20150501
Support for Linux 4.*, and some simplification for future
makedefs files. Files: makedefs, util/sys_defs.h.
20150718
Security: opportunistic TLS by default uses "medium" or
stronger ciphers instead of "export" or stronger. See the
RELEASE_NOTES file for how to get the old settings back.
Files: global/mail_params.h, proto/TLS_README.html,
proto/postconf.proto, and files derived from those.
20150719
Security: Postfix TLS support by default no longer uses
SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get
the old settings back. Files: global/mail_params.h,
proto/postconf.proto, and files derived from those.
Incompatible change with Postfix 2.11.6 / 3.0.2
-------------------------------------------------
As of the middle of 2015, all supported Postfix releases no longer
enable "export" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
opportunistic TLS.
These changes are very unlikely to cause problems with server-to-server
communication over the Internet, but they may result in interoperability
problems with ancient client or server implementations on internal
networks. To address this problem, you can revert the changes with:
Postfix SMTP client settings:
lmtp_tls_ciphers = export
smtp_tls_ciphers = export
lmtp_tls_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
lmtp_tls_mandatory_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
Postfix SMTP server settings:
smtpd_tls_ciphers = export
smtpd_tls_protocols =
smtpd_tls_mandatory_protocols = !SSLv2
These settings, if put in main.cf, affect all Postfix SMTP client
or server communication, which may be undesirable. To be more
selective, use "-o name=value" parameter overrides on specific
services in master.cf. Execute the command "postfix reload" to make
the changes effective.
- remove backports
- minor cleanups
- always rebuild configure script
- add patch for acinclude.m4 [1]
Changes with Apache 2.2.31 [2]
*) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
[Yann Ylavic, Gregg Smith]
Changes with Apache 2.2.30 (not released)
*) SECURITY: CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters. [Graham Leggett, Yann Ylavic]
*) http: Fix LimitRequestBody checks when there is no more bytes to read.
[Michael Kaufmann <mail michael-kaufmann.ch>]
*) core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts. PR 56241.
[Kaspar Brand]
*) http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done. PR 56035.
[Yann Ylavic]
*) core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body). [Yann Ylavic]
*) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick,
Olli Hauer <ohauer gmx de>]
*) mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
gmail com>, William Rowe, Yann Ylavic]
*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
internationalization. [William Rowe]
*) mod_log_config: Implement logging for sub second timestamps and
request end time. [Rainer Jung]
*) mod_log_config: Ensure that time data is consistent if multiple
duration patterns are used in combination, e.g. %D and %{ms}T.
[Rainer Jung]
*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
[Ben Reser, Rainer Jung]
*) In alignment with RFC 7525, the default recommended SSLCipherSuite
and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
default recommended SSLProtocol and SSLProxyProtocol directives now
exclude SSLv3. Existing configurations must be adjusted by the
administrator. [William Rowe]
*) core: Avoid potential use of uninitialized (NULL) request data in
request line error path. [Yann Ylavic]
*) mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies. [Yann Ylavic]
*) mod_proxy: Add ap_connection_reusable() for checking if a connection
is reusable as of this point in processing. [Jeff Trawick]
*) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
graceful restarts, even if new workers are added, old ones removed, or
the order changes. [Jan Kaluza, Yann Ylavic]
*) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
Yann Ylavic]
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Unless custom parameters are configured, the standardized parameters
are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
*) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite). [Kaspar Brand]
*) mod_ssl: Add support for configuring persistent TLS session ticket
encryption/decryption keys (useful for clustered environments).
[Paul Querna, Kaspar Brand]
*) SSLProtocol and SSLCipherSuite recommendations in the example/default
conf/extra/httpd-ssl.conf file are now global in scope, affecting all
VirtualHosts (matching 2.4 default configuration). [William Rowe]
*) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
selected DB engine. PR 46421. [Jan Kaluza].
*) Turn static function get_server_name_for_url() into public
ap_get_server_name_for_url() and use it where appropriate. This
fixes mod_rewrite generating invalid URLs for redirects to IPv6
literal addresses. PR 52831 [Stefan Fritsch]
*) dav_validate_request: avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
[Ben Reser]
*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
Session ticket creation uses a random key created during web
server startup and recreated during restarts. No other key
recreation mechanism is available currently. Therefore using session
tickets without restarting the web server with an appropriate frequency
(e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
*) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
compile against APR-1.2.x (minimum required version). [Yann Ylavic]
*) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
computed for subsequent requests. PR 56729. [Eric Covener]
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
[2] http://www.apache.org/dist/httpd/CHANGES_2.2.31
With Head apache@
MFH: 2015Q3 ( in case no new issues are reported during the next 7 days )
This version of zeitgeist now bundles libzeitgeist in the port. The
new libzeitgeist was bumped to libzeitgeist-1.0.so -> libzeitgeist-2.0.so.
* deskutils/cairo-dock-plugins: supports both zeitgeist versions.
* net-im/folks: Only supports the new 2.0 libzeitgeist library version. And
this went unnoticed, woops.
* sysutils/libzeitgeist: Remove since it is now bundled in zeitgeist.
* sysutils/qzeitgeist: Update the port for the new zeitgeist API.
* www/midori: Mark the zeitgeist option (non-default) broken until midori
can be updated to a version that supports the new libzeitgeist 2.0
PR: 190729 [1]
Submitted by: olivierd@ [1]
<file> on ELF systems, but this doesn't really do what -export-symbols is
meant to do. On GNU ELF systems it converts <file> to a simple version
script first and then uses -version-script instead of -retain-symbols-file.
Let USES=libtool patch libtool scripts to do this on all systems with GNU
ld(1).
Bump PORTREVISION on all ports where the build log contains -export-symbols.
audio/calf: This port builds a module that now exports only one function,
but it also builds a number of executables that link to this module and
expect to see other functions. Because it's already a bit dodgy to link to
a module (libtool warns about this) let the module continue to export only
one function and instead build an ordinary library from the same source that
the executables can link to. Fix a number of other issues in the same
Makefile.am and clean up the port Makefile.
japanese/scim-honoka: Tries to hide all symbols that start with an
underscore, but because this library is written in C++ all symbols start
with _Z so it ends up hiding everything. Just don't hide anything at all
like the textproc/scim configure script does.
multimedia/schroedinger: Apply an upstream patch.
textproc/scim-input-pad: Same as japanese/scim-honoka.
PR: 201922
Approved by: portmgr (antoine)
Exp-run by: antoine
Process many files in parallel. It is meant for people comfortable
with using a terminal but strives to be as easy to use as humanly
possible.
Ladon is named after the multiheaded serpent dragon from Greek mythology,
slain by Heracles and thrust into the sky as the constellation Draco. His
many heads allow you to efficiently work on many files at once.
WWW: https://github.com/danielgtaylor/ladon
PR: 201906
Submitted by: Carlos Jacobo Puga Medina <cpm@fbsd.es>
- switch to PyPi
- convert to autoplist and limit python version to 2.x
- update WWW urls and package description
Changelog:
2015-05-19 Andres Blanco <ablanco@coresecurity.com>
* Added sendpacket support by default
- always compile in the loader code for win32 dlls on i386:
i386 users can install multimedia/win32-codecs and just use them
with mplayer/mencoder without compile-time knobs
- Bump PORTREVISION
Reported by: Slawa Olhovchenkov <slw@zxy.spb.ru> via personal mail
