Commits on Apr 7, 2010
  1. Pullup tickets #3072 and #3073.

    tron committed Apr 7, 2010
  2. Pullup ticket #3073 - requested by martti

    mediawiki: security update
    
    Revisions pulled up:
    - www/mediawiki/Makefile		1.11
    - www/mediawiki/distinfo		1.7
    ---
    Module Name:	pkgsrc
    Committed By:	martti
    Date:		Wed Apr  7 05:40:11 UTC 2010
    
    Modified Files:
    	pkgsrc/www/mediawiki: Makefile distinfo
    
    Log Message:
    Updated www/mediawiki to 1.15.3
    
    This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
    1.16.0beta2.
    
    MediaWiki was found to be vulnerable to login CSRF. An attacker who
    controls a user account on the target wiki can force the victim to log
    in as the attacker, via a script on an external website. If the wiki is
    configured to allow user scripts, say with "$wgAllowUserJs = true" in
    LocalSettings.php, then the attacker can proceed to mount a
    phishing-style attack against the victim to obtain their password.
    
    Even without user scripting, this attack is a potential nuisance, and so
    all public wikis should be upgraded if possible.
    
    Our fix includes a breaking change to the API login action. Any clients
    using it will need to be updated. We apologise for making such a
    disruptive change in a minor release, but we feel that security is
    paramount.
    
    For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    tron committed Apr 7, 2010
  3. Pullup ticket #3072 - requested by martti

    clamav: security improvements
    
    Revisions pulled up:
    - mail/clamav/Makefile				1.100-1.102
    - mail/clamav/Makefile				1.99
    - mail/clamav/PLIST				1.23-1.24
    - mail/clamav/PLIST.milter			1.5
    - mail/clamav/distinfo				1.63
    - mail/clamav/options.mk			1.5
    - mail/clamav/patches/patch-aa			1.20
    - mail/clamav/patches/patch-ab			1.13
    - mail/clamav/patches/patch-ac			1.7
    - mail/clamav/patches/patch-ad			1.20
    - mail/clamav/patches/patch-af			1.11
    - mail/clamav/patches/patch-ag			1.4
    ---
    Module Name:	pkgsrc
    Committed By:	wiz
    Date:		Sun Mar 21 16:29:44 UTC 2010
    
    Modified Files:
    	 pkgsrc/mail/clamav: Makefile
    
    Log Message:
    Reset maintainer, developer lost his commit bit.
    ---
    Module Name:	pkgsrc
    Committed By:	asau
    Date:		Wed Mar 24 19:43:29 UTC 2010
    
    Modified Files:
    	 pkgsrc/mail/clamav: Makefile
    
    Log Message:
    Recursive revision bump for GMP update.
    ---
    Module Name:	pkgsrc
    Committed By:	martti
    Date:		Thu Apr  1 12:02:23 UTC 2010
    
    Modified Files:
    	pkgsrc/mail/clamav: Makefile PLIST distinfo
    	pkgsrc/mail/clamav/patches: patch-aa patch-ad patch-af patch-ag
    Added Files:
    	pkgsrc/mail/clamav/patches: patch-ab patch-ac
    
    Log Message:
    Updated mail/clamav to 0.96
    
    This release of ClamAV introduces new malware detection mechanisms and other
    significant improvements to the scan engine. The key features include:
    
        - The Bytecode Interpreter: the interpreter built into LibClamAV allows
          the signature writers to create and distribute very complex detection
          routines and remotely enhance the scanner's functionality
    
        - Heuristic improvements: improve the PE heuristics detection engine by
          adding support of bogus icons and fake PE header information. In a
          nutshell, ClamAV can now detect malware that tries to disguise itself
          as a harmless application by using the most common Windows program icons.
    
        - Signature Improvements: logical signature improvements to allow more
          detailed matching and referencing groups of signatures. Additionally,
          improvements to wildcard matching on word boundaries and newlines.
    
        - Support for new archives: 7zip, InstallShield and CPIO. LibClamAV
          can now transparently unpack and inspect their contents.
    
        - Support for new executable file formats: 64-bit ELF files and OS X
          Universal Binaries with Mach-O files. Additionally, the PE module
          can now decompress and inspect executables packed with UPX 3.0.
    
        - Support for DazukoFS in clamd
    
        - Performance improvements: overall performance improvements and memory
          optimizations for a better overall resource utilization experience.
    
        - Native Windows Support: ClamAV will now build natively under Visual
          Studio. This will allow 3rd Party application developers on Windows
          to easily integrate LibClamAV into their applications.
    ---
    Module Name:	pkgsrc
    Committed By:	martti
    Date:		Fri Apr  2 19:45:24 UTC 2010
    
    Modified Files:
    	 pkgsrc/mail/clamav: Makefile PLIST options.mk
    Added Files:
    	 pkgsrc/mail/clamav: PLIST.milter
    
    Log Message:
    Fixed PLIST when using the milter option.
    tron committed Apr 7, 2010
Commits on Mar 28, 2010
  1. Pullup ticket #3068.

    tron committed Mar 28, 2010
  2. Pullup ticket #3068 - requested by taca

    apache22: security update
    
    Revisions pulled up:
    - www/apache22/Makefile				1.56
    - www/apache22/PLIST				1.16
    - www/apache22/distinfo				1.30-1.31
    - www/apache22/patches/patch-aq			delete
    - www/apache22/patches/patch-as			delete
    - www/apache22/patches/patch-au			delete
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Fri Mar  5 00:22:59 UTC 2010
    
    Modified Files:
    	pkgsrc/www/apache22: distinfo
    Removed Files:
    	pkgsrc/www/apache22/patches: patch-aq patch-as patch-au
    
    Log Message:
    Remove CVE-2007-3304 related patches.  CVE-2007-3304 was fixed
    in Apache 2.2.6 and these patches are noop.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Tue Mar  9 02:30:15 UTC 2010
    
    Modified Files:
    	pkgsrc/www/apache22: Makefile PLIST distinfo
    
    Log Message:
    Update apache22 package to 2.2.15.
    
    For full change information please refer to:
    http://www.apache.org/dist/httpd/Announcement2.2.html.
    
    Here are the security-related changes from the ChangeLog
    (http://www.apache.org/dist/httpd/CHANGES_2.2.15).
    
    Changes with Apache 2.2.15
    
      *) SECURITY: CVE-2009-3555 (cve.mitre.org)
         mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
         by rejecting any client-initiated renegotiations. Forcibly disable
         keepalive for the connection if there is any buffered data readable. Any
         configuration which requires renegotiation for per-directory/location
         access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
         [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
    
      *) SECURITY: CVE-2010-0408 (cve.mitre.org)
         mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
         when request headers indicate a request body is incoming; not a case of
         HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]
    
      *) SECURITY: CVE-2010-0425 (cve.mitre.org)
         mod_isapi: Do not unload an isapi .dll module until the request
         processing is completed, avoiding orphaned callback pointers.
         [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
    tron committed Mar 28, 2010
Commits on Mar 27, 2010
  1. Pullup ticket #3066.

    tron committed Mar 27, 2010
  2. Pullup ticket #3066 - requested by taca

    pango: security patch
    
    Revisions pulled up:
    - devel/pango/Makefile			1.140-1.141
    - devel/pango/distinfo			1.82-1.83
    - devel/pango/patches/patch-ae		1.5
    - devel/pango/patches/patch-am		1.1
    ---
    Module Name:	pkgsrc
    Committed By:	tron
    Date:		Sun Feb 21 23:51:26 UTC 2010
    
    Modified Files:
    	pkgsrc/devel/pango: Makefile distinfo
    	pkgsrc/devel/pango/patches: patch-ae
    
    Log Message:
    Change very questionable C++ code slightly to avoid high CPU usage under
    Mac OS X. (see https://bugzilla.gnome.org/show_bug.cgi?id=593240 for
    more details). Tested with XChat and Wireshark under Mac OS 10.6.2 and
    NetBSD/amd64 5.0_STABLE.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Sat Mar 27 15:59:34 UTC 2010
    
    Modified Files:
    	pkgsrc/devel/pango: Makefile distinfo
    Added Files:
    	pkgsrc/devel/pango/patches: patch-am
    
    Log Message:
    Add a patch to fix CVE-2010-0421, DoS security fix.
    
    Bump PKGREVISION.
    tron committed Mar 27, 2010
  3. Pullup ticket #3065.

    tron committed Mar 27, 2010
  4. Pullup ticket #3065 - requested by taca

    openssl: security update
    
    Revisions pulled up:
    - security/openssl/Makefile			1.144-1.1.146
    - security/openssl/PLIST.common			1.17
    - security/openssl/distinfo			1.72-1.73
    - security/openssl/patches/patch-aa		1.23
    - security/openssl/patches/patch-ac		1.38
    - security/openssl/patches/patch-af		1.24
    - security/openssl/patches/patch-ax		delete
    - security/openssl/patches/patch-ay		delete
    - security/openssl/patches/patch-az		delete
    - security/openssl/patches/patch-ba		delete
    - security/openssl/patches/patch-bb		delete
    - security/openssl/patches/patch-bc		1.1
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Fri Feb 26 03:15:14 UTC 2010
    
    Modified Files:
    	pkgsrc/security/openssl: Makefile distinfo
    	pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
    Removed Files:
    	pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba
    	    patch-bb
    
    Log Message:
    Update openssl to 0.9.8m.
    
       The OpenSSL project team is pleased to announce the release of
       version 0.9.8m of our open source toolkit for SSL/TLS. This new
       OpenSSL version is a security and bugfix release which implements
       RFC5746 to address renegotiation vulnerabilities mentioned in
       CVE-2009-3555.  For a complete list of changes,
       please see http://www.openssl.org/source/exp/CHANGES.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Mon Mar  1 08:15:40 UTC 2010
    
    Modified Files:
    	pkgsrc/security/openssl: Makefile PLIST.common
    
    Log Message:
    Fix broken PLIST.
    (I wonder why "make print-PLIST" generated a wrong result before...)
    
    Bump PKGREVISION.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Fri Mar 26 00:20:49 UTC 2010
    
    Modified Files:
    	pkgsrc/security/openssl: Makefile distinfo
    Added Files:
    	pkgsrc/security/openssl/patches: patch-bc
    
    Log Message:
    Add a patch to fix CVE-2010-0740, a DoS problem.
    
    http://www.openssl.org/news/secadv_20100324.txt
    
    Bump PKGREVISION.
    tron committed Mar 27, 2010
Commits on Mar 15, 2010
  1. Pullup ticket #3054.

    tron committed Mar 15, 2010
  2. Pullup ticket #3054 - requested by martti

    ejabberd: security update
    
    Revisions pulled up:
    - chat/ejabberd/Makefile			1.17-1.19
    - chat/ejabberd/PLIST				1.11
    - chat/ejabberd/distinfo			1.11-1.12
    - chat/ejabberd/patches/patch-aa		1.6-1.7
    - chat/ejabberd/patches/patch-ad		1.5
    - chat/ejabberd/patches/patch-ae		1.5
    ---
    Module Name:    pkgsrc
    Committed By:   dmcmahill
    Date:           Mon Mar  8 17:30:23 UTC 2010
    
    Modified Files:
            pkgsrc/chat/ejabberd: Makefile
            pkgsrc/chat/ejabberd/patches: patch-aa
    
    Log Message:
    use BSD_INSTALL_SCRIPT instead of BSD_INSTALL_DATA for a shell script
    ---
    Module Name:    pkgsrc
    Committed By:   spz
    Date:           Thu Mar 11 06:33:04 UTC 2010
    
    Modified Files:
            pkgsrc/chat/ejabberd: distinfo
    
    Log Message:
    updated patch -> distinfo needs an update too
    ---
    Module Name:    pkgsrc
    Committed By:   fhajny
    Date:           Sat Mar 13 21:05:49 UTC 2010
    
    Modified Files:
             pkgsrc/chat/ejabberd: Makefile PLIST distinfo
             pkgsrc/chat/ejabberd/patches: patch-aa patch-ad patch-ae
    
    Log Message:
    Updated chat/ejabberd to 2.1.3.
    
    Changes in ejabberd-2.1.3
    
    Client connections
    * Avoid 'invalid' value in iq record
    * Avoid resending stream:error stanzas on terminate (EJAB-1180)
    * Close also legacy sessions that were half connected (EJAB-1165)
    * iq_query_info/1 now returns 'invalid' if XMLNS is invalid
    * New ejabberd_c2s option support: max_fsm_queue
    * Rewrite mnesia counter functions to use dirty_update_counter (EJAB-1177)
    * Run user_receive_packet also when sending offline messages (EJAB-1193)
    * Use p1_fsm behaviour in c2s FSM (EJAB-1173)
    
    Clustering
    * Fix cluster race condition in route read
    * New command to set master Mnesia node
    * Use mnesia:async_dirty when cleaning table from failed node
    
    Documentation
    * Add quotes in documentation of some erl arguments (EJAB-1191)
    * Add option access_from (EJAB-1187)
    * Add option max_fsm_queue (EJAB-1185)
    * Fix documentation installation, no need for executable permission
       (EJAB-1170)
    * Fix typo in EJABBERD_BIN_PATH (EJAB-891)
    * Fix typos in example config comments (EJAB-1192)
    
    ejabberdctl
    * Support concurrent connections with bound connection names
    * Add support for Jot in ctl and TTY in debug
    * Support help command names with old - characters
    * Fix to really use the variable ERL_PROCESSES
    
    Erlang compatibility
    * Don't call queue:filter/2 to keep compatibility with older Erlang versions
    * Use alternative of file:read_line/1 to not require R13B02
    
    HTTP
    * Add new debugging hook to the http receiving process
    * Allow a request_handler to serve a file in root of HTTP
    
    HTTP-Bind (BOSH)
    * Cross-domain HTTP-Bind support (EJAB-1168)
    * Hibernate http-bind process after handling a request
    * Reduce verbosity of HTTP Binding log messages
    
    LDAP
    * Document ldap_dn_filter, fetch only needed attributes in search
       (EJAB-1204)
    * Use "%u" pattern as default for ldap_uids (EJAB-1203)
    
    Localization
    * Fix German translation (EJAB-1195)
    * Fix Russian translation
    
    ODBC
    * Fix MSSQL support, which was broken (EJAB-1201)
    * Improved SQL reconnect behaviour
    
    Pubsub, PEP and Caps
    * Add extended stanza addressing 'replyto' on PEP (EJAB-1198)
    * Add pubsub#purge_offline (EJAB-1186)
    * Fix pubsub#title option (EJAB-1190)
    * Fix remove_user for node subscriptions (EJAB-1172)
    * Optimizations in mod_caps
    
    Other
    * mod_register: Add new acl access_from, default is to deny
    * mod_sic: new module for the experimental XEP-0279 Server IP Check
       (EJAB-1205)
    * PIEFXIS: Catch errors when exporting to PIEFXIS file (EJAB-1178)
    * Proxy65: new option "hostname" (EJAB-838)
    * Roster: Fix resending authorization problem
    * Shared Roster Groups: get contacts nickname from vcard (EJAB-114)
    * S2S: Improved s2s connections clean up (EJAB-1202)
    
    Changes in ejabberd-2.1.2
    
    Core
    * Close sessions that were half connected
    * Fix SASL PLAIN authentication message for RFC4616 compliance
    * Fix support for old Erlang/OTP R10 and R11
    * Return proper error (not 'conflict') when register is forbidden by ACL
    * When ejabberd stops, send stream close to clients
    
    ejabberdctl
    * Check for EGID in ejabberdctl command
    * Command to stop ejabberd informing users, with grace period
    * If there's a problem in config file, display config lines and stop node
    
    MUC
    * Kick occupants with reason when room is stopped due to MUC shutdown
    * Write in room log when a room is created, destroyed, started, stopped
    
    PubSub and PEP
    * Don't call gen_server on internal event (improves performance and
       scalability)
    * Fix duplicate SHIM header in Pubsub message
    * Notification messages of Pubsub node config change contained a SHIM
       header
    * SubID SHIM header missing in Pubsub message with multiple subscriptions
       on the same node
    * PEP: last published item not sent from unavailable users when the
       subscription is implicit (XEP-0115)
    * pep_mapping not working due to Node type mismatch
    
    WebAdmin
    * If big offline message queue, show only subset on WebAdmin
    * Support in user list page of WebAdmin when mod_offline is disabled
    ---
    Module Name:	pkgsrc
    Committed By:	martti
    Date:		Mon Mar 15 06:27:55 UTC 2010
    
    Modified Files:
    	pkgsrc/chat/ejabberd: Makefile
    
    Log Message:
    Reset MAINTAINER.
    tron committed Mar 15, 2010
Commits on Mar 9, 2010
  1. Pullup ticket #3046.

    tron committed Mar 9, 2010
  2. Pullup ticket #3046 - requested by martti

    mediawiki: security update
    
    Revisions pulled up:
    - www/mediawiki/Makefile		1.10
    - www/mediawiki/distinfo		1.6
    ---
    Module Name:	pkgsrc
    Committed By:	martti
    Date:		Tue Mar  9 05:16:42 UTC 2010
    
    Modified Files:
    	pkgsrc/www/mediawiki: Makefile distinfo
    
    Log Message:
    Updated www/mediawiki to 1.15.2
    
    Two security issues were discovered:
    
    A CSS validation issue was discovered which allows editors to display
    external images in wiki pages. This is a privacy concern on public
    wikis, since a malicious user may link to an image on a server they
    control, which would allow that attacker to gather IP addresses and
    other information from users of the public wiki. All sites running
    publicly-editable MediaWiki installations are advised to upgrade. All
    versions of MediaWiki (prior to this one) are affected.
    
    A data leakage vulnerability was discovered in thumb.php which affects
    wikis which restrict access to private files using img_auth.php, or
    some similar scheme. All versions of MediaWiki since 1.5 are affected.
    
    Deleting thumb.php is a suitable workaround for private wikis which do
    not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
    Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
    patch below to whatever version of MediaWiki you are using.
    tron committed Mar 9, 2010
Commits on Mar 7, 2010
  1. Pullup ticket #3041.

    tron committed Mar 7, 2010
  2. Pullup ticket #3041 - requested by hannken

    chrony: security update
    
    Revisions pulled up:
    - net/chrony/Makefile				1.26
    - net/chrony/distinfo				1.7
    - net/chrony/patches/patch-aa			1.4
    - net/chrony/patches/patch-ab			1.4
    - net/chrony/patches/patch-ac			1.4
    - net/chrony/patches/patch-ad			1.3
    - net/chrony/patches/patch-ae			1.4
    - net/chrony/patches/patch-ag			delete
    ---
    Module Name:    pkgsrc
    Committed By:   hannken
    Date:           Fri Feb 26 09:27:43 UTC 2010
    
    Modified Files:
            pkgsrc/doc: TODO
            pkgsrc/net/chrony: Makefile distinfo
            pkgsrc/net/chrony/patches: patch-aa patch-ab patch-ac patch-ad patch-ae
    Removed Files:
            pkgsrc/net/chrony/patches: patch-ag
    
    Log Message:
    Update to 1.24.
    
    The changes in version 1.24 are
    
    Security fixes
    --------------
    * Don't reply to invalid cmdmon packets (CVE-2010-0292)
    * Limit client log memory size (CVE-2010-0293)
    * Limit rate of syslog messages (CVE-2010-0294)
    
    Bug fixes/Enhancements
    ----------------------
    * Support for reference clocks (SHM, SOCK, PPS drivers)
    * IPv6 support
    * Linux capabilities support (to drop root privileges)
    * Memory locking support on Linux
    * Real-time scheduler support on Linux
    * Leap second support on Linux
    * Support for editline library
    * Support for new Linux readonly adjtime
    * NTP client support for KoD RATE
    * Read kernel timestamps for received NTP packets
    * Reply to NTP requests with correct address on multihomed hosts
    * Retry name resolving after temporary failure
    * Fix makestep command, make it available on all systems
    * Add makestep directive for automatic clock stepping
    * Don't require _bigadj kernel symbol on NetBSD
    * Avoid blocking read in Linux RTC driver
    * Support for Linux on S/390 and PowerPC
    * Fix various bugs on 64-bit systems
    * Fix valgrind errors and compiler warnings
    * Improve configure to support common options and variables
    * Improve status checking and printing in chronyc
    * Return non-zero exit code on errors in chronyc
    * Reduce request timeout in chronyc
    * Print estimated offset in sourcestats
    * Changed chronyc protocol, incompatible with older versions
    
    Reviewed by: Joerg Sonnenberger <joerg@netbsd.org>
    tron committed Mar 7, 2010
Commits on Mar 5, 2010
  1. Pullup tickets #3037 and #3038.

    tron committed Mar 5, 2010
  2. Pullup ticket #3038 - requested by taca

    drupal6: security update
    
    Revisions pulled up:
    - www/drupal6/Makefile				1.19
    - www/drupal6/PLIST				1.6
    - www/drupal6/distinfo				1.15
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Thu Mar  4 01:29:58 UTC 2010
    
    Modified Files:
    	pkgsrc/www/drupal6: Makefile PLIST distinfo
    
    Log Message:
    Update drupal6 package to 6.16.
    
    Drupal 6.16, 2010-03-03
    ----------------------
    - Fixed security issues (Installation cross site scripting, Open redirection,
      Locale module cross site scripting, Blocked user session regeneration),
      see SA-CORE-2010-001.
    - Better support for updated jQuery versions.
    - Reduced resource usage of update.module.
    - Fixed several issues relating to support of install profiles and
      distributions.
    - Added a locking framework to avoid data corruption on long operations.
    - Fixed a variety of other bugs.
    tron committed Mar 5, 2010
  3. Pullup ticket #3037 - requested by taca

    drupal: security update
    
    Revisions pulled up:
    - www/drupal/Makefile			1.44
    - www/drupal/distinfo			1.34
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Thu Mar  4 01:29:39 UTC 2010
    
    Modified Files:
    	pkgsrc/www/drupal: Makefile distinfo
    
    Log Message:
    Update drupal package to 5.22.
    
    Drupal 5.22, 2010-03-03
    -----------------------
    - Fixed security issues (Open redirection, Locale module cross site scripting,
      Blocked user session regeneration), see SA-CORE-2010-001.
    tron committed Mar 5, 2010
Commits on Mar 4, 2010
  1. Pullup ticket #3036.

    tron committed Mar 4, 2010
  2. Pullup ticket #3036 - requested by taca

    php5: security update
    php-bz2: security update
    php-zip: security update
    php-zlib: security update
    php-iconv: security update
    php-dba: security update
    php-dbase: security update
    php-dbx: security update
    php-ldap: security update
    php-mssql: security update
    php-mysql: security update
    php-odbc: security update
    php-pdo: security update
    php-pdo_dblib: security update
    php-pdo_mysql: security update
    php-pdo_pgsql: security update
    php-pdo_sqlite: security update
    php-pgsql: security update
    php-sqlite: security update
    php5-mysqli: security update
    php-gettext: security update
    php-gmp: security update
    php-memcache: security update
    php-pcntl: security update
    php-posix: security update
    php-shmop: security update
    php-sysvsem: security update
    php-sysvshm: security update
    php-exif: security update
    php-gd: security update
    php5-perl: security update
    php-imap: security update
    php-bcmath: security update
    php-calendar: security update
    php-mbstring: security update
    php-ming: security update
    php-ftp: security update
    php-snmp: security update
    php-sockets: security update
    php-xmlrpc: security update
    php-yaz: security update
    php5-soap: security update
    php-pdflib: security update
    php-mcrypt: security update
    php-mhash: security update
    php-suhosin: security update
    php-json: security update
    php-pspell: security update
    php-wddx: security update
    php5-dom: security update
    php5-xsl: security update
    php-apc: security update
    php-curl: security update
    php-eaccelerator: security update
    
    Revisions pulled up:
    - archivers/php-zlib/Makefile			1.14
    - databases/php-dba/Makefile			1.12
    - databases/php-ldap/Makefile			1.16
    - databases/php-mssql/Makefile			1.12
    - databases/php-pdo_dblib/Makefile		1.12
    - databases/php-pdo_pgsql/Makefile		1.13
    - databases/php-pgsql/Makefile			1.14
    - graphics/php-exif/Makefile			1.8
    - graphics/php-gd/Makefile			1.22
    - lang/php5/Makefile				1.77-1.78
    - lang/php5/Makefile.common			1.40
    - lang/php5/Makefile.php			1.39-1.41
    - lang/php5/distinfo				1.73,1.76
    - mail/php-imap/Makefile			1.20
    - net/php-ftp/Makefile				1.12
    - print/php-pdflib/Makefile			1.13
    - www/php-curl/Makefile				1.16
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Sat Feb 27 03:25:17 UTC 2010
    
    Modified Files:
    	pkgsrc/lang/php5: Makefile Makefile.common Makefile.php distinfo
    
    Log Message:
    Update php5 package to 5.2.13.
    
    25 Feb 2010, PHP 5.2.13
    - Updated timezone database to version 2010.2. (Derick)
    - Upgraded bundled PCRE to version 7.9. (Ilia)
    
    - Removed automatic file descriptor unlocking happening on shutdown and/or
      stream close (on all OSes excluding Windows). (Tony, Ilia)
    
    - Changed tidyNode class to disallow manual node creation. (Pierrick)
    
    - Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL.
      (Ilia)
    
    - Improved LCG entropy. (Rasmus, Samy Kamkar)
    
    - Fixed safe_mode validation inside tempnam() when the directory path does
      not end with a /). (Martin Jansen)
    - Fixed a possible open_basedir/safe_mode bypass in session extension
      identified by Grzegorz Stachowiak. (Ilia)
    - Fixed bug in bundled libgd causing spurious horizontal lines drawn by
      gdImageFilledPolygon (libgd #100). (Takeshi Abe)
    - Fixed build of mysqli with MySQL 5.5.0-m2. (Andrey)
    
    - Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
      (Brian France, Rasmus)
    - Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc
      versions). (Derick)
    - Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation).
      (Ilia, hanno at hboeck dot de)
    - Fixed bug #50847 (strip_tags() removes all tags greater than 1023 bytes
      long). (Ilia)
    - Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP
      authentication). (Jani)
    - Fixed bug #50823 (ReflectionFunction::isDeprecated producing "cannot be called
      statically" error). (Jani, Felipe)
    - Fixed bug #50791 (Compile failure: Bad logic in defining fopencookie
      emulation). (Jani)
    - Fixed bug #50787 (stream_set_write_buffer() has no effect on socket
      streams). (vnegrier at optilian dot com, Ilia)
    - Fixed bug #50772 (mysqli constructor without parameters does not return a
      working mysqli object). (Andrey)
    - Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). (hiroaki
      dot kawai at gmail dot com, Ilia)
    - Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia)
    - Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). (Joey,
      Ilia)
    - Fixed bug #50727 (Accessing mysqli->affected_rows on no connection causes
      segfault). (Andrey, Johannes)
    - Fixed bug #50680 (strtotime() does not support eighth ordinal number).
      (Ilia)
    - Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
    - Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but
      returns false). (Ilia)
    - Fixed bug #50636 (MySQLi_Result sets values before calling constructor).
      (Pierrick)
    - Fixed bug #50632 (filter_input() does not return default value if the
      variable does not exist). (Ilia)
    - Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick)
    - Fixed bug #50575 (PDO_PGSQL LOBs are not compatible with PostgreSQL 8.5).
      (Matteo)
    - Fixed bug #50558 (Broken object model when extending tidy). (Pierrick)
    - Fixed bug #50540 (Crash while running ldap_next_reference test cases).
      (Sriram)
    - Fixed bug #50508 (compile failure: Conflicting HEADER type declarations).
      (Jani)
    - Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
    - Fixed bug #49851 (http wrapper breaks on 1024 char long headers). (Ilia)
    - Fixed bug #49600 (imageTTFText text shifted right). (Takeshi Abe)
    - Fixed bug #49585 (date_format buffer not long enough for >4 digit years).
      (Derick, Adam)
    - Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob)
    - Fixed bug #48667 (Implementing Iterator and IteratorAggregate). (Etienne)
    - Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram)
    - Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive
      in HTTP uploads). (Ilia)
    - Fixed bug #47601 (defined() requires class to exist when testing for class
      constants). (Ilia)
    - Fixed bug #47409 (extract() problem with array containing word "this").
      (Ilia, chrisstocktonaz at gmail dot com)
    - Fixed bug #47002 (Field truncation when reading from dbase dbs with more
      than 1024 fields). (Ilia, sjoerd-php at linuxonly dot nl)
    - Fixed bug #45599 (strip_tags() truncates rest of string with invalid
      attribute). (Ilia, hradtke)
    - Fixed bug #44827 (define() allows :: in constant names). (Ilia)
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Sat Feb 27 03:35:12 UTC 2010
    
    Modified Files:
    	pkgsrc/archivers/php-zlib: Makefile
    	pkgsrc/databases/php-dba: Makefile
    	pkgsrc/databases/php-ldap: Makefile
    	pkgsrc/databases/php-mssql: Makefile
    	pkgsrc/databases/php-pdo_dblib: Makefile
    	pkgsrc/databases/php-pdo_pgsql: Makefile
    	pkgsrc/databases/php-pgsql: Makefile
    	pkgsrc/graphics/php-exif: Makefile
    	pkgsrc/graphics/php-gd: Makefile
    	pkgsrc/mail/php-imap: Makefile
    	pkgsrc/net/php-ftp: Makefile
    	pkgsrc/print/php-pdflib: Makefile
    	pkgsrc/www/php-curl: Makefile
    
    Log Message:
    Reset PKGREVISION.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Wed Mar  3 10:51:35 UTC 2010
    
    Modified Files:
    	pkgsrc/lang/php5: Makefile.php
    
    Log Message:
    Re-enable suhosin option since there is no need to disable it.
    
    Noted by Volkmar Seifert and I misunderstood something.
    ---
    Module Name:	pkgsrc
    Committed By:	taca
    Date:		Thu Mar  4 15:36:04 UTC 2010
    
    Modified Files:
    	pkgsrc/lang/php5: Makefile Makefile.php distinfo
    
    Log Message:
    Update suhosin patch for PHP 5.2.13.
    
    Bump PKGREVISION.
    tron committed Mar 4, 2010
  3. Pullup ticket #3032.

    tron committed Mar 4, 2010
  4. Pullup ticket #3032 - requested by tnn

    thunderbird: security update
    
    Revisions pulled up:
    - mail/thunderbird/Makefile			1.47-1.49
    - mail/thunderbird/distinfo			1.62-1.63
    ---
    Module Name:	pkgsrc
    Committed By:	tnn
    Date:		Mon Jan 25 14:42:55 UTC 2010
    
    Modified Files:
    	pkgsrc/mail/thunderbird: Makefile distinfo
    
    Log Message:
    Update to thunderbird-3.0.1.
    General stability/bugfix update.
    ---
    Module Name:	pkgsrc
    Committed By:	tnn
    Date:		Fri Feb 26 18:38:39 UTC 2010
    
    Modified Files:
    	pkgsrc/mail/thunderbird: Makefile distinfo
    
    Log Message:
    Update to thunderbird-3.0.2
    * Several fixes to improve stability and security.
    * Fixes for Thunderbird 2 users upgrading to Thunderbird 3.
    * Several fixes to IMAP.
    ---
    Module Name:	pkgsrc
    Committed By:	tnn
    Date:		Wed Mar  3 13:54:47 UTC 2010
    
    Modified Files:
    	pkgsrc/mail/thunderbird: Makefile
    
    Log Message:
    relax sqlite3 dependency to match what we have in pkgsrc-2009Q4.
    tron committed Mar 4, 2010
Commits on Mar 2, 2010
  1. Pullup ticket #3034.

    tron committed Mar 2, 2010
  2. Pullup ticket #3034 - requested by obache

    tor: security and compatibility update
    
    Revisions pulled up:
    - net/tor/Makefile			1.71
    - net/tor/distinfo			1.40
    ---
    Module Name:	pkgsrc
    Committed By:	obache
    Date:		Tue Mar  2 11:25:59 UTC 2010
    
    Modified Files:
    	pkgsrc/net/tor: Makefile distinfo
    
    Log Message:
    Update tor to 0.2.1.24 per maintainer update request by PR#42911.
    
    Changes in version 0.2.1.24 - 2010-02-21
       Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
       for sure!
    
       o Minor bugfixes:
         - Work correctly out-of-the-box with even more vendor-patched versions
           of OpenSSL. In particular, make it so Debian and OS X don't need
           customized patches to run/build.
    
    Changes in version 0.2.1.23 - 2010-02-13
       Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
       again on the latest OS X, and updates the location of a directory
       authority.
    
       o Major bugfixes (performance):
         - We were selecting our guards uniformly at random, and then weighting
           which of our guards we'd use uniformly at random. This imbalance
           meant that Tor clients were severely limited on throughput (and
           probably latency too) by the first hop in their circuit. Now we
           select guards weighted by currently advertised bandwidth. We also
           automatically discard guards picked using the old algorithm. Fixes
           bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
    
       o Major bugfixes:
         - Make Tor work again on the latest OS X: when deciding whether to
           use strange flags to turn TLS renegotiation on, detect the OpenSSL
           version at run-time, not compile time. We need to do this because
           Apple doesn't update its dev-tools headers when it updates its
           libraries in a security patch.
         - Fix a potential buffer overflow in lookup_last_hid_serv_request()
           that could happen on 32-bit platforms with 64-bit time_t. Also fix
           a memory leak when requesting a hidden service descriptor we've
           requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
           by aakova.
    
       o Minor bugfixes:
         - Refactor resolve_my_address() to not use gethostbyname() anymore.
           Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
    
       o Minor features:
         - Avoid a mad rush at the beginning of each month when each client
           rotates half of its guards. Instead we spread the rotation out
           throughout the month, but we still avoid leaving a precise timestamp
           in the state file about when we first picked the guard. Improves
           over the behavior introduced in 0.1.2.17.
    tron committed Mar 2, 2010
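    The 0.2.1.23 entry above says in one sentence what changed: guards used to be chosen uniformly at random and are now chosen weighted by advertised bandwidth. Added example, not Tor's code: both selection rules side by side over a constructed guard list, plus the expected share of first hops each rule gives a guard. The nicknames, bandwidth figures and the PRNG are this example's own assumptions; Tor's real selection uses its consensus bandwidth weights and its own CSPRNG.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample guards; bw is advertised bandwidth in bytes/s. */
struct guard { const char *nickname; uint64_t bw; };

static const struct guard GUARDS[] = {
    { "slowguard",    50 * 1024 },
    { "midguard",   1000 * 1024 },
    { "fastguard",  9000 * 1024 },
};
#define NGUARDS (sizeof GUARDS / sizeof GUARDS[0])

static uint64_t total_bw(const struct guard *g, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += g[i].bw;
    return total;
}

/* Old behaviour (before 0.2.1.23): every guard is equally likely, so the
 * slowest guard is the first hop as often as the fastest one. */
size_t pick_uniform(size_t n, uint64_t draw)
{
    return n ? (size_t)(draw % n) : 0;
}

/* New behaviour: guard i owns the interval [sum(bw[0..i-1]), sum(bw[0..i]))
 * of [0, total); a uniform draw into that range lands on guard i with
 * probability bw[i]/total. Returns n when the list has no bandwidth at all. */
size_t pick_weighted(const struct guard *g, size_t n, uint64_t draw)
{
    uint64_t total = total_bw(g, n), acc = 0;
    if (total == 0)
        return n;
    draw %= total;                 /* modulo bias ignored for the example */
    for (size_t i = 0; i < n; i++) {
        acc += g[i].bw;
        if (draw < acc)
            return i;
    }
    return n - 1;                  /* not reached: draw < total == acc */
}

/* Expected share of first hops each policy gives guard i, in basis points. */
uint64_t share_bp_uniform(size_t n)
{
    return n ? 10000 / n : 0;
}

uint64_t share_bp_weighted(const struct guard *g, size_t n, size_t i)
{
    uint64_t total = total_bw(g, n);
    return total ? g[i].bw * 10000 / total : 0;
}

/* xorshift64: a non-cryptographic PRNG, good enough to drive the demo. */
static uint64_t next_draw(uint64_t *state)
{
    uint64_t x = *state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *state = x;
}

int main(void)
{
    uint64_t state = 0x9E3779B97F4A7C15ULL;
    size_t hits[NGUARDS] = {0};
    for (int round = 0; round < 100000; round++)
        hits[pick_weighted(GUARDS, NGUARDS, next_draw(&state))]++;
    for (size_t i = 0; i < NGUARDS; i++)
        printf("%-10s expected %5llu bp (uniform %4llu), picked %zu times\n",
               GUARDS[i].nickname,
               (unsigned long long)share_bp_weighted(GUARDS, NGUARDS, i),
               (unsigned long long)share_bp_uniform(NGUARDS), hits[i]);
    return 0;
}
```

    With these figures the 50 kB/s guard goes from one third of all circuits to under half a percent, which is the throughput imbalance the changelog describes.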
Commits on Feb 28, 2010
  1. Pullup ticket #3026.

    tron committed Feb 28, 2010
  2. Pullup ticket #3026 - requested by spz

    curl: security update
    
    Revisions pulled up:
    - www/curl/Makefile			1.96
    - www/curl/distinfo			1.64
    - www/curl/patches/patch-ab		delete
    ---
    Module Name:    pkgsrc
    Committed By:   wiz
    Date:           Tue Feb 16 12:51:44 UTC 2010
    
    Modified Files:
            pkgsrc/www/curl: Makefile distinfo
    Removed Files:
            pkgsrc/www/curl/patches: patch-ab
    
    Log Message:
    Update to 7.20.0:
    
    Version 7.20.0 (9 February 2010)
    
    Daniel Stenberg (9 Feb 2010)
    - When downloading compressed content over HTTP and the app asked libcurl to
      automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
      wrongly provide the callback with more data than the maximum documented
      amount. An application could thus get tricked into badness if the maximum
      limit was trusted to be enforced by libcurl itself (as it is documented).
    
      This is further detailed and explained in the libcurl security advisory
      20100209 at
    
        http://curl.haxx.se/docs/adv_20100209.html
    
    Daniel Fandrich (3 Feb 2010)
    - Changed the Watcom makefiles to make them easier to keep in sync with
      Makefile.inc since that can't be included directly.
    
    Yang Tse (2 Feb 2010)
    - Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
      symbol will not be available when building with CURL_NO_OLDIES defined. Use
      of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
    
    Daniel Stenberg (1 Feb 2010)
    - Using the multi_socket API, it turns out at times it seemed to "forget"
      connections (which caused a hang). It turned out to be an existing (7.19.7)
      bug in libcurl (that's been around for a long time) and it happened like
      this:
    
      The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
      then set it to timeout in 1 millisecond so libcurl will tell the app about
      it.
    
      The app's timeout fires off that there's a timeout, the app calls libcurl as
      we so often document it:
    
      do {
       res = curl_multi_socket_action(... TIMEOUT ...);
      } while(CURLM_CALL_MULTI_PERFORM == res);
    
      And this is the problem number one:
    
      When curl_multi_socket_action() is called with no specific handle, but only
      a timeout-action, it will *only* perform actions within libcurl that are
      marked to run at this time. In this case, the request would go from INIT to
      CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
      again, there's no timer set for this handle so it remains in the CONNECT
      state. The CONNECT state is a transitional state in libcurl so it reports no
      sockets there, and thus libcurl never tells the app anything more about that
      easy handle/connection.
    
      libcurl _does_ set a 1ms timeout for the handle at the end of
      multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
      is instant the new job is not ready to run at that point (and there's no
      code that makes libcurl call the app to update the timeout for this new
      timeout). It will simply rely on that some other timeout will trigger later
      on or that something else will update the timeout callback. This makes the
      bug fairly hard to repeat.
    
      The fix made to address this issue:
    
      We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
      simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
      benefit that this goes in line with my long-term wishes to get rid of the
      CURLM_CALL_MULTI_PERFORM all together from the public API.
    
      The downside of this fix, is that the counter we return in 'running_handles'
      in several of our public functions then gets a slightly new and possibly
      confusing behavior during times:
    
      If an app adds a handle that fails to connect (very quickly) it may just
      as well never appear as a 'running_handle' with this fix. Previously it
      would first bump the counter only to get it decreased again at next call.
      Even I have used that change in handle counter to signal "end of a
      transfer". The only *good* way to find the end of a individual transfer
      is calling curl_multi_info_read() to see if it returns one.
    
      Of course, if the app previously did the looping before it checked the
      counter, it really shouldn't be any new effect.
    
    Yang Tse (26 Jan 2010)
    - Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
      relative to the asynchronous DNS lookups, along with some integration
      adjustments I have done are finally committed to CVS.
    
      Currently these enhancements will benefit builds done using c-ares on any
      platform as well as Windows builds using the default threaded resolver.
    
      This release does not make generally available POSIX threaded DNS lookups
      yet. There is no configure option to enable this feature yet. It is possible
      to experimentally try this feature running configure with compiler flags that
      make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
      HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
      are required to link and properly use pthread_* functions on each platform.
    
    Daniel Stenberg (26 Jan 2010)
    - Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
      proxy that cannot be resolved when using c-ares. This matches the behaviour
      when not using c-ares.
    
    Bj
    - Added a new flag: -J/--remote-header-name. This option tells the
      -O/--remote-name option to use the server-specified Content-Disposition
      filename instead of extracting a filename from the URL.
    
    Daniel Stenberg (21 Jan 2010)
    - Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
      libcurl options for controlling what to get and how to receive possibly
      interleaved RTP data.
    
    Daniel Stenberg (20 Jan 2010)
    - As was pointed out on the http-state mailing list, the order of cookies in a
      HTTP Cookie: header _needs_ to be sorted on the path length in the cases
      where two cookies using the same name are set more than once using
      (overlapping) paths. Realizing this, identically named cookies must be
      sorted correctly. But detecting only identically named cookies and take care
      of them individually is harder than just to blindly and unconditionally sort
      all cookies based on their path lengths. All major browsers also already do
      this, so this makes our behavior one step closer to them in the cookie area.
    
      Test case 8 was the only one that broke due to this change and I updated it
      accordingly.
    
    Daniel Stenberg (19 Jan 2010)
    - David McCreedy brought a fix and a new test case (129) to make libcurl work
      again when downloading files over FTP using ASCII and it turns out that the
      final size of the file is not the same as the initial size the server
      reported. This is very common since servers don't take the newline
      conversions into account.
    
    Kamil Dudka (14 Jan 2010)
    - Suppressed side effect of OpenSSL configure checks, which prevented NSS from
      being properly detected under certain circumstances. It had been caused by
      strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
      distinguishes among empty and non-existent environment variable in that case.
    
    Daniel Stenberg (12 Jan 2010)
    - Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
      transfers: curl_multi_fdset() would return -1 and not set any file
      descriptors several times during a transfer of a single file. It turned out
      to be due to two different flaws now fixed. Gil's excellent recipe helped me
      nail this.
    
    Daniel Stenberg (11 Jan 2010)
    - Made sure that the progress callback is repeatedly called at a regular
      interval even during very slow connects.
    
    - The tests/runtests.pl script now checks to see if the test case that runs is
      present in the tests/data/Makefile.am and outputs a notice message on the
      screen if not. Each test file has to be included in that Makefile.am to get
      included in release archives and forgetting to add files there is a common
      mistake. This is an attempt to make it harder to forget.
    
    Daniel Stenberg (9 Jan 2010)
    - Johan van Selst found and fixed an OpenSSL session ref count leak:
    
      ossl_connect_step3() increments an SSL session handle reference counter on
      each call. When sessions are re-used this reference counter may be
      incremented many times, but it will be decremented only once when done (by
      Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
      if this reference count remains positive. When a session is re-used the
      reference counter should be corrected by explicitly calling
      SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
      introducing a memory leak.
    
      (http://curl.haxx.se/bug/view.cgi?id=2926284)
    
    Daniel Stenberg (7 Jan 2010)
    - Make sure the progress callback is called repeatedly even during very slow
      name resolves when c-ares is used for resolving.
    
    Claes Jakobsson (6 Jan 2010)
    - Julien Chaffraix fixed so that the fragment part in a URL is not sent
      to the server anymore.
    
    Kamil Dudka (3 Jan 2010)
    - Julien Chaffraix eliminated a duplicated initialization in singlesocket().
    
    Daniel Stenberg (2 Jan 2010)
    - Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
      versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
      control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
      option names are still working but the new ones are the ones listed and
      documented.
    
    Daniel Stenberg (1 Jan 2010)
    - Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
      command is a special "hack" used by the drftpd server, but even though it is
      a custom extension I've deemed it fine to add to libcurl since this server
      seems to survive and people keep using it and want libcurl to support
      it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
      usable from the curl tool with --ftp-pret. Using this option on a server
      that doesn't support this command will make libcurl fail.
    
      I added test cases 1107 and 1108 to verify the functionality.
    
      The PRET command is documented at
      http://www.drftpd.org/index.php/Distributed_PASV
    
    Yang Tse (30 Dec 2009)
    - Steven M. Schweda improved VMS build system, and Craig A. Berry helped
      with the patch and testing.
    
    Daniel Stenberg (26 Dec 2009)
    - Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
      headers work correctly even on FreeBSD systems before v8.
    
      (http://curl.haxx.se/bug/view.cgi?id=2916915)
    
    Daniel Stenberg (17 Dec 2009)
    - David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
      available.
    
    - Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
      was a bit too quick and broke test case 1101 with that change. The order of
      some of the setups is sensitive. I now changed it slightly again to make
      sure we do them in this order:
    
      1 - parse URL and figure out what protocol is used in the URL
      2 - prepend protocol:// to URL if missing
      3 - parse name+password off URL, which needs to know what protocol is used
          (since only some allows for name+password in the URL)
      4 - figure out if a proxy should be used set by an option
      5 - if no proxy option, check proxy environment variables
      6 - run the protocol-specific setup function, which needs to have the proxy
          already set
    
    Daniel Stenberg (15 Dec 2009)
    - Jon Nelson found a regression that turned out to be a flaw in how libcurl
      detects and uses proxies based on the environment variables. If the proxy
      was given as an explicit option it worked, but due to the setup order
      mistake proxies would not be used fine for a few protocols when picked up
      from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
      test case 1106 that verifies this functionality.
    
      (http://curl.haxx.se/bug/view.cgi?id=2913886)
    
    Daniel Stenberg (12 Dec 2009)
    - IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
      and SMTPS) are now supported. The current state may not yet be solid, but
      the foundation is in place and the test suite has some initial support for
      these protocols. Work will now pursue to make them nice libcurl citizens
      until release.
    
      The work with supporting these new protocols was sponsored by
      networking4all.com - thanks!
    
    Daniel Stenberg (10 Dec 2009)
    - Siegfried Gyuricsko found out that the curl manual said --retry would retry
      on FTP errors in the transient 5xx range. Transient FTP errors are in the
      4xx range. The code itself only tried on 5xx errors that occurred _at login_.
      Now the retry code retries on all FTP transfer failures that ended with a
      4xx response.
    
      (http://curl.haxx.se/bug/view.cgi?id=2911279)
    
    - Constantine Sapuntzakis figured out a case which would lead to libcurl
      accessing already freed memory and thus crash when using HTTPS (with
      OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
      of cleaning things up. I fixed it.
    
      (http://curl.haxx.se/bug/view.cgi?id=2905220)
    
    Daniel Stenberg (7 Dec 2009)
    - Martin Storsjo made libcurl use the Expect: 100-continue header for posts
      with unknown size. Previously it was only used for posts with a known size
      larger than 1024 bytes.
    
    Daniel Stenberg (1 Dec 2009)
    - If the Expect: 100-continue header has been set by the application through
      curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
      data->state.expect100header accordingly - the current code (in 7.19.7 at
      least) doesn't handle this properly. Martin Storsjo provided the fix!
    
    Yang Tse (28 Nov 2009)
    - Added Diffie-Hellman parameters to several test harness certificate files in
      PEM format. Required by several stunnel versions used by our test harness.
    
    Daniel Stenberg (28 Nov 2009)
    - Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
      rework patch that now integrates TFTP properly into libcurl so that it can
      be used non-blocking with the multi interface and more. BLKSIZE also works.
    
      The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
      the command line.
    
    Daniel Stenberg (26 Nov 2009)
    - Extended and fixed the change I did on Dec 11 for the progress
      meter/callback during FTP command/response sequences. It turned out it was
      really lame before and now the progress meter SHOULD get called at least
      once per second.
    
    Daniel Stenberg (23 Nov 2009)
    - Bjorn Augustsson reported a bug which made curl not report any problems even
      though it failed to write a very small download to disk (done in a single
      fwrite call). It turned out to be because fwrite() returned success, but
      there was insufficient error-checking for the fclose() call which tricked
      curl to believe things were fine.
    
    Yang Tse (23 Nov 2009)
    - David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
      finer granularity control when generating src and lib makefiles.
    
    Yang Tse (22 Nov 2009)
    - I modified configure to force removal of the curlbuild.h file included in
      distribution tarballs for use by non-configure systems. As intended, this
      would get overwritten when doing in-tree builds. But VPATH builds would end up
      having two curlbuild.h files, one in the source tree and another in the
      build tree. With the modification I introduced 5 Nov 2009 this could become
      an issue when running libcurl's test suite.
    
    Daniel Stenberg (20 Nov 2009)
    - Constantine Sapuntzakis identified a write after close, as the sockets were
      closed by libcurl before the SSL lib was shut down and it may write to its
      socket. Detected to at least happen with OpenSSL builds.
    
    - Jad Chamcham pointed out a bug with connection re-use. If a connection had
      CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
      same proxy with the tunnel option disabled would still wrongly re-use that
      previous connection and the outcome would only be badness.
    
    Yang Tse (18 Nov 2009)
    - I modified the memory tracking system to make it intolerant with zero sized
      malloc(), calloc() and realloc() function calls.
    
    Daniel Stenberg (17 Nov 2009)
    - Constantine Sapuntzakis provided another fix for the DNS cache that could
      end up with entries that wouldn't time-out:
    
      1. Set up a first web server that redirects (307) to a http://server:port
         that's down
      2. Have curl connect to the first web server using curl multi
    
      After the curl_easy_cleanup call, there will be curl dns entries hanging
      around with in_use != 0.
    
      (http://curl.haxx.se/bug/view.cgi?id=2891591)
    
    - Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
      its pkg-config file.  So -Wl stuff ended up in the .pc file, which is really
      bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
      PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
    
    Kamil Dudka (15 Nov 2009)
    - David Byron improved the configure script to use pkg-config to find OpenSSL
      (and in particular the list of required libraries) even if a path is given
      as argument to --with-ssl
    
    Yang Tse (15 Nov 2009)
    - I removed enable-thread / disable-thread configure option. These were only
      placebo options. The library is always built as thread safe as possible on
      every system.
    
    Claes Jakobsson (14 Nov 2009)
    - curl-config now accepts '--configure' to see what arguments were
      passed to the configure script when building curl.
    
    Daniel Stenberg (14 Nov 2009)
    - Claes Jakobsson restored the configure functionality to detect NSS when
      --with-nss is set but not "yes".
    
      I think we can still improve that to check for pkg-config in that path etc,
      but at least this patch brings back the same functionality we had before.
    
    - Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
      the client certificate. It also disables the key name test as some engines
      can select a private key/cert automatically (When there is only one key
      and/or certificate on the hardware device used by the engine)
    
    Yang Tse (14 Nov 2009)
    - Constantine Sapuntzakis provided the fix that ensures that an SSL connection
      won't be reused unless protection level for peer and host verification match.
    
      I refactored how preprocessor symbol _THREAD_SAFE definition is done.
    
    Kamil Dudka (12 Nov 2009)
    - Kevin Baughman provided a fix preventing libcurl-NSS from crashing on doubly
      closed NSPR descriptor. The issue was hard to find, reported several times
      before and always closed unresolved. More info at the RH bug:
      https://bugzilla.redhat.com/534176
    
    - libcurl-NSS now tries to reconnect with TLS disabled in case it detects
      a broken TLS server. However it does not happen if SSL version is selected
      manually. The approach was originally taken from PSM. Kaspar Brand helped me
      to complete the patch. Original bug reports:
      https://bugzilla.redhat.com/525496
      https://bugzilla.redhat.com/527771
    
    Yang Tse (12 Nov 2009)
    - I modified configure script to make the getaddrinfo function check also
      verify if the function is thread safe.
    
    Yang Tse (11 Nov 2009)
    - Marco Maggi reported that compilation failed when configured --with-gssapi
      and GNU GSS installed due to a missing mutual exclusion of header files in
      the Kerberos 5 code path. He also verified that my patch worked for him.
    
    Daniel Stenberg (11 Nov 2009)
    - Constantine Sapuntzakis posted bug #2891595
      (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
      in the DNS cache would linger too long if the request that added it was in
      use that long. He also provided the patch that now makes libcurl capable of
      still doing a request while the DNS hash entry may get timed out.
    
    - Christian Schmitz noticed that the progress meter/callback was not properly
      used during the FTP connection phase (after the actual TCP connect), while
      it of course should be. I also made the speed check get called correctly so
      that really slow servers will trigger that properly too.
    
    Kamil Dudka (5 Nov 2009)
    - Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
      in non-blocking mode.
    
    Yang Tse (5 Nov 2009)
    - I removed leading 'curl' path on the 'curlbuild.h' include statement in
      curl.h, adjusting auto-makefiles include path, to enhance portability to
      OS's without an orthogonal directory tree structure such as OS/400.
    
    Daniel Stenberg (4 Nov 2009)
    - I fixed several problems with the transfer progress meter. It showed the
      wrong percentage for small files, most notable for <1000 bytes and could
      easily end up showing more than 100% at the end. It also didn't show any
      percentage, transfer size or estimated transfer times when transferring
      less than 100 bytes.
    tron committed Feb 28, 2010
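    The 9 Feb 2010 entry at the top of the curl message is the security fix the pullup is for: with CURLOPT_ENCODING on, libcurl before 7.20.0 could hand the write callback more than the documented per-call maximum, and an application that sized its buffer to that maximum was exposed. Added example, not curl's code: the trusting callback pattern the advisory warns about next to a callback that enforces its own capacity. The constant CURL_MAX_WRITE_SIZE (16384) and the callback prototype are reproduced from curl/curl.h so the example builds without libcurl; the struct, helper names and the constructed payload are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value from curl/curl.h, reproduced here so the example builds without
 * libcurl installed. */
#define CURL_MAX_WRITE_SIZE 16384

struct sink {
    char   buf[CURL_MAX_WRITE_SIZE];  /* sized to the documented per-call maximum */
    size_t used;
    int    refused;                   /* set when the bounded callback aborts */
};

/* Same prototype as a CURLOPT_WRITEFUNCTION callback. */
typedef size_t (*write_cb_t)(char *ptr, size_t size, size_t nmemb, void *userdata);

/* Trusting pattern (what the advisory warns about): assumes libcurl never
 * delivers more than CURL_MAX_WRITE_SIZE bytes per call, so an oversize chunk
 * of auto-decompressed content overruns buf. Only fed in-bounds data below. */
static size_t write_cb_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;
    memcpy(s->buf + s->used, ptr, n);   /* no bound check: overflow if n > space left */
    s->used += n;
    return n;
}

/* Bounded pattern: the callback enforces its own capacity and never relies on
 * the documented maximum. Returning anything other than size*nmemb makes
 * libcurl abort the transfer with CURLE_WRITE_ERROR. */
static size_t write_cb_bounded(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n;

    if (size != 0 && nmemb > SIZE_MAX / size) {   /* size*nmemb itself could wrap */
        s->refused = 1;
        return 0;
    }
    n = size * nmemb;
    if (n > sizeof s->buf - s->used) {            /* more than we can hold: refuse */
        s->refused = 1;
        return 0;
    }
    memcpy(s->buf + s->used, ptr, n);
    s->used += n;
    return n;
}

/* Deliver one constructed chunk of `len` bytes to cb, the way libcurl would. */
static size_t deliver(write_cb_t cb, struct sink *s, size_t len)
{
    static char chunk[2 * CURL_MAX_WRITE_SIZE];   /* constructed payload */
    memset(chunk, 'A', sizeof chunk);
    if (len > sizeof chunk)
        len = sizeof chunk;
    return cb(chunk, 1, len, s);
}

/* Scenario from the advisory: one call carrying a byte more than the
 * documented maximum. Returns 1 if the bounded callback refused it and left
 * the buffer untouched. */
int bounded_refuses_oversize_chunk(void)
{
    struct sink s = { {0}, 0, 0 };
    size_t ret = deliver(write_cb_bounded, &s, CURL_MAX_WRITE_SIZE + 1);
    return ret == 0 && s.refused == 1 && s.used == 0;
}

/* Normal case: a chunk exactly at the maximum is accepted by both callbacks. */
int callbacks_accept_full_chunk(void)
{
    struct sink a = { {0}, 0, 0 }, b = { {0}, 0, 0 };
    size_t ra = deliver(write_cb_trusting, &a, CURL_MAX_WRITE_SIZE);
    size_t rb = deliver(write_cb_bounded, &b, CURL_MAX_WRITE_SIZE);
    return ra == CURL_MAX_WRITE_SIZE && rb == CURL_MAX_WRITE_SIZE &&
           a.used == b.used && b.refused == 0;
}

int main(void)
{
    printf("bounded callback refuses oversize chunk: %s\n",
           bounded_refuses_oversize_chunk() ? "yes" : "no");
    printf("both callbacks accept a full chunk:      %s\n",
           callbacks_accept_full_chunk() ? "yes" : "no");
    return 0;
}
```

    The point of the bounded version is that a documented limit in a library is a contract, not a memory-safety guarantee; the callback owns the buffer, so the callback does the check.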
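    Two entries in the same curl message are about connection re-use: 20 Nov 2009 (a connection opened with CURLOPT_HTTPPROXYTUNNEL was re-used by a request to the same proxy with the tunnel option off) and 14 Nov 2009 (an SSL connection must not be re-used unless peer and host verification levels match). Added example, not libcurl's code: a connection-cache matcher that compares only the endpoint, which has the shape of both bugs, next to one that also compares every setting that shaped the connection's security properties. Struct and field names are this example's own; the CURLOPT_* names in comments are the libcurl options each field stands for, and the hosts are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What a cached connection was created with. */
struct conn_key {
    const char *host;
    int         port;
    bool        tls;
    const char *proxy;        /* NULL when connecting directly */
    bool        tunnel;       /* CURLOPT_HTTPPROXYTUNNEL */
    bool        verify_peer;  /* CURLOPT_SSL_VERIFYPEER */
    bool        verify_host;  /* CURLOPT_SSL_VERIFYHOST */
};

static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Naive matcher: compares only where the connection goes. */
bool reusable_naive(const struct conn_key *cached, const struct conn_key *want)
{
    return str_eq(cached->host, want->host) && cached->port == want->port &&
           cached->tls == want->tls && str_eq(cached->proxy, want->proxy);
}

/* Strict matcher: also compares everything that decided the connection's
 * security properties when it was set up. */
bool reusable_strict(const struct conn_key *cached, const struct conn_key *want)
{
    if (!reusable_naive(cached, want))
        return false;
    if (cached->proxy != NULL && cached->tunnel != want->tunnel)
        return false;                       /* tunnelled vs plain proxy request */
    if (cached->tls && (cached->verify_peer != want->verify_peer ||
                        cached->verify_host != want->verify_host))
        return false;                       /* different verification level */
    return true;
}

/* 20 Nov 2009 scenario: first request tunnelled through the proxy, second
 * request to the same proxy with the tunnel option off. Returns whether the
 * chosen matcher would hand out the cached connection. */
bool tunnel_mismatch_reused(bool strict)
{
    struct conn_key cached = { "example.test", 80, false, "proxy.test:3128", true,  true, true };
    struct conn_key want   = { "example.test", 80, false, "proxy.test:3128", false, true, true };
    return strict ? reusable_strict(&cached, &want) : reusable_naive(&cached, &want);
}

/* 14 Nov 2009 scenario: a TLS connection set up with peer and host
 * verification off must not serve a request that demands verification. */
bool verify_mismatch_reused(bool strict)
{
    struct conn_key cached = { "example.test", 443, true, NULL, false, false, false };
    struct conn_key want   = { "example.test", 443, true, NULL, false, true,  true  };
    return strict ? reusable_strict(&cached, &want) : reusable_naive(&cached, &want);
}

int main(void)
{
    printf("tunnel mismatch: naive reuses=%d strict reuses=%d\n",
           tunnel_mismatch_reused(false), tunnel_mismatch_reused(true));
    printf("verify mismatch: naive reuses=%d strict reuses=%d\n",
           verify_mismatch_reused(false), verify_mismatch_reused(true));
    return 0;
}
```

    The second scenario is the one to remember: the cached connection already passed the handshake without checking the certificate, so re-using it silently downgrades a request that asked for verification.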
  3. pullup #3027, #3028, #3029

    spz committed Feb 28, 2010
  4. Pullup ticket 3029 - requested by taca

    security patch
    
    Revisions pulled up:
    - pkgsrc/x11/wxGTK28/Makefile		1.8
    - pkgsrc/x11/wxGTK28/Makefile.common	1.5
    - pkgsrc/x11/wxGTK28/distinfo		1.8
    - pkgsrc/x11/wxGTK28/patches/patch-ba	1.2
    - pkgsrc/x11/wxGTK28/patches/patch-bb	1.2
    - pkgsrc/x11/wxGTK28/patches/patch-ca	1.2
    
    Files added:
    pkgsrc/x11/wxGTK28/patches/patch-cb
    
       --------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Tue Feb 16 17:38:14 UTC 2010
    
       Modified Files:
               pkgsrc/x11/wxGTK28: Makefile Makefile.common distinfo
               pkgsrc/x11/wxGTK28/patches: patch-ba patch-bb patch-ca
       Added Files:
               pkgsrc/x11/wxGTK28/patches: patch-cb
    
       Log Message:
       * Add patches for CVE-2009-2369 and CVE-2009-2625.
       * Use textproc/expat to fix CVE-2009-3720.
    
       Bump PKGREVISION.
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.7 -r1.8 pkgsrc/x11/wxGTK28/Makefile \
           pkgsrc/x11/wxGTK28/distinfo
       cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK28/Makefile.common
       cvs rdiff -u -r1.1 -r1.2 pkgsrc/x11/wxGTK28/patches/patch-ba \
           pkgsrc/x11/wxGTK28/patches/patch-bb pkgsrc/x11/wxGTK28/patches/patch-ca
       cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK28/patches/patch-cb
    spz committed Feb 28, 2010
  5. Pullup ticket 3028 - requested by taca

    security patch
    
    Revisions pulled up:
    - pkgsrc/x11/wxGTK26/Makefile		1.5
    - pkgsrc/x11/wxGTK26/distinfo		1.4
    
    Files added:
    pkgsrc/x11/wxGTK26/patches/patch-ae
    pkgsrc/x11/wxGTK26/patches/patch-af
    pkgsrc/x11/wxGTK26/patches/patch-ag
    pkgsrc/x11/wxGTK26/patches/patch-ah
    
       --------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Tue Feb 16 17:35:34 UTC 2010
    
       Modified Files:
               pkgsrc/x11/wxGTK26: Makefile distinfo
       Added Files:
               pkgsrc/x11/wxGTK26/patches: patch-ae patch-af patch-ag patch-ah
    
       Log Message:
       Add patches for CVE-2009-2369 and CVE-2009-2625.
    
       Bump PKGREVISION.
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Makefile
       cvs rdiff -u -r1.3 -r1.4 pkgsrc/x11/wxGTK26/distinfo
       cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ae \
           pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag \
           pkgsrc/x11/wxGTK26/patches/patch-ah
    spz committed Feb 28, 2010
  6. Pullup ticket 3027 - requested by taca

    security patch
    
    Revisions pulled up:
    - pkgsrc/x11/wxGTK24/Makefile		1.11
    - pkgsrc/x11/wxGTK24/distinfo		1.10
    
    Files added:
    pkgsrc/x11/wxGTK24/patches/patch-am
    pkgsrc/x11/wxGTK24/patches/patch-an
    pkgsrc/x11/wxGTK24/patches/patch-ao
    pkgsrc/x11/wxGTK24/patches/patch-ap
    
       --------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Tue Feb 16 17:33:39 UTC 2010
    
       Modified Files:
               pkgsrc/x11/wxGTK24: Makefile distinfo
       Added Files:
               pkgsrc/x11/wxGTK24/patches: patch-am patch-an patch-ao patch-ap
    
       Log Message:
       Add patches for CVE-2009-2625 and CVE-2009-2369.
    
       Bump PKGREVISION.
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.10 -r1.11 pkgsrc/x11/wxGTK24/Makefile
       cvs rdiff -u -r1.9 -r1.10 pkgsrc/x11/wxGTK24/distinfo
       cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK24/patches/patch-am \
           pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao \
           pkgsrc/x11/wxGTK24/patches/patch-ap
    spz committed Feb 28, 2010
Commits on Feb 26, 2010
  1. pullup #3024

    spz committed Feb 26, 2010
  2. Pullup ticket 3024 - requested by taca

    security update
    
    Revisions pulled up:
    - pkgsrc/security/sudo/Makefile		1.119
    - pkgsrc/security/sudo/distinfo		1.61
    
       --------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   taca
       Date:           Fri Feb 26 01:08:38 UTC 2010
    
       Modified Files:
               pkgsrc/security/sudo: Makefile distinfo
    
       Log Message:
       Update sudo package to 1.7.2p4.
    
       Major changes between version 1.7.2p3 and 1.7.2p4:
    
           * Fix a bug that could allow users with permission to run sudoedit
             to run arbitrary commands.
    
       Major changes between version 1.7.2p2 and 1.7.2p3:
    
           * Fix printing of entries with multiple host entries on a single line.
    
           * Fix use after free when sending error messages via email.
    
           * Use setrlimit64(), if available, instead of setrlimit() when
             setting AIX resource limits since rlim_t is 32bits.
    
           * Fix size arg when realloc()ing include stack.
    
           * Avoid a duplicate fclose() of the sudoers file.
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.118 -r1.119 pkgsrc/security/sudo/Makefile
       cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/sudo/distinfo
    
       ------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   zafer
       Date:           Tue Feb  9 00:05:48 UTC 2010
    
       Modified Files:
               pkgsrc/security/sudo: Makefile
    
       Log Message:
       update master_sites
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.117 -r1.118 pkgsrc/security/sudo/Makefile
    spz committed Feb 26, 2010
Commits on Feb 25, 2010
  1. pullup #3022

    spz committed Feb 25, 2010
  2. Pullup ticket 3022 - requested by taca

    security update
    
    Revisions pulled up:
    - pkgsrc/graphics/netpbm/Makefile
    - pkgsrc/graphics/netpbm/distinfo
    - pkgsrc/graphics/netpbm/patches/patch-aa
    - pkgsrc/graphics/netpbm/patches/patch-ao
    - pkgsrc/graphics/netpbm/patches/patch-da
    - pkgsrc/graphics/netpbm/patches/patch-db
    - pkgsrc/graphics/netpbm/patches/patch-dd
    
    Files added:
    pkgsrc/graphics/netpbm/PLIST
    pkgsrc/graphics/netpbm/patches/patch-ec
    
    Files deleted:
    pkgsrc/graphics/netpbm/patches/patch-ac
    pkgsrc/graphics/netpbm/patches/patch-af
    pkgsrc/graphics/netpbm/patches/patch-ag
    pkgsrc/graphics/netpbm/patches/patch-ai
    pkgsrc/graphics/netpbm/patches/patch-aj
    pkgsrc/graphics/netpbm/patches/patch-ak
    pkgsrc/graphics/netpbm/patches/patch-al
    pkgsrc/graphics/netpbm/patches/patch-am
    pkgsrc/graphics/netpbm/patches/patch-an
    pkgsrc/graphics/netpbm/patches/patch-ap
    pkgsrc/graphics/netpbm/patches/patch-aq
    pkgsrc/graphics/netpbm/patches/patch-ar
    pkgsrc/graphics/netpbm/patches/patch-as
    pkgsrc/graphics/netpbm/patches/patch-at
    pkgsrc/graphics/netpbm/patches/patch-au
    pkgsrc/graphics/netpbm/patches/patch-av
    pkgsrc/graphics/netpbm/patches/patch-az
    pkgsrc/graphics/netpbm/patches/patch-ba
    pkgsrc/graphics/netpbm/patches/patch-ca
    pkgsrc/graphics/netpbm/patches/patch-ea
    
       --------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   drochner
       Date:           Fri Feb 19 18:25:44 UTC 2010
    
       Modified Files:
               pkgsrc/graphics/netpbm: Makefile distinfo
               pkgsrc/graphics/netpbm/patches: patch-aa patch-ao patch-da patch-db
                   patch-dd
       Added Files:
               pkgsrc/graphics/netpbm: PLIST
               pkgsrc/graphics/netpbm/patches: patch-ec
       Removed Files:
               pkgsrc/graphics/netpbm/patches: patch-ac patch-af patch-ag patch-ai
                   patch-aj patch-ak patch-al patch-am patch-an patch-ap patch-aq
                   patch-ar patch-as patch-at patch-au patch-av patch-az patch-ba
                   patch-ca patch-ea
    
       Log Message:
       update to 10.35.73
       changes: many bugfixes, especially:
        xpmtoppm: fix wild pointer with color index > 127,
        which fixes a stack-based buffer overflow (CVE-2009-4274)
    
       pkgsrc change: use a fixed PLIST instead of generating on install,
        helps to detect problems
    
    
       To generate a diff of this commit:
       cvs rdiff -u -r1.164 -r1.165 pkgsrc/graphics/netpbm/Makefile
       cvs rdiff -u -r0 -r1.6 pkgsrc/graphics/netpbm/PLIST
       cvs rdiff -u -r1.71 -r1.72 pkgsrc/graphics/netpbm/distinfo
       cvs rdiff -u -r1.39 -r1.40 pkgsrc/graphics/netpbm/patches/patch-aa
       cvs rdiff -u -r1.17 -r0 pkgsrc/graphics/netpbm/patches/patch-ac
       cvs rdiff -u -r1.12 -r0 pkgsrc/graphics/netpbm/patches/patch-af
       cvs rdiff -u -r1.18 -r0 pkgsrc/graphics/netpbm/patches/patch-ag
       cvs rdiff -u -r1.11 -r0 pkgsrc/graphics/netpbm/patches/patch-ai \
           pkgsrc/graphics/netpbm/patches/patch-aj
       cvs rdiff -u -r1.7 -r0 pkgsrc/graphics/netpbm/patches/patch-ak
       cvs rdiff -u -r1.3 -r0 pkgsrc/graphics/netpbm/patches/patch-al \
           pkgsrc/graphics/netpbm/patches/patch-am \
           pkgsrc/graphics/netpbm/patches/patch-an \
           pkgsrc/graphics/netpbm/patches/patch-ap \
           pkgsrc/graphics/netpbm/patches/patch-aq \
           pkgsrc/graphics/netpbm/patches/patch-ar \
           pkgsrc/graphics/netpbm/patches/patch-as \
           pkgsrc/graphics/netpbm/patches/patch-at \
           pkgsrc/graphics/netpbm/patches/patch-au
       cvs rdiff -u -r1.3 -r1.4 pkgsrc/graphics/netpbm/patches/patch-ao
       cvs rdiff -u -r1.4 -r0 pkgsrc/graphics/netpbm/patches/patch-av \
           pkgsrc/graphics/netpbm/patches/patch-az
       cvs rdiff -u -r1.5 -r0 pkgsrc/graphics/netpbm/patches/patch-ba
       cvs rdiff -u -r1.1 -r0 pkgsrc/graphics/netpbm/patches/patch-ca \
           pkgsrc/graphics/netpbm/patches/patch-ea
       cvs rdiff -u -r1.1 -r1.2 pkgsrc/graphics/netpbm/patches/patch-da \
           pkgsrc/graphics/netpbm/patches/patch-db \
           pkgsrc/graphics/netpbm/patches/patch-dd
       cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/netpbm/patches/patch-ec
    spz committed Feb 25, 2010
Commits on Feb 24, 2010
  1. Pullup tickets #3019 and #3020.

    tron committed Feb 24, 2010