spz [Sun, 4 Oct 2009 13:27:51 +0000]
pullup #2908
spz [Sun, 4 Oct 2009 13:26:13 +0000]
Pullup ticket 2908 - requested by tron
security update
Revisions pulled up:
- pkgsrc/www/apache22/Makefile by patch to 1.52
- pkgsrc/www/apache22/distinfo by patch to 1.27
- pkgsrc/www/apache22/patches/patch-ab by patch to 1.14
Files removed:
pkgsrc/www/apache22/patches/patch-av
pkgsrc/www/apache22/patches/patch-ba
pkgsrc/www/apache22/patches/patch-bb
The patches update the package to the state in HEAD.
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Sun Oct 4 12:21:35 UTC 2009
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
pkgsrc/www/apache22/patches: patch-ab
Log Message:
Add patch from the Apache SVN repository to the vulnerability reported
in CVE-2009-3095.
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/apache22/patches/patch-ab
tron [Fri, 2 Oct 2009 10:06:59 +0000]
Pullup tickets #2904, #2906 and #2906.
tron [Fri, 2 Oct 2009 10:04:31 +0000]
Pullup ticket #2906 - requested by taca
drupal6-translations: match update of "drupal6" package
Revisions pulled up:
- www/drupal6-translations/Makefile 1.12
- www/drupal6-translations/PLIST.hr 1.1
- www/drupal6-translations/PLIST.pt-pt 1.3
- www/drupal6-translations/PLIST.uk 1.2
- www/drupal6-translations/distinfo 1.12
- www/drupal6-translations/options.mk 1.9
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Sep 29 13:47:03 UTC 2009
Modified Files:
pkgsrc/www/drupal6-translations: Makefile PLIST.uk distinfo options.mk
Added Files:
pkgsrc/www/drupal6-translations: PLIST.hr PLIST.pt-pt
Log Message:
Update www/drupal6-translations package to
20090926.
* Add Croatian(hr)
* Update Catalan(ca), German(de), Greek(el), Hungarian(hu), Italian(it),
Japanese(ja), Dutch(nl), Portuguese(pt-pt), Swedish(sv), Ukrainian(uk)
and Chinese(zh-tw).
tron [Fri, 2 Oct 2009 09:58:32 +0000]
Pullup ticket #2905 - requested by taca
drupal6: security update
Revisions pulled up:
- www/drupal6/Makefile 1.17
- www/drupal6/distinfo 1.13
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Sep 29 13:41:00 UTC 2009
Modified Files:
pkgsrc/www/drupal6: Makefile distinfo
Log Message:
Update www/drupal6 package to fix security problem.
pkgsrc change: add LICENSE.
Drupal 6.14, 2009-09-16
----------------------
- Fixed security issues (OpenID association cross site request forgeries,
OpenID impersonation and File upload), see SA-CORE-2009-008.
- Changed the system modules page to not run all cache rebuilds; use the
button on the performance settings page to achieve the same effect.
- Added support for PHP 5.3.0 out of the box.
- Fixed a variety of small bugs.
tron [Fri, 2 Oct 2009 09:52:28 +0000]
Pullup ticket #2904 - requested by taca
drupal: security update
Revisions pulled up:
- www/drupal/Makefile 1.41
- www/drupal/distinfo 1.32
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Sep 29 13:39:58 UTC 2009
Modified Files:
pkgsrc/www/drupal: Makefile distinfo
Log Message:
Update www/drupal package to 5.20 to fix security problem.
pkgsrc change: add LICENSE.
Drupal 5.20, 2009-09-16
-----------------------
- Avoid security problems resulting from writing Drupal 6-style menu
declarations.
- Fixed security issues (session fixation), see SA-CORE-2009-008.
- Fixed a variety of small bugs.
tron [Wed, 30 Sep 2009 12:20:06 +0000]
Pullup ticket #2903.
tron [Wed, 30 Sep 2009 12:19:49 +0000]
Pullup ticket #2903 - requested by taca
php5: security update
Revisions pulled up:
- lang/php5/Makefile.common 1.37
- lang/php5/Makefile.php 1.36-1.37 via patch
- lang/php5/PLIST 1.24
- lang/php5/distinfo 1.66-1.67 via patch
- lang/php5/patches/patch-ad delete
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Sep 26 05:40:05 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile.common Makefile.php PLIST distinfo
Removed Files:
pkgsrc/lang/php5/patches: patch-ax
Log Message:
Update lang/php5 to 5.2.11, fixing security problem of 5.2.10.
One pkglint warning was fixed, too.
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
17 Sep 2009, PHP 5.2.11
- Fixed certificate validation inside php_openssl_apply_verification_policy.
(Ryan Sleevi, Ilia)
10 Sep 2009, PHP 5.2.11RC3
- Updated timezone database to version 2009.13 (2009m) (Derick)
- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia)
- Fixed bug #49447 (php engine needs to correctly check for socket API return
status on windows). (Sriram Natarajan)
- Fixed bug #48060 (pdo_pgsql - large objects are returned as empty). (Matteo)
03 Sep 2009, PHP 5.2.11RC2
- Added missing sanity checks around exif processing. (Ilia)
- Fixed sanity check for the color index in imagecolortransparent. (Pierre)
- Fixed zlib.deflate compress filter to actually accept level parameter. (Jani)
- Fixed leak on error in popen/exec (and related functions) on Windows.
(Pierre)
- Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries).
(Ilia, code-it at mail dot ru)
- Fixed bug #49289 (bcmath module doesn't compile with phpize configure).
(Jani)
- Fixed bug #49286 (php://input (php_stream_input_read) is broken). (Jani)
- Fixed bug #49269 (Ternary operator fails on Iterator object when used inside
foreach declaration). (Etienne, Dmitry)
- Fixed bug #49236 (Missing PHP_SUBST(PDO_MYSQL_SHARED_LIBADD)). (Jani)
- Fixed bug #49144 (Import of schema from different host transmits original
authentication details). (Dmitry)
- Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including
files from function). (Stas)
- Fixed bug #48696 (ldap_read() segfaults with invalid parameters). (Felipe)
- Fixed bug #47273 (Encoding bug in SoapServer->fault). (Dmitry)
- Fixed bug #28038 (Sent incorrect RCPT TO commands to SMTP server) (Garrett)
13 Aug 2009, PHP 5.2.11RC1
- Fixed regression in cURL extension that prevented flush of data to output
defined as a file handle. (Ilia)
- Fixed memory leak in stream_is_local(). (Felipe, Tony)
- Fixed bug #49372 (segfault in php_curl_option_curl). (Pierre)
- Fixed bug #49132 (posix_times returns false without error).
(phpbugs at gunnu dot us)
- Fixed bug #49125 (Error in dba_exists C code). (jdornan at stanford dot edu)
- Fixed bug #49095 (proc_get_status['exitcode'] fails on win32). (Felipe)
- Fixed bug #49074 (private class static fields can be modified by using
reflection). (Jani)
- Fixed bug #49072 (feof never returns true for damaged file in zip). (Pierre)
- Fixed bug #49052 (context option headers freed too early when using
--with-curlwrappers). (Jani)
- Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference).
(Jani)
- Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions). (Ilia)
- Fixed bug #48994 (zlib.output_compression does not output HTTP headers when
set to a string value). (Jani)
- Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
- Fixed bug #48962 (cURL does not upload files with specified filename).
(Ilia)
- Fixed bug #48929 (Double \r\n after HTTP headers when "header" context
option is an array). (David Z762 (IPv6 address filter still rejects valid address). (Felipe)
- Fixed bug #48733 (CURLOPT_WRITEHEADER|CURLOPT_FILE|CURLOPT_STDERR warns on
files that have been opened with r+). (Ilia)
- Fixed bug #48732 (TTF Bounding box wrong for letters below baseline).
(Takeshi Abe)
- Fixed bug #48718 (FILTER_VALIDATE_EMAIL does not allow numbers in domain
components). (Ilia)
- Fixed bug #48709 (metaphone and 'wh'). (brettz9 at yahoo dot com, Felipe)
- Fixed bug #48697 (mb_internal_encoding() value gets reset by parse_str()).
(Moriyoshi)
- Fixed bug #48693 (Double declaration of __lambda_func when lambda wrongly
formatted). (peter at lvp-media dot com, Felipe)
- Fixed bug #48661 (phpize is broken with non-bash shells). (Jani)
- Fixed bug #48645 (mb_convert_encoding() doesn't understand hexadecimal
html-entities). (Moriyoshi)
- Fixed bug #48637 ("file" fopen wrapper is overwritten when using
--with-curlwrappers). (Jani)
- Fixed bug #48636 (Error compiling of ext/date on netware). (guenter at
php.net, Ilia)
- Fixed bug #48629 (get_defined_constants() ignores categorize parameter).
(Felipe)
- Fixed bug #48619 (imap_search ALL segfaults). (Pierre)
- Fixed bug #48608 (Invalid libreadline version not detected during configure).
(Jani)
- Fixed bug #48555 (ImageFTBBox() differs from previous versions for texts
with new lines) (Takeshi Abe)
- Fixed bug #48539 (pdo_dblib fails to connect, throws empty PDOException
"SQLSTATE[] (null)"). (Felipe)
- Fixed bug #48465 (sys_get_temp_dir() possibly inconsistent when using
TMPDIR). (Ilia)
- Fixed bug #48450 (Compile failure under IRIX 6.5.30 building gd.c). (Kalle)
- Fixed bug #48400 (imap crashes when closing stream opened with
OP_PROTOTYPE flag). (Jani)
- Fixed bug #48284 (hash "adler32" byte order is reversed). (Scott)
- Fixed bug #48276 (date("Y") on big endian machines produces the
wrong result). (Scott)
- Fixed bug #48247 (Infinite loop and possible crash during startup with
errors when errors are logged). (Jani)
- Fixed bug #48116 (Fixed build with Openssl 1ImageLine w/ antialias = 1px shorter). (wojjie at gmail dot
com, Kalle)
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Sep 26 07:35:31 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile.php distinfo
Log Message:
Update suhosin patch to 5.2.11, too.
tron [Mon, 28 Sep 2009 09:57:22 +0000]
Pullup ticket #2901.
tron [Mon, 28 Sep 2009 09:57:01 +0000]
Pullup ticket #2901 - requested by ahoka
vlc: security update
Revisions pulled up:
- multimedia/vlc/Makefile 1.83
- multimedia/vlc/PLIST 1.32
- multimedia/vlc/distinfo 1.32
- multimedia/vlc/patches/patch-aa 1.10
- multimedia/vlc/patches/patch-configure 1.4
---
Module Name: pkgsrc
Committed By: ahoka
Date: Thu Sep 24 22:14:58 UTC 2009
Modified Files:
pkgsrc/multimedia/vlc: Makefile PLIST distinfo
pkgsrc/multimedia/vlc/patches: patch-aa patch-configure
Log Message:
Changes between 1.0.1 and 1.0.2:
--------------------------------
Decoders:
* Native support for WMA Professional, without the use of the Win32 dlls
* Fix issues in subtitles, especially SSA ones
* Various fixes on theora and ogg
Demuxers:
* Various fixes for EPG support in MPEG-TS demuxer
* Fixes for potential stack overflow in .avi, .mp4 and .asf demuxers
Access:
* Fixes for v4l2 devices
* Fixes for dvb-c channels-scanning
Qt Interface:
* Fix some playlist sorting issues
Mac OS X Interface:
* Fixed a crash when updating VLC
* Fixed a crash related to QTKit when opening video files (10.6 only)
* Added the ability to play 2nd media in sync to the primary item (input-slave)
* Added the "Quit after Playback" feature
Mac OS X Port:
* The "Delete Preferences" script is now delivered as a Universal Binary
with native code for PowerPC, Intel and Intel 64bit
* Full 64bit runtime compatibility on both Mac OS X 10.5 and 10.6
- no support for Goom and SDL
- limited text rendering support
- This port is still considered as EXPERIMENTAL despite its binary release.
Encoders:
* MPEG2 transrate stream output removed
* x264 default-values closer to x264.exe defaults.
* x264 rc-behaviour fixes:
- if user defines qp-value, CQP-mode is used
- otherwise if user defines vb=0, CRF-mode is used
- otherwise ABR-mode is used
* x264 set vbv-bufsize/vbv-maxsize better if user hasn't defined these:
- ABR mode set vbv-max-bitrate=bitrate
- vbv-bufsize is bitrate * seconds between keyframes (keyint/fps)
Playlist:
* Lua scripts for Mpora and Vimeo playback
Unix builds:
* Various fixes to enable 1.0 to build on Solaris and OpenBSD
spz [Mon, 28 Sep 2009 08:09:34 +0000]
pullup #2902
spz [Mon, 28 Sep 2009 08:08:31 +0000]
Pullup ticket 2902 - requested by tron
security patch
Revisions pulled up:
- pkgsrc/multimedia/ffmpeg/Makefile by patch
- pkgsrc/multimedia/ffmpeg/distinfo by patch
- pkgsrc/multimedia/ffmpeg/options.mk by patch
- pkgsrc/multimedia/ffmpeg/patches/patch-bktr by patch
- pkgsrc/multimedia/ffmpeg/patches/patch-configure by patch
Files added:
pkgsrc/multimedia/ffmpeg/patches/patch-aa 1.9
pkgsrc/multimedia/ffmpeg/patches/patch-ab 1.6
pkgsrc/multimedia/ffmpeg/patches/patch-powerpc 1.6
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Sep 25 11:10:21 UTC 2009
Modified Files:
pkgsrc/multimedia/ffmpeg: Makefile distinfo
Added Files:
pkgsrc/multimedia/ffmpeg/patches: patch-ab
Log Message:
Add patch from ffmpeg GIT repository to fix the vulnerability
reported in SA36760.
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/multimedia/ffmpeg/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/multimedia/ffmpeg/distinfo
cvs rdiff -u -r0 -r1.6 pkgsrc/multimedia/ffmpeg/patches/patch-ab
spz [Thu, 24 Sep 2009 11:53:35 +0000]
pullup #2900
spz [Thu, 24 Sep 2009 11:51:47 +0000]
Pullup ticket 2900 - requested by jun
build fix for mips
Revisions pulled up:
- pkgsrc/editors/emacs/distinfo by patch
- pkgsrc/editors/emacs/patches/patch-ab by patch
Files added:
pkgsrc/editors/emacs/patches/patch-aw by patch
pkgsrc/editors/emacs/patches/patch-ax by patch
package revision doesn't bump because the change only impacts mips
architecture, where it wouldn't properly build before.
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: jun
Date: Mon Sep 21 10:10:58 UTC 2009
Modified Files:
pkgsrc/editors/emacs22: distinfo
Added Files:
pkgsrc/editors/emacs22/patches: patch-ax
Log Message:
compile enable on mips ports.
adviced and patches from tsutsui-san on [netbsd,09810].
tested on hpcmips-current.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/editors/emacs22/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/editors/emacs22/patches/patch-ax
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: jun
Date: Sun Sep 13 02:12:28 UTC 2009
Modified Files:
pkgsrc/editors/emacs22: Makefile distinfo
pkgsrc/editors/emacs22/patches: patch-ab
Log Message:
change patch-ab:
add mips config to configure
Bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/editors/emacs22/Makefile \
pkgsrc/editors/emacs22/distinfo
cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/editors/emacs22/patches/patch-ab
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: jun
Date: Sun Sep 13 01:26:34 UTC 2009
Modified Files:
pkgsrc/editors/emacs22/patches: patch-aw
Log Message:
Fit for mips, change fix from emacs23:
http://cvs.savannah.gnu.org/viewvc/emacs/configure.in?root=emacs&r1=1.602&r2=1.603
adviced by obata-san,[netbsd,09792]
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/editors/emacs22/patches/patch-aw
spz [Wed, 23 Sep 2009 13:28:08 +0000]
pullup #2899
spz [Wed, 23 Sep 2009 12:47:13 +0000]
Pullup ticket 2899 - requested by tron
security update
Revisions pulled up:
- pkgsrc/net/wireshark/Makefile by patch
- pkgsrc/net/wireshark/PLIST by patch
- pkgsrc/net/wireshark/distinfo by patch
Module Name: pkgsrc
Committed By: tron
Date: Sat Sep 19 06:36:19 UTC 2009
Modified Files:
pkgsrc/net/wireshark: Makefile PLIST distinfo
Log Message:
Update "wireshark" package to version 1.2.2. Changes since version 1.2.1:
- The following vulnerabilities have been fixed. See the security
advisory for details and a workaround.
- The GSM A RR dissector could crash.
Versions affected: 1.2.0 to 1.2.1
- The OpcUa dissector could use excessive CPU and memory.
Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
- The TLS dissector could crash on some platforms.
Versions affected: 1.2.0 to 1.2.1
- The following bugs have been fixed:
- The "Capture->Interfaces" window can't be closed. (Bug 1740)
- tshark-1.0.2 (dumpcap) signal abort core saved. (Bug 2767)
- Memory leak fixes. (Bug 3330)
- Display filter autocompletion doesn't work for some RADIUS and
WiMAX ASNCP fields. (Bug 3538)
- Wireshark Portable includes wrong WinPcap installer. (Bug
3547)
- Crash when loading a profile. (Bug 3640)
- The proto,colinfo tap doesn't work if the INFO column isn't
being printed. (Bug 3675)
- Flow Graph adds too much unnecessary garbage. (Bug 3693)
- The EAP Diameter dictionary file was missing in the
distribution. (Bug 3761)
- Graph analysis window is behind other window. (Bug 3773)
- IKEv2 Cert Request payload dissection error. (Bug 3782)
- DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified
domain-name. (Bug 3792)
- Malformed RTCP Packet error while sending Payload specific
RTCP feedback packet( as per RFC 4585). (Bug 3800)
- 802.11n Block Ack packet Bitmap field missing. (Bug 3806)
- Wireshark doesn't decode WBXML/ActiveSync information
correctly. (Bug 3811)
- Malformed packet when IPv6 packet has Next Header =3D=3D 59. (Bug
3820)
- Wireshark could crash while reading an ERF file. (Bug 3849)
- Minor errors in gsm rr dissectors. (Bug 3889)
- WPA Decryption Issues. (Bug 3890)
- GSM A RR sys info dissection problem. (Bug 3901)
- GSM A RR inverts MEAS-VALID values. (Bug 3915)
- PDML output leaks ~300 bytes / packet. (Bug 3913)
- Incorrect station identifier parsing in Kingfisher dissector.
(Bug 3946)
- DHCPv6, Vendor-Specific Informantion, SubOption"Option
Request" parser incorrect. (Bug 3987)
- Wireshark could leak memory while analyzing SSL.
- Wireshark could crash while updating menu items after reading
a file in some cases.
- The Mac OS X ChmodBPF script now works correctly under Snow
Leopard.
- Updated Protocol Support
DCERPC, DHCPv6, DNS, E.212, GSM A RR, GTPv2, H.248, IEEE 802.11,
IPMI, ISAKMP/IKE, ISUP, Kingfisher, LDAP, OpcUA, RTCP, SCTP, SIP,
SSL, TCP, WBXML, ZRTP
- Updated Capture File Support
ERF
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 pkgsrc/net/wireshark/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/wireshark/PLIST
cvs rdiff -u -r1.23 -r1.24 pkgsrc/net/wireshark/distinfo
tron [Wed, 16 Sep 2009 18:01:32 +0000]
Pullup ticket #2897 - requested by ghen
seamonkey-gtk1: package list fix
Revisions pulled up:
- www/seamonkey-gtk1/Makefile 1.22
- www/seamonkey-gtk1/PLIST 1.12
---
Module Name: pkgsrc
Committed By: ghen
Date: Wed Sep 16 16:44:44 UTC 2009
Modified Files:
pkgsrc/www/seamonkey-gtk1: Makefile PLIST
Log Message:
Get the PLIST completely straight (sorry, forgot about it when committing
www/seamonkey). Bump PKGREVISION.
tron [Wed, 16 Sep 2009 12:59:22 +0000]
Pullup tickets #2895, #2896, #2897 and #2898.
tron [Wed, 16 Sep 2009 12:56:33 +0000]
Pullup ticket #2897 - requested by ghen
seamonkey-bin: security update
seamonkey-gtk: security update
seamonkey: security update
Revisions pulled up:
- www/seamonkey-bin/Makefile 1.31
- www/seamonkey-bin/distinfo 1.27
- www/seamonkey-gtk1/Makefile 1.21
- www/seamonkey-gtk1/PLIST 1.11
- www/seamonkey/Makefile 1.28
- www/seamonkey/Makefile-seamonkey.common 1.27
- www/seamonkey/PLIST 1.18
- www/seamonkey/distinfo 1.42
- www/seamonkey/patches/patch-ba 1.3
- www/seamonkey/patches/patch-br 1.3
- www/seamonkey/patches/patch-dk 1.2
- www/seamonkey/patches/patch-dm delete
- www/seamonkey/patches/patch-dy delete
- www/seamonkey/patches/patch-dz delete
- www/seamonkey/patches/patch-ed 1.1
---
Module Name: pkgsrc
Committed By: ghen
Date: Tue Sep 15 09:26:07 UTC 2009
Modified Files:
pkgsrc/www/seamonkey: Makefile Makefile-seamonkey.common PLIST distinfo
pkgsrc/www/seamonkey-bin: Makefile distinfo
pkgsrc/www/seamonkey-gtk1: Makefile
pkgsrc/www/seamonkey/patches: patch-ba patch-br patch-dk
Added Files:
pkgsrc/www/seamonkey/patches: patch-ed
Removed Files:
pkgsrc/www/seamonkey/patches: patch-dm patch-dy patch-dz
Log Message:
Update seamonkey, seamonkey-bin and seamonkey-gtk1 to Seamonkey 1.1.18.
Security fixes in this version:
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication
For more info, see http://www.seamonkey-project.org/releases/seamonkey1.1.18/
---
Module Name: pkgsrc
Committed By: he
Date: Wed Sep 16 09:28:59 UTC 2009
Modified Files:
pkgsrc/www/seamonkey-gtk1: PLIST
Log Message:
Sync PLIST with what's actually being installed.
No version bump since this is merely a cleanup, and doesn't
actually change what's installed.
tron [Wed, 16 Sep 2009 10:54:23 +0000]
Pullup ticket #2896 - requested by ghen
dovecot-sieve: security update
Revisions pulled up:
- mail/dovecot-sieve/Makefile 1.4
- mail/dovecot-sieve/distinfo 1.4
- mail/dovecot-sieve/patches/patch-aa 1.3
---
Module Name: pkgsrc
Committed By: ghen
Date: Mon Sep 14 06:10:48 UTC 2009
Modified Files:
pkgsrc/mail/dovecot-sieve: Makefile distinfo
pkgsrc/mail/dovecot-sieve/patches: patch-aa
Log Message:
Dovecot CMU Sieve plugin 1.1.7 fixes some buffer overflow vulnerabilities,
see: http://www.dovecot.org/list/dovecot-news/2009-September/000135.html
Other changes not listed.
tron [Wed, 16 Sep 2009 10:48:30 +0000]
Pullup ticket #2895 - requested by ghen
dovecot: security update
Requested revisions:
- mail/dovecot/Makefile 1.136,1.138-1.139
- mail/dovecot/distinfo 1.101-1.103
- mail/dovecot/patches/patch-ai delete
---
odule Name: pkgsrc
Committed By: ghen
Date: Mon Jul 13 08:00:11 UTC 2009
Modified Files:
pkgsrc/mail/dovecot: Makefile distinfo
Removed Files:
pkgsrc/mail/dovecot/patches: patch-ai
Log Message:
Update to Dovecot 1.1.17. manu's patch-ai has been included upstream.
- IMAP: Don't crash if IDLE command is pipelined after a long-running
UID FETCH or UID SEARCH.
- IMAP: Some FETCH command parameters were broken with in some OSes.
- mbox: New mailboxes were created with UIDVALIDITY 1.
- mbox: Don't write garbage to mbox if message doesn't have a body.
- Maildir: Fixed using in-memory indexes when some required directory
was missing.
- auth: Don't assert-crash if trying to log in as master user but
with empty login username.
- Transaction log dotlocking ignored mail_nfs_index and
dotlock_use_excl settings.
- convert plugin / convert-tool: Fixed changing hierarchy separators
in mailbox names when alt_hierarchy_char isn't set.
- Several fixes to expire plugin / expire-tool
- zlib: Give better error messages on failures.
---
Module Name: pkgsrc
Committed By: ghen
Date: Tue Aug 11 11:33:58 UTC 2009
Modified Files:
pkgsrc/mail/dovecot: Makefile distinfo
Log Message:
Update to Dovecot 1.1.18.
+ dovecot -n/-a now outputs also lda settings.
- Maildir++ quota: Quota was sometimes updated wrong when it was
being recalculated.
- Searching quoted-printable message body internally converted "_"
characters to spaces and didn't match search keys with "_".
- Messages in year's first/last day may have had broken timezones
with OSes not having struct tm->tm_gmtoff (e.g. Solaris).
---
Module Name: pkgsrc
Committed By: ghen
Date: Mon Sep 14 06:09:08 UTC 2009
Modified Files:
pkgsrc/mail/dovecot: Makefile distinfo
Log Message:
Update to Dovecot 1.1.19.
- file_set_size() was broken with OSes that didn't support posix_fallocate()
(almost everyone except Linux), causing all kinds of index file errors.
- ldap: Fixed hang when >128 requests were sent at once.
- Fixed a crash in saving messages where message contained a CR character t=
hat
wasn't followed by LF (and the CR happened to be the last character in an
internal buffer).
- deliver: Don't send rejects to any messages that have Auto-Submitted head=
er.
This avoids emails loops.
- Message decoding fixes (mainly for IMAP SEARCH, Sieve).
tron [Wed, 16 Sep 2009 10:31:58 +0000]
Pullup ticket #2898 - requested by spz
rt3: security update
Revisions pulled up:
- devel/rt3/Makefile 1.38-1.39
- devel/rt3/Makefile.install 1.13
- devel/rt3/distinfo 1.13
---
Module Name: pkgsrc
Committed By: spz
Date: Wed Jul 29 05:25:34 UTC 2009
Modified Files:
pkgsrc/devel/rt3: Makefile Makefile.install
Log Message:
where env PATH is being set for security reasons, have it include $PREFIX/bin
pointed out by "Peter C. Lai" <peter%simons-rock.edu@localhost> fixes PR 41571
---
Module Name: pkgsrc
Committed By: spz
Date: Tue Sep 15 23:15:58 UTC 2009
Modified Files:
pkgsrc/devel/rt3: Makefile distinfo
Log Message:
security update (lesser impact) to version 3.8.5
spz [Tue, 15 Sep 2009 13:33:32 +0000]
pullups 2893 and 2894
spz [Tue, 15 Sep 2009 13:32:04 +0000]
Pullup ticket 2894 - requested by tron
security update
Revisions pulled up:
- pkgsrc/www/neon/Makefile by patch
- pkgsrc/www/neon/PLIST by patch
- pkgsrc/www/neon/distinfo by patch
Files added:
pkgsrc/www/neon/patches/patch-ab by patch
Module Name: pkgsrc
Committed By: tron
Date: Mon Sep 14 16:48:44 UTC 2009
Modified Files:
pkgsrc/www/neon: Makefile PLIST distinfo
pkgsrc/www/neon/patches: patch-ab
Removed Files:
pkgsrc/www/neon/patches: patch-aa
Log Message:
Update "neon" package to version 0.29. Changes since version 0.28.5:
* Interface changes:
o none, API and ABI backwards-compatible with 0.28.x and 0.27.x
* New interfaces and features:
o added NTLM auth support for Unix builds (Kai Sommerfeld,
Daniel Stenberg)
o ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
o added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
o added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(),
and ne_session.h:ne_session_socks_proxy()
o added support for system-default proxies: ne_session_system_proxy(),
implemented using libproxy where available
o ne_session.h: added NE_SESSFLAG_EXPECT100 session flag,
SSL verification failure bits extended by NE_SSL_BADCHAIN and
NE_SSL_REVOKED, better handling of failures within the cert chain
(thanks to Ludwig Nussel)
o ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(),
ne_iaddr_raw(), ne_iaddr_parse()
o ne_string.h: ne_buffer_qappend(), ne_strnqdup()
* Deprecated interfaces:
o ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
o obsolete feature "NE_FEATURE_SOCKS" now never marked present
* Other changes:
o fix handling of "stale" flag in RFC2069-style Digest auth challenge
o ne_free() implemented as a function on Win32 (thanks to Helge Hess)
o symbol versioning used for new symbols, where supported
o ensure SSL connections are closed cleanly with OpenSSL
o fix build with OpenSSL 1.0 beta
o updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)
* SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat;
could allow a Denial of Service attack by a malicious server.
* SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a
certificate subject name; could allow an undetected MITM attack against
an SSL server if a trusted CA issues such a cert.
Tested by Daniel Horecki with SVN client.
To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 pkgsrc/www/neon/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/neon/PLIST
cvs rdiff -u -r1.20 -r1.21 pkgsrc/www/neon/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/www/neon/patches/patch-aa
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/neon/patches/patch-ab
spz [Tue, 15 Sep 2009 10:26:34 +0000]
Pullup ticket 2893 - requested by tron
security fix
Revisions pulled up:
- pkgsrc/net/wget/Makefile 1.100
- pkgsrc/net/wget/distinfo 1.34
Files added:
pkgsrc/net/wget/patches/patch-aa 1.9
Module Name: pkgsrc
Committed By: tron
Date: Mon Sep 14 12:06:13 UTC 2009
Modified Files:
pkgsrc/net/wget: Makefile distinfo
Added Files:
pkgsrc/net/wget/patches: patch-aa
Log Message:
Add a fix for SA36540 (SSL certificate spoofing vulnerability) taken
from the source repository.
To generate a diff of this commit:
cvs rdiff -u -r1.99 -r1.100 pkgsrc/net/wget/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/net/wget/distinfo
cvs rdiff -u -r0 -r1.9 pkgsrc/net/wget/patches/patch-aa
tron [Mon, 14 Sep 2009 06:33:20 +0000]
Pullup ticket #2891.
tron [Mon, 14 Sep 2009 06:33:02 +0000]
Pullup ticket #2891 - requested by hira
openoffice3: security update
Revisions pulled up:
- misc/openoffice3/Makefile 1.37 via patch
- misc/openoffice3/distinfo 1.21-1.22 via patch
- misc/openoffice3/patches/patch-ga 1.1
- misc/openoffice3/patches/patch-gb 1.1
- misc/openoffice3/patches/patch-gc 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jul 16 10:47:11 UTC 2009
Modified Files:
pkgsrc/misc/openoffice3: distinfo
Added Files:
pkgsrc/misc/openoffice3/patches: patch-ga patch-gb patch-gc
Log Message:
Fix build with getline() in libc.
From http://bugs.gentoo.org/show_bug.cgi?id=
3D270263
via roy
---
Module Name: pkgsrc
Committed By: hira
Date: Sat Aug 29 09:48:54 UTC 2009
Modified Files:
pkgsrc/misc/openoffice3: Makefile distinfo
Log Message:
Update to 3.1.1. This is bug fix release. Add LICENSE to Makefile.
Release notes: http://development.openoffice.org/releases/3.1.1.html
tron [Sun, 13 Sep 2009 22:35:55 +0000]
Pullup ticket #2890.
tron [Sun, 13 Sep 2009 22:32:50 +0000]
Pullup ticket #2890 - requested by hira
openoffice2: security update
Revisions pulled up:
- misc/openoffice2/Makefile 1.74 via patch
- misc/openoffice2/distinfo 1.55 via patch
- misc/openoffice2/patches/patch-ga 1.1
- misc/openoffice2/patches/patch-gb 1.1
- misc/openoffice2/patches/patch-gc 1.1
---
Module Name: pkgsrc
Committed By: hira
Date: Sun Sep 13 03:54:14 UTC 2009
Modified Files:
pkgsrc/misc/openoffice2: Makefile distinfo
Added Files:
pkgsrc/misc/openoffice2/patches: patch-ga patch-gb patch-gc
Log Message:
Update to 2.4.3. This is bug fix release. It fixes the following
security vulnerabilities.
* CVE-2009-0200/CVE-2009-0201: Manipulated Microsoft Word files can
lead to heap overflows and arbitrary code execution
* CVE-2009-2414/CVE-2009-2416: Manipulated XML documents can lead to
arbitrary code execution
Release notes: http://development.openoffice.org/releases/2.4.3.html
- Fix getline() problem (patches from misc/openoffice3/patches).
- Use internal neon (9 patches are required to use external neon).
- Use internal openssl for internal neon.
- Disable VBA extension (enabling this causes build error).
spz [Sun, 13 Sep 2009 15:05:12 +0000]
pullup 2892
spz [Sun, 13 Sep 2009 15:03:36 +0000]
Pullup ticket 2892 - requested by tron
security fix
Revisions pulled up:
- pkgsrc/www/apache22/Makefile by patch
- pkgsrc/www/apache22/distinfo by patch
Files added:
pkgsrc/www/apache22/patches/patch-ab 1.12
Module Name: pkgsrc
Committed By: tron
Date: Sun Sep 13 13:32:50 UTC 2009
Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-ab
Log Message:
Add a fix for the remote Denial of Service vulnerability reported
in CVE-2009-3094.
To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.12 pkgsrc/www/apache22/patches/patch-ab
tron [Sun, 13 Sep 2009 14:58:38 +0000]
Pullup ticket #2889.
tron [Sun, 13 Sep 2009 14:57:36 +0000]
Pullup ticket #2889 - requested by taca
geeklog: security update
Revisions pulled up:
- www/geeklog/Makefile 1.23
- www/geeklog/PLIST 1.10
- www/geeklog/distinfo 1.10
- www/geeklog/patches/patch-aa 1.4
- www/geeklog/patches/patch-aj 1.2
- www/geeklog/patches/patch-ak 1.1
- www/geeklog/patches/patch-al 1.1
- www/geeklog/patches/patch-ba 1.1
- www/geeklog/patches/patch-bb 1.1
- www/geeklog/patches/patch-bc 1.1
- www/geeklog/patches/patch-bd 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Sep 13 01:15:11 UTC 2009
Modified Files:
pkgsrc/www/geeklog: Makefile PLIST distinfo
pkgsrc/www/geeklog/patches: patch-aa patch-aj
Added Files:
pkgsrc/www/geeklog/patches: patch-ak patch-al patch-ba patch-bb
patch-bc patch-bd
Log Message:
Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided
as full release.
And add updated fckeditor for Geeklog.
These updates should fix known security problems, Secunia SA36372.
Jul 30, 2009 (1.5.2sr5)
------------
This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
it was possible to email a story even if you didn't have the permissions to
view it on the site.
tron [Sun, 13 Sep 2009 14:51:48 +0000]
Pullup tickets #2886, #2887 and #2888.
tron [Sun, 13 Sep 2009 14:37:57 +0000]
Pullup ticket #2888 - requested taca
squid27: security patch
Revisions pulled up:
- www/squid27/Makefile 1.8
- www/squid27/distinfo 1.5
- www/squid27/patches/patch-am 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Sep 13 01:00:17 UTC 2009
Modified Files:
pkgsrc/www/squid27: Makefile distinfo
Added Files:
pkgsrc/www/squid27/patches: patch-am
Log Message:
Add CVE-2009-2855 DoS fix from squid's repositry.
Bump PKGREVISION.
tron [Sun, 13 Sep 2009 14:26:46 +0000]
Pullup ticket #2887 - requested by roy
dnsmasq: security update
Revisions pulled up:
- net/dnsmasq/Makefile 1.12
- net/dnsmasq/distinfo 1.11
---
Module Name: pkgsrc
Committed By: roy
Date: Sat Sep 5 21:16:08 UTC 2009
Modified Files:
pkgsrc/net/dnsmasq: Makefile distinfo
Log Message:
Bump to dnsmasq-2.50
Fixes CVE 2009-2957 and CVE 2009-2958
tron [Sun, 13 Sep 2009 14:18:23 +0000]
Pullup ticket 2887 - requested by jnemeth
asterisk16: security update
---
Apply patch to update comms/asterisk16 to version 1.6.0.15:
- 1.6.0.11 was never released
- 1.6.0.12 fixes AST-2009-005 which is a remote DOS issue in SIP
- 1.6.0.13 fixes a bug in 1.6.0.12 security fix
- 1.6.0.14 has additional updates for AST-2009-001 and AST-2009-005 plus
SIP Changes
-----------
* Added a new 'ignoresdpversion' option to sip.conf. When this is enabled
(either globally or for a specific peer), chan_sip will treat any SDP data
it receives as new data and update the media stream accordingly. By
default, Asterisk will only modify the media stream if the SDP session
version received is different from the current SDP session version. This
option is required to interoperate with devices that have non-standard SDP
session version implementations (observed with Microsoft OCS). This option
is disabled by default. In addition, this behavior is automatic when the SDP
received
is in response to a T.38 re-INVITE that Asterisk initiated. In this situation
,
since the call will fail if Asterisk does not process the incoming SDP, Aster
isk
will accept the SDP even if the SDP version number is not properly incremente
d,
but will generate a warning in the log indicating that the SIP peer that sent
the SDP should have the 'ignoresdpversion' option set.
Closed Issues
This is a list of all issues from the issue tracker that were closed by
changes that went into this release.
Category: Addons/General
#15269: [patch] memory leak in asterisk some bug fixing and removing
Redundant condition
Category: Applications/General
#15022: [patch] Language handling for numbers, dates, etc is misbehaving
when utilizing sub-regional languages
Category: Applications/app_chanspy
#15660: ChanSpy "whisper" is broken in 1.4.26
Category: Applications/app_fax
#15355: app_fax does not compile with iaxmodem 1.2.0
#15480: [patch] Not all fixes from #14849 are committed
#15606: app_fax.c is not compiling under OpenBSD
#15610: T.38 re-INVITE received after T.38 already negotiated fails
Category: Applications/app_meetme
#15493: [patch] contrib/scripts/meetme.sql doesn't contain all fields
Category: Applications/app_milliwatt
#15386: [patch] Milliwatt() is off by -11dbm
Category: Applications/app_mixmonitor
#15259: MixMonitor is not releasing the file handle on the recorded file
#15699: [patch] using ast_free instead of mixmonitor_free
Category: Applications/app_queue
#14536: [patch] After a caller is processed by app_queue the queue_log
logs the hangup as TRANSFER
#14631: [patch] Ghost calls with queues and spa942 and 922
#15664: [patch] QUEUE_MEMBER_LIST() returns member names instead of
interfaces
Category: Applications/app_stack
#15557: [patch] Gosub() dequotes once more than Macro()
#15617: [patch] crash in LOCAL() if Gosub stack is allocated but empty
Category: Applications/app_voicemail
#14554: [patch] # for fastforward goes beyond end of message
#14932: [patch] asterisk-1.6.0.9-x86_64 segfaults when leaving a voicemail
internally to another extension
#15331: [patch] Log message does not match conditional check
#15333: [patch] add FILE_STORAGE to Voicemail Build Options
#15720: opendir() return code is not checked in last_message_index()
Category: Applications/app_voicemail/IMAP
#14496: [patch] IMAP crash multiple callers / callers hangup at beep
#14597: greetings can not be retrieved from IMAP
#14950: [patch] Greetings are stored as IMAP messages even when
imapgreetings=no
Category: CDR/General
#15751: [patch] Core dump in ast_bridge_call features.c line 2772
Category: Channels/General
#15330: [patch] Using CHANNEL function from ZOMBIE channel stops Asterisk
#15416: No voice on PRI calls with asterisk 1.4.25 & 26
Category: Channels/chan_dahdi
#13917: [patch] fxo modules incorrectly believes channel is answered, if
telco reverses line polarity at off hook.
#14383: priexclusive parameter ignored if pri = pri_cpe ?
#14434: [patch] Dahdi does not wait for wink on outbound calls before
dialing DTMF with Signalling type = em_w
#14434: [patch] Dahdi does not wait for wink on outbound calls before
dialing DTMF with Signalling type = em_w
#14477: pseudo channel disappears after dahdi restart
#14696: reload in console overwrites priindication=outofband setting
#14726: Conditional compilation of a diagnostic message needs an L
modifier to %d for a 64 bit integer
#15248: [patch] Multiple Groups Not working
#15389: [patch] no audio with SIP call to ISDN PRI, if neither Progress or
Proceeding are received.
#15655: [patch] Dialplan starts execution before call is accepted
Category: Channels/chan_iax2
#15361: [patch] AST-2009-001 breaks IAX2 RFC5456 compliance - Timestamps
in POKE/PONG zero in 2 of 4 Bytes
#15404: [patch] Unrequired Debug Message
Category: Channels/chan_misdn
#11974: external lines connected with message !! Got Busy in Connected
State !?!
#12113: [patch] asterisk crash at reload chan_misdn.so
#14355: [patch] Segfault if you transfer a call into a meetme room
#14692: [patch] ISDN-Transfer causes backcall attempt of attendent phone
Category: Channels/chan_sip/General
#11231: [patch] Many retransmits when chan_sip generates multiple
outstanding requests
#12434: Handle wrong at offer/answer in sdp in media description(m=)
#12869: [patch] 'context' doesn't change when 'sip reload' issued when
driven from realtime
#13432: [patch] outboundproxy=proxy.mmmydomain.net where domain can not be
resolved silently removes the sip section
#13623: Asterisk segfaults when using SIP session timers
#14239: [patch] 491-request pending is sent out of dialog
#14464: [patch] lock during simple call processing
#14575: BYE to 408 Request Timeout
#14659: [patch] MWI NOTIFY contains a wrong URI if Asterisk listens to
non-standard port (5060)
#15213: [patch] asterisk lock in sipsock_read for several seconds and drop
sip packets
#15283: [patch] CLI NOTIFY always tries to use UDP, even if the peer is
connected via TCP
#15345: [patch] SIP deadlock in 1.4 revision 199472
#15349: Deadlock in do_monitor() of chan_sip
#15362: [patch] log message output is truncated
#15376: SIP option (SIP_OPT_ flag) is not handled correctly
#15403: [patch] Session timer is not activated
Category: Channels/chan_sip/Interoperability
#13958: SDP replies incorrect - 'a=inactive' - replied to with
'a=sendrecv'
#14465: [patch] Incorrect From: header information when
CALLERPRES=PRES_PROHIB
#14584: [patch] Asterisk does not stop retransmission
#14725: Asterisk doesn't add Route headers in NOTIFY when the SUBSCRIBE
came from a proxy
#15158: [patch] Message: "Unable to handle indication 3"
Revision: 200362
#15442: [patch] Asterisk cannot handle SIP 183 "Session Progress" if no
SDP is contained in it
Category: Channels/chan_sip/Registration
#14344: [patch] Outbound proxy not used for registrations
#14366: [patch] Registration expiry not compatible with some ITSP
#15102: [patch] Registration Deadlock between Asterisk and Polycom
Soundpoint IP 450
#15539: [patch] Register request line contains wrong address when domain
and registrar host differ
Category: Channels/chan_sip/T.38
#14849: [patch] SendFax function not working as expected on > 1.6.0.7
#15182: [patch] T.38 invite does not always comply with RFC 2327
Category: Channels/chan_sip/TCP-TLS
#13865: [patch] SIP/TLS enabled - just one call possible - 481
Call/Transaction Does Not Exist
#14452: in "_sip_tcp_helper_thread" Buffer is filled with dirty bytes
Category: Channels/chan_sip/Video
#15121: [patch] Video support in SIP channel driver appears to be totally
broken
Category: Core/BuildSystem
#15697: most cleaner alaw don't compile
#15698: [patch] If enable DEBUG_FD_LEAKS - h323 can't start.
#15714: [patch] Asterisk won't build with curl unless curl_config is
present
Category: Core/Channels
#14723: ERROR[5003]: channel.c:2043 __ast_read: ast_read() called with no
recorded file descriptor.
Category: Core/Configuration
#14509: [patch] users.conf (and other .conf files) have incorrect
whitespacing
Category: Core/General
#14730: [patch] Fix runlevels in Debian rc files
#15273: [patch] german time (20:01:00 oh clock) is announced wrong
#15649: T38 Faxing failing on 1.6.1 svn
#15667: LOGGER WARNING : error executing after rotate
Category: Core/Internationalization
#15346: [patch] TW is not an ISO Language Code
Category: Core/ManagerInterface
#15397: [patch] segfault in action_coreshowchannels() at manager.c
Category: Core/PBX
#15057: [patch] hints with 2+ devices that include ONHOLD are often set
wrong
#15242: [patch] log does not indicate which function is missing closing
parenthesis
#15303: new_find_extension arguments in wrong order
Category: Documentation
#15518: iax.conf, IP-based access control
#15755: Description in queues.conf on call recording is slightly
misleading
Category: Functions/func_callerid
#15476: callerid(num) is wrong when username is missing
Category: Functions/func_devstate
#15413: [patch] Mapping of extension state to device state is incorrect
Category: Functions/func_iconv
#15169: When building with uClibc, configure script mistakenly assumes
iconv is always available
Category: Functions/func_realtime
#15517: [patch] memory leak in func_realtime
Category: Functions/func_uri
#15439: [patch] URIENCODE() throws a warning when passed an empty string
Category: General
#15420: [patch] No audio on calls from asterisk sip phones to nortel set
until dtmf from sip phone
#15571: [patch] 'received' typos in trunk, in 6 files
#15595: [patch] fix spelling for typos, mainly in comments.
#15595: [patch] fix spelling for typos, mainly in comments.
Category: PBX/pbx_dundi
#15322: [patch] DUNDILOOKUP() does not accept comma as argument separator
Category: Resources/res_config_ldap
#13725: [patch] ERROR[7387]: res_config_ldap.c:1292 update_ldap: Couldn't
modify dn:cn=1001,dc=xxx,dc=xxx because Invalid syntax
#15710: Typo in LDAP schema files on line 598
Category: Resources/res_features
#13794: [patch] CDR for picked up parked call gives answer time < start
time and no record for parking
Category: Resources/res_musiconhold
#15051: [patch] Moh class set in the dialplan is ignored with realtime moh
----------------------------------------------------------------------
Commits Not Associated with an Issue
This is a list of all changes that went into this release that did not
directly close an issue from the issue tracker. The commits may have been
marked as being related to an issue. If that is the case, the issue
numbers are listed here, as well.
+------------------------------------------------------------------------+
| Revision | Author | Summary | Issues |
| | | | Referenced |
|----------+------------+-----------------------------------+------------|
| 199142 | dvossel | Additional updates to | |
| | | AST-2009-001 | |
|----------+------------+-----------------------------------+------------|
| | | __WORDSIZE is not available on | |
| 199858 | seanbright | all platforms, so use sizeof(void | |
| | | *) instead. | |
|----------+------------+-----------------------------------+------------|
| | | The 1.6.0 branch was missing all | |
| 199975 | mmichelson | invite_branch logic. It has now | |
| | | been added. | |
|----------+------------+-----------------------------------+------------|
| 200040 | lmadsen | Fix path for .flavor and .version | #14737 |
|----------+------------+-----------------------------------+------------|
| 200149 | mmichelson | Fix a crash due to a potentially | |
| | | NULL p->options. | |
|----------+------------+-----------------------------------+------------|
| | | Fix all of the parallel build | |
| 200228 | seanbright | warnings issued when running make | |
| | | -j#. | |
|----------+------------+-----------------------------------+------------|
| | | Add INFO to our allowed methods | |
| 200515 | mmichelson | so that endpoints know they may | |
| | | send it to us. | |
|----------+------------+-----------------------------------+------------|
| 200729 | kpfleming | Document the new automatic | |
| | | 'ignoresdpversion' behavior. | |
|----------+------------+-----------------------------------+------------|
| | | Ensure that configure-script | |
| 200767 | kpfleming | testing for compiler attributes | |
| | | actually works. | |
|----------+------------+-----------------------------------+------------|
| | | Fix problems with new compiler | |
| 200986 | kpfleming | attribute checking in configure | |
| | | script. | |
|----------+------------+-----------------------------------+------------|
| | | Improve support for media paths | |
| 201093 | kpfleming | that can generate multiple frames | |
| | | at once. | |
|----------+------------+-----------------------------------+------------|
| | | fix issue with build_contact | |
| 201226 | dvossel | introduced by the "SIP trasnport | |
| | | type issues" commit | |
|----------+------------+-----------------------------------+------------|
| | | Correct AST_LIST_APPEND_LIST | |
| 201263 | kpfleming | behavior when list to be appended | |
| | | is empty. | |
|----------+------------+-----------------------------------+------------|
| | | Change the datastore traversal in | |
| 201459 | mmichelson | ast_do_masquerade to use a safe | |
| | | list traversal. | |
|----------+------------+-----------------------------------+------------|
| 201463 | mmichelson | Fix problem with no audio due to | |
| | | ignoring the SDP. | |
|----------+------------+-----------------------------------+------------|
| | | Fix memory corruption and leakage | #15109, |
| 201612 | russell | related reloads of non files mode | #15123, |
| | | MoH classes. | #15195 |
|----------+------------+-----------------------------------+------------|
| | | One of the changes in 1.6.1 was | |
| 201786 | tilghman | to allow app_directory to use | |
| | | functionality | |
|----------+------------+-----------------------------------+------------|
| 201830 | tilghman | If the "h" extension fails, give | |
| | | it another chance in main/pbx.c. | |
|----------+------------+-----------------------------------+------------|
| | | Added deadlock protection to | |
| 202006 | mnicholson | try_suggested_sip_codec in | |
| | | chan_sip.c. | |
|----------+------------+-----------------------------------+------------|
| | | Standardize return values of | |
| 202259 | russell | load_config() so reload() doesn't | |
| | | report an error on success. | |
|----------+------------+-----------------------------------+------------|
| | | Fix possibility of crashiness | |
| 202263 | russell | during reload in custom fields | |
| | | handling. | |
|----------+------------+-----------------------------------+------------|
| 202416 | russell | Make Polycom subscription type | |
| | | override check more explicit. | |
|----------+------------+-----------------------------------+------------|
| | | Fix lock usage in | |
| 202471 | seanbright | cdr_sqlite3_custom to avoid | |
| | | potential crashes during reload. | |
|----------+------------+-----------------------------------+------------|
| 202498 | russell | Report CallerID change during a | |
| | | masquerade. | |
|----------+------------+-----------------------------------+------------|
| | | I could have sworn I committed | |
| 202763 | mattf | this patch ages ago, but... bug | |
| | | fix with setting NAI properly on | |
| | | linksets in certain situations. | |
|----------+------------+-----------------------------------+------------|
| | | Ensure the default settings are | |
| 202926 | file | applied for T.38 when we set it | |
| | | up for a peer. | |
|----------+------------+-----------------------------------+------------|
| | | Use the handy UNLINK macro | |
| 202968 | mmichelson | instead of hand-coding the same | |
| | | thing in-line. | |
|----------+------------+-----------------------------------+------------|
| 203044 | rmudgett | Improved chan_dahdi.conf pritimer | |
| | | error checking. | |
|----------+------------+-----------------------------------+------------|
| 203117 | russell | Resolve a crash related to a T.38 | |
| | | reinvite race condition. | |
|----------+------------+-----------------------------------+------------|
| 203387 | twilson | I didn't see that Mark already | |
| | | fixed the underlying issue! | |
|----------+------------+-----------------------------------+------------|
| 203447 | dvossel | fixes a few redundant conditions | #15269 |
|----------+------------+-----------------------------------+------------|
| | | Improve T.38 negotiation by | |
| 203701 | file | exchanging session parameters | |
| | | between application and channel. | |
|----------+------------+-----------------------------------+------------|
| 203711 | jpeeler | whitespace fix | |
|----------+------------+-----------------------------------+------------|
| | | reverse whitespace change 203711 | |
| | | that was based on looking at | |
| 203717 | jpeeler | sig_analog (which has about a | |
| | | 1000 line indentation change that | |
| | | is not worth doing here) | |
|----------+------------+-----------------------------------+------------|
| | | Fix ast_say_counted_noun to | |
| 204476 | qwell | correctly handle Polish. Fix a | |
| | | comment typo in passing. | |
|----------+------------+-----------------------------------+------------|
| 204652 | dvossel | removes fake dialog_unref and | |
| | | dialog_ref function calls. | |
|----------+------------+-----------------------------------+------------|
| | | Improve handling of | |
| 204949 | kpfleming | AST_CONTROL_T38 and | |
| | | AST_CONTROL_T38_PARAMETERS for | |
| | | non-T.38-capable channels. | |
|----------+------------+-----------------------------------+------------|
| 204980 | tilghman | Restore Hungarian (mistakenly | |
| | | removed during merge) | |
|----------+------------+-----------------------------------+------------|
| | | Move OpenSSL initialization to a | |
| 205139 | russell | single place, make library usage | |
| | | thread-safe. | |
|----------+------------+-----------------------------------+------------|
| 205152 | russell | Use tabs instead of spaces for | |
| | | indentation. | |
|----------+------------+-----------------------------------+------------|
| | | Add redirection warnings for the | |
| 205200 | tilghman | invalid language codes previously | |
| | | removed. | |
|----------+------------+-----------------------------------+------------|
| 205220 | dvossel | ast_samp2tv needs floating point | |
| | | for 16khz audio | |
|----------+------------+-----------------------------------+------------|
| 205224 | tilghman | oops, fixing build | |
|----------+------------+-----------------------------------+------------|
| | | Update config.guess and | |
| 205296 | qwell | config.sub from the | |
| | | savannah.gnu.org git repo. | |
|----------+------------+-----------------------------------+------------|
| 205415 | dvossel | moving ast_devstate_to_extenstate | |
| | | to pbx.c from devicestate.c | |
|----------+------------+-----------------------------------+------------|
| | | pthread_self returns a pthread_t | |
| 205533 | mvanbaak | which is not an unsigned int on | |
| | | all | |
|----------+------------+-----------------------------------+------------|
| 205597 | dvossel | Fixes 8khz assumptions | |
|----------+------------+-----------------------------------+------------|
| 205608 | dvossel | Changing ast_samp2tv to not use | |
| | | floating point. | |
|----------+------------+-----------------------------------+------------|
| 205880 | mmichelson | Fix build. | |
|----------+------------+-----------------------------------+------------|
| 205940 | kpfleming | Update comments about the level | |
| | | of T.38 support in Asterisk. | |
|----------+------------+-----------------------------------+------------|
| 206369 | rmudgett | Fix some memory leaks in | |
| | | chan_misdn. | |
|----------+------------+-----------------------------------+------------|
| 206387 | russell | Ensure apathetic replies are sent | |
| | | out on the proper socket. | |
|----------+------------+-----------------------------------+------------|
| | | Only print debug info in | |
| 206637 | seanbright | codec_dahdi if we are asking for | |
| | | it. | |
|----------+------------+-----------------------------------+------------|
| 206762 | rmudgett | Merged revision 206700 from | |
|----------+------------+-----------------------------------+------------|
| 206871 | dvossel | avoid segfault caused by user | |
| | | error | |
|----------+------------+-----------------------------------+------------|
| 207097 | jpeeler | Update some missing allowed | |
| | | options for overlapdial | |
|----------+------------+-----------------------------------+------------|
| 207286 | rmudgett | | |
|----------+------------+-----------------------------------+------------|
| 207683 | kpfleming | Ensure that user-provided CFLAGS | |
| | | and LDFLAGS are honored. | |
|----------+------------+-----------------------------------+------------|
| 207725 | mmichelson | Document default timeout for AMI | |
| | | originations. | |
|----------+------------+-----------------------------------+------------|
| | | Revert r207636, this approach | |
| 207783 | jpeeler | could potentially block for an | |
| | | unacceptable | |
|----------+------------+-----------------------------------+------------|
| 208316 | mmichelson | Remove inaccurate XXX comment. | |
|----------+------------+-----------------------------------+------------|
| | | Rework of T.38 negotiation and | |
| 208468 | kpfleming | UDPTL API to address | |
| | | interoperability problems | |
|----------+------------+-----------------------------------+------------|
| 208502 | kpfleming | Use correct formatting for T.38 | |
| | | change note in UPGRADE.txt | |
|----------+------------+-----------------------------------+------------|
| | | Resolve a T.38 negotiation issue | |
| 208549 | kpfleming | left over from the udptl-updates | |
| | | merge. | |
|----------+------------+-----------------------------------+------------|
| 208594 | russell | Do not log an ERROR if | |
| | | autoservice_stop() returns -1. | |
|----------+------------+-----------------------------------+------------|
| 208752 | jpeeler | Fix compiling under dev-mode with | |
| | | gcc 4.4.0. | |
|----------+------------+-----------------------------------+------------|
| 208925 | jpeeler | Fix logic errors from 208746 | |
|----------+------------+-----------------------------------+------------|
| | | Restore explicit export of | |
| 209057 | kpfleming | ASTCFLAGS/ASTLDFLAGS and | |
| | | underscore-variants to sub-makes. | |
|----------+------------+-----------------------------------+------------|
| 209061 | dbrooks | Just replacing typos "recieved" | #15360 |
| | | with "received". | |
|----------+------------+-----------------------------------+------------|
| 209259 | kpfleming | Make T.38 switchover in | |
| | | ReceiveFAX synchronous. | |
|----------+------------+-----------------------------------+------------|
| 209280 | kpfleming | Cleanup T.38 negotiation changes. | |
|----------+------------+-----------------------------------+------------|
| 209325 | tilghman | Publish French extra sounds | |
|----------+------------+-----------------------------------+------------|
| 209394 | kpfleming | Correct error in backport of | |
| | | latest app_fax fixes. | |
|----------+------------+-----------------------------------+------------|
| | | Fix some places where | |
| 209712 | russell | ast_event_type was used instead | |
| | | of ast_event_ie_type. | |
|----------+------------+-----------------------------------+------------|
| 209762 | kpfleming | Minor changes inspired by testing | |
| | | with latest GCC. | |
|----------+------------+-----------------------------------+------------|
| 209896 | russell | Resolve a valgrind warning about | #15396 |
| | | a read from uninitialized memory. | |
|----------+------------+-----------------------------------+------------|
| 211114 | russell | Resolve a deadlock involving | |
| | | app_chanspy and masquerades. | |
|----------+------------+-----------------------------------+------------|
| 211276 | tilghman | Small oops. Clear the flags which | |
| | | have been checked. | |
|----------+------------+-----------------------------------+------------|
| 211551 | tilghman | AST-2009-005 | |
|----------+------------+-----------------------------------+------------|
| 211587 | tilghman | Conversion specifiers, not format | |
| | | specifiers | |
|----------+------------+-----------------------------------+------------|
| | | Check an actual populated | |
| 212068 | file | variable when seeing if we need | |
| | | to do video or not. | |
|----------+------------+-----------------------------------+------------|
| | | Ensure that T38FaxVersion is put | |
| 212114 | kpfleming | into outgoing SDP in the proper | |
| | | case. | |
|----------+------------+-----------------------------------+------------|
| 212432 | rmudgett | Fix uninitialized variable. | |
|----------+------------+-----------------------------------+------------|
| 212765 | rmudgett | Removed some deadwood and added | |
| | | some doxygen comments. | |
|----------+------------+-----------------------------------+------------|
| 212926 | kpfleming | Convert this branch to Opsound | |
| | | music-on-hold. | |
|----------+------------+-----------------------------------+------------|
| | | Remove some | |
| 212941 | kpfleming | accidentally-committed | |
| | | properties. | |
|----------+------------+-----------------------------------+------------|
| | | Make autoheader descriptions | |
| 214361 | tilghman | render correctly in our | #14906 |
| | | autoconfig.h file. | |
|----------+------------+-----------------------------------+------------|
| | | One more build system change, to | |
| 214474 | tilghman | make the descriptions look | |
| | | better, if we have better | |
| | | information. | |
+------------------------------------------------------------------------+
- 1.6.0.15 fixes AST-2009-006 which is a remote DOS issue in IAX2
spz [Sun, 13 Sep 2009 11:48:04 +0000]
pullups 2883 and 2886
spz [Sun, 13 Sep 2009 11:46:01 +0000]
Pullup ticket 2883 - requested by tron
security fix
Revisions pulled up:
- pkgsrc/mail/libspf2/Makefile 1.7
- pkgsrc/mail/libspf2/distinfo 1.4
Files added:
pkgsrc/mail/libspf2/patches/patch-aa 1.1
Module Name: pkgsrc
Committed By: tron
Date: Tue Sep 8 10:36:27 UTC 2009
Modified Files:
pkgsrc/mail/libspf2: Makefile distinfo
Added Files:
pkgsrc/mail/libspf2/patches: patch-aa
Log Message:
Fix an abort() caused by miscalculating the size of an internal buffer.
This can crash applications using "libspf2" (e.g. "milter-greylist")
in an e-mail gets delivered via SMTP over IPv6 depending on the
remote machine's IPv6 address.
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/mail/libspf2/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/mail/libspf2/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/mail/libspf2/patches/patch-aa
spz [Sun, 13 Sep 2009 11:38:45 +0000]
Pullup ticket 2886 - requested by drochner
security fix
Revisions pulled up:
- pkgsrc/textproc/expat/Makefile 1.24
- pkgsrc/textproc/expat/distinfo 1.17
Files added:
pkgsrc/textproc/expat/patches/patch-aa 1.7
Module Name: pkgsrc
Committed By: drochner
Date: Thu Sep 10 09:59:21 UTC 2009
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Added Files:
pkgsrc/textproc/expat/patches: patch-aa
Log Message:
fix SA36425: possible DoS due to an error when parsing certain
UTF-8 sequences
(patch from Python CVS)
bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/textproc/expat/distinfo
cvs rdiff -u -r0 -r1.7 pkgsrc/textproc/expat/patches/patch-aa
tron [Fri, 11 Sep 2009 13:44:37 +0000]
Pullup ticket #2885.
tron [Fri, 11 Sep 2009 13:38:53 +0000]
Pullup ticket #2885 - requested by tnn
firefox3: security update
Revisions pulled up:
- www/firefox3/Makefile 1.37
- www/firefox3/distinfo 1.28
---
Module Name: pkgsrc
Committed By: tnn
Date: Thu Sep 10 00:05:21 UTC 2009
Modified Files:
pkgsrc/www/firefox3: Makefile distinfo
Log Message:
Update to firefox3-3.0.14. Bugfix and security release.
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode
characters MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-48 Insufficient warning for PKCS11 module installation and
removal MFSA 2009-47 Crashes with evidence of memory corruption
(rv:1.9.1.3/1.9.0.14)
tron [Sun, 6 Sep 2009 14:31:52 +0000]
Pullup tickets #2881 and #2882.
tron [Sun, 6 Sep 2009 14:31:35 +0000]
Pullup ticket #2882 - requested by jnemeth
asterisk: security update
Revisions pulled up:
- comms/asterisk/Makefile 1.68
- comms/asterisk/PLIST.common 1.17
- comms/asterisk/distinfo 1.44
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Sat Sep 5 01:44:19 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: Makefile PLIST.common distinfo
Log Message:
update to asterisk 1.2.35 which fixes AST-2009-006 -- IAX2 DOS vulnerability
tron [Sun, 6 Sep 2009 13:47:20 +0000]
Pullup ticket #2881 - requested by joerg
pbulk-base: bug fix update
pbulk: bug fix update
Revisions pulled up:
- pkgtools/pbulk-base/Makefile 1.2
- pkgtools/pbulk/Makefile 1.55
- pkgtools/pbulk/files/pbulk/lib/event.c 1.6
- pkgtools/pbulk/files/pbulk/scripts/pkg-build 1.18
--
Module Name: pkgsrc
Committed By: joerg
Date: Sun Aug 23 18:02:04 UTC 2009
Modified Files:
pkgsrc/pkgtools/pbulk-base: Makefile
pkgsrc/pkgtools/pbulk/files/pbulk/lib: event.c
Log Message:
pbulk-base-0.39:
Fix ordering of event handler vs queue modification. This can result in
queue corruption or use after free when the master can't handle a
request before the next arrives. From Matt Dillon.
---
Module Name: pkgsrc
Committed By: joerg
Date: Fri Sep 4 22:06:18 UTC 2009
Modified Files:
pkgsrc/pkgtools/pbulk: Makefile
pkgsrc/pkgtools/pbulk/files/pbulk/scripts: pkg-build
Log Message:
pbulk-0.41:
Create & chown work.log for destdir builds too, as the normal build is
run unprivileged.
spz [Sat, 5 Sep 2009 08:52:22 +0000]
should have been deleted with pullup #2844 already
tron [Tue, 1 Sep 2009 11:54:43 +0000]
Pullup tickets #2879 and #2880.
tron [Tue, 1 Sep 2009 11:54:26 +0000]
Pullup ticket #2880 - requested by tez
htmldoc: security patch
Revisions pulled up:
- www/htmldoc/Makefile 1.27 via patch
- www/htmldoc/distinfo 1.9
- www/htmldoc/patches/patch-ab 1.3
- www/htmldoc/patches/patch-ac 1.1
- www/htmldoc/patches/patch-ad 1.1
---
Module Name: pkgsrc
Committed By: tez
Date: Thu Aug 27 21:51:37 UTC 2009
Modified Files:
pkgsrc/www/htmldoc: Makefile distinfo
Added Files:
pkgsrc/www/htmldoc/patches: patch-ab patch-ac patch-ad
Log Message:
Fix for Secunia Advisory: SA35780
from http://bugs.gentoo.org/attachment.cgi?id=199846
tron [Tue, 1 Sep 2009 11:48:42 +0000]
Pullup ticket #2879 - requested by martti
postfix: bug fix update
Revisions pulled up:
- mail/postfix/Makefile 1.229-1.230
- mail/postfix/distinfo 1.128
---
Module Name: pkgsrc
Committed By: heinz
Date: Sun Aug 9 21:15:31 UTC 2009
Modified Files:
pkgsrc/mail/postfix: Makefile
Log Message:
Enabled installation to DESTDIR. (OK by martti@).
---
Module Name: pkgsrc
Committed By: martti
Date: Mon Aug 31 09:37:35 UTC 2009
Modified Files:
pkgsrc/mail/postfix: Makefile distinfo
Log Message:
Updated mail/postfix to 2.6.5
The stable release Postfix 2.6.5 addresses the defects described
below (some already addressed with the not-announced Postfix 2.6.3
release). These defects are also addressed in the legacy releases
that are still maintained: Postfix 2.5.9, 2.4.13 and 2.3.19.
Do not use Postfix 2.6.4, 2.5.8, 2.4.12, 2.3.18, 2.7-
20090807, and
2.7-
20090807-nonprod. These contain a DNS workaround that causes
more trouble than it prevents. It is removed until further notice.
Defects fixed with Postfix 2.6.3, 2.5.9, 2.4.13 and 2.3.19:
- The Postfix Milter client got out of step with a Milter application
after the application sent a "quarantine" request at end-of-message
time. The Milter application would still be in the end-of-message
state, while Postfix would already be working on the next SMTP
event, typically, QUIT or MAIL FROM. In the latter case, Milter
responses for the previously-received email message would be
applied towards the next MAIL FROM transaction. This problem was
diagnosed with help from Alban Deniz.
Defects fixed with Postfix 2.6.5, 2.5.9, 2.4.13 and 2.3.19:
- The Postfix SMTP server would abort with an "unexpected lookup
table" error when an SMTPD policy server was mis-configured in a
particular way.
spz [Sat, 29 Aug 2009 13:03:16 +0000]
pullup #2875
spz [Sat, 29 Aug 2009 13:02:45 +0000]
Pullup ticket 2875 - requested by tron
security update
Revisions pulled up:
- pkgsrc/mail/squirrelmail/Makefile 1.108
- pkgsrc/mail/squirrelmail/PLIST 1.33
- pkgsrc/mail/squirrelmail/distinfo 1.55
Module Name: pkgsrc
Committed By: tron
Date: Wed Aug 26 12:47:17 UTC 2009
Modified Files:
pkgsrc/mail/squirrelmail: Makefile PLIST distinfo
Log Message:
Update "squirremail" package to version 1.4.20rc2. Changes since 1.4.19:
- Protect message deletion with security token system.
(Secunia Advisory SA346)
- Removed the shut down DSBL blocklists (#2796734).
- Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess
(#2798839).
- Updated INSTALL doc to remove possible bad system admin typos (#2827153).
- PHP 5.3 deprecates ereg functions (#2820952).
- Filters plugin uses badly formatted literals request (#2805201).
- Provide option for complete removal of usernames and user IP addresses
from message headers, and remove personal data from Message ID seed.
(#880029/847107)
- Implemented page referal verification mechanism.
(Secunia Advisory SA34627)
- Implemented security token system. (Secunia Advisory SA34627)
Approved by Martti Kuparinen.
To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.108 pkgsrc/mail/squirrelmail/Makefile
cvs rdiff -u -r1.32 -r1.33 pkgsrc/mail/squirrelmail/PLIST
cvs rdiff -u -r1.54 -r1.55 pkgsrc/mail/squirrelmail/distinfo
spz [Sat, 29 Aug 2009 09:49:54 +0000]
pullup #2874
spz [Sat, 29 Aug 2009 09:49:14 +0000]
Pullup ticket 2874 - requested by tron
security update
Revisions pulled up:
- pkgsrc/security/gnutls/Makefile 1.86
- pkgsrc/security/gnutls/PLIST 1.36
- pkgsrc/security/gnutls/distinfo 1.60
Files added:
pkgsrc/security/gnutls/patches/patch-ak 1.2
pkgsrc/security/gnutls/patches/patch-al 1.2
Module Name: pkgsrc
Committed By: wiz
Date: Sat Jul 18 10:32:32 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
Log Message:
Update to 2.8.1:
* Version 2.8.1 (released 2009-06-10)
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cyc=
le.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.
** API and ABI modifications:
No changes since last version.
To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo
----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Wed Jul 22 16:50:07 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-ak patch-al
Log Message:
disable the openssl compatibility library -- no pkg I know of needs
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)
To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \
pkgsrc/security/gnutls/patches/patch-al
----------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Thu Aug 13 18:56:32 UTC 2009
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
pkgsrc/security/gnutls/patches: patch-ak patch-al
Log Message:
Update to 2.8.3. Changes:
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_sta=
tus.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \
pkgsrc/security/gnutls/patches/patch-al
tron [Fri, 28 Aug 2009 22:18:52 +0000]
Pullup ticket #2878.
tron [Fri, 28 Aug 2009 22:15:55 +0000]
Pullup ticket #2878 - requested by hasso
openexr: security patch
Revisions pulled up:
- graphics/openexr/Makefile 1.22
- graphics/openexr/distinfo 1.13 via patch
- graphics/openexr/patches/patch-ae 1.1
- graphics/openexr/patches/patch-af 1.1
- graphics/openexr/patches/patch-ag 1.1
- graphics/openexr/patches/patch-ah 1.1
- graphics/openexr/patches/patch-ai 1.1
---
Module Name: pkgsrc
Committed By: hasso
Date: Fri Aug 28 21:33:08 UTC 2009
Modified Files:
pkgsrc/graphics/openexr: Makefile distinfo
Added Files:
pkgsrc/graphics/openexr/patches: patch-ae patch-af patch-ag
patch-ah
patch-ai
Log Message:
Add patches for CVE-2009-1720 (multiple integer overflows in OpenEXR) and
CVE-2009-1721 (denial of service (application crash) or possibly execute
arbitrary code in the Imf::hufUncompress function). Bump PKGREVISION.
tron [Fri, 28 Aug 2009 12:37:17 +0000]
Pullup ticket #2877.
tron [Fri, 28 Aug 2009 12:35:45 +0000]
Pullup ticket #2877 - requested by wiz
curl: security update
Revisions pulled up:
- www/curl/Makefile 1.91
- www/curl/distinfo 1.60
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Aug 16 13:47:35 UTC 2009
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Log Message:
Update to 7.19.6:
Version 7.19.6 (12 August 2009)
Daniel Stenberg (12 Aug 2009)
- Carsten Lange reported a bug and provided a patch for TFTP upload and the
sending of the TSIZE option. I don't like fixing bugs just hours before
a release, but since it was broken and the patch fixes this for him I decided
to get it in anyway.
Daniel Stenberg (11 Aug 2009)
- Peter Sylvester made the HTTPS test server use specific certificates for
each test, so that the test suite can now be used to actually test the
verification of cert names etc. This made an error show up in the OpenSSL-
specific code where it would attempt to match the CN field even if a
subjectAltName exists that doesn't match. This is now fixed and verified
in test 311.
- Benbuck Nason posted the bug report #2835196
(http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
warnings when mixing ints and bools.
Daniel Fandrich (10 Aug 2009)
- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
Daniel Fandrich (9 Aug 2009)
- Fixed some memory leaks in the command-line tool that caused most of the
torture tests to fail.
Daniel Stenberg (2 Aug 2009)
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
option for SNI, or are we simply not using it?
Daniel Stenberg (1 Aug 2009)
- Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
verification flaw found and exploited by Moxie Marlinspike. The presentation
he did at Black Hat is available here:
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
Apparently at least one CA allowed a subjectAltName or CN that contain a
zero byte, and thus clients that assumed they would never have zero bytes
were exploited to OK a certificate that didn't actually match the site. Like
if the name in the cert was "example.com\0theatualsite.com", libcurl would
happily verify that cert for example.com.
libcurl now better uses the length of the extracted name, not using the zero
termination for getting the string length.
This fixing only made and needed in OpenSSL interfacing code.
- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
only in some OpenSSL installs - like on Windows) isn't thread-safe and we
agreed that moving it to the global_init() function is a decent way to deal
with this situation.
- Alexander Beedie provided the patch for a noproxy problem: If I have set
CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
could still end up using a proxy if a proxy environment variable was set.
Daniel Stenberg (27 Jul 2009)
- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
send when using FTP, as a sign that libcurl shall simply ignore the response
from the server instead of treating it as an error. Not treating a 400+ FTP
response code as an error means that failed commands will not abort the
chain of commands, nor will they cause the connection to get disconnected.
Daniel Stenberg (26 Jul 2009)
- Johan van Selst posted bug report #2825989
(http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
provided the solution too: to use OpenSSL_add_all_algorithms() in addition
to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
OpenSSL 0.9.5
Daniel Stenberg (23 Jul 2009)
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
They introduce known_host support for SSH keys to libcurl. See docs for
details. Note that this feature depends on a new enough libssh2 version, to
be supported in libssh2 1.2 and later (or current git repo at this time).
Michal Marek (22 Jul 2009)
- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
(https://bugzilla.novell.com/523919). When looking at the code, I found that
also the ptr pointer can leak.
Kamil Dudka (20 Jul 2009)
- Claes Jakobsson improved the support for client certificates handling in
NSS-powered libcurl. Now the client certificates can be selected
automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
slots is no more performed. It used to cause problems with HW tokens.
- Fixed reference counting for NSS client certificates. Now the PEM reader
module should be always properly unloaded on Curl_nss_cleanup(). If the
unload fails though, libcurl will try to reuse the already loaded instance.
Daniel Fandrich (15 Jul 2009)
- Added nonblock.c to the non-automake makefiles (note that the dependencies
in the Watcom makefiles aren't quite correct).
Michal Marek (15 Jul 2009)
- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
errno is not reset on success.
Guenter Knauf (14 Jul 2009)
- renamed generated config.h to curl_config.h to avoid any future clashes
with config.h from other projects.
Daniel Stenberg (9 Jul 2009)
- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
setting a file descriptor non-blocking. Used by the functionality Eric
himself brough on June 15th.
Daniel Stenberg (8 Jul 2009)
- Constantine Sapuntzakis posted bug report #2813123
(http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
problem:
Url A is accessed using auth. Url A redirects to Url B (on a different
server0. Url B reuses a persistent connection. Url B has auth, even though
it's on a different server.
Note: if Url B does not reuse a persistent connection, auth is not sent.
reason:
data->state.first_host is not initialized becuase Curl_http_connect is not
called when a connection is reused.
Solution:
move initialization of data->state.first_host to Curl_http. No code before
Curl_http uses data->state.first_host anyway.
Guenter Knauf (4 Jul 2009)
- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
couple of both IPv4 and IPv6 autobuilds.
Daniel Stenberg (29 Jun 2009)
- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
range if given colon-separated after the host name/address part. Like
"192.168.0.1:2000-10000"
- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
don't know how they got wrong in the first place, but using this output
format makes it possible to quite easily separate the string into an array
of multiple items.
Daniel Fandrich (16 June 2009)
- Added a few more compiler warning options for gcc.
Daniel Stenberg (16 Jun 2009)
- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
(no newline translations). Use -B/--use-ascii if you rather get the ascii
approach.
Michal Marek (16 Jun 2009)
- When doing non-anonymous ftp via http proxies and the password is not
provided in the url, add it there (squid needs this).
Daniel Stenberg (15 Jun 2009)
- Eric Wong's patch:
This allows curl(1) to be used as a client-side tunnel for arbitrary stream
protocols by abusing chunked transfer encoding in both the HTTP request and
HTTP response. This requires server support for sending a response while a
request is still being read, of course.
If attempting to read from stdin returns EAGAIN, then we pause our sender.
This leaves curl to attempt to read from the socket while reading from stdin
(and thus sending) is paused.
This change was needed to allow successfully tunneling the git protocol over
HTTP (--no-buffer is needed, as well).
Patrick Monnerat (15 Jun 2009)
- Replaced use of standard C library rand()/srand() by our own pseudo-random
number generator.
Yang Tse (11 Jun 2009)
- I adapted testcurl script to allow building test harness programs when
cross-compiling for a *-*-mingw* host.
Daniel Stenberg (10 Jun 2009)
- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
contributed a range of patches to fix them.
Yang Tse (10 Jun 2009)
- I introduced configure script option --enable-curldebug which now allows
the decoupled enabling or disabling of the curl debug memory tracking
feature from the --enable-debug option which no longer controls this.
curl --version will list 'Debug' feature for debug enabled builds, and
will list 'TrackMemory' feature for curl debug memory tracking capable
builds. These features are independent and can be controlled when running
the configure script. When --enable-debug is given both features will be
enabled, unless some restriction prevents memory tracking from being used.
Internally, definition of preprocessor symbol DEBUGBUILD restricts code
which is only compiled for debug enabled builds. And symbol CURLDEBUG is
used to differentiate code which is _only_ used for memory tracking.
Yang Tse (9 Jun 2009)
- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
initializing the fread callback pointer and this triggered a compiler
warning, also provided a friendly suggestion on how to fix it.
Daniel Stenberg (8 Jun 2009)
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
issue with client certs that caused issues like segfaults.
http://curl.haxx.se/mail/lib-2009-05/0316.html
- Triggered by bug report #2798852 and the patch in there, I fixed configure
to detect gnutls build options with pkg-config only and not libgnutls-config
anymore since GnuTLS has stopped distributing that tool. If an explicit path
is given to configure, we will instead guess on how to link and use that
lib. I did not use the patch from the bug report.
Yang Tse (8 Jun 2009)
- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
included from Makefile.inc, and provided docs\INSTALL VxWorks section.
- I removed buildconf.bat from release and daily snapshot archives. This
file is only for CVS tree checkout builds.
Daniel Stenberg (8 Jun 2009)
- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
broken since 7.19.0
Bill Hoffman (6 Jun 2009)
- Added some cmake docs and fixed socklen_t in the build.
Yang Tse (5 Jun 2009)
- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
in urlglob.c where it was not converting the Curl Unix exit code to a VMS
DCL compatible exit code. This fix required the enhancement described next.
This also adds an enhancement to main.c so that when curl is run under a
Unix shell like Bash on VMS, it will return the standard Unix exit codes
and messages." And another patch for docs/examples.
I introduced os-specific.c and os-specific.h for use in curl tool code
and adjusted John E. Malmberg's patch placement to use these new files
as an effort to prevent main.c from growing ad infinitum. Code already
existing in main.c which is OS specific should be moved into these files.
Daniel Stenberg (4 June 2009)
- Setting the Content-Length: header from your app when you do a POST or PUT
is almost always a VERY BAD IDEA. Yet there are still apps out there doing
this, and now recently it triggered a bug/side-effect in libcurl as when
libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
knows it will just get a 401/407 back. If the app then replaced the
Content-Length header, it caused the server to wait for input that libcurl
wouldn't send. Aaron Oneal reported this problem in bug report #2799008
(http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
Yang Tse (4 Jun 2009)
- Igor Novoseltsev provided patches and information, that after some
adjustments to better fit curl's way of doing things, have resulted
in the posibility of building libcurl for VxWorks.
Daniel Fandrich (2 June 2009)
- Checked in a Google Android make file. To use it, you must first
create a config.h file by running configure in the Android environment,
which doesn't seem to be easy to do. If no easy way can be found, a
static config-android.h may need to be created and checked in to the
libcurl source tree.
Daniel Stenberg (1 June 2009)
- Claes Jakobsson fixed the configure script to better find and use NSS
without pkg-config.
Yang Tse (1 Jun 2009)
- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
out that the configure script was failing to detect the timeval struct on
VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
taking place in socket.h instead of time.h. I have adjusted configure
script to also include this header when checking struct timeval.
Daniel Stenberg (27 May 2009)
- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
fine with Nokia 5th edition 1.0 SDK for Symbian.
- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
for a failure properly.
- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
the auth credentials back in 7.19.0 and earlier while now you have to set ""
to get the same effect. His patch brings back the ability to use NULL.
- Claes Jakobsson fixed libcurl-NSS to build fine even without the
PK11_CreateGenericObject() function.
Daniel Stenberg (25 May 2009)
- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
out that the cookie parser would leak memory when it parses cookies that are
received with domain, path etc set multiple times in the same header. While
such a cookie is questionable, they occur in the wild and libcurl no longer
leaks memory for them. I added such a header to test case 8.
Daniel Fandrich (22 May 2009)
- Removed some obsolete digest code that caused a valgrind error in test 551.
Daniel Fandrich (20 May 2009)
- Added "non-existing host" test keywords to make it easy to skip those
tests on machines that have broken DNS configurations (such as
those configured to use OpenDNS).
Daniel Stenberg (19 May 2009)
- Kamil Dudka brought the patch from the Redhat bug entry
https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
a bad file descriptor when closing down the FTP data connection. Caolan
McNamara seems to be the original author of it.
tron [Fri, 28 Aug 2009 12:09:32 +0000]
Pullup ticket #2876.
tron [Fri, 28 Aug 2009 12:07:16 +0000]
Pullup ticket #2876 - requested by hasso
xerces-c: security patch
Revisions pulled up:
- textproc/xerces-c/Makefile 1.38
- textproc/xerces-c/distinfo 1.13
- textproc/xerces-c/patches/patch-ba 1.1
---
Module Name: pkgsrc
Committed By: hasso
Date: Fri Aug 28 05:24:34 UTC 2009
Modified Files:
pkgsrc/textproc/xerces-c: Makefile distinfo
Added Files:
pkgsrc/textproc/xerces-c/patches: patch-ba
Log Message:
Add the fix for CVE-2009-1885 - nested DTD structure XML parsing remote
denial of service vulnerability. While there fix MASTER_SITES as
recommended by pkglint. Bump PKGREVISION.
spz [Fri, 28 Aug 2009 07:45:35 +0000]
pullup #2873
spz [Fri, 28 Aug 2009 07:43:14 +0000]
Pullup ticket 2873 - requested by tron
security update
Revisions pulled up:
- pkgsrc/textproc/libxml2/Makefile 1.101
- pkgsrc/textproc/libxml2/distinfo 1.72
Files added:
pkgsrc/textproc/libxml2/patches/patch-af 1.5
Module Name: pkgsrc
Committed By: tron
Date: Wed Aug 26 10:20:57 UTC 2009
Modified Files:
pkgsrc/textproc/libxml2: Makefile distinfo
Added Files:
pkgsrc/textproc/libxml2/patches: patch-af
Log Message:
Add patch to fix the security vulnerabilites reported in CVE-2009-2414
and CVE-2009-2416.
The patch was taken from the latest Fedora 11 "libxml2" source RPM.
To generate a diff of this commit:
cvs rdiff -u -r1.100 -r1.101 pkgsrc/textproc/libxml2/Makefile
cvs rdiff -u -r1.71 -r1.72 pkgsrc/textproc/libxml2/distinfo
cvs rdiff -u -r0 -r1.5 pkgsrc/textproc/libxml2/patches/patch-af
tron [Thu, 27 Aug 2009 11:36:32 +0000]
Pullup ticket #2872.
tron [Thu, 27 Aug 2009 11:35:17 +0000]
Pullup ticket #2872 - requested by jnemeth
asterisk: security update
Revisions pulled up:
- comms/asterisk/Makefile 1.67
- comms/asterisk/distinfo 1.43
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Sun Aug 23 09:22:24 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: Makefile distinfo
Log Message:
This update is just to fix a hypothetical security issue (AST-2009-005)
which is most likely not exploitable.
tron [Sun, 23 Aug 2009 10:34:56 +0000]
Pullup ticket #2871.
tron [Sun, 23 Aug 2009 10:33:57 +0000]
Pullup ticket #2871 - requested by wiz
libvorbis: security update
Revisions pulled up:
- audio/libvorbis/Makefile 1.48
- audio/libvorbis/PLIST 1.10
- audio/libvorbis/distinfo 1.17
- audio/libvorbis/patches/patch-aa delete
- audio/libvorbis/patches/patch-ab delete
- audio/libvorbis/patches/patch-ac delete
- audio/libvorbis/patches/patch-ad delete
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Jul 17 20:28:21 UTC 2009
Modified Files:
pkgsrc/audio/libvorbis: Makefile PLIST distinfo
Removed Files:
pkgsrc/audio/libvorbis/patches: patch-aa patch-ab patch-ac patch-ad
Log Message:
Update to 1.2.3. Set LICENSE.
Two of the patches were from upstream CVS, the other two are not needed
any longer because the configure script was improved.
libvorbis 1.2.3 (2009-07-09) -- "Xiph.Org libVorbis I
20090709"
* correct a vorbisfile bug that prevented proper playback of
Vorbis files where all audio in a logical stream is in a
single page
* Additional decode setup hardening against malicious streams
* Add 'OV_EXCLUDE_STATIC_CALLBACKS' define for developers who
wish to avoid avoid unused symbol warnings from the static
callbacks defined in vorbisfile.h
libvorbis 1.2.2 (2009-06-24) -- "Xiph.Org libVorbis I
20090624"
* define VENDOR and ENCODER strings
* seek correctly in files bigger than 2 GB (Windows)
* fix regression from CVE-2008-1420; 1.0b1 files work again
* mark all tables as constant to reduce memory occupation
* additional decoder hardening against malicious streams
* substantially reduce amount of seeking performed by Vorbisfile
* Multichannel decode bugfix
* build system updates
* minor specification clarifications/fixes
libvorbis 1.2.1 (unreleased) -- "Xiph.Org libVorbis I
20080501"
* Improved robustness with corrupt streams.
* New ov_read_filter() vorbisfile call allows filtering decoded
audio as floats before converting to integer samples.
* Fix an encoder bug with multichannel streams.
* Replaced RTP payload format draft with RFC 5215.
* Bare bones self test under 'make check'.
* Fix a problem encoding some streams between 14 and 28 kHz.
* Fix a numerical instability in the edge extrapolation filter.
* Build system improvements.
* Specification correction.
tron [Fri, 21 Aug 2009 12:18:01 +0000]
Pullup ticket #2870.
tron [Fri, 21 Aug 2009 12:17:35 +0000]
Pullup ticket #2870 - requested by jnemeth
asterisk: build fix
Revisions pulled up:
- comms/asterisk/Makefile 1.64-1.66
- comms/asterisk/PLIST.common 1.16
- comms/asterisk/distinfo 1.41-1.42
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Thu Aug 20 22:31:41 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: Makefile PLIST.common distinfo
Log Message:
Digium in its infinite wisdom changed the Music-On-Hold sound files in all
release tarballs. Update for that change.
While here, do some pkglint cleanup and add LICENSE=gplv2.
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Thu Aug 20 22:33:47 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: Makefile
Log Message:
bump PKGREVISION for previous
---
Module Name: pkgsrc
Committed By: jnemeth
Date: Fri Aug 21 08:34:25 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: Makefile
Log Message:
Change DIST_SUBDIR to avoid people having to manually remove the old
distfile. Requested by wiz@.
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 21 08:46:16 UTC 2009
Modified Files:
pkgsrc/comms/asterisk: distinfo
Log Message:
regen (for DIST_SUBDIR change).
tron [Wed, 19 Aug 2009 09:13:42 +0000]
Pullup ticket #2866, #2867 and #2868.
tron [Wed, 19 Aug 2009 09:12:31 +0000]
Pullup ticket #2868 - requested by he
p5-Math-Pari: build fix
Revisions pulled up:
- math/p5-Math-Pari/Makefile 1.35
- math/p5-Math-Pari/distinfo 1.14
- math/p5-Math-Pari/patches/patch-ab 1.7
---
Module Name: pkgsrc
Committed By: he
Date: Sun Aug 16 13:33:07 UTC 2009
Modified Files:
pkgsrc/math/p5-Math-Pari: Makefile distinfo
pkgsrc/math/p5-Math-Pari/patches: patch-ab
Log Message:
Update from version 2.010801nb1 to 2.010801nb2.
Pkgsrc changes:
o Re-do patch-ab so that this package actually builds on hosts other
than arm and i386. ('eq' instead of '=' is the bug...)
tron [Wed, 19 Aug 2009 09:07:14 +0000]
Pullup ticket #2867 - requested by bouyer
sympa: build fix
Revisions pulled up:
- mail/sympa/Makefile 1.41
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Aug 12 22:39:17 UTC 2009
Modified Files:
pkgsrc/mail/sympa: Makefile
Log Message:
ALso needs p5-Template-Toolkit. Bump PKGREVISION.
tron [Wed, 19 Aug 2009 08:55:15 +0000]
Pullup ticket #2866 - requested by adrianp
viewvc: security update
Revisions pulled up:
- www/viewvc/Makefile 1.10
- www/viewvc/distinfo 1.7
---
Module Name: pkgsrc
Committed By: adrianp
Date: Sat Aug 15 08:33:13 UTC 2009
Modified Files:
pkgsrc/www/viewvc: Makefile distinfo
Log Message:
Version 1.0.9 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
Version 1.0.8 (released 05-May-2009)
* fix directory view sorting UI
* tolerate malformed Accept-Language headers (issue #396)
* fix directory log views in revision-less Subversion repositories
* fix exception in rev-sorted remote Subversion directory views (issue #409)
salo [Fri, 14 Aug 2009 18:46:32 +0000]
Pullup ticket #2859
salo [Fri, 14 Aug 2009 18:45:44 +0000]
Pullup ticket #2859 - requested by tron
fetchmail: security update
fetchmailconf: security update
Revisions pulled up:
- pkgsrc/mail/fetchmail/Makefile 1.169
- pkgsrc/mail/fetchmail/PLIST 1.13
- pkgsrc/mail/fetchmail/distinfo 1.40
- pkgsrc/mail/fetchmail/patches/patch-aa removed
- pkgsrc/mail/fetchmail/patches/patch-aa removed
- pkgsrc/mail/fetchmailconf/Makefile 1.75
Module Name: pkgsrc
Committed By: tron
Date: Mon Aug 10 08:46:30 UTC 2009
Modified Files:
pkgsrc/mail/fetchmail: Makefile PLIST distinfo
pkgsrc/mail/fetchmailconf: Makefile
Removed Files:
pkgsrc/mail/fetchmail/patches: patch-aa patch-ab
Log Message:
Update "fetchmail" package to version 6.3.11. Changes since version 6.3.8:
- Security fixes for CVE-2009-2666, CVE-2007-4565 and CVE-2008-2711.
- Fetchmail no longer drops permanently undelivered messages by default,
to match historic documentation. It does this by adding a new
"softbounce" option.
- A lot bug fixes and improvements.
tron [Fri, 14 Aug 2009 15:57:16 +0000]
Pullup tickets #2681, #2862 and #2863.
tron [Fri, 14 Aug 2009 15:56:38 +0000]
Pullup ticket #2863 - requested by kefren
gmplayer: security patch
Revisions pulled up:
- multimedia/gmplayer/Makefile 1.77
- multimedia/gmplayer/distinfo 1.64
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Aug 9 19:21:10 UTC 2009
Modified Files:
pkgsrc/multimedia/gmplayer: distinfo
Log Message:
Add patch-ar.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Aug 9 19:24:25 UTC 2009
Modified Files:
pkgsrc/multimedia/gmplayer: Makefile
Log Message:
Remove BROKEN_IN 2006Q4, builds fine for me. Bump PKGREVISION for patch-ar.
tron [Fri, 14 Aug 2009 15:39:36 +0000]
Pullup ticket #2862 - requested by kefren
mplayer: security patch
Revisions pulled up:
- multimedia/mplayer-share/distinfo 1.61-1.62
- multimedia/mplayer-share/patches/patch-ar 1.1-1.2
- multimedia/mplayer/Makefile 1.67
---
Module Name: pkgsrc
Committed By: kefren
Date: Sun Aug 9 12:56:11 UTC 2009
Modified Files:
pkgsrc/multimedia/mplayer: Makefile
pkgsrc/multimedia/mplayer-share: distinfo
Added Files:
pkgsrc/multimedia/mplayer-share/patches: patch-ar
Log Message:
add fix for SA26157. Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Aug 9 19:20:50 UTC 2009
Modified Files:
pkgsrc/multimedia/mplayer-share: distinfo
pkgsrc/multimedia/mplayer-share/patches: patch-ar
Log Message:
Add RCS Id and comment.
tron [Fri, 14 Aug 2009 15:24:05 +0000]
Pullup ticket #2861 - requested by kefren
vlc08: security patch
Revisions pulled up:
- multimedia/vlc08/Makefile 1.22
- multimedia/vlc08/distinfo 1.9
- multimedia/vlc08/patches/patch-ab 1.7
---
Module Name: pkgsrc
Committed By: kefren
Date: Sun Aug 9 12:33:14 UTC 2009
Modified Files:
pkgsrc/multimedia/vlc08: Makefile distinfo
Added Files:
pkgsrc/multimedia/vlc08/patches: patch-ab
Log Message:
add fix for SA36037, bump PKGREVISION. XXX: not tested
tron [Fri, 14 Aug 2009 14:02:37 +0000]
Pullup tickets #2860, #2864 and #2865.
tron [Fri, 14 Aug 2009 14:00:01 +0000]
Pullup ticket #2860 - requested by kefren
vlc: security patch
Revisions pulled up:
- multimedia/vlc/Makefile 1.80 via patch
- multimedia/vlc/distinfo 1.29 via patch
- multimedia/vlc/patches/patch-aa 1.7
---
Module Name: pkgsrc
Committed By: kefren
Date: Sun Aug 9 12:18:17 UTC 2009
Modified Files:
pkgsrc/multimedia/vlc: Makefile distinfo
Added Files:
pkgsrc/multimedia/vlc/patches: patch-aa
Log Message:
add fix for SA26156
Bump PKGREVISION
tron [Fri, 14 Aug 2009 10:18:20 +0000]
Pullup ticket #2865 - requested by taca
apr0: security patch
Revisions pulled up:
- devel/apr0/Makefile 1.6
- devel/apr0/distinfo 1.4
- devel/apr0/patches/patch-ab 1.1
- devel/apr0/patches/patch-ac 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 12 03:37:28 UTC 2009
Modified Files:
pkgsrc/devel/apr0: Makefile distinfo
Added Files:
pkgsrc/devel/apr0/patches: patch-ab patch-ac
Log Message:
Fix security problem of CVE-2009-2412 adding patches described in it.
Bump PKGREVISION.
tron [Fri, 14 Aug 2009 10:02:07 +0000]
Pullup ticket #2864 - requested by adrianp
wordpress: security update
Revisions pulled up:
- www/wordpress/Makefile 1.5
- www/wordpress/distinfo 1.4
---
Module Name: pkgsrc
Committed By: adrianp
Date: Wed Aug 12 20:21:10 UTC 2009
Modified Files:
pkgsrc/www/wordpress: Makefile distinfo
Log Message:
Update to 2.8.4 to fix security issue:
http://wordpress.org/development/2009/08/2-8-4-security-release/
tron [Mon, 10 Aug 2009 12:00:04 +0000]
Pullup ticket #2858 - requested by bouyer
py-smbpasswd: build fix
Revisions pulled up:
- security/py-smbpasswd/Makefile 1.4
---
Module Name: pkgsrc
Committed By: bouyer
Date: Sat Aug 8 14:16:55 UTC 2009
Modified Files:
pkgsrc/security/py-smbpasswd: Makefile
Log Message:
This works fine with python 2.5
tron [Mon, 10 Aug 2009 11:59:23 +0000]
Pullup ticket #2858.
tron [Sat, 8 Aug 2009 22:55:47 +0000]
Pullup ticket #2857.
tron [Sat, 8 Aug 2009 22:54:54 +0000]
Pullup ticket #2857 - requested by obache
GraphicsMagick: security update
Revisions pulled up:
- graphics/GraphicsMagick/Makefile 1.22
- graphics/GraphicsMagick/distinfo 1.18
- graphics/GraphicsMagick/patches/patch-ab 1.1
---
Module Name: pkgsrc
Committed By: obache
Date: Sat Aug 8 04:41:08 UTC 2009
Modified Files:
pkgsrc/graphics/GraphicsMagick: Makefile distinfo
Added Files:
pkgsrc/graphics/GraphicsMagick/patches: patch-ab
Log Message:
Add an patch to fixes CVE-2008-1097, taken from upstream repository.
Bump PKGREVISION.
salo [Sat, 8 Aug 2009 00:25:35 +0000]
Pullup ticket #2851
salo [Sat, 8 Aug 2009 00:23:26 +0000]
Pullup ticket 2851 - requested by tron
security update for squid31
Revisions pulled up:
- pkgsrc/www/squid31/Makefile 1.14
- pkgsrc/www/squid31/distinfo 1.12
- pkgsrc/www/squid31/patches/patch-ae 1.4
Module Name: pkgsrc
Committed By: tron
Date: Wed Aug 5 10:29:12 UTC 2009
Modified Files:
pkgsrc/www/squid31: Makefile distinfo
pkgsrc/www/squid31/patches: patch-ae
Log Message:
Update "squid31" package to version 3.1.0.13.
Changes since version 3.1.0.12:
- Bug 2723 regression: enable PURGE requests if PURGE method ACL is present.
- Fix one more internal profiler error
- Language Updates: Italian, Russian
- Language Updates: Add many more aliases
- Add Copyright document for errors/ content
- ... all bug fixes from 3.0.STABLE18
- ... and several code polishing cleanups
spz [Fri, 7 Aug 2009 21:34:01 +0000]
pullup #2852
spz [Fri, 7 Aug 2009 21:08:15 +0000]
Pullup ticket 2852 - requested by tron
bug fix update
Revisions pulled up:
- pkgsrc/www/apache22/Makefile 1.48
- pkgsrc/www/apache22/PLIST 1.13
- pkgsrc/www/apache22/distinfo 1.23
- pkgsrc/www/apache22/patches/patch-ba 1.4
- pkgsrc/www/apache22/patches/patch-bb 1.3
Files added:
pkgsrc/www/apache22/patches/patch-bb
Files deleted:
pkgsrc/www/apache22/patches/patch-ab
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah
pkgsrc/www/apache22/patches/patch-bc
pkgsrc/www/apache22/patches/patch-bd
Module Name: pkgsrc
Committed By: tron
Date: Thu Aug 6 07:07:23 UTC 2009
Modified Files:
pkgsrc/www/apache22: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/apache22/patches: patch-ab patch-af patch-ah patch-ba
patch-bc patch-bd
Log Message:
Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
- SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. Bug 39605.
[Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
Prevent the "Includes" Option from being enabled in an .htaccess
file if the AllowOverride restrictions do not permit it.
[Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_proxy in a
reverse proxy configuration, where a remote attacker can force a
proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
mod_proxy_ajp: Avoid delivering content from a previous request which
failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
The bundled copy of the APR-util library has been updated, fixing three
different security issues which may affect particular configurations
and third-party modules.
- mod_include: fix potential segfault when handling back references
on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments.
Bug 44729 [S??nke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- mod_rewrite: Remove locking for writing to the rewritelog.
Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs.
Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- mod_rewrite: Fix the error string returned by RewriteRule.
RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
argument of RewriteRule was not started with "[" or not ended with "]".
Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
BalancerMember balancer://alias http://example.com/foo
ProxyPassReverse /bash balancer://alias/bar
backend url http://example.com/foo/bar/that is now translated /bash/that
[William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
without invoking the shell/command interpreter. Use "|$command line"
(the default behavior of "|command line" in 2.2) to invoke using shell,
consuming an additional shell process for the lifetime of the logging
pipe program but granting additional process invocation flexibility.
[William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
support for name based virtual hosts with SSL. Bug 34607
[Peter Sylvester <peter.sylvester edelweb.fr>,
Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
Ruediger Pluem]
- mod_negotiation: Escape pathes of filenames in 406 responses to avoid
HTML injections and HTTP response splitting. Bug 46837.
[Geoff Keating <geoffk apple.com>]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
[Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
[Dan Poirier <poirier pobox.com>]
- mod_proxy_ajp: Forward remote port information by default.
[Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
directive to correctly remove headers before storing them.
[Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
etag to be emitted for on-the-fly gzip content-encoding.
Bug 39727 will require larger fixes and this fix was far more
harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
'EnableSendfile off' is defined globally. Bug 41218.
[Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
configurations with multiple listening sockets. Bug 42829. [Joe Orton,
Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
size of the buffer used for the request-body where necessary
during a per-dir renegotiation. Bug 39243. [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
way that per-directory rewrites append the previous notion of PATH_INFO
to each substitution before evaluating subsequent rules.
Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
to prevent the saving of an otherwise cacheable response.
[Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
ap_send_interim_response() and for locally generated "100 Continue"
responses. [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
times out before returning status line/headers.
Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
due to pollset creation failures. Bug 46467. [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
and introduce an onfail configuration option to abort
All the security problems mentioned above had already been fixed in
"pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
know that new version had finally been released.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache22/PLIST
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.10 -r0 pkgsrc/www/apache22/patches/patch-ab
cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-af \
pkgsrc/www/apache22/patches/patch-ah
cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-ba \
pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd
-----
Module Name: pkgsrc
Committed By: tron
Date: Thu Aug 6 08:21:44 UTC 2009
Modified Files:
pkgsrc/www/apache22: distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-ba patch-bb
Log Message:
Add patches provided by Adam Ciarcinski to fix build with recent versions
of OpenSSL (e.g. the version in NetBSD-current).
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.4 pkgsrc/www/apache22/patches/patch-ba
cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-bb
spz [Fri, 7 Aug 2009 18:45:31 +0000]
pullup #2856
spz [Fri, 7 Aug 2009 18:44:33 +0000]
Pullup ticket 2856 - requested by gdt
security update
Revisions pulled up:
- pkgsrc/devel/apr/Makefile 1.59
- pkgsrc/devel/apr/distinfo 1.27
Module Name: pkgsrc
Committed By: gdt
Date: Fri Aug 7 14:29:44 UTC 2009
Modified Files:
pkgsrc/devel/apr: Makefile distinfo
Log Message:
Update to 1.3.8 (security fix).
Changes for APR 1.3.8
*) SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in pools and rmm, where size alignment was taking place.
[Matt Lewis <mattlewis@google.com>, Sander Striker]
*) Make sure that "make check" is used in the RPM spec file, consistent
with apr-util. [Graham Leggett]
*) Pass default environment to testflock, testoc and testpipe children,
so that tests run when APR is compiled with Intel C Compiler.
[Bojan Smojver]
To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.59 pkgsrc/devel/apr/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/devel/apr/distinfo
spz [Fri, 7 Aug 2009 12:24:24 +0000]
pullup #2854
spz [Fri, 7 Aug 2009 12:22:17 +0000]
Pullup ticket 2854 - requested by tron
security update
Revisions pulled up:
- pkgsrc/devel/apr-util/Makefile 1.14
- pkgsrc/devel/apr-util/Makefile 1.8
- pkgsrc/devel/apr/Makefile 1.58
- pkgsrc/devel/apr/distinfo 1.26
Module Name: pkgsrc
Committed By: schmonz
Date: Fri Jul 24 13:09:32 UTC 2009
Modified Files:
pkgsrc/devel/apr-util: Makefile
Log Message:
Configure --without-sqlite2 in case it's unavoidably on the include path.
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/apr-util/Makefile
-----
Module Name: pkgsrc
Committed By: tonnerre
Date: Tue Aug 4 10:09:35 UTC 2009
Modified Files:
pkgsrc/devel/apr: Makefile distinfo
Log Message:
Update to apr version 1.3.7, which, other than 1.3.5, is still downloadable.
Changes since 1.3.5:
- On Linux/hppa flock() returns EAGAIN instead of EWOULDBLOCK. This
causes proc mutex failures.
- Set CLOEXEC flags where appropriate. Either use new O_CLOEXEC flag and
associated functions, such as dup3(), accept4(), epoll_create1() etc.,
or simply set CLOEXEC flag using fcntl().
- More elaborate detection for dup3(), accept4() and epoll_create1().
To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 pkgsrc/devel/apr/Makefile
cvs rdiff -u -r1.25 -r1.26 pkgsrc/devel/apr/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
-----
Module Name: pkgsrc
Committed By: tonnerre
Date: Tue Aug 4 10:13:04 UTC 2009
Modified Files:
pkgsrc/devel/apr-util: Makefile distinfo
Log Message:
Upgrade apr-util to version 1.3.8, which, unlike 1.3.7, is still downloadab=
le.
Changes since 1.3.7:
- Use locally scoped variables in PostgreSQL driver to avoid stomping
on return codes.
- Fix race conditions in initialisation of DBD, DBM and DSO.
- Expose DBM libs in apu-1-config by default. To avoid that, use
apu-1-config --avoid-dbm --libs. To get just DBM libs, use
apu-1-config --dbm-libs.
- Make sure --without-ldap works.
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/apr-util/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/devel/apr-util/distinfo
-----
Module Name: pkgsrc
Committed By: tron
Date: Fri Aug 7 10:39:24 UTC 2009
Modified Files:
pkgsrc/devel/apr-util: Makefile distinfo
Log Message:
Update "apr-util" package to version 1.3.8. Changes since 1.3.9:
- SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in rmm, where size alignment was taking place.
[Matt Lewis <mattlewis@google.com>, Sander Striker]
- Make sure that "make check" is used in the RPM spec file, so that
the crypto, dbd and dbm tests pass. [Graham Leggett]
- Make sure the mysql version of dbd_mysql_get_entry() respects the
rule that if the column number exceeds the number of columns, we
return NULL. [Graham Leggett]
- Ensure the dbm module is packaged up correctly in the RPM.
[Graham Leggett]
- Clarify the error messages within the dbd tests. [Graham Leggett]
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/apr-util/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/devel/apr-util/distinfo
tron [Fri, 7 Aug 2009 11:10:13 +0000]
Pullup ticket #2853.
tron [Fri, 7 Aug 2009 11:09:47 +0000]
Pullup ticket #2853 - requested by gdt
ap22-subversion: security update
p5-subversion: security update
py25-subversion: security update
ruby18-subversion: security update
subversion-base: security update
subversion: security update
Revisions pulled up:
- devel/subversion/Makefile.common 1.33
- devel/subversion/Makefile.version 1.51
- devel/subversion/distinfo 1.72
---
Module Name: pkgsrc
Committed By: gdt
Date: Thu Aug 6 22:08:56 UTC 2009
Modified Files:
pkgsrc/devel/subversion: Makefile.common Makefile.version distinfo
Log Message:
Update to 1.6.4, a security release.
Version 1.6.4
(06 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.4
User-visible changes:
* fixed: heap overflow vulnerability on server and client
See CVE-2009-2411, and descriptive advisory at
http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt
Version 1.6.3
(22 Jun 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.3
User-visible changes:
* fix segfault in WC->URL copy (r37646, -56)
* let 'svnadmin load' tolerate mergeinfo with "\r\n" (r37768)
* make svnsync normalize svn:* props to LF line endings (issue #3404)
* better integration with external merge tools (r36178)
* return a friendly error message for 'svn diff' (r37735)
* update dsvn.el for 1.6 (r37774)
* don't allow setting of props on out-of-date dirs under neon (r37745)
* improve BASH completion (r36450, -52, -70, -79, -538)
* always show tree conflicts with 'svn st' (issue #3382)
* improve correctness of 'svn mergeinfo' (issue #3126)
* decrease the amount of memory needed for large commits (r37894, -6)
* work around an APR buffer overflow seen by svnsync (r37622)
* ra_svn clients now use TCP keep-alives if available (issue #3347)
* improve 'svn merge' perf by reducing server contact (r37491, -593, -618)
* stop propagating self-referential mergeinfo in reintegrate merges (r37931)
* fix NLS detection where -liconv is required for bindtextdomain() (r37827)
* don't delete unversioned files with 'rm --keep-local' (r38015, -17, -19)
* bump apr and apr-util versions included in deps to latest. (r37941)
* avoid temp file name collisions with ra_serf, ra_neon (r37972)
* fixed: potential segfault with noop file merges (r37779)
* fixed: incorrect output with 'svn blame -g' (r37719, -23, -41)
* fixed: bindings don't load FS libs when module search enabled (issue #3413)
* fixed: DAV RA layers not properly handling update/switch working copy
directory to revision/place in which it doesn't exist (issue #3414)
* fixed: potential abort() in the working copy library (r37857)
* fixed: memory leak in hash reading functions (r37868, -979)
Developer-visible changes:
* improve memory usage in file-to-stringbuf APIs (r37907)
* reduce memory usage for temp string manipulation (r38010)
tron [Wed, 5 Aug 2009 12:00:31 +0000]
Pullup tickets #2848, #2849 and #2850.
tron [Wed, 5 Aug 2009 11:57:40 +0000]
Pullup ticket #2850 - requested by taca
squid30: security update
Revisions pulled up:
- www/squid30/Makefile 1.15
- www/squid30/distinfo 1.13
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 5 01:47:11 UTC 2009
Modified Files:
pkgsrc/www/squid30: Makefile distinfo
Log Message:
Update squid30 package to 3.0.18 (3.0.STABLE18).
It contains some critical problem of 3.0.17 and really fix security
problem according to updated SQUID-2009_2.txt.
Changes to squid-3.0.STABLE18 (04 Aug 2009):
- Bug 2728: regression: assertion failed: !eof
- Bug 2732: reply_body_max_size smaller than error page loops
infinitely until out of memory
- Bug 2725: pconn failure if domain or client_address are unset
- Bug 2648: reserved helpers not shut down after reconfigure/rotate
- Bug 2462: make check should tell when cppunit is missing
- Remove excess messages about headers < minimum size
- Support Libtool 2.2.6
tron [Wed, 5 Aug 2009 11:16:33 +0000]
Pullup ticket #2849 - requested by tnn
firefox3: security update
Revisions pulled up:
- www/firefox3/Makefile 1.35
- www/firefox3/PLIST 1.11
- www/firefox3/distinfo 1.27
- www/firefox3/patches/patch-dk 1.3
---
Module Name: pkgsrc
Committed By: tnn
Date: Tue Aug 4 21:28:42 UTC 2009
Modified Files:
pkgsrc/www/firefox3: Makefile PLIST distinfo
pkgsrc/www/firefox3/patches: patch-dk
Log Message:
Update to firefox3-3.0.13. Fixes the following advisories:
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open()
on invalid URL
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication
tron [Wed, 5 Aug 2009 10:37:39 +0000]
Pullup ticket #2848 - requested by adrianp
wordpress: security update
Revisions pulled up:
- www/wordpress/Makefile 1.4
- www/wordpress/distinfo 1.3
---
Module Name: pkgsrc
Committed By: adrianp
Date: Tue Aug 4 21:32:40 UTC 2009
Modified Files:
pkgsrc/www/wordpress: Makefile distinfo
Log Message:
WordPress 2.8.3 Security Release
Unfortunately, I missed some places when fixing the privilege escalation issues
for 2.8.1. Luckily, the entire WordPress community has our backs. Several
folks in the community dug deeper and discovered areas that were overlooked.
With their help, the remaining issues are fixed in 2.8.3. Since this is a
security release, upgrading is highly recommended.
tron [Tue, 4 Aug 2009 12:30:36 +0000]
Pullup ticket #2846.
projects / pkgsrc.git / log