Commits on Sep 23, 2006
  1. #1831

    salo committed Sep 23, 2006
  2. Pullup ticket 1831 - requested by briggs

    salo committed Sep 23, 2006
    gcc 4.x build fix for dict-server
    
    Revisions pulled up:
    - pkgsrc/textproc/dict-server/distinfo			1.16
    - pkgsrc/textproc/dict-server/patches/patch-aa		1.5
    - pkgsrc/textproc/dict-server/patches/patch-ab		1.6
    
       Module Name:		pkgsrc
       Committed By:	seb
       Date:		Sun Jul 16 22:37:49 UTC 2006
    
       Modified Files:
       	pkgsrc/textproc/dict-server: distinfo
       	pkgsrc/textproc/dict-server/patches: patch-aa patch-ab
    
       Log Message:
       On NetBSD too don't define alloca as it conflicts with stdlib.h
       (exposed with current's gcc 4.1.2).
  3. #1832

    salo committed Sep 23, 2006
  4. Pullup ticket 1832 - requested by ben

    salo committed Sep 23, 2006
    security update for cabextract
    
    Revisions pulled up:
    - pkgsrc/archivers/cabextract/Makefile			1.17
    - pkgsrc/archivers/cabextract/distinfo			1.9
    - pkgsrc/archivers/cabextract/patches/patch-aa		removed
    - pkgsrc/archivers/cabextract/patches/patch-ab		removed
    
       Module Name:		pkgsrc
       Committed By:	ben
       Date:		Sat Sep 23 13:02:17 UTC 2006
    
       Modified Files:
       	pkgsrc/archivers/cabextract: Makefile distinfo
       Removed Files:
       	pkgsrc/archivers/cabextract/patches: patch-aa patch-ab
    
       Log Message:
       Update cabextract to version 1.2.  Notable changes include:
    
       *  The "-t" archive integrity checking option has been added. This was
       requested by several users. cabextract can unpack cabinet files and give
       you MD5 checksums of the files inside, without writing the unpacked
       files to disk.
    
       * Large files (more than 2 gigabytes) are now correctly searched for
       cabinet files.
    
       * A security vulnerability has been fixed. Files compressed with the
       Quantum method, using a window size less than 32768 bytes, could cause
       cabextract to write beyond the end of the window and cause a
       segmentation fault. This fix also permits cabextract to unpack this type
       of cabinet file (of which only one has been found in the wild)
       correctly.
    
       * The unnecessary GNU source mempcpy.c, which caused compilation
       failures on several systems, was removed.
    
       * An off-by-one error introduced in 1.1's UTF-8 decoder was fixed. Files
       with UTF-8 filenames can now be extracted. The UTF-8 decoder was also
       upgraded to support the latest Unicode character maps.
Commits on Sep 17, 2006
  1. #1829

    salo committed Sep 17, 2006
  2. Pullup ticket 1829 - requested by wiz

    salo committed Sep 17, 2006
    security update for flash plugin
    
    Revisions pulled up:
    - pkgsrc/multimedia/moz-bin-flash/distinfo		removed
    - pkgsrc/multimedia/ns-flash/Makefile			1.14
    - pkgsrc/multimedia/ns-flash/distinfo			1.7
    - pkgsrc/www/firefox-bin-flash/Makefile.common		1.14, 1.15
    - pkgsrc/www/firefox-bin-flash/distinfo			1.6
    
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Sat Sep 16 07:17:52 UTC 2006
    
       Modified Files:
       	pkgsrc/multimedia/ns-flash: Makefile distinfo
       	pkgsrc/www/firefox-bin-flash: Makefile.common distinfo
    
       Log Message:
       Update to 7.0.68:
    
       This release fixes several security vulnerabilities as reported in
       Adobe Vulnerability APSB06-11. Multiple input validation errors
       have been identified that could lead to the potential execution of
       arbitrary code, such as that delivered from a remote location via
       the user's Web browser. Updating is strongly recommended.
    ---
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Sun Sep 17 11:48:23 UTC 2006
    
       Modified Files:
       	pkgsrc/www/firefox-bin-flash: Makefile.common
       Removed Files:
       	pkgsrc/multimedia/moz-bin-flash: distinfo
    
       Log Message:
       Share distinfo file between moz-bin-flash and firefox-bin-flash.
       Noted by salo@
  3. #1830

    salo committed Sep 17, 2006
  4. Pullup ticket 1830 - requested by wiz

    salo committed Sep 17, 2006
    security update for gnutls
    
    Revisions pulled up:
    - pkgsrc/security/gnutls/Makefile		1.50, 1.51, 1.52
    - pkgsrc/security/gnutls/PLIST			1.22
    - pkgsrc/security/gnutls/distinfo		1.29, 1.30, 1.31
    
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Mon Jul 17 17:02:02 UTC 2006
    
       Modified Files:
       	pkgsrc/security/gnutls: Makefile PLIST distinfo
    
       Log Message:
       Update to 1.4.1:
    
       * Version 1.4.1 (released 2006-06-14)
    
       ** Replaced inactive ifdefs to enable openpgp support in test programs.
    
       ** Fixed bug in OpenPGP authentication handshake.
    
       ** Fixed typographical in man pages.
    
       ** Build fixes of the manual.
    
       ** Added Swedish translation.
    
       ** API and ABI modifications:
       No changes since last version.
    ---
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Sun Sep 10 21:12:21 UTC 2006
    
       Modified Files:
       	pkgsrc/security/gnutls: Makefile distinfo
    
       Log Message:
       Update to 1.4.3:
    
       * Version 1.4.3 (released 2006-09-08)
    
       ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
       ** Crypto 06 rump session attack.
       In particular, we check that the digestAlgorithm.parameters field is
       empty, to avoid that it can contain "garbage" that may be used to
       alter the numeric properties of the signature.  See
       <http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
       not exactly the same as the problem we fix here).  Reported by Yutaka
       OIWA <y.oiwa@aist.go.jp>.
    
       See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
       up to date information.
    
       ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
       See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
       Reported by Werner Koch <wk@gnupg.org>.
    
       See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
       up to date information.
    
       ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.
    
       ** API and ABI modifications:
       No changes since last version.
    
       * Version 1.4.2 (released 2006-08-12)
    
       ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
       This can happen if you call gnutls_certificate_verify_peers2 and have
       a certain mix of local CA certificates and the peer sends special
       certificates, that together trigger certain behaviour.  It is not
       known at this point whether the crash can be triggered without the
       special local CA certificate, and thus turn this into a remote crash
       of clients that verify server certificates when they talk to a server
       with the special server certificate.  See GNUTLS-SA-2006-2 on
       http://www.gnu.org/software/gnutls/security.html for more up to date
       information.  Reported by satyakumar <satyam_kkd@hyd.hellosoft.com>.
    
       ** Change SRP and Cert-Type extensions to match IANA registry.
    
       ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.
    
       ** Make --without-included-libtasn1 work.
       Reported by Daniel Black <dragonheart@gentoo.org>.
    
       ** API and ABI modifications:
       No changes since last version.
    ---
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Sat Sep 16 06:21:22 UTC 2006
    
       Modified Files:
       	pkgsrc/security/gnutls: Makefile distinfo
    
       Log Message:
       Update to 1.4.4:
    
       * Version 1.4.4 (released 2006-09-12)
    
       ** Relax the test that caught signatures that exploit the variant of
       ** Bleichenbacher's Crypto 06 rump session attack on our
       ** verification logic flaw.
       In particular, we now permit the digestAlgorithm.parameters field to
       be present but empty, whereas in 1.4.3 we actually checked that the
       field was absent.
    
       ** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
       The messages are only printed in debug mode, which is not recommended
       for normal use, and thus logging this situation cannot be abused as an
       oracle in typical recommended situations.
    
       ** API and ABI modifications:
       No changes since last version.
  5. #1827

    salo committed Sep 17, 2006
  6. Pullup ticket 1827 - requested by ghen

    salo committed Sep 17, 2006
    security update for seamonkey
    
    Revisions pulled up:
    - pkgsrc/www/seamonkey/Makefile				1.7, 1.8
    - pkgsrc/www/seamonkey/Makefile.common			1.8, 1.9
    - pkgsrc/www/seamonkey/distinfo				1.9, 1.10
    - pkgsrc/www/seamonkey-bin/Makefile			1.5, 1.6
    - pkgsrc/www/seamonkey-bin/distinfo			1.5, 1.6
    - pkgsrc/www/seamonkey-gtk1/Makefile			1.6, 1.7
    
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Thu Aug  3 09:37:35 UTC 2006
    
       Modified Files:
       	pkgsrc/www/seamonkey: Makefile distinfo
       	pkgsrc/www/seamonkey-bin: Makefile distinfo
       	pkgsrc/www/seamonkey-gtk1: Makefile
    
       Log Message:
       Update www/seamonkey* to Seamonkey 1.0.4.  Just one change:
    
       - Fixed an issue with playing Windows Media content
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 09:24:30 UTC 2006
    
       Modified Files:
       	pkgsrc/www/seamonkey-bin: Makefile distinfo
    
       Log Message:
       Update seamonkey-bin to 1.0.5.  Source package update will follow later.
    
       Fixed in SeaMonkey 1.0.5:
       MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
       MFSA 2006-63 JavaScript execution in mail via XBL
       MFSA 2006-61 Frame spoofing using document.open()
       MFSA 2006-60 RSA Signature Forgery
       MFSA 2006-59 Concurrency-related vulnerability
       MFSA 2006-57 JavaScript Regular Expression Heap Corruption
    
       For more info, see http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.0.5/
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 14:05:23 UTC 2006
    
       Modified Files:
       	pkgsrc/www/seamonkey: Makefile Makefile.common
       	pkgsrc/www/seamonkey-gtk1: Makefile
    
       Log Message:
       Centralize some more things in Makefile.common.
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 15:54:04 UTC 2006
    
       Modified Files:
       	pkgsrc/www/seamonkey: Makefile.common distinfo
    
       Log Message:
       Update seamonkey and seamonkey-gtk1 to 1.0.5.  Fixed in this version:
    
       MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
       MFSA 2006-63 JavaScript execution in mail via XBL
       MFSA 2006-61 Frame spoofing using document.open()
       MFSA 2006-60 RSA Signature Forgery
       MFSA 2006-59 Concurrency-related vulnerability
       MFSA 2006-57 JavaScript Regular Expression Heap Corruption
    
       For more info, see http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.0.5/
  7. #1828

    salo committed Sep 17, 2006
  8. Pullup ticket 1828 - requested by ghen

    salo committed Sep 17, 2006
    security update for thunderbird
    
    Revisions pulled up:
    - pkgsrc/mail/thunderbird/Makefile-thunderbird.common		1.17
    - pkgsrc/mail/thunderbird/distinfo				1.26, 1.27
    
       Module Name:		pkgsrc
       Committed By:	tron
       Date:		Mon Jul 31 14:05:00 UTC 2006
    
       Modified Files:
       	pkgsrc/mail/thunderbird: distinfo
       Added Files:
       	pkgsrc/mail/thunderbird/patches: patch-as
    
       Log Message:
       Make this build with GCC 4.1.x.
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 13:55:22 UTC 2006
    
       Modified Files:
       	pkgsrc/mail/thunderbird: Makefile-thunderbird.common distinfo
       Removed Files:
       	pkgsrc/mail/thunderbird/patches: patch-as
    
       Log Message:
       Update thunderbird and thunderbird-gtk1 to 1.5.0.7.  Fixed in this version:
    
       MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
       MFSA 2006-63 JavaScript execution in mail via XBL
       MFSA 2006-60 RSA Signature Forgery
       MFSA 2006-59 Concurrency-related vulnerability
       MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
       MFSA 2006-57 JavaScript Regular Expression Heap Corruption
    
       For more info, see http://www.mozilla.com/thunderbird/releases/1.5.0.7.html
Commits on Sep 16, 2006
  1. #1826

    salo committed Sep 16, 2006
  2. Pullup ticket 1826 - requested by ghen

    salo committed Sep 16, 2006
    security update for firefox
    
    Revisions pulled up:
    - pkgsrc/www/firefox/Makefile-firefox.common		1.36, 1.37
    - pkgsrc/www/firefox/distinfo				1.53, 1.54
    - pkgsrc/www/firefox-bin/Makefile			1.20, 1.21
    - pkgsrc/www/firefox-bin/Makefile.Linux.i386		1.7
    - pkgsrc/www/firefox-bin/distinfo			1.19, 1.20
    
       Module Name:		pkgsrc
       Committed By:	tron
       Date:		Thu Aug  3 08:31:28 UTC 2006
    
       Modified Files:
       	pkgsrc/www/firefox-bin: Makefile Makefile.Linux.i386 distinfo
    
       Log Message:
       Update "firefox-bin" package to version 1.5.0.6. Changes since 1.5.0.5:
       - Fixed an issue with playing Windows Media content
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Thu Aug  3 09:37:35 UTC 2006
    
       Modified Files:
       	pkgsrc/www/firefox: Makefile-firefox.common distinfo
    
       Log Message:
       Update www/firefox* to Firefox 1.5.0.6.  Just one change:
    
       - Fixed an issue with playing Windows Media content
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 09:24:30 UTC 2006
    
       Modified Files:
       	pkgsrc/www/firefox-bin: Makefile distinfo
    
       Log Message:
       Update firefox-bin to 1.5.0.7.  Source package update will follow later.
    
       Fixed in Firefox 1.5.0.7:
       MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
       MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
       MFSA 2006-61 Frame spoofing using document.open()
       MFSA 2006-60 RSA Signature Forgery
       MFSA 2006-59 Concurrency-related vulnerability
       MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
       MFSA 2006-57 JavaScript Regular Expression Heap Corruption
    
       For more info, see http://www.mozilla.com/firefox/releases/1.5.0.7.html
    ---
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Fri Sep 15 13:53:08 UTC 2006
    
       Modified Files:
       	pkgsrc/www/firefox: Makefile-firefox.common distinfo
    
       Log Message:
       Update firefox and firefox-gtk1 to 1.5.0.7.  Fixed in this version:
    
       MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
       MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
       MFSA 2006-61 Frame spoofing using document.open()
       MFSA 2006-60 RSA Signature Forgery
       MFSA 2006-59 Concurrency-related vulnerability
       MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
       MFSA 2006-57 JavaScript Regular Expression Heap Corruption
    
       For more info, see http://www.mozilla.com/firefox/releases/1.5.0.7.html
  3. #1825

    salo committed Sep 16, 2006
  4. Pullup ticket 1825 - requested by joerg

    salo committed Sep 16, 2006
    security fixes for xorg
    
    Revisions pulled up:
    - pkgsrc/x11/xorg-libs/Makefile			1.42, 1.43, 1.44
    - pkgsrc/x11/xorg-libs/PLIST			1.11
    - pkgsrc/x11/xorg-libs/distinfo			1.53, 1.54
    - pkgsrc/x11/xorg-libs/patches/patch-cg		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-ch		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-ci		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cj		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-ck		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cl		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cm		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cn		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-co		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cp		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cq		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cr		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-cs		1.1
    - pkgsrc/x11/xorg-libs/patches/patch-ct		1.1
    - pkgsrc/x11/xorg-clients/Makefile		1.30, 1.31
    - pkgsrc/x11/xorg-server/Makefile		1.46
    
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Sat Aug 26 15:20:44 UTC 2006
    
       Modified Files:
       	pkgsrc/x11/xorg-libs: Makefile PLIST
    
       Log Message:
       Fix PLIST for FreeBSD. Bump revision.
    ---
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Tue Aug 29 15:06:59 UTC 2006
    
       Modified Files:
       	pkgsrc/x11/xorg-clients: Makefile
    
       Log Message:
       Make xorg-libs dependency explicit instead of including it indirectly
       via xcursor->Xfixes. Bump revision. Noticed by tron@.
    ---
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Wed Sep 13 12:27:26 UTC 2006
    
       Modified Files:
       	pkgsrc/x11/xorg-libs: Makefile distinfo
       Added Files:
       	pkgsrc/x11/xorg-libs/patches: patch-cg patch-ch patch-ci
    
       Log Message:
       Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
       Bump revision.
    ---
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Thu Sep 14 16:52:54 UTC 2006
    
       Modified Files:
       	pkgsrc/x11/xorg-libs: distinfo
       Added Files:
       	pkgsrc/x11/xorg-libs/patches: patch-cj patch-ck patch-cl patch-cm
       	    patch-cn patch-co patch-cp patch-cq patch-cr patch-cs patch-ct
    
       Log Message:
       Check set*uid for error, at least on Linux it can fail.
       Bump revisions of xorg-clients, xorg-libs and xorg-server.
    ---
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Thu Sep 14 17:13:58 UTC 2006
    
       Modified Files:
       	pkgsrc/x11/xorg-clients: Makefile
       	pkgsrc/x11/xorg-libs: Makefile
       	pkgsrc/x11/xorg-server: Makefile
    
       Log Message:
       Actually bump the revisions as promised.
Commits on Sep 13, 2006
  1. #1824

    salo committed Sep 13, 2006
  2. Pullup ticket 1824 - requested by jdc

    salo committed Sep 13, 2006
    sparc64 build fix for nas
    
    Revisions pulled up:
    - pkgsrc/audio/nas/Makefile			1.67
    
       Module Name:		pkgsrc
       Committed By:	markd
       Date:		Wed Sep  6 12:08:30 UTC 2006
    
       Modified Files:
       	pkgsrc/audio/nas: Makefile
    
       Log Message:
       Fix PLIST for sparc64.
  3. #1823

    salo committed Sep 13, 2006
  4. Pullup ticket 1823 - requested by seb

    salo committed Sep 13, 2006
    security update for mysql4
    
    Revisions pulled up:
    - pkgsrc/databases/mysql4-client/Makefile.common	1.54
    - pkgsrc/databases/mysql4-client/PLIST			1.14
    - pkgsrc/databases/mysql4-client/distinfo		1.27
    - pkgsrc/databases/mysql4-client/patches/patch-ax	1.5
    - pkgsrc/databases/mysql4-client/patches/patch-bd	1.2
    - pkgsrc/databases/mysql4-server/Makefile		1.31
    - pkgsrc/databases/mysql4-server/PLIST			1.18
    - pkgsrc/databases/mysql4-server/distinfo		1.25
    - pkgsrc/databases/mysql4-server/patches/patch-bd	1.2
    
       Module Name:		pkgsrc
       Committed By:	seb
       Date:		Thu Aug 31 12:42:42 UTC 2006
    
       Modified Files:
       	pkgsrc/databases/mysql4-client: Makefile.common PLIST distinfo
       	pkgsrc/databases/mysql4-client/patches: patch-ax patch-bd
       	pkgsrc/databases/mysql4-server: Makefile PLIST distinfo
       	pkgsrc/databases/mysql4-server/patches: patch-bd
    
       Log Message:
       Update mysql4-client and mysql4-server to version 4.1.21.
    
       Most notably this version includes fixes for:
       http://secunia.com/advisories/21259/
       http://secunia.com/advisories/21506/
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469
    
       * Packages changes:
       the script mysqldumpslow had been moved from the mysql4-client to the
       mysql4-server.
    
       * Changes since last packaged version (4.1.20)
       (see http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html for more details):
    
       This is a bugfix release for the recent production release family.
    
       Functionality added or changed:
       - For spatial data types, the server formerly returned these as
       VARSTRING values with a binary collation. Now the server returns
       spatial values as BLOB values. (Bug#10166)
       - Added the --set-charset option to mysqlbinlog to allow the
       character set to be specified for processing binary log files.
       (Bug#18351)
       - For a table with an AUTO_INCREMENT column, SHOW CREATE TABLE now
       shows the next AUTO_INCREMENT value to be generated. (Bug#19025)
       - A warning now is issued if the client attempts to set the
       SQL_LOG_OFF variable without the SUPER privilege. (Bug#16180)
       - The mysqldumpslow script has been moved from client RPM packages
       to server RPM packages. This corrects a problem where mysqldumpslow
       could not be used with a client-only RPM install, because it depends
       on my_print_defaults which is in the server RPM. (Bug#20216)
    
       Bugs fixed:
       - Security fix: On Linux, and possibly other platforms using
       case-sensitive filesystems, it was possible for a user granted
       rights on a database to create or access a database whose name
       differed only from that of the first by the case of one or more
       letters. (Bug#17647)
       - Security fix: If a user has access to MyISAM table t, that user
       can create a MERGE table m that accesses t. However, if the user's
       privileges on t are subsequently revoked, the user can continue to
       access t by doing so through m. If this behavior is undesirable,
       you can start the server with the new --skip-merge option to disable
       the MERGE storage engine. (Bug#15195)
       - Security fix: Invalid arguments to DATE_FORMAT() caused a server
       crash. (CVE-2006-3469, Bug#20729) Thanks to Jean-David Maillefer
       for discovering and reporting this problem to the Debian project
       and to Christian Hammers from the Debian Team for notifying us of
       it.
       ...
       (see http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html for
       the complete
       bug fix list)
Commits on Sep 11, 2006
  1. #1822.

    ghen committed Sep 11, 2006
  2. Pullup ticket 1822 - requested by adrianp

    ghen committed Sep 11, 2006
    security fix for gtetrinet
    
    Revisions pulled up:
    - pkgsrc/games/gtetrinet/Makefile			1.34
    - pkgsrc/games/gtetrinet/distinfo			1.5
    - pkgsrc/games/gtetrinet/patches/patch-ac		1.1
    
       Module Name:	pkgsrc
       Committed By:	adrianp
       Date:		Sat Sep  2 12:38:23 UTC 2006
    
       Modified Files:
    	pkgsrc/games/gtetrinet: Makefile distinfo
       Added Files:
    	pkgsrc/games/gtetrinet/patches: patch-ac
    
       Log Message:
       Fix for CVE-2006-3125 via Debian.
       Bump to nb8
  3. #1821.

    ghen committed Sep 11, 2006
  4. Pullup ticket 1821 - requested by adrianp

    ghen committed Sep 11, 2006
    security fix for gtar
    
    Revisions pulled up:
    - pkgsrc/archivers/gtar-base/Makefile			1.54
    - pkgsrc/archivers/gtar-base/distinfo			1.17
    - pkgsrc/archivers/gtar-base/patches/patch-ai		1.1
    
       Module Name:	pkgsrc
       Committed By:	adrianp
       Date:		Sun Sep  3 17:24:16 UTC 2006
    
       Modified Files:
    	pkgsrc/archivers/gtar-base: Makefile distinfo
       Added Files:
    	pkgsrc/archivers/gtar-base/patches: patch-ai
    
       Log Message:
       Fix for CVE-2006-0300 via RedHat
  5. #1818.

    ghen committed Sep 11, 2006
  6. Pullup ticket 1818 - requested by adrianp

    ghen committed Sep 11, 2006
    build fix for awstats
    
    Revisions pulled up:
    - pkgsrc/www/awstats/Makefile				1.29
    - pkgsrc/www/awstats/distinfo				1.18
    
       Module Name:	pkgsrc
       Committed By:	adrianp
       Date:		Sat Jul 29 05:50:36 UTC 2006
    
       Modified Files:
    	pkgsrc/www/awstats: Makefile distinfo
    
       Log Message:
       Update DIST_SUBDIR as it looks like the tarball on the awstats site
       has been re-generated.
  7. #1819.

    ghen committed Sep 11, 2006
  8. Pullup ticket 1819 - requested by bouyer

    ghen committed Sep 11, 2006
    security update for mailman
    
    Revisions pulled up:
    - pkgsrc/mail/mailman/Makefile				1.45
    - pkgsrc/mail/mailman/PLIST				1.12
    - pkgsrc/mail/mailman/distinfo				1.13
    
       Module Name:	pkgsrc
       Committed By:	bouyer
       Date:		Sat Sep  9 23:20:11 UTC 2006
    
       Modified Files:
    	pkgsrc/mail/mailman: Makefile PLIST distinfo
    
       Log Message:
       Update to 2.1.9rc1, fixes security issues.
    
         Security
    
           - A malicious user could visit a specially crafted URI and inject an
             apparent log message into Mailman's error log which might induce an
             unsuspecting administrator to visit a phishing site.  This has been
             blocked.  Thanks to Moritz Naumann for its discovery.
    
           - Fixed denial of service attack which can be caused by some
             standards-breaking RFC 2231 formatted headers.  CVE-2006-2941.
    
           - Several cross-site scripting issues have been fixed.  Thanks to Moritz
             Naumann for their discovery.  CVE-2006-3636
    
         Internationalization
    
           - New languages: Arabic, Vietnamese.
    
         Bug fixes and other patches
    
           - Fixed Decorate.py so that characters in message header/footer which
             are not in the character set of the list's language are ignored rather
             than causing shunted messages (1507248).
    
           - Switchboard.py - Closed very tiny holes at the upper ends of queue
             slices that could result in unprocessable queue entries.  Improved FIFO
             processing when two queue entries have the same timestamp.
Commits on Sep 7, 2006
  1. #1814, #1816, #1817.

    ghen committed Sep 7, 2006
  2. Pullup ticket 1817 - requested by adrianp

    ghen committed Sep 7, 2006
    security fix for openssl
    
    Revisions pulled up:
    - pkgsrc/security/openssl/Makefile			1.116
    - pkgsrc/security/openssl/distinfo			1.52
    - pkgsrc/security/openssl/patches/patch-am		1.3
    
       Module Name:	pkgsrc
       Committed By:	adrianp
       Date:		Thu Sep  7 09:44:31 UTC 2006
    
       Modified Files:
    	pkgsrc/security/openssl: Makefile distinfo
       Added Files:
    	pkgsrc/security/openssl/patches: patch-am
    
       Log Message:
       Add a patch to address CVE-2006-4339
  3. Pullup ticket 1816 - requested by adrianp

    ghen committed Sep 7, 2006
    security update for bind9
    
    Revisions pulled up:
    - pkgsrc/net/bind9/Makefile				1.79,1.81-1.82
    - pkgsrc/net/bind9/PLIST				1.19
    - pkgsrc/net/bind9/distinfo				1.27
    - pkgsrc/net/bind9/patches/patch-aa			removed
    - pkgsrc/net/bind9/patches/patch-ac			1.6
    - pkgsrc/net/bind9/patches/patch-ad			1.6
    - pkgsrc/net/bind9/patches/patch-ae			removed
    - pkgsrc/net/bind9/patches/patch-af			1.6
    - pkgsrc/net/bind9/patches/patch-ah			removed
    - pkgsrc/net/bind9/patches/patch-ai			1.7
    - pkgsrc/net/bind9/patches/patch-aj			1.4
    - pkgsrc/net/bind9/patches/patch-al			1.2
    - pkgsrc/net/bind9/patches/patch-am			1.1
    - pkgsrc/net/bind9/patches/patch-ao			1.1
    - pkgsrc/net/bind9/patches/patch-ap			1.1
    - pkgsrc/net/bind9/patches/patch-aq			1.1
    
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Thu Aug 17 14:14:18 UTC 2006
    
       Modified Files:
    	pkgsrc/net/bind9: Makefile PLIST distinfo
    	pkgsrc/net/bind9/patches: patch-ac patch-ad patch-af patch-ai patch-aj
    	    patch-al
       Added Files:
    	pkgsrc/net/bind9/patches: patch-am
       Removed Files:
    	pkgsrc/net/bind9/patches: patch-aa patch-ae patch-ah
    
       Log Message:
       Update bind to 9.3.2.
    
       Changes are huge, so please see http://www.isc.org/sw/bind/bind9.3.php.
    ---
       Module Name:	pkgsrc
       Committed By:	seb
       Date:		Mon Aug 28 16:00:45 UTC 2006
    
       Modified Files:
    	pkgsrc/net/bind9: Makefile distinfo
       Added Files:
    	pkgsrc/net/bind9/patches: patch-an patch-ao
    
       Log Message:
       Bump PKGREVISION to 1.
    
       Fix build on NetBSD/sparc64 3.x: sync CPP symbols usage between
       struct addrinfo definition and its usage in getaddrinfo().
    
       While here define struct addrinfo's pad members the same way as in
       NetBSD's /usr/include/netbsd.h and sync code in
       lib/bind/irs/getaddrinfo.c:getaddrinfo().
    
       This had been reported to bind9-bugs at isc dot org.
    ---
       Module Name:	pkgsrc
       Committed By:	rillig
       Date:		Sun Sep  3 22:58:26 UTC 2006
    
       Modified Files:
    	pkgsrc/net/bind9: Makefile
    
       Log Message:
       Added the relevant variables to BUILD_DEFS.
    ---
       Module Name:	pkgsrc
       Committed By:	adrianp
       Date:		Tue Sep  5 20:45:32 UTC 2006
    
       Modified Files:
    	pkgsrc/net/bind9: Makefile distinfo
       Added Files:
    	pkgsrc/net/bind9/patches: patch-ap patch-aq
    
       Log Message:
       Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1
    
       * Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)
    
       - Recursive servers
       Queries for SIG records will trigger an assertion failure if more
       than one RRset is returned. However exposure can be minimized by
       restricting which sources can ask for recursion.
    
       - Authoritative servers
       If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
       for the SIG records where there are multiple RRsets, then the
       named program will trigger an assertion failure when it tries
       to construct the response.
    
       * INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)
    
       It is possible to trigger an INSIST failure by sending enough
       recursive queries such that the response to the query arrives after
       all the clients waiting for the response have left the recursion
       queue. However exposure can be minimized by restricting which sources
       can ask for recursion.
Commits on Sep 6, 2006
  1. 1815

    snj committed Sep 6, 2006
  2. Pullup ticket 1815 - requested by ghen

    snj committed Sep 6, 2006
    security update for openldap
    
    Revisions pulled up:
    - pkgsrc/databases/openldap/Makefile		1.117
    - pkgsrc/databases/openldap/Makefile.common	1.5
    - pkgsrc/databases/openldap/distinfo		1.50
    - pkgsrc/databases/openldap-doc/Makefile	1.3
    - pkgsrc/databases/openldap-server/Makefile	1.4
    
       Module Name:    pkgsrc
       Committed By:   ghen
       Date:           Fri Aug 25 07:02:28 UTC 2006
    
       Modified Files:
               pkgsrc/databases/openldap: Makefile Makefile.common distinfo
               pkgsrc/databases/openldap-doc: Makefile
               pkgsrc/databases/openldap-server: Makefile
    
       Log Message:
       Update OpenLDAP packages to 2.3.27, the new "stable" release.
    
       Changes since 2.3.24:
    
       OpenLDAP 2.3.27 Release
       - Fixed libldap dangling pointer issue (previous fix was broken) (ITS#4405)
    
       OpenLDAP 2.3.26 Release
       - Fixed libldap dnssrv bug with "not present" positive statement (ITS#4610)
       - Fixed libldap dangling pointer issue (ITS#4405)
       - Fixed slapd incorrect rebuilding of replica URI (ITS#4633)
       - Fixed slapd DN X.509 normalization crash (ITS#4644)
       - Fixed slapd-monitor operations order via callbacks (ITS#4631)
       - Fixed slapd-sql undefined filter handling (ITS#4604)
       - Fixed slapo-accesslog purge task during shutdown
       - Fixed slapo-ppolicy handling of default policy (ITS#4634)
       - Fixed slapo-ppolicy logging verbosity when using default policy
       - Fixed slapo-syncprov incomplete sync on restart issues (ITS#4622)
    
       OpenLDAP 2.3.25 Release
       - Fixed liblber ber_bvreplace_x argument checks
       - Add libldap_r TLS concurrency workaround (ITS#4583)
       - Fixed liblutil password length bug
       - Add slapd glue/subordinate conflict check (ITS#4614)
       - Fixed slapd acl selfwrite bug (ITS#4587)
       - Fixed slapd bconfig "require" and "none" handling (ITS#4574)
       - Fixed slapd bconfig segfault when ldapadding new schema entries
       - Fixed slapd syncrepl no rootdn bug (ITS#4582)
       - Fixed slapd syncrepl contextCSN issue (ITS#4622)
       - Fixed slapd-bdb/hdb lock bug with virtual root (ITS#4572)
       - Fixed slapd-bdb/hdb modrdn new entry disappearing bug (ITS#4616)
       - Fixed slapd-bdb/hdb cache job issue
       - Fixed slapo-syncprov need new CSN with delete syncID sets (ITS#4534)
       - Fixed slapo-syncprov startup when lastmod is off (ITS#4613)
       - Fixed slapo-accesslog cn=config purge bug (ITS#4595)
       - Fixes slapo-auditlog DB initialization
       - Fixed slapo-ppolicy password hashing bug (ITS#4575)
       - Fixed slapo-ppolicy password modify pwdMustChange reset bug (ITS#4576)
       - Fixed slapo-ppolicy control can be critical (ITS#4596)
       - Fixed slapo-retcode logical and bug
       - Fixed slapo-syncprov DEL propagation bug (ITS#4589)
       - Fixed slurpd ldaps:// default port bug (ITS#4580)
       - Build environment
         - Fix configure winsock.h detection for Cygwin (ITS#4621)
         - Fix configure GMP detection (ITS#4608)
         - Updated test006-acls to test selfwrite access (ITS#4587)
       - Documentation
         - Fixed ldapsearch(1) formatting (ITS#4619)
         - Updated slapd.conf(5) RFC references
         - Updated slapd.conf(5) lastmod discussion (ITS#4613)
         - Updated slapd.conf(5) "require" and "none" handling (ITS#4574)
         - Added slapd.conf(5) access control note to authz-regexp discussion
         - Updated slapo-syncprov(5) to clarify SyncProv and syncrepl diffs
Commits on Sep 2, 2006
  1. Pullup ticket 1814 - requested by tv

    ghen committed Sep 2, 2006
    security update for tor
    
    Revisions pulled up:
    - pkgsrc/net/tor/Makefile				1.32-1.33
    - pkgsrc/net/tor/distinfo				1.19-1.20
    - pkgsrc/net/tor/patches/patch-ae			1.1
    
       Module Name:	pkgsrc
       Committed By:	jschauma
       Date:		Sun Jul  9 15:03:55 UTC 2006
    
       Modified Files:
    	pkgsrc/net/tor: Makefile distinfo
       Added Files:
    	pkgsrc/net/tor/patches: patch-ae
    
       Log Message:
       update tor to version 0.1.1.22:
    
       Changes in version 0.1.1.22 - 2006-07-05
       o Major bugfixes:
         - Fix a big bug that was causing servers to not find themselves
           reachable if they changed IP addresses. Since only 0.1.1.22+
           servers can do reachability testing correctly, now we automatically
           make sure to test via one of these.
         - Fix to allow clients and mirrors to learn directory info from
           descriptor downloads that get cut off partway through.
         - Directory authorities had a bug in deciding if a newly published
           descriptor was novel enough to make everybody want a copy -- a few
           servers seem to be publishing new descriptors many times a minute.
       o Minor bugfixes:
         - Fix a rare bug that was causing some servers to complain about
           "closing wedged cpuworkers" and skip some circuit create requests.
         - Make the Exit flag in directory status documents actually work.
    
       While here, patch sample config file to log to syslog per default to make
       sure that tor starts as a daemon with the default config.
    ---
       Module Name:	pkgsrc
       Committed By:	tv
       Date:		Fri Aug  4 15:08:55 UTC 2006
    
       Modified Files:
    	pkgsrc/net/tor: Makefile distinfo
    
       Log Message:
       Changes in version 0.1.1.23 - 2006-07-30
        o Major bugfixes:
          - Fast Tor servers, especially exit nodes, were triggering asserts
            due to a bug in handling the list of pending DNS resolves. Some
            bugs still remain here; we're hunting them.
          - Entry guards could crash clients by sending unexpected input.
          - More fixes on reachability testing: if you find yourself reachable,
            then don't ever make any client requests (so you stop predicting
            circuits), then hup or have your clock jump, then later your IP
            changes, you won't think circuits are working, so you won't try to
            test reachability, so you won't publish.
    
        o Minor bugfixes:
          - Avoid a crash if the controller does a resetconf firewallports
            and then a setconf fascistfirewall=1.
          - Avoid an integer underflow when the dir authority decides whether
            a router is stable: we might wrongly label it stable, and compute
            a slightly wrong median stability, when a descriptor is published
            later than now.
          - Fix a place where we might trigger an assert if we can't build our
            own server descriptor yet.
    
       [ fixes security issue http://secunia.com/advisories/21708/ ]
Commits on Aug 30, 2006
  1. #1813.

    ghen committed Aug 30, 2006