Pullup ticket #3636 - requested by tron
databases/phpmyadmin security update

Revisions pulled up:
- databases/phpmyadmin/Makefile 1.96
- databases/phpmyadmin/distinfo 1.57
---
Module Name: pkgsrc
Committed By: tron
Date: Fri Dec 23 08:07:44 UTC 2011

Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo

Log Message:
Update "phpmyadmin" package to version 3.4.9. Changes since 3.4.8:
- bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty (signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
Pullup ticket #3637 - requested by drochner
graphics/jasper: security patch

Revisions pulled up:
- graphics/jasper/Makefile 1.34
- graphics/jasper/distinfo 1.14
- graphics/jasper/patches/patch-ai 1.2
---
Module Name: pkgsrc
Committed By: drochner
Date: Thu Dec 22 16:17:57 UTC 2011

Modified Files:
pkgsrc/graphics/jasper: Makefile distinfo
pkgsrc/graphics/jasper/patches: patch-ai

Log Message:
add patches from Redhat to add some input validation and fix a memory
allocation error; both could lead to heap buffer overflows
(CVE-2011-4516, CVE-2011-4517)
bump PKGREV
Pullup ticket #3628 - requested by dholland
www/kazehakase: build fix

Revisions pulled up:
- www/kazehakase/distinfo 1.11
- www/kazehakase/patches/patch-src_kz-app.c 1.1
---
Module Name: pkgsrc
Committed By: joerg
Date: Mon Dec 12 19:10:37 UTC 2011

Modified Files:
pkgsrc/www/kazehakase: distinfo
Added Files:
pkgsrc/www/kazehakase/patches: patch-src_kz-app.c

Log Message:
Fix fallout from newer gnutls.
Pullup ticket #3629 - requested by spz
www/apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile 1.10
- www/apache-tomcat6/PLIST 1.6
- www/apache-tomcat6/distinfo 1.7
---
Module Name: pkgsrc
Committed By: spz
Date: Tue Dec 13 09:44:17 UTC 2011

Modified Files:
pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

Log Message:
Upstream changelog:

Tomcat 6.0.35 (jfclere)
+++++++++++++++++++++++
Catalina
--------
- fix Fix regression in decoding of parameters that contain spaces. Patch by Willem Fibbe. (kkolinko)

Tomcat 6.0.34 (jfclere) not released
++++++++++++++++++++++++++++++++++++
Catalina
--------
- fix 51550: Display an error page rather than an empty response for an IllegalStateException caused by too many active sessions. (markt)
- add 51640: Improve the memory leak prevention for leaks triggered by java.sql.DriverManager. (markt/kkolinko)
- fix 51688: JreMemoryLeakPreventionListener now protects against AWT thread creation. (schultz)
- fix 51758: The digester (used for processing XML files) used the logger name org.apache.commons.digester.Digester rather than the expected org.apache.tomcat.util.digester.Digester. The digester has been changed to use the expected logger name. (kkolinko)
- add 51862: Added a classesToInitialize attribute to JreMemoryLeakPreventionListener to allow pre-loading of configurable classes to avoid some classloader leaks. (slaurent)
- fix 51872: Ensure that the access log always uses the correct value for the remote IP address associated with the request and that requests with multiple errors do not result in multiple entries in the access log. (markt)
- add Allow session implementations to overwrite the check for distributability of session attributes. (rjung)
- add Provide the log format "OneLineFormatter" for JULI that provides the same information as the default plus thread name but on a single line. (markt/rjung)
- fix Ensure the memory leak protection for the HttpClient keep-alive always operates even if the thread has already stopped. (markt)
- fix 51940: Do not limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a request body. Based on a patch by Nicholas Sushkin. (kkolinko)
- fix 52091: Address performance issues related to lock contention in StandardWrapper. Based on patch provided by Taiki Sugawara. (kkolinko)
- update In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles that have only one element. (kkolinko)
- add Make configuration issue for CsrfPreventionFilter result in the failure of the filter rather than just a warning message. (kkolinko)
- fix Ensure changes to the configuration of RemoteAddrValve and RemoteHostValve via JMX are thread-safe. (kkolinko)
- add Make configuration issue for RemoteAddrValve and RemoteHostValve result in the failure of the valve rather than just a warning message. (kkolinko)
- update In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko)
- add Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
- add New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko)

Coyote
------
- fix 50394: Return -1 from read operation instead of throwing an exception when encountering an EOF with the HTTP APR connector. (kkolinko)
- fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
- fix Detect incomplete AJP messages and reject the associated request if one is found. (markt)
- fix 51794: Fix race condition in NioEndpoint selector. Patch provided by dlord. (fhanik)
- fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor unlock fails. Reduce timeout before forcefully closing the socket from 30s to 10s. (kkolinko)
- fix 52121: Fix possible output corruption when compression is enabled for a connector and the response is flushed. Test case provided by David Marcks. (kkolinko)
- fix Replace unneeded call that iterated events queue in NioEndpoint.Poller. (kkolinko)
- fix Improve MimeHeaders.toString(). (kkolinko)
- fix Allow the BIO HTTP connector to be used with SSL when running under Java 7. (markt)
- fix Improve multi-byte character handling in all connectors. (rjung)

Jasper
------
- fix 51220: Correct copy/paste error in original commit for this issue. (markt)
- fix 52091: Address performance issues related to log creation in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)

Cluster
-------
- add 51736: Make rpcTimeout configurable in BackupManager. (kfujino)
- add New cluster manager attribute sessionAttributeFilter allows to filter which session attributes are replicated using a regular expression applied to the attribute name. (rjung)
- fix Avoid an unnecessary session ID change notice. Notice of changed session ID by JvmRouteBinderValve is unnecessary to BackupManager. In BackupManager, change of session ID is replicated by the call of a setId() method. (kfujino)
- fix Fix unneeded duplicate resetDeltaRequest() call in DeltaSession.setId(String). (kkolinko)
- add When Context manager does not exist, no context manager message is replied in order to avoid timeout (default 60 sec) of GET_ALL_SESSIONS sync phase. (kfujino)

Webapps
-------
- fix Correct the documentation for the connectionLinger attribute of the HTTP connector. (markt)
- add Show build date and version in the header on every documentation page. (kkolinko)
- fix 52049: Improve setup instructions for running as a Windows service: correct information on how a JRE is identified and selected. (markt)
- update 52172: Clarify Tomcat build instructions. Patch provided by bmargulies. (kkolinko)

Other
-----
- update Update the native component of the APR/native connectors to 1.1.22. (markt)
- update Update the recommended version of the native component of the APR/native connectors to 1.1.22. (kkolinko)
- update Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
- fix Correct two typos in the Windows installer. (kkolinko)
- fix 52059: In Windows uninstaller: Do not forget to remove Tomcat keys from 32-bit registry on deinstallation. (kkolinko)
Pullup ticket #3631 - requested by spz
www/apache22 security patch

Revisions pulled up:
- www/apache22/Makefile 1.76
- www/apache22/distinfo 1.47
- www/apache22/patches/patch-modules_mappers_mod_rewrite.c 1.1
- www/apache22/patches/patch-modules_proxy_mod_proxy.c 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Tue Dec 13 15:37:57 UTC 2011

Modified Files:
pkgsrc/www/apache22: Makefile distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-modules_mappers_mod_rewrite.c patch-modules_proxy_mod_proxy.c

Log Message:
add revision 1209432 from http://svn.apache.org/ as patches:
fix for CVE-2011-4317
Pullup ticket #3630 - requested by spz
security/openpam security patch

Revisions pulled up:
- security/openpam/Makefile 1.16
- security/openpam/distinfo 1.8
- security/openpam/patches/patch-ab 1.4
---
Module Name: pkgsrc
Committed By: spz
Date: Tue Dec 13 15:57:08 UTC 2011

Modified Files:
pkgsrc/security/openpam: Makefile distinfo
pkgsrc/security/openpam/patches: patch-ab

Log Message:
added prevention of CVE-2011-4122 taken from NetBSD src
Pullup ticket #3627 - requested by taca
textproc/chasen-base: security patch

Revisions pulled up:
- textproc/chasen-base/Makefile 1.21
- textproc/chasen-base/distinfo 1.11
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Dec 11 14:26:27 UTC 2011

Modified Files:
pkgsrc/textproc/chasen-base: Makefile distinfo

Log Message:
Add security patch for CVE-2011-4000 from official site.
Bump PKGREVISION.
Pullup ticket #3626 - requested by tron
www/apache22 security update

Revisions pulled up:
- www/apache22/Makefile 1.75
- www/apache22/distinfo 1.45
- www/apache22/patches/patch-server_protocol.c 1.2
---
Module Name: pkgsrc
Committed By: tron
Date: Wed Dec 7 22:58:12 UTC 2011

Modified Files:
pkgsrc/www/apache22: Makefile distinfo
pkgsrc/www/apache22/patches: patch-server_protocol.c

Log Message:
Add improved fix for proxy vulnerability reported in CVE-2011-3368.
This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both
part of SA46987.
Pullup ticket #3616 - requested by is
net/icsi-finger security update

Revisions pulled up:
- doc/CHANGES-2011 1.2900
- net/icsi-finger/Makefile 1.17-1.19
- net/icsi-finger/distinfo 1.10-1.13
- net/icsi-finger/patches/patch-ak 1.2-1.4
- net/icsi-finger/patches/patch-al 1.2
- net/icsi-finger/patches/patch-an 1.1
- net/icsi-finger/patches/patch-lib_util_c 1.1
---
Module Name: pkgsrc
Committed By: is
Date: Thu Nov 10 09:42:22 UTC 2011

Modified Files:
pkgsrc/net/icsi-finger: distinfo
Added Files:
pkgsrc/net/icsi-finger/patches: patch-an

Log Message:
Missed part of the fix for 64bit time_t from 2011/01/18 12:28:25.
The maintenance program packet2ascii (actually, the ascii2packet part)
needed to be fixed, too.
---
Module Name: pkgsrc
Committed By: is
Date: Thu Nov 10 09:59:53 UTC 2011

Modified Files:
pkgsrc/net/icsi-finger: Makefile

Log Message:
Missed part of the fix for 64bit time_t from 2011/01/18 12:28:25.
The maintenance program packet2ascii (actually, the ascii2packet part)
needed to be fixed, too.
---
Module Name: pkgsrc
Committed By: dholland
Date: Tue Nov 15 00:11:07 UTC 2011

Modified Files:
pkgsrc/net/icsi-finger: distinfo
pkgsrc/net/icsi-finger/patches: patch-ak patch-al
Added Files:
pkgsrc/net/icsi-finger/patches: patch-lib_util_c

Log Message:
Use stdlib.h instead of private decls of malloc; remove union wait.
Should fix build with newer gcc and maybe also clang.
---
Module Name: pkgsrc
Committed By: is
Date: Tue Nov 15 13:04:47 UTC 2011

Modified Files:
pkgsrc/doc: CHANGES-2011
pkgsrc/net/icsi-finger: Makefile distinfo
pkgsrc/net/icsi-finger/patches: patch-ak

Log Message:
replace mktemp() by mkstemp(), updating net/icsi-finger to 1.0.27nb6
---
Module Name: pkgsrc
Committed By: is
Date: Tue Nov 22 09:04:49 UTC 2011

Modified Files:
pkgsrc/net/icsi-finger: Makefile distinfo
pkgsrc/net/icsi-finger/patches: patch-ak

Log Message:
Remove a data-dependent case of segmentation fault in in.fingerd.
Pullup ticket #3625 - requested by gls
devel/p5-PAR: security update

Revisions pulled up:
- devel/p5-PAR/Makefile 1.17
- devel/p5-PAR/distinfo 1.7
---
Module Name: pkgsrc
Committed By: gls
Date: Sun Dec 4 20:52:25 UTC 2011

Modified Files:
pkgsrc/devel/p5-PAR: Makefile distinfo

Log Message:
Update devel/p5-PAR to 1.005.
Includes a fix for CVE 2011-4114.

Upstream changes:

[Changes for 1.005 - Dec 2, 2011]
- run all tests using a nonce PAR_TMPDIR (otherwise CPAN Testers goes crazy
  as top level /tmp/par-USER directories (or similar) from previous tests
  may now be considered "unsafe")

[Changes for 1.004 - Nov 30, 2011]
- back out r1241: it causes errors in PAR::Packer's test suite
- change "unsafe directory" error message to match the wording used by
  PAR::Packer
- remove "debian" sub directory: it isn't released to CPAN and Debian will
  supply its own anyway
- remove some cruft from MANIFEST.SKIP

[Changes for 1.003 - Nov 28, 2011]
- RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
  predictable temporary directories (Note: this bug was originally reported
  against PAR::Packer, but it applies to PAR as well)
  - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
  - if it already exists, make sure that (and bail out if not)
    - it's not a symlink
    - it's mode 0700
    - it's owned by USER
- Fix a problem packing XML::LibXSLT on Windows (see the thread starting with
  http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
- Die (with a hopefully useful message) if any error is encountered during
  an Archive::Zip extract operation
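The cache-directory checks the 1.003 entry lists (create with mode 0700; if it already exists, refuse a symlink, a wrong mode or a foreign owner) are the standard defence against a pre-planted directory under a shared /tmp. The following is an added illustration of those checks in Python, not PAR's own (Perl) code; the function names and the scratch tree built by self_check() are constructed for this example.

```python
import os
import stat
import tempfile


class UnsafeDirectoryError(Exception):
    """Raised when an existing cache parent directory fails the safety checks."""


def ensure_private_dir(path, uid):
    """Create `path` with mode 0700, or verify an existing one is safe to use.

    Mirrors the PAR 1.003 changelog: an existing directory must not be a
    symlink, must be mode 0700 and must be owned by `uid`.  Anything else
    raises UnsafeDirectoryError instead of extracting files into it.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    else:
        os.chmod(path, 0o700)   # mkdir's mode is masked by umask; pin it
        return path
    st = os.lstat(path)         # lstat so a planted symlink is seen as such
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeDirectoryError("%s is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectoryError("%s is not a directory" % path)
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise UnsafeDirectoryError("%s has mode %o, expected 0700" % (path, stat.S_IMODE(st.st_mode)))
    if st.st_uid != uid:
        raise UnsafeDirectoryError("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    return path


def _rejected(path, uid):
    try:
        ensure_private_dir(path, uid)
    except UnsafeDirectoryError:
        return True
    return False


def self_check():
    """Exercise the outcomes in a constructed scratch tree (not the real /tmp/par-USER)."""
    base = tempfile.mkdtemp()
    uid = os.getuid()
    fresh = os.path.join(base, "par-user")
    created = ensure_private_dir(fresh, uid) == fresh and stat.S_IMODE(os.lstat(fresh).st_mode) == 0o700
    reused = ensure_private_dir(fresh, uid) == fresh          # exists and passes every check
    os.chmod(fresh, 0o755)                                     # simulate a world-readable leftover
    link = os.path.join(base, "par-link")
    os.symlink(base, link)                                     # simulate a planted symlink
    return {"created": created, "reused": reused,
            "bad_mode": _rejected(fresh, uid), "symlink": _rejected(link, uid)}
```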
Pullup ticket #3624 - requested by dholland
graphics/xart: build fix

Revisions pulled up:
- graphics/xart/distinfo 1.15
- graphics/xart/patches/patch-ad 1.3
- graphics/xart/patches/patch-ak 1.2
- graphics/xart/patches/patch-image.h 1.1
- graphics/xart/patches/patch-main.c 1.1
- graphics/xart/patches/patch-protocol.c 1.1
- graphics/xart/patches/patch-rw_readGIF.c 1.1
- graphics/xart/patches/patch-rw_readWriteXBM.c 1.1
- graphics/xart/patches/patch-rw_readWriteXWD.c 1.1
---
Module Name: pkgsrc
Committed By: joerg
Date: Mon Dec 5 22:48:59 UTC 2011

Modified Files:
pkgsrc/graphics/xart: distinfo
pkgsrc/graphics/xart/patches: patch-ad patch-ak
Added Files:
pkgsrc/graphics/xart/patches: patch-image.h patch-main.c patch-protocol.c patch-rw_readGIF.c patch-rw_readWriteXBM.c patch-rw_readWriteXWD.c

Log Message:
Fix build with newer GCC
Pullup ticket #3623 - requested by dholland
devel/opal: build fix

Revisions pulled up:
- devel/opal/distinfo 1.9
- devel/opal/patches/patch-configure 1.1
- devel/opal/patches/patch-configure.ac 1.1
- devel/opal/patches/patch-plugins_configure 1.1
- devel/opal/patches/patch-plugins_configure.ac 1.1
- devel/opal/patches/patch-plugins_video_H.263-1998_h263-1993.cxx 1.1
- devel/opal/patches/patch-plugins_video_MPEG4-ffmpeg_mpeg4.cxx 1.1
- devel/opal/patches/patch-plugins_video_common_dyna.cxx 1.1
---
Module Name: pkgsrc
Committed By: marino
Date: Sun Dec 4 22:06:04 UTC 2011

Modified Files:
pkgsrc/devel/opal: distinfo
Added Files:
pkgsrc/devel/opal/patches: patch-configure patch-configure.ac patch-plugins_configure patch-plugins_configure.ac patch-plugins_video_H.263-1998_h263-1993.cxx patch-plugins_video_MPEG4-ffmpeg_mpeg4.cxx patch-plugins_video_common_dyna.cxx

Log Message:
devel/opal: Fix incompatibility with ffmpeg / Add DragonFly support

Several plugins of Opal weren't building because the function names in
the ffmpeg libraries changed (they were prefixed with "ff_"). These
function names were updated, but a couple of the plugins also needed
changes for a modern gcc. Finally, DragonFly support was added to the
various configuration scripts.