| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
by the author. Bump PKGREVISION.
|
|
* Sync with mail/thunderbird-l10n-68.10.0.
|
|
Changelog:
Fixes
fixed Chat: Topics displayed some characters improperly
fixed Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected
Security fixes:
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login credentials
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
|
|
|
|
|
|
|
|
|
|
Update pear-Mail_Mime to 1.10.9.
1.10.9 (2020-06-27 04:37 UTC)
Changelog:
* Added a workaround for an opcache bug on OpenSuse 15.1 [alec]
|
|
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
|
|
|
|
thanks jperkin for the hint.
|
|
doesn't actually append).
|
|
Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.
|
|
This release fixes a regression from the 1.14.3 release. Encryption settings
are no longer checked when using $tunnel to connect to a preauthenticated IMAP
server.
|
|
Remove some patches that would get voting rights soon.
Remove support for NetBSD 1.5.
pkglint cleanup.
XXX: someone should send the remaining patches upstream.
Mutt 1.14.4 was released on June 18, 2020. This is an important
bug-fix release. It fixes a possible machine-in-the-middle response
injection attack when using STARTTLS with IMAP, POP3, and SMTP
(CVE-2020-14954).
Mutt 1.14.3 was released on June 14, 2020. This is an important
bug-fix release. It fixes a possible IMAP fcc/postpone
machine-in-the-middle attack (CVE-2020-14093). It also fixes some
GnuTLS certificate prompt issues.
Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release,
fixing a few prompt buffer-size issues and adding a potential DoS
mitigation.
Mutt 1.14.1 was released on May 16, 2020. This is a bug-fix release,
fixing a documentation build issue and a few other small bugs.
Mutt 1.14.0 was released on May 2, 2020. This release has new
features and bug fixes. See the UPDATING file, or for more details
see the release notes page.
|
|
2020-06-19 Richard Russon <rich@flatcap.org>
* Security
- Abort GnuTLS certificate check if a cert in the chain is rejected
- TLS: clear data after a starttls acknowledgement
- Prevent possible IMAP MITM via PREAUTH response
* Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
* Contrib
- sample.neomuttrc-starter: Do not echo promted password
* Bug Fixes
- make "news://" and "nntp://" schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP "NO" resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
* Changed Config
- `$alias_format` default changed to include `%c` comment
- `$query_format` default changed to include `%e` extra info
* Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
* Docs
- Add missing commands unbind, unmacro to man pages
* Build
- Check size of long using `LONG_MAX` instead of `__WORDSIZE`
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
* Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: `main_change_folder()`
- refactor: `mutt_mailbox_next()`
- refactor: `generate_body()`
- compress: add `{min,max}_level` to ComprOps
- emphasise empty loops: "// do nothing"
- prex: convert `is_from()` to use regex
- Refactor IMAP's search routines
2020-05-01 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
* Translations
- 100% Lithuanian
* Docs
- make header cache config more explicit
|
|
|
|
pkgsrc changes:
- Update MASTER_SITES and HOMEPAGE to current ones
Changes:
Version 1.4.10:
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
Version 1.4.9:
- No significant changes.
Version 1.4.8:
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Fixed the source_ip command for proxies.
Version 1.4.7:
- Minor bug fixes.
Version 1.4.6:
- Minor bug fixes.
Version 1.4.5:
- Fixed OAUTHBEARER.
- Support for TLS client certificates via PKCS11 devices, e.g. smart cards.
- Various small bug fixes and improvements.
Version 1.4.4:
- Added support for the OAUTHBEARER authentication method.
- Several minor bug fixes.
Version 1.4.3:
- This version fixes a security problem that affects version 1.4.2 (older
versions are not affected): when the new default value system for
tls_trust_file is used, the result of certificate verification was not
properly checked.
Version 1.4.2:
- To simplify TLS setup, the tls_trust_file command has a new default value
'system' that selects the system default trust. Now you just need tls=on to
use TLS; the other TLS options are only required in special cases.
To make this work without breaking compatibility with older mpop versions,
tls_fingerprint now overrides tls_trust_file, and tls_certcheck=off overrides
both (previously, you could not specify contradicting options).
- To simplify setup, a new option '--configure <mailaddress>' was added that
automatically generates a configuration file for a given mail address.
However, this only works if the mail domain publishes appropriate SRV records.
Version 1.4.1:
- Fixed our TLS code to support TLS 1.3 with GnuTLS.
Version 1.4.0:
- Using OpenSSL is discouraged and may not be supported in the future. Please
use GnuTLS instead. The reasons are explained here:
https://marlam.de/mpop/news/openssl-discouraged/
- As using GNU SASL is most likely unnecessary, it is disabled by default now.
Since everything uses TLS nowadays and thus can use PLAIN authentication, you
really only need it for GSSAPI.
- If your system requires a library for IDN support, libidn2 is now used instead
of the older libidn.
- The APOP and CRAM-MD5 authentication method are marked as obsolete / insecure
and will not be chosen automatically anymore.
- The passwordeval command does not require the password to be terminated by a
new line character anymore.
- Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile()
is removed.
Version 1.2.8:
- Fix support for ~/.config/mpop/config as configuration file
- Add --source-ip option and source_ip command to bind the outgoing connection
to a specific source IP address.
- Enable SNI for TLS
Version 1.2.7:
- Add support for ~/.config/mpop/config as configuration file
- Add network timeout handling on Windows
- Fix command line handling of SHA256 TLS fingerprints
- Update german translation
Discussed and ok with <reed>, thanks!
|
|
Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the really updated package and other packages
have no change except version.
CHANGELOG of www/ruby-actionpack60 is here:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
|
|
|
|
|
|
- Re-enable multiprocess mode
- Drop hacks for crossprocess semaphores on NetBSD
- Drop OSS support
- Drop unused gnome option
Bump PKGREVISION
|
|
Update postfix and related pacakges to 3.5.3.
Quote freom release announce.
Postfix 3.5.3, 3.4.13:
* TLS handshake failure in the Postfix SMTP server during SNI
processing, after the server-side TLS engine sent a TLSv1.3
HelloRetryRequest (HRR) to a remote SMTP client. Reported by
J??n M??t??, fixed by Viktor Dukhovni.
Postfix versions 3.5.3, 3.4.13, 3.3.11, 3.2.16:
* The command "postfix tls deploy-server-cert" did not handle a
missing optional argument. This bug was introduced in Postfix
3.1.
|
|
|
|
Update pear-Mail_Mime to 1.10.8.
1.10.8 (2020-06-13 03:00 UTC)
Changelog:
* Fix encoding issues with ISO-2022-JP-MS input labelled with ISO-2022-JP
[shirosaki]
|
|
|
|
Changelog:
Version 1.8.11:
- Add a new undisclosed_recipients command and --undisclosed-recipients option
to replace To, Cc, Bcc with a single "To: undisclosed-recipients:;" header.
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
|
|
changes unknown
|
|
|
|
|
|
|
|
Update roundcube to 1.14.6.
RELEASE 1.4.6
-------------
- Installer: Fix regression in SMTP test section (#7417)
|
|
Update roundcube-plugin-password to 1.4.5
RELEASE 1.4.5
-------------
- Password: Fix issue with Modoboa driver (#7372)
|
|
Update roundcube to 1.4.5, including some security fixes.
pkgsrc change:
* Proper replace PHP interpreter.
* Fix php-sockets option to work.
RELEASE 1.4.5
-------------
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
|
|
|
|
Note: the release strategy of Thunderbird has changed and there
will be no more non-extended-support releases, so mail/thunderbird
contains the most recent extended support release, derived from firefox68
|
|
- Add NO_BUILD=yes
- Move SUBST_STAGE to pre-configure target
|
|
|
|
* Sync with mail/thunderbird-68.9.0.
|
|
Changelog:
Fixes
fixed Custom headers added for searching or filtering could not be removed
fixed Calendar: Today Pane updated prior to loading all data
fixed Stability improvements
fixed Various security fixes
Security fixes:
#CVE-2020-12399: Timing attack on DSA signatures in NSS library
#CVE-2020-12405: Use-after-free in SharedWorkerService
#CVE-2020-12406: JavaScript Type confusion with NativeTypes
#CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
#CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage
|
|
While here, clean up options.mk.
Bump PKGREVISIONs
|
|
Provided by erwinlem in joyent/pkgsrc#267.
|
|
|
|
Security fix for https://sympa-community.github.io/security/2020-002.html
Translation updates
|
|
|
|
Exim version 4.94
-----------------
JH/01 Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
JH/05 Regard command-line receipients as tainted.
JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
JH/17 Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
JH/18 Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
are now specifically given a NO_DATA response without hitting the system
resolver. The library goes on to do the now-standard TXT lookup.
Use of dnsdb lookups is not affected.
JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once. Previously two calls to dlerror()
were used, and the second one (for mainlog/paniclog) retrieved null
information.
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
- the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
- named-queue names
- paths used by single-key lookups
Previously this was permitted.
JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
previous fast-mode was untenable in the face of glibs using mmap to
support larger malloc requests.
PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
New values supported, if defined on system where compiled:
allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
JH/23 Performance improvement in the initial phase of a two-pass queue run. By
running a limited number of proceses in parallel, a benefit is gained. The
amount varies with the platform hardware and load. The use of the option
queue_run_in_order means we cannot do this, as ordering becomes
indeterminate.
JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
had introduced a string-copy (for ensuring NUL-termination) which was not
appropriate for that case, which can include embedded NUL bytes in the
block of data. Investigation showed the copy to actually be needless, the
data being length-specified.
JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.
JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections.
Previously, when delivering serveral messages down a single connection
only the first would provide a SIZE. This was due to the size information
not being properly tracked.
JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as
TAI (at 37 seconds currently), pretend to be in UTC for time-related
expansion and logging. Previously, spurious values such as a future
minute could be seen.
JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations
it could crash from a null-deref. This could also affect the
${addresses: } operator and ${readsock } item.
JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime
message following a mime one, the variable was not reset.
JH/30 When an pipelined-connect fails at the first response, assume incorrect
cached capability (perhaps the peer reneged?) and immediately retry in
non-pipelined mode.
JH/31 Fix spurious detection of timeout while writing to transport filter.
JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously
an attempt to copy the string was made before checking it.
JH/33 Fix the dsearch lookup to return an untainted result. Previously the
taint of the lookup key was maintained; we now regard the presence in the
filesystem as sufficient validation.
JH/34 Fix the readsocket expansion to not segfault when an empty "options"
argument is supplied.
JH/35 The dsearch lookup now requires that the directory is an absolute path.
Previously this was not checked, and nonempty relative paths made an
access under Exim's current working directory.
JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case.
Previously no event was raised.
JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE
parameter supplied by the sender MAIL FROM command. Previously it was
ignored, and only the check_spool_space option value for the required
leeway checked.
JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present
the size of the signing public-key. Previously it was instead giving
the size of the signature hash.
JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
the default. See the (new) dkim_verify_min_keysizes option.
JH/40 Fix a memory-handling bug: when a connection carried multiple messages
and an ACL use a lookup for checking either the local_part or domain,
stale data could be accessed. Ensure that variable references are
dropped between messages.
JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
by the client was not checked as pointing within response data before
being used. A malicious client could thus cause an out-of-bounds read and
possibly gain authentication. Fix by adding the check.
JH/42 Internationalisation: change the default for downconversion in the smtp
transport to be "if needed". Previously it was "as previously set" for
the message, which usually meant "if needed" for message-submission but
"no" for everything else. However, MTAs have been seen using SMTPUTF8
even when the envelope addresses did not need it, resulting in forwarding
failures to non-supporting MTAs. A downconvert in such cases will be
a no-op on the addresses, merely dropping the use of SMTPUTF8 by the
transport. The change does mean that addresses needing conversion will
be converted when previously a delivery failure would occur.
JH/43 Fix possible long line in DSN. Previously when a very long SMTP error
response was received it would be used unchecked in a fail-DSN, violating
standards on line-length limits. Truncate if needed.
HS/01 Remove parameters of the link to www.open-spf.org. The linked form
doesn't work. (Additionally add a new main config option to configure the
spf_smtp_comment)
|
|
The correct option would be --enable-lock=flock.
|
|
|
|
|
|
|
