5.4.2:
Unknown changes.
Changes with libwww 5.4.1
* Removed the expat source code in favor of linking against
the global system expat library to avoid having to track
security advisories in that library
* Updated expat to 2.2.0
* Updated autotools to the current versions
* Library/src/HTSQL.c: add missing mysql_init to HTSQL_connect reported by Xavier Torne
* configure.ac, Library/src/Makefile.am, Library/cvs2sql/Makefile.am,
Robot/src/Makefile.am:
modify configure scripts for mysql_config based autoconf processing
* Library/src/HTSQL.c, Library/src/HTSQL.html, Library/src/HTSQLLog.c: remove
mysql directory from include directive
* Robot/src/RobotMain.c: added flag MR_KEEP_META for -lm last modified option
detected by Jan Hutař
* Robot/src/RobotMain.c: added flag MR_KEEP_META for -title option
detected by Jan Hutař
* close leak in HTBound process_boundary() detected by Sam Varshavchik
using valgrind; excised old #if 0 snippets from HTMIME.c
* Library/src/HTCookie.c: add private function HTCookie_splitPair to
split a KEY=VALUE pair, from Jesse Morgan
* configure.ac: remove unnecessary check for appkit.h as
suggested by Roger Persson
* Library/src/wwwsys.html: change genuine angle bracket characters
into the angle bracket entities, thanks to Bobby Jack
* Library/src/HT*.html, Library/src/SSL/HT*.html: wrap
all header files with extern "C"
* Library/src/HTFile, configure.ac: add a basis for
addressing Ben's security concerns
* Library/src/HTBound.c: libwww security advisory fix from
Sam Varshavchik, fix double-counting of processed bytes,
rewrote HTBoundary_put_block, to fix problematic HTTP 1.1
byte range requests
* Library/src/: HTAlert.c, HTHeader.c, HTInit.c, HTNet.c,
HTProfil.c, HTProt.c, HTTrans.c: Patch to greatly speed up
repeated requests, from Arthur Smith
* Library/src/HTSQL.c: modifications to compile without using
deprecated mysql functions
* config/: config.sub, ltmain.sh: updates for recent version of
libtool
* INSTALL.html, Library/src/HTEvtLst.c: cleaning
* libwww-config.in: include -lwwwssl, thanks to mgoddard at
itgs-presearch.com
* Library/src/SSL/HTSSLWriter.c: avoids an eternal loop in libwww
* Library/src/SSL/HTSSL.html, Robot/src/RobotMain.c: fix for webbot
-v option check and documentation addition
* configure.ac, Library/src/SSL/HTSSL.c,
Library/src/SSL/windows/wwwssl.def, Robot/src/HTRobMan.html,
Robot/src/Makefile.am, Robot/src/RobotMain.c: basic support for
client side certificates using PEM format
* Library/src/SSL/: HTSSL.c, HTSSLReader.c, HTSSLWriter.c: add
openssl to include for ssl.h and rand.h
* config/: config.guess, config.sub, ltmain.sh: update after
running libtoolize
* Robot/src/Makefile.am: use SSL directory for libwwwssl.la
* Robot/src/RobotMain.c: include HTSSL.h
* configure.ac: fix aclocal underquoting warnings
* Robot/src/: RobotMain.c, Makefile.am: update to enable https
protocol
* Library/src/HTTPReq.c: fixed , to _ in HTTRACE call
* Library/src/HTTPReq.c: removed LIBWWW_USEIDN, because unnecessary
* modules/idn/unicode_template.c: forgot one file
* Library/src/HTDNS.html: moved IDN to main branch
* Library/src/HTDNS.c: moved IDN to main branch
* Library/src/HTTPReq.c: added "LIBWWW_USEIDN" conditional
* Library/src/HTTPReq.c: moved IDN to main branch
* Library/Overview.html: JK: Added the libwww survey results
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
This package contained several Makefile.am patches but then proceeded to
ignore all of them by touching all of the Makefile.in's. Unfortunately
those patches were there for a reason!
Correctly packages on solaris now.
the corresponding buildlinks have to be present as well.
Get the option libwww was built with to decide whether to do that.
Inspired by and fixing PR 28412.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
"A vulnerability was found in W3C Libwww, which potentially can be exploited
by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to a boundary error in the
"HTBoundary_put_block()" function when processing multipart MIME data. This
may be exploited to cause an illegal memory access past the end of the input
buffer via specially crafted multipart MIME data.
Successful exploitation can potentially cause an application that uses Libwww
to crash."
http://secunia.com/advisories/17119/
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159597
Bump PKGREVISION.
Patch from RedHat.
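
The bug class named in the advisory above is a read past the end of the input buffer while scanning multipart MIME data for a boundary. The following is an added illustration of a length-clamped delimiter scan; it is not libwww's code and not the Red Hat patch. The names `scan_delimiter` and `scan_result` are hypothetical and the sample block is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning one input block for a multipart delimiter. */
typedef struct {
    ptrdiff_t match;  /* offset of a complete delimiter, or -1 */
    size_t    carry;  /* trailing bytes that may start a delimiter */
} scan_result;

/*
 * Look for delim (dlen bytes, e.g. "--boundary") in buf[0..len).
 * A network block is length-delimited, not NUL-terminated, so every
 * comparison is clamped to the bytes that remain in the block. A partial
 * match at the end is reported as carry so the caller can keep those
 * bytes and retry once the next block arrives.
 */
scan_result scan_delimiter(const char *buf, size_t len,
                           const char *delim, size_t dlen)
{
    scan_result r = { -1, 0 };
    if (buf == NULL || delim == NULL || dlen == 0)
        return r;

    for (size_t i = 0; i < len; i++) {
        size_t remaining = len - i;
        size_t n = remaining < dlen ? remaining : dlen;
        if (memcmp(buf + i, delim, n) != 0)
            continue;
        if (n == dlen)
            r.match = (ptrdiff_t)i;  /* whole delimiter is inside the block */
        else
            r.carry = remaining;     /* prefix only: stop, do not read on */
        return r;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: only the first 7 bytes belong to this block. */
    static const char block[] = "data--XYZ";
    scan_result r = scan_delimiter(block, 7, "--XYZ", 5);
    printf("match=%td carry=%zu\n", r.match, r.carry);
    return 0;
}
```

The bytes after offset 7 would complete the delimiter, but the scan reports only a 3-byte carry because they lie outside the declared block length.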