graphics/librsvg: NetBSD/arm build fix
Revisions pulled up:
- graphics/librsvg/available.mk 1.2
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jun 17 10:13:25 UTC 2020
Modified Files:
pkgsrc/graphics/librsvg: available.mk
Log Message:
librsvg: Disable rust version on NetBSD/arm (32-bit)
It doesn't have the address space to build a rust compiler so this
is currently broken.
emulators/libretro-bsnes-mercury: NetBSD/arm build fix
Revisions pulled up:
- emulators/libretro-bsnes-mercury/Makefile.common 1.7
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Jun 13 10:01:06 UTC 2020
Modified Files:
pkgsrc/emulators/libretro-bsnes-mercury: Makefile.common
Log Message:
libretro-bsnes-mercury: Uncondition HAVE_POSIX_MEMALIGN so it works on 32-bit arm
devel/libntlm: security fix
Revisions pulled up:
- devel/libntlm/Makefile 1.22
- devel/libntlm/distinfo 1.12
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jun 9 06:18:18 UTC 2020
Modified Files:
pkgsrc/devel/libntlm: Makefile distinfo
Log Message:
libntlm: update to 1.6.
* Version 1.6 (released 2020-04-19)
** Fix buffer overflow in buildSmbNtlmAuth* function. CVE-2019-17455.
Reported by Kirin in <https://gitlab.com/jas/libntlm/-/issues/2> and
patch provided by Cedric Buissart. See newly introduced regression
check test_CVE-2019-17455.c for test of a vulnerable library.
** API and ABI modifications.
No changes since last version.
sysutils/dbus: security fix
Revisions pulled up:
- sysutils/dbus/Makefile 1.121
- sysutils/dbus/distinfo 1.93
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jun 9 07:13:31 UTC 2020
Modified Files:
pkgsrc/sysutils/dbus: Makefile distinfo
Log Message:
dbus: update to 1.12.18.
dbus 1.12.18 (2020-06-02)
=========================
The “telepathic vines” release.
Denial of service fixes:
• CVE-2020-12049: If a message contains more file descriptors than can
be sent, close those that did get through before reporting error.
Previously, a local attacker could cause the system dbus-daemon (or
another system service with its own DBusServer) to run out of file
descriptors, by repeatedly connecting to the server and sending fds that
would get leaked.
Thanks to Kevin Backhouse of GitHub Security Lab.
(dbus#294, GHSL-2020-057; Simon McVittie)
Other fixes:
• Fix a crash when the dbus-daemon is terminated while one or more
monitors are active (dbus#291, dbus!140; Simon McVittie)
• The dbus-send(1) man page now documents --bus and --peer instead of
the old --address synonym for --peer, which has been deprecated since
the introduction of --bus and --peer in 1.7.6
(fd.o #48816, dbus!115; Chris Morin)
• Fix a wrong environment variable name in dbus-daemon(1)
(dbus#275, dbus!122; Mubin, Philip Withnall)
• Fix formatting of dbus_message_append_args example
(dbus!126, Felipe Franciosi)
• Avoid a test failure on Linux when built in a container as uid 0, but
without the necessary privileges to increase resource limits
(dbus!58, Debian #908092; Simon McVittie)
• When building with CMake, cope with libX11 in a non-standard location
(dbus!129, Tuomo Rinne)
security/gnutls: security fix
Revisions pulled up:
- security/gnutls/Makefile 1.210-1.213
- security/gnutls/PLIST 1.70-1.71
- security/gnutls/PLIST.guile 1.1
- security/gnutls/buildlink3.mk 1.37
- security/gnutls/distinfo 1.143-1.144
- security/gnutls/options.mk 1.3
- security/gnutls/patches/patch-configure 1.5
---
Module Name: pkgsrc
Committed By: adam
Date: Wed Apr 1 08:24:07 UTC 2020
Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-configure
Log Message:
gnutls: updated to 3.6.13
Version 3.6.13:
** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
The DTLS client would not contribute any randomness to the DTLS negotiation,
breaking the security guarantees of the DTLS protocol
[GNUTLS-SA-2020-03-31, CVSS: high]
** libgnutls: Added new APIs to access KDF algorithms.
** libgnutls: Added new callback gnutls_keylog_func that enables a custom
logging functionality.
** libgnutls: Added support for non-null terminated usernames in PSK
negotiation.
** gnutls-cli-debug: Improved support for old servers that only support
SSL 3.0.
** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
gnutls_session_get_keylog_function: Added
gnutls_session_set_keylog_function: Added
gnutls_prf_hash_get: Added
gnutls_psk_server_get_username2: Added
gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added
---
Module Name: pkgsrc
Committed By: nikita
Date: Thu May 14 14:30:02 UTC 2020
Modified Files:
pkgsrc/security/gnutls: Makefile buildlink3.mk options.mk
Added Files:
pkgsrc/security/gnutls: PLIST.guile
Log Message:
security/gnutls: revbump, add support for building guile bindings
---
Module Name: pkgsrc
Committed By: leot
Date: Mon Jun 8 19:48:14 UTC 2020
Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Log Message:
gnutls: Update to 3.6.14
Changes:
3.6.14
------
* libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
* libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
* libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
* libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
* certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
* libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
* libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
* libgnutls: Added support for AES-SIV ciphers (#463).
* libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
* libgnutls: No longer use internal symbols exported from Nettle (!1235)
* API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added
mail/sympa: security fix
Revisions pulled up:
- mail/sympa/Makefile 1.75-1.76
- mail/sympa/PLIST 1.16-1.17
- mail/sympa/distinfo 1.20-1.21
- mail/sympa/patches/patch-aa 1.10
- mail/sympa/patches/patch-ab 1.8
- mail/sympa/patches/patch-ac 1.6
---
Module Name: pkgsrc
Committed By: bouyer
Date: Mon Apr 27 17:57:52 UTC 2020
Modified Files:
pkgsrc/mail/sympa: Makefile PLIST distinfo
pkgsrc/mail/sympa/patches: patch-aa patch-ab patch-ac
Log Message:
Update to 6.2.54. Main changes since 6.2.16:
* Security and bug fixes
* more translations
* Some scenarios and list creation templates for "intranet" use cases were
made optional: They have been moved into samples/
https://github.com/sympa-community/sympa/issues/119
See also "upgrading notes" (https://sympa-community.github.io/manual/upgrade/notes.html#from-version-prior-to-6250)
for details.
* Hide full email addresses in archives
* Button for full export of subscribers
* Admin function to bulk unsubscribe
* Delete my account" button
* ARC support (Authenticated Received Chain).
---
Module Name: pkgsrc
Committed By: bouyer
Date: Mon Jun 1 21:46:25 UTC 2020
Modified Files:
pkgsrc/mail/sympa: Makefile PLIST distinfo
Log Message:
Update to 6.2.56. Changes since 6.2.54:
Security fix for https://sympa-community.github.io/security/2020-002.html
Translation updates
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube-plugin-password/distinfo 1.18-1.19
- mail/roundcube/Makefile 1.93
- mail/roundcube/Makefile.common 1.18-1.19
- mail/roundcube/distinfo 1.69-1.70
- mail/roundcube/options.mk 1.17
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__mime.php 1.3
- mail/roundcube/patches/patch-rcube_mime_default deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jun 7 22:07:04 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile Makefile.common distinfo options.mk
Added Files:
pkgsrc/mail/roundcube/patches:
patch-program_lib_Roundcube_rcube__mime.php
Removed Files:
pkgsrc/mail/roundcube/patches: patch-rcube_mime_default
Log Message:
mail/roundcube: update to 1.4.5
Update roundcube to 1.4.5, including some security fixes.
pkgsrc change:
* Proper replace PHP interpreter.
* Fix php-sockets option to work.
RELEASE 1.4.5
-------------
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jun 7 22:08:37 UTC 2020
Modified Files:
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube-plugin-password: update to 1.4.5
Update roundcube-plugin-password to 1.4.5
RELEASE 1.4.5
-------------
- Password: Fix issue with Modoboa driver (#7372)
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jun 9 00:25:19 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile.common distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube: update to 1.14.6
Update roundcube to 1.14.6.
RELEASE 1.4.6
-------------
- Installer: Fix regression in SMTP test section (#7417)
net/powerdns: bugfixes
Revisions pulled up:
- net/powerdns/Makefile 1.55
- net/powerdns/Makefile.common 1.29
- net/powerdns/distinfo 1.40
- net/powerdns/patches/patch-pdns_iputils.hh deleted
---
Module Name: pkgsrc
Committed By: otis
Date: Sun Jun 7 18:55:13 UTC 2020
Modified Files:
pkgsrc/net/powerdns: Makefile Makefile.common distinfo
Removed Files:
pkgsrc/net/powerdns/patches: patch-pdns_iputils.hh
Log Message:
net/powerdns: Update to 4.2.2
Changes since 4.2.1:
* Released:
- 9th of April 2020
* New Features:
- api: add includerings option to statistics endpoint
* Improvements:
- cache: strictly enforce maximum size, and improve cleanup routine
* Bug Fixes:
- fix records ending up in wrong packet section
- avoid IXFR-in corruption when deltas come in close together.
Please see the IXFR-in corruption upgrade notes
- fix out-of-bound access for zero length "serialized" string when
using lmdbbackend.
- bind backend: pthread_mutex_t should be inited and destroyed and not be copied
* Reference:
- https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.2.2
www/ruby-puma: security fix
Revisions pulled up:
- www/ruby-puma/Makefile 1.23
- www/ruby-puma/distinfo 1.18
---
Module Name: pkgsrc
Committed By: taca
Date: Sun May 24 13:47:49 UTC 2020
Modified Files:
pkgsrc/www/ruby-puma: Makefile distinfo
Log Message:
www/ruby-puma: update to 4.3.5
Update ruby-puma to 4.3.5.
4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22
Each patchlevel release contains a separate security fix. We recommend
simply upgrading to 4.3.5/3.12.6.
* Security
Fix: Fixed two separate HTTP smuggling vulnerabilities that used the
Transfer-Encoding header. CVE-2020-11076 and CVE-2020-11077.
www/ruby-rails60: security fix
Revisions pulled up:
- databases/ruby-activerecord60/PLIST 1.2
- databases/ruby-activerecord60/distinfo 1.2-1.3
- devel/ruby-activejob60/distinfo 1.2-1.3
- devel/ruby-activemodel60/distinfo 1.2-1.3
- devel/ruby-activestorage60/distinfo 1.2-1.3
- devel/ruby-activesupport60/distinfo 1.2-1.3
- devel/ruby-railties60/distinfo 1.2-1.3
- mail/ruby-actionmailbox60/distinfo 1.2-1.3
- mail/ruby-actionmailer60/distinfo 1.2-1.3
- textproc/ruby-actiontext60/distinfo 1.2-1.3
- www/ruby-actioncable60/distinfo 1.2-1.3
- www/ruby-actionpack60/distinfo 1.2-1.3
- www/ruby-actionview60/distinfo 1.2-1.3
- www/ruby-rails60/distinfo 1.2-1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:15:25 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activesupport60: distinfo
Log Message:
devel/ruby-activesupport60: update to 6.0.3
Update ruby-activesupport60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* `Array#to_sentence` no longer returns a frozen string.
Before:
['one', 'two'].to_sentence.frozen?
# => true
After:
['one', 'two'].to_sentence.frozen?
# => false
*Nicolas Dular*
* Update `ActiveSupport::Messages::Metadata#fresh?` to work for cookies with expiry set when
`ActiveSupport.parse_json_times = true`.
*Christian Gregg*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:16:16 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activemodel60: distinfo
Log Message:
devel/ruby-activemodel60: updat to 6.0.3
Update ruby-activemodel60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:16:55 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activejob60: distinfo
Log Message:
devel/ruby-activejob60: update to 6.0.3
Update ruby-activejob60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* While using `perform_enqueued_jobs` test helper enqueued jobs must be stored for the later check with
`assert_enqueued_with`.
*Dmitry Polushkin*
* Add queue name support to Que adapter
*Brad Nauta*, *Wojciech Wnętrzak*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:17:34 UTC 2020
Modified Files:
pkgsrc/www/ruby-actionview60: distinfo
Log Message:
www/ruby-actionview60: update to 6.0.3
Update ruby-actionview60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* annotated_source_code returns an empty array so TemplateErrors without a
template in the backtrace are surfaced properly by DebugExceptions.
*Guilherme Mansur*, *Kasper Timm Hansen*
* Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
*Guilherme Mansur*, *Gannon McGibbon*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:18:09 UTC 2020
Modified Files:
pkgsrc/www/ruby-actionpack60: distinfo
Log Message:
www/ruby-actionpack60: update to 6.0.3
Update ruby-actionpack60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Include child session assertion count in ActionDispatch::IntegrationTest
`IntegrationTest#open_session` uses `dup` to create the new session, which
meant it had its own copy of `@assertions`. This prevented the assertions
from being correctly counted and reported.
Child sessions now have their `attr_accessor` overriden to delegate to the
root session.
Fixes#32142
*Sam Bostock*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:18:56 UTC 2020
Modified Files:
pkgsrc/databases/ruby-activerecord60: PLIST distinfo
Log Message:
databases/ruby-activerecord60: update to 6.0.3
Update ruby-activerecord60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Recommend applications don't use the `database` kwarg in `connected_to`
The database kwarg in `connected_to` was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.
*Eileen M. Uchitelle*
* Fix support for PostgreSQL 11+ partitioned indexes.
*Sebastián Palma*
* Add support for beginless ranges, introduced in Ruby 2.7.
*Josh Goodall*
* Fix insert_all with enum values
Fixes#38716.
*Joel Blum*
* Regexp-escape table name for MS SQL
Add `Regexp.escape` to one method in ActiveRecord, so that table names with regular expression characters in them work as expected. Since MS SQL Server uses "[" and "]" to quote table and column names, and those characters are regular expression characters, methods like `pluck` and `select` fail in certain cases when used with the MS SQL Server adapter.
*Larry Reid*
* Store advisory locks on their own named connection.
Previously advisory locks were taken out against a connection when a migration started. This works fine in single database applications but doesn't work well when migrations need to open new connections which results in the lock getting dropped.
In order to fix this we are storing the advisory lock on a new connection with the connection specification name `AdisoryLockBase`. The caveat is that we need to maintain at least 2 connections to a database while migrations are running in order to do this.
*Eileen M. Uchitelle*, *John Crepezzi*
* Ensure `:reading` connections always raise if a write is attempted.
Now Rails will raise an `ActiveRecord::ReadOnlyError` if any connection on the reading handler attempts to make a write. If your reading role needs to write you should name the role something other than `:reading`.
*Eileen M. Uchitelle*
* Enforce fresh ETag header after a collection's contents change by adding
ActiveRecord::Relation#cache_key_with_version. This method will be used by
ActionController::ConditionalGet to ensure that when collection cache versioning
is enabled, requests using ConditionalGet don't return the same ETag header
after a collection is modified. Fixes#38078.
*Aaron Lipman*
* A database URL can now contain a querystring value that contains an equal sign. This is needed to support passing PostgresSQL `options`.
*Joshua Flanagan*
* Retain explicit selections on the base model after applying `includes` and `joins`.
Resolves#34889.
*Patrick Rebsch*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:20:09 UTC 2020
Modified Files:
pkgsrc/mail/ruby-actionmailer60: distinfo
Log Message:
mail/ruby-actionmailer60: update to 6.0.3
Update ruby-actionmailer60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:20:46 UTC 2020
Modified Files:
pkgsrc/mail/ruby-actionmailbox60: distinfo
Log Message:
mail/ruby-actionmailbox60: update to 6.0.3
Update ruby-actionmailbox60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.
*Bill Cromie*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:21:24 UTC 2020
Modified Files:
pkgsrc/www/ruby-actioncable60: distinfo
Log Message:
www/ruby-actioncable60: update to 6.0.3
Update to ruby-actioncable60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:22:16 UTC 2020
Modified Files:
pkgsrc/devel/ruby-railties60: distinfo
Log Message:
devel/ruby-railties60: update to 6.0.3
Update ruby-railties60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Cache compiled view templates when running tests by default
When generating a new app without `--skip-spring`, caching classes is
disabled in `environments/test.rb`. This implicitly disables caching
view templates too. This change will enable view template caching by
adding this to the generated `environments/test.rb`:
````ruby
config.action_view.cache_template_loading = true
````
*Jorge Manrubia*
* `Rails::Application#eager_load!` is available again to load application code
manually as it was possible in previous versions.
Please, note this is not integrated with the whole eager loading logic that
runs when Rails boots with eager loading enabled, you can think of this
method as a vanilla recursive code loader.
This ability has been restored because there are some use cases for it, such
as indexers that need to have all application classes and modules in memory.
*Xavier Noria*
* Generators that inherit from NamedBase respect `--force` option
*Josh Brody*
* Regression fix: The Rake task `zeitwerk:check` supports eager loaded
namespaces which do not have eager load paths, like the recently added
`i18n`. These namespaces are only required to respond to `eager_load!`.
*Xavier Noria*
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:22:55 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activestorage60: distinfo
Log Message:
devel/ruby-activestorage60: update to 6.0.3
Update ruby-activestorage60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:23:36 UTC 2020
Modified Files:
pkgsrc/textproc/ruby-actiontext60: distinfo
Log Message:
textproc/ruby-actiontext60: update to 6.0.3
Update ruby-actiontext60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 16 14:24:28 UTC 2020
Modified Files:
pkgsrc/www/ruby-rails60: distinfo
Log Message:
www/ruby-rails60: update to 6.0.3
Finally, update ruby-rails60 to 6.0.3.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:10:27 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activesupport60: distinfo
Log Message:
devel/ruby-activesupport60: update to 6.0.3.1
Update ruby-activesupport60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
* [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:11:10 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activemodel60: distinfo
Log Message:
devel/ruby-activemodel60: update to 6.0.3.1
Update ruby-activemodel60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:11:43 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activejob60: distinfo
Log Message:
devel/ruby-activejob60: update to 6.0.3.1
Update ruby-activejob60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:12:16 UTC 2020
Modified Files:
pkgsrc/www/ruby-actionview60: distinfo
Log Message:
www/ruby-actionview60: update to 6.0.3.1
Update ruby-actionview60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:12:50 UTC 2020
Modified Files:
pkgsrc/www/ruby-actionpack60: distinfo
Log Message:
www/ruby-actionpack60: update to 6.0.3.1
Update ruby-actionpack60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:13:24 UTC 2020
Modified Files:
pkgsrc/databases/ruby-activerecord60: distinfo
Log Message:
databases/ruby-activerecord60: update to 6.0.3.1
Update ruby-activerecord60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:14:04 UTC 2020
Modified Files:
pkgsrc/mail/ruby-actionmailer60: distinfo
Log Message:
mail/ruby-actionmailer60: update to 6.0.3.1
Update ruby-actionmailer60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:14:41 UTC 2020
Modified Files:
pkgsrc/mail/ruby-actionmailbox60: distinfo
Log Message:
mail/ruby-actionmailbox60: update to 6.0.3.1
Update ruby-actionmailbox60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:15:14 UTC 2020
Modified Files:
pkgsrc/www/ruby-actioncable60: distinfo
Log Message:
www/ruby-actioncable60: update to 6.0.3.1
Update ruby-actioncable60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:15:47 UTC 2020
Modified Files:
pkgsrc/devel/ruby-railties60: distinfo
Log Message:
devel/ruby-railties60: update to 6.0.3.1
Update ruby-railties60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:16:26 UTC 2020
Modified Files:
pkgsrc/devel/ruby-activestorage60: distinfo
Log Message:
devel/ruby-activestorage60: update to 6.0.3.1
Update ruby-activestorage60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:17:01 UTC 2020
Modified Files:
pkgsrc/textproc/ruby-actiontext60: distinfo
Log Message:
textproc/ruby-actiontext60: update to 6.0.3.1
Update ruby-actiontext60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 17:17:45 UTC 2020
Modified Files:
pkgsrc/www/ruby-rails60: distinfo
Log Message:
www/ruby-rails60: update to 6.0.3.1.
Finally, update ruby-rails60 to 6.0.3.1.
net/bind914: security fix
Revisions pulled up:
- net/bind914/Makefile 1.21
- net/bind914/distinfo 1.15
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 10:23:04 UTC 2020
Modified Files:
pkgsrc/net/bind914: Makefile distinfo
Log Message:
net/bind914: update to 9.14.12
Update bind914 to 9.14.12 (BIND 9.14.12).
Note from release announce:
BIND 9.14.12 is the final planned release in the now End-of-Life (EOL)
9.14 branch.
--- 9.14.12 released ---
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
configured as a forwarding DNS server. Thanks to Tobias
Klein. [GL #1574]
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
re-signed in time. This was a side effect of 5315.
[GL !3137]
net/bind911: security fix
Revisions pulled up:
- net/bind911/Makefile 1.23-1.24
- net/bind911/PLIST 1.3
- net/bind911/distinfo 1.17-1.18
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 18 06:12:28 UTC 2020
Modified Files:
pkgsrc/net/bind911: Makefile PLIST distinfo
Log Message:
net/bind911: update to 9.11.18
Update bind911 to 9.11.18 (BIND 9.11.18).
--- 9.11.18 released ---
5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
libraries. [GL #1678]
5379. [doc] Clean up serve-stale related options that leaked into
the BIND 9.11 release. [GL !3265]
5378. [bug] Receiving invalid DNS data was triggering an assertion
failure in nslookup. [GL #1652]
5377. [feature] Detect atomic operations support on ppc64le. Thanks to
Petr Men=A8=EDk. [GL !3295]
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
configured as a forwarding DNS server. Thanks to Tobias
Klein. [GL #1574]
5368. [bug] Named failed to restart if 'rndc addzone' names
contained special characters (e.g. '/'). [GL #1655]
--- 9.11.17 released ---
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
re-signed in time. The was a side effect of 5315.
[GL !3137]
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 19 10:21:25 UTC 2020
Modified Files:
pkgsrc/net/bind911: Makefile distinfo
Log Message:
net/bind911: update to 9.11.19
Update bind911 to 9.11.19 (BIND 9.11.19).
--- 9.11.19 released ---
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID an=
d
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5387. [func] Warn about AXFR streams with inconsistent message IDs.
[GL #1674]
games/teeworlds: security fix
Revisions pulled up:
- games/teeworlds/Makefile 1.16
- games/teeworlds/PLIST 1.4
- games/teeworlds/distinfo 1.5
---
Module Name: pkgsrc
Committed By: nia
Date: Tue May 19 11:46:26 UTC 2020
Modified Files:
pkgsrc/games/teeworlds: Makefile PLIST distinfo
Log Message:
teeworlds: Update to 0.7.5
An exploit was discovered, that allows to crash any 0.7 Teeworlds server.
Though it does not compromise the security of the host (e.g. no arbitrary
accesses in memory) it lets an attacker force a server to repetitively shut
down (CVE-2020-12066).
The 0.7.5 release is a security update that aims to patch this server
exploit. As such, it is very light in features, and is mostly made of fixes.
net/unbound: security fix
Revisions pulled up:
- net/unbound/Makefile 1.78
- net/unbound/distinfo 1.58
---
Module Name: pkgsrc
Committed By: he
Date: Tue May 19 08:39:31 UTC 2020
Modified Files:
pkgsrc/net/unbound: Makefile distinfo
Log Message:
Update unbound to version 1.10.1.
Pkgsrc changes:
* None.
Upstream changes:
This release fixes CVE-2020-12662 and CVE-2020-12663.
Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
used to make Unbound unresponsive.
mail/dovecot2: security fix
Revisions pulled up:
- mail/dovecot2/Makefile.common 1.40
- mail/dovecot2/distinfo 1.104
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 18 14:20:47 UTC 2020
Modified Files:
pkgsrc/mail/dovecot2: Makefile.common distinfo
pkgsrc/mail/dovecot2-sqlite: Makefile
Log Message:
mail/dovecot2: update to 2.3.10.1
Update dovecot2 to 2.3.10.1.
v2.3.10.1 2020-05-18 Aki Tuomi <aki.tuomi@open-xchange.com>
- CVE-2020-10957: lmtp/submission: A client can crash the server by
sending a NOOP command with an invalid string parameter. This occurs
particularly for a parameter that doesn't start with a double quote.
This applies to all SMTP services, including submission-login, which
makes it possible to crash the submission service without
authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
commands can cause the server to access freed memory, which can lead
to a server crash. This happens when the server closes the connection
with a "421 Too many invalid commands" error. The bad command limit
depends on the service (lmtp or submission) and varies between 10 to
20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
mail/mailman: security fix
Revisions pulled up:
- mail/mailman/Makefile 1.91
- mail/mailman/PLIST 1.29
- mail/mailman/distinfo 1.27
---
Module Name: pkgsrc
Committed By: nia
Date: Fri May 15 09:40:46 UTC 2020
Modified Files:
pkgsrc/mail/mailman: Makefile PLIST distinfo
Log Message:
mailman: Update to 2.1.33
>From jcea via pkgsrc-wip
2.1.33 (07-May-2020)
Security
- A content injection vulnerability via the private login page has been
fixed. (LP: #1877379)
2.1.32 (05-May-2020)
i18n
Fixed a typo in the Spanish translation and uptated mailman.pot and
the message catalog for 2.1.31 security fix.
2.1.31 (05-May-2020)
Security
- A content injection vulnerability via the options login page has been
discovered and reported by Vishal Singh. This is fixed. (LP: #1873722)
i18n
- The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in some Python
packages is added.
2.1.30 (13-Apr-2020)
New Features
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses
list setting that can be used to apply dmarc_moderation_action to mail
From: addresses listed or matching listed regexps. This can be used
to modify mail to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
obtains a list of the names of all the all the lists in the installation
in order to determine the maximum length of a legitimate list name. It
does this on every web access and on sites with a very large number of
lists, this can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas
(aka textchas) to the listinfo subscribe form. See the documentation
for the new CAPTCHA setting in Defaults.py for how to enable this. Also
note that if you have custom listinfo.html templates, you will have to
add a <mm-captcha-ui> tag to those templates to make this work. This
feature can be used in combination with or instead of the Google
reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section
now has a feature to sync the list's membership with a list of email
addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
controls the dropping of addresses from the Cc: header in delivered
messages by the duplicate avoidance process. (LP: #1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
a second request to subscribe to a list when there is already a pending
confirmation for that user. This can be set to Yes to prevent
mailbombing of a third party by repeatedly posting the subscribe form.
(LP: #1859104)
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- The German translation has been updated by Ludwig Reiter.
- The Spanish translation has been updated by Omar Walid Llorente.
- The Brazilian Portugese translation has been updated by Emerson de Mello.
Bug Fixes and other patches
- Fixed the confirm CGI to catch a rare TypeError on simultaneous
confirmations of the same token. (LP: #1785854)
- Scrubbed application/octet-stream MIME parts will now be given a
.bin extension instead of .obj.
- Added bounce recognition for a non-compliant opensmtpd DSN with
Action: error. (LP: #1805137)
- Corrected and augmented some security log messages. (LP: #1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
(LP: #1818205)
- Leading/trailing spaces in provided email addresses for login to private
archives and the user options page are now ignored. (LP: #1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and invalid
characters in a list's description could produce a List-ID header
without angle brackets. (LP: #1831321)
- With the Postfix MTA and virtual domains, mappings for the site list
-bounces and -request addresses in each virtual domain are now added
to data/virtual-mailman (-owner was done in 2.1.24). (LP: #1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (LP: #1838866)
- A bug causing a UnicodeDecodeError in preparing to send the confirmation
request message to a new subscriber has been fixed. (LP: #1851442)
- The SimpleMatch heuristic bounce recognizer has been improved to not
return most invalid email addresses. (LP: #1859011)
security/clamav: security fix
Revisions pulled up:
- security/clamav/Makefile 1.64-1.65
- security/clamav/Makefile.common 1.16
- security/clamav/distinfo 1.33
---
Module Name: pkgsrc
Committed By: adam
Date: Wed May 6 14:05:09 UTC 2020
Modified Files:
pkgsrc/security/clamav: Makefile
Log Message:
revbump after boost update
---
Module Name: pkgsrc
Committed By: taca
Date: Wed May 13 14:58:58 UTC 2020
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common distinfo
Log Message:
security/clamav: update to 0.102.3
Update clamav to 0.102.3.
## 0.102.3
ClamAV 0.102.3 is a bug patch release to address the following issues.
- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
an unsigned variable results in an out-of-bounds read which causes a crash.
Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
parsing vulnerability.
- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
could cause a Denial-of-Service (DoS) condition. Improper size checking of
a buffer used to initialize AES decryption routines results in an out-of-
bounds read which may cause a crash. Bug found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
- Fix a couple of minor memory leaks.
- Updated libclamunrar to UnRAR 5.9.2.
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube-plugin-password/Makefile 1.9
- mail/roundcube-plugin-password/distinfo 1.17
- mail/roundcube/Makefile.common 1.17
- mail/roundcube/PLIST 1.48
- mail/roundcube/distinfo 1.68
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 30 07:09:34 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
Log Message:
mail/roundcube: update to 1.4.4
Update roundcube, roundcube-plugin-enigma and roundcube-plugin-zipdownload to
1.4.4. This includes security fixes..
RELEASE 1.4.4
-------------
- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script working without the 'file' program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
RELEASE 1.4.3
-------------
- Enigma: Fix so key list selection is reset when opening key creation form (#7154)
- Enigma: Fix so using list checkbox selection does not load the key preview frame
- Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
- Enigma: Display IDN domains of key users and identities in UTF8
- Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
- Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
- Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
- Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
- Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
- Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
- Elastic: Fix text selection in recipient inputs (#7129)
- Elastic: Fix missing Close button in "more recipients" dialog
- Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
- Fix regression where "Open in new window" action didn't work (#7155)
- Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
- Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
- Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
- Fix bug where files in skins/ directory were listed on skins list (#7180)
- Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
- Fix display issues with mail subject that contains line-breaks (#7191)
- Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
- Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
- Fix using unix:///path/to/socket.file in memcached driver (#7210)
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 30 07:11:16 UTC 2020
Modified Files:
pkgsrc/mail/roundcube-plugin-password: Makefile distinfo
Log Message:
mail/roundcube-plugin-password: update to 1.4.4
Update roundcube-plugin-password to 1.4.4.
pkgsrc change: add dependecy to lang/tcl-expect.
RELEASE 1.4.3
-------------
- Password: Make chpass-wrapper.py Python 3 compatible (#7135)
www/drupal8: security fix
Revisions pulled up:
- www/drupal8/Makefile 1.31
- www/drupal8/PLIST 1.25
- www/drupal8/distinfo 1.27
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Apr 26 09:18:43 UTC 2020
Modified Files:
pkgsrc/www/drupal8: Makefile PLIST distinfo
Log Message:
www/drupal8: update to 8.7.12
Update drupal8 to 8.7.12.
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
No other fixes are included.
Which release do I choose? Security coverage information
* Sites on 8.7.x will receive security coverage until June 3, 2020 (when
Drupal 8.9.0 is scheduled for release).
* Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.
Important update information
No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary if your site is already on the previous
release.
devel/git-base: security fix
(via patch)
---
git: Update to 2.25.4
Changes:
2.25.4
------
This release is to address the security issue: CVE-2020-11008
* With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
Credit for finding the vulnerability goes to Carlo Arenas.
multimedia/ffmpeg2: security fix
Revisions pulled up:
- multimedia/ffmpeg2/Makefile 1.56
- multimedia/ffmpeg2/Makefile.common 1.59
- multimedia/ffmpeg2/distinfo 1.58
---
Module Name: pkgsrc
Committed By: nia
Date: Thu Apr 23 16:34:21 UTC 2020
Modified Files:
pkgsrc/multimedia/ffmpeg2: Makefile Makefile.common distinfo
Log Message:
ffmpeg2: Very late update to 2.8.15
version 2.8.15:
- avcodec/dvdsub_parser: Allocate input padding
- avcodec/dvdsub_parser: Init output buf/size
- avcodec/imgconvert: fix possible null pointer dereference
- swresample/arm: rename labels to fix xcode build error
- avformat/utils: fix mixed declarations and code
- libwebpenc_animencoder: add missing braces to struct initialization
- avformat/movenc: Check input sample count
- avcodec/mjpegdec: Check for odd progressive RGB
- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id
- avformat/mms: Add missing chunksize check
- avformat/pva: Check for EOF before retrying in read_part_of_packet()
- avcodec/indeo4: Check for end of bitstream in decode_mb_info()
- avcodec/shorten: Fix undefined addition in shorten_decode_frame()
- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
- avcodec/escape124: Fix spelling errors in comment
- avcodec/ra144: Fix integer overflow in ff_eval_refl()
- avcodec/cscd: Check output buffer size for lzo.
- avcodec/escape124: Check buf_size against num_superblocks
- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
- avutil/common: Fix undefined behavior in av_clip_uintp2_c()
- fftools/ffmpeg: Fallback to duration if sample rate is unavailable
- avformat/mov: Only set pkt->duration to non negative values
- avcodec/h264_mc_template: Only prefetch motion if the list is used.
- avcodec/xwddec: Use ff_set_dimensions()
- avcodec/wavpack: Fix overflow in adding tail
- avcodec/shorten: Fix multiple integer overflows
- avcodec/shorten: Sanity check nmeans
- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
- avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
- avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
- avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
- avcodec/fic: Avoid some magic numbers related to cursors
- avcodec/g2meet: ask for sample with overflowing RGB
- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
- avcodec/mlpdec: Only change noise_type if the related fields are valid
- indeo4: Decode all or nothing of a band header.
- avformat/mov: Only fail for STCO/STSC contradictions if both exist
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
- avcodec/fic: Check available input space for cursor
- avcodec/g2meet: Check RGB upper limit
- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
- avcodec/g2meet: Change order of operations to avoid undefined behavior
- avcodec/flac_parser: Fix infinite loop
- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
- avcodec/error_resilience: Fix integer overflow in filter181()
- avcodec/h263dec: Check slice_ret in mspeg4 slice loop
- avcodec/elsdec: Fix memleaks
- avcodec/vc1_block: simplify ac_val computation
- avcodec/ffv1enc: Check that the crc + version combination is supported
- lavf/http.c: Free allocated client URLContext in case of error.
- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
- avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
- avcodec/dfa: Check dimension against maximum
- avcodec/cinepak: Skip empty frames
- avcodec/cinepak: move some checks prior to frame allocation
- swresample/arm: remove unintentional relocation.
- doc/APIchanges: Fix typos in hashes
- avformat/utils: Check cur_dts in update_initial_timestamps() more
- avcodec/utils: Enforce minimum width also for VP5/6
- avcodec/truemotion2: Propagate out of bounds error from GET_TOK()
- avcodec/mjpegdec: Check input buffer size.
- lavc/libopusdec: Allow avcodec_open2 to call .close
- avcodec/movtextdec: Check style_start/end
- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
- avcodec/cscd: Error out when LZ* decompression fails
- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
- avcodec/get_bits: Make sure the input bitstream with padding can be addressed
- avformat/mov: Check STSC and remove invalid entries
- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
- avcodec/wmalosslessdec: Reset num_saved_bits on error path
- avformat/mov: Fix integer overflows related to sample_duration
- avformat/oggparseogm: Check lb against psize
- avformat/oggparseogm: Fix undefined shift in ogm_packet()
- avformat/avidec: Fix integer overflow in cum_len check
- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
- avformat/utils: Fix integer overflow of fps_first/last_dts
- libavformat/oggparsevorbis: Fix memleak on multiple headers
- avcodec/bintext: sanity check dimensions
- avcodec/utvideodec: Check subsample factors
- avcodec/smc: Check input packet size
- avcodec/cavsdec: Check alpha/beta offset
- avcodec/diracdec: Fix integer overflow in mv computation
- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
- avcodec/diracdec: Use int64 in global mv to prevent overflow
- avformat/hvcc: zero initialize the nal buffers past the last written byte
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.14
- security/mbedtls/distinfo 1.9
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Apr 18 14:21:56 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile distinfo
Log Message:
mbedtls: Update to 2.16.6
= mbed TLS 2.16.6 branch released 2020-04-14
Security
* Fix side channel in ECC code that allowed an adversary with access to
precise enough timing and memory access information (typically an
untrusted operating system attacking a secure enclave) to fully recover
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
* Fix a potentially remotely exploitable buffer overread in a
DTLS client when parsing the Hello Verify Request message.
Bugfix
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
* Fix a function name in a debug message. Contributed by Ercan Ozturk in
#3013.
lang/ruby24-base: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.221
- lang/ruby24-base/distinfo 1.16
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Apr 1 15:27:40 UTC 2020
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
Log Message:
lang/ruby24-base: update to 2.4.10
Update ruby24-base (and ruby24) to 2.4.10.
This release includes a security fix. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. Thus, this release would be the last of Ruby 2.4 series. We
recommend you immediately upgrade Ruby to newer versions, such as 2.7 or 2.6
or 2.5.
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Apr 2 12:20:51 UTC 2020
Modified Files:
pkgsrc/lang/ruby24-base: distinfo
Log Message:
ruby24-base: update distinfo for 2.4.10 release
mk/pkginstall: NetBSD 7 bugfix
Revisions pulled up:
- mk/pkginstall/files 1.11
---
Module Name: pkgsrc
Committed By: sborrill
Date: Wed Apr 15 13:33:32 UTC 2020
Modified Files:
pkgsrc/mk/pkginstall: files
Log Message:
Work around a potential shell bug where "${FOO=${BAR%/*}}" does not work
if quoted. Seen on NetBSD 7.
#!/bin/sh
in="/path/to/dir with space/file"
: "${file=${in##*/}}"
: "${dir=${in%/*}}"
echo "dir:$dir"
echo "file:$file"
[ "$dir" = "$file" ] && echo "dir and file are same"
Leads to errors when adding packages such as:
./+FILES: cannot create
/var/db/pkg.refcount/files/etc/rc.d/xenguest//var/db/pkg/xe-guest-utilities-7.0.0:
directory nonexistent
devel/git-base: security fix
(via patch)
---
git: Update to 2.25.3
Changes:
2.25.3
------
This release is to address the security issue: CVE-2020-5260
* With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host. The attack has been made impossible by forbidding
a newline character in any value passed via the credential
protocol.
Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.
www/firefox68: security fix
Revisions pulled up:
- www/firefox68/Makefile 1.17
- www/firefox68/distinfo 1.14
---
Module Name: pkgsrc
Committed By: nia
Date: Fri Apr 10 10:41:50 UTC 2020
Modified Files:
pkgsrc/www/firefox68: Makefile distinfo
Log Message:
firefox68: Update to 68.7.0
Security Vulnerabilities fixed in Firefox ESR 68.7
#CVE-2020-6828: Preference overwrite via crafted Intent from malicious
Android application
#CVE-2020-6827: Custom Tabs in Firefox for Android could have the URI
spoofed
#CVE-2020-6821: Uninitialized memory could be read when using the WebGL
copyTexSubImage method
#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large
images
#CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
www/apache24: Security fix
Revisions pulled up:
- www/apache24/Makefile 1.89
- www/apache24/PLIST 1.32
- www/apache24/distinfo 1.42
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Apr 6 08:27:26 UTC 2020
Modified Files:
pkgsrc/www/apache24: Makefile PLIST distinfo
Log Message:
apache: update to 2.4.43.
Changes with Apache 2.4.43
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
Changes with Apache 2.4.42
*) mod_proxy_http: Fix the forwarding of requests with content body when a
balancer member is unavailable; the retry on the next member was issued
with an empty body (regression introduced in 2.4.41). PR63891.
[Yann Ylavic]
*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
[Michael Kaufmann, Stefan Eissing]
*) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
PR64140. [Renier Velazco <renier.velazco upr.edu>]
*) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
PR64172.
*) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
to allow customization of the usertrack cookie. PR64077.
[Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
*) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
*) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
*) Add a config layout for OpenWRT. [Graham Leggett]
*) Add support for cross compiling to apxs. If apxs is being executed from
somewhere other than its target location, add that prefix to includes and
library directories. Without this, apxs would fail to find config_vars.mk
and exit. [Graham Leggett]
*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]
*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
*) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]
*) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
*) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]
*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]
*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]
*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]
*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR63971.
[Eric Covener]
*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
*) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]
*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]
*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]
*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]
*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes#156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in directy communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
*) mod_md: Adding the several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. If can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certicate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
[Stefan Eissing]
*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
net/haproxy: security fix (CVE-2020-11100)
Revisions pulled up:
- net/haproxy/Makefile 1.60
- net/haproxy/distinfo 1.53
- net/haproxy/options.mk 1.9
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Apr 3 16:34:13 UTC 2020
Modified Files:
pkgsrc/net/haproxy: Makefile distinfo options.mk
Log Message:
haproxy: updated to 2.1.4
2.1.4
- SCRIPTS: make announce-release executable again
- BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
- BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
- BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
- MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
- SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
- MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
- MINOR: filters: Forward data only if the last filter forwards something
- BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
- BUG/MINOR: http-htx: Don't return error if authority is updated without changes
- BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
- MINOR: http-ana: Match on the path if the monitor-uri starts by a /
- BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
- MINOR: ist: add an iststop() function
- BUG/MINOR: http: http-request replace-path duplicates the query string
- BUG/MEDIUM: shctx: make sure to keep all blocks aligned
- MINOR: compiler: move CPU capabilities definition from config.h and complete them
- BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
- BUILD: fix recent build failure on unaligned archs
- CLEANUP: cfgparse: Fix type of second calloc() parameter
- BUG/MINOR: sample: fix the json converter's endian-sensitivity
- BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
- BUG/MINOR: connection: make sure to correctly tag local PROXY connections
- MINOR: compiler: add new alignment macros
- BUILD: ebtree: improve architecture-specific alignment
- BUG/MINOR: h2: reject again empty :path pseudo-headers
- BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
- BUG/MINOR: dns: ignore trailing dot
- BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
- MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
- MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
- BUG/MEDIUM: random: initialize the random pool a bit better
- MINOR: tools: add 64-bit rotate operators
- BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
- MINOR: backend: use a single call to ha_random32() for the random LB algo
- BUG/MINOR: checks/threads: use ha_random() and not rand()
- BUG/MAJOR: list: fix invalid element address calculation
- MINOR: debug: report the task handler's pointer relative to main
- BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
- MINOR: haproxy: export main to ease access from debugger
- BUILD: tools: remove obsolete and conflicting trace() from standard.c
- BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
- DOC: fix incorrect indentation of http_auth_*
- OPTIM: startup: fast unique_id allocation for acl.
- BUG/MINOR: pattern: Do not pass len = 0 to calloc()
- DOC: configuration.txt: fix various typos
- DOC: assorted typo fixes in the documentation and Makefile
- BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
- BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
- REGTEST: make the PROXY TLV validation depend on version 2.2
- BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
- BUG/MINOR: filters: Forward everything if no data filters are called
- MINOR: htx: Add a function to return a block at a specific offset
- BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
- BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
- BUG/MINOR: http-ana: Reset request analysers on a response side error
- BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
- BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
- BUG/MINOR: http-rules: Fix a typo in the reject action function
- BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
- BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
- DOC: fix typo about no-tls-tickets
- DOC: improve description of no-tls-tickets
- DOC: assorted typo fixes in the documentation
- DOC: ssl: clarify security implications of TLS tickets
- BUILD: wdt: only test for SI_TKILL when compiled with thread support
- BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
- MINOR: mt_lists: Appease gcc.
- BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
- BUG/MEDIUM: pools: Always update free_list in pool_gc().
- BUG/MINOR: haproxy: always initialize sleeping_thread_mask
- BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
- BUG/MINOR: haproxy/threads: try to make all threads leave together
- DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
- DOC: correct typo in alert message about rspirep
- BUILD: on ARM, must be linked to libatomic.
- BUILD: makefile: fix regex syntax in ARM platform detection
- BUILD: makefile: fix expression again to detect ARM platform
- BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
- DOC: assorted typo fixes in the documentation
- MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
- BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
- MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
- BUG/MINOR: connections: Make sure we free the connection on failure.
- REGTESTS: use "command -v" instead of "which"
- REGTEST: increase timeouts on the seamless-reload test
- BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
- BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
- BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
- BUG/MINOR: peers: Use after free of "peers" section.
- MINOR: listener: add so_name sample fetch
- BUILD: ssl: only pass unsigned chars to isspace()
- BUG/MINOR: stats: Fix color of draining servers on stats page
- DOC: internals: Fix spelling errors in filters.txt
- MINOR: http-rules: Add a flag on redirect rules to know the rule direction
- BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
- MINOR: http-rules: Handle the rule direction when a redirect is evaluated
- BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
- BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
@@ -46,10 +46,10 @@ set prompt_string "(%|\\\$|>)"
set fingerprint_string "The authenticity of host.* can't be established.*\n(RSA|ECDSA) key fingerprint is.*\nAre you sure you want to continue connecting.*"
set password_string "(P|p)assword.*"
set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*"
bsiegert
jperkin