:
- lang/php70/distinfo 1.21
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 12 15:38:29 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: distinfo
Log Message:
Update php70 to 7.0.13 (PHP 7.0.13), including security fix (as usual).
10 Nov 2016 PHP 7.0.13
- Core:
. Fixed bug #73350 (Exception::__toString() cause circular references).
(Laruence)
. Fixed bug #73181 (parse_str() without a second argument leads to crash).
(Nikita)
. Fixed bug #66773 (Autoload with Opcache allows importing conflicting class
name to namespace). (Nikita)
. Fixed bug #66862 ((Sub-)Namespaces unexpected behaviour). (Nikita)
. Fix pthreads detection when cross-compiling (ffontaine)
. Fixed bug #73337 (try/catch not working with two exceptions inside a same
operation). (Dmitry)
. Fixed bug #73338 (Exception thrown from error handler causes valgrind
warnings (and crashes)). (Bob, Dmitry)
. Fixed bug #73329 ((Float)"Nano" == NAN). (Anatol)
- GD:
. Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
. Fixed bug #73272 (imagescale() is not affected by, but affects
imagesetinterpolation()). (cmb)
. Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
. Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
. Fixed bug #72482 (Illegal write/read access caused by gdImageAALine
overflow). (cmb)
. Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).
(cmb)
- IMAP:
. Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).
(Anatol)
- OCI8
. Fixed bug #71148 (Bind reference overwritten on PHP 7). (Oracle Corp.)
- phpdbg:
. Properly allow for stdin input from a file. (Bob)
. Add -s command line option / stdin command for reading script from stdin.
(Bob)
. Ignore non-executable opcodes in line mode of phpdbg_end_oplog(). (Bob)
. Fixed bug #70776 (Simple SIGINT does not have any effect with -rr). (Bob)
. Fixed bug #71234 (INI files are loaded even invoked as -n --version). (Bob)
- Session:
. Fixed bug #73273 (session_unset() empties values from all variables in which
is $_session stored). (Nikita)
- SOAP:
. Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
. Fixed bug #73237 (Nested object in "any" element overwrites other fields).
(Keith Smiley)
. Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient)
(Keith Smiley)
- SQLite3:
. Fixed bug #73333 (2147483647 is fetched as string). (cmb)
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
. Fixed bug #71241 (array_replace_recursive sometimes mutates its parameters).
(adsr)
- Wddx:
. Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization
with PDORow). (Stas)
|
|
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php56/distinfo 1.36
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Nov 12 15:34:00 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.28 (PHP 5.6.28), including security fix (as usual).
10 Nov 2016, PHP 5.6.28
- Core:
. Fixed bug #73337 (try/catch not working with two exceptions inside a same
operation). (Dmitry)
- Bz2:
. Fixed bug #73356 (crash in bzcompress function). (Stas)
- GD:
. Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
. Fixed bug #73272 (imagescale() is not affected by, but affects
imagesetinterpolation()). (cmb)
. Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
. Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
. Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
(cmb)
. Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (cmb)
- Imap:
. Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads Heap Overflow).
(Anatol)
- SPL:
. Fixed bug #73144 (Use-after-free in ArrayObject Deserialization). (Stas)
- SOAP:
. Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
- SQLite3:
. Fixed bug #73333 (2147483647 is fetched as string). (cmb)
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
. Fixed bug #73188 (use after free in userspace streams). (Sara)
- Wddx:
. Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization
with PDORow). (Stas)
|
|
|
|
emulators/qemu: security fix
Revisions pulled up:
- emulators/qemu/Makefile 1.156
- emulators/qemu/distinfo 1.118
- emulators/qemu/patches/patch-CVE-2016-7423 1.1
- emulators/qemu/patches/patch-CVE-2016-7907 1.1
- emulators/qemu/patches/patch-CVE-2016-7908 1.1
- emulators/qemu/patches/patch-CVE-2016-7909 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 30 14:48:01 UTC 2016
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
Added Files:
pkgsrc/emulators/qemu/patches: patch-CVE-2016-7423 patch-CVE-2016-7907
patch-CVE-2016-7908 patch-CVE-2016-7909
Log Message:
add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
|
|
|
|
www/py-django: security fix
Revisions pulled up:
- www/py-django/Makefile 1.78
- www/py-django/distinfo 1.60
---
Module Name: pkgsrc
Committed By: wen
Date: Wed Nov 2 14:30:49 UTC 2016
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
Update to 1.9.11 (security update)
Upstream changes:
Django 1.9.11 release notes
November 1, 2016
Django 1.9.11 fixes two security issues in 1.9.10.
User with hardcoded password created when running tests on Oracle
DNS rebinding vulnerability when DEBUG=True
|
|
audio/taglib: build fix
Revisions pulled up:
- audio/taglib/Makefile 1.38
---
Module Name: pkgsrc
Committed By: maya
Date: Fri Nov 4 14:03:14 UTC 2016
Modified Files:
pkgsrc/audio/taglib: Makefile
Log Message:
taglib: require gcc 4.7 for our own use of -std=c++11.
the flag is needed, but was only introduced in gcc 4.7.
fixes build on netbsd 6.1.5
|
|
|
|
net/bind99: security fix
Revisions pulled up:
- net/bind99/Makefile 1.59-1.60
- net/bind99/distinfo 1.41
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Nov 2 00:06:09 UTC 2016
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 to 9.9.9pl4 (BIND 9.9.9-P4).
--- 9.9.9-P4 released ---
4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]
|
|
net/bind910: security fix
Revisions pulled up:
- net/bind910/Makefile 1.25-1.26
- net/bind910/distinfo 1.20
---
Committed By: taca
Date: Wed Nov 2 00:05:17 UTC 2016
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.4pl4 (BIND 9.10.4-P4).
--- 9.10.4-P4 released ---
4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]
|
|
net/wget: security fix
Revisions pulled up:
- net/wget/Makefile 1.133
- net/wget/distinfo 1.52
- net/wget/patches/patch-CVE-2016-7098 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 30 20:55:39 UTC 2016
Modified Files:
pkgsrc/net/wget: Makefile distinfo
Added Files:
pkgsrc/net/wget/patches: patch-CVE-2016-7098
Log Message:
add a patch for CVE-2016-7098 from upstream
|
|
security/libcrack: security fix
Revisions pulled up:
- security/libcrack/Makefile 1.19
- security/libcrack/distinfo 1.8
- security/libcrack/patches/patch-CVE-2016-6318 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 30 20:49:58 UTC 2016
Modified Files:
pkgsrc/security/libcrack: Makefile distinfo
Added Files:
pkgsrc/security/libcrack/patches: patch-CVE-2016-6318
Log Message:
add a patch for CVE-2016-6318 from
https://bugzilla.redhat.com/attachment.cgi?id=1188599
|
|
net/tor: security fix
Revisions pulled up:
- net/tor/Makefile 1.112-1.113
- net/tor/distinfo 1.73-1.74
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Sep 30 10:53:01 UTC 2016
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
Updated tor to 0.2.8.8.
Changes in version 0.2.8.8 - 2016-09-23
Tor 0.2.8.8 fixes two crash bugs present in previous versions of the
0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users
who select public relays as their bridges.
o Major bugfixes (crash):
- Fix a complicated crash bug that could affect Tor clients
configured to use bridges when replacing a networkstatus consensus
in which one of their bridges was mentioned. OpenBSD users saw
more crashes here, but all platforms were potentially affected.
Fixes bug 20103; bugfix on 0.2.8.2-alpha.
o Major bugfixes (relay, OOM handler):
- Fix a timing-dependent assertion failure that could occur when we
tried to flush from a circuit after having freed its cells because
of an out-of-memory condition. Fixes bug 20203; bugfix on
0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
this one.
o Minor feature (fallback directories):
- Remove broken fallbacks from the hard-coded fallback directory
list. Closes ticket 20190; patch by teor.
o Minor features (geoip):
- Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
Country database.
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 19 10:58:14 UTC 2016
Modified Files:
pkgsrc/net/tor: Makefile distinfo
Log Message:
Updated tor to 0.2.8.9.
Changes in version 0.2.8.9 - 2016-10-17
Tor 0.2.8.9 backports a fix for a security hole in previous versions
of Tor that would allow a remote attacker to crash a Tor client,
hidden service, relay, or authority. All Tor users should upgrade to
this version, or to 0.2.9.4-alpha. Patches will be released for older
versions of Tor.
o Major features (security fixes, also in 0.2.9.4-alpha):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Minor features (geoip):
- Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
Country database.
|
|
|
|
|
|
multimedia/adobe-flash-plugin11: security update
Revisions pulled up:
- multimedia/adobe-flash-plugin11/Makefile 1.64
- multimedia/adobe-flash-plugin11/distinfo 1.61
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tsutsui
Date: Sat Oct 15 12:51:26 UTC 2016
Modified Files:
pkgsrc/multimedia/adobe-flash-plugin11: Makefile distinfo
Log Message:
Update adobe-flash-plugin11 to 11.2.202.637.
Upstream announcement:
https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
Adobe Security Bulletin
Security updates available for Adobe Flash Player
Release date: October 11, 2016
Vulnerability identifier: APSB16-32
CVE number: CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982,
CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987,
CVE-2016-6989, CVE-2016-6990, CVE-2016-6992
Platform: Windows, Macintosh, Linux and ChromeOS
To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 pkgsrc/multimedia/adobe-flash-plugin11/Makefile
cvs rdiff -u -r1.60 -r1.61 pkgsrc/multimedia/adobe-flash-plugin11/distinfo
|
|
|
|
|
|
===========================
Bugfixes:
---------
- Missing glue records in some responses
- Knsupdate prompt printing on non-terminal
- Mismatch between configuration policy item names and documentation
- Segfault on OS X (Sierra)
Improvements:
-------------
- Significant speed-up of conf-commit and conf-diff operations (in most cases)
- New EDNS Client Subnet libknot API
- Better semantic-checks error messages
Features:
---------
- Print TLS certificate hierarchy in kdig verbose mode
- New +subnet alias for +client
- New mod-whoami and mod-noudp modules
- New zone-purge control command
- New log-queries and log-responses options for mod-dnstap
|
|
databases/mysql56-client: security fix
databases/mysql56-server: security fix
Revisions pulled up:
- databases/mysql56-client/Makefile.common 1.36-1.37
- databases/mysql56-client/distinfo 1.38-1.39
- databases/mysql56-client/patches/patch-client_mysql.cc deleted
- databases/mysql56-client/patches/patch-cmake_readline.cmake 1.4
- databases/mysql56-server/PLIST 1.27
---
Module Name: pkgsrc
Committed By: fhajny
Date: Fri Sep 30 11:54:49 UTC 2016
Modified Files:
pkgsrc/databases/mysql56-client: Makefile.common distinfo
pkgsrc/databases/mysql56-client/patches: patch-cmake_readline.cmake
Removed Files:
pkgsrc/databases/mysql56-client/patches: patch-client_mysql.cc
Log Message:
Change the way readline/editline support is patched, based on what
mysql57-client has. This fixes at least SmartOS builds, no changes for
NetBSD (and presumably elsewhere).
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Oct 12 16:58:21 UTC 2016
Modified Files:
pkgsrc/databases/mysql56-client: Makefile.common distinfo
pkgsrc/databases/mysql56-server: PLIST
Log Message:
Changes 5.6.34:
Packaging Notes
---------------
RPM and Debian packages now create the /var/lib/mysql-files directory, which is now the default value of the secure_file_priv system variable that specifies a directory for import and export operations.
Security Notes
--------------
Incompatible Change: The secure_file_priv system variable is used to limit the effect of data import and export operations.
Functionality Added or Changed
------------------------------
yaSSL was upgraded to version 2.4.2. This upgrade corrects issues with: Potential AES side channel leaks; DSA padding for unusual sizes; the SSL_CTX_load_verify_locations() OpenSSL compatibility function failing to handle long path directory names.
|
|
databases/mysql55-client: security fix
databases/mysql55-server: security fix
Revisions pulled up:
- databases/mysql55-client/Makefile.common 1.55
- databases/mysql55-client/distinfo 1.53
- databases/mysql55-server/PLIST 1.45
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Oct 12 16:57:30 UTC 2016
Modified Files:
pkgsrc/databases/mysql55-client: Makefile.common distinfo
pkgsrc/databases/mysql55-server: PLIST
Log Message:
Changes 5.5.53:
Packaging Notes
---------------
RPM packages now create the /var/lib/mysql-files directory, which is now the default value of the secure_file_priv system variable that specifies a directory for import and export operations.
Security Notes
--------------
Incompatible Change: The secure_file_priv system variable is used to limit the effect of data import and export operations.
Functionality Added or Changed
------------------------------
yaSSL was upgraded to version 2.4.2. This upgrade corrects issues with: Potential AES side channel leaks; DSA padding for unusual sizes; the SSL_CTX_load_verify_locations() OpenSSL compatibility function failing to handle long path directory names.
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.161
- lang/php56/distinfo 1.35
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Oct 16 11:58:42 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.27.
13 Oct 2016, PHP 5.6.27
- Core:
. Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
zend_virtual_cwd.c). (cmb)
. Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
. Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by
password_verify). (Anatol)
. Fixed bug #73189 (Memcpy negative size parameter php_resolve_path). (Stas)
. Fixed bug #73147 (Use After Free in unserialize()). (Stas)
- BCmath:
. Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex). (Stas)
- DOM:
. Fixed bug #73150 (missing NULL check in dom_document_save_html). (Stas)
- Ereg:
. Fixed bug #73284 (heap overflow in php_ereg_replace function). (Stas)
- Filter:
. Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
FILTER_FLAG_NO_PRIV_RANGE). (julien)
. Fixed bug #67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN,
FILTER_NULL_ON_FAILURE). (levim, cmb)
. Fixed bug #73054 (default option ignored when object passed to int filter).
(cmb)
- GD:
. Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
(cmb)
. Fixed bug #50194 (imagettftext broken on transparent background w/o
alphablending). (cmb)
. Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
cmb)
. Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
(Mark Plomer, cmb)
. Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
. Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
. Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted
files). (cmb)
. Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
- Intl:
. Fixed bug #73218 (add mitigation for ICU int overflow). (Stas)
- Imap:
. Fixed bug #73208 (integer overflow in imap_8bit caused heap corruption).
(Stas)
- Mbstring:
. Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
. Fixed bug #66964 (mb_convert_variables() cannot detect recursion). (Yasuo)
. Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
(Yasuo)
. Fixed bug #73082 (string length overflow in mb_encode_* function). (Stas)
- PCRE:
. Fixed bug #73174 (heap overflow in php_pcre_replace_impl). (Stas)
- Opcache:
. Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
(Keyur) (julien backport)
- OpenSSL:
. Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
(Jakub Zelenka)
. Fixed bug #73275 (crash in openssl_encrypt function). (Stas)
. Fixed bug #73276 (crash in openssl_random_pseudo_bytes function). (Stas)
- Session:
. Fixed bug #68015 (Session does not report invalid uid for files save handler).
(Yasuo)
. Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
(cmb)
- SimpleXML:
. Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
(Stas)
- SPL:
. Fixed bug #73073 (CachingIterator null dereference when convert to string).
(Stas)
- Standard:
. Fixed bug #73240 (Write out of bounds at number_format). (Stas)
. Fixed bug #73017 (memory corruption in wordwrap function). (Stas)
- Stream:
. Fixed bug #73069 (readfile() mangles files larger than 2G). (Laruence)
- Zip:
. Fixed bug #70752 (Depacking with wrong password leaves 0 length files).
(cmb)
|
|
lang/php70: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.160
- lang/php70/distinfo 1.20
- lang/php70/patches/patch-ext_pcre_pcrelib_config.h 1.3
---
Module Name: pkgsrc
Committed By: jdolecek
Date: Fri Oct 14 15:06:21 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: distinfo
pkgsrc/lang/php70/patches: patch-ext_pcre_pcrelib_config.h
Log Message:
Update php70 to 7.0.12
Changes:
Core:
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed for #73240 (Write out of bounds at number_format).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
BCmath:
Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Date:
Fixed bug #73091 (Unserializing DateInterval object may lead to __toString invocation).
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Intl:
Fixed bug #73218 (add mitigation for ICU int overflow).
Mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Mysqlnd:
Fixed bug #72489 (PHP Crashes When Modifying Array Containing MySQLi Result Data).
Opcache:
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73275 (crash in openssl_encrypt function).
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #73174 (heap overflow in php_pcre_replace_impl).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow \PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (\PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
phpdbg:
Fixed bug #72996 (phpdbg_prompt.c undefined reference to DL_LOAD).
Fixed next command not stopping when leaving function.
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73257, Fixed bug #73258 (SplObjectStorage unserialize allows use of non-object as key).
SQLite3:
Updated bundled SQLite3 to 3.14.2.
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files).
|
|
lang/php71: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.159
- lang/php71/distinfo 1.7
- lang/php71/patches/patch-ext_pcre_pcrelib_config.h 1.2
---
Module Name: pkgsrc
Committed By: jdolecek
Date: Sat Oct 8 09:16:09 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php71: distinfo
pkgsrc/lang/php71/patches: patch-ext_pcre_pcrelib_config.h
Log Message:
Update php71 to 7.1.0RC3
Changes:
- Core:
. Fixed bug #73156 (segfault on undefined function). (Dmitry)
. Fixed bug #73163 (PHP hangs if error handler throws while accessing undef
const in default value). (Nikita)
. Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
. Fixed bug #73181 (parse_str() without a second argument leads to crash).
(Nikita)
- COM:
. Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
. Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
- GD:
. Fixed bug #50194 (imagettftext broken on transparent background w/o
alphablending). (cmb)
. Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
cmb)
. Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
(Mark Plomer, cmb)
. Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
. Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
. Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted
files). (cmb)
. Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
- JSON:
. Fixed bug #73113 (Segfault with throwing JsonSerializable). (julien)
- PCRE:
. Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported
on s390). (Anatol)
- PDO_DBlib:
. Fixed bug #72414 (Never quote values as raw binary data). (Adam Baratz)
. Allow \PDO::setAttribute() to set query timeouts. (Adam Baratz)
. Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
(Adam Baratz)
. Add common PDO test suite. (Adam Baratz)
. Free error and message strings when cleaning up PDO instances.
(Adam Baratz)
. Fixed bug #67130 (\PDOStatement::nextRowset() should succeed when all rows
in current rowset haven't been fetched). (Peter LeBrun)
. Ignore potentially misleading dberr values. (Chris Kings-Lynne)
- phpdbg:
. Added generator command for inspection of currently alive generators. (Bob)
- Reflection:
. Undo backwards compatibility break in ReflectionType->__toString() and
deprecate via documentation instead. (Nikita)
- Session:
. Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
(cmb)
|
|
|
|
graphics/gdk-pixbuf2-xlib: security update
graphics/gdk-pixbuf2: security update
Revisions pulled up:
- graphics/gdk-pixbuf2-xlib/Makefile 1.18
- graphics/gdk-pixbuf2/Makefile 1.32
- graphics/gdk-pixbuf2/Makefile.version 1.13
- graphics/gdk-pixbuf2/PLIST 1.14
- graphics/gdk-pixbuf2/distinfo 1.31
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sun Oct 9 17:49:39 UTC 2016
Modified Files:
pkgsrc/graphics/gdk-pixbuf2: Makefile Makefile.version PLIST distinfo
pkgsrc/graphics/gdk-pixbuf2-xlib: Makefile
Log Message:
Update to 2.36.0
Changelog:
2.36.0
======
* Translation updates
2.35.5
======
* Fix undefined behavior in overflow checks (#770986)
* Fix a typo (#770756)
* Avoid segfault in some tests (#771026)
* Translation updates
2.35.4
======
* Translation updates
2.35.3
======
* Add API to determine supported save options (#683371)
* Add helper API for pixbuf options (#768043)
* Fix invalid gettext use (#758552)
* Fix a compiler warning in the xpm loader (#768042)
* Fix integer overflows in the bmp loader (#768688, #768738)
* Fix a crash in the ico loader (#769170)
* Translation updates
2.35.2
======
* Use compiler directives for exporting symbols (#767164)
* Fix a problem with nearest scaling (#766842)
* Avoid redundant property notification
* Translation updates
2.35.1
======
* Add non-varargs variant to save to stream (#683063)
* Add a common autotools module (#765034)
* Translation updates
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/graphics/gdk-pixbuf2/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/graphics/gdk-pixbuf2/Makefile.version
cvs rdiff -u -r1.13 -r1.14 pkgsrc/graphics/gdk-pixbuf2/PLIST
cvs rdiff -u -r1.30 -r1.31 pkgsrc/graphics/gdk-pixbuf2/distinfo
cvs rdiff -u -r1.17 -r1.18 pkgsrc/graphics/gdk-pixbuf2-xlib/Makefile
|
|
graphics/openjpeg: security update
Revisions pulled up:
- graphics/openjpeg/Makefile 1.14
- graphics/openjpeg/distinfo 1.11
- graphics/openjpeg/patches/patch-src_lib_openjp2_CMakeLists.txt 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Tue Oct 4 19:27:10 UTC 2016
Modified Files:
pkgsrc/graphics/openjpeg: Makefile distinfo
pkgsrc/graphics/openjpeg/patches: patch-src_lib_openjp2_CMakeLists.txt
Log Message:
v2.1.2 (2016-09-28)
Closed issues:
null ptr dereference in convert.c:1331
Out-of-Bounds Read in function bmp24toimage of convertbmp.c
Disable automatic compilation of t1_generate_luts in CMakeLists.txt
CVE-2016-7163 Integer overflow in opj_pi_create_decode
Security Advisory for OpenJPEG
Add dashboard with static lib
hidden visibility for the static library / building with -DOPJ_STATIC against shared lib
Optimization when building library from source
unsigned int16 on Solaris 11.2/sparc
appveyor
Please make a new release
FFMpeg will not link to 2.1.1 release built as shared library
API change since v2: opj_event_mgr_t not available
openjpeg.h needs dependencies
"master" does not build on ubuntu
Package 'openjp2', required by 'libopenjpip', not found
Merged pull requests:
Fix PNM file reading
Fix some issues reported by Coverity Scan
Fix potential out-of-bounds read (coverity)
Remove TODO for overflow check
Add overflow checks for opj_aligned_malloc
Flags in T1 shall be unsigned
Fix some warnings
Fix issue 833.
Add overflow checks for opj_aligned_malloc
Add test for issue 820
Add test for issue 826
Fix coverity 113065 (CWE-484)
Add sanity check for tile coordinates
Add test for P-R-818
Update to libpng 1.6.25
fix incrementing of "l_tcp->m_nb_mcc_records" in opj_j2k_read_mcc
Add overflow check in opj_tcd_init_tile
Fix leak & invalid behavior of opj_jp2_read_ihdr
Add overflow check in opj_j2k_update_image_data
Change 'restrict' define to 'OPJ_RESTRICT'
Switch to clang 3.8
Fix an integer overflow issue
Update to lcms 2.8
Update to libpng 1.6.24
Reenable clang-3.9 build on travis
Bit fields type
Add compilation test for standalone inclusion of openjpeg.h
jpwl: Remove non-portable data type u_int16_t
Fix dependency for pkg-config
Add .gitignore
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 pkgsrc/graphics/openjpeg/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/graphics/openjpeg/distinfo
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/graphics/openjpeg/patches/patch-src_lib_openjp2_CMakeLists.txt
|
|
mail/squirrelmail: build fix
Revisions pulled up:
- mail/squirrelmail/Makefile 1.130
- mail/squirrelmail/distinfo 1.66
- mail/squirrelmail/patches/patch-plugins_gpg_gpg_decrypt_attach.php deleted
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: manu
Date: Fri Sep 30 14:21:23 UTC 2016
Modified Files:
pkgsrc/mail/squirrelmail: Makefile distinfo
Removed Files:
pkgsrc/mail/squirrelmail/patches:
patch-plugins_gpg_gpg_decrypt_attach.php
Log Message:
Remove patch on a locally installed file that did not belong to the
distribution
To generate a diff of this commit:
cvs rdiff -u -r1.129 -r1.130 pkgsrc/mail/squirrelmail/Makefile
cvs rdiff -u -r1.65 -r1.66 pkgsrc/mail/squirrelmail/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/mail/squirrelmail/patches/patch-plugins_gpg_gpg_decrypt_attach.php
|