Commits on Apr 3, 2007
  1. #2061

    salo committed Apr 3, 2007
  2. Pullup ticket 2061 - requested by ghen

    security fix for dovecot
    
    Updated via patch provided by the submitter.
    
    http://dovecot.org/list/dovecot-cvs/2007-March/008488.html
    salo committed Apr 3, 2007
Commits on Mar 24, 2007
  1. #2059

    salo committed Mar 24, 2007
  2. Pullup ticket 2059 - requested by ghen

    security update for firefox2
    
    Revisions pulled up:
    - pkgsrc/www/firefox2/Makefile-firefox.common		1.6
    - pkgsrc/www/firefox2/distinfo				1.9
    - pkgsrc/www/firefox2-bin/Makefile			1.6
    - pkgsrc/www/firefox2-bin/distinfo			1.4
    
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Wed Mar 21 13:45:21 UTC 2007
    
       Modified Files:
       	pkgsrc/www/firefox2: Makefile-firefox.common distinfo
       	pkgsrc/www/firefox2-bin: Makefile distinfo
    
       Log Message:
       Update firefox2, firefox2-bin and firefox2-gtk1 to 2.0.0.3.
       Fixed in this version:
    
       * Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
       * Website Compatibility: Fixed various web compatibility regressions.
    
       For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.3/releasenotes/
    salo committed Mar 24, 2007
  3. #2058

    salo committed Mar 24, 2007
  4. Pullup ticket 2058 - requested by ghen

    security update for firefox
    
    Revisions pulled up:
    - pkgsrc/www/firefox/DESCR				1.2
    - pkgsrc/www/firefox/Makefile-firefox.common		1.42
    - pkgsrc/www/firefox/distinfo				1.64
    - pkgsrc/www/firefox-bin/Makefile			1.27
    - pkgsrc/www/firefox-bin/distinfo			1.24
    - pkgsrc/www/firefox-gtk1/DESCR				1.3
    
       Module Name:		pkgsrc
       Committed By:	ghen
       Date:		Wed Mar 21 13:33:05 UTC 2007
    
       Modified Files:
       	pkgsrc/www/firefox: DESCR Makefile-firefox.common distinfo
       	pkgsrc/www/firefox-bin: Makefile distinfo
       	pkgsrc/www/firefox-gtk1: DESCR
    
       Log Message:
       Update firefox, firefox-bin and firefox-gtk1 to 1.5.0.11.
       Fixed in this version:
    
       * Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
       * Website Compatibility: Fixed various web compatibility regressions.
    
       For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.11.html
    salo committed Mar 24, 2007
  5. #2043

    salo committed Mar 24, 2007
  6. Pullup ticket 2043 - requested by joerg

    portability fixes for firefox and thunderbird
    
    Revisions pulled up:
    - pkgsrc/mail/thunderbird/distinfo			1.36
    - pkgsrc/mail/thunderbird/patches/patch-dw		1.1
    - pkgsrc/www/firefox/distinfo				1.63
    - pkgsrc/www/firefox/patches/patch-dw			1.3
    
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Wed Mar  7 22:02:26 UTC 2007
    
       Modified Files:
       	pkgsrc/mail/thunderbird: distinfo
       Added Files:
       	pkgsrc/mail/thunderbird/patches: patch-dw
    
       Log Message:
       Fix build on DragonFly as RNG_RNGInit was calling itself due to bad
       linkage. I love platform dependent magic in each Makefile.
    ---
       Module Name:		pkgsrc
       Committed By:	joerg
       Date:		Wed Mar  7 22:05:22 UTC 2007
    
       Modified Files:
       	pkgsrc/www/firefox: distinfo
       Added Files:
       	pkgsrc/www/firefox/patches: patch-dw
    
       Log Message:
       Merge patch-dw from thunderbird to fix build on DragonFly.
    salo committed Mar 24, 2007
Commits on Mar 22, 2007
  1. Ticket #2056.

    ghen committed Mar 22, 2007
  2. Pullup ticket 2056 - requested by taca

    security patch for zope29
    
    - pkgsrc/www/zope29/Makefile				1.8-1.10
    - pkgsrc/www/zope29/PLIST				1.3
    - pkgsrc/www/zope29/distinfo				1.2-1.4
    
       Module Name:	pkgsrc
       Committed By:	wiz
       Date:		Thu Feb 22 19:27:30 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/zope29: Makefile
    
       Log Message:
       Whitespace cleanup, courtesy of pkglint.
       Patch provided by Sergey Svishchev in private mail.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Wed Mar 21 14:26:26 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/zope29: Makefile PLIST distinfo
    
       Log Message:
       Add Hotfix_20070320 which fixes a security issue of privilege escalation.
    
       http://www.zope.org/Products/Zope/Hotfix-2007-03-20/
    
       Bump PKGREVISION.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Thu Mar 22 09:58:45 UTC 2007
    
       Modified Files:
    	pkgsrc/www/zope29: distinfo
    
       Log Message:
       Hotfix file has been updated; the only addition is a reference to
       CVS-2007-0240 in README.txt.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Thu Mar 22 13:44:10 UTC 2007
    
       Modified Files:
    	pkgsrc/www/zope29: Makefile distinfo
    
       Log Message:
       - Set DIST_SUBDIR including date string to handle sudden change of
         hotfix's content without changing its name.
       - Correct MASTER_SITES.
    ghen committed Mar 22, 2007
  3. Ticket #2057.

    ghen committed Mar 22, 2007
  4. Pullup ticket 2057 - requested by taca

    security update for squid
    
    - pkgsrc/www/squid/MESSAGE.common			1.2
    - pkgsrc/www/squid/Makefile				1.189-1.191
    - pkgsrc/www/squid/distinfo				1.127-1.131
    - pkgsrc/www/squid/options.mk				1.11-1.12
    - pkgsrc/www/squid/patches/patch-ag			1.26
    - pkgsrc/www/squid/patches/patch-at			1.1
    - pkgsrc/www/squid/patches/patch-bc			1.3
    
       Module Name:	pkgsrc
       Committed By:	joerg
       Date:		Tue Feb  6 20:22:15 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: distinfo options.mk
       Added Files:
    	   pkgsrc/www/squid/patches: patch-at
    
       Log Message:
       Allow transparent proxy support for PF on DragonFly.
    ---
       Module Name:	pkgsrc
       Committed By:	joerg
       Date:		Tue Feb  6 22:06:32 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: distinfo
    	   pkgsrc/www/squid/patches: patch-ag
    
       Log Message:
       don't complain if the location of the DragonFly header exists.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Sun Feb 25 07:34:45 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: MESSAGE.common options.mk
    
       Log Message:
       Fix build problem with aufs option on DragonFly.
       Reported by PR pkg/35656 by Kimura Fuyuki and applied patch from it.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Sun Mar  4 11:32:59 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: Makefile distinfo
    
       Log Message:
       Update www/squid to squid-2.6.10 (squid-2.6.STABLE10).
    
       Changes to squid-2.6.STABLE10 (Mar  4 2007)
    
    	   - Upgrade HTTP/0.9 responses to our HTTP version (HTTP/1.0)
    	   - various diskd bugfixes
    	   - In the access.log hierarchy field log the unique peer name
    	     instead of the host name
    	   - unlinkdClose() should be called after (not before) storeDirSync()
    	   - CLEAN_BUF_SZ was defined, but never used anywhere
    	   - logging HTTP-request size
    	   - Fix icmp pinger communication on FreeBSD and other not supporting
    	     large dgram AF_UNIX sockets
    	   - Release objects on swapin failure
    	   - Bug #1787: Objects stuck in cache if origin server clock in future
    	   - Bug #1420: 302 responses with an Expires header is always cached
    	   - Primitive support for HTTP/1.1 chunked encoding, working around
    	     broken servers
    	   - Clean up relations between TCP probing and DNS checks of peers with
    	     no known addresses.
    	   - Fix a minor HTML coding error in ftp directory listings with // in
    	     the path
    	   - Bug #1875, #1420. Cleanup of refresh logics when dealing with
    	     non-refreshable content
    	   - Negotiate authentication fixed again. Broken since STABLE7 by the
    	     patch for Bug #1792.
    	   - Bug #1892: COSS tries to shut down the same directory twice on exit
    	   - Bug #1908: store*DirRebuildFromSwapLog() ignores some SWAP_LOG_DEL
    	     entries
    	   - Added support for Subversion HTTP request methods MKACTIVITY,
    	     CHECKOUT and MERGE.
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Sat Mar 17 15:14:27 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: Makefile distinfo
    	   pkgsrc/www/squid/patches: patch-bc
    
       Log Message:
       Update squid to 2.6.11 (squid-2.6.STABLE11).
    
       Changes to squid-2.6.STABLE11 (Mar 17 2007)
    
    	   - Bug #1915: assertion failed: client_side.c:4055: "buf != NULL ||
    	     !conn->body.request"
    	   - Handle garbage helper responses better in concurrent protocol format
    	   - Fix kqueue when overflowing the changes queue
    	   - Make sure the child worker process commits suicide if it could
    	     not start up
    	   - Don't log short responses at debug level 1
    	   - Fix bswap16 & bwsap32 error on NetBSD
    	   - Fix collapsed_forwarding for non-GET requests
    ---
       Module Name:	pkgsrc
       Committed By:	taca
       Date:		Wed Mar 21 05:25:02 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/squid: Makefile distinfo
    
       Log Message:
       Update squid package to 2.6.12.
    
       This fixes a DoS security problem.
    
    	   http://www.squid-cache.org/Advisories/SQUID-2007_1.txt
    
       Changes to squid-2.6.STABLE12 (Mar 20 2007)
    
    	   - Assertion error on TRACE
    ghen committed Mar 22, 2007
Commits on Mar 21, 2007
  1. #2055

    salo committed Mar 21, 2007
  2. Pullup ticket 2055 - requested by gendalia

    security update for openafs
    
    Revisions pulled up:
    - pkgsrc/net/openafs/Makefile				1.21, 1.22
    - pkgsrc/net/openafs/PLIST				1.5
    - pkgsrc/net/openafs/distinfo				1.11
    
       Module Name:		pkgsrc
       Committed By:	gendalia
       Date:		Wed Mar 21 04:29:29 UTC 2007
    
       Modified Files:
       	pkgsrc/net/openafs: Makefile distinfo
    
       Log Message:
       Update OpenAFS from 1.4.1 to 1.4.4.
    
       Changes:
       * Security bugfix:
       - SetUID is no longer honored for the local cell by default. The
          "fs setcellstatus" command must be issued for any cell the system
          administrator wishes to allow setuid files in.
       From 1.4.3:
       All unix systems:
       - Fix Universal AFS Error mapping when the local OS does not define some
          errors.
       - Avoid byte range locking for java when it means to ask for a whole file
          lock but uses a -1 length.
       - Reinit resolver library on afsdb failure.
       All systems:
       - Make rxdebug be less aggressive when retransmitting.
       - Allow unix domain socket for fileserver-volserver communication.
       - Fix server fake address support when NetRestrict is being used.
       - Fix crash when 3.4 jumbograms are part of an Rx connection.
       - Fix crashes in pts chown and pts rename.
       - Make asetkey buildable with Heimdal.
       - Avoid potential orphaned files during vos restore.
       - Improve ubik debug logging.
       - Add vldb repair tool.
       - Avoid potential bosserver process list corruption.
       - Revert to previous fileserver startup attachment order.
    
       From 1.4.2:
       All systems:
       * Volume dump parsing code in the volserver has better error checking.
       * salvager has improved damaged volume handling on namei fileservers.
       * fileserver has size validity checks for when large file support is
          disabled.
       * fileserver avoids potentially multiply adding a host to its hash table.
       * rxkad client private data storage is allocated dynamically on ticket size.
       * Handle universal error code translation for file locking.
       * fileserver needs to swap callback connections on a client IP change.
       * fileserver host package revised to reduce lock contention.
       * Rx has been fixed to count hard acks, thus opening the congestion window.
       * All servers support bound Rx sockets (on one interface).
       * namei fileserver no longer use lockf() to avoid range locking issues.
       * most binaries now support the -version switch.
       * backup suite fixes for 64 bit platforms.
       * volserver avoids holding holds during volume purges.
       * volserver avoids losing files on namei during vos zap.
    
       > Since 1.4.1:
       All systems:
         * Fix rx usage of WSAStartup/WSACleanup
         * Fix the code that writes the backconnectionhostnames value
           to ensure that the data buffer is written with the correct
           length.
         * Do not panic if the maximum number of volume entries are in use
           and one of them can be recycled.
         * Add a missing lock that was lost during the pullup
           of patches for 1.4.1c
         * Fix the pthread library so that it can be loaded
           and unloaded safely by an application.
    ---
       Module Name:		pkgsrc
       Committed By:	gendalia
       Date:		Wed Mar 21 19:49:24 UTC 2007
    
       Modified Files:
       	pkgsrc/net/openafs: Makefile PLIST
    
       Log Message:
       fix PLIST, bump PKGREVISION
    salo committed Mar 21, 2007
Commits on Mar 20, 2007
  1. #2054

    salo committed Mar 20, 2007
  2. Pullup ticket 2054 - requested by tron

    security update for phpmyadmin
    
    Revisions pulled up:
    - pkgsrc/databases/phpmyadmin/Makefile			1.58
    - pkgsrc/databases/phpmyadmin/PLIST			1.17
    - pkgsrc/databases/phpmyadmin/distinfo			1.28
    
       Module Name:		pkgsrc
       Committed By:	tron
       Date:		Tue Mar 20 14:17:16 UTC 2007
    
       Modified Files:
       	pkgsrc/databases/phpmyadmin: Makefile PLIST distinfo
    
       Log Message:
       Update "phpmyadmin" package to version 2.10.0.2:
       - Fix for PMASA-2007-3 (PHP Executor Deep Recursion Stack Overflow)
       - New graphical relation manager, called Designer, available in
         database view
    salo committed Mar 20, 2007
  3. #2053

    salo committed Mar 20, 2007
  4. Pullup ticket 2053 - requested by rillig

    security update for libwpd
    
    Revisions pulled up:
    - pkgsrc/converters/libwpd/Makefile			1.13
    - pkgsrc/converters/libwpd/distinfo			1.4
    - pkgsrc/converters/libwpd/patches/patch-aa		1.1
    
       Module Name:		pkgsrc
       Committed By:	rillig
       Date:		Sun Mar 18 20:41:28 UTC 2007
    
       Modified Files:
       	pkgsrc/converters/libwpd: Makefile distinfo
    
       Log Message:
       Updated libwpd to 0.8.9.
    
       CHANGES:
       0.8.8 - 0.8.9
       - Fix http://qa.openoffice.org/issues/show_bug.cgi?id=74134, a bug in WP1
         document type detection where we could try to seek to a negative place
         in document (Fridrich)
       - Fix a regression wrt. 0.8.7 preventing the conversion of tab table in
         WP1 and WP3 file-format (Fridrich)
       - Fixed several overflow bugs reported by iDefense. An attacker could
         create a carefully crafted Word Perfect file that could cause an
         application linked with libwpd, such as OpenOffice, to crash or possibly
         execute arbitrary code if the file was opened by a victim. (CVE-2007-0002)
         (iDefense's Sean Larsson, Fridrich)
    
       0.8.7 - 0.8.8
       - Add unit tests for the stream class (Fridrich & Andrew Ziem)
       - Ignore foot/endnotes that are referenced inside other foot/endnotes
         (Fridrich); fixes http://www.openoffice.org/issues/show_bug.cgi?id=71487
       - Handle graciously unsupported password-protected documents; (Fridrich)
         fixes http://www.openoffice.org/issues/show_bug.cgi?id=72307
       - Remove warnings on main OpenOffice.org platforms (Fridrich)
       - Remove some potential memory leaks in the WPXPropertyList class
         and optimize the WPXPropertyList subscription operator (Fridrich)
       - When possible, pass WPXStrings by reference instead of passing them
         by copy (Fridrich)
       - Refactor WPXString to not cast from and to void*; refactor
         WPXPropertyList and WPXPropertyListVector classes as to save a bunch
         of virtual calls (Fridrich)
    ---
       Module Name:		pkgsrc
       Committed By:	rillig
       Date:		Sun Mar 18 20:41:50 UTC 2007
    
       Added Files:
       	pkgsrc/converters/libwpd/patches: patch-aa
    
       Log Message:
       ... and a patch for NetBSD 3.0.
    salo committed Mar 20, 2007
Commits on Mar 19, 2007
  1. #2052

    salo committed Mar 19, 2007
  2. Pullup ticket 2052 - requested by adrianp

    security update for horde
    
    Revisions pulled up:
    - pkgsrc/www/horde/Makefile				1.49
    - pkgsrc/www/horde/PLIST				1.15
    - pkgsrc/www/horde/distinfo				1.17
    
       Module Name:		pkgsrc
       Committed By:	adrianp
       Date:		Sun Mar 18 12:24:14 UTC 2007
    
       Modified Files:
       	pkgsrc/www/horde: Makefile PLIST distinfo
    
       Log Message:
       Update to 3.1.4
       ------
       v3.1.4
       ------
       [jan] SECURITY: Correctly quote file names in cleanup script for temporary
             files.
       [jan] Fix RPC authentication on CGI SAPIs.
       [jan] Detect unencrypted PGP messages.
    
       ----------
       v3.1.4-RC1
       ----------
       [jan] SECURITY: Fix an XSS vulnerability in the language selection.
       [jan] Complete Cyrus virtual domain support in cyrsql driver (Vilius
             Sumskas <vilius@lnk.lt>, Request #4967).
       [jan] Add option whether to strip domains from usernames in the account
             block (Request #4955).
       [jan] Fix email lists not being validated under certain conditions (Bug
             #4834).
       [cjh] Add a REST-ful preferences interface.
       [cjh] Faster DataTree-to-SQL History migration script (josh@endries.org,
             Request #4732).
       [cjh] Improved automatic webroot detection (Ben Klang, Request #4126).
       [cjh] Rewrite and fix the OCI8 SessionHandler (Bug #3452).
       [cjh] Allow signup hooks to override the user_name and password fields
             (thomas@gelf.net, Request #2904).
       [cjh] Fix creation of mailbox quotas by the Auth_cyrus driver
             (pascal@vmfacility.fr, Bug #4678).
       [cjh] Add "Save and Finish" to the share edit window (webmgr@muskingum.edu,
             Request #4307).
       [cjh] Let mailto: and anchor (#) links through Horde::externalUrl (Bug
             #3079).
       [cjh] Add smbclient version of the SMB Auth class (larry@wimble.biz,
             Request #4338).
       [cjh] Remove problematic "data descriptor" segment from generated ZIP
             files (reitsma@denison.edu, Bug #4670).
       [cjh] Strip accesskeys from menu tooltips when only showing icons (Bug
             #4667).
       [jan] Fix saving files in the root directory of an SQL VFS backend (Bug
             #4652, Ben Klang <ben@alkaloid.net>).
       [jan] Fix displaying all maintenance tasks to be confirmed at once (Bug
             #4377).
       [cjh] Fix return format of DataTree_null::getByAttributes()
             (thomas.jarosch@intra2net.com, Bug #4651).
       [jan] Support departments in vCard's ORG properties (martin@matuska.org,
             Request #4285).
       [cjh] Rename Auth_sasl backend to Auth_peclsasl to avoid conflicts with
             PEAR's Auth_SASL (Bug #4547).
       [cjh] Implement handling of vTimezones in iCalendar data
             (Carl Thompson <lists-horde@carlthompson.net>, Bug #4399).
       [cjh] keybindings.js now works with Safari/KHTML.
       [jan] Avoid recursive folder creation when sharing Kolab folders
             (michael.sheldon@credativ.de, Bug #4325).
       [jan] Add Kolab specific account block driver to support special Kolab
             users (mzizka@hotmail.com, Request: #4119).
       [mms] Only dim below the last signature line of input text in the
             dimsignature Text_Filter driver.
    salo committed Mar 19, 2007
Commits on Mar 16, 2007
  1. Ticket #2050.

    ghen committed Mar 16, 2007
  2. Pullup ticket 2050 - requested by wiz

    security update for p5-CGI-Session
    
    - pkgsrc/www/p5-CGI-Session/Makefile			1.8
    - pkgsrc/www/p5-CGI-Session/distinfo			1.4
    
       Module Name:	pkgsrc
       Committed By:	wiz
       Date:		Fri Mar 16 20:41:22 UTC 2007
    
       Modified Files:
    	   pkgsrc/www/p5-CGI-Session: Makefile distinfo
    
       Log Message:
       Update to 4.20:
    
       4.20 - Monday, December 4, 2006
    
           * INTERNAL: No Changes since 4.20_1. Declaring stable.
    
       4.20_1 - Friday, November 24, 2006
    
           * FIX: -ip_match now works even when it's not the last import item. (RT#21779)
           * FIX: In the PostgreSQL driver, a race condition when storing is now worked around. (Mark Stosberg)
           * FIX: Added important clarification and example to MySQL driver docs that the session column
                  needs to be defined as a primary key to avoid duplicate sessions. (Justin Simoni, Mark Stosberg)
           * FIX: The default serializer now works correctly with certain data structures. (RT#?) (Matt LeBlanc)
           * FIX: A documentation bug in find() was fixed (Matt LeBlanc)
           * FIX: Documented how to declare a database handle to be used on demand, which was introduced
                  in 4.04. (Mark Stosberg)
           * FIX: Connections made with SQLite now disconnect only when appropriate, instead of always.
                  This addresses a symptom seen as "attempt to prepare on inactive database handle"
                  (Jaldhar Vyas, Sherzod, Mark Stosberg)
           * FIX: Args to the constructor for CGI::Session and the drivers are now always shallow
                  copied rather than used directly, to prevent modification.
                  (RT#21952, Franck Porcher, Sherzod, Mark Stosberg)
           * FIX: The documentation for expire($param, $time) was made more explicit
                  (pjf, Mark Stosberg)
           * NEW: Added recommended use of flush() to the Synopsis (Michael Renner, RT#22333)
           * NEW: Added links to Japanese translations of the documentation (Makio Tsukamoto)
                  http://digit.que.ne.jp/work/index.cgi?Perldoc/ja
           * INTERNAL: Update test to workaround YAML versions less than 0.58. (Matt LeBlanc)
           * INTERNAL: param() code was refactored for clarity (Mark Stosberg, Ali ISIK, RT#21782)
           * INTERNAL: new() and load() were refactored (Ali Isik)
           * INTERNAL: renamed some environment variables used for testing (Ron Savage)
           * INTERNAL: Multi key-value syntax of param() now always returns number of keys
             successfully processed, 0 if no key/values were processed.
    
       4.14 - Sunday, June 11, 2006
    
           * NEW: The find() command now has better documentation. (Ron Savage, Matt LeBlanc)
           * FIX: find() no longer changes the access or modified times (RT#18442) (Matt LeBlanc)
           * FIX: param() called with two parameters now returns the value set, if any (RT#18912) (Matt LeBlanc)
           * FIX: driver, serializer, and id generator names are now untainted (RT#18873) (Matt LeBlanc)
           * INTERNAL: automatic flushing has been documented to be unreliable, although
             it was recommended in the past. Automatic flushing can be affected adversely
             in persistent environments and in some cases by third party software. There are
             also some cases in which flushing happened automatically in 3.x, but quit working
             with 4.x. See these tickets for details.
    
              http://rt.cpan.org/Ticket/Display.html?id=17541
              http://rt.cpan.org/Ticket/Display.html?id=17299
    
       4.13 - Wednesday, April 12, 2006
    
           * FIX: Applied patch to fix cookie method (RT#18493,Nobuaki ITO)
           * FIX: Berkeley DB 1.x exhibits a bug when used in conjunction with O_NOFOLLOW. Because of this,
             we've removed it from the db_file driver. It will still attempt to stop symlinks but the
             open itself has dropped the flag. (Matt LeBlanc)
           * FIX: json and yaml db_file tests now check for the presence of DB_File. (Matt LeBlanc)
    
       4.12 - Friday, April 7, 2006
    
           * SECURITY: Fix possible SQL injection attack. (RT#18578, DMUEY)
    
       4.11 - Friday, March 31, 2006
    
           * FIX: Since 4.10, using name() as a class method was broken. This has
             been fixed, and regression tests for both uses have been added. (Matt LeBlanc)
    
       4.10 - Tuesday, March 28, 2006
    
           * SECURITY: Hopefully this settles all of the problems with symlinks. Both the file
             and db_file drivers now use O_NOFOLLOW with open when the file should exist and
             O_EXCL|O_CREAT when creating the file. Tests added for symlinks. (Matt LeBlanc)
           * SECURITY: sqlite driver no longer attempts to use /tmp/sessions.sqlt when no
             Handle or DataSource is specified. This was a mistake from a security standpoint
             as anyone on the machine would then be able to create and therefore insert data
             into your sessions. (Matt LeBlanc)
           * NEW: name is now an instance method (RT#17979) (Matt LeBlanc)
    
       4.09 - Friday, March 16th, 2006
    
           * SECURITY: Applying security patch from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien Danjou)
    
       4.08 - Thursday, March 15th, 2006
    
           * FIX: DESTROY was sometimes wiping out exception handling. RT#18183, Matt LeBlanc.
           * SECURITY: Resolve some issues in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
             - db_file and file now check for symlinks either explicitly or by using O_EXCL on sysopen
             - file creation umask defaults to 660
           * NEW: db_file and file drivers now accepts a UMask option. (Matt LeBlanc)
           * INTERNAL: test suite clean up (Tyler MacDonald)
    ghen committed Mar 16, 2007
Commits on Mar 10, 2007
  1. #2049

    salo committed Mar 10, 2007
  2. Pullup ticket 2049 - requested by wiz

    security update for trac
    
    Revisions pulled up:
    - pkgsrc/www/trac/Makefile				1.24, 1.25
    - pkgsrc/www/trac/distinfo				1.18
    
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Thu Feb 22 19:01:28 UTC 2007
    
       Modified Files:
       	pkgsrc/www/trac: Makefile
    
       Log Message:
       pkglint cleanup; update HOMEPAGE/MASTER_SITES.
       From Sergey Svishchev in private mail.
    ---
       Module Name:		pkgsrc
       Committed By:	wiz
       Date:		Sat Mar 10 20:55:34 UTC 2007
    
       Modified Files:
       	pkgsrc/www/trac: Makefile distinfo
    
       Log Message:
       Update to 0.10.3.1:
    
       Trac 0.10.3.1 (March 8, 2007)
       http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
    
        Trac 0.10.3.1 is a security release:
        * Always send "Content-Disposition: attachment" headers where potentially
          unsafe (user provided) content is available for download. This behaviour
          can be altered using the "render_unsafe_content" option in the
          "attachment" and "browser" sections of trac.ini.
        * Fixed XSS vulnerability in "download wiki page as text" in combination with
          Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
    salo committed Mar 10, 2007
Commits on Mar 9, 2007
  1. #2048

    salo committed Mar 9, 2007
  2. Pullup ticket 2048 - requested by drochner

    security update for asterisk
    
    Revisions pulled up:
    - pkgsrc/comms/asterisk/Makefile			1.35
    - pkgsrc/comms/asterisk/distinfo			1.23
    
       Module Name:		pkgsrc
       Committed By:	drochner
       Date:		Wed Mar  7 12:10:29 UTC 2007
    
       Modified Files:
       	pkgsrc/comms/asterisk: Makefile distinfo
    
       Log Message:
       update to 1.2.16
       changes:
       1.2.15: This release contains a significant Astribank (XPP) driver update,
        support for Digium's TE120P card, and various bug fixes.
       1.2.16: This release contains a number of bug fixes, including a fix for
        a recently discovered security vulnerability. All Asterisk 1.2 users are
        urged to update to this release as soon as possible.
    
       This is in response to PR pkg/35924 by David Wetzel. The PR suggests
       to update to 1.4.1, but since I'm not using Asterisk myself I prefer
       to do just the minor update (which also fixes the security vulnerability)
       for now.
    salo committed Mar 9, 2007
  3. #2047

    salo committed Mar 9, 2007
  4. Pullup ticket 2047 - requested by drochner

    security update for gnupg
    
    Revisions pulled up:
    - pkgsrc/security/gnupg/Makefile				1.94
    - pkgsrc/security/gnupg/PLIST					1.21
    - pkgsrc/security/gnupg/distinfo				1.46
    
       Module Name:		pkgsrc
       Committed By:	drochner
       Date:		Wed Mar  7 11:31:24 UTC 2007
    
       Modified Files:
       	pkgsrc/security/gnupg: Makefile PLIST distinfo
    
       Log Message:
       update to 1.4.7, from Christian Gall per PR pkg/35940
       This fixes a security problem which is rather an application issue:
       The user wasn't notified about additional text (not covered by the
       signature) unless the --status-fd flag is used.
    salo committed Mar 9, 2007
  5. #2046

    salo committed Mar 9, 2007
  6. Pullup ticket 2046 - requested by obache

    compatibility fix for cyrus-imapd
    
    Revisions pulled up:
    - pkgsrc/mail/cyrus-imapd/Makefile			1.70
    - pkgsrc/mail/cyrus-imapd/distinfo			1.27
    - pkgsrc/mail/cyrus-imapd/patches/patch-al		1.3
    
       Module Name:		pkgsrc
       Committed By:	obache
       Date:		Fri Mar  9 14:46:08 UTC 2007
    
       Modified Files:
       	pkgsrc/mail/cyrus-imapd: Makefile distinfo
       	pkgsrc/mail/cyrus-imapd/patches: patch-al
    
       Log Message:
       compatibility fix for SASL 2.1.22.
       Taken from:
       https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/imtest/imtest.c.diff?r1=1.107&r2=1.108
    
       Bump PKGREVISION.
    
       Reported by Jukka Salmi in PR 35959.
    salo committed Mar 9, 2007
Commits on Mar 8, 2007
  1. #2045

    salo committed Mar 8, 2007
  2. Pullup ticket 2045 - requested by gavan

    require GCC version 3.x for C99 functionality
    
    Revisions pulled up:
    - pkgsrc/mk/compiler/gcc.mk				1.89
    
       Module Name:		pkgsrc
       Committed By:	gavan
       Date:		Mon Jan  8 19:29:45 UTC 2007
    
       Modified Files:
       	pkgsrc/mk/compiler: gcc.mk
    
       Log Message:
       gcc2 does not support -std=c99. If c99 is needed, require
       at least gcc 3.0.
    salo committed Mar 8, 2007
Commits on Mar 7, 2007
  1. Ticket #2042.

    ghen committed Mar 7, 2007
  2. Pullup ticket 2042 - requested by salo

    security update for silc-server
    
    - pkgsrc/chat/silc-server/Makefile			1.53
    - pkgsrc/chat/silc-server/distinfo			1.32
    
       Module Name:	pkgsrc
       Committed By:	salo
       Date:		Tue Mar  6 22:33:22 UTC 2007
    
       Modified Files:
    	   pkgsrc/chat/silc-server: Makefile distinfo
    
       Log Message:
       Security update to version 1.0.3
    
       Changes:
    
       - Fixed a denial of service vulnerability: If invalid hmac or cipher
         was specified on joining a channel, server crashed.
    
         Upgrading is recommended.
    ghen committed Mar 7, 2007
  3. #2041

    salo committed Mar 7, 2007