| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
net/bind99: security fix
Revisions pulled up:
- net/bind99/Makefile 1.54
- net/bind99/distinfo 1.37
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 10 00:50:35 UTC 2016
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 package to 9.9.8pl4 (BIND 9.9.8-P4).
--- 9.9.8-P4 released ---
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
|
|
net/bind910: security fix
Revisions pulled up:
- net/bind910/Makefile 1.18
- net/bind910/distinfo 1.15
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 10 00:48:41 UTC 2016
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.3pl4 (BIND 9.10.3-P4), security release.
--- 9.10.3-P4 released ---
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
|
|
net/nagios-base: bugfix
net/nagios-plugins: fix packaging issue
Revisions pulled up:
- net/nagios-base/Makefile 1.63
- net/nagios-base/distinfo 1.30
- net/nagios-base/patches/patch-base_checks.c 1.2
- net/nagios-base/patches/patch-base_events.c 1.2
- net/nagios-base/patches/patch-base_logging.c 1.3
- net/nagios-base/patches/patch-base_nerd.c 1.2
- net/nagios-base/patches/patch-cgi_avail.c 1.4
- net/nagios-base/patches/patch-cgi_histogram.c 1.4
- net/nagios-base/patches/patch-cgi_trends.c 1.4
- net/nagios-base/patches/patch-common_downtime.c 1.2
- net/nagios-base/patches/patch-html_Makefile.in 1.4
- net/nagios-base/patches/patch-lib_test-squeue.c 1.2
- net/nagios-base/patches/patch-lib_worker.c 1.2
- net/nagios-plugins/Makefile 1.41
- net/nagios-plugins/distinfo 1.19
- net/nagios-plugins/patches/patch-plugins-root_Makefile.in 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Feb 9 10:12:53 UTC 2016
Modified Files:
pkgsrc/net/nagios-base: Makefile distinfo
pkgsrc/net/nagios-base/patches: patch-base_checks.c patch-base_events.c
patch-base_logging.c patch-base_nerd.c patch-cgi_avail.c
patch-cgi_histogram.c patch-cgi_trends.c patch-common_downtime.c
patch-html_Makefile.in patch-lib_test-squeue.c patch-lib_worker.c
Log Message:
Bug fix for workers busy-waiting for child completion: when read()ing a
non-bloking descriptor after a poll(), don't loop forever on EAGAIN
as poll() may return POLLIN for a descriptor which doesn't have data
to be read. Bump PKGREVISION.
While there add user-destdir support.
---
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Feb 9 10:13:17 UTC 2016
Modified Files:
pkgsrc/net/nagios-plugins: Makefile distinfo
Added Files:
pkgsrc/net/nagios-plugins/patches: patch-plugins-root_Makefile.in
Log Message:
Add user-destdir support
|
|
net/nagios-base: build fix
Revisions pulled up:
- net/nagios-base/Makefile 1.62
- net/nagios-base/distinfo 1.28-1.29
- net/nagios-base/patches/patch-base_checks.c 1.1
- net/nagios-base/patches/patch-base_events.c 1.1
- net/nagios-base/patches/patch-base_logging.c 1.1-1.2
- net/nagios-base/patches/patch-base_nerd.c 1.1
- net/nagios-base/patches/patch-cgi_avail.c 1.3
- net/nagios-base/patches/patch-cgi_cmd.c 1.5
- net/nagios-base/patches/patch-cgi_histogram.c 1.3
- net/nagios-base/patches/patch-cgi_trends.c 1.3
- net/nagios-base/patches/patch-common_downtime.c 1.1
- net/nagios-base/patches/patch-lib_test-squeue.c 1.1
- net/nagios-base/patches/patch-lib_worker.c 1.1
- net/nagios-base/patches/patch-xdata_xrddefault.c 1.2
- net/nagios-base/patches/patch-xdata_xsddefault.c 1.2
---
Module Name: pkgsrc
Committed By: bouyer
Date: Sun Feb 7 12:41:11 UTC 2016
Modified Files:
pkgsrc/net/nagios-base: Makefile distinfo
Added Files:
pkgsrc/net/nagios-base/patches: patch-base_logging.c
Log Message:
Workaround for 64bit time_t bug on i386, causing logs to be filled with
"(null)" instead of the message.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: bouyer
Date: Sun Feb 7 21:52:06 UTC 2016
Modified Files:
pkgsrc/net/nagios-base: distinfo
pkgsrc/net/nagios-base/patches: patch-base_logging.c patch-cgi_cmd.c
patch-xdata_xrddefault.c patch-xdata_xsddefault.c
Added Files:
pkgsrc/net/nagios-base/patches: patch-base_checks.c patch-base_events.c
patch-base_nerd.c patch-cgi_avail.c patch-cgi_histogram.c
patch-cgi_trends.c patch-common_downtime.c patch-lib_test-squeue.c
patch-lib_worker.c
Log Message:
more 64bit time_t fixes. Now compiles without -Wformat warnings.
Ride previous PKGREVISION bump
|
|
net/bind99: security fix
Revisions pulled up:
- net/bind99/Makefile 1.51
- net/bind99/distinfo 1.36
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jan 20 02:17:12 UTC 2016
Modified Files:
pkgsrc/net/bind99: Makefile distinfo
Log Message:
Update bind99 to 9.9.8pl3 (BIND 9.9.8-P3).
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
|
|
net/bind910: security fix
Revisions pulled up:
- net/bind910/Makefile 1.15
- net/bind910/distinfo 1.14
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jan 20 02:15:58 UTC 2016
Modified Files:
pkgsrc/net/bind910: Makefile distinfo
Log Message:
Update bind910 to 9.10.3pl3 (BIND 9.10.3-P3).
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
#41397]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None.
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
|
|
net/ntp4: security fix
Revisions pulled up:
- net/ntp4/Makefile 1.90
- net/ntp4/distinfo 1.25
- net/ntp4/patches/patch-ntpd-ntpd.c deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 9 15:49:27 UTC 2016
Modified Files:
pkgsrc/net/ntp4: Makefile distinfo
Removed Files:
pkgsrc/net/ntp4/patches: patch-ntpd-ntpd.c
Log Message:
Update ntp4 to 4.2.8p5.
NTP 4.2.8p5
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:
* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.
Mitigation:
Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.
NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.
If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best
defenses include:
Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.
Other fixes:
* Coverity submission process updated from Coverity 5 to Coverity 7.
The NTP codebase has been undergoing regular Coverity scans on an
ongoing basis since 2006. As part of our recent upgrade from
Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
- fixed data race conditions in threaded DNS worker. perlinger@ntp.org
- limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
- accept key file only if there are no parsing errors
- fixed size_t/u_int format clash
- fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
- fixed several other warnings (cast-alignment, missing const, missing prototypes)
- promote use of 'size_t' for values that express a size
- use ptr-to-const for read-only arguments
- make sure SOCKET values are not truncated (win32-specific)
- format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
- fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
|
|
net/samba4: security fix
Revisions pulled up:
- net/samba4/Makefile 1.14
- net/samba4/distinfo 1.7
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Dec 29 23:58:32 UTC 2015
Modified Files:
pkgsrc/net/samba4: Makefile distinfo
Log Message:
Update samba4 to 4.3.3.
=============================
Release Notes for Samba 4.3.3
December 16, 2015
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-3223 (Denial of service in Samba Active Directory
server)
o CVE-2015-5252 (Insufficient symlink verification in smbd)
o CVE-2015-5299 (Missing access control check in shadow copy
code)
o CVE-2015-5296 (Samba client requesting encryption vulnerable
to downgrade attack)
o CVE-2015-8467 (Denial of service attack against Windows
Active Directory server)
o CVE-2015-5330 (Remote memory read in Samba LDAP server)
Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24. This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.
=======
Details
=======
o CVE-2015-3223:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a denial of service attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to become unresponsive, preventing the server
from servicing any other requests.
This flaw is not exploitable beyond causing the code to loop expending
CPU resources.
o CVE-2015-5252:
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).
o CVE-2015-5299:
All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.
This was not being checked in the affected versions of Samba.
o CVE-2015-5296:
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.
Without this a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted
connection.
o CVE-2015-8467:
Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.
Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.
o CVE-2015-5330:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.
This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.
The memory may either be returned to the client in an error string, or
stored in the database by a suitabily privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable.
Changes since 4.3.2:
--------------------
o Andrew Bartlett <abartlet@samba.org>
* BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
userAccountControl.
o Jeremy Allison <jra@samba.org>
* BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
* BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
access outside the share).
* BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
snapdir.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
o Stefan Metzmacher <metze@samba.org>
* BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
smb encryption on the client side.
|
|
Changelog:
elease 2.1.0 December 3rd 2015
GUI: Added a separate view for not synced items, ignores, errors
GUI: Improved upload/download progress UI (#3403, #3569)
Allowed sharing with ownCloud internal users and groups from Desktop
Changed files starting in .* to be considered hidden on all platforms (#4023)
Reflect read-only permissions in filesystem (#3244)
Blacklist: Clear on successful chunk upload (#3934)
Improved reconnecting after network change/disconnect (#4167 #3969 ...)
Improved performance in Windows file system discovery
Removed libneon-based propagator. As a consequence, The client can no longer provide bandwith limiting on Linux-distributions where it is using Qt < 5.4
Performance improvements in the logging functions
Ensured that local disk space problems are handled gracefully (#2939)
Improved handling of checksums: transport validation, db (#3735)
For *eml-files don't reupload if size and checksum are unchanged (#3235)
Ensured 403 reply code is handled properly (File Firewall) (#3490)
Reduced number of PROPFIND requests to server(#3964)
GUI: Added Account toolbox widget to keep account actions (#4139)
Tray Menu: Added fixes for Recent Activity menu (#4093, #3969)
FolderMan: Fixed infinite wait on pause (#4093)
Renamed env variables to include unit (#2939)
FolderStatusModel: Attempt to detect removed undecided files (#3612)
SyncEngine: Don't whipe the white list if the sync was aborted (#4018)
Quota: Handle special negative value for the quota (#3940)
State app name in update notification (#4020)
PropagateUpload: Fixed double-emission of finished (#3844)
GUI: Ensured folder names which are excluded from sync can be clicked
Shell Integration: Dolphin support, requires KF 5.16 and KDE Application 15.12
FolderStatusModel: Ensured reset also if a folder was renamed (#4011)
GUI: Fixed accessiblity of remaing items in full settings toolbar (#3795)
Introduced the term "folder sync connection" in more places (#3757)
AccountSettings: Don't disable pause when offline (#4010)
Fixed handling of hidden files (#3980)
Handle download errors while resuming as soft errors (#4000)
SocketAPI: Ensured that the command isn't trimmed (#3297)
Shutdown socket API before removing the db (#3824)
GUI: Made "Keep" default in the delete-all dialog (#3824)
owncloudcmd: Introduced return code 0 for --version and --help
owncloudcmd: Added --max-sync-retries (#4037)
owncloudcmd: Don't do a check that file are older than 2s (#4160)
Fixed getting size for selective sync (#3986)
Re-added close button in the settings window (#3713)
Added abililty to handle storage limitations gracefully (#3736)
Updated 3rdparty dependencies: sqlite version 3.9.1
Organized patches to our base Qt version into admin/qt/patches
Plus: A lot of unmentioned improvements and fixes
|
|
LongLong for the intermediate and let the compiler figure out how to
cast to it from long.
|
|
32bit vs 64bit differences between the BSDs.
|
|
distfile patch) owing to volume.
PKGREVISION -> 1 as it might have built before on old OSes running on
32-bit (only) platforms. Maybe.
|
|
isn't 64 bits. Required to build omniNotify, which has C++ overloading
code that reasonably assumes that "long" and "LONGLONG" aren't the
same type.
|
|
to try to support passing a format and va_list pair as the data for a
custom printf format in its own private printf clone.
The offending code was unused and removed upstream in 2004, but the
initial import of our package in 2005 included, without explanation, a
patch reverting this. So the code has still been there, and (being
illegal) it has now stopped compiling with clang.
Delete the offending patch section. (And while here, add comments for
the rest of this patch.)
|
|
|
|
Changelog:
NEWS for rsync 3.1.2 (21 Dec 2015)
Protocol: 31 (unchanged)
Changes since 3.1.1:
SECURITY FIXES:
- Make sure that all transferred files use only path names from inside the
transfer. This makes it impossible for a malicious sender to try to make
the receiver use an unsafe destination path for a transferred file, such
as a just-sent symlink.
BUG FIXES:
- Change the checksum seed order in the per-block checksums. This prevents
someone from trying to create checksum blocks that match in sum but not
content.
- Fixed a with the per-dir filter files (using -FF) that could trigger an
assert failure.
- Only skip set_modtime() on a transferred file if the time is exactly
right.
- Don't create an empty backup dir for a transferred file that doesn't
exist yet.
- Fixed a bug where --link-dest and --xattrs could cause rsync to exit if
a filename had a matching dir of the same name in the alt-dest area.
- Allow more than 32 group IDs per user in the daemon's gid=LIST config.
- Fix the logging of %b & %c via --log-file (daemon logging was already
correct, as was --out-format='%b/%c').
- Fix erroneous acceptance of --info=5 & --debug=5 (an empty flag name is
not valid).
ENHANCEMENTS:
- Added "(DRY RUN)" info to the --debug=exit output line.
- Use usleep() for our msleep() function if it is available.
- Added a few extra long-option names to rrsync script, which will make
BackupPC happier.
- Made configure choose to use linux xattrs on netbsd (rather than not
supporting xattrs).
- Added -wo (write-only) option to rrsync support script.
- Misc. manpage tweaks.
DEVELOPER RELATED:
- Fixed a bug with the Makefile's use of INSTALL_STRIP.
- Improve a test in the suite that could get an erroneous timestamp error.
- Tweaks for newer versions of git in the packaging tools.
- Improved the m4 generation rules and some autoconf idioms.
|
|
* mikutter's faked appearance crashed
|
|
Bump PKGREVISION
|
|
Update during the freeze approved by jperkin@
(while strictly speaking net/youtube-dl is a leaf package there are various
possible consumers, e.g. multimedia/mpv)
Changes:
2015.12.18:
o Misc bugfixes and improvements (most user visible change is the fixes
for #7900 and #7901 that fixes extraction of various youtube videos)
2015.12.13
o New [funimation] extractor
o Misc bugfixes and improvements
2015.12.10:
o Misc bugfixes and improvements
|
|
|
|
* no response on clicking mouse over icons on some environments
* fix a spello method
|
|
Ok joerg@
|
|
|
|
this value to 1024 to accommodate larger deployments until we get a proper
tunable.
|
|
--- 9.9.8-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
--- 9.9.8-P1 (withdrawn) ---
|
|
--- 9.10.3-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
--- 9.10.3-P1 (withdrawn) ---
|
|
Changes in version 0.2.7.6 - 2015-12-10
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
well as a minor bug in hidden service reliability.
o Major bugfixes (guard selection):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Minor features (geoip):
- Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- When checking for net/pfvar.h, include netinet/in.h if possible.
This fixes transparent proxy detection on OpenBSD. Fixes bug
17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
o Minor bugfixes (correctness):
- When displaying an IPv6 exit policy, include the mask bits
correctly even when the number is greater than 31. Fixes bug
16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
- The wrong list was used when looking up expired intro points in a
rend service object, causing what we think could be reachability
issues for hidden services, and triggering a BUG log. Fixes bug
16702; bugfix on 0.2.7.2-alpha.
- Fix undefined behavior in the tor_cert_checksig function. Fixes
bug 17722; bugfix on 0.2.7.2-alpha.
|
|
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
* EDNS COOKIE options content is now displayed as "COOKIE:
<hexvalue>".
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
|
|
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
in DNS requests.
* dig +[no]ednsnegotiation can now be used enable / disable EDNS
version negotiation.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code
point (10) and is displayed as "COOKIE: <value>". The existing
named.conf directives; "request-sit", "sit-secret" and
"nosit-udp-size", are still valid and will be replaced by
"send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
9.11. The existing dig directive "+sit" is still valid and will be
replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being
truncated, dig will now correctly send the COOKIE value returned by
the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could
be treated as if they did; consequently, setting
qname-wait-recurse no; was sometimes ineffective. This has
been corrected. In most configurations, behavioral changes due
to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves,
if a policy zone updated during regular operation (rather than
at startup) using a full zone reload, such as via AXFR, a bug
could allow the RPZ summary data to fall out of sync,
potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via
IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was already in
progress. [RT #39649]
+ Query names could match against the wrong policy zone if
wildcard records were present. [RT #40357]
|
|
=== 1.0.11 2015-10-19
* bugfix search #65
=== 1.0.10 2015-10-18
* support a timezone #66
* thank you for contributing @kaihar4
|
|
0.11.0 10/29/15
===============
Respect NETRC environment variable
Fix for JRuby PernGen Space
|
|
While here, comment a patch.
Changes since 4.3.1:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
o Jeremy Allison <jra@samba.org>
* BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an
attribute type of zero.
* BUG 11565: auth: gensec: Fix a memory leak.
* BUG 11566: lib: util: Make non-critical message a warning.
* BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2
create containing them.
* BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files
below an open directory handle.
o Ralph Boehme <slow@samba.org>
* BUG 11562: s4:lib/messaging: Use correct path for names.tdb.
* BUG 11564: async_req: Fix non-blocking connect().
o Volker Lendecke <vl@samba.org>
* BUG 11243: vfs_gpfs: Re-enable share modes.
* BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
* BUG 11612: winbind: Fix crash on invalid idmap configs.
o YvanM <yvan.masson@openmailbox.org>
* BUG 11584: manpage: Correct small typo error.
o Stefan Metzmacher <metze@samba.org>
* BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus.
* BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE()
clearer.
o Marc Muehlfeld <mmuehlfeld@samba.org>
* BUG 9912: Changing log level of two entries to DBG_NOTICE.
* BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch().
o Noel Power <noel.power@suse.com>
* BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
* BUG 11597: Backport some valgrind fixes from upstream master.
o Andreas Schneider <asn@samba.org
* BUG 11563: Fix segfault of 'net ads (join|leave) -S INVALID' with
nss_wins.
o Tom Schulz <schulz@adi.com>
* BUG 11511: Add libreplace dependency to texpect, fixes a linking error on
Solaris.
* BUG 11512: s4: Fix linking of 'smbtorture' on Solaris.
o Uri Simchoni <uri@samba.org>
* BUG 11608: auth: Consistent handling of well-known alias as primary gid.
Changes since 4.3.0:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable"
to match Windows.
* BUG 10634: smbd: Fix file name buflen and padding in notify repsonse.
* BUG 11486: s3: smbd: Fix mkdir race condition.
* BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share
directory.
* BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw'
* stream fix (bug #11522).
* BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
component) names is incorrect.
o Ralph Boehme <slow@samba.org>
* BUG 11535: s3: smbd: Fix a crash in unix_convert().
* BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
* BUG 11549: s3:locking: Initialize lease pointer in
share_mode_traverse_fn().
* BUG 11550: s3:smbstatus: Add stream name to share_entry_forall().
* BUG 11555: s3:lib: Validate domain name in lookup_wellknown_name().
o Günther Deschner <gd@samba.org>
* BUG 11038: kerberos: Make sure we only use prompter type when available.
o Volker Lendecke <vl@samba.org>
* BUG 11038: winbind: Fix 100% loop.
* BUG 11053: source3/lib/msghdr.c: Fix compiling error on Solaris.
o Stefan Metzmacher <metze@samba.org>
* BUG 11316: s3:ctdbd_conn: make sure we destroy tevent_fd before closing
the socket.
* BUG 11515: s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging
related subdirs.
* BUG 11526: lib/param: Fix hiding of FLAG_SYNONYM values.
o Björn Jacke <bj@sernet.de>
* BUG 10365: nss_winbind: Fix hang on Solaris on big groups.
* BUG 11355: build: Use as-needed linker flag also on OpenBSD.
o Har Gagan Sahai <SHarGagan@novell.com>
* BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled.
o Andreas Schneider <asn@samba.org>
* BUG 11502: pam_winbind: Fix a segfault if initialization fails.
o Uri Simchoni <uri@samba.org>
* BUG 11528: net: Fix a crash with 'net ads keytab create'.
* BUG 11547: vfs_commit: set the fd on open before calling SMB_VFS_FSTAT.
|
|
* Changes in Wget 1.17.1
* Fix compile error when IPv6 is disabled or SSL is not present.
* Fix HSTS memory leak.
* Fix progress output in non-C locales.
* Fix SIGSEGV when -N and --content-disposition are used together.
* Add --check-certificate=quiet to tell wget to not print any warning about
invalid certificates.
|
|
|
|
|
|
Bitmessage is a P2P communications protocol used to send encrypted messages to
another person or to many subscribers. It is decentralized and trustless,
meaning that you need-not inherently trust any entities like root certificate
authorities. It uses strong authentication, which means that the sender of a
message cannot be spoofed, and it aims to hide "non-content" data, like the
sender and receiver of messages, from passive eavesdroppers like those running
warrantless wiretapping programs.
|
|
==============
Bugfixes:
---------
- Out-of-bound read in packet parser for malformed NAPTR records (LibFuzzer)
|
|
=========
FEATURES:
- support configure --with-dbfile="" for nodb mode by default, where
there is no binary database, but nsd reads and writes zonefiles.
- reuseport: no is the default, because the feature is not troublefree.
- configure --enable-ratelimit-default-is-off with --enable-ratelimit
to set the default ratelimit to disabled but available in nsd.conf.
- version: "string" option to set chaos version query reply string.
BUG FIXES:
- Fix zones updates from nsd parent event loop when there are a lot
of interfaces.
- portability fixes.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new
defaults in the ssl libraries.
- updated contrib/nsd.spec, with new configure options.
- Allocate less memory for TSIG digest.
- Fix #721: Fix wrong error code (FORMERR) returned for unknown
opcode. NOTIMP expected.
- Fix zonec ttl mismatch printout to include more information.
- Fix TCP responses when REUSEPORT is in use by turning it off.
- Document default in manpage for rrl-slip, ip4 and 6 prefixlength.
- Explain rrl-slip better in documentation.
- Document that ratelimit qps and slip are updated in reconfig.
- Fix up defaults in manpage.
|
|
=============
Features:
- Fix #594. libunbound: optionally use libnettle for crypto.
Added --with-nettle for use with --with-libunbound-only.
- Implemented qname minimisation
Bug Fixes:
- Fix #712: unbound-anchor appears to not fsync root.key.
- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.
- portability, replace snprintf if return value broken
- portability fixes.
- detect libexpat without xml_StopParser function.
- isblank() compat implementation.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- Fix #716: nodata proof with empty non-terminals and wildcards.
- Fix #718: Fix unbound-control-setup with support for env
without HEREDOC bash support.
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
- Change example.conf: ftp.internic.net to https://www.internic.net
- Fix for lenient accept of reverse order DNAME and CNAME.
- spelling fixes from Igor Sobrado Delgado.
- Fix that malformed EDNS query gets a response without malformed EDNS.
- Added assert on rrset cache correctness.
- Fix #720: add windows scripts to zip bundle,
and fix unbound-control-setup windows batch file.
- Fix for #724: conf syntax to read files from run dir (on Windows).
And fix PCA prompt for unbound-service-install.exe.
And add Changelog to windows binary dist.
- .gitignore for git users.
- iana portlist update.
- Removed unneeded whitespace from example.conf.
- Do not minimise forwarded requests.
|
|
=== Net::LDAP 0.12.1
* Whitespace formatting cleanup
{#236}[https://github.com/ruby-ldap/ruby-net-ldap/pull/236]
* Set operation result if LDAP server is not accessible
{#232}[https://github.com/ruby-ldap/ruby-net-ldap/pull/232]
=== Net::LDAP 0.12.0
* DRY up connection handling logic
{#224}[https://github.com/ruby-ldap/ruby-net-ldap/pull/224]
* Define auth adapters
{#226}[https://github.com/ruby-ldap/ruby-net-ldap/pull/226]
* add slash to attribute value filter
{#225}[https://github.com/ruby-ldap/ruby-net-ldap/pull/225]
* Add the ability to provide a list of hosts for a connection
{#223}[https://github.com/ruby-ldap/ruby-net-ldap/pull/223]
* Specify the port of LDAP server by giving INTEGRATION_PORT
{#221}[https://github.com/ruby-ldap/ruby-net-ldap/pull/221]
* Correctly set BerIdentifiedString values to UTF-8
{#212}[https://github.com/ruby-ldap/ruby-net-ldap/pull/212]
* Raise Net::LDAP::ConnectionRefusedError when new connection is
refused. {#213}[https://github.com/ruby-ldap/ruby-net-ldap/pull/213]
* obscure auth password upon #inspect, added test, closes #216
{#217}[https://github.com/ruby-ldap/ruby-net-ldap/pull/217]
* Fixing incorrect error class name
{#207}[https://github.com/ruby-ldap/ruby-net-ldap/pull/207]
* Travis update {#205}[https://github.com/ruby-ldap/ruby-net-ldap/pull/205]
* Remove obsolete rbx-19mode from Travis
{#204}[https://github.com/ruby-ldap/ruby-net-ldap/pull/204]
* mv "sudo" from script/install-openldap to .travis.yml
{#199}[https://github.com/ruby-ldap/ruby-net-ldap/pull/199]
* Remove meaningless shebang
{#200}[https://github.com/ruby-ldap/ruby-net-ldap/pull/200]
* Fix Travis CI build
{#202}[https://github.com/ruby-ldap/ruby-net-ldap/pull/202]
* README.rdoc: fix travis link
{#195}[https://github.com/ruby-ldap/ruby-net-ldap/pull/195]
|
|
0.5.25
* Change the TLD with only 1 rule from .cy to .bd.
* Update the eTLD database to 2015-09-29T17:22:03Z.
* Update the eTLD database to 2015-04-29T23:56:05Z.
* Alter licenses into a machine readable set of license names.
* Restrict i18n < 0.7.0 on ruby 1.8.
|
|
pkgsrc change: license to apache-2.0.
## v1.59.0
* Add LICENSE file
* Add Cache max_size (gihub issue 64)
* Disable caching for SOA lookups in demo check_soa.rb
* Fix for invalid nameserver in config
* Fix encoding for OPT data (thanks Craig Despeaux)
* Various test system fixes
* OPT fixes
* DNSSEC verification failure handling wrt lack of DS chain
* DNSSEC validation policy name constants
* Fix for BOGUS DLV chains
* demo upgrades
* Resolver hints improvements
|
|
# Addressable 2.4.0
- support for 1.8.x dropped
- double quotes in a host now raises an error
- newlines in host will no longer get unescaped during normalization
- stricter handling of bogus scheme values
- stricter handling of encoded port values
- calling `require 'addressable'` will now load both the URI and Template files
- assigning to the `hostname` component with an `IPAddr` object is now supported
- assigning to the `origin` component is now supported
- fixed minor bug where an exception would be thrown for a missing ACE suffix
- better partial expansion of URI templates
|
|
|
|
AMQP-compliant peer or broker such as QPid, OpenAMQ, or RabbitMQ
using Twisted.
|
|
Mention upstream bug reports filed for them.
Addresses PR 50521 by Uwe Toenjes.
While here, add reload command to rc.d script and bump PKGREVISION.
|
|
|
|
|
|
* fix 403 forbidden
* Add support for referer protected videos wuth explicit SMIL
* Smuggle referer
* Clarify verbose log requirements
* Add another theplatform pattern
* Fix extraction
* Extend _VALID_URL
* Add another coveplayer pattern
* Add support for all member stations
|
|
**** 1.04 December 8, 2015
Fix rt.cpan.org #109183
Semantics of "retry" and "retrans" options has changed with 1.03
Fix rt.cpan.org #109152
Deprecated method make_query_packet breaks calling code
Fix rt.cpan.org #109135
Resolver behaves differently with long and short IPv6 address format
Fix rt.cpan.org #108745
Net::DNS::Resolver bgsend
|
