2013-07-11 databases/embedded_innodb: The Embedded InnoDB project was terminated a few years ago
2013-07-11 print/lyx16: Unmaintained upstream, upgrading to the 2.x series is advised
2013-07-11 security/py-crack: Superseded by security/py-cracklib
- update vuxml with additional CVE-2013-1896 entry
Changes with Apache 2.2.25
http://www.apache.org/dist/httpd/CHANGES_2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]
*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]
*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR 54610
[Timothy Wood <tjw omnigroup.com>]
*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
PR: ports/180248
Submitted by: Jason Helfman jgh@
- Change pkgconfig:build to pkgconfig since it's the same and it's bad practice.
It accidentally slipped in during the original introduction
- Trim header
Update to apache22-2.2.25 is ready to commit.
Until now there is no official announcement from apache.org
so we hold the update back until we have official checksums.
This was causing the "Undefined symbol '_'" message when hitting ^C or
entering an incorrect command.
PR: ports/180262
Submitted by: Christophe Juniet <c.juniet@gmail.com>
Proudly brought to you by the KDE on FreeBSD team. We're sorry to ship two
KDE updates in just a few days, but the work on 4.10.5 was very light
compared to 4.10.4 so it was ready much faster.
The release announcement can be found in [1].
[1] http://www.kde.org/announcements/announce-4.10.5.php
The biggest news for us on FreeBSD is that the Ruby bindings should work
with Ruby 1.9 now.
I will probably add a note to UPDATING later about this, but as avilla@
pointed out, the clang support we mentioned that was improved in 4.10.4
requires a rebuild of the ports that depend on kdelibs4. Most of them are
covered by this update, but those which are not part of the Software
Compilation need to be rebuilt manually to make sure the previous issues
(proper symbol visibility being the most annoying of them) are solved.
With commits from avilla@, makc@, rakuco@ and Schaich Alonso.
The upstream announcement can be found in [1].
[1] http://www.kde.org/announcements/announce-4.10.4.php
clang support should be more stable now, with clang being recognized by
kdelibs4 and being passed the correct flags to build other ports.
Additionally, all ports being committed have been verified to build with
-CURRENT's clang 3.3 on an amd64 tinderbox (special thanks go to swills@ for
providing it).
Work on the newly-released 4.10.5 will begin shortly.
now so that users can build the port, per popular demands
on mailing list.
The upgrade patch found in ports/172325 is currently under
exp-run. The changes in this commit against ftp/curl can be
safely reverted before applying that patch, as it's shipped
with new curl release.
Approved by: portmgr (miwi)
libsparkcrypto is a formally verified implementation of several widely used
symmetric cryptographic algorithms using the SPARK programming language and
toolset. For the complete library, proofs of the absence of run-time errors
like type range violations, division by zero and numerical overflows are
available. Some of its subprograms include proofs of partial correctness.
The distribution contains test cases for all implemented algorithms and a
benchmark to compare its performance with the OpenSSL library. The achieved
speed has been found to be very close to the optimized C and Assembler
implementations of OpenSSL.
WWW: http://senier.net/libsparkcrypto/
PR: ports/180015
Submitted by: John Marino <draco@marino.st>
protocol. It is designed to be small and fast, and is suited to
embedded projects. A web server is included.
WWW: http://axtls.sourceforge.net/
PR: ports/177790
Submitted by: Hirohisa Yamaguchi <umq@ueo.co.jp>
- update firefox-esr, thunderbird and libxul to 17.0.7
- update nspr to 4.10
- OSS support was removed upstream, only ALSA and PulseAudio are supported
from now on.
Security: b3fcb387-de4b-11e2-b1c6-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>
- Fix build, add pkgconfig to USES
- Trim Makefile header
- Remove leading article from COMMENT
PR: ports/179810 [1]
Submitted by: John Marino <draco@marino.st>
because the present FreeBSD is too old, or because we are building on,
say, DragonFlyBSD).
Fix up most compiler warnings, while I'm here.
Bump PORTREVISION.
PR: ports/179752
Submitted by: John Marino
I'm not completely sure this affects us, but better safe than sorry.
While here wordsmith Options description to try to make it clearer.
Security: CVE-2013-2168
As such it will be slow (hence the project name) but still useful when
faster ones are not available (for example, for JavaScript clients in
browsers, and Python servers on Google App Engine).
WWW: https://code.google.com/p/slowaes/
PR: 179447
Submitted by: Neil Booth <kyuupichan@gmail.com>
- Make additional documentation installation conditional
(note: run-rootless.txt not installed as not relevant for FreeBSD)
Changes: https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
PR: ports/179426 [1]
Submitted by: Christoph Theis <theis@gmx.at> (maintainer)
Note that from 2.5, shibd is run as the user shibd. The port tries to fix the
key file ownership but if you have changed the file name of the key from the
default sp-key.pem, make sure you chown your key file(s) to user shibd.
Also, take maintainership of the entire tool chain (approved by all previous
maintainers).
Incorporates the ideas suggested by Craig Leres [177668], making sure that the
ssl key is not added to the package.
PR: 177668, 178694
This is a bugfix release.
* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
service. [CVE-2002-2443]
* Improve interoperability with some Windows native PKINIT clients.
Security: CVE-2002-2443
* Fix buffer overflows in fileserver and ptserver.
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit 6957).
* Fix cache corruption when reading from a file another client is simultaneously writing to (Gerrit 7994).
* Fix fileservers to properly report >2 TiB partitions.
and some other less serious changes.
PR: ports/179259
Submitted by: Adam Nowacki <nowak@tepeserwery.pl>
Submitted by: bjk (maintainer)
Security: CVE-2013-1794
while it is unclear whether it affects OpenSSL-builds at all.
Let's play it safe.
- Reference CVE-2013-2061 name in OpenVPN's VuXML entry
- Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
- Mark openvpn22 deprecated and to expire 2013-09-01.
(openvpn20 is already marked to expire 2013-07-11.)
Security: CVE-2013-2061
Security: 92f30415-9935-11e2-ad4c-080027ef73ec
2013.05.31 -- Version 2.3.2
Arne Schwabe (3):
Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script
Davide Brini (1):
Provide more accurate warning message
Gert Doering (2):
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.
James Yonan (1):
Always push basic set of peer info values to server.
Jan Just Keijser (1):
make 'explicit-exit-notify' pullable again
Josh Cepek (2):
Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks
Steffan Karger (2):
Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL
svimik (1):
Fix segfault when enabling pf plug-ins
bsd.linux-rpm.mk. The default linux version is now Fedora 10.
- Remove now obsolete checks for Linux 2.4 in emulators/linux_base-c6,
emulators/linux_base-f10, and emulators/linux_dist-gentoo-stage3.
While there, remove superfluous -p argument from ${MKDIR}.
- Remove now obsolete check for Linux 2.4 or FreeBSD 6 and lower from
astro/google-earth.
- Remove expired Fedora Core 4 ports which were only used on FreeBSD 7
and below.
- Update LEGAL and MOVED
PR: ports/176877
Submitted by: myself
Approved by: portmgr (bapt)
Exp-run by: bapt
safer for developers to use cryptography in their applications. Keyczar supports
authentication and encryption with both symmetric and asymmetric keys. Some
features of Keyczar include:
* A simple API
* Key rotation and versioning
* Safe default algorithms, modes, and key lengths
* Automated generation of initialization vectors and ciphertext signatures
* Java, Python, and C++ implementations
* International support in Java (Python coming soon)
Keyczar was originally developed by members of the Google Security Team and is
released under an Apache 2.0 license.
WWW: http://www.keyczar.org/
PR: ports/179025
Submitted by: Douglas Thrift <douglas@douglasthrift.net>
Python.
It uses the DBus Secret Service API that is supported by GNOME Keyring (>= 2.30) and
KWallet (>= 4.8).
It allows creating new passwords, and deleting and searching for passwords matching
given attributes. It also supports graphical prompts when unlocking is needed.
WWW: http://pypi.python.org/pypi/SecretStorage
PR: ports/179026
Submitted by: Douglas Thrift <douglas@douglasthrift.net>
I did very minor porting of the upstream patch to make
it apply.
Note that this currently does not build with base heimdal, but
does build with port MIT or port HEIMDAL.
- Bump PORTREVISION in case someone built the update, expecting
this option to work and now have a broken ssh.
PR: ports/178885
Reported by: Garrett Wollman <wollman@csail.mit.edu>
- Remove unnecessary depend on PERL_LEVEL < 5.12
- Drop maintainership per maintainer request
PR: ports/178926
Submitted by: az
Approved by: Victor Popov <v.a.popov@gmail.com> (maintainer)
- www/rt40 to 4.0.13
- www/rt38 to 3.8.17 [1]
This is a security fix addressing a number of CVEs:
CVE-2012-4733
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374
Users will need to update their database schemas as described in
pkg-message
Approved by: flo [1]
Security: 3a429192-c36a-11e2-97a9-6805ca0b3d42
This was due to not including the canohost.h header for our
base customization to respect class login restrictions. I had
missed this as I had only tested with the default (HPN enabled)
which already was including this header.
Reported by: runelind in ##freenode
Tested by: runelind, myself
Reported by: Krzysztof Stryjek
* patch-misc.h
This fixes a warning triggered by testing an unsigned parameter against
0. The patch solves this by creating a different template for signed
case.
* patch-nbtheory.cpp
This is a workaround for a bug with the current version of libc++ shipped
with FreeBSD 9.x, which causes an infinite loop when generating RSA key,
possibly also other operations.
PR: ports/178827
Submitted by: Michael Gmelin <freebsd grem de>
instead of a buffer.
Bump PORTREVISION.
While here, fix warnings -- well enough for gcc48 to be happy with ``-Wall -W''.
Approved by: maintainer timeout (since February).
- The LPK patch has been updated but is obsolete, deprecated and
untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
abandoned. The patch has had bugs since 5.9. I have reworked
it and split it into HPN and AES_THREADED options. The
debugging/logging part of the patch is incomplete. I may
change the patch to more closely match our base version
eventually.
- The KERB_GSSAPI option has been removed as the patch has not
been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
with patches. You can find all of the versions at
https://github.com/bdrewery/openssh
Changes:
http://www.openssh.com/txt/release-5.9
http://www.openssh.org/txt/release-6.0
http://www.openssh.org/txt/release-6.1
http://www.openssh.org/txt/release-6.2
http://www.openssh.org/txt/release-6.2p2
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)
Security: 4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with: Jan Beich <jbeich@tormail.org>
The referenced security issues have been fixed in this version (1.5.0 beta), and
some small bugs have been found too, with many fixes from Debian's Gerrit Pape.
Obtained from: Debian (parts)
Security: CVE-2002-0351
Security: CVE-2006-3123