http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
Announcement-ID: PMASA-2011-2
Date: 2011-02-11
Summary
SQL query could be executed under another user.
Description
It was possible to create a bookmark which would be executed
unintentionally by other users.
Severity
We consider this vulnerability to be critical.
PR: ports/154695
Submitted by: me
Approved by: maintainer
2011-02-04 databases/qt-ibase-plugin: Port is broken on all supported versions of FreeBSD
2011-02-04 devel/ace+tao: Outdated and does not compile on any supported version of FreeBSD
2011-02-04 graphics/ray++: Does not compile on supported versions of FreeBSD
2011-02-04 japanese/oleo: Does not compile on supported versions of FreeBSD
2011-02-04 lang/dylan: does not build
2011-02-04 multimedia/jahshaka: Does not compile on supported versions of FreeBSD
Feature safe: yes
This update includes a security fix which prevents a buffer overrun in
the contrib module intarray's input function for the query_int type.
This bug is a security risk since the function's return address could
be overwritten by malicious code.
All supported versions of PostgreSQL are impacted. However, the
affected contrib module is optional. Only users who have installed the
intarray module in their database are affected. See the CVE Advisory
at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4015
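The announcement's scoping rule (only databases in which contrib/intarray was loaded are exposed) can be verified directly from the system catalogs. The queries below are an added example and are not part of the PostgreSQL announcement or of the port; they assume a 9.0-era server, where a contrib module is installed per database by running its SQL script, so the second query has to be repeated in every database that allows connections.

```sql
-- Added example (not from the PostgreSQL announcement): locate databases
-- where contrib/intarray is loaded. Assumes the pre-9.1 contrib model, in
-- which the module's objects are created per database by its SQL script.

-- 1. From any database: list every database the check must be run in.
SELECT datname
FROM   pg_database
WHERE  datallowconn;

-- 2. Inside each of those databases: is the query_int type present, and
--    which function is wired up as its input function (the function the
--    CVE-2010-4015 fix hardens)?
SELECT current_database()      AS database,
       version()               AS server_version,
       n.nspname               AS schema,
       t.typname               AS type_name,
       t.typinput::regproc     AS input_function
FROM   pg_type      t
JOIN   pg_namespace n ON n.oid = t.typnamespace
WHERE  t.typname = 'query_int';

-- No rows: intarray is not loaded here, so this database is not affected.
-- A row:   upgrade to the fixed release (9.0.3 for the 9.0 branch, per the
--          announcement above), or remove the module from the database if
--          nothing depends on it.
```

Presence, not privilege, is the exposure criterion: on a server of that era any role that can connect and reference the type reaches the input function through an ordinary cast such as `'1&2'::query_int`, so a single database with the module loaded is enough to require the upgrade.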
This release includes 63 bugfixes, including:
- Avoid unexpected conversion overflow in planner for distant date values
- Fix assignment to an array slice that is before the existing range
of subscripts
- Fix pg_restore to do the right thing when escaping large objects
- Avoid failures when EXPLAIN tries to display a simple-form CASE expression
- Improved build support for Windows version
- Fix bug in contrib/seg's GiST picksplit algorithm which caused
performance degradation
The 9.0.3 update also contains several fixes for issues with features
introduced or changed in version 9.0:
- Ensure all the received WAL is fsync'd to disk before exiting walreceiver
- Improve performance of walreceiver by avoiding excess fsync activity
- Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed
- Fix EvalPlanQual for UPDATE of an inheritance tree when the tables
are not all alike
PR: ports/154436
Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4015
Feature safe: yes
Approved by: portmgr
It is minimalistic because it just adds minimal support for the protocol,
but at the same time it uses a high level printf-alike API in order to make
it much higher level than otherwise suggested by its minimal code base and
the lack of explicit bindings for every Redis command.
Apart from supporting sending commands and receiving replies, it comes with
a reply parser that is decoupled from the I/O layer. It is a stream parser
designed for easy reusability, which can for instance be used in higher
level language bindings for efficient reply parsing.
Hiredis only supports the binary-safe Redis protocol, so you can use it with
any Redis version >= 1.2.0.
The library comes with multiple APIs. There is the synchronous API, the
asynchronous API and the reply parsing API.
WWW: https://github.com/antirez/hiredis
PR: ports/153535
Submitted by: Grzegorz Blach <magik at roorback.net>
Feature safe: yes
It is a Web and Web services based application for reporting, data analysis
(OLAP UI and server) and data integration.
WWW: http://jasperforge.org/projects/jasperserver
PR: ports/150208
Submitted by: Jason Helfman
Feature safe: yes
databases as a single cluster.
WWW: http://projects.2ndquadrant.com/repmgr
PR: ports/154074
Submitted by: Alexander Pyhalov <alp@sfedu.ru>
Feature safe: yes
Redis::hiredis is a simple wrapper around Salvatore Sanfilippo's hiredis C
client that allows connecting and sending any command just like you would
from a command line Redis client.
WWW: http://search.cpan.org/dist/Redis-hiredis/
PR: ports/153536
Submitted by: Grzegorz Blach <magik@roorback.net>
Feature safe: yes
You can easily dump your data into a backup file and - if needed - restore it.
It is especially suited for shared hosting webspaces, where you don't
have shell access. MySQLDumper is an open source project and released
under the GNU-license.
WWW: http://www.mysqldumper.net/
PR: ports/153811
Submitted by: Marek Holienka <marekholienka@gmail.com>
Feature safe: yes
support 'json' command which in turn spits output in json
format.
PORTREVISION not bumped as the default build was not
changed.
- While I'm there remove MD5 checksum.
Approved by: maintainer
Feature safe: yes
by correctly implementing pthread_once (see PR threads/150959).
While I'm here, replace CONFLICTS with CONFLICTS_INSTALL.
Bump PORTREVISION.
PR: ports/153588
Submitted by: Richard Anthony Secor <rsecor@seqlogic.com>
- The debugger has been enhanced using json_encode.
- TTL fix for redis cache code.
PR: ports/153783
Submitted by: Nicolas de Bari Embriz <nbari _at_ dalmp.com> (maintainer)
2010-12-30 databases/p5-sqlrelay: broken and upstream disappeared
2010-12-30 devel/php-dbg2: No upstream support
2010-12-30 dns/fourcdns: upstream has disappeared
2010-12-31 emulators/win4bsd: Development has ceased and distfile is no longer available
2010-12-31 french/mozilla-flp: www/seamonkey port is deprecated. Consider using the www/firefox-i18n.
2010-12-31 french/xtel: Minitel services will be discontinued at the end of 2010.
2010-12-30 ftp/ftpq: upstream has disappeared
2010-12-30 graphics/paintlib: does not compile with new tiff and no more maintained upstream
2010-12-30 graphics/g3dviewer: does not build with gcc 4.2, upstream disappeared
2010-12-30 lang/scriba: Does not compile with gcc 4.2+, looks like abandonware
2010-12-30 math/rascal: Broken on every arch since 2008, looks like an abandonware
2010-12-31 net-mgmt/nrg: Project has vanished. Use cacti instead.
2010-12-31 security/hostsentry: Project is dead.
2010-12-31 sysutils/kcube: Project has vanished
2010-12-31 www/cybercalendar: has been unmaintained since 2001 and is unusable with dates after 2010 (see ports/150974)
2010-12-31 www/flock: Flock 3 moves from Firefox to Chromium
2010-12-31 www/linux-flock: Flock 3 moves from Firefox to Chromium
2010-12-30 x11-clocks/xtu: Looks like abandonware
Leave java/tya in for now, as it has outstanding PRs.
- Instead of replacing all /usr/local occurrences in the SConstruct file, use the
  --prefix argument
- Get rid of manual installation and use scons install instead
- Strip binaries on FreeBSD as scons was doing for Solaris and Linux
- Add a new OPTION (off by default) called DEVEL to install library and header
files, it's useful when you need to link binaries against libmongoclient
- Bump PORTREVISION since pkg-plist has changed
PR: ports/153525
Submitted by: garga@
Approved by: maintainer
Major changes:
- new installation layout, resembling RPM packages:
- client = Client Utilities + Development Libraries + Shared components
- server = MySQL Server + Embedded
- new build system: cmake instead of autotools
- fewer port knobs
Expect various breakages, but if we are lucky this could become the new default
mysql port.
Riak is a Dynamo-inspired key/value store that scales predictably and easily.
Riak also simplifies development by giving developers the ability to quickly
prototype, test, and deploy their applications. A truly fault-tolerant system,
Riak has no single point of failure. No machines are special or central in
Riak, so developers and operations professionals can decide exactly how
fault-tolerant they want and need their applications to be.
WWW: https://github.com/basho/riak-python-client
PR: ports/153342
Submitted by: TJ Ninneman <tj@harperdog.com>
SQL::Abstract. Declare 'use SQL::Abstract::Plugin::InsertMulti;' with
'use SQL::Abstract;', exporting insert_multi() and update_multi()
methods to SQL::Abstract namespace from
SQL::Abstract::Plugin::InsertMulti.
The plugin system depends on the 'into' option of Sub::Exporter.
WWW: http://search.cpan.org/dist/SQL-Abstract-Plugin-InsertMulti/
handle by simply calling the database keyword within your Dancer application.
Returns a Dancer::Plugin::Database::Handle object, which is a subclass of DBI's
DBI::db connection handle object, so it does everything you'd expect to do with
DBI, but also adds a few convenience methods. See the documentation for
Dancer::Plugin::Database::Handle for full details of those.
WWW: http://search.cpan.org/dist/Dancer-Plugin-Database
Firebird is a relational database offering many ANSI SQL-99 features
that runs on Linux, Windows, and a variety of Unix platforms. Firebird
offers excellent concurrency, high performance, and powerful language
support for stored procedures and triggers. It has been used in
production systems, under a variety of names since 1981.
Firebird is completely free of any registration, licensing or deployment
fees. It may be deployed freely for use with any third-party software,
whether commercial or not.
WWW: http://sourceforge.net/projects/firebird/
WWW: http://www.firebirdsql.org/
PR: 152403
Submitted by: Max Kochubey <root at hangover.org.ru>
Firebird is a relational database offering many ANSI SQL-99 features
that runs on Linux, Windows, and a variety of Unix platforms. Firebird
offers excellent concurrency, high performance, and powerful language
support for stored procedures and triggers. It has been used in
production systems, under a variety of names since 1981.
Firebird is completely free of any registration, licensing or deployment
fees. It may be deployed freely for use with any third-party software,
whether commercial or not.
WWW: http://sourceforge.net/projects/firebird/
WWW: http://www.firebirdsql.org/
PR: 152402
Submitted by: Max Kochubey <root at hangover.org.ru>
- Take maintainership
- Avoid conflicts with GEOM and sysutils/coreutils [1] gstat commands
- Clean up
Reported by: Jan Henrik Sylvester <me at janh.de> [1]
language for relational databases. The target audience for HTSQL is the
accidental programmer -- one who is not a SQL expert, yet needs a usable,
comprehensive query tool for data access and reporting.
WWW: http://htsql.org/
MyBatis is a first class persistence framework with support for custom
SQL, stored procedures and advanced mappings. MyBatis eliminates almost
all of the JDBC code and manual setting of parameters and retrieval of
results. MyBatis can use simple XML or Annotations for configuration and
map primitives, Map interfaces and Java POJOs (Plain Old Java Objects)
to database records.
WWW: http://www.mybatis.org/
retrieve data. It does this by using a table called __Store__. Once connected
to a database, it will detect if this table is missing and create it if
necessary.
When writing data to the store, the data (a HASH reference) is first
serialized using JSON and then inserted/updated via DBIx::Class to (currently)
an SQLite backend.
Retrieving data from the store is done by key lookup or by searching an
SQL-based index. Once found, the data is deserialized via JSON and returned.
WWW: http://search.cpan.org/dist/DBIx-NoSQL/
provide a library with a high level of usability, good internal error
handling and to emulate similar libraries available for other languages
to provide an easy migration of MySQL based systems into the Go language.
WWW: https://github.com/Philio/GoMySQL
Along with Qt4 the following ports are updated:
PyQt4 ports to 4.8.1
devel/py-sip to 4.11.2
devel/qscintilla2 to 2.4.5
PyKDE3 to 3.16.7
PyQt3 to 3.18.2-snapshot-20091119
New ports added:
devel/qt4-declarative
devel/py-qt4-declarative
x11/qt4-graphicssystems-opengl
This release has been contributed by:
Thomas Abthorpe (tabthorpe)
Max Brazhnikov (makc)
Dima Panov (fluffy)
Alberto Villa (avilla)
We'd like to thank Martin Wilke (miwi) for exp-run.