Commit graph

135 commits

Author SHA1 Message Date
rillig
579e977969 Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.
2005-12-05 23:55:01 +00:00
rillig
b71a1d488b Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 20:49:47 +00:00
wiz
167afa8d27 Remove line that I committed by accident 6 weeks ago :) 2005-12-02 17:10:04 +00:00
wiz
481ff1cfa5 Update HOMEPAGE and MASTER_SITES, noted by tron@. 2005-10-18 00:46:28 +00:00
adrianp
09d1eaf3f2 Fix for http://secunia.com/advisories/16553/ via RedHat. 2005-08-26 21:36:28 +00:00
wiz
bc2ecb8cc1 Convert to options framework. 2005-05-31 21:28:22 +00:00
wiz
ab23277b8f Update to 1.11.20.
NOTE: currently without IPv6 support, until there is an updated KAME patch
for it.

Changes:

Changes since 1.11.19:
**********************

SERVER SECURITY FIXES

* Thanks to a report from Alen Zukich, several minor
  security issues have been addressed.  One was a buffer overflow that is
  potentially serious but which may not be exploitable, assigned CAN-2005-0753
  by the Common Vulnerabilities and Exposures Project
  <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report include
  repair of an arbitrary free with no known exploit and several plugged memory
  leaks and potentially freed NULL pointers which may have been exploitable for
  a denial of service attack.

* Thanks to a report from Craig Monson, minor
  potential vulnerabilities in the contributed Perl scripts have been fixed.
  The confirmed vulnerability could allow the execution of arbitrary code on
  the CVS server, but only if a user already had commit access and if one of
  the contrib scripts was installed improperly, a condition which should have
  been quickly visible to any administrator.  The complete description of the
  problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If
  you were making use of any of the contributed trigger scripts on a CVS
  server, you should probably still replace them with the new versions, to be
  on the safe side.

  Unfortunately, our fix is incomplete.  Taint-checking has been enabled in all
  the contributed Perl scripts intended to be run as trigger scripts, but no
  attempt has been made to ensure that they still run in taint mode.  You will
  most likely have to tweak the scripts in some way to make them run.  Please
  send any patches you find necessary back to <bug-cvs@gnu.org> so that we may
  again ship fully enabled scripts in the future.

  You should also make sure that any home-grown Perl scripts that you might
  have installed as CVS triggers also have taint-checking enabled.  This can be
  done by adding `-T' on the scripts' #! lines.  Please try running
  `perldoc perlsec' if you would like more information on general Perl security
  and taint-checking.

BUG FIXES

* Thanks to a report and a patch from Georg Schwarz,
  CVS now builds without error on IRIX 5.3.

DEVELOPER ISSUES

* We've standardized on Automake 1.9.5 to get at some new features that make
  our jobs easier.  See the HACKING file for more on using the autotools with
  CVS.
2005-04-19 12:39:18 +00:00
tv
f816d81489 Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. 2005-04-11 21:44:48 +00:00
wiz
b866526e4a Update to 1.11.19.
pkgsrc change:
patch-ag, provided by Georg Schwarz, added to fix the build on IRIX.

NEWS:
Changes since 1.11.18:
**********************

BUG FIXES

* An intermittent assertion failure in checkout has been fixed.

* Thanks to a report from Chris Bohn, all the source files
  needed for the Windows "red file" fix are actually included in the
  distribution.

* Misc bug and documentation fixes.

Changes from 1.11.17 to 1.11.18:
********************************

BUG FIXES

* Thanks to a report from Gottfried Ganssauge, CVS no
  longer exits when it encounters links pointing to paths containing more
  than 128 characters.

* Thanks to a report from Dan Peterson, error messages from
  GSSAPI servers are no longer truncated.

* Thanks to a report from Dan Peterson, attempts to resurrect
  a file on the trunk that was added on a branch no longer cause an assertion
  failure.

* Thanks to a report from Dan Peterson, imports to branches
  like "1.1." no longer create corrupt RCS archives.

* Thanks to a report from Chris Bohn, links from J.C. Hamlin,
  and code posted by Jonathan Gilligan, we think we have
  finally corrected the Windows "red-file" (daylight savings time) bug once and
  for all.

* Thanks to a patch from Jeroen Ruigrok/asmodai, the
  log_accum.pl script should no longer elicit warnings from Perl 5.8.5.

* The r* commands (rlog, rls, etc.) can once again handle requests to run
  against the entire repository (e.g. `cvs rlog .').  Thanks go to Dan Peterson
  for the report.

* A problem where the attempted access of files via tags beginning with spaces
  could cause the CVS server to hang has been fixed.  This was a particular
  problem with WinCVS clients because users would sometimes accidentally
  include spaces in tags pasted into a dialog box.  This fix also altered some
  of the error messages generated by the use of invalid tags.  Thanks go to Dan
  Peterson for the report.

* Thanks to James E Wilson for a bug fix to
  modules processing "gcc-core -a !gcc/f gcc" will no longer exclude
  gcc/fortran by mistake.

* Thanks to Conrad Pino, the Windows build works once again.

* Misc updates to the manual.

DEVELOPER ISSUES

* We've standardized on Automake 1.9.3 to get at some new features that make
  our jobs easier.  See the note below on the Autoconf upgrade for more
  details.

* We've standardized on Autoconf version 2.59 to get presumed bug fixes and
  features, but nothing specific.  Mostly, once we decide to upgrade one of the
  autotools we just figure it'll save time later to grab the most current
  versions of the others too.  See the HACKING file for more on using the
  autotools with CVS.
2005-03-01 15:36:48 +00:00
agc
4a3d2f7ce2 Add RMD160 digests. 2005-02-23 22:24:08 +00:00
wiz
f0f1f38832 Recognise SunOS-5.10. From sigsegv in PR 29428. 2005-02-17 17:43:33 +00:00
tv
c487cb967a Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
2004-10-03 00:12:51 +00:00
minskim
3b4738fc7f Regen. 2004-09-09 23:24:12 +00:00
wiz
d3b678a6a6 Bump PKGREVISION for two new patches. 2004-09-09 22:26:27 +00:00
wiz
0c30218580 regen to fix offsets. 2004-09-09 22:26:17 +00:00
wiz
c7247dff29 From Ian Lance Taylor <ian@wasabisystems.com>:
* recurse.c (do_recursion): Correct test for calling
        server_pause_check to occur when locktype != CVS_LOCK_WRITE.
2004-09-09 22:26:09 +00:00
wiz
4e096b8547 From otto@OpenBSD:
Do not evaluate this->next after calling the handler; the handler may
have clobbered it. Resolves core dumps of cvs server on user ^C.
2004-09-09 22:25:16 +00:00
grant
30980e582d Updated cvs to 1.11.17.
changes since 1.11.16:

SERVER SECURITY FIXES

* Thanks to Stefan Esser & Sebastian Krahmer, several potential security
  problems have been fixed.  The ones which were considered dangerous enough
  to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, &
  CAN-2004-0418 by the Common Vulnerabilities and Exposures Project.  Please
  see <http://www.cve.mitre.org> for more information.

* A potential buffer overflow vulnerability in the server has been fixed.
  This addresses the Common Vulnerabilities and Exposures Project's issue
  #CAN-2004-0414.  Please see <http://www.cve.mitre.org> for more information.
2004-06-10 10:06:43 +00:00
wiz
eaaeb741bb Update to 1.11.16:
Changes since 1.11.15:
**********************

SERVER SECURITY FIXES

* A potential buffer overflow vulnerability in the server has been fixed.
  Prior to this patch, a malicious client could potentially use carefully
  crafted server requests to run arbitrary programs on the CVS server machine.
  This addresses the Common Vulnerabilities and Exposures Project's issue
  #CAN-2004-0396.  Please see <http://www.cve.mitre.org> for more information.

BUG FIXES

* The Microsoft Visual C++ workspace and project files have been repaired and
  regenerated with MSVC++ 6.0.

* The cvs.1 man page is now generated automatically from a section of the CVS
  Manual.

* Thanks to a report from Mark Andrews at the Internet Systems Consortium, the
  :ext: connection method no longer relies on a transparent transport that uses
  an argument processor that can handle arbitrary ordering of options and other
  arguments when using a username other than the caller's.

* Thanks to Ken Raeburn at MIT, directory deletion, whether via `cvs release'
  or empty directory pruning, now works on network shares under Windows XP.
2004-05-22 10:38:06 +00:00
wiz
8ea777230e Update to 1.11.15 (security update):
Changes since 1.11.14:
**********************

SERVER SECURITY ISSUES

* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS
  server.

CLIENT SECURITY ISSUES

* Clients now check paths from the server to verify that they are within one of
  the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.

GENERAL USER ISSUES

* Method options (used by WinCVS & CVS 1.12.7+) in CVSROOTs are ignored.

* Configure no longer checks the $TMPDIR, $TMP, & $TEMP variables to set the
  default temporary directory.

* CVS on Cygwin correctly handles X:\ style paths.

* Import now uses backslash rather than slash on Windows when checking for
  "CVS" directories to ignore in import commands.

* Relative paths containing up-references (`..') should now work in
  client/server mode (client fix).

* A race condition between the ordering of messages from CVS and messages from
  called scripts in client/server mode has been removed (server fix).

* Resurrected files now get their modes and timestamps set correctly and a
  longstanding bug involving resurrection of an uncommitted removal has been
  fixed (server fix).

* Some resurrection (cvs add) status messages have changed slightly.

* `cvs release' now works with Kerberos or GSSAPI encryption enabled (server
  fix).

* File resurrection from a previously existing revision no longer just reports
  that it works (server fix).

* Misc error & status message corrections.

* Diffing of locally added files against arbitrary revisions in an RCS archive
  is now allowed when a file of the same name exists or used to exist on some
  branch (server fix).

* Misc documentation fixes.

Changes from 1.11.13 to 1.11.14:
********************************

GENERAL USER ISSUES

* Imports will now always ignore directories and files named `CVS' to avoid
  violating assumptions made by other parts of CVS.

* A problem with `cvs release' of subdirs that could corrupt CVS/Entries files
  has been fixed (client/server).

* The CVS server's protocol check for unused data from the client is no longer
  called automatically at program exit in order to avoid potential recursive
  calls to error when the first close is due to memory allocation or similar
  problems that cause calls to error() to fail.  The check is still made when
  the server program exits normally.

* The spec file has been updated to work with more recent versions of RPM.

* Several memory leaks have been plugged (client/server).

DEVELOPER ISSUES

* Misc cosmetic, readability, and commenting fixes.
2004-04-15 22:28:36 +00:00
jlam
fe87ac2069 Use the correct zlib.h, not the one distributed with cvs. 2004-03-27 04:22:55 +00:00
jlam
10c8c0cce2 Check for USE_INET being "YES" or "yes". 2004-03-27 04:21:55 +00:00
wiz
83eca79e87 Update to 0.11.13:
Changes since 1.11.12:
**********************

GENERAL USER ISSUES

* Several memory leaks have been plugged.

* Thanks to Ville Skyttä the man page has a few less spelling errors and is
  slightly more accurate.

* An unlikely potential segfault when using the :fork: connection method has
  been fixed.

* Misc cosmetic, readability, and commenting fixes.

* The CVS server has had the protocol check for unused data from the client
  partially restored.

* A fix has been included that should avoid a very rare race condition that
  could cause a CVS server to exit with a "broken pipe" message.

* A minor problem with the nmake build file that was preventing the source from
  compiling under Windows has been fixed.

* Tests have been added to the test suite.

Changes from 1.11.11 to 1.11.12:
********************************

GENERAL USER ISSUES

* Infinite alias loops in the modules file are now checked for and avoided.

* Clients on case insensitive systems now preserve the case of directories in
  CVS/Entries, in addition to files, for use in communications with the CVS
  server.

* Some previously untested behavior is now being tested.

* Server support for case insensitive clients has been removed in favor of the
  server relying on the client to preserve the case of checked out files, as
  per the CVS client/server protocol spec.  This is not as drastic as it may
  sound, as all of the current tests still pass without modification when run
  from a case insensitive client to a case sensitive server.  This change
  disables little previous functionality, enables access to more of the
  possible namespace to users on systems with case insensitive file systems,
  fixes a few bugs, and in the end this should provide a major stability
  improvement.

* Thanks to Ville Skyttä the man page is a bit more accurate.

* Thanks to Ville Skyttä some unused variables were removed from the log_accum
  Perl script in contrib.

* Thanks to Alexey Mahotkin, a bug that prevented CVS from being compiled with
  Kerberos 4 authentication enabled has been fixed.

* A minor bug that caused CVS to fail to report an infinite alias loop in the
  modules file when portions of the alias definition contained trailing slashes
  has been fixed.

* A bug in the gzip code that could cause heap corruption and segfaults in CVS
  servers talking to clients less than 1.8 and some modern third-party CVS
  clients has been fixed.

* mktemp.sh is now included with the source distribution so that the rcs2log
  and cvsbug executables may be run on systems which do not contain an
  implementation of mktemp.

* Misc documentation fixes.
2004-03-04 20:54:40 +00:00
seb
689189ef2d Remove info files entries from PLIST file. 2004-02-13 08:26:03 +00:00
jlam
0377138279 Convert to use krb5.buildlink3.mk to get Kerberos 5 support. Tested to
build and install properly using Heimdal.
2004-01-21 14:31:36 +00:00
jlam
e6a6aed232 whitespace 2004-01-21 14:14:13 +00:00
jlam
580a53de35 bl3ify 2004-01-05 11:42:20 +00:00
wiz
90d2fdbd44 Update to 1.11.11:
SERVER SECURITY ISSUES

* pserver can no longer be configured to run as root via the
  $CVSROOT/CVSROOT/passwd file, so if your passwd file is compromised, it no
  longer leads directly to a root hack.  Attempts to root will also be logged
  via the syslog.

Take over maintainership.
2004-01-03 17:24:07 +00:00
wiz
06e2c18124 Update to 1.11.10:
Changes since 1.11.9:
*********************

SERVER SECURITY ISSUES

* Malformed module requests could cause the CVS server to attempt to create
  directories and possibly files at the root of the filesystem holding the CVS
  repository.  Filesystem permissions usually prevent the creation of these
  misplaced directories, but nevertheless, the CVS server now rejects the
  malformed requests.

GENERAL USER ISSUES

* Case insensitive clients using a case sensitive server can now use a
  `cvs rm -f file; cvs add FILE' command sequence to add a file with the same
  name in a new case.

* CVSROOTs which contain a symlink to a real repository should work.

* The configure script now tests whether it is building CVS on a case
  insensitive file system.  If it is, CVS assumes that all file systems on this
  platform will be case insensitive.  This is useful for getting the case
  insensitivity flag set correctly when compiling on Mac OS X and under Cygwin
  on Windows.  Autodetection can be overridden using the
  --disable-case-sensitivity and --enable-case-sensitivity arguments to
  configure.

* A behavior change in `cvs up -jrev1 -jrev2' for modified files with a base
  revision of rev2 (ie, checked-out version matches rev2 and file has been
  modified).  The operation is no longer ignored and instead is passed to
  diff3.  This will potentially re-apply the diffs between the two revisions to
  a modified local file.  Status messages like from a standard merge have also
  been added when the file would not or does not change due to this merge
  request ("[file] already contains the changes between [revisions]...").

* A bug which could stop `cvs admin -mTAG:message' from recursing has been
  fixed.

* Misc documentation cleanup and fixes.

* Some of the contrib scripts, some of the documentation, and sanity.sh were
  modified to use and recommend more portable commands rather than using and
  recommending commands which were not compatible with the POSIX 1003.1-2001
  specification.

DEVELOPER ISSUES

* A new set of tests to test issues specific to case insensitive clients and
  servers has also been added.

* Support has been added to the test suite to support testing over a :ext: link
  to another machine, subject to some stringent requirements.  This support can
  be used, for instance, to test the operation of a case insensitive client
  against a case sensitive server.  Please see the comments in TEST and the
  src/sanity.sh test script itself for more.

* We've standardized on Automake 1.7.9 to get a bug fix.  See the note below
  on the Autoconf upgrade for more details.

* We've standardized on Autoconf version 2.58 to avoid a bug and get at a few
  new macros.  Again, this should only really affect developers, though it is
  possible that CVS will now compile on a few new platforms.  Please see the
  section of the INSTALL file about using the autotools if you are compiling
  CVS yourself.

Changes from 1.11.8 to 1.11.9:

* CVS now knows how to report, as well as record, `P' record types.

* When running the `cvs history' command, clients will now send the
  long-accepted `-e' option, for all records, rather than explicitly requesting
  `P' record types, a request which servers prior to 1.11.7 will reject with a
  fatal error message.

* A problem with locating files requested by case insensitive clients which was
  accidentally introduced in 1.11.6 as part of a fix for a data loss problem
  involving `cvs add's from case insensitive clients has been fixed.  The
  relevant error message was `cvs [<command> aborted]: filE,v is ambiguous;
  could mean FILE,v or file,v'.

* Attempts to use the global `-l' option, removed from both client and server
  as of version 1.11.6, will now elicit a warning rather than a fatal error
  from the server.

Changes from 1.11.7 to 1.11.8:

* A problem in the CVS getpass library that could cause passwords to echo on
  some systems has been fixed.

Changes from 1.11.6 to 1.11.7:

* A segfault that could occur in very rare cases where the stat of a file
  failed during a diff has been fixed.

* Any user with write privileges to the CVSROOT/checkoutlist file could pass
arbitrary format strings directly through to a printf function.  This was
probably bad and has been fixed.  White space at the beginning of error strings
in checkoutlist is now ignored properly.

* In client/server mode, most messages from CVS now contain the actual
command name rather than the generic "server".

* A long-standing bug that prevented most client/server updates from being
logged in the history file has been fixed.

* Updates done via a patch ("P" status) are now logged in the history file
by default and the corresponding "P" history record type is now documented.
If you're setting the LogHistory option in your CVSROOT/config file, you may
want to add "P" to the list of record types.

* CVS now will always compile and its own getpass() function (originally from
GNULIB) in favor of any system one that may exist.  This avoids some problems
with long passwords on some systems and updates us to POSIX.2 compliance, since
getpass() was removed from the POSIX.2 specification.

* A bug that allowed a write lock to be created in a directory despite
there being existing read locks when using LockDir in CVSROOT/config has
been fixed.

* A bug with short patches (`rdiff -s') which caused rdiff to sometimes report
differences that did not exist has been fixed.

* Some minor corrections were made to the diff code to keep diff & rdiff from
printing diff headers with empty change texts when two files have different
revision numbers but the same content.

* The global '-l' option, which suppressed history logging, has been removed
from both client and server.
2003-12-12 22:05:55 +00:00
seb
8d15907ec2 USE_NEW_TEXINFO is unnecessary now. 2003-08-09 10:38:23 +00:00
grant
91f00f1cbc s/netbsd.org/NetBSD.org/ 2003-07-17 21:21:03 +00:00
wiz
2569301ae4 Let the commit message contain an empty line by default.
Requested by salo; ride 1.11.6 update version bump.
2003-07-12 09:39:28 +00:00
wiz
6da4e38375 Update to 1.11.6.
* A warning message is now issued if an administrative file contains
more than one DEFAULT entry.

* An error running a verifymsg script (such as referencing an unset
user variable or the script not existing) now causes the verification
to fail.

* Errors in administrative files commands (like unset user variables)
are no longer reported unless the command is actually executed.

* When a file is initially checked out, its last access time is
now set to the current time rather than being set to the time the
file was last checked in like the modification time is.

* The Checkin.prog and Update.prog functionality has been removed.
This functionality previously allowed executables to be specified
in the modules file to be run at update and checkin time, but users
could edit these files on a per workspace basis, creating a security
hole.
[NB: already fixed in the package earlier -- wiz]

* Corrected the path in a failed write error message.

* Autoconf and Automake are no longer run automatically unless you
run configure with --enable-maintainer-mode.  Accordingly,
noautomake.sh is no longer needed and has been removed.

* We've standardized on Automake version 1.7.5 and Autoconf version
2.57 to get at a few new macros.  Again, this should only really
affect developers.  See the section of the INSTALL file about using
the autotools if you are compiling CVS yourself.
2003-07-12 09:19:17 +00:00
grant
3ef68c51eb kill some leading whitespace 2003-07-09 17:03:27 +00:00
seb
eadec76813 Convert to USE_NEW_TEXINFO.
Remove unnecessary patches on texinfo sources.
2003-06-19 21:55:26 +00:00
jschauma
e366d0c694 Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.
Should anybody feel like they could be the maintainer for any of these packages,
please adjust.
2003-06-02 01:15:31 +00:00
jmc
1a2859d833 INET6 needs to be disabled on solaris9 as well 2003-04-01 22:52:42 +00:00
jschauma
cc889f1ae1 As with Solaris:
The IPv6 patch doesn't go well with Linux idea of struct sockaddr, so
disable IPv6 for the time being.
2003-03-30 20:04:00 +00:00
seb
414552782d Cvs' IPv6 patch does not like Solaris 8's getaddrinfo().
So disable IPv6 support on this system.
2003-03-23 19:16:48 +00:00
grant
bd9fb58bec fix USE_INET6 and KERBEROS conditionals, allowing this to build with
IPv6 support on FreeBSD and probably others.

bump PKGREVISION for user-visible changes.
2003-03-18 15:29:48 +00:00
grant
9721d61242 bz2 -> gz 2003-03-07 05:41:13 +00:00
grant
2a70b2b93d don't use .bz2 distfile, as it doesn't appear to exist on various
mirrors.
2003-03-07 05:34:30 +00:00
wiz
e264881530 Reorder slightly to please pkglint. 2003-01-21 09:58:38 +00:00
wiz
f71cfe97f2 Update to 1.11.5 (minor update).
The security fix that was the reason for releasing 1.11.5 was already
in 1.11.4nb1.
2003-01-21 09:57:50 +00:00
wiz
a50eb025ee Bump PKGREVISION for patch-ar change. 2003-01-17 02:11:00 +00:00
christos
c2aa9b9d18 - disable update-prog and commit-prog
- avoid double free
2003-01-16 14:46:07 +00:00
wiz
a8d93b1fc7 Update to 1.11.4. Use KAME patch for IPv6 support. If compiling with
kerberos, also use kerberos5 headers since they are now needed by the
gssapi code in cvs.

Changes since 1.11.3:

* Some minor changes to allow the code to compile on Windows platforms.

Changes from 1.11.2 to 1.11.3:

* When waiting for another user's lock, the message timestamps are now
in UTC rather than the server's local time.

* The options.h file is no longer used.  This fixes a bug that occurred when
1.11.2 was compiled on Windows platforms.

* We've standardized on Automake version 1.6.3 and Autoconf version 2.53.
They are cleaner, less bug prone, and will hopefully allow me to start updating
sanity.sh to use Autotest and Autoshell.  Again, this should only really affect
developers.  See the section of the INSTALL file about using the autotools if
you are compiling CVS yourself.
2003-01-15 22:49:37 +00:00
schmonz
d4833b9159 Add "-framework Kerberos" to LDFLAGS to fix build on Darwin. From Fink. 2002-12-24 23:00:18 +00:00
wiz
d214224384 According to a mail from Alan Post on tech-pkg on 2002/11/27,
this package needs a newer makeinfo to compile, so let it demand 4.2.
2002-11-27 17:50:20 +00:00
junyoung
a4c3018741 Correct information for cvs-1.11.2.tar.gz. 2002-11-26 10:30:19 +00:00