sysutils/xenkernel415: security fix
sysutils/xentools415: security fix
Revisions pulled up:
- sysutils/xenkernel415/Makefile 1.4
- sysutils/xenkernel415/distinfo 1.5
- sysutils/xenkernel415/patches/patch-xen_arch_x86_boot_build32.mk 1.2
- sysutils/xentools415/Makefile 1.10
- sysutils/xentools415/distinfo 1.7
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Mar 4 17:54:08 UTC 2022
Modified Files:
pkgsrc/sysutils/xenkernel415: Makefile distinfo
pkgsrc/sysutils/xenkernel415/patches:
patch-xen_arch_x86_boot_build32.mk
pkgsrc/sysutils/xentools415: Makefile distinfo
Log Message:
Update xenkernel415 and xentools415 to 4.15.2
Changes from 4.15.1 are bugfixes, some performance improvements and
some security hardening. It also includes all fixes for XSA up to 395.
www/wordpress: security fix
Revisions pulled up:
- www/wordpress/Makefile 1.103-1.104
- www/wordpress/PLIST 1.51
- www/wordpress/distinfo 1.87-1.88
---
Module Name: pkgsrc
Committed By: morr
Date: Tue Feb 22 23:14:24 UTC 2022
Modified Files:
pkgsrc/www/wordpress: Makefile PLIST distinfo
Log Message:
Update to version 5.9.1
Changes for 5.9 are too big to list. You can view them here: \
https://wordpress.org/news/2022/01/josephine/
Changes in 5.9.1:
WordPress 5.9.1 features 33 bug fixes on Core, as well as 52 bug fixes for the Block \
Editor. The WordPress 5.9.1 release was led by Jean-Baptiste Audras and George \
Mamadashvili. The following core tickets from Trac were fixed:
#54250 Twenty Twenty One: Editor Buttons margins incompatible with gap
#54782 Default presets in use by default themes need to be updated
#54844 Unnecessary database queries when a block theme isn't in use
#54849 Site transients cause DB errors when installing
#54862 FSE Navigation Block Styling Submenu
#54886 "Show hidden updates" button is invisible
#54889 Cannot access "Manage menus" in Navigation block toolbar when running a \
classic theme #54896 TT2: Blank screen displayed for custom post type
#54900 PHP warning in `WP_REST_Global_Styles_Controller` if no `styles` exist in \
theme.json #54902 Media Library Overlay Drag-and-Drop To Reorder Images Does Not \
Work In WP 5.9 #54904 Bounce hoverIntent.js version in script-loader to 10.1.2
#54906 Check _get_cron_array type in upgrade_590 routine
#54908 Standard post type UI is exposed for templates and template parts
#54911 Twenty Twenty-Two: Theme Check Plugin issue for the image size
#54922 Normalizing CSS also catches CSS IDs instead of only URLs
#54928 Twenty Twenty-Two: 404 search label should be translated
#54929 Twenty Twenty-Two: Pricing Table pattern header levels should be \
consistent #54944 By applying a background color to a group block, it aligns to the \
left in the editor #54955 Custom fields issue
#54960 Media Library Dragging Option Isn't Reflected
#54977 Dashboard welcome banner: fix bug when displayed in certain contexts
#55018 Twenty Twenty-Two – Update theme URI link
#55072 Widgets editor: Widget Group is missing .wp-widget-group__inner-blocks \
container #55103 Twenty Twenty-Two: Restore padding for Group blocks with a \
background color #55109 Plugins no longer download to tmp folder
#55148 In block themes, styles should load in the head
#55151 View scripts of blocks are loaded in editor
#55161 Full Site Editing: PHP Warning with incomplete presets
#55177 Normalizing relative CSS links should skip data URIs
#55178 Allow fully extending WP_Theme_JSON and WP_Theme_JSON_Resolver classes
#55179 Backport bugfixes from Gutenberg into Core for WP 5.9.1
#55188 Block styles should load after global styles in the editor
#55190 Global styles duotone not rendering in post editor
The following block editor issues from GitHub were fixed:
PR38857 Fix for late static binding in the resolver
PR38780 Block Editor: Add settings to enable/disable auto anchor generation
PR38750 Load block support styles in the head for block themes
PR38745 Fix global styles loading logic
PR38695 Site Editor: Limit template part slugs to Latin chars
PR38671 Allow extending the WP_Theme_JSON_Gutenberg class
PR38656 Edit Site: Add template check to ‘setPage' action
PR38655 Add site editor initial redirect error handling
PR38649 Fix search block html handling for label and button text
PR38642 Gallery block: copy all attributes when transforming to Image blocks
PR38625 Allow child classes to use the private methods and constants
PR38561 Only apply the social links block migration if there's a need for a \
migration PR38516 Block preview: fix resize listener
PR38442 Duotone: Allow users to specify custom filters
PR38432 Remove the aria-label from the site title block
PR38399 Images: Try moving responsive rule to common.scss.
PR38362 Cover block: Add back missing styles
PR38310 Gallery block: fix bug with link destination default option not being \
set PR38189 Gallery: Ensure the last image takes up all available space
PR38070 Post Editor: Fix template queries
PR37983 Tree Grid: Fix keyboard navigation for expand/collapse table rows in \
Firefox PR37954 Fix duotone render in non-fse themes
PR37941 Unset inherited backgrounds on Posts Lists
PR37895 Site Editor: Fix broken ‘Redo' by removing faulty logic for discarding \
unsaved Logo changes PR37885 Load the global styles before the theme styles in the \
editor PR37853 Block.json schema: update fontSize and lineHeight props
PR37840 [History]: Fix redo after update/publish with transient edits
PR37778 Update core/archive block schema to reflect no block-level settings \
support PR37774 Spacer: Fix unit settings filter
PR37762 Schema: Fix appearanceTools in theme.json schema
PR37650 Site Editor: Add keyboard shortcut help modal
PR37647 Site Editor: Add the "Help" link to the tools menu
PR37644 Fix: Coloring panel is unusable in RTL
PR37569 Docs: Add automated theme.json reference documentation
PR37493 Update: make color style labels simpler
PR37486 Show UI warning if Pages cannot be retrieved in Page List block
PR37474 Fix empty gray circle when site has no logo on template list page
PR37430 Update: Allow color gradient popover to be above the color toggle
PR37425 Border panel: Collapse color controls
PR37248 Site editor – try redirecting to homepage before the react render
PR37165 Remove versioning in theme schema descriptions
PR37067 Update: PanelColorGradientSettings to use dropdowns
PR37034 Block Editor: Handle the absence of href attrib in links
PR36917 Update theme.json version
PR36746 Update theme.json schema to allow for per-block management of settings
PR36540 Post Featured Image: Move width and height controls into the Dimensions \
panel via SlotFill PR36411 Schemas: Allow custom blocks in theme.json styles
PR36343 Add pattern to name key in block.json Schema
PR36295 Schema: Allow block.json attribute type to be an array
PR36236 Fix duotone theme cache
PR36186 Spacer: add custom units for height and width
PR30873 Focus save button when entities save states panel is opened
---
Module Name: pkgsrc
Committed By: morr
Date: Sat Mar 12 17:16:30 UTC 2022
Modified Files:
pkgsrc/www/wordpress: Makefile distinfo
Log Message:
Security fix for Wordpress.
Fixing 1 bug and 3 security bugs.
More informaton here:
https://wordpress.org/support/wordpress-version/version-5-9-2/
www/ruby-rails70: security fix
Revisions pulled up:
- databases/ruby-activerecord70/distinfo 1.2-1.3
- devel/ruby-activejob70/distinfo 1.2-1.3
- devel/ruby-activemodel70/distinfo 1.2-1.3
- devel/ruby-activestorage70/PLIST 1.2
- devel/ruby-activestorage70/distinfo 1.2-1.3
- devel/ruby-activesupport70/distinfo 1.2-1.3
- devel/ruby-railties70/distinfo 1.2-1.3
- lang/ruby/rails.mk 1.110,1.114
- mail/ruby-actionmailbox70/distinfo 1.2-1.3
- mail/ruby-actionmailer70/distinfo 1.2-1.3
- textproc/ruby-actiontext70/distinfo 1.2-1.3
- www/ruby-actioncable70/distinfo 1.2-1.3
- www/ruby-actionpack70/distinfo 1.2-1.3
- www/ruby-actionview70/distinfo 1.2-1.3
- www/ruby-rails70/distinfo 1.2-1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:02:54 UTC 2022
Modified Files:
pkgsrc/lang/ruby: rails.mk
Log Message:
lang/ruby: start update of Ruby on Rails 7.0.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:05:14 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activesupport70: distinfo
Log Message:
devel/ruby-activesupport70: update to 7.0.1
7.0.1 (2021-01-06)
* Fix Class#descendants and DescendantsTracker#descendants compatibilit=
y
with Ruby 3.1.
The native Class#descendants was reverted prior to Ruby 3.1 release, =
but
Class#subclasses was kept, breaking the feature detection.
Jean Boussier
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:05:44 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activemodel70: distinfo
Log Message:
devel/ruby-activemodel70: update to 7.0.1
7.0.1 (2021-01-06)
* No change.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:06:14 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activejob70: distinfo
Log Message:
devel/ruby-activejob70: update to 7.0.1
7.0.1 (2021-01-06)
* Allow testing discard_on/retry_on ActiveJob::DeserializationError
Previously in perform_enqueued_jobs, deserialize_arguments_if_needed
was called before calling perform_now. When a record no longer
exists and is serialized using GlobalID this led to raising an
ActiveJob::DeserializationError before reaching perform_now call.
This behaviour makes difficult testing the job discard_on/retry_on
logic.
Now deserialize_arguments_if_needed call is postponed to when
perform_now is called.
Example:
class UpdateUserJob < ActiveJob::Base
discard_on ActiveJob::DeserializationError
def perform(user)
# ...
end
end
# In the test
User.destroy_all
assert_nothing_raised do
perform_enqueued_jobs only: UpdateUserJob
end
Jacopo Beschi
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:06:39 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionview70: distinfo
Log Message:
devel/ruby-actionview70: update to 7.0.1
7.0.1 (2021-01-06)
* Fix button_to to work with a hash parameter as URL.
MingyuanQin
* Fix link_to with a model passed as an argument twice.
Alex Ghiculescu
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:07:02 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionpack70: distinfo
Log Message:
devel/ruby-actionpack70: update to 7.0.1
7.0.1 (2021-01-06)
* Fix ActionController::Parameters methods to keep the original logger
context when creating a new copy of the original object.
Yutaka Kamei
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:07:29 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord70: distinfo
Log Message:
databases/ruby-activerecord70: update to 7.0.1
7.0.1 (2021-01-06)
* Change QueryMethods#in_order_of to drop records not listed in values.=
in_order_of now filters down to the values provided, to match the
behavior of the Enumerable version.
Kevin Newton
* Allow named expression indexes to be revertible.
Previously, the following code would raise an error in a reversible
migration executed while rolling back, due to the index name not
being used in the index removal.
add_index(:settings, "(data->'property')", using: :gin, name: :index_s=
ettings_data_property)
Fixes#43331.
Oliver G=FCnther
* Better error messages when association name is invalid in the
argument of ActiveRecord::QueryMethods::WhereChain#missing.
ykpythemind
* Fix ordered migrations for single db in multi db environment.
Himanshu
* Extract on update CURRENT_TIMESTAMP for mysql2 adapter.
Kazuhiro Masuda
* Fix incorrect argument in PostgreSQL structure dump tasks.
Updating the --no-comment argument added in Rails 7 to the correct
--no-comments argument.
Alex Dent
* Fix schema dumping column default SQL values for sqlite3.
fatkodima
* Correctly parse complex check constraint expressions for PostgreSQL.
fatkodima
* Fix timestamptz attributes on PostgreSQL handle blank inputs.
Alex Ghiculescu
Fix migration compatibility to create SQLite references/belongs_to
column as integer when migration version is 6.0.
Reference/belongs_to in migrations with version 6.0 were creating
columns as bigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
* Fix joining through a polymorphic association.
Alexandre Ruban
* Fix QueryMethods#in_order_of to handle empty order list.
Post.in_order_of(:id, []).to_a Also more explicitly set the column
as secondary order, so that any other value is still ordered.
Jean Boussier
* Fix rails dbconsole for 3-tier config.
Eileen M. Uchitelle
* Fix quoting of column aliases generated by calculation methods.
Since the alias is derived from the table name, we can't assume the
result is a valid identifier.
class Test < ActiveRecord::Base
self.table_name =3D '1abc'
end
Test.group(:id).count
# syntax error at or near "1" (ActiveRecord::StatementInvalid)
# LINE 1: SELECT COUNT(*) AS count_all, "1abc"."id" AS 1abc_id FROM "1=
...
Jean Boussier
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:07:49 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activestorage70: distinfo
Log Message:
devel/ruby-activestorage70: update to 7.0.1
7.0.1 (2021-01-06)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:08:13 UTC 2022
Modified Files:
pkgsrc/mail/ruby-actionmailer70: distinfo
Log Message:
mail/ruby-actionmailer70: update to 7.0.1
* Keep configuration of smtp_settings consistent between 6.1 and 7.0.
Andr=E9 Luis Leal Cardoso Junior
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:08:57 UTC 2022
Modified Files:
pkgsrc/mail/ruby-actionmailbox70: distinfo
Log Message:
mail/ruby-actionmailbox70: update to 7.0.1
7.0.1 (2021-01-06)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:09:16 UTC 2022
Modified Files:
pkgsrc/www/ruby-actioncable70: distinfo
Log Message:
www/ruby-actioncable70: update to 7.0.1
7.0.1 (2021-01-06)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:10:09 UTC 2022
Modified Files:
pkgsrc/devel/ruby-railties70: distinfo
Log Message:
devel/ruby-railties70: 7.0.1 (2021-01-06)
* Prevent duplicate entries in plugin Gemfile.
Jonathan Hefner
* Fix asset pipeline errors for plugin dummy apps.
Jonathan Hefner
* Fix generated route revocation.
Jonathan Hefner
* Addresses an issue in which Sidekiq jobs could not reload certain
namespaces.
See fxn/zeitwerk#198 for details.
Xavier Noria
* Fix plugin generator to a plugin that pass all the tests.
Rafael Mendon=E7a Fran=E7a
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:10:40 UTC 2022
Modified Files:
pkgsrc/textproc/ruby-actiontext70: distinfo
Log Message:
textproc/ruby-actiontext70: 7.0.1 (2021-01-06)
7.0.1 (2021-01-06)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jan 16 14:12:56 UTC 2022
Modified Files:
pkgsrc/www/ruby-rails70: distinfo
Log Message:
www/ruby-rails70: update to 7.0.1
This is meta gem (package) for Ruby on Rails 7.0.1.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:39:14 UTC 2022
Modified Files:
pkgsrc/lang/ruby: rails.mk
Log Message:
lang/ruby: start update of ruby-rails70 to 7.0.2.2
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:41:06 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activesupport70: distinfo
Log Message:
devel/ruby-activesupport70: update to 7.0.2
7.0.2 (2022-02-08)
* Fix ActiveSupport::EncryptedConfiguration to be compatible with Psych=
4
Stephen Sugden
* Improve File.atomic_write error handling.
Daniel Pepper
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature=
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:41:59 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activemodel70: distinfo
Log Message:
devel/ruby-activemodel70: update to 7.0.2
7.0.2 (2022-02-08)
* Use different cache namespace for proxy calls
Models can currently have different attribute bodies for the same met=
hod
names, leading to conflicts. Adding a new namespace :active_model_pro=
xy
fixes the issue.
Chris Salzberg
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:42:23 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activejob70: distinfo
Log Message:
devel/ruby-activejob70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:42:47 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionview70: distinfo
Log Message:
www/ruby-actionview70: update to 7.0.2
7.0.2 (2022-02-08)
* Ensure preload_link_tag preloads JavaScript modules correctly.
M=E1ximo Mussini
* Fix stylesheet_link_tag and similar helpers are being used to work in=
objects with a response method.
dark-panda
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:43:27 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionpack70: distinfo
Log Message:
www/ruby-actionpack70: update to 7.0.2
This update contains security fix for CVE-2022-23633.
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request
[CVE-2022-23633]
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:43:55 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord70: distinfo
Log Message:
databases/ruby-activerecord70: update to 7.0.2
7.0.2 (2022-02-08)
* Fix PG.connect keyword arguments deprecation warning on ruby 2.7.
Nikita Vasilevsky
* Fix the ability to exclude encryption params from being autofiltered.=
Mark Gangl
* Dump the precision for datetime columns following the new defaults.
Rafael Mendon=E7a Fran=E7a
* Make sure encrypted attributes are not being filtered twice.
Nikita Vasilevsky
* Dump the database schema containing the current Rails version.
Since #42297, Rails now generate datetime columns with a default prec=
ision
of 6. This means that users upgrading to Rails 7.0 from 6.1, when lo=
ading
the database schema, would get the new precision value, which would n=
ot
match the production schema.
To avoid this the schema dumper will generate the new format which wi=
ll
include the Rails version and will look like this:
ActiveRecord::Schema[7.0].define
When upgrading from Rails 6.1 to Rails 7.0, you can run the rails
app:update task that will set the current schema version to 6.1.
Rafael Mendon=E7a Fran=E7a
* Fix parsing expression for PostgreSQL generated column.
fatkodima
* Fix Mysql2::Error: Commands out of sync; you can't run this command n=
ow
when bulk-inserting fixtures that exceed max_allowed_packet configura=
tion.
Nikita Vasilevsky
* Fix error when saving an association with a relation named record.
Dorian Mari=E9
* Fix MySQL::SchemaDumper behavior about datetime precision value.
y0t4
* Improve associated with no reflection error.
Nikolai
* Fix PG.connect keyword arguments deprecation warning on ruby 2.7.
Fixes#44307.
Nikita Vasilevsky
* Fix passing options to check_constraint from change_table.
Frederick Cheung
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:44:29 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activestorage70: PLIST distinfo
Log Message:
devel/ruby-activestorage70: update to 7.0.2
7.0.2 (2022-02-08)
* Revert the ability to pass service_name param to DirectUploadsControl=
ler
which was introduced in 7.0.0.
That change caused a lot of problems to upgrade Rails applications so=
we
decided to remove it while in work in a more backwards compatible
implementation.
Gannon McGibbon
* Allow applications to opt out of precompiling Active Storage JavaScri=
pt
assets.
jlestavel
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:44:47 UTC 2022
Modified Files:
pkgsrc/mail/ruby-actionmailer70: distinfo
Log Message:
mail/ruby-actionmailer70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:45:05 UTC 2022
Modified Files:
pkgsrc/mail/ruby-actionmailbox70: distinfo
Log Message:
mail/ruby-actionmailbox70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:45:27 UTC 2022
Modified Files:
pkgsrc/www/ruby-actioncable70: distinfo
Log Message:
www/ruby-actioncable70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:45:49 UTC 2022
Modified Files:
pkgsrc/devel/ruby-railties70: distinfo
Log Message:
devel/ruby-railties70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:46:12 UTC 2022
Modified Files:
pkgsrc/textproc/ruby-actiontext70: distinfo
Log Message:
textproc/ruby-actiontext70: update to 7.0.2
7.0.2 (2022-02-08)
* No changes.
7.0.2.1 (2022-02-11)
* No changes.
7.0.2.2 (2022-02-11)
* No changes.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:47:25 UTC 2022
Modified Files:
pkgsrc/www/ruby-rails70: distinfo
Log Message:
www/ruby-rails70: update to 7.0.2
This gem is a meta package for Ruby on Rails 7, so no changes here.
www/wuby-rails61: security fix
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.10
- devel/ruby-activejob61/distinfo 1.10
- devel/ruby-activemodel61/distinfo 1.10
- devel/ruby-activestorage61/distinfo 1.10
- devel/ruby-activesupport61/distinfo 1.10
- devel/ruby-railties61/distinfo 1.10
- lang/ruby/rails.mk 1.113
- mail/ruby-actionmailbox61/distinfo 1.10
- mail/ruby-actionmailer61/distinfo 1.10
- textproc/ruby-actiontext61/distinfo 1.10
- www/ruby-actioncable61/distinfo 1.10
- www/ruby-actionpack61/distinfo 1.10
- www/ruby-actionview61/distinfo 1.10
- www/ruby-rails61/distinfo 1.10
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:35:06 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/ruby-rails61: update to 6.1.4.6
This update contains security fix for CVE-2022-23633 in ruby-actionpack61.
Active Support 6.1.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.1.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
www/ruby-rails60: security fix
Revisions pulled up:
- databases/ruby-activerecord60/distinfo 1.15
- devel/ruby-activejob60/distinfo 1.15
- devel/ruby-activemodel60/distinfo 1.15
- devel/ruby-activestorage60/distinfo 1.15
- devel/ruby-activesupport60/distinfo 1.15
- devel/ruby-railties60/distinfo 1.15
- lang/ruby/rails.mk 1.112
- mail/ruby-actionmailbox60/distinfo 1.15
- mail/ruby-actionmailer60/distinfo 1.15
- textproc/ruby-actiontext60/distinfo 1.15
- www/ruby-actioncable60/distinfo 1.15
- www/ruby-actionpack60/distinfo 1.15
- www/ruby-actionview60/distinfo 1.15
- www/ruby-rails60/distinfo 1.15
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:31:23 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord60: distinfo
pkgsrc/devel/ruby-activejob60: distinfo
pkgsrc/devel/ruby-activemodel60: distinfo
pkgsrc/devel/ruby-activestorage60: distinfo
pkgsrc/devel/ruby-activesupport60: distinfo
pkgsrc/devel/ruby-railties60: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox60: distinfo
pkgsrc/mail/ruby-actionmailer60: distinfo
pkgsrc/textproc/ruby-actiontext60: distinfo
pkgsrc/www/ruby-actioncable60: distinfo
pkgsrc/www/ruby-actionpack60: distinfo
pkgsrc/www/ruby-actionview60: distinfo
pkgsrc/www/ruby-rails60: distinfo
Log Message:
www/ruby-rails60: update to 6.0.4.6
This update contains security fix for CVE-2022-23633 in ruby-actionpack60.
Active Support 6.0.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.0.4.6
6.0.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
www/ruby-rails52: security fix
Revisions pulled up:
- databases/ruby-activerecord52/distinfo 1.11
- devel/ruby-activejob52/distinfo 1.11
- devel/ruby-activemodel52/distinfo 1.11
- devel/ruby-activestorage52/distinfo 1.11
- devel/ruby-activesupport52/distinfo 1.11
- devel/ruby-railties52/distinfo 1.11
- lang/ruby/rails.mk 1.111
- mail/ruby-actionmailer52/distinfo 1.11
- www/ruby-actioncable52/distinfo 1.11
- www/ruby-actionpack52/distinfo 1.11
- www/ruby-actionview52/distinfo 1.11
- www/ruby-rails52/distinfo 1.11
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:26:07 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord52: distinfo
pkgsrc/devel/ruby-activejob52: distinfo
pkgsrc/devel/ruby-activemodel52: distinfo
pkgsrc/devel/ruby-activestorage52: distinfo
pkgsrc/devel/ruby-activesupport52: distinfo
pkgsrc/devel/ruby-railties52: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailer52: distinfo
pkgsrc/www/ruby-actioncable52: distinfo
pkgsrc/www/ruby-actionpack52: distinfo
pkgsrc/www/ruby-actionview52: distinfo
pkgsrc/www/ruby-rails52: distinfo
Log Message:
www/ruby-rails52: update to 5.2.6.2
This update contains security fix for CVE-2022-23633 in
Active Support 5.2.6.2 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 5.2.6.2 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request.
[CVE-2022-23633]
net/bind916: SunOS build fix
Revisions pulled up:
- net/bind916/distinfo 1.31
- net/bind916/patches/patch-lib_isc_unix_socket.c 1.7
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Thu Feb 17 15:37:26 UTC 2022
Modified Files:
pkgsrc/net/bind916: distinfo
pkgsrc/net/bind916/patches: patch-lib_isc_unix_socket.c
Log Message:
bind916: fix builds on Solaris derivates
A patch fixing SunOS builds was lost during a recent update, restore
it. (And s/SmartOS/SunOS/ in comment, this doesn't just affect SmartOS,
reproduced and fixed on OmniOS. This package also fails to build on
Linux, but that's another issue entirely.) Addresses PR pkg/56716 from
Russell Hansen.
databases/mariadb106-client, databases/mariadb106-server: security fix
Revisions pulled up:
- databases/mariadb106-client/Makefile 1.6
- databases/mariadb106-client/Makefile.common 1.7
- databases/mariadb106-client/PLIST 1.3
- databases/mariadb106-client/distinfo 1.6
- databases/mariadb106-client/patches/patch-storage_innobase_include_transactional__lock__guard.h 1.2
- databases/mariadb106-server/Makefile 1.12
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 19 09:13:21 UTC 2022
Modified Files:
pkgsrc/databases/mariadb106-client: Makefile Makefile.common PLIST
distinfo
pkgsrc/databases/mariadb106-client/patches:
patch-storage_innobase_include_transactional__lock__guard.h
pkgsrc/databases/mariadb106-server: Makefile
Log Message:
mariadb106: update to 10.6.7
MariaDB 10.6.7 Release Notes
InnoDB
* Set innodb_change_buffering=none by default (MDEV-27734)
Security
* Fixes for the following security vulnerabilities:
* CVE-2021-46665
* CVE-2021-46664
* CVE-2021-46661
* CVE-2021-46668
* CVE-2021-46663
MariaDB 10.6.6 Release Notes
Notable Items
InnoDB
* --skip-symbolic-links does not disallow .isl file creation
(MDEV-26870)
* Indexed CHAR columns are broken with NO_PAD collations (MDEV-25440)
* insert-intention lock conflicts with waiting ORDINARY lock
(MDEV-27025)
* Crash recovery improvements (MDEV-26784, MDEV-27022, MDEV-27183,
MDEV-27610)
* mariabackup skips valid .ibd file (MDEV-26326)
* Allow seamless upgrade despite ROW_FORMAT=COMPRESSED (MDEV-27736)
Galera
* Galera updated to 26.4.11
* Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory
(MDEV-27181)
* Alter Sequence do not replicate to another nodes with in Galera
Cluster (MDEV-19353)
* Galera crash - Assertion. Possible parallel writeset problem
(MDEV-26803)
* CREATE TABLE with FOREIGN KEY constraint fails to apply in parallel
(MDEV-27276)
* Galera cluster node consider old server_id value even after
modification of server_id [wsrep_gtid_mode=ON] (MDEV-26223)
Replication
* Seconds behind master corrected from artificial spikes at relay-log
rotation (MDEV-16091)
* Statement rollback in binlog when transaction creates or drop
temporary table is set right (MDEV-26833)
* CREATE-or-REPLACE SEQUENCE is made to binlog with the DDL flag to
stabilize its parallel execution on slave (MDEV-27365)
Security
* Fixes for the following security vulnerabilities:
* CVE-2022-24052
* CVE-2022-24051
* CVE-2022-24050
* CVE-2022-24048
* CVE-2021-46659
databases/mariadb105-client, databases/mariadb105-server: security fix
Revisions pulled up:
- databases/mariadb105-client/Makefile 1.10
- databases/mariadb105-client/Makefile.common 1.15
- databases/mariadb105-client/PLIST 1.4
- databases/mariadb105-client/distinfo 1.11
- databases/mariadb105-server/Makefile 1.23
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 19 09:57:51 UTC 2022
Modified Files:
pkgsrc/databases/mariadb105-client: Makefile Makefile.common PLIST
distinfo
pkgsrc/databases/mariadb105-server: Makefile
Log Message:
mariadb105: update to 10.5.15
MariaDB 10.5.15 Release Notes
Notable Items
InnoDB
* Set innodb_change_buffering=none by default (MDEV-27734)
Security
* Fixes for the following security vulnerabilities:
* CVE-2021-46665
* CVE-2021-46664
* CVE-2021-46661
* CVE-2021-46668
* CVE-2021-46663
MariaDB 10.5.14 Release Notes
Notable Items
InnoDB
* --skip-symbolic-links does not disallow .isl file creation
(MDEV-26870)
* Indexed CHAR columns are broken with NO_PAD collations (MDEV-25440)
* insert-intention lock conflicts with waiting ORDINARY lock
(MDEV-27025)
* Crash recovery improvements (MDEV-26784, MDEV-27022, MDEV-27183,
MDEV-27610)
Galera
* Galera updated to 26.4.11
* Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory
(MDEV-27181)
* Alter Sequence do not replicate to another nodes with in Galera
Cluster (MDEV-19353)
* Galera crash - Assertion. Possible parallel writeset problem
(MDEV-26803)
* CREATE TABLE with FOREIGN KEY constraint fails to apply in parallel
(MDEV-27276)
* Galera cluster node consider old server_id value even after
modification of server_id [wsrep_gtid_mode=ON] (MDEV-26223)
Replication
* Seconds behind master corrected from artificial spikes at relay-log
rotation (MDEV-16091)
* Statement rollback in binlog when transaction creates or drop
temporary table is set right (MDEV-26833)
* CREATE-or-REPLACE SEQUENCE is made to binlog with the DDL flag to
stabilize its parallel execution on slave (MDEV-27365)
Security
* Fixes for the following security vulnerabilities:
* CVE-2022-24052
* CVE-2022-24051
* CVE-2022-24050
* CVE-2022-24048
* CVE-2021-46659
www/firefox91: security fix
Revisions pulled up:
- www/firefox91/Makefile 1.13
- www/firefox91/distinfo 1.10
---
Module Name: pkgsrc
Committed By: nia
Date: Mon Feb 21 03:43:56 UTC 2022
Modified Files:
pkgsrc/www/firefox91: Makefile distinfo
Log Message:
firefox91: update to 91.6.0
Security Vulnerabilities fixed in Firefox ESR 91.6
#CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance
Service
#CVE-2022-22754: Extensions could have bypassed permission confirmation
during update
#CVE-2022-22756: Drag and dropping an image could have resulted in the
dropped object being an executable
#CVE-2022-22759: Sandboxed iframes could have executed script if the parent
appended elements
#CVE-2022-22760: Cross-Origin responses could be distinguished between
script and non-script content-types
#CVE-2022-22761: frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
#CVE-2022-22763: Script Execution during invalid object state
#CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
textproc/expat: security fix
Revisions pulled up:
- textproc/expat/Makefile 1.48-1.49
- textproc/expat/distinfo 1.40-1.41
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 17 08:49:34 UTC 2022
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.4.3.
Release 2.4.3 Sun January 16 2022
Security fixes:
#531#534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
resulting in
a) realloc acting as free
b) realloc allocating too few bytes
c) undefined behavior
depending on architecture and precise value
for XML documents with >=2^27+1 prefixed attributes
on a single XML tag a la
"<r xmlns:a='[..]' a:a123='[..]' [..] />"
where XML_ParserCreateNS is used to create the parser
(which needs argument "-n" when running xmlwf).
Impact is denial of service, or more.
#532#538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
on variable m_groupSize in function doProlog leading
to realloc acting as free.
Impact is denial of service or more.
#539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
near memory allocation at multiple places. Mitre assigned
a dedicated CVE for each involved internal C function:
- CVE-2022-22822 for function addBinding
- CVE-2022-22823 for function build_model
- CVE-2022-22824 for function defineAttribute
- CVE-2022-22825 for function lookup
- CVE-2022-22826 for function nextScaffoldPart
- CVE-2022-22827 for function storeAtts
Impact is denial of service or more.
Other changes:
#535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19
#541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
and MSYS2 by not going through Wine on these platforms
#527#528 Address compiler warnings
#533#543 Version info bumped from 9:2:8 to 9:3:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#536 CI: Check for realistic minimum CMake version
#529#539 CI: Cover compilation with -m32
#529 CI: Store coverage reports as artifacts for download
#528 CI: Upgrade Clang from 11 to 13
Release 2.4.2 Sun December 19 2021
Other changes:
#509#510 Link againgst libm for function "isnan"
#513#514 Include expat_config.h as early as possible
#498 Autotools: Include files with release archives:
- buildconf.sh
- fuzz/*.c
#507#519 Autotools: Sync CMake templates
#495#524 CMake: MinGW: Fix pkg-config section "Libs" for
- non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
- multi-config CMake generators (e.g. Ninja Multi-Config)
#502#503 docs: Document that function XML_GetBuffer may return NULL
when asking for a buffer of 0 (zero) bytes size
#522#523 docs: Fix return value docs for both
XML_SetBillionLaughsAttackProtection* functions
#525#526 Version info bumped from 9:1:8 to 9:2:8;
see https://verbump.de/ for what these numbers do
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Feb 1 12:10:18 UTC 2022
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.4.4.
Release 2.4.4 Sun January 30 2022
Security fixes:
#550 CVE-2022-23852 -- Fix signed integer overflow
(undefined behavior) in function XML_GetBuffer
(that is also called by function XML_Parse internally)
for when XML_CONTEXT_BYTES is defined to >0 (which is both
common and default).
Impact is denial of service or more.
#551 CVE-2022-23990 -- Fix unsigned integer overflow in function
doProlog triggered by large content in element type
declarations when there is an element declaration handler
present (from a prior call to XML_SetElementDeclHandler).
Impact is denial of service or more.
Bug fixes:
#544#545 xmlwf: Fix a memory leak on output file opening error
Other changes:
#546 Autotools: Fix broken CMake support under Cygwin
#554 Windows: Add missing files to the installer to fix
compilation with CMake from installed sources
#552#554 Version info bumped from 9:3:8 to 9:4:8;
see https://verbump.de/ for what these numbers do
security/heimdal: build fix
Revisions pulled up:
- security/heimdal/distinfo 1.54
- security/heimdal/patches/patch-lib_hx509_Makefile.in 1.3
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Thu Jan 27 03:31:22 UTC 2022
Modified Files:
pkgsrc/security/heimdal: distinfo
pkgsrc/security/heimdal/patches: patch-lib_hx509_Makefile.in
Log Message:
heimdal: correct build fix patch
The previous version of this patch added build dependencies at the
wrong point: we need the headers generated by the time the object is
compiled, not by the time the final binary is linked. (This matches the
actual upstream change set.)
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube-plugin-password/distinfo 1.28
- mail/roundcube/Makefile.common 1.26
- mail/roundcube/PLIST 1.50
- mail/roundcube/distinfo 1.79
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 29 13:34:44 UTC 2022
Modified Files:
pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube: update to 1.5.2
This update contains security fix.
Roundcube Webmail 1.5.1 (2021-11-28)
This is the first service release to update the new stable version 1.5. It
provides a bunch of small fixes and improvements after getting your feedback
from the 1.5.0 release. See the full changelog below.
Important note for MySQL and MariaDB database backends
The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody
migrating an existing DB. Hence here's an important notice from the
UPGRADING instructions:
If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:
innodb_large_prefix=1
innodb_file_per_table=1
innodb_file_format=Barracuda
This version is considered stable and we recommend to update all productive
installations of Roundcube with it. Please do backup your data before
updating!
CHANGELOG
* Fix importing contacts with no email address (#8227)
* Fix so session's search scope is not used if search is not active (#8199)
* Fix some PHP8 warnings (#8239)
* Fix so dark mode state is retained after closing the browser (#8237)
* Fix bug where new messages were not added to the list on refresh if
skip_deleted=true (#8234)
* Fix colors on "Show source" page in dark mode (#8246)
* Fix handling of dark_mode_support:false setting in skins meta.json - also
when devel_mode=false (#8249)
* Fix database initialization if db_prefix is a schema prefix (#8221)
* Fix undefined constant error in Installer on Windows (#8258)
* Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
* Fix regression in setting of contact listing name (#8260)
* Fix bug in Larry skin where headers toggle state was reset on full page
preview (#8203)
* Fix bug where \u200b characters were added into the recipient input
preventing mail delivery (#8269)
* Fix charset conversion errors on PHP < 8 for charsets not supported by
mbstring (#8252)
* Fix bug where adding a contact to trusted senders via "Always allow
from..." button didn't work (#8264, #8268)
* Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
* Fix PHP fatal error on an undefined constant in contacts import action
(#8277)
* Fix fetching headers of multiple message parts at once in
rcube_imap_generic::fetchMIMEHeaders() (#8282)
* Fix bug where attachment download could sometimes fail with a CSRF check
error (#8283)
* Fix an infinite loop when parsing environment variables with float/integer
values (#8293)
* Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)
Roundcube Webmail 1.5.2 (2021-12-30)
This is the second service release to update the new stable version 1.5. It
provides a bunch of small fixes and improvements to the OAuth feature as
well as a security fix to a recently reported XSS vulnerability. See the
full changelog below.
Security fix
* Cross-site scripting (XSS) via HTML messages with malicious CSS content
This version is considered stable and we recommend to update all productive
installations of Roundcube with it. Please do backup your data before
updating!
CHANGELOG
* OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
* OAuth: fix expiration of short-lived oauth tokens (#8147)
* OAuth: fix relative path to assets if /index.php/foo/bar url is used
(#8144)
* OAuth: no auto-redirect on imap login failures (#8370)
* OAuth: refresh access token in 'refresh' plugin hook (#8224)
* Fix so folder search parameters are honored by subscriptions_option plugin
(#8312)
* Fix password change with Directadmin driver (#8322, #8329)
* Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
* Fix handling of unicode/special characters in custom From input (#8357)
* Fix some PHP8 compatibility issues (#8363)
* Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
* Fix scrolling and missing Close button in the Select image dialog in
Elastic/mobile (#8367)
* Security: fix cross-site scripting (XSS) via HTML messages with malicious
CSS content
www/drupal7: security fix
Revisions pulled up:
- www/drupal7/Makefile 1.75
- www/drupal7/PLIST 1.29
- www/drupal7/distinfo 1.59
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 27 13:38:03 UTC 2022
Modified Files:
pkgsrc/www/drupal7: Makefile PLIST distinfo
Log Message:
www/drupal7: update to 7.86
Drupal 7.86, 2022-01-18
-----------------------
- Fixed security issues:
- SA-CORE-2022-001
- SA-CORE-2022-002
Drupal 7.85, 2022-01-12
-----------------------
- Fix session cookies for sites with different base_urls but a shared domain
Drupal 7.84, 2021-12-13
-----------------------
- Hotfix for session cookie domain on www subdomains
Drupal 7.83, 2021-12-01
-----------------------
- Initial support for PHP 8.1
- The has_js cookie has been removed (but can be re-enabled)
- The leading www. is no longer stripped from cookie domain by default
- The user entity now has a "changed" property
- Introduced a skip_permissions_hardening setting
- Changes to the password reset process to avoid email and username enumeration
- Various bug fixes, optimizations and improvements
net/samba4: security fix
Revisions pulled up:
- net/samba4/Makefile 1.135
- net/samba4/distinfo 1.71
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 10 14:11:16 UTC 2022
Modified Files:
pkgsrc/net/samba4: Makefile distinfo
Log Message:
net/samba4: update to 4.13.16
===============================
Release Notes for Samba 4.13.16
January 10, 2022
===============================
This is a security release in order to address the following defects:
o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
https://www.samba.org/samba/security/CVE-2021-43566.html
=======
Details
=======
o CVE-2021-43566:
All versions of Samba prior to 4.13.16 are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow a directory to be
created in an area of the server file system not exported under the
share definition. Note that SMB1 has to be enabled, or the share
also available via NFS in order for this attack to succeed.
Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
create a directory under the new symlink target after the exported
share path check has been done. This new symlink target can point to
anywhere on the server file system. The authenticated user must have
permissions to create a directory under the target directory of the
symlink.
This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.
Changes since 4.13.15
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
security/clamav: security fix
Revisions pulled up:
- security/clamav/Makefile 1.82
- security/clamav/Makefile.common 1.22
- security/clamav/distinfo 1.41
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 13 15:28:22 UTC 2022
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common distinfo
Log Message:
security/clamav: update to 0.103.5
0.103.5 (2022-01-12)
ClamAV 0.103.5 is a critical patch release with the following fixes:
* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
Fix for invalid pointer read that may cause a crash. This issue affects
0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
option) is enabled.
Cisco would like to thank Laurent Delosieres of ManoMano for reporting
this vulnerability.
* Fixed ability to disable the file size limit with libclamav C API, like
this:
cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
This issue didn't affect ClamD or ClamScan which also can disable the
limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
or clamscan --max-filesize=0 for ClamScan.
Note: Internally, the max file size is still set to 2 GiB. Disabling the
limit for a scan will fall back on the internal 2 GiB limitation.
* Increased the maximum line length for ClamAV config files from 512 bytes
to 1,024 bytes to allow for longer config option strings.
* SigTool: Fix insufficient buffer size for --list-sigs that caused a
failure when listing a database containing one or more very long
signatures. This fix was backported from 0.104.
Special thanks to the following for code contributions and bug reports:
* Laurent Delosieres
www/webkit-gtk: NetBSD 9 build fix, PR pkg/56604
Revisions pulled up:
- www/webkit-gtk/Makefile 1.219
- www/webkit-gtk/buildlink3.mk 1.87
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Thu Jan 13 03:57:28 UTC 2022
Modified Files:
pkgsrc/www/webkit-gtk: Makefile buildlink3.mk
Log Message:
webkit-gtk: fix builds on NetBSD 9.x
The base GCC 7.5 on NetBSD 9.x is missing a C++17 feature expected by
this package now. The pkgsrc GCC 7.5 includes that feature, but the
build still fails later on with another unmet expectation. So GCC 8 is
now the minimum viable version with which to build this package.
This involves a bit of a kludge to deal with how GCC from pkgsrc ends
up linking. This is obviously not ideal, and is part of a broader
topic that needs revisiting. The present goal is to try and stabilize
the 2021Q4 branch.
Tested on 9.2_STABLE/amd64 with www/badwolf. Addresses PR pkg/56604.
www/wordpress: security fix
Revisions pulled up:
- www/wordpress/Makefile 1.102
- www/wordpress/PLIST 1.50
- www/wordpress/distinfo 1.86
---
Module Name: pkgsrc
Committed By: morr
Date: Mon Jan 10 20:48:20 UTC 2022
Modified Files:
pkgsrc/www/wordpress: Makefile PLIST distinfo
Log Message:
Security update to 5.8.3.
Changes since 5.8:
5.8.3
4 security issues affect WordPress versions between 3.7 and 5.8. If you haven't yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues:
* Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
* Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
* Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
* Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query.
More info on https://wordpress.org/support/wordpress-version/version-5-8-3/
5.8.2
1 security update and fixed 2 bugs.
More info on https://wordpress.org/support/wordpress-version/version-5-8-2/
5.8.1
3 security issues affects WordPress versions between 5.4 and 5.8. If you haven't yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:
* Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API.
* Props to Michal Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.
* The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.
In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:
* Props Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release's beta period.
* Props Steve Henty for reporting a privilege escalation issue in the block editor.
More info on https://wordpress.org/support/wordpress-version/version-5-8-1/
lang/wasi-libcxx: build fix
Revisions pulled up:
- lang/wasi-libcxx/Makefile 1.8
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Mon Jan 10 02:10:04 UTC 2022
Modified Files:
pkgsrc/lang/wasi-libcxx: Makefile
Log Message:
wasi-libcxx: carry over wasi-compiler-rt fix for Firefox builds
Also apply tnn@'s workaround in wasi-compiler-rt here, as related
failures have been observed due to this package. See PR pkg/56590.
(Tested with multiple iterations on NetBSD 9.2_STABLE.)
lang/wasi-compiler-rt: build fix
lang/wasi-libc: build fix
lang/wasi-libcxx: build fix
Revisions pulled up:
- lang/wasi-compiler-rt/Makefile 1.4-1.8
- lang/wasi-libc/Makefile 1.4-1.5
- lang/wasi-libcxx/Makefile 1.5-1.7
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Jan 7 13:32:48 UTC 2022
Modified Files:
pkgsrc/lang/wasi-compiler-rt: Makefile
pkgsrc/lang/wasi-libc: Makefile
pkgsrc/lang/wasi-libcxx: Makefile
Log Message:
wasi-*: force ABI=32
These packages were failing when ABI=64 in mk.conf, because then -m64 is
passed down to clang and WebAssembly currently only supports -m32.
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Jan 7 13:51:05 UTC 2022
Modified Files:
pkgsrc/lang/wasi-compiler-rt: Makefile
Log Message:
wasi-compiler-rt: don't circumvent pkgsrc wrappers
Fixes build failure on Linux due to BUILDLINK_TRANSFORM not kicking in.
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Jan 7 14:33:43 UTC 2022
Modified Files:
pkgsrc/lang/wasi-compiler-rt: Makefile
pkgsrc/lang/wasi-libcxx: Makefile
Log Message:
wasi-*: fix build failure when package already installed
Only use headers that pkgsrc has permitted via buildlink.
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Jan 7 15:49:53 UTC 2022
Modified Files:
pkgsrc/lang/wasi-compiler-rt: Makefile
pkgsrc/lang/wasi-libc: Makefile
pkgsrc/lang/wasi-libcxx: Makefile
Log Message:
wasi-*: eliminate -march and/or -mcpu CFLAGS user might have set
Random CFLAGS from mk.conf are not a good idea in a cross compile scenario.
Also reset ABI to empty string since -m32 can break some native CMake tests.
---
Module Name: pkgsrc
Committed By: tnn
Date: Fri Jan 7 20:24:40 UTC 2022
Modified Files:
pkgsrc/lang/wasi-compiler-rt: Makefile
Log Message:
wasi-compiler-rt: apply band-aid for ranlib error in www/firefox
emulators/compat90: fix for PR pkg/56597
1) ensure that a symlink points the expected place before
removing it on de-install (safety measure)
2) change ONLY_FOR_PLATFORMS so that 9.[012] and _STABLE
variants are excluded; insist on 9.99.* or later.
Subsequently, adapt to pkglint warnings about EMUL_PLATFORMS
member names.
Revisions pulled up:
- emulators/compat90/Makefile 1.2-1.3
- emulators/compat90/PLIST.armeb deleted
- emulators/compat90/PLIST.armv6hf deleted
- emulators/compat90/PLIST.armv7hf deleted
- emulators/compat90/PLIST.earmeb 1.1
- emulators/compat90/PLIST.earmv6hf 1.1
- emulators/compat90/PLIST.earmv7hf 1.1
- emulators/compat90/PLIST.m68000 1.1
- emulators/compat90/PLIST.m68010 deleted
- emulators/compat90/distinfo 1.3
- emulators/compat_netbsd/INSTALL.ELF 1.3
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jan 2 16:15:55 UTC 2022
Modified Files:
pkgsrc/emulators/compat_netbsd: INSTALL.ELF
Log Message:
Don't just remove a symlink on removal, ensure that it points
to an expected name before doing so. Should prevent removal of
required symlinks which might otherwise happen when this package
by accident is instsalled and subsequently de-installed on
9.0 - 9.2 or other netbsd-9 variants.
Parts of fix for PR#56597.
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jan 2 16:22:32 UTC 2022
Modified Files:
pkgsrc/emulators/compat90: Makefile
Log Message:
Change the ONLY_FOR_PLATFORM pattern, so that it no longer matches
against 9.0, 9.1, 9.2 or 9.x_STABLE, only 9.99.* and subsequent
releses. The set of libraries this is compared against is what's
in 9.99.92, but the binaries are from 9.0, of course.
Bump PKGREVISION so that we pick up the changes from
compat_netbsd/INSTALL.ELF, to protect against removal of base system
symlinks, ref. PR#56597.
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jan 2 16:35:12 UTC 2022
Modified Files:
pkgsrc/emulators/compat90: Makefile
Log Message:
Adjust EMUL_PLATFORMS to pkglint's liking:
armeb -> earmeb
armv6hf -> earmv6hf
armv7hf -> earmv7hf
m68010 -> m68000
Compat symlinks created in distfile repository.
Riding on the quite recent PKGREVISION bump.
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jan 2 16:49:29 UTC 2022
Added Files:
pkgsrc/emulators/compat90: PLIST.earmeb PLIST.earmv6hf PLIST.earmv7hf
PLIST.m68000
Removed Files:
pkgsrc/emulators/compat90: PLIST.armeb PLIST.armv6hf PLIST.armv7hf
PLIST.m68010
Log Message:
Rename the set lists corresponding to recent EMUL_PLATFORMS
renaming. Ride on recent PKG_REVISION bump.
---
Module Name: pkgsrc
Committed By: he
Date: Sun Jan 2 16:54:05 UTC 2022
Modified Files:
pkgsrc/emulators/compat90: distinfo
Log Message:
Update distinfo as well, to complete the EMUL_PLATFORMS renaming.
graphics/graphviz: PowerPC build fix
Revisions pulled up:
- graphics/graphviz/Makefile 1.242
---
Module Name: pkgsrc
Committed By: he
Date: Wed Dec 29 12:10:32 UTC 2021
Modified Files:
pkgsrc/graphics/graphviz: Makefile
Log Message:
Build with -fopenmp on NetBSD/powerpc, so that we link explicitly
with -lgomp and thereby avoid overflowing the static thread local
storage allocated in ld.elf_so when libgomp.so is dlopen()ed
indirectly via libgvplugin_gd.so.
Bump PKGREVISION.
bsiegert
tm
gdt