They affect different Tomcat versions from 7.x branch, so don't let
users of VuXML be fooled on the affected software for each vulnerability.
Feature safe: yes
vulnerabilities that could cause a crash and potentially allow an
attacker to take control of the affected system.
Submitted by: Tsurutani Naoki <turutani scphys kyoto-u ac jp>
BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
vulnerable to a software defect that allows a crafted query to
crash the server with a REQUIRE assertion failure. Remote
exploitation of this defect can be achieved without extensive
effort, resulting in a denial-of-service (DoS) vector against
affected servers.
Security: 2892a8e2-3d68-11e2-8e01-0800273fe665
CVE-2012-5688
Feature safe: yes
Security update to fix a heap corruption bug with invalid base64 input,
reported and fixed by Julius Plenz, FU Berlin, Germany.
Feature safe: yes
Security: CVE-2012-5468
Security: f524d8e0-3d83-11e2-807a-080027ef73ec
- Bump PORTREVISION
Changes:
- CVE-2006-7243
PHP before 5.3.4 accepts the \0 character in a pathname, which might allow
context-dependent attackers to bypass intended access restrictions by placing a
safe file extension after this character, as demonstrated by .php\0.jpg at the
end of the argument to the file_exists function
Security 3761df02-0f9c-11e0-becc-0022156e8794 fixed by check in fopen functions
for strlen(filename) != filename_len
- CVE-2012-4388
The sapi_header_op function in main/SAPI.c does not properly determine a pointer
during checks for %0D sequences (aka carriage return characters), which allows
remote attackers to bypass an HTTP response-splitting protection mechanism via a
crafted URL. This vulnerability exists because of an incorrect fix for
CVE-2011-1398.
- Timezone database updated to version 2012.9 (2012i)
PR: ports/173685
Submitted by: Svyatoslav Lempert <svyatoslav.lempert@gmail.com>
Approved by: maintainer
Feature safe: yes
- Update seamonkey to 2.14
- Update ESR ports and libxul to 10.0.11
- support more h264 codecs when using GSTREAMER with YouTube
- Unbreak firefox-esr, thunderbird-esr and libxul on head >= 1000024 [1]
- Buildsystem is not python 3 aware, use python up to 2.7 [2]
PR: ports/173679 [1]
Submitted by: swills [1], demon [2]
In collaboration with: Jan Beich <jbeich@tormail.org>
Security: d23119df-335d-11e2-b64c-c8600054b392
Approved by: portmgr (beat)
Feature safe: yes
when receiving a special colored message.
The maintainer was contacted but due to the nature of
the issue apply the patch ASAP.
Approved by: secteam-ports (swills)
Security: e02c572f-2af0-11e2-bb44-003067b2972c
Feature safe: yes
while here:
- trim Makefile header
- remove indefinite article in COMMENT
- remove IGNORE_WITH_PHP and IGNORE_WITH_PGSQL since
we do not have these versions in the tree anymore
- fix pkg-plist
- add vuxml entry
PR: 173211
Submitted by: Rick van der Zwet <info at rickvanderzwet dot nl> [1]
Approved by: Nick Hilliard <nick at foobar dot org> (maintainer)
Security: 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5
Feature safe: yes
- Update seamonkey to 2.13.2
- Update ESR ports and libxul to 10.0.10
- Update nspr to 4.9.3
- Update nss to 3.14
- with GNOMEVFS2 option build its extension, too [1]
- make heap-committed and heap-dirty reporters work in about:memory
- properly mark QT4 as experimental (needs love upstream)
- *miscellaneous cleanups and fixups*
mail/thunderbird will be updated once the tarballs are available.
PR: ports/173052 [1]
Security: 6b3b1b97-207c-11e2-a03f-c8600054b392
Feature safe: yes
In collaboration with: Jan Beich <jbeich@tormail.org>
All users are encouraged to upgrade immediately.
- add vuxml entry
changes common for both ports:
- trim Makefile header
- strict python version to 2.x only
- utilize options framework multiple choice feature to let the user choose
database backends needed. Make SQLITE option default
- shorten description of HTMLDOCS_DESC to make it fit into dialog screen
- SITELIBDIR -> PKGNAMEPREFIX change in dependencies
- convert NOPORTDOCS condition to optionsng
- tab -> space change in pkg-descr
PR: 173017
Submitted by: rm (myself)
Approved by: lwhsu (maintainer, by mail)
Security: 5f326d75-1db9-11e2-bc8f-d0df9acfd7e5
Feature safe: yes
- Update firefox and thunderbird to 16.0
- Update seamonkey to 2.13
- Update all -i18n ports respectively
- switch firefox 16.0 and seamonkey 2.13 to ALSA by default for better
latency during pause and seeking with HTML5 video
- remove fedisableexcept() hacks, obsolete since FreeBSD 4.0
- support system hunspell dictionaries [1]
- unbreak -esr ports with clang3.2 [2]
- unbreak nss build when CC contains full path [3]
- remove GNOME option grouping [4]
- integrate enigmail into thunderbird/seamonkey as an option [5]
- remove mail/enigmail* [6]
- enable ENIGMAIL, LIGHTNING and GIO options by default
- add more reporters in about:memory: page-faults-hard, page-faults-soft,
resident, vsize
- use bundled jemalloc 3.0.0 on FreeBSD < 10.0 for gecko 16.0,
only heap-allocated reporter works in about:memory (see bug 762445)
- use lrintf() instead of slow C cast in bundled libopus
- use libjpeg-turbo's faster color conversion if available during build
- record startup time for telemetry
- use -z origin instead of hardcoding path to gecko runtime
- fail early if incompatible libxul version is installed (in USE_GECKO)
- *miscellaneous cleanups and fixups*
PR: ports/171534 [1]
PR: ports/171566 [2]
PR: ports/172164 [3]
PR: ports/172201 [4]
Discussed with: ale, beat, Jan Beich [5]
Approved by: ale [6]
In collaboration with: Jan Beich <jbeich@tormail.org>
Security: 6e5a9afd-12d3-11e2-b47d-c8600054b392
Feature safe: yes
Approved by: portmgr (beat)
- Deprecate and schedule removal in a month - no upstream fix available and
no active development since 1998
Security: 73efb1b7-07ec-11e2-a391-000c29033c32
Security: CVE-2001-0733
Security: http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml
- Add and update relevant vuxml entries
Changes:
- CVE-2011-1398 - The sapi_header_op function in main/SAPI.c in PHP
before 5.3.11 does not properly handle %0D sequences
- CVE-2012-0789 - Memory leak in the timezone functionality in PHP
before 5.3.9 allows remote attackers to cause a denial of service
(memory consumption) by triggering many strtotime function calls,
which are not properly handled by the php_date_parse_tzfile cache.
- CVE-2012-3365 - The SQLite functionality in PHP before 5.3.15 allows
remote attackers to bypass the open_basedir protection mechanism via
unspecified vectors
- Timezone database updated to version 2012.5 (2012e) (from 2011.13 (2011m))
- Minor improvements (CVE-2012-2688, compilation issues with old GCC)
PR: ports/171583
Submitted by: Svyatoslav Lempert <svyatoslav.lempert@gmail.com>
Approved by: Alex Keda <admin@lissyara.su> (maintainer)