security problem that was present in the unpatched 3.1.5.
* Update the master sites list.
* Configure more precisely several important directories, partly to
compensate for some of the new defaults, and partly to avoid potential
future security problems regarding remote users being able to read
files specified as config files. This vulnerability was patched
already, and the fix is included in this version. However, a little
paranoia never hurt anyone.
* Remove the patches, as they have either been made obsolete by the new
version, or, as in the pthreads issue, I'm doing them differently in
the Makefile.
* Make the patching in the Makefile smarter.
* Put my name in the pkg-descr.... overlooked previously.
* Adjust the pkg-plist, and sort it since the bloat is the same either way.
Thanks to Palle Girgensohn <girgen@partitur.se> for the suggestion in the PR
to place the conf file in its own directory.
PR: ports/26058
security vulnerability. Quoting from their e-mail announcement:
    There is a security vulnerability in all versions of
    htsearch between 3.1.0b2 and 3.1.5 . . . The hole can
    allow a remote user to pick a file on your system for
    the config file that the UID running the webserver
    can read.
With a default ports install the httpd user should be nobody, which
makes the vulnerability small.
PR: ports/12488
Submitted by: Palle Girgensohn <girgen@partitur.se>
NOTE: This patch actually patches two files, which is normally frowned
upon. However, one of these files generates the other and really
isn't used by the port, just for people who would use the port
to make their own custom ht://dig. I don't think this is a problem.
[Has anyone figured out what makes the number 393 so interesting to PW, now?]
I wonder what was going through Jordan's head during his infamous
$Id$-smashing commit.
Before I forget....
Thanks to naddy@mips.rhein-neckar.de (Christian Weisgerber) for prompting
this commit. See msg-id: 7geokh$tje$1@mips.rhein-neckar.de
never updated the Makefile. I was trying to avoid using sed and patch, and
just ended up breaking it by my indecisiveness. :>
It's fixed now, and packages no less.
Reminded by: Satoshi
===
===> Building package for htdig-3.1.0
Creating package /usr/ports/packages/All/htdig-3.1.0.tgz
Registering depends:.
Creating gzip'd tar ball in '/usr/ports/packages/All/htdig-3.1.0.tgz'
tar: can't add file etc/htdig.conf : No such file or directory
tar: can't add file share/htdig/footer.html : No such file or directory
tar: can't add file share/htdig/bad_words : No such file or directory
tar: can't add file share/htdig/header.html : No such file or directory
tar: can't add file share/htdig/nomatch.html : No such file or directory
tar: can't add file share/htdig/syntax.html : No such file or directory
tar: can't add file share/htdig/english.0 : No such file or directory
tar: can't add file share/htdig/english.aff : No such file or directory
tar: can't add file share/htdig/synonyms : No such file or directory
pkg_create: tar command failed with code 256
*** Error code 1
Stop.