pkgsrc changes:
- use private Linux npviewer.bin binaries built by me (tsutsui@) on
openSUSE 12.1 on 32 bit (i386) and 64 bit (x86_64) on VirtualBox
- enable EMUL_PLATFORMS=linux-x86_64 using the native 64 bit Linux
npviewer.bin binary, which allows using 64 bit native adobe-flash-plugin
on NetBSD/amd64 hosts
- also explicitly set EMUL_REQD= suse>=12.1 (NetBSD 6.x can use it anyway)
- tweak some pkgsrc ${PREFIX}
- update HOMEPAGE
- take maintainership
Note:
- major Linux distributions provided nspluginwrapper binaries to use
the 32 bit plugin binaries without sources on their 64 bit systems,
so there is no 64 bit wrapper binary (npviewer.bin) to use native 64 bit
plugin binaries on other systems (like NetBSD) via binary emulation
- nowadays Adobe provides 64 bit native adobe-flash-plugin11 binaries
and NPAPI plugins are being deprecated by vendors, so I guess there is
very little motivation to update nspluginwrapper project for Linux people
http://nspluginwrapper.org/why.html
- Linux binaries in distfiles are built with the following changes to
  make npviewer.bin work on non-Linux hosts:
  - configure with the following options, to enable "generic" RPC calls
    (The default Linux native binaries use their specific "anonymous socket")
    - for i386:
      % ./configure --enable-generic
    - for x86_64:
      % ./configure --target-cpu=x86_64 --disable-biarch --enable-generic --enable-viewer --enable-player
  - disable USE_NPIDENTIFIER_CACHE in npviewer (as patch-src_npw-viewer.c),
    which doesn't seem to be tested with the "generic" RPC interfaces
OK from abs@, and no particular objection to PR pkg/49705 and pkgsrc-users@.
Also thanks to Onno van der Linden for his first analysis about
newer nspluginwrapper APIs in PR pkg/47208.
Upstream changes (in NEWS file):
Version 1.4.4 - 30.Jun.2011
* Fix crash in some cases when the number of watched file descriptors decreases
Version 1.4.2 - 04.Jun.2011
* Fix crash in WebKit/GTK when npwrapper.so is incorrectly treated as a plugin
* Fix symbol versioning issues with _Unwind_GetIPInfo on some systems
* Fix install process with parallel make
Version 1.4.0 - 15.May.2011
* Report capabilities over RPC to fix logic based on NULL plugin/browser hooks
* Fix initialization bug that causes Flash 10.3 to report a version of 0
* Implement ClearSiteData NPAPI extension for managing Flash LSOs
* Work around bug in Konqueror that prevents plug-ins from functioning properly
Version 1.3.2 (BETA) - 23.Apr.2011
* Work around lack of client-side windows in Flash
* Fix race condition when NPP_Destroy was called while viewer is busy
* Fix build on modern Linux platforms
* Support NPAPI 0.24, in particular, Flash can now query for private browsing
* Don't export any symbols but those necessary
* Support XEmbeding npplayer into another application
* Remove NPClass::HasMethod cache; it was incorrect
* Fix initializing two wrapped plugins with the same name in the same process
* Work around Qt bug that breaks npplayer when Kopete is installed
* Release implicit grabs before forwarding events to fix Flash context menu hang
* Work around Firefox quirk that broke windowless Flash in Firefox 4
* Bind wrapper and viewer event loops together to avoid many many race conditions
* Redesign NPRuntime bridge to avoid leaking proxy objects
* Incorporate release number into ident string so update works on distro patches
Version 1.3.0 (BETA) - 02.Jan.2009
* Don't poll for Xt events in Gtk (XEMBED) plug-ins
* Use 40 Hz timer for Xt events only when necessary (Xt input sources)
* Add NPIdentifier and NPClass::HasMethod caches, i.e. lower RPC traffic
* Add support for multiple viewer paths, see --viewer-paths=PATH-EXPR
* Add basic checks for malloc()'ed buffer underflow/overflow
* Add checks for single-threaded calls into the browser (NPN_*() functions)
The binaries in distfiles in this package seem built by pkgsrc developers,
but I'm not sure which sources were used to build the previous version.
In this "4.2.2011" version all binaries are built by me (tsutsui@) using
libflashsupport.c in Open Sound System oss v4.2-2011 distribution
http://www.opensound.com/
http://www.4front-tech.com/developer/sources/stable/gpl/oss-v4.2-build2011-src-gpl.tar.bz2
on openSUSE 12.1 on both 32 bit (i386) and 64 bit (x86_64) on VirtualBox.
Notable visible changes from previous libflashsupport-1.1:
- provide not only i386 version but also x86_64 native binary,
which allows sound via oss with 64 bit native adobe-flash-plugin
and nspluginwrapper binaries
- resolve a sound noise problem on some flash videos
11ce031e40/
Also take maintainership.
OK from abs@, and no particular objection to PR pkg/49705 and pkgsrc-users@.
It was only referred from adobe-flash-plugin 10.0 package in Attic and
didn't work well (or not necessary?) for current adobe-flash-plugin11.
No particular comments to PR pkg/49705 and pkgsrc-users@ post.
This package was provided for old 10.0 based adobe-flash-plugin
for older NetBSD 5.x systems using suse100, but the old flash package
has been removed recently.
Update home page & master site, clean up.
PgBouncer 1.6.1.
- Security fix for CVE-2015-6817.
- Per-pool pooling mode vs. reset query.
Details:
http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
PgBouncer 1.6.0
Main new features:
- Load user password hash from postgres database.
- Pooling mode can be configured both per-database and per-user.
- Per-database and per-user connection limits: max_db_connections and
max_user_connections.
- Add DISABLE/ENABLE commands to prevent new connections.
- New preferred DNS backend: c-ares.
- Config files have %include FILENAME directive to allow configuration
to be split into several files.
Details:
http://pgbouncer.github.io/2015/08/pgbouncer-1-6/
PgBouncer 1.5.5
- Fix remote crash - invalid packet order causes lookup of NULL pointer.
Not exploitable, just DoS.
Upstream changes:
* v3.00 - 21st May 2015
No changes from v2.99_04.
* v2.99_04 (pre-release for 3.0) - 18th May 2015
Uploaded files with duplicate field names are treated in the
same ways as other data with duplicate field names.
* v2.99_03 (pre-release for 3.0) - 5th April 2015
BUG FIX: Additional change to forms.t to prevent MS Windows systems
hanging. (issue 103315)
* v2.99_02 (pre-release for 3.0) - 4th April 2015
Added force_unique_cookies method and equivalent parsing code and tests.
Improved test suite: better coverage, skipped failing tests for
Microsoft systems which don't use/honour normal permissions, silenced
noisy tests on older perls.
* v2.99_01 (pre-release for 3.0) - 31st March 2015
Source amended to pass perlcritic. String evals removed or replaced.
Strictures added to module and examples. All filehandles are now
lexicals. Consistent source formatting applied to module (perltidy).
deny_uploads and set_size_limit added.
All active public subroutines are now methods.
print_cookie_data and print_form_data have been removed. They had been
deprecated for well over a decade.
escape_dangerous_chars has been removed. It has been considered a
security risk since version 2.0.
Upstream changes:
version 1.20; 2015-10-21
* bugfix: avoid some C undefined behaviour from unsequenced side effects
that in practice bit when using a newer gcc (4.9 rather than 4.7)
with the parser token stack change in Perl 5.21.9
* add doc note advising users to prefer the core aliasing facility on
Perl 5.22
version 1.19; 2015-10-21
* update for new stricture on op_last in Perl 5.21.2
* update for the parser's PL_expect changes in Perl 5.21.4
* update for op_private stricture in Perl 5.21.4
* update for sub references directly in stash in Perl 5.21.4
* update for IS_PADGV()'s limited visibility in Perl 5.21.4
* update for increased specialness of OP_PUSHMARK in Perl 5.21.6
* update for distinct PADNAMELIST type in Perl 5.21.7
* update for multideref optimisation in Perl 5.21.7, by a disgusting
hack that depends on a flaw in the optimisation (which may disappear
in the future) and which disables the optimisation entirely
* add MYMETA.json to .gitignore
Bug:
* [SSPCPP-656] - NameID insert logic appears wrong for ODBC Session store
* [SSPCPP-657] - Update Windows libraries
* [SSPCPP-663] - BOOST autoconf macros break with gcc5
* [SSPCPP-665] - Use of systemd breaks on reboot due to disappearance of /run/shibboleth
Improvement:
* [SSPCPP-654] - Move fork wait timeout from init script to sysconfig
Task:
* [SSPCPP-661] - Preparation of 2.5.5 release
* [SSPCPP-662] - Set AllowSameVersionUpgrades to 'yes'
Version 2.5.4
Bug:
* [SSPCPP-612] - Old DiscoveryFeed cache files are not correctly removed
* [SSPCPP-616] - SP does not build with C++11
* [SSPCPP-621] - log4shib. RemoteSyslogAppender doesn't work in debian.
* [SSPCPP-623] - Attribute mapper interprets attribute name with leading/trailing whitespace
* [SSPCPP-624] - Trailing whitespace in authnContextClassRef attribute parsed incorrectly
* [SSPCPP-627] - SyslogAppender is not working on windows
* [SSPCPP-646] - When triggered by file size limit, native.log does not rotate correctly and logs are missing
Improvement:
* [SSPCPP-618] - Add support for Amazon Linux 2014.3 via attached patch
* [SSPCPP-629] - attribute-map.xml missing "uid" attribute (eduPerson)
* [SSPCPP-645] - Adjust ownership of /var/cache/shibboleth in the init script of RPM-based Linux distributions
* [SSPCPP-647] - consider not permitting RC4 on back channel queries
Task:
* [SSPCPP-644] - Release log4shib 1.0.9
* [SSPCPP-648] - Release process for 2.5.4
Version 2.5.3
Bug:
* [SSPCPP-578] - Example Apache config uses require valid-user
* [SSPCPP-580] - FastCGI programs use libxmltooling but don't link with it
* [SSPCPP-584] - Limit on preserved POST data size is not enforced
* [SSPCPP-585] - POST data replay in Firefox fails if data contains key "submit"
* [SSPCPP-589] - Relative paths in Shibboleth XML catalogs are resolved against /usr/share/xml/opensaml
* [SSPCPP-595] - postTemplat.html form submission bug
* [SSPCPP-596] - Red Hat init script produces spurious restorecon warning at startup
* [SSPCPP-603] - Directory Indexes don't work when using file-based basic auth (ShibCompatValidUser is On)
Documentation:
* [SSPCPP-591] - Errors partialLogout attribute not documented
Improvement:
* [SSPCPP-598] - Dynamic metadata provider in SP should avoid unmarshalling non-EntityDescriptor results
* [SSPCPP-605] - Rephrase error log lines for AuthnFailed responses
Task:
* [SSPCPP-609] - Release of 2.5.3
Upstream changes:
6.25 2015-10-21
- Deprecated Mojo::Message::Request::proxy with boolean and string arguments
in favor of Mojo::Message::Request::via_proxy.
- Replaced proxy method in Mojo::Message::Request with an attribute.
- Moved all bundled files into "resources" directories.
- Added via_proxy attribute to Mojo::Message::Request.
- Improved Mojo::DOM::CSS to support selectors with leading and trailing
whitespace.
- Improved rendering of built-in templates to show actual template names in
log messages.
- Fixed punycode bug in Mojo::URL.
- Fixed "0" value bug in Mojo::JSON::Pointer.
pkgsrc change:
* Remove duplicated HTML documents.
* Install some additional documents.
Changes are too many to write here, please refer to the NEWS files, and this
release fixes security problems.
October 2015 NTP Security Vulnerability Announcement (Medium)
NTF's NTP Project has been notified of the following 13 low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on
Wednesday, 21 October 2015:
* Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association
authentication bypass via crypto-NAK (Cisco ASIG)
* Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (IDA)
* Bug 2921 CVE-2015-7854 Password Length Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock
driver could cause a buffer overflow. (Cisco TALOS)
* Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
Vulnerability. (OpenVMS) (Cisco TALOS)
* Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
* Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
* Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
* Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
* Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile"
should only be allowed locally. (RedHat)
* Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
validate the origin timestamp field. (Boston University)
* Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
data packet length checks. (Tenable)
The only generally-exploitable bug in the above list is the crypto-NAK bug,
which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were
not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all
below 1.8 CVSS score, so we're reporting them here:
* Bug 2382 : Peer precision < -31 gives division by zero
* Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
* Bug 1593 : ntpd abort in free() with logconfig syntax error
because this is a GNU configure script and without it we do not get
config.{sub,guess} overrides.
Instead, pass --disable-option-checking to the configure script so that
unrecognized options that appear when using pkgsrc iconv are discarded.
This is a security release fixing CVE-2015-5230.
Bug fixes:
- Avoid superfluous backend recycling
- Removal of dnsdist from the authoritative server distribution
- Add EDNS unknown version handling and tests EDNS unknown version handling
Improvements:
- Update YaHTTP to v0.1.7
- Make trailing/leading spaces stand out in pdnssec check_zone
- GCC 5.2 support and sync boost.m4 macro with upstream
- Log answer packets only if log-dns-details is enabled
=============
Features:
* Default for ssl-port is port 853, the temporary port assignment for
secure domain name system traffic. If you used to rely on the older default
of port 443, you have to put a clause in unbound.conf for that. The new
value is likely going to be the standardised port number for this traffic.
* ANY responses include DNAME records if present,
as per Evan Hunt's remark in dnsop.
Bug Fixes:
* Fix segfault in the dns64 module in the formaterror error path.
* Fix manpage to suggest using SIGTERM to terminate the server.
* iana portlist update.
Unbound 1.5.5
=============
Features:
* Change default of harden-algo-downgrade to off.
This is lenient for algorithm rollover.
* Added permit-small-holddown config to debug fast 5011 rollover.
* Allow certificate chain files to allow for intermediate certificates.
* Enable ECDHE for servers. Where available, use SSL_CTX_set_ecdh_auto()
for TLS-wrapped server configurations to enable ECDHE. Otherwise,
manually offer curve p256. Client connections should automatically
use ECDHE when available.
* [bugzilla: 699 ] Feature --enable-pie option that builds PIE binary.
* [bugzilla: 700 ] Feature --enable-relro-now option that enables full
read-only relocation.
* [bugzilla: 702 ] New IPs for h.root-servers.net.
Bug Fixes:
* [bugzilla: 681 ] Fix setting forwarders with unbound-control forward
implicitly turns on forward-first.
* [bugzilla: 690 ] Fix that reload fails when so-reuseport is yes
after changing num-threads.
* please afl-gcc (llvm) for uninitialised variable warning.
* Fix mktime in unbound-anchor not using UTC.
* Fix 5011 anchor update timer after reload.
* 5011 implementation does not insist on all algorithms,
when harden-algo-downgrade is turned off.
* Document in the manual more text about configuring locally served zones.
* Document that local-zone nodefault matches exactly and transparent can
be used to release a subzone.
* [bugzilla: 694 ] Fix that configure script does not detect LibreSSL 2.2.2
* Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
* [bugzilla: 697 ] Fix get PY_MAJOR_VERSION failure at configure for
python 2.4 to 2.6.
* changed windows setup compression to be more transparent.
* Fix config globbed include chroot treatment, this fixes reload of globs.
* [bugzilla: 705 ] Fix ub_ctx_set_fwd() return value mishandled on windows.
* Fix minor error in unbound.conf.5.in.
* Fix unbound.conf(5) access-control description for precedence and default.
* Fix unbound-control flush that does not succeed in removing data.
* MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution failures.
* iana portlist update.