Update to version 4.1.1
- Fixes "PowerDNS Security Advisory 2018-01: Insufficient validation
of DNSSEC signatures". An issue has been found in the DNSSEC
validation component of PowerDNS Recursor, allowing an ancestor
delegation NSEC or NSEC3 record to be used to wrongfully prove the
non-existence of a RR below the owner name of that record. This
would allow an attacker in a man-in-the-middle position to send an
NXDOMAIN answer for a name that does exist.
The 4.0.x branch is not vulnerable.
- Add support for algo16 and simplify Lua/LuaJIT engine choice.
PR: 225397
Submitted by: maintainer
Security: CVE-2018-1000003
Approved by: ports-secteam
Remove BROKEN, DEPRECATED and EXPIRATION_DATE
This port builds fine in poudriere.
This port depends on py-twisted, and py-twistedCore has been removed from the ports tree.
Approved by: ports-secteam (swills)
net-p2p/transmission-daemon: Mitigate DNS rebinding attack
Incorporate upstream pull request 468, proposed by Tavis Ormandy from
Google Project Zero, which mitigates this attack by requiring a host
whitelist for requests that cannot be proven to be secure, but it can
be disabled if a user does not want security.
PR: 225150
Submitted by: Tavis Ormandy
Approved by: crees (maintainer)
Obtained from: https://github.com/transmission/transmission/pull/468#issuecomment-357098126
Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html
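The host-whitelist check described in the commit above, as an added Python example; it is not code from Transmission or from this port. The function names, the sample allowlist and the rule that an authenticated request counts as "proven to be secure" are assumptions made for illustration.

```python
import fnmatch
import ipaddress

def hostname_of(host_header):
    """Lower-cased host part of a Host header, without port, brackets or trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:9091
        end = h.find("]")
        return h[1:end] if end != -1 else ""
    name = h.partition(":")[0]
    return name[:-1] if name.endswith(".") else name

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def host_allowed(host_header, allowlist, enabled=True, authenticated=False):
    """Decide whether an RPC request may proceed, based on its Host header."""
    # Assumption: the check is skipped when disabled or when credentials were verified.
    if not enabled or authenticated:
        return True
    if not host_header:
        return False
    name = hostname_of(host_header)
    if not name:
        return False
    # A rebinding page is loaded by name, so the browser sends that name in Host.
    # An IP literal or "localhost" in Host therefore cannot come from a rebound name.
    if is_ip_literal(name) or name == "localhost":
        return True
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in allowlist)

# Constructed sample data: one wildcard entry and a mix of Host header values.
SAMPLE_ALLOWLIST = ["*.home.example"]
SAMPLE_HOSTS = ["127.0.0.1:9091", "[::1]:9091", "localhost:9091",
                "nas.home.example:9091", "rebind.attacker.example:9091"]

def evaluate(hosts=SAMPLE_HOSTS, allowlist=SAMPLE_ALLOWLIST):
    return {h: host_allowed(h, allowlist) for h in hosts}

if __name__ == "__main__":
    for host, ok in evaluate().items():
        print(f"{host:32} {'allow' if ok else 'reject'}")
```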
Add note to UPDATING for net-p2p/transmission-daemon explaining how to
allow client access with the new DNS rebinding mitigations.
PR: 225150
Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html
net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message
This will ensure users who do not read UPDATING are still presented with
the message about how to allow clients to connect to the daemon using
DNS when they upgrade the package.
PR: 225150
Reported by: swills
Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html
Approved by: ports-secteam (swills)
astro/viking: Fix LIB_DEPENDS and unbreak port
- While here reset MAINTAINER: The port has been marked as broken
since 2017-05-10 and the maintainer has a history of timeouts.
PR: 224668
Submitted by: Ting-Wei Lan <lantw44@gmail.com>
Approved by: koalative@gmail.com (maintainer timeout, 2 weeks)
Approved by: ports-secteam (swills)
security/trousers: fix distinfo
- see the PR for the diff between the two distfiles
PR: 221105
Approved by: hrs (maintainer timeout)
Approved by: portmgr
databases/memcached: Fix user/group handling for running process
You can now set memcached_user and memcached_group in rc.conf and get
expected results of running process and socket ownership.
Differential Revision: https://reviews.freebsd.org/D13967
net-mgmt/librenms: Update to 1.35, many improvements
Improvements:
- All files should be owned root:wheel except logs and rrd which need to be writable by the app
- Add missing php posix extension
- Do not install config.php by default. This breaks the install process which won't run if this file exists
- Clean up automatic PLIST creation: don't install .orig or .bak files, don't add @dir as they aren't needed
- Patch LibreNMS to make /validate/ page not produce warnings about files not being writable (for git updates)
- Remove the Updates validation check altogether as we won't be using git to update
- Patch the User validation check to only check the logs and rrd dir and ensure the correct user owns them
- Change the default user in the generated config to "www"
- Patch the File Lock code to put the lock file in /tmp and not in the WWWDIR which should not be writable
- Update message in installer to use WWWDIR as suggested path for config.php
- Use shebangfix instead of patch where applicable
- Fix APACHEMOD port option and declaration of the USES=php
PR: 225161
Differential Revision: https://reviews.freebsd.org/D13907
Update debian patch collection to version 17 since 16 is not available anymore
Reported by: David Martin <dmartin@aisliny.com>
Sponsored by: Rubicon Communications, LLC (Netgate)
Approved by: ports-secteam (swills)
Fix build
was failing with:
Error: '/bin/bash' is an invalid shebang you need USES=shebangfix for 'lib/ruby/gems/2.4/gems/passenger-5.1.12/dev/ci/tests/debian/run'
Error: '/bin/bash' is an invalid shebang you need USES=shebangfix for 'lib/ruby/gems/2.4/gems/passenger-5.1.12/dev/ci/tests/rpm/run'
Error: '/usr/local/bin/python2' is an invalid shebang you need USES=shebangfix for 'lib/ruby/gems/2.4/gems/passenger-5.1.12/src/cxx_supportlib/vendor-copy/libuv/gyp_uv.py'
Approved by: portmgr@ (blanket approval)
databases/mysql56-{client, server}: Update to 5.7.21
This update fixes bugs like CVE-2018-2696, CVE-2018-2562, CVE-2018-2640,
CVE-2018-2668, CVE-2017-3737 (and more) in MySQL protocol by upstream.
Delete local patches (CMake plugin macros) that are merged by upstream.
PR: 225195
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (feld)
databases/mysql56-{client, server}: Update to 5.6.39
This update fixes bugs like CVE-2018-2696, CVE-2018-2562,
and CVE-2018-2583 in MySQL protocol by upstream.
PR: 225240
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (feld)
ports-mgmt/fastest_sites: Fix runtime with modern bsd.sites.mk
fastest_sites currently can't parse entries like
https://archives.fedoraproject.org/pub/archive/fedora/linux/%SUBDIR%/:DEFAULT,SOURCE
=> Checking servers for MASTER_SITE_FEDORA_LINUX (6 servers)
Traceback (most recent call last):
  File "/usr/local/bin/fastest_sites", line 164, in <module>
    latency_list = FindFastest(varname, sitelist)
  File "/usr/local/bin/fastest_sites", line 110, in FindFastest
    AsyncConnect(url, callback)
  File "/usr/local/bin/fastest_sites", line 53, in __init__
    self.ParseURL()
  File "/usr/local/bin/fastest_sites", line 64, in ParseURL
    (scheme, remainder) = self._url.split(":", 2)
ValueError: too many values to unpack
PR: 224854
Approved by: ports-secteam blanket
devel/libevent: Fix QA warning
Need shebangfix for Python script, but we will consciously avoid adding
Python as a build or run dependency for a script that is unlikely to be
used.
PR: 224575