pkgsrc change:
* tcp_wrappers support was removed from release 6.7, but it is added here,
referring to FreeBSD's ports.
* hpn-patch is also based on FreeBSD's ports.
Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
For more information, please refer to the release announcements.
http://www.openssh.com/txt/release-6.9
http://www.openssh.com/txt/release-6.8
http://www.openssh.com/txt/release-6.7
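An added illustration (not OpenSSH's code) of the three ssh-agent lock mitigations the entry lists: a salted hash is stored instead of the lock password, unlock attempts are checked with a constant-time comparison, and the response delay grows with each failure. The KDF is a deliberately simple placeholder so the block is self-contained, and the function names, the delay schedule and the salt are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define SALT_LEN 16
#define HASH_LEN 32
#define MAX_DELAY_MS 10000
struct agent_lock { int locked; unsigned failures; uint8_t salt[SALT_LEN], hash[HASH_LEN]; };
/* Placeholder KDF (iterated FNV-1a over salt||password) to keep the block self-contained; a real agent uses a proper password KDF. */
static void lock_kdf(const uint8_t *salt, const char *pw, uint8_t out[HASH_LEN]) {
    for (size_t w = 0; w < HASH_LEN / 8; w++) {
        uint64_t h = 14695981039346656037ULL ^ w;
        for (unsigned it = 0; it < 4096; it++) {
            for (size_t i = 0; i < SALT_LEN; i++) { h ^= salt[i]; h *= 1099511628211ULL; }
            for (const char *p = pw; *p; p++) { h ^= (uint8_t)*p; h *= 1099511628211ULL; }
        }
        memcpy(out + 8 * w, &h, 8);
    }
}
/* Constant-time compare: every byte is examined, so elapsed time does not reveal how much of a guess was right. 0 = equal. */
static int ct_bcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff != 0;
}
/* Lock: retain salt and hash only, never the password. The salt must come from a CSPRNG (e.g. getrandom(2)); the caller supplies it. */
void agent_lock(struct agent_lock *l, const uint8_t salt[SALT_LEN], const char *pw) {
    memcpy(l->salt, salt, SALT_LEN); lock_kdf(l->salt, pw, l->hash);
    l->locked = 1; l->failures = 0;
}
/* Delay (ms) before answering the next attempt: doubles per failure, capped. */
unsigned lock_delay_ms(unsigned failures) {
    unsigned d = 100;
    for (unsigned i = 0; i < failures && d < MAX_DELAY_MS; i++) d *= 2;
    return d > MAX_DELAY_MS ? MAX_DELAY_MS : d;
}
/* Unlock: 1 on success, 0 on failure. The caller sleeps lock_delay_ms(l->failures) before replying (omitted so this stays testable). */
int agent_unlock(struct agent_lock *l, const char *pw) {
    uint8_t cand[HASH_LEN]; lock_kdf(l->salt, pw, cand);
    if (!l->locked || ct_bcmp(cand, l->hash, HASH_LEN) != 0) { l->failures++; return 0; }
    l->locked = 0; l->failures = 0; memset(l->hash, 0, HASH_LEN);
    return 1;
}
/* Scenario with a constructed salt: two bad guesses, then the right password. Returns 1 if every step behaves as expected. */
int lock_demo(void) {
    struct agent_lock l; uint8_t salt[SALT_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    agent_lock(&l, salt, "correct horse");
    if (agent_unlock(&l, "wrong") || agent_unlock(&l, "wronger") || l.failures != 2) return 0;
    if (lock_delay_ms(l.failures) != 400) return 0;
    return agent_unlock(&l, "correct horse") && !l.locked;
}
```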
Changelog:
What's New
New GMail supports OAuth2 authentication, removing the need to manually select "allow less secure applications" in Google options for the account. (bug 849540)
New Ship Lightning calendar addon with Thunderbird and enable with an opt-out dialog (bug 1113183)
New Filter sent messages (bug 11039)
New Filter messages when archived (bug 479823)
New Enable search in multiple/all address books (bug 170270)
New Add support for Yahoo Messenger in Chat (bug 955574)
New Support Internationalized domain name URLs for RSS feeds (Bug 1018589)
New Show expanded columns in folder pane (bug 464973)
New Allow file-per-message (maildir) local message storage (bug 845952)
New Add a Learn more link to the support page in feeds subscribe dialog (bug 1053782)
New Add reading position marker line to conversations (bug 760762)
New The editor for twitter should show inputtable character count (bug 736002)
Changed Thunderbird will no longer use SHA-1 to sign messages (bug 1018259)
Changed Removed rarely used character sets: T.61-8bit, non-encoding Mac encoders, VISCII, x-viet-tcvn5712, x-viet-vps, x-johab, ARMSCII8; map us-ascii to windows-1252; ISO-8859-6-I and -E and ISO-8859-8-E (bug 1068505 and others)
Changed Disable CONDSTORE support for IMAP to prevent discrepancies in IMAP message status (deleted, unread) on some servers (bug 912216)
Changed Make OpenSearch queries open in the user's default browser (bug 1120777)
Changed Default to using SSL for XMPP and IRC. This might cause issues for self-signed certificates (bug 1122567, bug 1122666)
Fixed Replied/forwarded icons disappear after folder repair, detach/delete (bug 840418)
Fixed Attachment "Save As" files are displayed in Tools/Saved Files (bug 914517)
Fixed Adding unknown email addresses to Mailing list, then deleting ghost duplicate entries from contacts pane, caused data loss in mailing list (bug 628035)
Fixed Web site from RSS feed was not rendered correctly (bug 662907)
Fixed Email address with leading/trailing whitespace displayed wrongly with added quotes when composing ["foo"@bar.com] (bug 286760)
Fixed Force display of Sender header if S/MIME sender is the signer (bug 332639)
Fixed Addressing autocomplete widget: Typed text in red despite results/matches found if suggestions change by last input (bug 1042561)
Fixed Status bar not accessible (bug 934875)
Fixed Wrong folder may be deleted when requesting junk delete (bug 1018960)
Fixed Severe UI stutter or freezes getting new mail for very large folders (bug 870556)
Fixed Automatically rejoin multi-user conversations on reconnect for XMPP (bug 1014472)
Fixed Various improvements when using IRC on moznet (bug 1083768 and others)
Fixed Significantly improve XMPP support (bug 1085022 and others)
Fixed Fixes for connecting to non-standard IRC networks (bug 870556 and others)
Fixed Automatically reclaim IRC nicks during a reconnect (bug 1087566)
Fixed Changing location in editor doesn't preserve the font when returning to end of text/line (bug 756984)
Fixed Inline spell checker loses red underlines after a backspace is used (bug 1100966)
Known Issues
unresolved Automatic addon compatibility update checks were not completed, so existing addon compatibilities may not be accurate.
unresolved Copy/Paste into plain text editor deletes newlines from quoted text (bug 1143570)
unresolved Importing data from Outlook or Eudora crashes (bug 917961)
Security:
Fixed in Thunderbird 38.0.1
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.
It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.
Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.
This package tracks 38 ESR.
* Version 1.31 (released 2015-07-08) [beta]
** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
This function has always been documented to not validate that the
input UTF-8 string is actually valid UTF-8. Like the rest of the API,
when you call a function that works on UTF-8 data, you have to pass it
valid UTF-8 data. Application writers appear to have difficulties
using interfaces designed like that, as bugs triggered by invalid
UTF-8 have been identified in a number of projects (jabberd2, gnutls,
wget, and curl). While we could introduce a new API to perform UTF-8
validation, so that applications can easily implement the proper
checks, this appears error-prone because there is a risk that the check
will be forgotten. Instead, we took the more radical approach of
modifying the documentation and the implementation of the API. The
intention is that all functions that accept UTF-8 data should
validate it before use. This will solve the problem for applications,
without needing to change them. This change has the unfortunate
side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
code, as the gnulib/libunistring-based code that we use to test
UTF-8-compliance rejects Surrogate codes. We hope that this is an
acceptable cost to live with in order to improve application security.
We welcome feedback on this solution, and we are marking this release
as beta rather than stable to signal that we may reconsider this
approach if people disagree. Reported by several people including
Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
Mavrogiannopoulos.
** libidn: Added STRINGPREP_ICONV_ERROR error code.
** libidn: Workaround valgrind/gcc/glibc issue.
Valgrind reported an 'Invalid read of size 4' that was caused by an
optimized strlen implementation. Reported and patch by Alessandro
Ghedini <alessandro@ghedini.me>.
** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
Errors caught by valgrind did not always trigger 'make check' failures
before.
** i18n: Updated Danish translation.
Thanks to Joe Hansen.
** API and ABI are backwards compatible with the previous version.
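An added example (not libidn's code) of the validate-before-use approach the entry describes: a UTF-8 to UCS-4 decoder that refuses malformed, truncated, overlong and surrogate sequences up front, so a surrogate surfaces as a conversion error rather than reaching a later prohibited-character check. The UTF8_* codes and the helper functions are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical return codes standing in for libidn's: input that is not valid UTF-8 (surrogates included) is refused before any stringprep step. */
enum { UTF8_OK = 0, UTF8_ICONV_ERROR = -1 };

/* Decode one sequence from s[0..n). Returns bytes consumed (>0) and stores the code point,
 * or 0 if it is malformed, truncated, overlong, a surrogate or above U+10FFFF. */
size_t utf8_decode_one(const uint8_t *s, size_t n, uint32_t *cp) {
    size_t len = 0; uint32_t c = 0, min = 0;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; min = 0x10000; }
    else return 0;                               /* stray continuation byte or F8..FF */
    if (n < len) return 0;                       /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;     /* continuation byte expected */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min) return 0;                       /* overlong form, e.g. C0 80 for NUL */
    if (c >= 0xD800 && c <= 0xDFFF) return 0;    /* UTF-16 surrogate, never legal in UTF-8 */
    if (c > 0x10FFFF) return 0;
    *cp = c; return len;
}

/* Validating UTF-8 -> UCS-4: the whole input is rejected at the first bad sequence
 * instead of handing partially decoded data on to the caller. */
int utf8_to_ucs4(const uint8_t *s, size_t n, uint32_t *out, size_t cap, size_t *outlen) {
    size_t i = 0, k = 0;
    *outlen = 0;
    while (i < n) {
        uint32_t cp;
        size_t used = utf8_decode_one(s + i, n - i, &cp);
        if (used == 0 || k == cap) return UTF8_ICONV_ERROR;
        out[k++] = cp; i += used;
    }
    *outlen = k; return UTF8_OK;
}

/* Quick-check helpers: code point count, or the idx-th code point; -1 when the input is invalid. */
long utf8_count(const char *s, size_t n) {
    uint32_t buf[64]; size_t k;
    return utf8_to_ucs4((const uint8_t *)s, n, buf, 64, &k) == UTF8_OK ? (long)k : -1;
}
long utf8_cp(const char *s, size_t n, size_t idx) {
    uint32_t buf[64]; size_t k;
    if (utf8_to_ucs4((const uint8_t *)s, n, buf, 64, &k) != UTF8_OK || idx >= k) return -1;
    return (long)buf[idx];
}
```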
* Change packaging from bz2 to xz
* Fixed waitip
* For Prefix Delegation, servers must now support RFC7550
* Fixed detecting host routes in DHCP messages
* Fixed ARP checking that failed in some situations
* Fixed static address assignment in dhcpcd.conf
* Split IPv4LL state from DHCP and into its own state
* Reject any NA/RA with a hop limit != 255
* Replace if_oneup with if_afwaited and af_waited for hook scripts
* Fix a potential buffer overrun if an embedded DHCP option is
a zero length or fails to parse - thanks to Paul Stewart
* Check fclose for errors - thanks to Bob
* wpad_url has been added to dhcpcd-definitions.conf
* Fix a double free when failing to send a DHCPv6 RELEASE
Thanks to Todd Blanchard.
* Correct IPv6 public address test, thanks to Michał Kępień
* Fix DHCPv6 starting if no public addresses found in the RA
but the M or O bit was set
* Replaced custom uptime() with clock_gettime(2)
* Fix DHCPv6 elapsed time
Mtx(1) is a set of low level driver programs to control features of SCSI
backup related devices such as autoloaders, tape changers, media jukeboxes,
and tape drives. It can also report much data, including serial numbers,
maximum block sizes, and TapeAlert(tm) messages that most modern tape
drives implement, as well as do raw SCSI READ and WRITE commands to
tape drives.
It works like chio(1) but supports more features and drives and runs in
userland. There are some amanda (sysutils/amanda-server) scripts, which
depend on mtx.
configure tries to discover capstone (and ssl) with pkg-config.
This issue was spotted thanks to BulkTracker.
If capstone is missing, radare2's Makefiles try to fetch it with git.
The missing git was the direct reason for the failure during bulk builds.
This package is prepared to reuse capstone from devel/capstone and never
fetch additional dependencies from external sources during its build.
Reviewed by <khorben>
radare2 is an advanced command-line hexadecimal editor
with a set of tools for working with binary files.
This package generates language bindings for radare2.
2015.07.05 - GNU nano 2.4.1 "Portorož" is released. This release
includes several fixes, including the ability to resize
when in modes other than the main editing window,
proper displaying of invalid UTF-8 bytes, new syntax
definitions for Elisp, Guile, and PostgreSQL, and
better display of shortcuts in the help menu and file
browser. Thanks for your patience and using nano!
I am happy to announce release of Qt 4.8.7 today bringing over 150
improvements and bug fixes. Qt 4.8.7 provides important security
updates, better support for Mac OS X 10.10 and many requested error
corrections. As a patch release, it does not add new functionality
and maintains full compatibility with previous Qt 4.8.x releases.
Highlights of Qt 4.8.7 are:
* Security fix for DoS vulnerability in the BMP image handler
  (CVE-2015-0295) as well as security fixes for vulnerabilities
  in image handling of BMP (CVE-2015-1858), ICO (CVE-2015-1859)
  and GIF (CVE-2015-1860)
* Update 3rd party libpng to version 1.6.17 to address known
  vulnerabilities in previous version
* Update 3rd party libtiff to version 4.0.3 to address known
  vulnerabilities in previous version
* Better support for running Qt 4.8 applications on Mac OS X
  10.10 Yosemite
* Many customer requested bug fixes
Upstream announcement for 11.2.202.481:
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
Security Advisory for Adobe Flash Player
Release date: July 7, 2015
Vulnerability identifier: APSA15-03
CVE number: CVE-2015-5119
Platform: Windows, Macintosh and Linux
Upstream announcement for 11.2.202.468:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
Security updates available for Adobe Flash Player
Release date: June 23, 2015
Vulnerability identifier: APSB15-14
CVE number: CVE-2015-3113
Platform: Windows, Macintosh and Linux