path: root/security
Age | Commit message | Author | Files | Lines
2012-01-31 | add HP-UX handling for Configure parameters | sno | 1 | -1/+20
2012-01-26 | Use SET_LIBDIR to get rid of lib64 | sbd | 1 | -1/+2
2012-01-26 | Updated to 0.22 | rhaen | 2 | -7/+6
  Changes:
  0.21 Sat Aug 13, 2011 Mike McCauley
  - Changes to TacacsPlus.pm to permit multiple servers to be specified in new(). Patches provided by Paulo A Ferreira.
  0.22 Wed Jan 18, 2012 Mike McCauley
  - Fixed warning under perl 5.14
2012-01-26 | Use SET_LIBDIR with packages that want to use lib64 | sbd | 1 | -4/+2
2012-01-26 | In the section of configure that decides whether a libdir suffix should be | sbd | 3 | -1/+29
  used, force it to be empty (i.e. no suffix).
2012-01-24 | Recursive dependency bump for databases/gdbm ABI_DEPENDS change. | sbd | 6 | -11/+12
2012-01-23 | OpenDNSSEC 1.3.5 | pettai | 2 | -7/+7
  * Auditor: Include the zone name in the log messages.
  * ldns 1.6.12 is required for bugfixes.
  * ods-ksmutil: Suppress database connection information when no -v flag is given.
  * ods-enforcerd: Stop multiple instances of the enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
  * ods-ksmutil: "zone delete" renames the signconf file, so that if the zone is put back the signer will not pick up the old file.
  * Signer Engine: Verbosity can now be set via conf.xml, default is 3.
  Bugfixes:
  * Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config or -c when starting the signer.
  * Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that becomes opt-out.
  * Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
  * Signer Engine: A file descriptor for sockets with value zero is allowed.
  * Signer Engine: Only log messages about a full signing queue in debug mode.
  * Signer Engine: Fix time issues, make sure that the internal serial does not wander off after a failed audit.
  * Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms with extra long signature expiration dates. More information in separate announcement.
2012-01-23 | SoftHSM 1.3.1 | pettai | 3 | -9/+8
  * The library is now installed in $libdir/softhsm/.
  Bugfixes:
  * Do not give a warning about the schema version if the token has not been initialized yet.
  * The tools now return the correct exit code.
2012-01-22 | Update py-m2crypto from 0.13.1 to 0.21.1. | apb | 8 | -197/+47
  Too many changes to list. The master site has moved too:
  -HOMEPAGE= http://sandbox.rulemaker.net/ngps/m2/
  +HOMEPAGE= http://chandlerproject.org/bin/view/Projects/MeTooCrypto
  -MASTER_SITES= http://sandbox.rulemaker.net/ngps/Dist/
  +MASTER_SITES= http://pypi.python.org/packages/source/M/M2Crypto/
2012-01-20 | remove restrictions related to idea and mdc2 patents - both are expired | drochner | 3 | -20/+3
2012-01-20 | Update php-suhosin package to 0.9.33 to fix security problem. | taca | 2 | -7/+6
  SektionEins GmbH www.sektioneins.de
  -= Security Advisory =-
  Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow
  Release Date: 2012/01/19
  Last Modified: 2012/01/19
  Author: Stefan Esser [stefan.esser[at]sektioneins.de]
  Application: Suhosin Extension <= 0.9.32.1
  Severity: A possible stack buffer overflow in Suhosin extension's transparent cookie encryption that can only be triggered in an uncommon and weakened Suhosin configuration can lead to arbitrary remote code execution, if the FORTIFY_SOURCE compile option was not used when Suhosin was compiled.
  Risk: Medium
  Vendor Status: Suhosin Extension 0.9.33 was released which fixes this vulnerability
  Reference: http://www.suhosin.org/ https://github.com/stefanesser/suhosin
2012-01-19 | Bump API dependency due to eggdbus dependency removed. | reed | 1 | -2/+2
2012-01-19 | Update security/openssl package to 0.9.8t. | taca | 2 | -6/+6
  OpenSSL CHANGES
  Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) [Antonio Martin]
2012-01-18 | Revbump after updating db5 | adam | 1 | -3/+2
2012-01-18 | Revbump after db5 update | adam | 1 | -2/+2
2012-01-17 | Convert packages that add --libdir=* to CONFIGURE_ARGS to use | sbd | 2 | -5/+5
  GNU_CONFIGURE_LIBDIR or GNU_CONFIGURE_LIBSUBDIR.
2012-01-17 | update to 2.12.16 | drochner | 2 | -7/+6
  changes: bugfixes
2012-01-16 | Fix building with Clang; Fix installing on Mac OS X | adam | 4 | -2/+31
2012-01-14 | gsed related clean up. | obache | 2 | -2/+10
  * Stop treating NetBSD's sed as GNU sed; it is not fully compatible.
  * Then there is no need to reset TOOLS_PLATFORM.gsed for NetBSD if USE_TOOLS+=gsed and real GNU sed is required.
  * In addition, convert simple USE_TOOLS+=gsed to conditional, without NetBSD.
  * Convert {BUILD_,}DEPENDS+=gsed to USE_TOOLS; all tools from gsed are real gsed.
2012-01-14 | Convert the remaining few packages that explicitly set DEPENDS or | hans | 1 | -3/+1
  BUILD_DEPENDS on bison to USE_TOOLS=bison. The minimum bison version required in mk/tools/bison.mk is good enough for all of them.
2012-01-13 | Recursive bump from audio/libaudiofile, x11/qt4-libs and x11/qt4-tools ABI bump. | obache | 16 | -32/+32
2012-01-12 | Version 1.10.5 | pettai | 2 | -6/+6
  * Build fixes from Linus Nordberg and Arno Hautala.
  * Update gnulib files.
2012-01-12 | Update p5-Mozilla-CA to 20111025. | hiramatsu | 2 | -6/+6
  Change from previous:
  20111025 - Do not add CA's only trusted for email and/or code signing (RT#70967) (if you need that, please let us know and we can see about putting it in as an option)
2012-01-11 | +racoon2 | drochner | 1 | -1/+2
2012-01-11 | add the latest snapshot of racoon2 (IKEv2 daemon), from John R. Shannon | drochner | 10 | -0/+333
  (just added DESTDIR support)
2012-01-09 | Re-enable PAM support, as it works fine provided one does not mix multiple | manu | 3 | -12/+5
  versions of libcrypto in sshd. This can happen if OpenSSH is linked with pkgsrc's OpenSSL and if using nss_ldap, which pulls base-system OpenSSL through kerberos libraries. One needs to disable the krb5 of nss_ldap in order to fix that.
2012-01-08 | Uses <sys/vnode.h> -- mark BSD-only and HPUX-only. | shattered | 1 | -1/+3
2012-01-08 | Add missing devel/ncurses buildlink. | sbd | 4 | -8/+12
  Bump PKGREVISION
2012-01-06 | Update openssl package to 0.9.8s. | taca | 4 | -67/+6
  OpenSSL CHANGES
  Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
  *) Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> for preparing the fix. (CVE-2011-4108) [Robin Seggelmann, Michael Tuexen]
  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) [Ben Laurie, Kasper <ekasper@google.com>]
  *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)]
  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) [Adam Langley (Google)]
  *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) [Rob Austein <sra@hactrn.net>]
  *) Fix ssl_ciph.c set-up race. [Adam Langley (Google)]
  *) Fix spurious failures in ecdsatest.c. [Emilia Käsper (Google)]
  *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). [Adam Langley (Google)]
  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients. This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). [Emilia Käsper (Google)]
  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. [Adam Langley (Google)]
  *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller]
  *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri]
  Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
  *) Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous. [Steve Henson]
  Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
  *) Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. CVE-2010-4180 [Steve Henson]
  *) Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]
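The first entry in that changelog (CVE-2011-4108) names the Vaudenay padding oracle attack but says nothing about why a padding check alone is enough to decrypt. The C program below is an example added here for illustration; it is not OpenSSL code, not the DTLS fix, and not part of the pkgsrc commit. It uses a toy 8-byte Feistel block cipher constructed for the example (the attack treats the cipher as a black box, so any block cipher would do), PKCS#7 padding in CBC mode, and a simulated server that answers only "padding valid / invalid". In the DTLS case described above that same bit leaked through decryption timing rather than an explicit error, which is the only difference from this direct oracle. The key, IV and message are constructed test values; the key is handed to the attacker-side functions solely so the simulated server can run, and they never read it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8

/* Toy 8-byte Feistel cipher constructed for this example (NOT secure). The attack
 * treats it as a black box; nothing below depends on how it works. */
static uint32_t feistel_f(uint32_t x, uint32_t k) {
    x = (x ^ k) * 0x9E3779B1u;
    return ((x << 13) | (x >> 19)) ^ (x >> 7);
}
static void toy_encrypt_block(const uint32_t key[4], const uint8_t in[BLOCK], uint8_t out[BLOCK]) {
    uint32_t l, r;
    memcpy(&l, in, 4); memcpy(&r, in + 4, 4);
    for (int i = 0; i < 4; i++) { uint32_t t = r; r = l ^ feistel_f(r, key[i]); l = t; }
    memcpy(out, &l, 4); memcpy(out + 4, &r, 4);
}
static void toy_decrypt_block(const uint32_t key[4], const uint8_t in[BLOCK], uint8_t out[BLOCK]) {
    uint32_t l, r;
    memcpy(&l, in, 4); memcpy(&r, in + 4, 4);
    for (int i = 3; i >= 0; i--) { uint32_t t = l; l = r ^ feistel_f(l, key[i]); r = t; }
    memcpy(out, &l, 4); memcpy(out + 4, &r, 4);
}

/* CBC encryption with PKCS#7 padding. out must hold len + BLOCK bytes; returns ciphertext length. */
static size_t cbc_encrypt(const uint32_t key[4], const uint8_t iv[BLOCK], const uint8_t *msg, size_t len, uint8_t *out) {
    uint8_t padlen = (uint8_t)(BLOCK - len % BLOCK);
    size_t total = len + padlen;
    const uint8_t *prev = iv;
    for (size_t off = 0; off < total; off += BLOCK) {
        uint8_t blk[BLOCK];
        for (int i = 0; i < BLOCK; i++)
            blk[i] = (uint8_t)((off + i < len ? msg[off + i] : padlen) ^ prev[i]);
        toy_encrypt_block(key, blk, out + off);
        prev = out + off;
    }
    return total;
}

/* The "server": decrypts one block, undoes the chaining and reports ONLY whether the PKCS#7
 * padding is valid. That bit is the oracle. In the DTLS case the changelog describes, the
 * same bit leaked through decryption timing rather than an explicit error. */
static int padding_oracle(const uint32_t key[4], const uint8_t prev[BLOCK], const uint8_t last[BLOCK]) {
    uint8_t p[BLOCK];
    toy_decrypt_block(key, last, p);
    for (int i = 0; i < BLOCK; i++) p[i] ^= prev[i];
    uint8_t pad = p[BLOCK - 1];
    if (pad < 1 || pad > BLOCK) return 0;
    for (int i = BLOCK - pad; i < BLOCK; i++) if (p[i] != pad) return 0;
    return 1;
}

/* Attacker side: recover one plaintext block with at most 256 oracle queries per byte. 'key' is
 * passed through only so the simulated server can run; the attacker never reads it. */
static int recover_block(const uint32_t key[4], const uint8_t prev[BLOCK], const uint8_t target[BLOCK], uint8_t plain[BLOCK]) {
    uint8_t inter[BLOCK] = {0}, forged[BLOCK];            /* inter = D_k(target), learned byte by byte */
    for (int pad = 1; pad <= BLOCK; pad++) {
        int i = BLOCK - pad, found = -1;
        for (int g = 0; g < 256 && found < 0; g++) {
            memset(forged, 0, BLOCK);
            for (int j = i + 1; j < BLOCK; j++) forged[j] = (uint8_t)(inter[j] ^ pad); /* known bytes -> 'pad' */
            forged[i] = (uint8_t)g;                        /* guess for byte i */
            if (!padding_oracle(key, forged, target)) continue;
            if (pad == 1) {                                /* rule out a false hit such as ...02 02 */
                forged[i - 1] ^= 0xFF;
                if (!padding_oracle(key, forged, target)) continue;
            }
            found = g;
        }
        if (found < 0) return 0;
        inter[i] = (uint8_t)(found ^ pad);
        plain[i] = (uint8_t)(inter[i] ^ prev[i]);          /* undo the real CBC chaining */
    }
    return 1;
}

/* Constructed sample: fixed key/IV and a 14-byte message. Returns 1 when every byte, including
 * the two 0x02 padding bytes, is recovered without the attacker ever decrypting. */
static int attack_demo(void) {
    static const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
    static const uint8_t iv[BLOCK] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t msg[] = "attack at dawn";                /* 14 bytes -> 2 blocks */
    uint8_t ct[sizeof msg + BLOCK], plain[sizeof msg + BLOCK];
    size_t n = cbc_encrypt(key, iv, msg, sizeof msg - 1, ct);
    const uint8_t *prev = iv;                                     /* the IV chains the first block */
    for (size_t off = 0; off < n; off += BLOCK) {
        if (!recover_block(key, prev, ct + off, plain + off)) return 0;
        prev = ct + off;
    }
    return n == 16 && memcmp(plain, "attack at dawn\x02\x02", 16) == 0;
}

int main(void) {
    printf("padding oracle attack %s\n", attack_demo() ? "recovered the plaintext" : "failed");
    return 0;
}
```

The defensive lesson is the one the later entries in the same changelog apply: a decryptor must not let the outcome of the padding check be observable, neither as a distinct error nor as a difference in processing time, which is why fixes of this class run the MAC computation regardless of whether padding looked right.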
2012-01-02 | Fixes a segfault in gssapi.c, taken from upstream Git repo. | obache | 3 | -2/+29
  PR#45765. Bump PKGREVISION of cy2-gssapi plugin package.
2011-12-30 | Fix for CVE-2011-4862 from FreeBSD | tez | 3 | -3/+23
  When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer.
2011-12-29 | Also point configure to dnssec-signzone | joerg | 1 | -1/+2
2011-12-28 | Drop the sed calls that want to be gsed specific, since they don't | joerg | 3 | -3/+28
  actually seem to change anything (with gsed).
2011-12-28 | Because of adding gsed to USE_TOOLS there's no need for patch-ah or having a | sbd | 3 | -21/+3
  build dependence on gsed. Bump PKGREVISION.
2011-12-26 | If something is patched to use gsed then gsed must be added to USE_TOOLS. | sbd | 1 | -2/+2
2011-12-25 | Include devel/ncurses/buildlink3.mk not mk/curses.buildlink3.mk. | sbd | 1 | -2/+2
  Note: pinentry may need INCOMPAT_CURSES to be set for some platforms.
2011-12-23 | Fix for CVE-2011-4862 from FreeBSD | tez | 3 | -3/+23
  When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. This is a remote root exploit that is being actively exploited in the wild.
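Both CVE-2011-4862 entries above (2011-12-30 and 2011-12-23) state the bug in one sentence: a key length chosen by the peer is trusted when the key is copied into a fixed-size buffer. The C program below is an example added here to make that concrete; it is not telnetd code, not the FreeBSD patch, and not part of either pkgsrc commit. It parses a minimal TELNET suboption frame (IAC SB <option> <data> IAC SE, with a 0xFF data byte sent as IAC IAC as RFC 854 requires), puts the unchecked copy next to a checked one, and feeds the checked path a key that is longer than the buffer. The 64-byte key buffer, the 256-byte receive limit, the omission of the ENCRYPT subcommand byte from the frame, and all test frames are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IAC = 255, SB = 250, SE = 240 };   /* TELNET command bytes (RFC 854) */
#define OPT_ENCRYPT 38                     /* TELNET ENCRYPT option number */
#define KEY_BUF 64                         /* fixed-size key buffer; the size is assumed for this example */

/* Pull the data bytes out of one suboption frame IAC SB <opt> <data...> IAC SE, undoing the
 * IAC IAC escape that RFC 854 requires for a 0xFF data byte. Returns the data length, or -1
 * if the frame is malformed or the data would not fit in out[cap]. */
static int unescape_suboption(const uint8_t *frame, size_t n, uint8_t *out, size_t cap) {
    if (n < 5 || frame[0] != IAC || frame[1] != SB) return -1;
    size_t len = 0;
    for (size_t i = 3; i < n; i++) {
        if (frame[i] == IAC) {
            if (i + 1 >= n) return -1;
            if (frame[i + 1] == SE) return (int)len;   /* IAC SE terminates the suboption */
            if (frame[i + 1] != IAC) return -1;         /* a command byte where data belongs */
            i++;                                        /* IAC IAC -> a single 0xFF data byte */
        }
        if (len == cap) return -1;                      /* never write past out[] */
        out[len++] = frame[i];
    }
    return -1;                                          /* ran out of input before IAC SE */
}

/* The shape of the bug the commit describes: 'len' came from the peer and is used as-is.
 * With len > KEY_BUF, memcpy writes past 'key' on the stack. Kept only for contrast;
 * it must never see untrusted input. */
static size_t store_key_unchecked(const uint8_t *data, size_t len) {
    uint8_t key[KEY_BUF];
    memcpy(key, data, len);
    return len;
}

/* Hardened form: bound the peer-supplied length by the destination before copying.
 * Returns the number of key bytes stored, or -1 (storing nothing) when it is empty or too long. */
static int store_key_checked(const uint8_t *data, size_t len, uint8_t key[KEY_BUF]) {
    if (len == 0 || len > KEY_BUF) return -1;
    memcpy(key, data, len);
    return (int)len;
}

/* Build a constructed frame whose data is 'keylen' bytes of 0x41 (the key; the ENCRYPT subcommand
 * byte is omitted to keep the framing minimal) and run it through the hardened path.
 * Returns the stored key length, or -1 when the frame or the key length is rejected. */
static int handle_key_frame(size_t keylen) {
    uint8_t frame[256 + 5], data[256], key[KEY_BUF];
    if (keylen > 256) return -1;                        /* receive-buffer limit chosen for the demo */
    size_t n = 0;
    frame[n++] = IAC; frame[n++] = SB; frame[n++] = OPT_ENCRYPT;
    for (size_t i = 0; i < keylen; i++) frame[n++] = 0x41;
    frame[n++] = IAC; frame[n++] = SE;
    int len = unescape_suboption(frame, n, data, sizeof data);
    if (len < 0) return -1;
    return store_key_checked(data, (size_t)len, key);
}

/* Constructed frame with an escaped 0xFF in the data: expects 0x10, 0xFF, 0x20 back. */
static int escape_demo(void) {
    static const uint8_t frame[] = {IAC, SB, OPT_ENCRYPT, 0x10, IAC, IAC, 0x20, IAC, SE};
    uint8_t data[8];
    int len = unescape_suboption(frame, sizeof frame, data, sizeof data);
    return len == 3 && data[0] == 0x10 && data[1] == 0xFF && data[2] == 0x20;
}

int main(void) {
    static const uint8_t small_key[4] = {1, 2, 3, 4};
    printf("unchecked copy of a 4-byte key: %zu bytes\n", store_key_unchecked(small_key, sizeof small_key));
    printf("16-byte key: %d\n", handle_key_frame(16));          /* 16 */
    printf("64-byte key: %d\n", handle_key_frame(KEY_BUF));     /* 64 */
    printf("65-byte key: %d\n", handle_key_frame(KEY_BUF + 1)); /* -1: rejected instead of overflowing */
    printf("IAC IAC unescape: %d\n", escape_demo());            /* 1 */
    return 0;
}
```

Two checks matter here and neither depends on the other: the frame parser bounds what it writes into the receive buffer, and the key store bounds what it copies from that buffer. The commit message describes the second one missing; a parser that enforces only the first would still hand an oversized key to the copy.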
2011-12-22 | Fix build with newer heimdal | joerg | 2 | -1/+14
2011-12-22 | Unprivileged users don't have /usr/sbin in PATH on NetBSD, so deal | joerg | 1 | -1/+5
  with it.
2011-12-21 | Disable probe for gmake; PR 45729 | dholland | 2 | -6/+10
2011-12-21 | Set LICENSE, from Pierre Pronchery in PR 45729. | wiz | 1 | -1/+2
2011-12-21 | Fix PLIST on NetBSD-5.99.58. | wiz | 3 | -7/+6
  Remove line from distinfo for non-existing patch. I guess the non-existing patch might have fixed it up, but as it's not there....
2011-12-18 | Don't use "bool" as a variable name. This package now builds. (at long last) | dholland | 2 | -1/+23
2011-12-18 | Include mk/curses.buildlink3.mk not mk/termcap.buildlink3.mk. | sbd | 1 | -2/+2
2011-12-17 | Add missing mk/curses buildlink. | sbd | 1 | -1/+3
  Bump PKGREVISION
2011-12-17 | Add missing mk/termcap buildlink. | sbd | 1 | -2/+3
  Bump PKGREVISION
2011-12-17 | security/botan: Fix DragonFly | marino | 4 | -2/+32
  1) Update two configuration files to include DragonFly, which results in additional generated files.
  2) Update PLIST.DragonFly (it was wrong in any case)
2011-12-17 | Change default PKGNAME scheme for PECL packages. | obache | 1 | -1/+2
  Drop ${PHP_BASE_VARS} from PKGVERSION by default. It used to be required to support multiple php versions. But after the PHP version based ${PHP_PKG_PREFIX} was introduced, such a trick is not required anymore. In addition, such a version name scheme invokes an unwanted version bump when the base php version is bumped, plus such a version scheme is hard to use for DEPENDS patterns.
  To avoid downgrading packages using such a legacy version scheme, PECL_LEGACY_VERSION_SCHEME is introduced. If it is defined, the current version scheme is still used for currently supported PHP versions (5 and 53), but instead of ${PHP_BASE_VARS}, the current fixed PHP base version in pkgsrc is used to avoid an unwanted version bump from an update of the PHP base package. With newer PHP (54, or so on), the new version scheme will be used if it is defined.
  This trick will not be required and should be removed after php5 and php53 have gone away from pkgsrc.
2011-12-17 | security/qca2-ossl: Support OpenSSL 1.0 | marino | 3 | -7/+262
  DragonFly is on OpenSSL 1.0 and this package wasn't building due to the missing MD5 digest that no longer builds by default on the latest versions of OpenSSL. FreeBSD already ran into this and patched qca-ossl, and this ports their fix to pkgsrc.
2011-12-17 | Add missing mk/termcap buildlink. | sbd | 2 | -8/+6
  Bump PKGREVISION