The CVS security ID is CAN-2004-0797.
The fix is same as used by OpenBSD, Debian and Gentoo.
(Didn't see any reference to issue on zlib webpages.)
The OpenBSD announcement "zlib reliabilty fix" says:
"could allow an attacker to crash programs linked
with it."
And the Gentoo announcement says "zlib contains a bug in the handling
of errors in the inflate() and inflateBack() functions. ... An
attacker could exploit this vulnerability to launch a Denial of
Service attack on any application using the zlib library."
PKGREVISION is bumped and BUILDLINK_RECOMMENDED.zlib added to
buildlink3.mk file.
to after GNU_CONFIGURE and USE_LIBTOOL being set.
This fixes the problem where the lt_cv_sys_max_cmd_len was not
added to the CONFIGURE_ENV.
Now that I think about it, I caused this problem when I added that
Linux check...
This release features a number of bug fixes, and also the disabling of
the focus-stealing-prevention code (we're entering hard code freeze in
Gnome so it's too late to fix the remaining issues, especially since
it requires several patches to modules other than Metacity).
Thanks to Havoc Pennington, Soeren Sandmann, Elijah Newren, and Rich
Wareham for fixes in this release
Fixes
* track the last_xor_rect, for wireframe painting (Havoc)
* Move wireframe code before grab is released to prevent endless
loops with fullscreen windows. (Soeren)
* Make dialogs that Metacity shows follow focus-stealing-prevention
conventions. (Elijah; part of #149028)
* add render extension check to the display, don't build the
compositing manager by default, use an ARGB visual when available
for the window frame (Rich Wareham; various tweaks added later by
Havoc)
* move the have_xrender variable initialization up in the file since
it can be set as part of composite check (Havoc)
* make argb stuff compile, add some code from xcompmgr (Havoc)
* fix an assertion failure that would occur after increasing the
number of workspaces; fix stacking order when a window is denied
focus (Elijah; #150615)
* disable some compositor code that wasn't working, don't grab the
server during repaint, various set_background fixes and
refactoring (Havoc)
Translations
* az(Metin Amiroff), bs(Kemal Sanjta), ca(Jordi Mallach),
el(Kostas Papadimas), es(Francisco Javier F. Serrador),
eu(Iñaki Larrañaga Murgoitio), fi(Pauli Virtanen),
nb(Kjartan Maraas), sq(Laurent Dhima), uk(Maxim Dziumanenko)
==============
Epiphany 1.2.8
==============
Code changes
* Adapt to Mozilla API changes (Christian)
* Confirm before overwriting a file [#143501]
Bug fixes
* Fix compilation of nautilus view (Christian) [#148995]
* Fix some memory leaks (Jean-François Rameau)
* Really translate the program name (Christian) [#148948]
* Fix restoring the history window on resume (Christian)
* Fix new tab position (Christian)
* Fix a crash in content handler (Christian) [#149550]
* Fix context menu on links with namespaced tag (Mikael Brockman) [#150208]
==============
Epiphany 1.2.7
==============
Code changes
* Adapt to mozilla API changes (Christian)
* Use nsIDOMWindow2 to get the root event target on
mozilla >= 1.7rc3 (Christian)
Bug fixes
* Work around mozilla bug #246392 which causes reloads of framed pages to
go back to original URI (backported from HEAD) (Christian) [#115800]
* Escape markup in string in the duplicate bookmarks dialogue
and topics menu (Christian)
* Escape markup in strings in the NSS dialogues (Crispin Flowerday)
* Work aroung mozilla bug #246392 which causes reload of framed pages to go
back to initial frameset (Christian, Crispin Flowerday) [#115800]
* Don't show redirected and non-toplevel pages in history (Christian) [#142143]
* Allow importing of Epiphany bookmarks format too (Christian) [#144699]
* Fix crash with corrupted toolbars file (Christian) [#144698]
* Fix prefs persistence with non-existent or bogus initial values (Christian)
* Unescape mailto: addresses (Christian) [#144462]
* Fix filename encoding for print-to-file (Christian)
* Depend on libgnomeui >= 2.6.0 (Christian) [#145776]
* Make print and print setup go trough nsIPrintingPromptService (Christian,
backported from HEAD)
* Fix print-to-file filechooser modality (Christian) [#147628]
* Fix mem leaks in gtk NSS dialogues (Christian, ported from galeon)
* Gracefully handle failure to create downloads directory (Marco) [#146902]
* Fix single observer ownership and reference counting (Christian) [#146873,
#146461]
* Fix downloader crash on shutdown (Marco) [#141928]
* Fix build with old mozilla versions (1.4.x, 1.5) (Christian)
* Use nsACString instead of nsCString in a few places in EphyWrapper (Christian)
* Fix crash on screen size change after using fullscreen (Christian)
New translations
* he
Updated translations
* bg, ca, vi
** General
- Improved event recording and playback.
** C64 changes
- Fixed some CPU opcodes.
- Added support for Magic Formel cart (preliminary).
- Improved TFE cart emulation.
- Fixed Final Cartridge III freeze bug.
** VIC20 changes
- Four true drives are supported now.
- The sound code has been rewritten.
** PLUS4 changes
- Added cartridge support.
** VIC-II
- Improved IRQ timing during DMA.
** Unix Changes
- Improved ROM set support.
- Added TFE and IDE64 cart support.
- Fixed crash on 64bit archs.
- Added BSD USB joystick support.
- Complete rework of french translation. Credits to Paul (alias Kaddict)!
** Miscellaneous changes
- Made fsdevice emulation to list non-PRG files again.
- Improved REL file handling of the virtual drive emulation.
- Fixed some bugs in the petcat tokenizer.
** General
- Improved event recording and playback.
** C64 changes
- Fixed some CPU opcodes.
- Added support for Magic Formel cart (preliminary).
- Improved TFE cart emulation.
- Fixed Final Cartridge III freeze bug.
** VIC20 changes
- Four true drives are supported now.
- The sound code has been rewritten.
** PLUS4 changes
- Added cartridge support.
** VIC-II
- Improved IRQ timing during DMA.
** Unix Changes
- Improved ROM set support.
- Added TFE and IDE64 cart support.
- Fixed crash on 64bit archs.
- Added BSD USB joystick support.
- Complete rework of french translation. Credits to Paul (alias Kaddict)!
** Miscellaneous changes
- Made fsdevice emulation to list non-PRG files again.
- Improved REL file handling of the virtual drive emulation.
- Fixed some bugs in the petcat tokenizer.
BMP 0.9.7 rc2
Bugfixes
* Include the file "beep/build.list" in the distribution.
BMP 0.9.7 rc1
Enhancements
* Revised GUI according to GNOME HIG
* New window icons
* New About and Preferences dialog
* New file/folder selector using GTK+ 2.4's file chooser
* Skin cursor support
* New equalizer using IIR filtering
* ID3v2 editing support using id3lib
* ID3 character encoding to assume may now be overrided
* New title formatting tag for conditional fields eg. %{n:text%}
* Experimental GConf and GNOME VFS support
* New translations (Dutch, German, Italian, Japanese, Korean, Lithuanian,
Russian, Simplified Chinese, Spanish, Swedish, Welsh)
* Merged configure scripts for shorter build time
Miscellaneous
* Removed EasyMove and DoubleSize
* Removed real-time priority support
* Removed AM_PATH_BMP m4 macro in favour of PKG_CHECK_MODULES
* Removed beep-config in favour of 'pkg-config bmp'
Bugfixes
* Memory leaks
* i18n and l10n
* Many others (see Bugzilla and ChangeLog)
-enhance warning diagnostics about non-accessible or non-writable maildirs.
-change method of determining name of local host; only fall back to
getfqdn() if the result of gethostname() does not contain a dot.
-documentation enhancements.
Drivel 1.2.0 (The "Hero of Canton" release)
===========================================
* Improvements:
- Added a user manual (Todd).
* Fixes:
- Fixed the oft-reported "automaticall" typo (Todd).
- Synced eggtrayicon.* and recent-files/* with libegg to get the latest
improvements and bug-fixes (Todd).
* Translations:
- Updated Canadian English translation (Adam Weinberger).
- Updated Simplified Chinese translation (Funda Wang).
- Updated Portuguese translation (Duarte Loreto).
- Updated Swedish translation (Christian Rose).
- Updated Czech translation (Miloslav Trmac).
- Updated Dutch translation (Elros Cyriatan).
- Updated Spanish translation (Francisco Javier F. Serrador).
- Updated Albanian translation (Laurent Dhima).
- Updated Brazilian Portuguese translation (Estêvão Samuel Procópio).
Drivel 1.1.2 (The "Betas make bubbles!" release)
================================================
* Improvements:
- Replace the RSA's reference MD5 implementation with a free one.
- Add the GNOME Spinner to the network progress dialog.
- Make the standard error dialog conform to the HIG.
- Port the Network Progress and Insert Image dialogs to Glade.
- Gave the Insert Image and Insert Link dialogs a make-over and some
HIG-lovin'.
- Added a Cancel button to the new Network Progress dialog.
- Use unique names for user pictures, prevents re-downloading the
same image again and again.
- Add support for back-dating journal entries.
- Add tooltips for post options.
* Fixes:
- Prevent the network dialog from "blinking" on short transactions.
- Fix a crash that occured when the network dialog was closed manually.
- Double-clicking an entry in the history dialog opens it for editing.
- Prevent the user from selecting a row in the history list when it is
empty, fixes a crash.
- Fix a few strings to bring them into HIG 2.0 compliance.
* Translations:
- Updated Brazilian Portuguese translation (Raphael Higino and
Estêvão Samuel Procópio).
- Updated Czech translation (Miloslav Trmac).
- Updated Canadian English translation (Adam Weinberger).
- Updated British English translation (David Lodge).
- Updated Spanish translation (Francisco Javier F. Serrador).
Drivel 1.1.1 (The "I'm too hung-over to be creative" release)
=============================================================
* Improvements:
- RhythmBox support for the Music entry (Davyd Madeley).
- New and improved network layer which doesn't suck.
- Abstracted blog API, should make it easy to support multiple blog
systems in the future.
- Support for EggRecent.
- Added a "Drivel journal draft" mimetype.
- Redesigned the Friends dialog.
* Fixes:
- Plugged some memory leaks.
- Use the correct signal (enter_notify) for triggering the query_music
function.
- Lots of HIG-related spacing fixes.
* Translations:
- Updated Spanish translation (Francisco Javier F. Serrador).
- Updated Brazilian Portuguese translation (Raphael Higino).
- Updated Norwegian translation (Kjartan Maraas).
- Updated Albanian translation (Laurent Dhima).
- Updated Czech translation (Miloslav Trmac).
- Updated British English translation (David Lodge).
Drivel 1.1.0 (The "Happy birthday, Stephie!" release)
=====================================================
* Improvements:
- HTML syntax highlighting (Davyd Madeley and Grahame Bowland).
- Optional in-line spell checking support via GtkSpell.
- Undo/Redo support (Davyd Madeley).
- Support the new challenge/response LiveJournal authentication method.
- Per-account autosaves.
- Use LogJam's XML file format when saving/loading drafts (Davyd Madeley).
- The Insert Link dialog now replaces selected text with a hyper-linked
version of the text.
- Saves the filename of drafts so that the user isn't prompted each time she
presses "Save Draft" and add a "Save Draft as..." menu command.
- Autocomplete support for the Mood control (Davyd Madeley).
- Lots of HIG work on the menus, dialogs, and alerts.
* Fixes:
- Keybinding fixes.
- Resolve a couple of bugs in the History dialog (still requires GTK+ 2.4.4
or higher to work correctly) (Davyd Madeley).
- Correct the lj-lq tag in the poll creator (Grahame Bowland).
- Don't duplicate the protocol in the Insert Link dialog (gnome@nash.nu).
- Fixed the autosave feature.
- Resolved a network threading issue that prevented Drivel from working on
NetBSD, and possibly the other BSD variants as well.
- Protect proxy variables with mutex locks, should resolve some more
BSD-related threading issues.
- Use libcurl's unescape method rather than our own, fixes a NetBSD
character conversion problem.
- Fix C99-ism which was preventing successfull compilation on
GCC-2.95 (Julio M. Merino Vidal).
* Translations:
- Added Albanian translation (Laurent Dhima).
- Updated Czech translation (Miloslav Trmac).
- Updated Brazilian Portuguese translation (Raphael Higino).
- Updated British English translation (David Lodge).
automatically in the PLIST.
- Use the new mimedb.mk file from shared-mime-info to handle the registration
of new mime types.
- Remove redundant LIBTOOL_OVERRIDE
- Bump PKGREVISION to 1 because of this.
* Changes in the package:
- Add a buildlink3.mk file to be used to add a direct dependency on this
package. This file also creates a fake "update-mime-database" wrapper
in the buildlink directory so that programs can't run it directly
during its build.
- Add the mimedb.mk file, which can be used by packages that install
mimedb extensions (into share/mime/packages) to automatically rebuild
the database at (de)installation time.
- The mime database files (except those installed into share/mime/packages)
must not be listed in the PLIST, so add some PRINT_PLIST_AWK magic to
handle this automatically.
* Mime Types Changes:
- Added various aliases
- Make text files inherit from text/plain
- Added text/x-xmi
- Added application/x-javascripta
* Translations:
- new translations: Danish (Ole Laursen), Greek (Nikos Charonitakis),
Korean (Cha Young-Ho)
- updated translations: Finnish (Ville Skyttä), German (Christian Neumair)
* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
use keys specified in ssh_config, rather than any keys in ssh-agent(1)
* Make sshd(8) re-execute itself on accepting a new connection. This security
measure ensures that all execute-time randomisations are reapplied for each
connection rather than once, for the master process' lifetime. This includes
mmap and malloc mappings, shared library addressing, shared library mapping
order, ProPolice and StackGhost cookies on systems that support such things
* Add strict permission and ownership checks to programs reading ~/.ssh/config
NB ssh(1) will now exit instead of trying to process a config with poor
ownership or permissions
* Implemented the ability to pass selected environment variables between the
client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
ssh_config(5) for details
* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
number of authentication attempts permitted per connection
* Added support for cancellation of active remote port forwarding sessions.
This may be performed using the ~C escape character, see "Escape Characters"
in ssh(1) for details
* Many sftp(1) interface improvements, including greatly enhanced "ls" support
and the ability to cancel active transfers using SIGINT (^C)
* Implement session multiplexing: a single ssh(1) connection can now carry
multiple login/command/file transfer sessions. Refer to the "ControlMaster"
and "ControlPath" options in ssh_config(5) for more information
* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)
* Portable OpenSSH: Re-introduce support for PAM password authentication, in
addition to the keyboard-interactive driver. PAM password authentication
is less flexible, and doesn't support pre-authentication password expiry but
runs in-process so Kerberos tokens, etc are retained
* Improved and more extensive regression tests
* Many bugfixes and small improvements
- SECURITY: Don't try to free() uninitialised variables in DSS verification
code. Thanks to Arne Bernin for pointing out this bug. This is possibly
exploitable, all users with DSS and pubkey-auth compiled in are advised to
upgrade.
- Clean up agent forwarding socket files correctly, patch from Gerrit Pape.
- Don't go into an infinite loop when portforwarding to servers which don't
send any initial data/banner. Patch from Nikola Vladov
- Fix for network vs. host byte order in logging remote TCP ports, also
from Gerrit Pape.
- Initialise many pointers to NULL, for general safety. Also checked cleanup
code for mp_ints (related to security issues above).
Changes:
* The SSL/X509 DNS name verification code was fixed; it used incorrect code
from a book which sometimes caused segmentation faults (Bugreport by Lars
Kellogg-Stedman).
* The 'disconnect' command now accepts an optional message list specifying
messages to be read into the IMAP cache before the connection is closed.
* The new 'cache' command reads a list of messages into the IMAP cache.
* IMAP BODY.PEEK[] is now used when fetching messages from the server, and
the '\Seen' flag is set when the 'quit' command is executed. Thus an
'exit' command does not cause messages marked to be read.
* The 'connect'/'online' commands now announce new messages that are found
on the server.
* The 'replyto' variable can now contain multiple addresses.
* If the 'sort' command is used without arguments, the current sorting
criterion is printed.
* The 'sort', 'thread', 'unsort', and 'unthread' commands now only print a
header summary if the 'header' variable is set.
* The 'size' command has been fixed to print the full sizes of messages that
have not yet been entirely read in IMAP and POP3 folders, instead of the
sizes of the already downloaded parts.
* Deleted messages remained in the cache until an IMAP folder was accessed
a second time since 11.3. They are now deleted immediately when a folder
is quit in online mode.
* The configuration system now also checks for iconv() in libiconv if it is
not found in one of the standard libraries (Matthias Andree).
* Specifying LIBS on the make command line does now work with several make
implementations of commercial Unices too (Bugreports by Matthias Andree,
Matt S).
Changes in the package
======================
* Install compatibility symlinks for shared libraries to not break binary
programs linked against 1.4.0. This is just a workaround for our broken
libtool naming scheme and should be removed when it is fixed. Agreed
by rh@.
* Move installation of documentation to doc/, out of doc/html.
Overview of changes between 1.4.0 and 1.4.1
===========================================
* Win32 bug fixes [Tor Lillqvist, John Ehresman]
* Thai rendering improvements including OpenType support
[Theppitak Karoonboonyanan]
* Fix common crash in Hangul shaper [Changwoo Ryu]
* Fix various problems with language tag selection [Frederic Zhang]
* Documentation improvements [Felipe Heidrich, Doug Quale]
* Fix crash in line break code [Jeroen Zwartepoorte, Billy Biggs]
* Build fixes [J. Ali Harlow, Noah Misch]
* OpenType engine fixes [Kailash C. Chowksey, Sayamindu Dasgupta, Aamir Wali,
Masatake YAMATO, Soheil Hassas Yeganeh]
* Indic module bug fixes [Chris Blizzard, Rajkumar S, Taneem Ahmed,
Jungshik Shin]
* Misc bug fixes [Stanislav Brabec, Anders Carlsson, Behdad Esfahbod,
Jody Goldberg, Theppitak, Sven Neumann, Manish Singh, Morten Welinder]
