| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
sudo: security update
Revisions pulled up:
- security/sudo/Makefile 1.114
- security/sudo/PLIST 1.3
- security/sudo/distinfo 1.57
- security/sudo/options.mk 1.16
- security/sudo/patches/patch-aa 1.20
- security/sudo/patches/patch-af 1.21
- security/sudo/patches/patch-ag 1.13
- security/sudo/patches/patch-ai delete
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 5 13:48:12 UTC 2009
Modified Files:
pkgsrc/security/sudo: Makefile PLIST distinfo options.mk
pkgsrc/security/sudo/patches: patch-aa patch-af patch-ag
Removed Files:
pkgsrc/security/sudo/patches: patch-ai
Log Message:
Update security/sudo package to 1.7.0.
* pkgsrc change: relax restriction to kerberos package.
What's new in Sudo 1.7.0?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
o applicable Defaults options are now listed
o a command argument can be specified for testing whether a user
may run a specific command.
o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files", even
when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
with the -i flag, the contents of /etc/environment are used to
populate the new environment that is passed to the command being
run.
* If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
* A new Defaults option, "env_file" that refers to a file containing
environment variables to be set in the command being run.
* A new flag, -n, may be used to indicate that sudo should not
prompt the user for a password and, instead, exit with an error
if authentication is required.
* If sudo needs to prompt for a password and it is unable to disable
echo (and no askpass program is defined), it will refuse to run
unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
would exit sudo. In sudo 1.7.0 and beyond, this is treated as
an empty password. To exit sudo, the user must press ^C or ^D
at the prompt.
* visudo will now check the sudoers file owner and mode in -c (check)
mode when the -s (strict) flag is specified.
|
|
openssl: security update
Revisions pulled up:
- security/openssl/Makefile 1.137
- security/openssl/PLIST.common 1.14
- security/openssl/distinfo 1.65
- security/openssl/patches/patch-af 1.22
- security/openssl/patches/patch-am 1.6
---
Module Name: pkgsrc
Committed By: tnn
Date: Thu Jan 8 16:38:22 UTC 2009
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo
pkgsrc/security/openssl/patches: patch-af patch-am
Log Message:
Update to openssl-0.9.8j. Fixes CVE-2008-5077.
|
|
amavisd-new-2.6.2 release notes
MAIN NEW FEATURES SUMMARY
- bounce killer: improved detection of nonstandard bounces;
- bounces to be killed no longer waste SpamAssassin time;
- tool to convert dkim-filter keysfile into amavisd configuration;
- compatibility with SpamAssassin 3.3 (CVS head) regained;
- rewritten and expanded documentation section on DKIM signing and
verification in amavisd-new-docs.html;
COMPATIBILITY WITH 2.6.1
- apart from small differences in logging and notifications, the
version 2.6.2 is compatible with 2.6.1, with its configuration file
and its environment;
- virus scanner entries were updated (as described below, most notably by
adding a regexp flag m), so be sure to update existing configuration file;
updated virus scanner entries can be used with 2.6.1 too;
- the %sql_clause default has changed in detail (see below), if its value
is overridden in a configuration file the setting may need updating;
See full release notes:
http://www.ijs.si/software/amavisd/release-notes.txt
|
|
|
|
|
|
|
|
Fix PolicyKit build on OSX.
|
|
Correct settings for file ownership (*OWN, *GRP in patch-aa and patch-ao).
Added missing installation directories in patch-aa.
Sorted PLIST to placate pkglint.
Adapted filename in patch-an to the way mkpatches generates nowadays.
|
|
|
|
Fixes PR#39223.
THIS IS A FUCKING HACK (nichts für die Goldwaage..)
Don't read the man-pages/*.pm's (they are dummy), check t/*
and fix OpenSSL.xs
Don't forget to try -
print OpenSSL::CRL::new_from_file("crl.pem")->info
- it's the only CRL stuff that's supported :)
OpenSSL::HMAC is dummy.
OpenSSL::BN is untested.
|
|
* gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
* gnutls: Fix memory leak in PSK authentication.
* certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.
* gnutls-cli: Return non-zero exit code on error conditions.
* gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
|
|
Should fix PR#40189.
Upstream changes:
2008-11-14 Gisle Aas <gisle@ActiveState.com>
Release 2.38
The 2.37 tarball was infected by various '._*' files.
Thank you, Mac OS X!
Applied warning fix from Geoff Richards [RT#19643]
Applied compatiblity fix from Alexandr Ciornii [RT#30348]
2008-11-12 Gisle Aas <gisle@ActiveState.com>
Release 2.37
Sync up with consting changes from the perl core.
|
|
Fixes PR#40188, though the dependency bump is not done
(is not reflected in the module's META.yml).
Upstream changes:
v1.18 2008.11.17
- fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
http://rt.cpan.org/Ticket/Display.html?id=40997
thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting
|
|
due to GCC 4), though those aren't mentioned in the upstream change log.
Other changes:
2007-06-09 gettextize <bug-gnu-gettext@gnu.org>
* m4/gettext.m4: New file, from gettext-0.16.1.
* m4/iconv.m4: New file, from gettext-0.16.1.
* m4/lib-ld.m4: New file, from gettext-0.16.1.
* m4/lib-link.m4: New file, from gettext-0.16.1.
* m4/lib-prefix.m4: New file, from gettext-0.16.1.
* m4/nls.m4: New file, from gettext-0.16.1.
* m4/po.m4: New file, from gettext-0.16.1.
* m4/progtest.m4: New file, from gettext-0.16.1.
2003-03-08 17:38 nmav
* Makefile.am:
Honor DESTDIR variable. Patch by Andrew W. Nosenko <awn@bcs.zp.ua>
2003-03-08 17:29 nmav
* src/mcrypt.c, NEWS:
Made the algorithm and mode command line input case insensitive.
2003-03-08 17:08 nmav
* doc/mcrypt.1:
some corrections in the manpage by Michael Mason
<mgm@eskimoman.net>
|
|
avoid that warning, the ints are first cast to size_t, which is more
likely to match the size of a pointer. Unfortunately, the intptr_t and
uintptr_t types are marked optional in C99.
|
|
* skeyprune is perl script, need runtime dependency on perl5.
* Fixes mis-use of config.h (patch-a[d-i]), avoid to use a mixture of
local hash function with system RMD header.
Fixes build failure reported by PR 39872 and PR 39953.
Bump PKGREVISION.
|
|
|
|
|
|
|
|
|
|
lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it.
Solaris requires it be zeroed first... all kerberos programs that
use dns lookup crash. Zeroing before use does not break anything
on any other platforms.
Bump PKGREVISION.
|
|
Change to install into vendor and use packlist.
|
|
|
|
PKGREVISION++
|
|
|
|
forwards them to another (local or remote) TCP port, or UNIX domain socket.
|
|
to hicolor-icon-them. Bump PKGREVISION.
|
|
* DESTDIR support
* Bump PKGREVISION
|
|
|
|
- Add libtasn1-config for compatibility.
Please stop use it as it will disappear in v2.0!
Use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Read PKCS-12 blob as binary file, fixes self-tests under Mingw.
- Fix use of __attribute__ ((deprecated)) to work on non-GCC.
Changes 1.6:
- Fixed namespace violation for MAX_NAME_SIZE and MAX_ERROR_DESCRIPTION_SIZE.
The new names are ASN1_MAX_NAME_SIZE and ASN1_MAX_ERROR_DESCRIPTION_SIZE.
- Fixed namespace violation for libtasn1_perror and libtasn1_strerror.
The new names are asn1_perror and asn1_strerror.
- Fix namespace violation for LIBASN1_VERSION.
The new name is ASN1_VERSION.
- Decoder can now decode BER encoded octet strings.
- doc: Change license on the manual to GFDLv1.3+.
- doc: Sync gdoc script with GnuTLS, changes license on man-pages to GAP.
- doc: Improve gtk-doc manual.
- Assumes system has strdup and string.h.
- Remove libtasn1-config and libtasn1.m4,
use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Change detection of when to use a linker version script,
use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
|
|
the man pages. No PKGREVISION bump because package didn't package.
|
|
|
|
Fix a problem with PK's strndup() implementation assuming all strings
passed to it would be NUL-terminated. This is known to fix crashes with
polkit-gnome-authorization and clock-applet.
|
|
* Fix permissions of suid/sgid binaries
* Bump PKGREVISION
|
|
for root, password authentication for users in group wheel, and deny access
to all others.
|
|
|
|
|
|
|
|
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
This package provides a D-Bus session bus service for bringing up
authentication dialogs used for obtaining privileges.
|
|
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
|
|
against recent openpam headers produce non functioning pam_ldap.so
on NetBSD 4.99.47(?) or more recent systems.
There's something really fishy in the headers...
|
|
|
|
PR 38622 for some time.
|
|
Pkgsrc changes:
o Adapt patch-aa, still needed for non-hanging tests...
Upstream changes:
1.33 2008.10.21
- Fix open() calls (rt.cpan.org #40020)
- Fix non-shell problem (rt.cpan.org #39980)
- Allow full agent forwarding (rt.cpan.org #32190)
- Handle hashed known_hosts files (Greg Sabino Mullane, rt.cpan.org #25175)
1.32 2008.10.16
- Add IO::Handle to Perl.pm (rt.cpan.org #40057, #35985)
- Minor test cleanups.
1.31 2008.10.02
- New co-maintainer, Greg Sabino Mullane (TURNSTEP).
- Prevent t/03-packet.t from hanging due to high file descriptor.
(altblue at n0i.net, rt.cpan.org #6101)
- Skip some tests if Math::GMP not installed (e.g. from choosing only
protocol 2 in Makefile.PL) (Greg Sabino Mullane, reported in
rt.cpan.org #25152)
- If ENV{HOME} is not set, use getpwuid. If both fail and the dir
is needed, we croak. (Greg Sabino Mullane, expanded from patch
by dgehl at inverse.ca in rt.cpan.org #25174)
- Fix incorrect logical/bitwise AND mixup (Peter.Haydon at uk.fujitsu.com,
rt.cpan.org #31490)
- Allow empty stdin for SSH2 (rcp at rcable.co.uk, rt.cpan.org #32730)
- Adjust terminal dimensions dynamically if Term::ReadKey is available
(john at sackheads.org, rt.cpan.org #34874)
|
|
|
|
Authen::PluggableCaptcha is a fully modularized and extensible
system for making Pluggable Catpcha (Completely Automated Public
Turing Test to Tell Computers and Humans Apart) tests.
Pluggable? All Captcha objects are instantiated and interfaced via
the main module, and then manipulated to require various submodules
as plug-ins.
Authen::PluggableCaptcha borrows from the functionality in
Apache::Session::Flex.
|
|
Patch provided by Aleksey Cheusov in PR pkg/39905.
|
|
* Version 2.6.2 (released 2008-11-12)
** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate. Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.
** API and ABI modifications:
No changes since last version.
|
|
Changes since 0.0.14:
* epa-mail-encrypt now skips unusable keys.
* epa-file now uses canonical file names as keys for passphrase cache.
* Fixed a load-error of epa on XEmacs.
* epa-file bug fixes.
* Prepare auto-mode-alist to strip .gpg suffix when choosing major-modes.
* Don't signal an error when opening a nonexistent file via Tramp.
* epa-verify-region now decodes the plaintext with
coding-system-for-read or one saved as epa-coding-system-used.
|
|
|
