to address issues with NetBSD-6 (and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
All:
- Due to an incorrect message from last release, here is corrected
information on when a Linux installation is potentially dangerous:
New autoconf tests for sys/capability.h and cap_*() functions
from Linux -lcap
WARNING: If you do not see this:
checking for sys/capability.h... yes
...
checking for cap_get_proc in -lcap... yes
checking for cap_get_proc... yes
checking for cap_set_proc... yes
checking for cap_set_flag... yes
checking for cap_clear_flag... yes
your Linux installation is insecure in case you ever use the
command "setcap" to set up file capabilities for executable commands.
Note that cdrtools (as any other command) need to be capability aware
in order to avoid security leaks with enhanced privileges. In most
cases, privileges are only needed for a very limited set of operations.
If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
functions to control privileges are in the basic set of supported
functions and thus there is no problem for any program to control its
privileges - if they have been obtained via suid root, you are on a
secure system.
If you are however on an incomplete installation that supports raising
privileges via fcaps but does not include developer support for caps,
the programs get the privileges without being able to know about the
additional privileges and thus keep them because they cannot control
them.
WARNING: If you are on a Linux system that includes support for
fcaps (this seems to be true for all newer systems with
Linux >= 2.6.24) and there is no development support for capabilities
in the base system, you are on an inherently insecure system that allows
compiling and setting up programs with enhanced privileges that cannot
control them.
In such a case, try to educate the security manager for the related
Linux distribution. Note that you may turn your private installation
into a secure installation by installing development support for libcap.
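As an added illustration of the point above (example code, not part of cdrtools or libcap): a small C program that inspects and then reduces its own capability sets with the raw Linux capget()/capset() syscalls, which are what the libcap cap_get_proc()/cap_set_proc() wrappers that configure looks for sit on top of. A program built this way stays capability-aware even when libcap is unavailable. It assumes Linux with the kernel headers installed (<linux/capability.h>); CAP_SYS_RAWIO is only a stand-in for whichever single capability the program really needs, and the struct and function names (capsets, caps_read, caps_restrict_to) are the example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Capability sets as 64-bit masks, assembled from the two 32-bit words
 * of the _LINUX_CAPABILITY_VERSION_3 data layout. */
struct capsets {
    uint64_t effective;
    uint64_t permitted;
    uint64_t inheritable;
};

/* Fill a v3 header addressing the calling thread (pid 0). */
static void caps_header(struct __user_cap_header_struct *hdr)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;
}

/* Read the calling thread's capability sets via the raw capget() syscall.
 * Returns 0 on success, -1 (errno set) on failure. */
int caps_read(struct capsets *out)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    caps_header(&hdr);
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->effective   = ((uint64_t)data[1].effective   << 32) | data[0].effective;
    out->permitted   = ((uint64_t)data[1].permitted   << 32) | data[0].permitted;
    out->inheritable = ((uint64_t)data[1].inheritable << 32) | data[0].inheritable;
    return 0;
}

/* 1 if capability number `cap` (e.g. CAP_SYS_RAWIO) is currently effective. */
int caps_is_effective(const struct capsets *c, int cap)
{
    return (int)((c->effective >> cap) & 1);
}

/* Shrink the permitted and effective sets to `keep` (a mask of CAP_* bits,
 * intersected with what is currently permitted) and clear the inheritable
 * set. Lowering capabilities never needs privilege, so this also succeeds
 * for a process that was never granted any; the kernel only rejects
 * attempts to raise a set. Returns 0 on success, -1 on failure. */
int caps_restrict_to(uint64_t keep)
{
    struct capsets cur;
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    if (caps_read(&cur) != 0)
        return -1;
    keep &= cur.permitted;
    caps_header(&hdr);
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = (uint32_t)keep;
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    struct capsets c;

    if (caps_read(&c) != 0) {
        perror("capget");
        return 1;
    }
    printf("effective=%#llx permitted=%#llx inheritable=%#llx\n",
           (unsigned long long)c.effective, (unsigned long long)c.permitted,
           (unsigned long long)c.inheritable);
    printf("CAP_SYS_RAWIO: %s\n",
           caps_is_effective(&c, CAP_SYS_RAWIO) ? "held" : "not held");

    /* Keep only the one capability this hypothetical tool needs for its
     * privileged operations and shed everything else that setcap or a
     * suid-root start may have handed it. */
    if (caps_restrict_to(1ULL << CAP_SYS_RAWIO) != 0) {
        perror("capset");
        return 1;
    }
    (void)caps_read(&c);
    printf("after restrict: effective=%#llx permitted=%#llx\n",
           (unsigned long long)c.effective, (unsigned long long)c.permitted);
    return 0;
}
```

Run it once as an ordinary user and once after `setcap cap_sys_rawio+ep` on the binary: in both cases the program ends with the permitted and effective sets limited to at most CAP_SYS_RAWIO, which is exactly the control the warning above says a program cannot exercise when it was built without any capability support.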
- WARNING: the include structure of include/schily/*.h and several sources
has been restructured to cause fewer warnings with older OS platforms.
If you see any new problem on your personal platform, please report.
- New includefiles:
schily/poll.h Support poll()
schily/stdarg.h An alias to schily/varargs.h (but using the std name)
schily/sunos4_proto.h Missing prototypes for SunOS-4.x to make gcc quiet
schily/timeb.h Needed for users of ftime()
- Many minor bug-fixes for the files include/schily/*.h
- include/schily/archconf.h now defines __SUNOS5 for easier coding
- include/schily/priv.h now defines platform independent fine grained privileges
- Updated README.compile:
Some typo patches from Jan Engelhardt <jengelh@inai.de>
Documented the "LINKMODE=" macro to explain how to create dynamically
linked binaries.
Libschily:
- Added #include <schily/libport.h> to libschily/fnmatch.c
Libedc (Optimized by Jörg Schilling, originated by Heiko Eißfeldt heiko@hexco.de):
- Added #include <schily/libport.h>
Libdeflt:
- Added #include <schily/libport.h>
Libfind:
- dirname -> dir_name to avoid a gcc warning
Libhfs_iso:
- Rename variable "utime" to "uxtime" to avoid a compiler warning
Libscg:
- Repositioned #ifdefs to avoid unused variable definitions in
libscg/scsi-sun.c
- libscg/scsi-linux-ata.c now aborts early if errno == EPERM. This now
makes it behave like libscg/scsi-linux-sg.c
- A new scg flag SCGF_PERM_PRINT tells libscg to print a more verbose error
in case that a SCSI command was aborted with errno == EPERM.
Cdrecord:
- Allow compiling without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Cdrecord now checks whether there are sufficient fine grained privileges.
- Cdrecord now uses the new flag SCGF_PERM_PRINT to get better warnings if the
permissions granted by the OS are not sufficient.
Cdda2wav (Maintained/enhanced by Jörg Schilling, originated by Heiko Eißfeldt heiko@hexco.de):
- Include file reordering to avoid warnings on older platforms
- Allow compiling without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Repositioned #ifdefs to avoid unused variable definitions in
cdda2wav/sndconfig.c
- Cdda2wav now checks whether there are sufficient fine grained privileges.
- Work around a bug in sys/param.h FreeBSD-9.1, that #define's __FreeBSD_kernel__
instead of #define __FreeBSD_kernel__ 9 that would be needed for Debian
k-FreeBSD compatibility.
The bug affects cdda2wav/mycdrom.h
Readcd:
- Allow compiling without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Readcd now checks whether there are sufficient fine grained privileges.
Mkisofs (Maintained/enhanced by Jörg Schilling since 1997, originated by Eric Youngdale):
- Make mkisofs compile without -DUDF and without -DDVD_VIDEO
Thanks to a hint from rmd4work@mail.ru
add: new supported ThinkPad X40
chg: adjusted poll interval to 200ms, which has an acceptable responsiveness
add: support for udev filesystem
and many bug fixes.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
D-Bus Python Bindings 1.2.0 (2013-05-07)
========================================
The "compile like it's 1998" release.
Dependencies:
• libdbus 1.6 or later is now required.
Enhancements:
• Unicode Corrigendum 9: when used with a suitable version of libdbus
(1.6.10 or later, or 1.7.2 or later), noncharacters in strings are
now accepted
Fixes:
• Support DBusException('something with non-ASCII') under Python 2
(Michael Vogt, smcv; fd.o #55899)
• Correct some misleading wording in COPYING which was written under the
assumption that libdbus could actually be relicensed to MIT/X11
(Thiago Macieira)
• Avoid variable-length arrays, because MSVC++ is still stuck in 1998
(based on patches from Christoph Höger, fd.o #51725)
• Remove unnecessary uses of stdint.h (fd.o #51725)
• Add support for Unix compilers not supporting 'inline', for completeness
• Use GObject.__class__ instead of GObjectMeta, which can no longer be
imported from gi.repository.GObject in pygobject 3.8
• Fix autoreconfiscation on Automake 1.13 (Marko Lindqvist, fd.o #59006)
etckeeper is a collection of tools to let /etc be stored in a git,
mercurial, darcs, or bzr repository. It hooks into apt (and other
package managers including yum and pacman-g2) to automatically commit
changes made to /etc during package upgrades. It tracks file metadata
that revision control systems do not normally support, but that is
important for /etc, such as the permissions of /etc/shadow.
It's quite modular and configurable, while also being simple to use
if you understand the basics of working with revision control.
GFM is an application for manipulating single/group/tigroup files. It
can:
* create a new file
* open an existing file
* save file
* rename variables
* remove variables
* create folders
* group files into a group/tigroup file
* ungroup a group/tigroup file into single files
D-Bus 1.6.10 (2013-04-24)
=========================
The “little-known facts about bananas” release.
• Following Unicode Corrigendum #9, the noncharacters U+nFFFE, U+nFFFF,
U+FDD0..U+FDEF are allowed in UTF-8 strings again.
(fd.o #63072, Simon McVittie)
• Diagnose incorrect use of dbus_connection_get_data() with negative slot
(i.e. before allocating the slot) rather than returning junk
(fd.o #63127, Dan Williams)
• In the activation helper, when compiled for tests, do not reset the system
bus address, fixing the regression tests. (fd.o #52202, Simon)
• Fix building with Valgrind 3.8, at the cost of causing harmless warnings
with Valgrind 3.6 on some compilers (fd.o #55932, Arun Raghavan)
• Don't leak temporary fds pointing to /dev/null (fd.o #56927, Michel HERMIER)
• Create session.d, system.d directories under CMake (fd.o #41319,
Ralf Habacker)
• Unix-specific:
· Include alloca.h for alloca() if available, fixing compilation on
Solaris 10 (fd.o #63071, Dagobert Michelsen)
- added to MESSAGE advising of rc.d script changes
- added BASH as a tool
- fixed pygrub install so that it doesn't get overwritten with a symlink
- turned oxenstored.conf into a proper config file
functional for PV domains. Support for HVM domains and grant tables
is still to come. Note that xm/xend is deprecated in this version.
You should switch to using xl (which is tested to be working) if
you can.
----- 4.2.2
Xen 4.2.2 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.1 upgrade to Xen 4.2.2.
This release fixes the following critical vulnerabilities:
CVE-2012-5634 / XSA-33: VT-d interrupt remapping source
validation flaw
CVE-2013-0151 / XSA-34: nested virtualization on 32-bit
exposes host crash
CVE-2013-0152 / XSA-35: Nested HVM exposes host to being
driven out of memory by guest
CVE-2013-0153 / XSA-36: interrupt remap entries shared and
old ones not cleared on AMD IOMMUs
CVE-2013-0154 / XSA-37: Hypervisor crash due to incorrect
ASSERT (debug build only)
CVE-2013-0215 / XSA-38: oxenstored incorrect handling of
certain Xenbus ring states
CVE-2012-6075 / XSA-41: qemu (e1000 device driver): Buffer
overflow when processing large packets
CVE-2013-1917 / XSA-44: Xen PV DoS vulnerability with SYSENTER
CVE-2013-1919 / XSA-46: Several access permission issues with
IRQs for unprivileged guests
CVE-2013-1920 / XSA-47: Potential use of freed memory in event
channel operations
CVE-2013-1922 / XSA-48: qemu-nbd format-guessing due to missing
format specification
This release contains many bug fixes and improvements (around
100 since Xen 4.2.1). The highlights are:
ACPI APEI/ERST finally working on production systems
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.1
Xen 4.2.1 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1.
The release fixes the following critical vulnerabilities:
CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
CVE-2012-4537 / XSA-22: Memory mapping failure DoS
vulnerability
CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS
vulnerability
CVE-2012-4539 / XSA-24: Grant table hypercall infinite
loop DoS vulnerability
CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
Out-of-memory due to malicious kernel/ramdisk
CVE-2012-5510 / XSA-26: Grant table version switch list
corruption vulnerability
CVE-2012-5511 / XSA-27: Several HVM operations do not
validate the range of their inputs
CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite
hypervisor memory
CVE-2012-5514 / XSA-30: Broken error handling in
guest_physmap_mark_populate_on_demand()
CVE-2012-5515 / XSA-31: Several memory hypercall operations
allow invalid extent order values
CVE-2012-5525 / XSA-32: several hypercalls do not validate
input GFNs
Among many bug fixes and improvements (around 100 since Xen 4.2.0):
A fix for a long standing time management issue
Bug fixes for S3 (suspend to RAM) handling
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.0
The Xen 4.2 release contains a number of important new features
and updates including:
The release incorporates many new features and improvements to
existing features. There are improvements across the board including
to Security, Scalability, Performance and Documentation.
XL is now the default toolstack: Significant effort has gone
in to the XL tool toolstack in this release and it is now feature
complete and robust enough that we have made it the default. This
toolstack can now replace xend in the majority of deployments, see
XL vs Xend Feature Comparison. As well as improving XL the underlying
libxl library has been significantly improved and supports the
majority of the most common toolstack features. In addition the
API has been declared stable which should make it even easier for
external toolstack such as libvirt and XCP's xapi to make full use
of this functionality in the future.
Large Systems: Following on from the improvements made in 4.1
Xen now supports even larger systems, with up to 4095 host CPUs
and up to 512 guest CPUs. In addition toolstack feature like the
ability to automatically create a CPUPOOL per NUMA node and more
intelligent placement of guest VCPUs on NUMA nodes have further
improved the Xen experience on large systems. Other new features,
such as multiple PCI segment support have also made a positive
impact on such systems.
Improved security: The XSM/Flask subsystem has seen several
enhancements, including improved support for disaggregated systems
and a rewritten example policy which is clearer and simpler to
modify to suit local requirements.
Documentation: The Xen documentation has been much improved,
both the in-tree documentation and the wiki. This is in no small
part down to the success of the Xen Document Days so thanks to all
who have taken part.
This release fixes a serious security issue found in the way that RSA keys
were being generated.
It is recommended that existing Salt keys be regenerated once 0.15.1 has been
deployed on the master and all minions.
A 'key_regen' routine has been added to 0.15.1 to make this transition easier.
The following sequence is a convenient way to regenerate all keys in an
environment:
salt-run manage.key_regen
You will be prompted to restart the master. Once completed, all keys in the
environment will have been regenerated and you will need to accept the new
keys using the following command:
salt-key -A
This broke packages that needed a target Python at build-time.
Instead, change it from defined/undefined to yes/no/tool. Most cases
of defined used `yes' anyway; fix the few stragglers to do that instead.
New case `tool' is for TOOL_DEPENDS rather than buildlink3.
pkgsrc changes:
* set LICENSE as gnu-lgpl-v2 from COPYING.
* drop -DG_DISABLE_DEPRECATED from the whole build instead of just from one
directory via patch-ah, because many deprecation warnings appear with recent
glib2.
* fix specifying the samba location to configure.
Major changes in 1.6.7
======================
This is a convenient release for people who want to have old
gnome 2.32 and new glib:
* Do not build app lookup extension if we have glib >= 2.27.1
Other fixes:
* build: Adapt autogen.sh to libtool-2.4
* build: Bump fuse requirement for ATOMIC_O_TRUNC support
Upstream changes:
* Revision 2.36 2013-04-12 11:47:03+02 fred
* Some processes like apache under a recent Linux were listed with UID
* root instead of the correct UID, as they use setuid(). We now read the
* UID from the owner of /proc/PID instead of /proc/PID/stat, as this
* seems to be updated correctly. Thanks to Tom Schmidt
* <tschmidt AT micron.com> for pointing out this bug.
*
* Revision 2.35 2013-02-28 08:33:02+01 fred
* Added Stan Sieler's fix to my adaption of snprintf fix by Stan Sieler :-)
*
* Revision 2.34 2013-02-27 16:57:25+01 fred
* Added snprintf fix by Stan Sieler
From Nils Ratusznik per PR pkg/47800
pkgsrc changes:
---------------
Update MASTER_SITES. Now requires curl to fetch on https mirror.
Upstream changes:
-----------------
3.8.3 -> 3.8.4
- Added --version command line option
- Disable ACL tests if logrotate is not compiled WITH_ACL support or if
ACLs are not supported by the system running tests
- Disable SELinux tests if logrotate is not compiled WITH_SELINUX support
or if SELinux is not supported by the system running tests
- Fixed bug which prevented skipping particular log file config
if the config contained errors.
- Fixed skipping of configs containing firstaction/lastaction scripts
with '}' character in case of error before these scripts.
- Support also 'K' unit for *size directives.
- Added preremove option to let the admin do something with the old logs
before they are removed by logrotate.
- Fixed possible loop in tabooext parsing.
- Move code to set SELinux context before compressLogFile calls to create
compressed log files with the proper context.
- Call prerotate/postrotate script only for really rotated files in
nosharedscripts mode (as stated in man page).
LogRider is my attempt to improve the popular LogCheck/LogSentry utility.
LogCheck uses egrep to periodically scan system logs for specific
alert/hacking signatures based on a set of static filters. LogRider is
rewritten from scratch with a lot of important features added:
1. Strings caught by any filter are excluded from processing by the next filters.
2. Actual filters are composed from a set of small sub-filters located
in directories whose name is given as the filter name. Each sub-filter
contains messages generated by one service. You can easily add
filters for checking additional services without modifying the
already existing program and configuration.
3. Configuration is separated from the program and moved to a standalone file.
This means that LogRider may be easily adapted to a new platform without
modifying the program core, and may be easily used for checking multiple
logfiles with different filters.