- update seamonkey to 2.21
- update firefox-esr to 17.0.9
- enable GSTREAMER by default for html5 with h264/aac/mp3
- WEBRTC is now always built
- add PROFILE and TESTS options
Security: 7dfed67b-20aa-11e3-b8d8-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>
- update devel/subversion17 to 1.7.13 [1]
- add vuxml entry
Version 1.7.13
(29 Aug 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES
User-visible changes:
- General
* merge: fix bogus mergeinfo with conflicting file merges (issue #4306)
* diff: fix duplicated path component in '--summarize' output (issue #4408)
* ra_serf: ignore case when checking certificate common names (r1514763)
- Server-side bugfixes:
* svnserve: fix creation of pid files (r1516556)
* mod_dav_svn: better status codes for commit failures (r1490684)
* mod_dav_svn: do not map requests to filesystem (r1512432 et al)
Developer-visible changes:
- General:
* support linking against gssapi on Solaris 10 (r1515068)
* don't use uninitialized variable to produce an error code (r1482282)
- Bindings:
* swig-pl: fix SVN::Client not honoring config file settings (r150744)
* swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)
Version 1.8.3
(29 August 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES
User-visible changes:
- Client- and server-side bugfixes:
* translation updates for Swedish
* enforce strict version equality between tools and libraries (r1502267)
* consistently output revisions as "r%ld" in error messags (r1499044 et al)
- Client-side bugfixes:
* status: always use absolute paths in XML output (issue #4398)
* ra_serf: 'svn log -v' fails with a 1.2.x server (issue #4044)
* ra_serf: fix crash when committing cp with deep deletion (issue #4400)
* diff: issue an error for files that can't fit in memory (r1513119 et al)
* svnmucc: generate proper error for mismatched URLs (r1511353)
* update: fix a crash when a temp file doesn't exist (r1513156)
* commit & update: improve sleep for timestamps performance (r1508438)
* diff: continue on missing or obstructing files (issue #4396)
* ra_serf: use runtime serf version for User-Agent (r1514315, r1514628)
* ra_serf: ignore case when checking certificate common names (r1514763)
* ra_serf: format distinguished names properly (r1514804)
* ra_serf: do not retry HTTP requests if we started to parse them (r1503318)
* ra_serf: output ssl cert verification failure reason (r1514785 et al)
* ra_serf: allow session reuse after SVN_ERR_CEASE_INVOCATION (r1502901)
* ra_serf: include library version in '--version' output (r1514295 et al)
* info: fix spurious error on wc root with child in conflict (r1515366)
- Server-side bugfixes:
* svnserve: fix creation of pid files (r1516556)
* svnadmin: fix output encoding in non-UTF8 environments (r1506966)
* svnsync: fix high memory usage when running over ra_serf (r1515249 et al)
* mod_dav_svn: do not map requests to filesystem (r1512432 et al)
* svnauthz: improve help strings (r1511272)
* fsfs: fixed manifest file growth with revprop changes (r1513874)
* fsfs: fix packed revprops causing loss of revprops (r1513879 et al)
- Other tool improvements and bugfixes:
* svnwcsub/irkerbridge: fix symlink attack via pid file (r175 from upstream)
Developer-visible changes:
- General:
* describe APR unimplemented errors as coming from APR (r1503010 et al)
* mod_dav_svn: update INSTALL to reflect configure defaults (r1515141)
* davautocheck: use the correct apxs binary by default (r1507889, r1507891)
- API changes:
* svn_config_walk_auth_data() config_dir arg: permit NULL (r1507382 et al)
- Bindings:
* swig-pl: fix SVN::Client not honoring config file settings (r150744)
* swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)
Approved by: lev@ (explicit per PM)
Security: f8a913cc-1322-11e3-8ffa-20cf30e32f6d
CVE-2013-4277 [1]
incorrect, and the topic description does not need too many details
since that is explained in the description itself.
Also correct the url's since c comes before u ;-)
Prodded by: stas
- update firefox-esr, thunderbird and libxul to 17.0.8
- update seamonkey to 2.20
- fix plist for *-i18n
Security: 0998e79d-0055-11e3-905b-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>
Quoting the upstream's change log:
- Security fix: prevent a nefarious SSH server or network attacker from
crashing PuTTY at startup in three different ways by presenting a maliciously
constructed public key and signature.
- Security fix: PuTTY no longer retains the private half of users' keys in
memory by mistake after authenticating with them.
- Revamped the internal configuration storage system to remove all fixed
arbitrary limits on string lengths. In particular, there should now no longer
be an unreasonably small limit on the number of port forwardings PuTTY can
store.
- Port-forwarded TCP connections which close one direction before the other
should now be reliably supported, with EOF propagated independently in the
two directions. This also fixes some instances of port-forwarding data
corruption (if the corruption consisted of losing data from the very end of
the connection) and some instances of PuTTY failing to close when the session
is over (because it wrongly thought a forwarding channel was still active
when it was not).
- The terminal emulation now supports xterm's bracketed paste mode (allowing
aware applications to tell the difference between typed and pasted text, so
that e.g. editors need not apply inappropriate auto-indent).
- You can now choose to display bold text by both brightening the foreground
colour and changing the font, not just one or the other. - PuTTYgen will now
never generate a 2047-bit key when asked for 2048 (or more generally n−1 bits
when asked for n).
- Some updates to default settings: PuTTYgen now generates 2048-bit keys by
default (rather than 1024), and PuTTY defaults to UTF-8 encoding and 2000
lines of scrollback (rather than ISO 8859-1 and 200).
- Unix: PSCP and PSFTP now preserve the Unix file permissions, on copies in
both directions.
- Unix: dead keys and compose-character sequences are now supported.
- Unix: PuTTY and pterm now permit font fallback (where glyphs not present in
your selected font are automatically filled in from other fonts on the
system) even if you are using a server-side X11 font rather than a Pango
client-side one.
- Bug fixes too numerous to list, mostly resulting from running the code
through Coverity Scan which spotted an assortment of memory and resource
leaks, logic errors, and crashes in various circumstances.
Security: 4b448a96-ff73-11e2-b28d-080027ef73ec
Security: CVE-2013-4206
Security: CVE-2013-4207
Security: CVE-2013-4208
Security: CVE-2013-4852
- some small Makefile cleanups
- add vuxml entry
Vulnerability Types: Cross-Site Scripting, Remote Code Execution
Overall Severity: Critical
Vulnerable subcomponent: Third Party Libraries used for audio and video playback
Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
Vulnerability Type: Remote Code Execution by arbitrary file creation
Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
Severity: Critical
PR: ports/180951
ports/180952
ports/180953
Submitted by: Helmut Ritter <freebsd-ports@charlieroot.de> (maintainer)
Security: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/
CVE-2011-3642
CVE-2013-1464
ChangeLog: http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.5/phpMyAdmin-4.0.5-notes.html/download
SecurityAdvisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php
- Deprecate databases/phpmyadmin35
This version is vulnerable to the 'clickjacking protection bypass'
problem fixed in 4.0.5, but the development team will not be
publishing a fix. "We have no solution for 3.5.x, due to the proposed
solution requiring JavaScript. We don't want to introduce a dependency
to JavaScript in the 3.5.x family."
Therefore deprecate this port and set expiry for one month. Please
upgrade to 4.0.5 instead.
Security: 17326fd5-fcfb-11e2-9bb9-6805ca0b3d42
below 3.2.2 was a match, including all 2.7.x versions. It also appears that
there is no puppet27 version, just puppet-2.7.x and puppet-3.2.x instead.
Bump modification date.
PR: 180958
Submitted by: Kan Sasaki <sasaki@fcc.ad.jp>
This is a security release by upstream, and requires configuration changes
in addition to the software update. See UPDATING.
Reviewed by: ports-security (zi, remko)
Approved by: hrs (mentor, ports committer)
- new modules: mod_cache_socache, mod_macro and mod_proxy_wstunnel
- add enty to vuxml
SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault.
SECURITY: CVE-2013-2249 (cve.mitre.org)
mod_session_dbd: Make sure that dirty flag is respected when saving
sessions, and ensure the session ID is changed each time the session
changes. This changes the format of the updatesession SQL statement.
Existing configurations must be changed.
Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.6
with hat apache@
Security: ca4d63fb-f15c-11e2-b183-20cf30e32f6d
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
Update to apache22-2.2.25 is ready to commit.
Until now there is no official announcement from apache.org
so we hold the update back until we have official checksums.
now so that users can build the port, per popular demands
on mailing list.
The upgrade patch found in ports/172325 is currently under
exp-run. The changes in this commit against ftp/curl can be
safely reverted before applying that patch, as it's shipped
with new curl release.
Approved by: portmgr (miwi)
- update firefox-esr, thunderbird and libxul to 17.0.7
- update nspr to 4.10
- OSS support was removed upstream, only ALSA and PulseAudio are supported
from now on.
Security: b3fcb387-de4b-11e2-b1c6-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>
I'm not completly sure this affects us, but beter safe then sorry.
While here wordsmith Options description to try to make it clearer.
Security: CVE-2013-2168
This is a bugfix release.
* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
service. [CVE-2002-2443]
* Improve interoperability with some Windows native PKINIT clients.
Security: CVE-2002-2443
* Fix buffer overflows in fileserver and ptserver.
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit 6957).
* Fix cache corruption when reading from a file another client is simultaneously writing to (Gerrit 7994).
* Fix fileservers to properly report >2 TiB partitions.
and some other less serious changes.
PR: ports/179259
Submitted by: Adam Nowacki <nowak@tepeserwery.pl>
Submitted by: bjk (maintainer)
Security: CVE-2013-1794
while it is unclear whether it affects OpenSSL-builds at all.
Let's play it safe.
- Reference CVE-2013-2061 name in OpenVPN's VuXML entry
- Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
- Mark openvpn22 deprecated and to expire 2013-09-01.
(openvpn20 is already marked to expire 2013-07-11.)
Security: CVE-2013-2061
Security: 92f30415-9935-11e2-ad4c-080027ef73ec
- www/rt40 to 4.0.13
- www/rt38 to 3.8.17 [1]
This is a security fix addressing a number of CVEs:
CVE-2012-4733
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374
Users will need to update their database schemas as described in
pkg-message
Approved by: flo [1]
Security: 3a429192-c36a-11e2-97a9-6805ca0b3d42
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)
Security: 4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with: Jan Beich <jbeich@tormail.org>
Note that we don't really have nginx 1.3.9 in the ports collection, due
to the recent ports freeze. The version 1.3.9 is used here just to
better match the original advisory.
Four new serious security alerts were issued today by the phpMyAdmin
them: PMASA-2013-2 and PMASA-2013-3 are documented in this commit to
vuln.xml.
- Remote code execution via preg_replace().
- Locally Saved SQL Dump File Multiple File Extension Remote Code
Execution.
The other two: PMASA-2013-4 and PMASA-2013-5 only affect PMA 4.0.0
pre-releases earlier than 4.0.0-rc3, which are not available through
the ports.
- Convert to new options framework
sieve-connect was not actually verifying TLS certificate identities matched
the expected hostname. Changes with new version:
Fix TLS verification; find server by own hostname & SRV.
* TLS hostname verification was not actually happening.
* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).
* By default, if no server specified, before falling back to localhost try to
use the current hostname and SRV records in DNS to figure out if Sieve is
available. Checks for sieve, imaps & imap protocol SRV records and honours
target==. to mean "no".
* This works better with the Mozilla::PublicSuffix module installed.
* Added ability to blacklist authentication mechanisms
More info:
http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html
PR: ports/177859
Submitted by: "Alexey V. Degtyarev" <alexey@renatasystems.org> (maintainer)
Approved by: portmgr (implicit)
Security: a2ff483f-a5c6-11e2-9601-000d601460a4
- Replace links to changelog and commit with a link to the official
announcement (which also links to the commit)
- Replace the description with a sentence lifted from the
announcement.
Approved by: portmgr (tabthorpe)
