www/lynx: security fix
Revisions pulled up:
- www/lynx/Makefile 1.123-1.124
- www/lynx/distinfo 1.34-1.35
- www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c 1.1-1.2
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h 1.1
- www/lynx/patches/patch-src_LYUtils.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Dec 21 11:25:25 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
Added Files:
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
patch-WWW_Library_Implementation_HTTP.c
patch-WWW_Library_Implementation_HTTP.h
patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c
Log Message:
Patch for POODLE & CVE-2016-9179.
Bump rev.
---
Module Name: pkgsrc
Committed By: sevan
Date: Thu Dec 22 17:30:52 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
Log Message:
Fix broken patch committed previously which resulted in lynx crashing.
Bump rev again.
Apologies to anyone caught out by this mistake.
Heads up by alnsn@
www/drupal7: security fix
Revisions pulled up:
- www/drupal7/Makefile 1.40-1.42
- www/drupal7/PLIST 1.15
- www/drupal7/distinfo 1.31-1.32
---
Module Name: pkgsrc
Committed By: wen
Date: Fri Oct 21 14:31:30 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile PLIST distinfo
Log Message:
Update to 7.51
Upstream changes:
Drupal 7.51, 2016-10-05
-----------------------
- The Update module now also checks for updates to a disabled theme that is
used as an admin theme.
- Exceptions thrown in dblog_watchdog() are now caught and ignored.
- Clarified the warning that appears when modules are missing or have moved.
- Log messages are now XSS filtered on display.
- Draggable tables now work on touch screen devices.
- Added a setting for allowing double underscores in CSS identifiers
(https://www.drupal.org/node/2810369).
- If a user navigates away from a page while an Ajax request is running they
will no longer get an error message saying "An Ajax HTTP request terminated
abnormally".
- The system_region_list() API function now takes an optional third parameter
which allows region name translations to be skipped when they are not needed
(API addition: https://www.drupal.org/node/2810365).
- Numerous performance improvements.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
Drupal 7.50, 2016-07-07
-----------------------
- Added a new "administer fields" permission for trusted users, which is
required in addition to other permissions to use the field UI
(https://www.drupal.org/node/2483307).
- Added clickjacking protection to Drupal core by setting the X-Frame-Options
header to SAMEORIGIN by default (https://www.drupal.org/node/2735873).
- Added support for full UTF-8 (emojis, Asian symbols, mathematical symbols) on
MySQL and other database drivers when the site and database are configured to
allow it (https://www.drupal.org/node/2761183).
- Improved performance by avoiding a re-scan of directories when a file is
missing; instead, trigger a PHP warning (minor API change:
https://www.drupal.org/node/2581445).
- Made it possible to use any PHP callable in Ajax form callbacks, form API
form-building functions, and form API wrapper callbacks (API addition:
https://www.drupal.org/node/2761169).
- Fixed that following a password reset link while logged in leaves users unable
to change their password (minor user interface change:
https://www.drupal.org/node/2759023).
- Implemented various fixes for automated test failures on PHP 5.4+ and PHP 7.
Drupal core automated tests now pass in these environments.
- Improved support for PHP 7 by fixing various problems.
- Fixed various bugs with PHP 5.5+ imagerotate(), including when incorrect
color indices are passed in.
- Fixed a regression introduced in Drupal 7.43 that allowed files uploaded by
anonymous users to be lost after form validation errors, and that also caused
regressions with certain contributed modules.
- Fixed a regression introduced in Drupal 7.36 which caused the default value
of hidden textarea fields to be ignored.
- Fixed robots.txt to allow search engines to access CSS, JavaScript and image
files.
- Changed wording on the Update Manager settings page to clarify that the
option to check for disabled module updates also applies to uninstalled
modules (administrative-facing translatable string change).
- Changed the help text when editing menu links and configuring URL redirect
actions so that it does not reference "Drupal" or the drupal.org website
(administrative-facing translatable string change).
- Fixed the locale safety check that is used to ensure that translations are
safe to allow for tokens in the href/src attributes of translated strings.
- Fixed that URL generation only works on port 80 when using domain based
language negotiation.
- Made method="get" forms work inside the administrative overlay. The fix adds
a new hidden field to these forms when they appear inside the overlay (minor
data structure change).
- Increased maxlength of menu link title input fields in the node form and
menu link form from 128 to 255 characters.
- Removed meaningless post-check=0 and pre-check=0 cache control headers from
Drupal HTTP responses.
- Added a .editorconfig file to auto-configure editors that support it.
- Added --directory option to run-tests.sh for easier test discovery of all
tests within a project.
- Made run-tests.sh exit with a failure code when there are test fails or
problems running the script.
- Fixed that cookies from previous tests are still present when a new test
starts in DrupalWebTestCase.
- Improved performance of queries on the {authmap} database table.
- Fixed handling of missing files and functions inside the registry.
- Fixed Ajax handling for tableselect form elements that use checkboxes.
- Fixed a bug which caused ip_address() to return nothing when the client IP
address and proxy IP address are the same.
- Added a new option to format_xml_elements() to allow for already encoded
values.
- Changed the {history} table's node ID field to be an unsigned integer, to
match the same field in the {node} table and to prevent errors with very
large node IDs.
- Added an explicit page callback to the "admin/people/create" menu item in the
User module (minor data structure change). Previously this automatically
inherited the page callback from the parent "admin/people" menu item, which
broke contributed modules that override the "admin/people" page.
- Numerous small bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
---
Module Name: pkgsrc
Committed By: wen
Date: Sat Oct 22 07:44:03 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile
Log Message:
Add missing php module.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Nov 17 14:18:39 UTC 2016
Modified Files:
pkgsrc/www/drupal7: Makefile distinfo
Log Message:
Update drupal7 to 7.52 (Drupal 7.52), including security fix.
Drupal 7.52, 2016-11-16
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-005.
www/w3m: security fix
www/w3m-img: security fix
Revisions pulled up:
- www/w3m-img/Makefile 1.29
- www/w3m-img/PLIST 1.1
- www/w3m/Makefile 1.78
- www/w3m/Makefile.common 1.62-1.63
- www/w3m/PLIST 1.17
- www/w3m/distinfo 1.27-1.29
- www/w3m/options.mk 1.15
- www/w3m/patches/patch-aa deleted
- www/w3m/patches/patch-ab deleted
- www/w3m/patches/patch-ac deleted
- www/w3m/patches/patch-ak deleted
- www/w3m/patches/patch-al deleted
- www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in deleted
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:26:35 UTC 2016
Modified Files:
pkgsrc/www/w3m: Makefile Makefile.common PLIST distinfo options.mk
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Updated w3m to 0.5.3.0.20161031.
Switch from dead sourceforge original to debian-maintained github version.
* new features
- support OSC 5379 remote imaging and sixel graphics
- support SGR style mouse handler
- support 32-bit color images
- support FreeBSD framebuffer
- support button element
- support meta charset
- add extbrowser4..9
- add display_borders to display 0 pixel table borders
- add siteconf feature
- add German translation for options setting panel
- add translations for de, zh_CN and zh_TW
* bug fixes
- fix segfaults with malformed text
- disable SSLv2 and SSLv3 by default [CVE-2014-3566]
- set ssl_verify_server to 1 by default
- disable RC4, export ciphers, and keys < 128 bits
- use SSL_OP_NO_COMPRESSION due to "CRIME attack" [CVE-2012-4929]
- use SSL_MODE_RELEASE_BUFFERS
- disable USE_EGD for LibreSSL
- appease gcc -Werror=format-security
- option -s is now "squeeze multiple blank lines" to work as pager, and
-j and -e are obsolete, so use -O{s|j|e} to specify display charset
- accept single quoted meta refresh URL
- assume "text" if a form input type is unknown
- accept cookies by default
- set use_dictcommand to 1 by default
- set default_url to 1 by default
- set argv_is_url to 1 by default
- set alt_entity to 0 by default
- fix build problems with Boehm GC 7.2, imlib2 1.4.6 and glibc 2.14
- fix parallel make failure
- fix incorrect ucs_ambwidth_map
- and many fixes
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:27:16 UTC 2016
Modified Files:
pkgsrc/www/w3m-img: Makefile
Added Files:
pkgsrc/www/w3m-img: PLIST
Log Message:
Updated w3m-img to 0.5.3.0.20161031.
Changes same as for www/w3m.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:27:25 UTC 2016
Removed Files:
pkgsrc/www/w3m/patches: patch-aa patch-ac patch-ak patch-al
patch-scripts_w3mman_w3mman2html.cgi.in
Log Message:
Remove obsolete patches.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 6 19:30:42 UTC 2016
Modified Files:
pkgsrc/www/w3m: distinfo
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Add upstream bug report URL.
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 22 14:36:38 UTC 2016
Modified Files:
pkgsrc/www/w3m: Makefile.common distinfo
Log Message:
Updated w3m to 0.5.3.0.20161120.
Debian's w3m 0.5.3+git20161120
* bug fixes
- fix multiple flaws with malformed text
(stack overflow, buffer overflow, null deref, out of memory)
- fix stack overflow with nested table and textarea [CVE-2016-9439]
- fix suspend (^Z) behavior
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Nov 22 15:24:43 UTC 2016
Removed Files:
pkgsrc/www/w3m/patches: patch-ab
Log Message:
Remove integrated patch.
www/py-django: security fix
Revisions pulled up:
- www/py-django/Makefile 1.78
- www/py-django/distinfo 1.60
---
Module Name: pkgsrc
Committed By: wen
Date: Wed Nov 2 14:30:49 UTC 2016
Modified Files:
pkgsrc/www/py-django: Makefile distinfo
Log Message:
Update to 1.9.11 (security update)
Upstream changes:
Django 1.9.11 release notes
November 1, 2016
Django 1.9.11 fixes two security issues in 1.9.10.
User with hardcoded password created when running tests on Oracle
DNS rebinding vulnerability when DEBUG=True
www/ruby-http-cookie: security fix
Revisions pulled up:
- www/ruby-http-cookie/Makefile 1.2
- www/ruby-http-cookie/distinfo 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Sep 30 15:36:59 UTC 2016
Modified Files:
pkgsrc/www/ruby-http-cookie: Makefile distinfo
Log Message:
Update ruby-http-cookie to 1.0.3.
## 1.0.3 (2016-09-30)
- Treat comma as normal character in HTTP::Cookie.cookie_value_to_hash
instead of key-value pair separator. This should fix the problem
described in CVE-2016-7401.
WordPress versions 4.6 and earlier are affected by two security issues:
a cross-site scripting vulnerability via image filename, reported by SumOfPwn
researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade
package uploader, reported by Dominik Schilling from the WordPress security
team.
WordPress 4.6.1 also fixes 15 bugs from Version 4.6, including:
- Bootstrap/Load
#37680 – PHP Warning: ini_get_all() has been disabled for security reasons
- Database
#37683 – $collate and $charset can be undefined in wpdb::init_charset()
#37689 – Issues with utf8mb4 collation and the 4.6 update
- Editor
#37690 – Backspace causes jumping
- Email
#37736 – Emails fail on certain server setups
- External Libraries
#37700 – Warning: curl_exec() has been disabled for security reasons (Requests library)
#37720 – The minified version of the Masonry shim was not updated in #37666 (Masonry library)
- HTTP API
#37733 – cURL error 3: malformed for remote requests
#37768 – HTTP API no longer accepts integer and float values for the cookies argument
- Post Thumbnails
#37697 – Strange behavior with thumbnails on preview in 4.6
- Script Loader
#37800 – Close “link rel” dns-prefetch tag
- Taxonomy
#37721 – Improve error handling of is_object_in_term in taxonomy.php
- Themes
#37755 – Visual Editor: Weird unicode (Vietnamese) characters display on WordPress 4.6
- TinyMCE
#37760 – Problem with RTL
- Upgrade/Install
#37731 – Infinite loop in _wp_json_sanity_check() during plugin install
* Remove contact and calendar distfiles
* Remove replace commands for code signing, fix PR pkg/51032
Changelog:
Version 9.1.1 Sep 20 2016
Core: Remove OCS response body for HTTP status 204 and 304 which disturbed some firewalls - core/#25835
Core: Map Oracle driver options to params - core/#23938
Core: Log cron job class name for easier troubleshooting - core/#25743
Core: Skip version and trash expiry for users that never logged in - core/#25741
Core: Added white download icons for apps to use - core/#23891
Core: Fix warning about undefined offset in LoginController - core/#25714
Core: Fix warning about undefined two factor providers - core/#25606
Core: Load app before executing its repair steps - core/#25674
Core: Fix "defaultapp" setting - core/#25562
Core: Fix issue when opening some file app links received in share emails - core/#25200
Core: Reconnect DB in occ files:scan to avoid DB timeouts - core/#25853
Core: Fix status.php page redirection with non-standard port - core/#25946
Core: Improve users page loading performance with many groups - core/#25922
Core: Don't log credentials from tryLogin - core/#25895
Core: Fix password recovery with case sensitive user names - core/#25684
Core: Fix two factor page cyclic reload with some providers - core/#25893
Core: Add visual feedback when updating password in users page - core/#25532
Core: Fix useless warning when overwriting file when open_basedir is set - core/#26033
Files: Display hidden files in footer and selection summary - core/#25855
Files: Fix hidden files handling with insertion or selection - core/#25856
DAV: Faster classification migration in CalDAV - core/#25638
DAV: Error message about forbidden password login is now logged in debug level - core/#25486
DAV: Return "data-fingerprint" property on any file related element - core/#25482
DAV: Fix missing properties in CalDAV subscriptions - core/#24469
DAV: Improve performance of chunking in new DAV endpoint - core/#26072
Sharing: Fixed wrong insufficient storage error - core/#25582
Sharing: Prevent shared storage recursions to avoid memory issues and crashes - core/#25557
Sharing: Group received shares which have same source and target - core/#25113
Sharing: Fix sharing over API when dealing with trailing slashes - core/#25464
Sharing: Fix public upload issue with quota in some scenarios - core/#24751
Sharing: Fix issue where videos did not play from share links with PHP 7 - core/#25483
Sharing: Fix BadMethodCallException in cron or scanner - core/#25506
Sharing: Prevent ghost mounts for deleted/orphaned shares - core/#26001
Sharing: Fix fatal error for users with older existing shares from OC <= 8.2 - core/#25933
Sharing: Always allow share owner to increase permissions - core/#25542
Sharing: Properly retry federated shares after they were unavailable - core/#26037
Sharing: Reallow spaces in federated share autocomplete in share dialog - core/#25955
Encryption: OCC command for decryption now doesn't decrypt received shares - core/#25599
Files_external: Removed reference magic to avoid potential infinite loops - core/#25844
Files_external: Added conditional trace logging for debugging SMB on production systems - core/#25758
Files_external: Fix config database issue when using Oracle - core/#25764
Files_external: SMB subfolders with read-only attribute are now writeable in OC to match spec - core/#24608
Files_external: Fix "save in session" mode when using Webdav without cookies/session - core/#25511
Files_external: Respect theme for external folder icon - core/#25461
Files_external: Disable NFD encoding wrapper that was enabled by mistake for local storages - core/#25819
Files_external: Some SMB fixes and better debug logging - core/#25817
Files_trashbin: Add occ command to trigger trashbin retention expiration - core/#25878
Files_versions: Add occ command to trigger versions retention expiration - core/#25878
LDAP: Fix login issue when dealing with display name of deleted users - core/#23248
LDAP: Prevent triggering email change events at login time for unchanged email - core/#25553
LDAP: Fix login and logging issue with big avatars by reducing their size - core/#25857
LDAP: Hide LDAP admin password in wizard - core/#25702
Provisioning API: Fixed issue where subadmins could not change group memberships - core/#25496
Provisioning API: Added flag to enable/disable two-factor auth for users - core/#25876
Activity: Fix owner name processing for received federated shares - core/#24938
Updater: Fix web update issue with filesystem apps - updater/#371
Antivirus: Fix incorrect report of file size - files_antivirus/#120
Antivirus: Fix background scan - files_antivirus/#109
Version 9.1.0 Jul 21 2016
General
Background jobs (cron) can now run in parallel
Update notifications in client via API - You can now be notified in your desktop client about available updates for core and apps. The notifications are made available via the notifications API.
Multi bucket support for primary objectstore integration
Authentication
Pluggable authentication: plugin system that supports different authentication schemes
Token-based authentication
Ability to invalidate sessions
List connected browsers/devices in the personal settings page. Allows the user to disconnect browsers/devices.
Device-specific passwords/tokens, can be generated in the personal page and revoked
Disable users and automatically revoke their sessions
Detect disabled LDAP users or password changes and revoke their sessions
Log in with email address
Configuration option to enforce token-based login outside the web UI
Two Factor authentication plug-in system
OCC command added to (temporarily) disable/enable two-factor authentication for single users
Note: the current desktop and mobile client versions do not support two-factor yet, this will be added later. It is already possible to generate a device specific password and enter that in the current client versions.
Files app
Ability to toggle displaying hidden files
Remember sort order
Permalinks for internal shares
Visual cue when dragging in files app
Autoscroll file list when dragging files
Upload progress estimate
Federated sharing
Ability to create federated shares with CRUDS permissions
Resharing a federated share does not create a chain of shares any more but connects the share owner's server to the reshare recipient
External storage
UTF-8 NFD encoding compatibility support for NFD file names stored directly on external storages (new mount option in external storage admin page)
Direct links to the configuration pages for setting up a GDrive or Dropbox app for use with ownCloud
Some performance and memory usage improvements for GDrive, stream download and chunk upload
Performance and memory usage improvements for Dropbox with stream download
GDrive library update provides exponential backoff which will reduce rate limit errors
Minor additions
Support for print style sheets
Command line based update will now be suggested if the instance is bigger to avoid potential timeouts
Web updater will be disabled if LDAP or shibboleth are installed
DB/app update process now shows better progress information
Added occ files:scan --unscanned to only scan folders that haven't yet been explored on external storages
Chunk cache TTL can now be configured
Added warning for wrongly configured database transactions, helps prevent "database is locked" issues
Use a capped memory cache to reduce memory usage especially in background jobs and the file scanner
Allow login by email
Respect CLASS property in calendar events
Allow addressbook export using VCFExportPlugin
Birthdays are also generated based on shared addressbooks
For developers
New DAV endpoint with a new chunking protocol aiming to solve many issues like timeouts (not used by clients yet)
New webdav property for share permissions
Background repair steps can be specified info.xml
Background jobs (cron) can now be declared in info.xml
Apps can now define repair steps to run at install/uninstall time
Export contact images via sabre dav plugin
Sabre DAV's browser plugin is available in debug mode to allow easier development around webdav
Technical debt
PSR-4 autoloading forced for OC\ and OCP\, optional for OCA\ docs at https://doc.owncloud.org/server/9.1/developer_manual/app/classloader.html
More cleanup of the sharing code (ongoing)
### 4.2.4 (2016-09-21)
* Handle special character passwords in the "close account" module (see contao/core#8455).
* Handle broken SVG files in the Image and File class (see contao/core#8470).
* Reduce the maximum field length by the file extension length (see contao/core#8472).
* Fall back to the field name if there is no label (see contao/core#8461).
* Do not assume NULL by default for binary fields (see contao/core#8477).
* Correctly render the diff view if not the latest version is active (see contao/core#8481).
* Update the list of countries and languages (see contao/core#8453).
* Correctly set up the MooTools CDN URL (see contao/core#8458).
* Also check the URL length when determining the search URL (see contao/core#8460).
* Only regenerate the session ID upon login.
Version 3.5.17 (2016-09-20)
---------------------------
### Fixed
Handle special character passwords in the "close account" module (see #8455).
Handle broken SVG files in the Image and File class (see #8470).
Reduce the maximum field length by the file extension length (see #8472).
Fall back to the field name if there is no label (see #8461).
Do not assume NULL by default for binary fields (see #8477).
Correctly render the diff view if not the latest version is active (see #8481).
Update the list of countries and languages (see #8453).
Correctly set up the MooTools CDN URL (see #8458).
Also check the URL length when determining the search URL (see #8460).
Only regenerate the session ID upon login.
* Sync with firefox45-45.4.0
Changelog:
Security vulnerabilities fixed in Firefox ESR 45.4
Announced
September 13, 2016
Impact
Critical
Products
Firefox ESR
Fixed in
Firefox ESR 45.4
Description
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]
CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Multiple people
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]
CVE-2016-5250 - Resource Timing API is storing resources sent by the previous page [moderate]
Reporter: Catalin Dumitru
Description: URLs of resources loaded after a navigation started can leak to the following page through the Resource Timing API, leading to potential information disclosure. [1254688]
CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel [high]
Reporter: Samuel Groß
Description: An integer overflow error in WebSockets during data buffering on incoming packets resulting in attacker controlled data being written at a known offset in the allocated buffer. [1287266]
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
* Sync with firefox-49.0
Changelog:
New
Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It’s one more way Firefox is supporting Let’s Encrypt and helping users transition to a more secure web.
Added features to Reader Mode that make it easier on the eyes and the ears
Controls that allow users to adjust the width and line spacing of text
Narrate, which reads the content of a page out loud
Improved video performance for users on systems that support SSSE3 without hardware acceleration
Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
Enhancements for Mac users
Improved performance on OS X systems without hardware acceleration
Improved appearance of anti-aliased OS X fonts
Improvements in about:memory reports for tracking font memory usage
Improve performance on Windows systems without hardware acceleration
Fixed
Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.
Various security fixes
Changed
Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.
Ended Firefox for Windows support for SSE processors
Removed Firefox Hello
Re-enabled the default for Graphite2 font shaping
Developer
Added a Cause column to the Network Monitor to show what caused each network request
Introduced web speech synthesis API
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49
CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]
CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]
CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]
CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]
CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are drag and dropped into Firefox [1249522]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]
CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]
CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]
Reporter: Gavin Sharp
Description: A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors [928187]
CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Ryan Duff
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]
CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]
Reporter: Mozilla developers
Description: Mozilla developers Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, and Michael Smith reported memory safety bugs present in Firefox 48. Some of these bugs showed evidence of memory corruption and under certain circumstances could potentially be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49]
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
Bump PKGREVISION to 7
--------------------------------------
3.10, 2016-08-17
David Precious (BIGPRESH) taking over maintainership, kind thanks to Nate
(NWIGER) for handing over the reins.
[ BUG FIXES]
- Avoid CGI.pm warning if param() used in list context (GH-5, netangel)
------------------------------------
2.23 Sun Aug 28 11:30:33 CEST 2016
- relative redirects used the proxy schema instead of the request
url schema to generate the new url, which is wrong (analyzed by Felix
Ostmann).
- fix download example (reported by Felix Ostmann).
----------------------------------
7.06 2016-09-17
- Fixed bug where Mojolicious::Renderer would wrap text in layouts.
- Fixed a few test description encoding bugs in Test::Mojo.
I can't believe both copies are needed.
Addresses "pkgsrc cannot be checked out on a case-insensitive file system"
by Jonathan Schleifer, PR 51485.
Fixes duplicated output of nspluginwrapper -l.
Bump PKGREVISION.
------------------------
2.0.4 2016-09-14 08:00:00+0000
- [security fix][core] fix DoS attack vector CVE-2016-4864 (Frederik Deweerdt, Kazuho Oku)
- [libh2o] fix crash on connect timeout #960 (disigma)
-----------------------------------
1.007 2016-09-16 02:26:28Z
- fix handling of filename option in the Gist command (Zakariyya
Mughal, PR#13)
---------------------------
4.33 2016-09-16
[ DOCUMENTATION ]
- clarify that ->param will return the first value if there are
multiple values (when not called in list context)
* [ Joey Hess ]
* Fix installation when prefix includes a string metacharacter.
Thanks, Sam Hathaway.
* [ Simon McVittie ]
* Use git log --no-renames to generate recentchanges, fixing the git
test-case with git 2.9 (Closes: #835612)
- [file] don't use `readdir_r` on Linux, Solaris #1046 #1052
(Frederik Deweerdt, Kazuho Oku)
- [http2] fix negative error code sent when cancelling a pushed
stream #1039 (Frederik Deweerdt)
- [http2] fix a bug that may cause a stream to stall #1040 (Frederik
Deweerdt)
- [http2] fix a bug that reset the stream when receiving HEADERS
after PRIORITY #1043 (Frederik Deweerdt)
- [mruby] fix mruby handler becoming unusable after failed connection
in http_request on FreeBSD #1062 (Kazuho Oku)
Curl and libcurl 7.50.3
This release includes the following bugfixes:
o CVE-2016-7167: escape and unescape integer overflows [8]
o mk-ca-bundle.pl: use SHA256 instead of SHA1
o checksrc: detect strtok() use
o errors: new alias CURLE_WEIRD_SERVER_REPLY [1]
o http2: support > 64bit sized uploads [2]
o openssl: fix bad memory free (regression) [3]
o CMake: hide private library symbols [4]
o http: refuse to pass on response body with NO_NODY was set [5]
o cmake: fix curl-config --static-libs [6]
o mbedtls: switch off NTLM in build if md4 isn't available [7]
o curl: --create-dirs on windows groks both forward and backward slashes [9]
2016-09-13 46b333a [RELEASE] Release of TYPO3 6.2.27 (TYPO3 Release Team)
2016-09-13 8aecd0c #76462 [!!!][SECURITY] Mitigate potential cache flooding (Benni Mack)
2016-09-13 b04d394 #77906 [SECURITY] Fix select_key XSS in PageLayoutView (Georg Ringer)
2016-09-13 67e63a9 #77204 [BUGFIX] Prevent orphaned tags in Typo3DatabaseBackend (Thomas Schlumberger)
2016-09-02 44949df #64176 [BUGFIX] Prevent fatal error if no column in page layout is defined (Nicole Cordes)
2016-09-02 0f77d52 #77755 [BUGFIX] Check for null in debug_check_recordset (Morton Jonuschat)
2016-08-23 b495775 #77588 [BUGFIX] Fix sql error in EXT:linkvalidator (Daniel Windloff)
2016-08-19 b2c9915 #76441 [BUGFIX] Index all file mounts in FAL indexer scheduler task (Hannes Bochmann)
2016-08-18 dc83c6d #76928 [BUGFIX] Allow URL path segments like "typo3" (Mathias Brodala)
2016-08-18 ba4521b #67894 [BUGFIX] Felogin form with default layout is not visible (Michiel Roos)
2016-07-19 95c3944 #77098 [BUGFIX] Prepend current path to versionNumberInFilename RewriteRule (Marco Huber)
* 1473: ``HTTPError`` now also works as a context manager.
* 1487: The sessions tool now accepts a ``storage_class``
parameter, which supersedes the new deprecated
``storage_type`` parameter. The ``storage_class`` should
be the actual Session subclass to be used.
* Releases now use ``setuptools_scm`` to track the release
versions. Therefore, releases can be cut by simply tagging
a commit in the repo. Versions numbers are now stored in
exactly one place.
In this release, we fixed the bug which causes GOAWAY race with new incoming stream on server side. The bug has been reported in GH-681. This is a regression introduced in 16c4611. We were happy with that commit since nghttp2 server passed all strict mode h2spec tests. However, it turned out that it could not handle some cases well, and one of them is GOAWAY race on server side. We reverted part of that commit to fix this issue. This bug only affects nghttp2 server side session. The client side nghttp2 session is not affected by this bug.
2.3.14 (2016-08-17)
-------------------
New features
- [eas] added folder merging capabilities
Enhancements
- [web] expunge drafts mailbox when a draft is sent and deleted
- [web] style cancelled events in Calendar module (#2800)
- [web] updated CKEditor to version 4.5.10
Bug fixes
- [eas] fixed long GUID issue preventing sometimes synchronisation (#3460)
- [web] improved extraction of HTML signature in Preferences module
- [web] really delete mailboxes being deleted from the Trash folder (#595, #1189, #641)
- [core] fixing sogo-tool backup with multi-domain configuration but domain-less logins
- [core] during event scheduling, use 409 instead of 403 so Lightning doesn't fail silently
- [core] correctly calculate recurrence exceptions when not overlapping the recurrence id
- [core] prevent invalid SENT-BY handling during event invitations (#3759)
2.3.13 (2016-07-06)
-------------------
New features
- [core] now possible to set default Sieve script (#2949)
- [core] new sogo-tool truncate-calendar feature (#1513, #3141)
- [eas] initial Out-of-Office support in EAS
Enhancements
- [core] avoid showing bundle loading info when not needed (#3726)
- [core] when restoring data using sogo-tool, regenerate Sieve script (#3029)
- [eas] use the preferred email identity in EAS if valid (#3698)
- [eas] handle inline attachments during EAS content generation
- [web] update jQuery File Upload library to 9.12.5
Bug fixes
- [web] fixed crash when an attachment filename has no extension
- [web] dragging a toolbar button was blocking the mail editor in Firefox
- [eas] handle base64 EAS protocol version
Unknown
Added css regression tests framework
Fixed an issue with datetime fields being displayed incorrectly
Fixed a bug with related-widget add/change buttons inside changelist
Fixed an issue with login screen on Django 1.9
Fixed an issue with calendar display in Django 1.9
Fixed inline grouped field with
Synced translations with Transifex
Upstream changes:
3.1.2
Highlights
MDL-37250 - Lessons: save students attempts if they timeout
MDL-54977 - Fixed bug with navigation tree not working in some cases
MDL-50586 - Warn teachers about removing level 0 in rubrics as it leads to unexpected grades.
MDL-41174 - Update the calendar event when inline changing activity name or duplicating activity
MDL-33741 - Allow teacher to access course files in hidden categories using Server files repository in filepicker
MDL-55333 - Fixed error when trying to view/export feedback responses with over 60 questions using mariadb/mysql
Security issues
MSA-16-0022 Web service tokens should be invalidated when the user password is changed or forced to be changed
Fixes and improvements
MDL-55312 - Bugfix: Load timeout for modules: core/first occurs after purge caches
MDL-55229 - Bugfix: Meta Enrolment - Search for course produces error
MDL-55707 - Bugfix: Possible to get in "recalculating grades" infinite loop
MDL-55292 - Include tideways profiler along with xhprof for PHP7 profiling
MDL-54892 - Uninstall scheduled tasks when plugin is uninstalled
MDL-22183 - Prevent stats from running later and later - use scheduled task time only
MDL-47371 - Bugfix: The character & is displayed as " & amp ; " in book module
MDL-52544 - Resolved problems of Oracle driver in PHP7 environment
MDL-55246 - Bugfix: Unoconv fails on files with spaces in the name.
MDL-51078 - Add "All changes" option to the Action selector in report_log (was present in 2.6 and removed in 2.7+)
MDL-52105 - Remove CAP_PROHIBIT in manager role for capability 'enrol/self:holdkey'
MDL-54847 - Allow students to insert HTML audio and video tags
MDL-55273 - Default setting for cookiesecure should be on
MDL-55520 - Assignment module no longer resets max grade to 100 during module editing
MDL-55245 - Attempting to select text in PDF annotation comments drags the comment box
Changes to squid-3.5.21 (08 Sep 2016):
- Bug 4563: duplicate code in httpMakeVaryMark
- Bug 4542: authentication credentials IP TTL updated incorrectly
- Bug 4534: assertion failure in xcalloc when using many cache_dir
- Bug 4428: mal-formed Cache-Control:stale-if-error header
- Bug 3025: Proxy-Authenticate problem using ICAP server
- Fix segfault via Ftp::Client::readControlReply()
- Fix SSL-Bump failure results in SEGFAULT
- HTTP/1.1: MUST always revalidate Cache-Control:no-cache responses
- HTTP/1.1: do not allow Proxy-Connection to override Connection header
- SSL: CN wildcard must only match a single domain component [fragment]
Change requested by Frederic Cambus.
There were multiple variables set from before the egg/distutils files
were improved years ago, which are now redundant. Separate
pyversion.mk, application.mk and egg.mk settings.
(This commit has no functional change.)