Age  Commit message  Author  Files  Lines
2017-01-16  Record latest pullup tickets.  bsiegert  1  -1/+22
2017-01-13  Pullup ticket #5191 - requested by taca  bsiegert  3  -12/+15
devel/libgit2: security fix

Revisions pulled up:
- devel/libgit2/Makefile 1.14-1.16
- devel/libgit2/PLIST 1.6
- devel/libgit2/distinfo 1.8
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 1 14:44:09 UTC 2017

Modified Files:
[...]
pkgsrc/devel/libgit2: Makefile
[...]

Log Message:
Add python-3.6 to incompatible versions.
---
Module Name: pkgsrc
Committed By: adam
Date: Sun Jan 1 16:06:40 UTC 2017

Modified Files:
[...]
pkgsrc/devel/libgit2: Makefile
[...]

Log Message:
Revbump after boost update
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jan 11 00:11:24 UTC 2017

Modified Files:
pkgsrc/devel/libgit2: Makefile PLIST distinfo

Log Message:
Update libgit2 to 0.25.1; it includes a security fix. For full changes, please refer to the CHANGELOG.md file.

* libgit2 v0.24.6 and libgit2 v0.25.1, January 9th, 2017

Includes two fixes, one performs extra sanitization for some edge cases in the Git Smart Protocol which can lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. It provides a valid parameter to indicate whether the native cryptographic library considered the certificate to be correct. This parameter is always 1/true before these releases leading to a possible MITM.

This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.
2017-01-13  Pullup ticket #5190 - requested by taca  bsiegert  2  -7/+7
net/bind99: security fix

Revisions pulled up:
- net/bind99/Makefile 1.62
- net/bind99/distinfo 1.42
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 12 00:05:46 UTC 2017

Modified Files:
pkgsrc/net/bind99: Makefile distinfo

Log Message:
Update bind99 to 9.9.9pl5 (BIND 9.9.9-P5), including security fixes.

--- 9.9.9-P5 released ---

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]
2017-01-13  Pullup ticket #5189 - requested by taca  bsiegert  2  -8/+7
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.28
- net/bind910/distinfo 1.21
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 12 00:04:43 UTC 2017

Modified Files:
pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

--- 9.10.4-P5 released ---

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]
2017-01-13  Pullup ticket #5188 - requested by taca  bsiegert  1  -1/+4
www/ruby-jekyll-watch: build fix (for www/ruby-jekyll)

Revisions pulled up:
- www/ruby-jekyll-watch/Makefile 1.6
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 9 15:04:44 UTC 2017

Modified Files:
pkgsrc/www/ruby-jekyll-watch: Makefile

Log Message:
Fix dependency in gemspec.

Bump PKGREVISION.
2017-01-13  Pullup ticket #5187 - requested by taca  bsiegert  1  -6/+2
sysutils/ruby-listen: build fix (for www/ruby-jekyll)

Revisions pulled up:
- sysutils/ruby-listen/Makefile 1.12
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 9 15:02:32 UTC 2017

Modified Files:
pkgsrc/sysutils/ruby-listen: Makefile

Log Message:
Now depends on both ruby-rb-fsevent and ruby-rb-inotify since it really requires both packages' code.

Bump PKGREVISION.
2017-01-13  Pullup ticket #5186 - requested by taca  bsiegert  1  -3/+1
devel/ruby-rb-fsevent: build fix (for www/ruby-jekyll)

Revisions pulled up:
- devel/ruby-rb-fsevent/Makefile 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 9 14:58:11 UTC 2017

Modified Files:
pkgsrc/devel/ruby-rb-fsevent: Makefile

Log Message:
Do not restrict this package to Darwin. Although the functionality of this package only works on Darwin, there is another package that expects the existence of this package (and it fails).
2017-01-13  Pullup ticket #5183 - requested by joerg  bsiegert  4  -13/+20
devel/cmake: build fix

Revisions pulled up:
- devel/cmake/Makefile 1.129
- devel/cmake/distinfo 1.95
- devel/cmake/patches/patch-Modules_FindCurses.cmake 1.1
- devel/ncurses/builtin.mk 1.40
---
Module Name: pkgsrc
Committed By: joerg
Date: Thu Jan 5 22:18:03 UTC 2017

Modified Files:
pkgsrc/devel/ncurses: builtin.mk

Log Message:
Drop buildlink-ncurses-fake-libs, it didn't get applied due to a typo and it doesn't help with the directory scanning of cmake anyway, since that one only looks in the real prefix.
---
Module Name: pkgsrc
Committed By: joerg
Date: Thu Jan 5 22:34:25 UTC 2017

Modified Files:
pkgsrc/devel/cmake: Makefile distinfo
Added Files:
pkgsrc/devel/cmake/patches: patch-Modules_FindCurses.cmake

Log Message:
Recognize libgnuform as valid implementation of a form library to match devel/ncurses. This is necessary due to cmake's insistence on scanning PREFIX/lib directly. Bump revision.
2017-01-08  Record last pullup tickets.  bsiegert  1  -1/+18
2017-01-08  Pullup ticket #5182 - requested by maya  bsiegert  8  -129/+22
chat/irssi: security fix
chat/irssi-icb: security fix
chat/irssi-xmpp: security fix

Revisions pulled up:
- chat/irssi-icb/Makefile 1.40
- chat/irssi-icb/distinfo 1.25
- chat/irssi-xmpp/Makefile 1.11
- chat/irssi-xmpp/distinfo 1.7
- chat/irssi/Makefile 1.75
- chat/irssi/Makefile.common 1.19
- chat/irssi/distinfo 1.38
- chat/irssi/patches/patch-scripts_buf.pl deleted
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Jan 5 15:49:47 UTC 2017

Modified Files:
pkgsrc/chat/irssi-xmpp: Makefile distinfo

Log Message:
irssi-xmpp: catch up with irssi changes. bump PKGREVISION to ensure it is rebuilt.
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Jan 5 15:48:34 UTC 2017

Modified Files:
pkgsrc/chat/irssi-icb: Makefile distinfo

Log Message:
irssi-icb: catch up with irssi changes. bump PKGREVISION to ensure it is rebuilt.
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Jan 5 15:46:10 UTC 2017

Modified Files:
pkgsrc/chat/irssi: Makefile Makefile.common distinfo
Removed Files:
pkgsrc/chat/irssi/patches: patch-scripts_buf.pl

Log Message:
irssi: update to 0.8.21.

irssi 0.8.21 is a maintenance release without any new features.

Changes:
- Correct a NULL pointer dereference in the nickcmp function found by Joseph Bisch (GL#1)
- Correct an out of bounds read in certain incomplete control codes found by Joseph Bisch (GL#2)
- Correct an out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch (GL#3)
- Correct an error when receiving invalid nick message (GL#4, #466)
2017-01-08  Pullup ticket #5181 - requested by taca  bsiegert  3  -8/+10
www/contao43: security fix

Revisions pulled up:
- www/contao43/Makefile 1.4
- www/contao43/PLIST 1.3
- www/contao43/distinfo 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Dec 30 04:48:24 UTC 2016

Modified Files:
pkgsrc/www/contao43: Makefile PLIST distinfo

Log Message:
Update contao43 to 4.3.2, including fix for CVE-2016-10074.

* Raise the minimum SwiftMailer version.
* Remove some left-over settings labels.
* Go back to using the stable channel of Composer now that version 1.3 has been released.
* Reduce the filter menu width if preceded by the submit panel.
2017-01-08  Pullup ticket #5180 - requested by taca  bsiegert  2  -7/+7
www/contao35: security fix

Revisions pulled up:
- www/contao35/Makefile 1.22
- www/contao35/distinfo 1.18
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Dec 30 04:46:20 UTC 2016

Modified Files:
pkgsrc/www/contao35: Makefile distinfo

Log Message:
Update contao35 to 3.5.21.

Version 3.5.21 (2016-12-29)
---------------------------

### Updated
Update SwiftMailer to version 5.4.5 (fixes CVE-2016-10074).
2017-01-08  Pullup ticket #5179 - requested by taca  bsiegert  3  -9/+10
databases/phpmyadmin: security fix

Revisions pulled up:
- databases/phpmyadmin/Makefile 1.151
- databases/phpmyadmin/PLIST 1.45
- databases/phpmyadmin/distinfo 1.106
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Dec 30 04:44:43 UTC 2016

Modified Files:
pkgsrc/databases/phpmyadmin: Makefile PLIST distinfo

Log Message:
Update phpmyadmin to 4.6.5.2, including security fixes.

4.6.5.2 (2016-12-05)
- issue #12765 Fixed SQL export with newlines

4.6.5.1 (2016-11-25)
- issue #12735 Incorrect parameters to escapeString in Node.php
- issue #12734 Fix PHP error when mbstring is not installed
- issue #12736 Don't force partition count to be specified when creating a new table

4.6.5 (2016-11-24)
- issue Remove potentially license problematic sRGB profile
- issue #12459 Display read only fields as read only when editing
- issue #12384 Fix expanding of navigation pane when clicking on database
- issue #12430 Improve partitioning support
- issue #12374 Reintroduced simplified PmaAbsoluteUri configuration directive
- issue Always use UTC time in HTTP headers
- issue #12479 Simplified validation of external links
- issue #12483 Fix browsing tables with built in transformations
- issue #12485 Do not show warning about short blowfish_secret if none is set
- issue #12251 Fixed random logouts due to wrong cookie path
- issue #12480 Fixed editing of ENUM/SET/DECIMAL fields structure
- issue #12497 Missing escaping of configuration used in SQL (hide_db and only_db)
- issue #12476 Add error checking in reading advisory rules file
- issue #12477 Add checking missing elements and confirming element types from json_decode
- issue #12251 Automatically save SQL query in browser local storage rather than in cookie
- issue #12292 Unable to edit transformations
- issue #12502 Remove unused parameter when connecting to MySQLi
- issue #12303 Fix number formatting with different settings of precision in PHP
- issue #12405 Use single quotes in PHP code
- issue #12534 Option for the dropped column is not removed from 'after_field' select, after the column is dropped
- issue #12531 Properly detect DROP DATABASE queries
- issue #12470 Fix possible race condition in setting URL hash
- issue #11924 Remove caching of server information
- issue #11628 Proper parsing of INSERT ... ON DUPLICATE KEY queries
- issue #12545 Proper parsing of CREATE TABLE ... PARTITION queries
- issue #12473 Code can throw unhandled exception
- issue #12550 Do not try to keep alive session even after expiry
- issue #12512 Fixed rendering BBCode links in setup
- issue #12518 Fixed copy of table with generated columns
- issue #12221 Fixed export of table with generated columns
- issue #12320 Copying a user does not copy usergroup
- issue #12272 Adding a new row with default enum goes to no selection when you want to add more than 2 rows
- issue #12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab
- issue #12554 Absence of scrolling makes it impossible to read longer text values in grid editing
- issue #12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate
- issue #12300 Export selective tables by-default dumps Events also
- issue #12298 Fixed export of view definitions
- issue #12242 Edit routine detail dialog does not fill "Return length" field in mysql functions
- issue #12575 New index Confirm adds whitespace around the field name
- issue #12382 Bug in zoom search
- issue #12321 Assign LIMIT clause only to syntactically correct queries
- issue #12461 Can't Execute SQL With Sub-Query Due To "LIMIT 0,25" Inserted At Wrong Place
- issue #12511 Clarify documentation on ArbitraryServerRegexp
- issue #12508 Remove duplicate code in SQL escaping
- issue #12475 Cleanup code for getting table information
- issue #12579 phpMyAdmin's export of a Select statement without a FROM clause generates Wrong SQL
- issue #12316 Correct export of complex SELECT statements
- issue #12080 Fixed parsing of subselect queries
- issue #11740 Fixed handling DELETE ... USING queries
- issue #12100 Fixed handling of CASE operator
- issue #12455 Query history stores separate entry for every letter typed
- issue #12327 Create PHP code no longer works
- issue #12179 Fixed bookmarking of query with multiple statements
- issue #12419 Wrong description on GRANT OPTION
- issue #12615 Fixed regexp for matching browser versions
- issue #12569 Avoid showing import errors twice
- issue #12362 prefs_manage.php can leave an orphaned temporary file
- issue #12619 Unable to export csv when using union select
- issue #12625 Broken Edit links in query results of JOIN query
- issue #12634 Drop DB error in import if DB doesn't exist
- issue #12338 Designer reverts to first saved ER after EACH relation create or delete
- issue #12639 'Show trace' in Console generates JS error for functions in query's trace called without any arguments
- issue #12366 Fix user creation with certain MariaDB setups
- issue #12616 Refuse to work with mbstring.func_overload enabled
- issue #12472 Properly report connection without password in setup
- issue #12365 Fix records count for large tables
- issue #12533 Fix records count for complex queries
- issue #12454 Query history not updated in console until page refresh
- issue #12344 Fixed parsing of labels in loop
- issue #12228 Fixed parsing of BEGIN labels
- issue #12637 Fixed editing some timestamp values
- issue #12622 Fixed javascript error in designer
- issue #12334 Missing page indicator or VIEWs
- issue #12610 Export of tables with Timestamp/Datetime/Time columns defined with ON UPDATE clause with precision fails
- issue #12661 Error inserting into pma__history after timeout
- issue #12195 Row_format = fixed not visible
- issue #12665 Cannot add a foreign key - non-indexed fields not listed in InnoDB tables
- issue #12674 Allow for proper MySQL-allowed strings as identifiers
- issue #12651 Allow for partial dates on table insert page
- issue #12681 Fixed designer with tables using special chars
- issue #12652 Fixed visual query builder for foreign keys with more fields
- issue #12257 Improved search page performance
- issue #12322 Avoid selecting default function for foreign keys
- issue #12453 Fixed escaping of SQL parts in some corner cases
- issue #12542 Missing table name in account privileges editor
- issue #12691 Remove ksort call on empty array in PMA_getPlugins function
- issue #12443 Check parameter type before processing
- issue #12299 Avoid generating too long URLs in search
- issue #12361 Fix self SQL injection in table-specific privileges
- issue #12698 Add link to release notes and download on new version notification
- issue #12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function)
- issue [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
- issue [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
- issue [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
- issue [security] Possible to bypass logout timeout, see PMASA-2016-62
- issue [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
- issue [security] Multiple XSS weaknesses, see PMASA-2016-64
- issue [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
- issue [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
- issue [security] BBCode injection to login page, see PMASA-2016-67
- issue [security] Denial-of-service (DOS) vulnerability in table partitioning, see PMASA-2016-68
- issue [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue [security] Incorrect serialized string parsing, see PMASA-2016-70
- issue [security] CSRF token not stripped from the URL, see PMASA-2016-71
2017-01-08  Pullup ticket #5178 - requested by taca  bsiegert  8  -93/+62
security/openssh: security fix

Revisions pulled up:
- security/openssh/Makefile 1.250
- security/openssh/distinfo 1.103
- security/openssh/options.mk 1.34
- security/openssh/patches/patch-auth1.c deleted
- security/openssh/patches/patch-clientloop.c 1.5
- security/openssh/patches/patch-openbsd-compat_bsd-openpty.c 1.4
- security/openssh/patches/patch-session.c 1.8
- security/openssh/patches/patch-sshd.c 1.8
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Dec 30 04:43:16 UTC 2016

Modified Files:
pkgsrc/security/openssh: Makefile distinfo options.mk
pkgsrc/security/openssh/patches: patch-clientloop.c patch-openbsd-compat_bsd-openpty.c patch-session.c patch-sshd.c
Removed Files:
pkgsrc/security/openssh/patches: patch-auth1.c

Log Message:
Update openssh to 7.4.1 (7.4p1), including security fixes. For full changes, please refer to the ChangeLog file.

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in future releases, specifically:

* In approximately August 2017, removing remaining support for the SSH v.1 protocol (client-only and currently compile-time disabled).
* In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled).
* Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
* The next release of OpenSSH will remove support for running sshd(8) with privilege separation disabled.
* The next release of portable OpenSSH will remove support for OpenSSL version prior to 1.0.1.

This list reflects our current intentions, but please check the final release notes for future releases.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing configurations:

* This release removes server support for the SSH v.1 protocol.
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
* sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.

Changes since OpenSSH 7.3
=========================

This is primarily a bugfix release.

Security
--------

* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
* sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
2017-01-02  Pullup tickets #5176 and #5177.  bsiegert  1  -1/+7
2017-01-02  Pullup ticket #5177 - requested by dholland  bsiegert  1  -2/+2
editors/emacs: build fix

PR pkg/51757.

Revisions pulled up:
- editors/emacs/Makefile.common 1.41
---
Module Name: pkgsrc
Committed By: tron
Date: Sun Jan 1 02:06:46 UTC 2017

Modified Files:
pkgsrc/editors/emacs: Makefile.common

Log Message:
Use the package "editors/emacs25" and not "editors/emacs-snapshot" for the new default "emacs25".
2017-01-02  Pullup ticket #5176 - requested by gdt  bsiegert  1  -1/+6
lang/llvm: build fix

Revisions pulled up:
- lang/llvm/Makefile 1.11
---
Module Name: pkgsrc
Committed By: gdt
Date: Mon Jan 2 00:03:42 UTC 2017

Modified Files:
pkgsrc/lang/llvm: Makefile

Log Message:
On i386, use -march=i586 for 64-bit CAS

This matches tnn's change to lang/libLLVM.

No PKGREVISION; no change on !i386 and on i386 this did not build before.
2016-12-29  Add CHANGES file for 2016Q4 branch.  wiz  1  -0/+4
2016-12-29  Updated graphics/png to 1.6.27  wiz  1  -1/+2
2016-12-29  Updated png to 1.6.27, security fix release.  wiz  2  -7/+7
Version 1.6.27beta01 [November 2, 2016]
  Restrict the new ADLER32-skipping to IDAT chunks. It broke iCCP chunk handling: an erroneous iCCP chunk would throw a png_error and reject the entire PNG image instead of rejecting just the iCCP chunk with a warning, if built with zlib-1.2.8.1.

Version 1.6.27rc01 [December 27, 2016]
  Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
  Removed the use of a macro containing the pre-processor 'defined' operator. It is unclear whether this is valid; a macro that "generates" 'defined' is not permitted, but the use of the word "generates" within the C90 standard seems to imply more than simple substitution of an expression itself containing a well-formed defined operation.
  Added ARM support to CMakeLists.txt (Andreas Franek).

Version 1.6.27 [December 29, 2016]
  Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian).
2016-12-29  Add a patch so that this builds on netbsd-6 as well.  he  2  -1/+18
OK from wiz@
2016-12-29  sort  jnemeth  1  -2/+2
2016-12-27  Back out the NOT_JOBS_SAFE change. It turns out I was seeing an unrelated  bsiegert  1  -4/+1
problem. Sorry for the noise.
2016-12-27  + mpv-0.23.0  leot  1  -1/+2
2016-12-27  Patch for CVE-2016-4658 & CVE-2016-5131  sevan  6  -3/+171
Bump rev
2016-12-26  make the message about null page less OS specific (suggest linux  maya  2  -10/+14
sysctl as well)
2016-12-26  Add nss-3.28  ryoon  1  -1/+2
This breaks www/firefox for ECDSA https connection, for example, *.google.com.
2016-12-26  Fix PLIST for kde4 option  ryoon  1  -1/+3
2016-12-25  PLIST catchup for recent update.  markd  1  -1/+31
2016-12-25  Don't expect pointers to have a sign.  joerg  5  -16/+62
2016-12-25  Fix clang detection again.  joerg  3  -11/+64
2016-12-25  -std=c++11 is a C++-only option, so don't put it in CPPFLAGS.  joerg  1  -2/+2
2016-12-25  Don't try using LuaJIT if detected.  markd  1  -1/+2
2016-12-25  Note pcre dependency  markd  1  -1/+4
Fix sysconfdir setting.
2016-12-25  Fix ruby-gnome2-gobject-introspection dependency as defined in the gem.  tsutsui  1  -1/+3
2016-12-25  Note update of www/contao43 package to 4.3.1.  taca  1  -1/+2
2016-12-25  Update contao43 to 4.3.1, a leaf package.  taca  3  -29/+161
### 4.3.1 (2016-12-22)

* Preserve uppercase characters in custom sections IDs (see #639).
* Always show the section title instead of its ID (see #640).
* Correctly handle DropZone file uploads (see #637).
* Fix the markup of the CSV importers (see #645).
* Correctly symlink the logs directory under Windows (see #634).
2016-12-25  Updated finance/moneyguru to 2.10.2nb1  wiz  1  -1/+2
2016-12-25  Some dependency (sphinx?) changed their behaviour -- update PLIST.  wiz  2  -53/+54
Bump PKGREVISION.
2016-12-25  Fix jasper fallout.  wiz  1  -1/+4
2016-12-25  Re-add gtk3 PLIST entries.  wiz  1  -1/+7
2016-12-25  Fix PLIST from wiz@. Thank you  ryoon  1  -3/+4
2016-12-25  + fldigi-3.23.19, phpmyadmin-4.6.5.2 [pkg/51741].  wiz  1  -1/+3
2016-12-25  Updated mail/exim to 4.88  wiedi  1  -1/+2
2016-12-25  Update exim to 4.88  wiedi  3  -17/+17
Security update to address CVE-2016-9963

Exim version 4.88
-----------------

JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination supports it and a size is available (ie. the sending peer gave us one).
JH/02 The obsolete acl condition "demime" is removed (finally, after ten years of being deprecated). The replacements are the ACLs acl_smtp_mime and acl_not_smtp_mime.
JH/03 Upgrade security requirements imposed for hosts_try_dane: previously a downgraded non-dane trust-anchor for the TLS connection (CA-style) or even an in-clear connection were permitted. Now, if the host lookup was dnssec and dane was requested then the host is only used if the TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) if one fails this test. This means that a poorly-configured remote DNS will make it incommunicado; but it protects against a DNS-interception attack on it.
JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered.
JH/05 If main configuration option tls_certificate is unset, generate a self-signed certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers.
JH/07 Retire gnutls_require_mac et al. These were nonfunctional since 4.80 and logged a warning since 4.83; now they are a configuration file error.
JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name (lacking @domain). Apply the same qualification processing as RCPT.
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
JH/10 Support ${sha256:} applied to a string (as well as the previous certificate).
JH/11 Cutthrough: avoid using the callout hints db on a verify callout when a cutthrough deliver is pending, as we always want to make a connection. This also avoids re-routing the message when later placing the cutthrough connection after a verify cache hit. Do not update it with the verify result either.
JH/12 Cutthrough: disable when verify option success_on_redirect is used, and when routing results in more than one destination address.
JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim signing (which inhibits the cutthrough capability). Previously only the presence of an option was tested; now an expansion evaluating as empty is permissible (obviously it should depend only on data available when the cutthrough connection is made).
JH/14 Fix logging of errors under PIPELINING. Previously the log line giving the relevant preceding SMTP command did not note the pipelining mode.
JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. Previously they were not counted.
JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same as one having no matching records. Previously we deferred the message that needed the lookup.
JH/17 Fakereject: previously logged as a normal message arrival "<="; now distinguished as "(=".
JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work for missing MX records. Previously it only worked for missing A records.
JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops after the data-go-ahead and data-ack. Patch from Jason Betts.
JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results, even for a "none" policy. Patch from Tony Meyer.
JH/22 Fix continued use of a connection for further deliveries. If a port was specified by a router, it must also match for the delivery to be compatible.
JH/23 Bug 1874: fix continued use of a connection for further deliveries. When one of the recipients of a message was unsuitable for the connection (has no matching addresses), we lost track of needing to mark it deferred. As a result mail would be lost.
JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
JH/25 Decoding ACL controls is now done using a binary search; the source code takes up less space and should be simpler to maintain. Merge the ACL condition decode tables also, with similar effect.
JH/26 Fix problem with one_time used on a redirect router which returned the parent address unchanged. A retry would see the parent address marked as delivered, so not attempt the (identical) child. As a result mail would be lost.
JH/27 Fix a possible security hole, wherein a process operating with the Exim UID can gain a root shell. Credit to http://www.halfdog.net/ for discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim itself :(
JH/28 Enable {spool,log} filesystem space and inode checks as default. Main config options check_{log,spool}_{inodes,space} are now 100 inodes, 10MB unless set otherwise in the configuration.
JH/29 Fix the connection_reject log selector to apply to the connect ACL. Previously it only applied to the main-section connection policy options.
JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created by me. Added RFC7919 DH primes as an alternative.
PP/02 Unbreak build via pkg-config with new hash support when crypto headers are not in the system include path.
JH/31 Fix longstanding bug with aborted TLS server connection handling. Under GnuTLS, when a session startup failed (eg because the client disconnected) Exim did stdio operations after fclose. This was exposed by a recent change which nulled out the file handle after the fclose.
JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is signed directly by the cert-signing cert, rather than an intermediate OCSP-signing cert. This is the model used by LetsEncrypt.
JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on an incoming connection.
HS/02 Bug 1802: Do not half-close the connection after sending a request to rspamd.
HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 fallback to "prime256v1".
JH/34 SECURITY: Use proper copy of DATA command in error message. Could leak key material. Remotely exploitable. CVE-2016-9963.

ok wiz@
2016-12-25  + ImageMagick-7.0.4.0, abcm2ps-8.13.2, ffmpeg2-2.8.10, global-6.5.6,  wiz  1  -3/+22
graphviz-2.40.1, libgcrypt-1.7.5, libgpg-error-1.26, lighttpd-1.4.44, notmuch-0.23.4, p5-DBD-SQLite-1.54, p5-Scalar-List-Utils-1.47, p5-YAML-1.21, py-dulwich-0.16.0, py-hypothesis-3.6.1, py-idna-2.2, py-lxml-3.7.1, py-numpy-1.11.3, qemu-2.8.0, tor-0.2.9.8, unifont-9.0.06, x264-devel-20161224.
2016-12-25  Work around long filename extraction issue  adam  1  -1/+2
2016-12-25  Updated shells/zsh to 5.3  ryoon  1  -1/+2
2016-12-25  Update to 5.3  ryoon  3  -11/+55
Changelog:

Changes from 5.2 to 5.3
-----------------------

It is possible to enable character width support for Unicode 9 by configuring with `--enable-unicode9'; this compiles in some additional tables. At some point this support may move into a module, in which case the configure option will be changed to cause the module to be permanently loaded. This option is not useful unless your terminal also supports Unicode 9.

The new word modifier ':P' computes the physical path of the argument. It is different from the existing ':a' modifier which always resolves '/before/here/../after' to '/before/after', and differs from the existing ':A' modifier which resolves symlinks only after 'here/..' is removed, even when /before/here is itself a symbolic link. It is recommended to review uses of ':A' and, if appropriate, convert them to ':P' as soon as compatibility with 5.2 is no longer a requirement.

The output of "typeset -p" uses "export" commands or the "-g" option for parameters that are not local to the current scope. Previously, all output was in the form of "typeset" commands, never using "-g".

vi-repeat-change can repeat user-defined widgets if the widget calls zle -f vichange.

The parameter $registers now makes the contents of vi register buffers available to user-defined widgets.

New vi-up-case and vi-down-case builtin widgets bound to gU/gu (or U/u in visual mode) for doing case conversion.

A new select-word-match function provides vim-style text objects with configurable word boundaries using the existing match-words-by-style mechanism.

Support for the conditional expression [[ -v var ]] to test if a variable is set for compatibility with other shells.

The print and printf builtins have a new option -v to assign the output to a variable. This is for bash compatibility but with the additional feature that, for an array, a separate element is used each time the format is reused.

New x: syntax in completion match specifications make it possible to disable match specifications hardcoded in completion functions.
2016-12-25  Updated lang/opensource-cobol to 1.5.1J  ryoon  2  -3/+3