LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL,
it doesn't calculate the length of the hostname passed in case
chklen/namelen == 0. This means that the check in MariaDB always
fails if built against LibreSSL. This forces administrators to disable
hostname verification, which weakens security (hence the MFH request below).
Note that the fix has no negative implications if built against OpenSSL,
as its implementation calls strlen(hostname) in case namelen == 0.
See also https://github.com/MariaDB/server/pull/562
Approved by: ssl blanket
MFH: 2018Q1
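The length handling described in the commit message above, as an added example that is not part of the commit or of the MariaDB, OpenSSL or LibreSSL sources: a simplified C model in which the two check functions, the certificate name and the caller are hypothetical stand-ins for X509_check_host and its use. It shows why a caller that always passes the real hostname length gets the same result under either behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the dNSName a server certificate would carry. */
static const char CERT_DNS_NAME[] = "db.example.org";

/* Case-insensitive compare of exactly len bytes of host with the name. */
static int name_matches(const char *host, size_t len)
{
    if (len != strlen(CERT_DNS_NAME))
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)host[i]) !=
            tolower((unsigned char)CERT_DNS_NAME[i]))
            return 0;
    return 1;
}

/* Model of the OpenSSL behaviour: namelen == 0 means "call strlen". */
int model_check_strlen_on_zero(const char *host, size_t len)
{
    if (len == 0)
        len = strlen(host);
    return name_matches(host, len);
}

/* Model of the LibreSSL behaviour: the length is used exactly as given,
 * so 0 compares an empty name and can never match. */
int model_check_literal_len(const char *host, size_t len)
{
    return name_matches(host, len);
}

/* Hypothetical caller: always pass the real length, never 0. */
int verify_peer_host(int (*check)(const char *, size_t), const char *host)
{
    return host != NULL && check(host, strlen(host));
}

int main(void)
{
    const char *h = "db.example.org";
    printf("len 0, strlen-on-zero: %d\n", model_check_strlen_on_zero(h, 0));
    printf("len 0, literal length: %d\n", model_check_literal_len(h, 0));
    printf("strlen, literal length: %d\n",
           verify_peer_host(model_check_literal_len, h));
    return 0;
}
```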
(via Mk/bsd.default-versions.mk and lang/gcc) which has moved from
GCC 5.4 to GCC 6.4 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++11-lang,
c++14-lang, c++0x, c11, or gcc-c++11-lib.
PR: 219275
databases/mysqlwsrep56-server has been present for some time and
databases/mysqlwsrep57-server has been added recently. Both ports
conflict with other MySQL server ports and this has been reflected
in databases/mysqlwsrep5[67]-server/Makefile but must also be
reflected in all conflicting ports' Makefiles as well.
The conflicting ports are:
databases/mariadb100-server
databases/mariadb101-server
databases/mariadb102-server
databases/mariadb55-server
databases/mysql55-server
databases/mysql56-server
databases/mysql57-server
databases/mysql80-server
databases/percona55-server
databases/percona56-server
databases/percona57-server
There are not going to be mysqlwsrep*-client* ports (because the vanilla
mysql*-client* ports suffice), so the entry in CONFLICTS just reads
mysqlwsrep*.
PR: 220791
Submitted by: vd
Approved by: brnrd, ale (maintainer timeout), feld (maintainer timeout), flo, mmokhi, koobs
lang/gcc which have moved from GCC 4.9.4 to GCC 5.4 (at least under some
circumstances such as versions of FreeBSD or platforms).
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn has USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++14-lang,
c++11-lang, c++0x, c11, or gcc-c++11-lib.
PR: 216707
- Update to 10.1.21
- Fix patches that no longer cleanly apply
- Rename patches to new naming scheme
MFH: 2017Q1
Security: 4d2f9d09-ddb7-11e6-a9a5-b499baebfeaf
The only reason to use post-stage is because the port needs to do
"things" at a later time, like some plist manipulation.
While there, fold post-install in do-install targets when they are
defined.
PR: 214780
Submitted by: mat
Exp-run by: antoine
Sponsored by: Absolight
- Update to 10.1.19
- Use target-OPT-on not .if exists
- Remove OQGraph patches now included upstream
MFH: 2016Q4
Security: 9bc14850-a070-11e6-a881-b499baebfeaf
Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as
it supports RAND_SSLeay only for ABI compatibility [0].
Note that the code in question in mariadb mentions that RAND_bytes
isn't guaranteed to not block and therefore uses these functions directly.
As LibreSSL implements RAND_bytes in terms of arc4random_buf, which
shouldn't block, the patch could also use RAND_bytes instead of
using arc4random_buf directly, but the current version of the patch
has been tested in production and might be less confusing overall.
Bumped revision, as this fixes a runtime problem.
[0] https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36
PR: 213577
Approved by: ssl blanket
There were 5 new programs built and installed by both the client and
the server. This is not a unique case. Previously they were allocated
to the client and removed by the post-install target of the server. In
this case, they've already been allocated to the server, so we need a
new post-install target for the client to remove them from the stage
directory so stage-QA checks pass.
While here, remove the now-unnecessary DragonFly configure argument
and change the backtick in a comment to an apostrophe to avoid the
makefile being interpreted as a shell script by some editors. Also
remove redundant forward slashes on the server post-install target.
Approved by: just-fix-it
The intent was to check for GSSAPI BASE option set on FreeBSD 9, but
the effect was an IGNORE set for all non-FreeBSD platforms. Fix the
logic to its original intent under the just-fix-it blanket.