Four new serious security alerts were issued today for phpMyAdmin. Two of them, PMASA-2013-2 and PMASA-2013-3, are documented in this commit to vuln.xml:
- Remote code execution via preg_replace().
- Locally Saved SQL Dump File Multiple File Extension Remote Code Execution.
The other two, PMASA-2013-4 and PMASA-2013-5, only affect PMA 4.0.0 pre-releases earlier than 4.0.0-rc3, which are not available through the ports.
- Convert to new options framework
sieve-connect was not actually verifying that TLS certificate identities matched the expected hostname. Changes with the new version:
Fix TLS verification; find server by own hostname & SRV.
* TLS hostname verification was not actually happening.
* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).
* By default, if no server specified, before falling back to localhost try to use the current hostname and SRV records in DNS to figure out if Sieve is available. Checks for sieve, imaps & imap protocol SRV records and honours target==. to mean "no".
* This works better with the Mozilla::PublicSuffix module installed.
* Added ability to blacklist authentication mechanisms
More info:
http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html
PR: ports/177859
Submitted by: "Alexey V. Degtyarev" <alexey@renatasystems.org> (maintainer)
Approved by: portmgr (implicit)
Security: a2ff483f-a5c6-11e2-9601-000d601460a4
- Replace links to changelog and commit with a link to the official announcement (which also links to the commit)
- Replace the description with a sentence lifted from the announcement.
Approved by: portmgr (tabthorpe)
- Subversion 1.6.21 security update [2]
This release addresses the following security issues:
[1][2] CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
[1][2] CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
[1][2] CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
[1][2] CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
[1] CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request
More information on these vulnerabilities, including the relevant advisories and potential attack vectors and workarounds, can be found on the Subversion security website:
http://subversion.apache.org/security/
PR: 177646
Submitted by: ohauer
Approved by: portmgr (tabthorpe, erwin), lev
Security: b6beb137-9dc0-11e2-882f-20cf30e32f6d
17.0.5
- update firefox to 20.0
- update seamonkey and linux-seamonkey to 2.17
- update nspr to 4.9.6
- remove mail/thunderbird-esr, Mozilla stopped providing 2 versions of thunderbird
- prune support for old FreeBSD versions; users of 8.2, 7.4 or earlier are advised to upgrade - http://www.freebsd.org/security/
- add vuln.xml entry
Security: 94976433-9c74-11e2-a9fc-d43d7e0c7c02
Approved by: portmgr (miwi)
In collaboration with: Jan Beich <jbeich@tormail.org>
"This release adds support for PolarSSL 1.2. It also adds a fix to prevent potential side-channel attacks by switching to a constant-time memcmp when comparing HMACs in the openvpn_decrypt function. In addition, it contains several bugfixes and documentation updates, as well as some minor enhancements."
Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
The port upgrade also offers an option to use the GPLv2+-licensed PolarSSL instead of OpenSSL (which brings in a license mix).
PR: ports/177517
Reviewed by: miwi
Approved by: portmgr (miwi)
Security: 92f30415-9935-11e2-ad4c-080027ef73ec
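The constant-time HMAC comparison the release note refers to, as an added illustration that is not taken from OpenVPN's source: the early-exit memcmp shape (whose running time depends on where the first mismatching byte sits) beside a constant-time equivalent that always touches every byte. The 20-byte tag values are constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: memcmp stops at the first differing byte, so the
 * elapsed time leaks how many leading bytes of a guessed tag were right.
 * Kept only to show the shape being replaced; not for secret comparison. */
static int leaky_tag_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* Constant-time comparison: OR-accumulates every byte difference with no
 * data-dependent branch, then folds the result to 1 (equal) or 0 (differ).
 * ((unsigned)diff - 1u) >> 8 is non-zero only when diff == 0. */
static int ct_tag_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

/* Receiver-side check: the tag length is public, so comparing lengths first
 * is fine; only the tag bytes themselves need constant-time handling. */
static int hmac_tag_verify(const uint8_t *expected, size_t exp_len,
                           const uint8_t *received, size_t recv_len)
{
    if (exp_len != recv_len)
        return 0;
    return ct_tag_equal(expected, received, exp_len);
}

int main(void)
{
    /* Constructed sample: a 20-byte tag and a copy with the last byte flipped. */
    uint8_t tag[20], bad[20];
    for (size_t i = 0; i < sizeof tag; i++)
        tag[i] = (uint8_t)(0xA5 ^ (i * 37));
    memcpy(bad, tag, sizeof tag);
    bad[19] ^= 0x01;

    printf("leaky  same=%d diff=%d\n",
           leaky_tag_equal(tag, tag, 20), leaky_tag_equal(tag, bad, 20));
    printf("ct     same=%d diff=%d verify=%d short=%d\n",
           ct_tag_equal(tag, tag, 20), ct_tag_equal(tag, bad, 20),
           hmac_tag_verify(tag, 20, tag, 20), hmac_tag_verify(tag, 20, tag, 19));
    return 0;
}
```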
Add patch to fix CVE-2013-0338 and CVE-2013-0339. [2]
Convert to OptionsNG, rename patches to standard form. [1]
Notified by: swills@ [2]
Obtained from: gnome team repo [1]
Security: 843a4641-9816-11e2-9c51-080027019be0
* Update to 0.6.21
* Add LICENSE
* Switch to OptionsNG and PORTDOCS
- Document libexif 2012-07-12 vulnerability
- Bump PORTREVISION for libexif related ports
- Trim headers while here
PR: ports/175910
Approved by: swills (mentor)
Security: d881d254-70c6-11e2-862d-080027a5ec9a