Fix build on systems with disabled X11
Reported by <schmonz>, Andreas Kusalananda Kahari
Tested by Andreas Kusalananda Kahari
Possible direction is to make this switch by default disabled on Darwin.
|
|
This release contains bug-fixes for the LLVM 3.8.0 release. This
release is API and ABI compatible with 3.8.0.
|
|
MODNAME, but use PKGMODNAME as the base for extension file to load; this deals with modules like apcu_bc, which has extension name 'apc', but needs to be loaded after 'apcu' since it uses its symbols
|
|
Bumped PKGREVISION.
|
|
Byterun is a pure-Python implementation of a Python bytecode execution
virtual machine. It was started to get a better understanding of
bytecodes to fix branch coverage bugs in coverage.py.
|
|
PKGMODNAME such as php-pdflib; problem reported by Uwe Klaus
|
|
comment there
|
|
required by recode library is provided unconditionally; it should not depend on whether or not program without this symbol happens to compile
|
|
21 Jul 2016 PHP 7.0.9
- Core:
. Fixed bug #72508 (strange references after recursive function call and
"switch" statement). (Laruence)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (Stas)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries
and applications). (Stas)
- bz2:
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- CLI:
. Fixed bug #72484 (SCRIPT_FILENAME shows wrong path if the user specify
router.php). (Laruence)
- COM:
. Fixed bug #72498 (variant_date_from_timestamp null dereference). (Anatol)
- Curl:
. Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas)
- Exif:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
. Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
. Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(Pierre)
. Fixed bug #72482 (Illegal write/read access caused by gdImageAALine
overflow). (Pierre)
. Fixed bug #72494 (imagecropauto out-of-bounds access). (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- Mbstring:
. Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) -
oob read access). (Laruence)
. Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
- mcrypt:
. Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to
heap overflow in mdecrypt_generic). (Stas)
- PDO_pgsql:
. Fixed bug #72570 (Segmentation fault when binding parameters on a query
without placeholders). (Matteo)
- PCRE:
. Fixed bug #72476 (Memleak in jit_stack). (Laruence)
. Fixed bug #72463 (mail fails with invalid argument). (Anatol)
- Readline:
. Fixed bug #72538 (readline_redisplay crashes php). (Laruence)
- Standard:
. Fixed bug #72505 (readfile() mangles files larger than 2G). (Cschneid)
. Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
(Laruence)
- Session:
. Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (Stas)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (Stas)
- Streams:
. Fixed bug #72439 (Stream socket with remote address leads to a segmentation
fault). (Laruence)
- XMLRPC:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn
simplestring.c). (Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (Stas)
|
|
21 Jul 2016, PHP 5.6.24
- Core:
. Fixed bug #71936 (Segmentation fault destroying HTTP_RAW_POST_DATA).
(mike dot laspina at gmail dot com, Remi)
. Fixed bug #72496 (Cannot declare public method with signature incompatible
with parent private method). (Pedro Magalhães)
. Fixed bug #72138 (Integer Overflow in Length of String-typed ZVAL). (Stas)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (loianhtuan at gmail dot com)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (taoguangchen at icloud dot com)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
applications). (CVE-2016-5385) (Stas)
- bz2:
. Fixed bug #72447 (Type Confusion in php_bz2_filter_create()). (gogil at
stealien dot com).
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- EXIF:
. Fixed bug #50845 (exif_read_data() returns corrupted exif headers).
(Bartosz Dziewoński)
- EXIF:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
. Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
. Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(CVE-2016-6207) (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
- OpenSSL:
. Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
(Jakub Zelenka)
. Fixed bug #72336 (openssl_pkey_new does not fail for invalid DSA params).
(Jakub Zelenka)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (taoguangchen at icloud dot com)
- SPL:
. Fixed bug #55701 (GlobIterator throws LogicException). (Valentin VĂLCIU)
- SQLite3:
. Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
(cmb)
- Streams:
. Fixed bug #72439 (Stream socket with remote address leads to a segmentation
fault). (Laruence)
- Xmlrpc:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
(Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (loianhtuan at gmail dot com)
|
|
Quote from release note:
Note that according to our release schedule, PHP 5.5.38 is the last release
of the PHP 5.5 branch. There may be additional release if we discover
important security issues that warrant it, otherwise this release will be
the final one in the PHP 5.5 branch. If your PHP installation is based on
PHP 5.5, it may be a good time to start making the plans for the upgrade to
PHP 5.6 or PHP 7.0.
21 Jul 2016, PHP 5.5.38
- BZip2:
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- Core:
. Fixed bug #70480 (php_url_parse_ex() buffer overflow read). (Stas)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (loianhtuan at gmail dot com)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (taoguangchen at icloud dot com)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
applications). (CVE-2016-5385) (Stas)
- EXIF:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(CVE-2016-6207) (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (taoguangchen at icloud dot com)
- Xmlrpc:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
(Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (loianhtuan at gmail dot com)
|
|
Noted by <wiz>
Solution suggested by <leot>
|
|
A Python code can dynamically load shared libraries and it's wrapped with
a plain dlopen(3) call. The holder of this interface (_ctypes module)
without rpath set to X11BASE cannot detect libs like 'GL'.
This might be the last step to fix issues with running GUI Python
applications on NetBSD.
Bump PKGREVISION.
|
|
This isn't addressing Python's wrapper for dlopen(3).
This possibly addresses mostly NetBSD as other popular OSes have ldconfig.
Testing commands:
- before applying the patch
>>> from ctypes.util import find_library
>>> find_library("m")
'libm.so.0'
>>> find_library("crypto")
'libcrypto.so.11'
>>> find_library("GL")
>>> find_library("curl")
- after applying the patch
>>> from ctypes.util import find_library
>>> find_library("m")
'libm.so.0'
>>> find_library("crypto")
'libcrypto.so.11'
>>> find_library("GL")
'libGL.so.2'
>>> find_library("curl")
'libcurl.so.4'
This patch doesn't solve the case of custom dirs like $PREFIX/qt5/lib.
However it's solving most common cases of using this call.
A possible solution is to parse the output "pkg_info -La"... however it's
very slow. In other words a cache with libraries might be needed to handle
it efficiently.
Bump PKGREVISION.
|
|
Qore 0.8.12 is a major new release with many new features and hundreds of bug
fixes as well as packaging fixes. Highlights include:
* The most significant innovation in this release comes in the form of support
for Prompt Collection
* Support for Bulk DML (large volume SQL operations in one server round-trip)
in the Mapper, TableMapper, SqlUtil and the new BulkSqlUtil modules
* Standardized function naming convention, many significant design and
implementation fixes and improvements
* Numerous new functions, methods, constants, operators, and user modules
* Hundreds of bug fixes
|
|
A security-related issue was recently reported in Go's net/http/cgi package and
net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain
a fix for this issue.
Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in
the CGI components resulting in the HTTP_PROXY environment variable being set
by the incoming Proxy header. This environment variable was also used to set
the outgoing proxy, enabling an attacker to insert a proxy into outgoing
requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change:
https://golang.org/cl/25010, tracked in this issue:
https://golang.org/issue/16405
The Go team would like to thank Dominic Scheirlinck for coordinating disclosure
of this issue across multiple languages and CGI environments. Read more about
"httpoxy" here: https://httpoxy.org/
Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354
for details.
|
|
instead of requiring manual configuration of ${PKG_SYSCONFDIR}/php.ini - put a module-specific .ini file for this into ${PKG_SYSCONFDIR}/php.d
|
|
Changes in 2.0.12 (since 2.0.11):
* Notable changes
** FFI: Add support for functions that set 'errno'
When accessing POSIX functions from a system's libc via Guile's dynamic
FFI, you commonly want to access the 'errno' variable to be able to
produce useful diagnostic messages.
This is now possible using 'pointer->procedure' or
'scm_pointer_to_procedure_with_errno'. See "Dynamic FFI" in the manual.
** The #!r6rs directive now influences read syntax
The #!r6rs directive now changes the per-port reader options to make
Guile's reader conform more closely to the R6RS syntax. In particular:
- It makes the reader case sensitive.
- It disables the recognition of keyword syntax in conflict with the
R6RS (and R5RS).
- It enables the `square-brackets', `hungry-eol-escapes' and
`r6rs-hex-escapes' reader options.
** 'read' now accepts "\(" as equivalent to "("
This is intended for use at the beginning of lines in multi-line strings
to avoid confusing Emacs' lisp modes. Previously "\(" was an error.
** SRFI-14 character data set upgraded to Unicode 8.0.0
** SRFI-19 table of leap seconds updated
** 'string-hash', 'read-string', and 'write' have been optimized
** GOOPS bug fix for inherited accessor methods
In the port of GOOPS to Guile 2.0, we introduced a bug related to
accessor methods. The bug resulted in GOOPS assuming that a slot S in
an object whose class is C would always be present in instances of all
subclasses C, and allocated to the same struct index. This is not the
case for multiple inheritance. This behavior has been fixed to be as it
was in 1.8.
One aspect of this change may cause confusion among users. Previously
if you defined a class C:
(use-modules (oop goops))
(define-class C ()
(a #:getter get-a))
And now you define a subclass, intending to provide an #:init-value for
the slot A:
(define-class D ()
(a #:init-value 42))
Really what you have done is define in D a new slot with the same name,
overriding the existing slot. The problem comes in that before fixing
this bug (but not in 1.8), the getter 'get-a' would succeed for
instances of D, even though 'get-a' should only work for the slot 'a'
that is defined on class C, not any other slot that happens to have the
same name and be in a class with C as a superclass.
It would be possible to "merge" the slot definitions on C and D, but
that part of the meta-object protocol (`compute-slots' et al) is not
fully implemented.
Somewhat relatedly, GOOPS also had a fix around #:init-value on
class-allocated slots. GOOPS was re-initializing the value of slots
with #:class or #:each-subclass allocation every time instances of that
class was allocated. This has been fixed.
* New interfaces
** New SRFI-28 string formatting implementation
See "SRFI-28" in the manual.
** New (ice-9 unicode) module
See "Characters" in the manual.
** Web server
The (web server) module now exports 'make-server-impl', 'server-impl?',
and related procedures. Likewise, (web server http) exports 'http'.
** New procedures: 'string-utf8-length' and 'scm_c_string_utf8_length'
See "Bytevectors as Strings" in the manual, for more.
** New 'EXIT_SUCCESS' and 'EXIT_FAILURE' Scheme variables
See "Processes" in the manual.
** New C functions to disable automatic SMOB finalization
The new 'scm_set_automatic_finalization_enabled' C function allows you
to choose whether automatic object finalization should be enabled (as
was the case until now, and still is by default.) This is meant for
applications that are not thread-safe nor async-safe; such applications
can disable automatic finalization and call the new 'scm_run_finalizers'
function when appropriate.
See the "Garbage Collecting Smobs" and "Smobs" sections in the manual.
** Cross-compilation to ARM
More ARM cross-compilation targets are supported: "arm.*eb",
"^aarch64.*be", and "aarch64".
* New deprecation
** The undocumented and unused C function 'scm_string_hash' is now deprecated
* Bugs fixed
** Compiler
*** 'call-with-prompt' does not truncate multiple-value returns
(<http://bugs.gnu.org/14347>)
*** Use permissions of source file for compiled file
(<http://bugs.gnu.org/18477>)
*** Fix bug when inlining some functions with optional arguments
(<http://bugs.gnu.org/17634>)
*** Avoid quadratic expansion time in 'and' and 'or' macros
(<http://bugs.gnu.org/17147>)
*** Fix expander bug introduced when adding support for tail patterns
(<http://lists.gnu.org/archive/html/guile-user/2015-09/msg00017.html>)
*** Handle ~p in 'format' warnings (<http://bugs.gnu.org/18299>)
*** Fix bug that exposed `list' invocations to CSE
(<http://bugs.gnu.org/21899>)
*** Reduce eq? and eqv? over constants using equal?
(<http://bugs.gnu.org/21855>)
*** Skip invalid .go files found in GUILE_LOAD_COMPILED_PATH
** Threads
*** Fix data races leading to corruption (<http://bugs.gnu.org/22152>)
** Memory management
*** Fix race between SMOB marking and finalization
(<http://bugs.gnu.org/19883>)
** Ports
*** Setting GUILE_INSTALL_LOCALE=1 sets port default charset from locale
*** Fix port position handling on binary input ports
(<http://bugs.gnu.org/20302>)
*** Bytevector and custom binary ports to use ISO-8859-1
(<http://bugs.gnu.org/20200>)
*** Fix buffer overrun with unbuffered custom binary input ports
(<http://bugs.gnu.org/19621>)
*** Fix memory corruption that arose when using 'get-bytevector-n'
(<http://bugs.gnu.org/17466>)
** System
*** {get,set}sockopt now expect type 'int' for SO_SNDBUF/SO_RCVBUF
*** 'system*' now available on MS-Windows
*** 'open-pipe' now available on MS-Windows
*** Better support for file names containing backslashes on Windows
** Web
*** 'split-and-decode-uri-path' no longer decodes "+" to space
*** HTTP: Support date strings with a leading space for hours
(<http://bugs.gnu.org/23421>)
*** HTTP: Accept empty reason phrases (<http://bugs.gnu.org/22273>)
*** HTTP: 'Location' header can now contain URI references, not just
absolute URIs
*** HTTP: Improve chunked-mode support (<http://bugs.gnu.org/19939>)
*** HTTP: 'open-socket-for-uri' now sets better OS buffering parameters
(<http://bugs.gnu.org/15368>)
** Miscellaneous
*** Fix 'atan' procedure when applied to complex numbers
*** Fix Texinfo to HTML conversion for @itemize and @acronym
(<http://bugs.gnu.org/21772>)
*** 'bytevector-fill!' accepts fill arguments greater than 127
(<http://bugs.gnu.org/19027>)
*** 'bytevector-copy' correctly copies SRFI-4 homogeneous vectors
(<http://bugs.gnu.org/18866>)
*** 'strerror' no longer hangs when passed a non-integer argument
(<http://bugs.gnu.org/18065>)
*** 'scm_boot_guile' now gracefully handles argc == 0
(<http://bugs.gnu.org/18680>)
*** Fix 'SCM_SMOB_OBJECT_LOC' definition (<http://bugs.gnu.org/18495>)
*** Fix bug where 'bit-count*' was not using its second argument
*** SRFI-1 'length+' raises an error for non-lists and dotted lists
(<http://bugs.gnu.org/17296>)
*** Add documentation for SXPath (<http://bugs.gnu.org/19478>)
|
|
Bump PKGREVISION.
|
|
pkgsrc changes:
- Update MASTER_SITES (again!) similar to the one also used by py35-html-docs
(unlike previous MASTER_SITES this one also contains distfiles for later
Python 3.4 versions)
Changes:
No changelog was available. Sync with lang/python34 version.
|
|
HTML Documentation for Python 3.5
|
|
pkgsrc changes:
- Use a MASTER_SITES similar to other lang/py*-html-docs
- Add a LICENSE
Changes:
No changelog was available, just the latest python34 documentation more in sync
with lang/python34 (despite the latest Python 3.4 stable release is 3.4.5 the
latest documentation published is 3.4.3).
|
|
We no longer have lang/python33 so it is less useful now.
Discussed with <wiz>
|
|
According to sem_open(3) man page, NetBSD supports 15 chars length.
Fix SemLock errno 63 ENAMETOOLONG under NetBSD.
|
|
and passing incompatible ld arguments. Bump PKGREVISION.
|