Age         Commit message  (Author; Files changed, Lines -/+)
2010-10-08  Pullup ticket #3236 - requested by taca  (tron; 2 files, -9/+9)
www/typo3: security update

Revisions pulled up:
- www/typo3/Makefile   patch
- www/typo3/distinfo   patch
---
Update typo3 package to 4.3.7, security fix.

Dear TYPO3 community,

The TYPO3 core team has just released TYPO3 versions 4.2.15, 4.3.7 and 4.4.4,
which are now ready for you to download. All versions are maintenance
releases and contain bugfixes and security fixes.

IMPORTANT: These versions include important security fixes to the TYPO3 core.
A security announcement has just been released:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020
2010-09-25  Pullup ticket #3231 - requested by spz  (tron; 3 files, -31/+31)
apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile  1.7
- www/apache-tomcat6/PLIST     1.4
- www/apache-tomcat6/distinfo  1.4
---
Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Sep 19 14:32:04 UTC 2010

Modified Files:
        pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

Log Message:
Update of apache-tomcat to version 6.0.29 (and a little Makefile cosmetics)
fixes two of the currently known security issues

Upstream changelog:

Tomcat 6.0.29 (jfclere) released 2010-07-22

Catalina
  add  48960: Add a new option to the SSI Servlet and SSI Filter to allow the disabling of the exec command. This is now disabled by default. Based on a patch by Yair Lenga. (markt)
  fix  49551: Allow default context.xml location to be specified using an absolute path. (markt)
  fix  49598: When session is changed and the session cookie is replaced, ensure that the new Set-Cookie header overwrites the old Set-Cookie header. (markt)
  fix  Fix order when listing Webapp loader search URLs. (rjung)
  add  Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)

Tomcat 6.0.28 (jfclere) released 2010-07-09

Catalina
  fix  Arrange filter logic. (jfclere)
  fix  49230: Enhance JRE leak prevention listener with protection for the keep-alive thread started by sun.net.www.http.HttpClient. Patch provided by Rob Kooper. (markt)
  fix  49351: Fix possible NPE when embedding and no name is specified for the Service. (markt)
  fix  49424: Avoid NPE if client provides no data with a chunked POST request. (markt)
  fix  49414: Differentiate between request threads and application created threads when warning about still running threads when an application stops. (markt)
  fix  49443: Use remoteIpHeader rather than remoteIPHeader consistently. (markt)
  add  Add property searchExternalFirst to WebappLoader. If set, the external repositories will be searched before the WEB-INF ones. (rjung)
Cluster
  fix  49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)
Webapps
  fix  49213: Grant permissions required by manager application when running under a security manager. (markt/kkolinko)
  fix  49436: Correct documented default for readonly attribute of the UserDatabase component. (markt)

Tomcat 6.0.27 (jfclere) not released

General
  update  Update DBCP to 1.3. (markt)
Catalina
  fix  Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)
  add  Include context name when reporting memory leaks to aid root cause identification. (markt)
  fix  Improve exception handling on session de-serialization to assist in identifying the root cause of 48007. (kkolinko)
  add  48379: Make session cookie name, domain and path configurable per context. (markt)
  fix  48589: Make JNDIRealm easier to extend. Based on a patch by Candid Dauth. (markt/kkolinko)
  fix  48629: Allow user names as well as DNs to be used with the nested role search. Add roleNested to the documentation. Patch provided by Felix Schumacher. (markt)
  fix  48661: Make error page behavior consistent, regardless of how the error page is defined. If a response has been committed, always include the error page. (markt)
  fix  48729: Return roles defined by both userRoleName and roleName mechanisms. Patch provided by 'eric'. Also make user's role list immutable. (markt)
  fix  48760: Fix potential multi-threading issue in static resource serving where multiple threads could try to use the same InputStream. (markt)
  fix  48790: Fix thread safety issue in the count of the maximum number of active sessions. (markt/kkolinko)
  fix  48793: Make catalina.sh more robust to different return values on different platforms. Patch provided by Thomas GL. (markt)
  fix  48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)
  fix  48895: Make clearing of ThreadLocals that are causing memory leaks on web application stop, reload or undeploy configurable since the process of clearing them is not thread-safe. (markt)
  fix  48903: Fix deadlock in webapp class loader. (rjung)
  fix  48971: Make stopping of leaking Timer threads optional and disabled by default. (markt)
  fix  48976: Document JAVA_ENDORSED_DIRS in start-up scripts. Patch provided by Laurent Vaills. (markt)
  fix  48983: Improve debug logging for situations when RemoteIpValve is bypassed. Patch provided by Cyrille Le Clerc. (markt)
  fix  49018: Fix processing of time argument in the Expire sessions action in the Manager web application. (kkolinko)
  fix  49116: If session is already invalid, expire session to prevent memory leak. (kfujino)
  fix  49158: Ensure only one session cookie is returned for a single request. (markt/fhanik)
  fix  49245: Fix session expiration check in cross-context requests. (markt)
  fix  49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)
  fix  Fix possible overflows when calculating session statistics. (kkolinko)
  add  Log unexpected exceptions when providing access to web application resources in ApplicationContext. (kkolinko)
  fix  Improve exception handling in CatalinaShutdownHook. (kkolinko)
  add  Expose properties of VirtualWebappLoader and WebappClassLoader via JMX. (rjung)
Coyote
  fix  48839: Correctly handle HTTP header folding in the NIO connector. Patch suggested by Richa Baronia. (markt)
  fix  48843: Prevent possible deadlock for worker allocation in connectors. (kkolinko)
  fix  48843: Fix handling of add queues in AprEndpoint.Poller and AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
  add  48862: Add support for the backlog parameter to the AJP connector. (pero/markt)
  fix  48917: Correct name of mod_jk module in ApacheConfig. Patch provided by Todd Hicks. (markt)
  fix  49095: AprEndpoint did not wakeup acceptors during shutdown when deferAccept option was enabled. Based on a patch provided by Ruediger Pluem. (kkolinko)
  add  Use chunked encoding for http 1.1 requests with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)
  fix  Correct the SSL session timeout attribute name so the code agrees with the documentation. (markt)
  add  CoyotePrincipal now implements Serializable. (fhanik)
  fix  Enable the BIO AJP connector to run under a security manager. (markt)
Jasper
  fix  45015: Correct a regression in quote handling caused by the re-factoring of attribute parsing. (markt)
  fix  48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)
  fix  48737: Don't assume paths that start with /META-INF/... are always in JARs. This is not true for some IDEs. Patch provided by Fabrizio Giustina. (markt)
  fix  49081: Correctly handle EL expressions of the form #${...}. (markt)
  fix  49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (markt)
Cluster
  fix  48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)
  fix  48934: Previous fix to handle dropped connections incorrectly permanently disabled session replication. (fhanik)
  fix  49051: memberAlive is not called if member has not already existed in membership. (kfujino)
  fix  49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
  fix  49170: Do not send duplicated session. (kfujino)
  fix  Add missing messages and ensure cluster listeners log messages to correct logger. (markt)
Webapps
  add  Use underscores instead of spaces in anchor names in Tomcat documentation. (kkolinko)
  add  Add support for displaying the Spring Security user name (if present) in the Manager application. (markt)
  update  Improve the ChatServlet Comet example (/examples/jsp/chat/). (kkolinko)
Other
  update  Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)
  update  Update to NSIS 2.46. (kkolinko)
  fix  48990: Fix the skip.installer build property so if set, only the Windows installer is skipped. (markt)
  fix  49178: Provide in catalina.policy an example of additional permissions that might be needed for code located in $CATALINA_BASE/lib. (markt)
  fix  49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
  fix  Remove unused code from org.apache.tomcat.util.buf classes. (kkolinko)
  update  Rearrange tomcat-juli.jar permissions and wrap long lines in the conf/catalina.policy file, to make the text more readable when cited in documentation. (kkolinko)
  fix  Do not evaluate the execute.installer property when building a release. The skip.installer property is used instead. (kkolinko)

Tomcat 6.0.26 (jfclere) released 2010-03-11

Catalina
  fix  Close security hole in unreleased 6.0.25 by ensuring new find leaks functionality is protected by a security constraint. (kkolinko)
  fix  48831: Improve logging shutdown behaviour. Use Catalina's shutdown hook to shutdown JULI. This enables them to be shutdown in the correct order. Do not shutdown global handlers several times. (markt/kkolinko)
Coyote
  fix  48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)
  fix  48660: Using compression should not overwrite any Vary header set by a web application. (markt)
Jasper
  fix  48371: Ensure generated servlet mappings are inserted at the correct location when using JspC and allow the option that controls this to be configured on the command line. Also allow the encoding of web.xml to be configured when using JspC and deprecate some unused JspC methods. (markt/kkolinko)
  fix  48498: Avoid ArrayIndexOutOfBoundsException triggered by a Java 6/7 XML parser bug. (markt/kkolinko)
  fix  48668: Additional fixes to ensure deferred syntax is handled correctly. (kkolinko)
  fix  48827: Correct a regression in the fix for 47977 that caused an incorrect non-empty body error to be reported for valid JSP documents. (markt)
Webapps
  add  Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)
  add  Add support for automated generation of TOC tables and for links to svn revisions to tomcat-docs.xsl in documentation. (kkolinko/fhanik)
  add  Move Manager application JSPs that are not intended to be accessed directly under the WEB-INF directory. (kkolinko)
  fix  Improve the messages displayed by the find leaks diagnostic in the Manager application. (kkolinko)
Other
  fix  Encode all property files using ascii escaped UTF-8. Also fixes deployment problem when using French locale. (jfclere/rjung)

Tomcat 6.0.25 (jfclere) not released

Catalina
  fix  48039: Return immediately if start() is called on an already started StandardService. (markt)
  fix  48109: Ensure InputStream is closed on error condition in web application class loader. (markt)
  fix  48179: Clean up dead code that was used to read tldCache file. (kkolinko)
  fix  48318: Handle case where WebDAV resource is in directory listing but is not accessible. (markt)
  add  48384: Add a per context xslt option for directory listings. Make the fallback options work as described in the documentation. (markt)
  fix  48577: Filter URL when displaying missing included page. (markt)
  fix  48612: Prevent exception on shutdown if the address attribute is specified for a connector. (markt)
  fix  48613: Further fixes to ensure APRLifecycleListener is only used if defined in server.xml. (fhanik)
  fix  48614: Correct JULI log file buffering so default behaviour is no buffering. (fhanik)
  fix  48625: Provide an option to exit if an error occurs during the initialization phase. (fhanik)
  fix  48645: Use specified encoding rather than null in calls to RequestUtil.URLDecode(byte[] bytes, String enc) (markt)
  fix  48653: Force request.secure and request.scheme to false and http if the X-Forwarded-Proto header has the value http. Patch provided by Cyrille Le Clerc. (markt)
  fix  48678: Remove duplicate server field from org.apache.catalina.startup.Catalina. (markt)
  fix  48694: Remove potential deadlock in web application class loader. (markt)
  add  48716: Provide additional configuration options for JULI. (markt)
  fix  48726: Prevent OOME when uploading large WAR files with the deployer. Patch provided by adam. (markt)
  add  Improve memory leak protection by safely stopping threads started via java.util.Timer that an application starts but fails to stop and by clearing references retained due to the use of java.util.ResourceBundle. (markt)
  update  Modify ThreadLocal memory leak detection to not report false positives and to simplify implementation. (markt/kkolinko)
  add  Basic memory leak detection was added to the standard Host implementation and exposed via JMX to detect memory leaks on web application reload. (markt/kkolinko)
Coyote
  update  Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
Jasper
  add  Add some debug logging to the compiler where exceptions were previously swallowed. (markt)
  fix  48170: Remove unnecessary synchronization that is causing issues under load. (markt)
  fix  48580: Prevent AccessControlException if first access is to a JSP that uses a FunctionMapper. (markt)
  fix  48582: Avoid NPE on background compilation failure. (markt)
  fix  48616: Don't declare or synchronize scripting variables for JSP fragments since they are scriptless. This is an alternative fix for 42390 that avoids both the original problem and the regression in the first fix. (kkolinko)
  fix  48627: Fix regression in re-factored EL parsing. Keep literals as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
  fix  48668: When parsing JSPs only parse EL as EL if EL is enabled else strings such as ${ will be silently dropped. (markt)
  fix  Various EL TCK failures. (markt)
Cluster
  fix  Force a disconnect if an error occurs during replication such as a firewall dropping the connection. (fhanik)
Webapps
  add  Add new "Find leaks" command to the Manager application. It allows detecting web applications that have caused memory leaks on stop, reload or undeploy. (markt/kkolinko)
Other
  fix  Ensure files in conf directory have CRLF line endings when using the Windows installer. (kkolinko)
  fix  Allow special characters recognized by the Windows command-line shell to be present in the names of CATALINA_HOME/_BASE and the current directory used to call the Tomcat scripts. (kkolinko)
  fix  Don't use @Deprecated annotations in javax.servlet.jsp.JspContext since the specification does not include them in the API definition. (markt)
  add  Improve the information in the JAR manifest files. (markt)
2010-09-20  Pullup ticket #3224 - requested by taca  (tron; 2 files, -9/+18)
www/mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile          1.13
- www/mediawiki/distinfo          1.9
- www/mediawiki/patches/patch-aa  1.1
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Sep 16 14:52:02 UTC 2010

Modified Files:
        pkgsrc/www/mediawiki: Makefile distinfo
Added Files:
        pkgsrc/www/mediawiki/patches: patch-aa

Log Message:
Update mediawiki to 1.15.5.

== MediaWiki 1.15.5 ==

2010-07-28

This is a security and maintenance release.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments will
be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
2010-09-11  Pullup ticket 3218 - requested by tnn  (spz; 4 files, -19/+26)
security update

Revisions pulled up:
- pkgsrc/www/seamonkey/Makefile          1.39
- pkgsrc/www/seamonkey/distinfo          1.55
- pkgsrc/www/seamonkey/patches/patch-ap  1.8
- pkgsrc/www/seamonkey/patches/patch-mm  1.2
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tnn
Date:           Thu Sep 9 11:12:27 UTC 2010

Modified Files:
        pkgsrc/www/seamonkey: Makefile distinfo
        pkgsrc/www/seamonkey/patches: patch-ap patch-mm

Log Message:
Update to seamonkey-2.0.7.

* Message-ID searches on Google Groups work again
* Add-ons preferences button for Lightning should work now
* Security fixes:
  MFSA 2010-63 Information leak via XMLHttpRequest statusText
  MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
  MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
  MFSA 2010-60 XSS using SJOW scripted function
  MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
  MFSA 2010-57 Crash and remote code execution in normalizeDocument
  MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
  MFSA 2010-55 XUL tree removal crash and remote code execution
  MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
  MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
  MFSA 2010-52 Windows XP DLL loading vulnerability
  MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
  MFSA 2010-50 Frameset integer overflow vulnerability
  MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)

To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 pkgsrc/www/seamonkey/Makefile
cvs rdiff -u -r1.54 -r1.55 pkgsrc/www/seamonkey/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/seamonkey/patches/patch-ap
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/seamonkey/patches/patch-mm
2010-09-09  Pullup ticket 3216 - requested by tron  (spz; 3 files, -10/+16)
security update

Revisions pulled up:
- pkgsrc/www/squid/options.mk    1.20
- pkgsrc/www/squid31/Makefile    1.26
- pkgsrc/www/squid31/distinfo    1.24
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Jul 28 10:16:14 UTC 2010

Modified Files:
        pkgsrc/www/squid: options.mk
        pkgsrc/www/squid31: Makefile distinfo

Log Message:
Changes 3.1.5.1:
* SourceFormat Enforcement
* Replace most USE_IPV6 with run-time support probing
* Translations: sync with 3.HEAD language updates
* Split-Stack enable DNS and http(s)_port sockets.
* Bug: --with-valgrind-debug failures ignored
* Fixed comm.cc:377: "fd_table[fd].halfClosedReader != NULL" assertion
* Kludge: try to detect system acinclude path, to fix libtool brokenness.
* Bug: search scope for digest_ldap_auth didn't work
* Update libtool autoconf macros to libtool2 style
* Correction documentation of QoS disable-preserve-miss
* Remove .so from SASL build checks
* Bug: AIX support: c only c++ style comments test case
* Bug: AIX support: check libm for log()
* Do not stop accepting just because we got COMM_NOMESSAGE.
* Bug: AIX support: uchar is already defined (more)
* Bug: AIX support: uchar is already defined
* Bug: crash handling NULL write callback
* Correct Joomla DB auth handling
* Fixed memory leak related to retried requests.
* Prevent memory leaks when cloning Range requests.
* Fixed memory leaks related to Range requests.

Changes 3.1.5:
* Bug: Fix context leak in HttpStateData::processReplyHeader
* Bug: raw-IPv6 address URL with append_domain broken
* Bug: does not send indirect X-Client-Ip in ICAP respmod
* Fix free memory corruption and off-by-one error when comparing SNMP OIDs
* Restart DNS retransmission count when restarting the query as an A lookup
* Bug: HTTP responses with no Date, L-M or Expires can now be cached
* Maintenance: Formater skip libltdl dirs
* SourceFormat Enforcement
* Bug: Fails to detect chunked encoding if not given in all lower case
* Port from 2.7: max_filedescriptor config option
* persistent_connection_after_error is meant to be on by default
* kFreeBSD does not have linux headers. Wrap properly.
* Maintenance: Use system MD5 instead of hard-coded python paths
* Bug: ICAP tokens not logged when using multiple access
* SourceFormat Enforcement
* OpenBSD: Fix build mem.cc warning: converting of negative value

To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/squid/options.mk
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/squid31/Makefile
cvs rdiff -u -r1.20 -r1.21 pkgsrc/www/squid31/distinfo
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Wed Aug 4 11:36:08 UTC 2010

Modified Files:
        pkgsrc/www/squid31: Makefile distinfo

Log Message:
Update "squid31" package to version 3.1.6. Changes since 3.1.5.1:
- Bug 2994, 2995: IPv4-only regressions
- Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
- Bug 2975: chunked requests not supported after regular ones
- Fix: 32-bit overflow in reported bytes received from next hop
- Fix Libtool build regressions
- Limited split-stack IPv6 support.
- squid_db_auth support MD5 encrypted passwords

To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/www/squid31/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/squid31/distinfo
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Wed Aug 25 17:53:44 UTC 2010

Modified Files:
        pkgsrc/www/squid31: Makefile distinfo

Log Message:
Update "squid31" package to version 3.1.7. Changes since 3.1.6:
- Regression Bug 3021: Large DNS reply causes crash
- Regression Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes
- Regression Bug 2997: visible_hostname directive no longer matches docs
- Bug 3012: deprecate sslBump and support ssl-bump spelling in http_port
- Bug 3006: handle IPV6_V6ONLY definition missing
- Bug 3004: Solaris 9 SunStudio 12 build failure
- Bug 3003: inconsistent concepts in documentation of cache_dir
- Bug 3001: dnsserver link issues
- HTTP/1.1: default keep-alive for 1.1 clients (bug 3016)
- HTTP/1.1: Improved Range header field validation
- HTTP/1.1: Forward multiple unknown Cache-Control directives
- HTTP/1.1: Stop sending Proxy-Connection header
- Fix 32-bit wrap in refresh_pattern min/max values
- ... and several documentation corrections.

To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/squid31/Makefile
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/squid31/distinfo
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Tue Sep 7 19:55:17 UTC 2010

Modified Files:
        pkgsrc/www/squid31: Makefile distinfo

Log Message:
Update "squid31" package to version 3.1.8. Changes since 3.1.7:
- Security fixes:
  - Fixes for the request processing vulnerability tagged SQUID-2010:3.
    http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
  - A hardening of the DNS client against packet queueing approaches used
    to enable attacks. This completes the protection against attacks
    published by Yamaguchi late in 2009.
  - An HTTP request-line parser hardened against several categories of
    request attack. This greatly increases the speed of detection and
    reduces the resources used to detect these categories of attack.
- Fixes for the following bugs:
  - Bug 3020: Segmentation fault: nameservers[vc->ns].vc = NULL
  - Bug 3005,2972: Locate LTDL headers correctly (again)
  - Bug 2872: leaking file descriptors
  - Bug 2583: pure virtual method called

To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/squid31/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/www/squid31/distinfo
2010-08-12  Pullup ticket #3205 - requested by taca  (tron; 2 files, -6/+6)
www/drupal6: security update

Revisions pulled up:
- www/drupal6/Makefile  1.22
- www/drupal6/distinfo  1.17
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Aug 11 21:56:28 UTC 2010

Modified Files:
        pkgsrc/www/drupal6: Makefile distinfo

Log Message:
Update drupal6 package to 6.18.

Drupal 6.18, 2010-08-11
----------------------
- Fixed security issues (OpenID authentication bypass, File download access
  bypass, Comment unpublishing bypass, Actions cross site scripting), see
  SA-CORE-2010-002.
2010-08-12  Pullup ticket #3204 - requested by taca  (tron; 3 files, -3/+27)
www/typolight27: security patch

Revisions pulled up:
- www/typolight27/Makefile          patch
- www/typolight27/distinfo          patch
- www/typolight27/patches/patch-ab  new file
---
Apply patch to fix XSS vulnerability.
2010-08-12  Pullup ticket #3203 - requested by taca  (tron; 3 files, -6/+30)
www/typolight28: security update

Revisions pulled up:
- www/typolight28/Makefile          1.10-1.11
- www/typolight28/Makefile.version  1.7
- www/typolight28/distinfo          1.8-1.9
- www/typolight28/patches/patch-ad  1.1
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jul 3 04:00:09 UTC 2010

Modified Files:
        pkgsrc/www/typolight28: Makefile Makefile.version distinfo

Log Message:
Update typolight28 to 2.8.4.

Version 2.8.4 (2010-06-30)
--------------------------
- Back-ported the Safe Mode Hack improvements from version 2.9
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Jul 28 16:24:20 UTC 2010

Modified Files:
        pkgsrc/www/typolight28: Makefile distinfo
Added Files:
        pkgsrc/www/typolight28/patches: patch-ad

Log Message:
Add a patch from Contao(TYPOlight) repository to fix possible XSS problem on
frontend module.

Bump PKGREVISION.
2010-07-29  Pullup ticket #3194 - requested by taca  (tron; 3 files, -30/+19)
www/typo3: security update

Pulled up:
- www/typo3/Makefile  patch
- www/typo3/PLIST     patch
- www/typo3/distinfo  patch
---
Update typo3 package to 4.3.4:

Due to several security issues found in the TYPO3 Core, there was a combined
release of TYPO3 4.1.14, 4.2.14, 4.3.4 and 4.4.1.

Find more details in the security bulletin:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-012/

For the full list of changes please refer to:
http://wiki.typo3.org/index.php/TYPO3_4.3.4#Changelog
2010-07-27  Pullup ticket #3190 - requested by obache  (tron; 3 files, -9/+12)
www/py-paste: security update

Revisions pulled up:
- www/py-paste/Makefile  1.7
- www/py-paste/PLIST     1.5
- www/py-paste/distinfo  1.3
---
Module Name:    pkgsrc
Committed By:   obache
Date:           Mon Jul 26 12:38:42 UTC 2010

Modified Files:
        pkgsrc/www/py-paste: Makefile PLIST distinfo

Log Message:
Update py-Paste to 1.7.4.
While here, set LICENSE=mit.

1.7.4
-----
* Fix XSS bug (security issue) with not found handlers for
  :class:`paste.urlparser.StaticURLParser` and :class:`paste.urlmap.URLMap`.
  If you ask for a path with ``/--><script>...`` that will be inserted in
  the error page and can execute Javascript. Reported by Tim Wintle.
* Replaced :func:`paste.util.mimeparse.desired_match`

1.7.3.1
-------
* Removed directory name from 404 errors in
  :class:`paste.urlparser.StaticURLParser`.
* Fixed packaging to include Javascript and images for
  :mod:`paste.evalexception`

1.7.3
-----
* I got a fever and the only prescription is more :mod:`paste.cowbell`!
* Fix :mod:`paste.httpserver` on Python 2.6.
* Fix :mod:`paste.auth.cookie`, which would insert newlines for long cookies.
* :mod:`paste.util.mimeparse` parses a single ``*`` in Accept headers
  (sent by IE 6).
* Fix some problems with the ``wdg_validate`` middleware.
* Improvements to :mod:`paste.auth.auth_tkt`: add httponly support, don't
  always aggressively set cookies without the ``wildcard_cookie`` option.
  Also on logout, make cookies expire.
* In :class:`paste.proxy.Proxy` handle Content-Length of -1.
* In :mod:`paste.httpexceptions` avoid some unicode errors.
* In :mod:`paste.httpserver` handle ``.read()`` from 100 Continue properly
  (because of a typo it was doing a readline).
* Update ``paste.util.mimeparse`` from `upstream
  <http://code.google.com/p/mimeparse/>`_.
2010-07-27  Pullup ticket 3187 - requested by tron  (spz; 3 files, -43/+6)
security update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile  1.61
- pkgsrc/www/apache22/distinfo  1.34
Files deleted:
- pkgsrc/www/apache22/patches/patch-af
-------------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   tron
Date:           Mon Jul 26 21:38:52 UTC 2010

Modified Files:
        pkgsrc/www/apache22: Makefile distinfo
Removed Files:
        pkgsrc/www/apache22/patches: patch-af

Log Message:
Update "apache22" package to version 2.2.16. Changes since version 2.2.15:
- SECURITY: CVE-2010-1452 (cve.mitre.org)
  mod_dav, mod_cache: Fix Handling of requests without a path segment.
  PR: 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org)
  mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
  for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request
  before handler invocation. The init functions are no longer run for
  connection filters. PR 49328. [Joe Orton]
- mod_filter: enable it to act on non-200 responses. PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
  title page only) when any mod_ldap directives were used in VirtualHost
  context. [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared
  across multiple vhosts. PR 39915. [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages.
  PR 48812. [Igor Galić <i galic brainsware org>]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf
  [Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify
  an action to happen when a URL maps to no file, without resorting
  to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
- mod_rewrite: Allow to set environment variables without explicitly
  giving a value. [Rainer Jung]

To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.3 -r0 pkgsrc/www/apache22/patches/patch-af
2010-07-22  Pullup ticket #3178 - requested by tnn  (tron; 6 files, -12/+95)
www/seamonkey: security update and build fix

Revisions pulled up:
- www/seamonkey/Makefile                                                    1.38
- www/seamonkey/distinfo                                                    1.51-1.54
- www/seamonkey/patches/patch-directory_c-sdk_configure.in                  1.1-1.2
- www/seamonkey/patches/patch-directory_c-sdk_ldap_include_portable.h       1.1-1.3
- www/seamonkey/patches/patch-directory_c-sdk_ldap_libraries_libldap_Makefile.in  1.1-1.2
- www/seamonkey/patches/patch-mp                                            1.2
---
Module Name:    pkgsrc
Committed By:   tnn
Date:           Mon Jul 12 11:57:00 UTC 2010

Modified Files:
        pkgsrc/www/seamonkey: distinfo
Added Files:
        pkgsrc/www/seamonkey/patches: patch-directory_c-sdk_configure.in
            patch-directory_c-sdk_ldap_include_portable.h
            patch-directory_c-sdk_ldap_libraries_libldap_Makefile.in

Log Message:
Add some DragonFlyBSD fixes, contributed by Francois Tigeot.
---
Module Name:    pkgsrc
Committed By:   tnn
Date:           Mon Jul 12 13:57:29 UTC 2010

Modified Files:
        pkgsrc/www/seamonkey: distinfo
        pkgsrc/www/seamonkey/patches: patch-directory_c-sdk_configure.in
            patch-directory_c-sdk_ldap_include_portable.h
            patch-directory_c-sdk_ldap_libraries_libldap_Makefile.in

Log Message:
Add upstream bug ref.
---
Module Name:    pkgsrc
Committed By:   tnn
Date:           Wed Jul 21 11:48:06 UTC 2010

Modified Files:
        pkgsrc/www/seamonkey: distinfo
        pkgsrc/www/seamonkey/patches: patch-directory_c-sdk_ldap_include_portable.h

Log Message:
Fix undefined reference to re_comp/re_exec on dragonfly.
Reported by Francois Tigeot.
---
Module Name:    pkgsrc
Committed By:   tnn
Date:           Wed Jul 21 18:25:06 UTC 2010

Modified Files:
        pkgsrc/www/seamonkey: Makefile distinfo
        pkgsrc/www/seamonkey/patches: patch-mp

Log Message:
Update to seamonkey-2.0.6

MFSA 2010-47 Cross-origin data leakage from script filename in error messages
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-45 Multiple location bar spoofing vulnerabilities
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution
MFSA 2010-36 Use-after-free error in NodeIterator
MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
2010-07-10 (tron, 3 files, -7/+33) Pullup ticket #3160 - requested by obache
www/py-moin: security update

Revisions pulled up:
- www/py-moin/Makefile 1.14
- www/py-moin/PLIST 1.7
- www/py-moin/distinfo 1.6
---
Module Name: pkgsrc
Committed By: obache
Date: Fri Jul 9 11:38:36 UTC 2010
Modified Files: pkgsrc/www/py-moin: Makefile PLIST distinfo
Log Message:
Update py-moin to 1.9.3. PR#43524 by Wen Heping.

Known main issues:
* The GUI WYSIWYG editor has still some issues and limitations. If you can't live with those, you can simply switch it off by using:
  editor_force = True
  editor_default = 'text' # internal default, just for completeness

Version 1.9.3:

Fixes:
* Fix XSS in Despam action (CVE-2010-0828).
* Fix XSS issues (see MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg):
  * by escaping template name in messages
  * by fixing other places that had similar issues
* Make moin compatible to werkzeug 0.5 .. 0.6.2 (1.9.2 had issues with xmlrpc when used with werkzeug 0.6.x).
* MoinMoin.util.filesys: disable usage of dircache, deprecate dc* functions, because the dircache stdlib module can't work correctly for fast updates of directories.
* rss_rc and sisterpages actions: fix Content-Type header (mimetype)
* Fix associating OpenID identity with user, wasn't adapted to werkzeug yet.
* openidrp auth: fix undefined _ (gettext)
* Fix auth.cas and userprefs.oidserv request object usage.
* highlight parser: fixed MoinMoinBugs/LineNumberSpansForProcessInstructionsMissed
* Pygments syntax highlighting: add missing code files
* Notifications: use same email subject format for every notification
* Fix docbook formatter crashing, see MoinMoinPatch/IncludeMacroWithDocBookFormatter
* Fix regex content search for xapian search.
* Get rid of the empty line at the end of code highlights.
* GUI editor: compute editor height like the text editor does.
* Added help texts for: standalone server and moin migration.
* script.maint.cleancache: clean also i18n cache files
* Improved formatter.text_plain, see FeatureRequests/TextPlainFormatterRewrite (fixes many issues of this formatter).
* text_html_text_moin_wiki: fixed index error for width="", see also: MoinMoinBugs/GUI_convertor_list_index_out_of_range
* xmlrpc: disable editor backup for putPage, renamePage and revertPage because if pages get uploaded by xmlrpc then the draft cache file can rapidly increase in size, causing high memory usage because it needs to get loaded into memory for updating/processing.
* Emit Content-Type header (with charset) for SlideShow action and many other actions that just call send_title().
* ActionBase: better compatibility to moin 1.8, use request.values by default, optionally use request.form data only

New features:
* RenamePage action: added ability to create redirect pages when renaming (turned off by default, see show_rename_redirect config option).
* formatter/text_html: Added line number links to code blocks.
* diff action:
  * Fixed whitespace in generated (html) diff view table so white-space: pre can be used (and whitespace in diffs preserved).
  * Added links to first/last revision.
* MoinMoin.widget.browser: introduced feature for sorting tables, see: http://moinmo.in/FeatureRequests/SortableTables
* SystemAdmin user and attachment browsers: sorting feature used there now
* Scrolling the text editor to the double clicked line.
* Enable double-click-editing by default.
* WikiConfigHelp macro: make heading and description display optional, heading level as a parameter (default 2)
* If edit ticket check fails, send the editor with the current content.
* moin import wikipage - use this script to import local files as a wiki page

Other changes:
* upgraded pygments from 1.2.2 to 1.3.1
* upgraded FCKeditor from 2.6.4.1 to 2.6.6
* added configuration snippet for ldap authentication against 2 servers
* improved script help output
2010-07-04 (agc, 26 files, -63/+198) Pullup previous changes on HEAD to pkgsrc-2010Q2 branch to fix branching
error, and to sync with reality.
2010-06-25 (hauke, 4 files, -0/+277) 'cvs rm' www/pyblosxom, and re-import as py-blosxom, to stay in line
with pkgsrc conventions. While we are here, fix python egg installer related PLIST entries.
2010-06-25 (hauke, 5 files, -278/+2) Remove pyblosxom and re-import as py-blosxom, being pkgsrc conformant.
2010-06-25 (tnn, 2 files, -7/+6) Update to seamonkey-2.0.5. This is a security update.
MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()
MFSA 2010-26 Crashes with evidence of memory corruption
MFSA 2010-25 Re-use of freed object due to scope confusion
2010-06-24 (tnn, 1 file, -2/+1) Security update of firefox & xulrunner to 3.6.4 (1.9.1.2).
MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-26 Crashes with evidence of memory corruption
2010-06-24 (tron, 1 file, -2/+3) Fix botched Squid version check. The "inet6" option is now only available
for the "squid31" package as intended.
2010-06-23 (schmonz, 4 files, -13/+17) Update this generally stable leaf package during the freeze, mainly
for a handful of bugfixes, to 3.20100623. From the changelog:
* openid: Add openid_realm and openid_cgiurl configuration options, useful in a few edge case setups.
* attachment: Show files from underlay in attachments list.
* img: Support hspace and vspace attributes.
* editpage: Rename "comments" field to avoid CSS conflict with the comments div.
* edittemplate: Make silent mode not disable display when the template page does not exist, so it can be easily created.
* edittemplate: Look for template pages under templates/ like everything else (still looks in old location for backwards compatibility).
* attachment: When inserting links, insert img directives for images, if that plugin is enabled.
* websetup: Allow enabling plugins listed in disable_plugins.
* editpage, comments: Fix broken links in sidebar (due to forcebaseurl). (Thanks, privat)
* calendar: Tune archive_pagespec to only match pages, not other files.
* Fix issues with combining unicode srcdirs and source files. (Workaround bug #586045)
* Make --gettime be honored after initial setup.
* git: Fix --gettime to properly support utf8 filenames.
* attachment: Support Windows paths when taking basename of client-supplied file name.
* theme: New plugin, allows easily theming a site via the underlay.
* Added actiontabs theme by Svend Sorensen.
* Added blueview theme by Bernd Zeimetz.
* mercurial: Fix buggy getctime code. Closes: #586279
* link: Enhanced to handle URLs and email addresses. (Bernd Zeimetz)
2010-06-23 (sborrill, 1 file, -1/+13) Add support for inet6 option on squid 3.1 and above.
2010-06-22 (mrg, 2 files, -6/+6) update to bozohttpd 20100621. changes include:
o properly fully disable multi-file mode for now
o fix the -t and -U options when used without the -e option, broken since the library-ification
o be explicit that logs go to the FTP facility in syslog
2010-06-21 (sborrill, 1 file, -2/+2) mib.txt is still installed even with snmp option disabled. Don't bump
PKGREVISION as no PLIST or binary package changes with default options.
2010-06-19 (asau, 2 files, -1/+26) Don't use getline() to build on NetBSD.
2010-06-19 (kefren, 1 file, -1/+3) provide path to apxs - should fix the bulk build
bump PKGREVISION
2010-06-19 (joerg, 1 file, -1/+2) User must exist during early installation
2010-06-17 (mrg, 2 files, -6/+6) update to bozohttpd 20100617. changes include:
o fix some compile issues
o fix SSL mode. from rtr
o fix some cgi-bin issues, as seen with cvsweb
o disable multi-file daemon mode for now, it breaks
o return 404's instead of 403's when chdir of ~user dirs fail
o remove "noreturn" attribute from bozo_http_error() that was causing incorrect runtime behaviour with approval from agc.
2010-06-17 (wiz, 1 file, -2/+2) Sort pyblosxom (why is it not py-blosxom?).
2010-06-16 (joerg, 3 files, -136/+785) Django 1.2.1:
- Support multiple databases in one Django instance
- Model validation inspired by the Form validation
- Vastly improved protection against Cross-Site Request Forgery
- New user "message" framework, incl. support for anonymous users
- Hooks for object-level permissions and permissions for anonymous users
- Customization of e-mail sending via the new e-mail backend
- Smarter if template tag
2010-06-16 (jmmv, 3 files, -19/+151) Update to 0.12; ok'ed by gdt@. Major changes:
* Translation of Trac in your language using Babel (http://babel.edgewall.org)
* Multiple Repository Support per environment
* Improved Wiki, more powerful syntax and nicer user interface with automatic preview in side-by-side editing mode
* Improved Ticket user interface, with editable comments and automatic preview
2010-06-16 (drochner, 4 files, -12/+31) update to 0.23.3
change: use pkgsrc neon
2010-06-16 (wiz, 3 files, -97/+248) Update to 1.9.9, from maintainer Wen Heping in PR 43483.
* Some general minor bugs fixed in different areas.
* Four security fixes (see below). Some of these vulnerabilities are potentially serious so we strongly recommend you upgrade. Full details to be released soon.
2010-06-15 (joerg, 2 files, -6/+6) uwsgi-0.9.4.4:
- Support non-yielding applications better
- UDP logging
- uwsgi_error() for improved diagnostics
- fix a potential segmentation fault
- Add --version
2010-06-15 (joerg, 5 files, -19/+35) nginx-0.8.41:
- New http_uwsgi_module, replacing the (optional) external one
- New ngx_http_split_clients module
- Support "map" directive with keys longer than 255 characters
- Allow overriding client request header in fastcgi_param
- New "proxy_no_cache" and "fastcgi_no_cache" directives
- Automatically redirect from "rewrite" if $scheme is used
- Various bugfixes
2010-06-15 (hauke, 1 file, -1/+2) Add pyblosxom, a file-based blogging system in the spirit of Blosxom.
2010-06-15 (hauke, 4 files, -0/+276) Import PyBlosxom.
PyBlosxom is a file-based blogging system in the spirit of Blosxom. PyBlosxom uses a directory tree to represent the category hierarchy. All entries in a PyBlosxom blog are text files where the first line is the title of the blog entry and the rest is the body of the entry. PyBlosxom runs as a CGI script and WSGI application. PyBlosxom can run as a "static renderer" and compile your blog into HTML pages for any web server. This is a good solution for blogs with millions of entries or servers that are really slow or don't have a way to run applications. PyBlosxom supports templates (called flavours) to change the look and feel of your blog. PyBlosxom supports plugins to modify the existing default behavior.
2010-06-15 (wiz, 2 files, -12/+22) PR 43417 by maintainer Wen Heping:
Improve Makefile and fix some bugs in conf file.
While here, comment out destdir-ready flag, since the package chowns.
Bump PKGREVISION.
2010-06-14 (wiz, 1 file, -1/+2) PKGREVISION bump for png-1.4.x shlib change.
(missed those and *emacs* the first time round because they pull in their png dependencies via default-on options; they were included in the test bulk build though)
2010-06-14 (seb, 2 files, -9/+6) Update from version 0.20 to version 0.22.
Pkgsrc changes:
- adjust dependencies wrt minimum required perl package version

Upstream changes:
0.22 Thu Jun 10 12:58:99 2010
    Add NOPASTE_SSH_MODE for chmod'ing after uploading (Thomas Sibley)
    Doc fixes (Thomas Sibley)
0.21 Sat May 1 09:32:10 2010
    Add a --list_services/-L option (David Bremner) [rt.cpan.org #55562]
    Add --private support, used in Gist (John Goulah)
    Doc fix (Salvatore Bonaccorso) [rt.cpan.org #53249]
    Doc fix (Fabien Wernli) [rt.cpan.org #54928]
    Mention 'nopaste' script (Damyan Ivanov) [rt.cpan.org #51065]
2010-06-13 (wiz, 39 files, -75/+157) Bump PKGREVISION for libpng shlib name change.
Also add some patches to remove use of deprecated symbols and fix other problems when looking for or compiling against libpng-1.4.x.
2010-06-12 (obache, 1 file, -1/+2) + ruby-div
2010-06-12 (obache, 4 files, -0/+43) Import ruby-div-1.3.2 as www/ruby-div.
Div is a simple Web Application framework with dRuby and ERB. You can write web applications like GUI programming.
2010-06-12 (tron, 3 files, -3/+39) Add patch provided by the Apache foundation to close the privacy leak
reported in CVE-2010-2068.
2010-06-11 (schmonz, 3 files, -9/+7) Update to 3.20100610. From the changelog:
* creation_day() etc use local time, not gmtime. To match calendars, which use local time.
* img: Fill in missing height or width when scaling image.
* Remove example blog tag pages; allow autotag creation to create them when used.
* Fix support for globbing in tagged() pagespecs.
* Fix display of sidebar when previewing page edit. (Thanks, privat)
* relativedate: Fix problem with localised dates not working.
* editpage: Avoid storing accidental state changes when previewing pages.
* page.tmpl: Add a div around the page content, and comments, to aid in sidebar styling.
* style.css: Improvements to make floating sidebar fit much better on pages with inlines.
* calendar: Shorten day names, and improve styling of month calendar.
* style.css: Reduced sidebar width back to 20ex from 30; the month calendar will now fit in the smaller width, and 30 was feeling too large.
2010-06-11 (tron, 4 files, -44/+6) Update "squid31" package to version 3.1.4. Changes since version 3.1.3:
- Bug 2933: Verification of the max. port number for WCCP2 dynamic service
- Bug 2924: RADIUS helper compile issues
- Bug 2922: Fix assertion failed: HttpHeader.cc: "Headers[id].stat.aliveCount"
- Bug 2919: tcp_outgoing_address ACLs not obeying acl_uses_indirect_client
- Bug 2896: Fix assertion failed: comm.cc:2063: "!fd_table[fd].closing()"
- Bug 2879: pt2: 3.0 regression in headers end finding
- Bug 2877: pt2: only output zero-size warning on reverse-proxy requests
- Bug 2876: FD_SETSIZE override not working on all linux distributions
- Bug 2810: common log format generates 2 lines of syslog
- Bug 2789: Optimize unlimited memory pools, and correctly handle limits over 2GB
- Bug 2753: Fall back on IPv4 if IPv6 is not present
- Bug 2697: Adaptation leaks and extra requests after reconfiguration
- Bug 2633: Fix Ecap::HeaderRep::value(name) fails when there is no named header field
- Change LDAP helpers to default to LDAP version 3 if available
- Add Joomla and Salted Hash support to squid_db_auth helper
- Fixed IpAddress port printing for ports higher than 9999
- Disable chunked memory pooling by default.
- ... and several build errors.
2010-06-11 (wiz, 2 files, -5/+17) Fix build with gtk2-2.20.
2010-06-11 (wiz, 1 file, -1/+6) Fix build with gtk2-2.20.
2010-06-09 (minskim, 2 files, -7/+7) Sync ruby-activeresource with other rails packages.
Patch by Wen Heping in PR 43442.
2010-06-07 (taca, 4 files, -19/+20) Update typolight28-translations package to 20100606.
* Update Spanish, Swedish and Turkish language files.
* Update HOMEPAGE and MASTER_SITES since www.TYPOlight.org migrated to www.contao.org.
2010-06-07 (taca, 2 files, -4/+4) Update HOMEPAGE and URL in MESSAGE since www.TYPOlight.org migrated to
www.contao.org. No PKGREVISION bump since no functional change at all.