1. 01 Oct, 2014 1 commit
    • Bryan Drewery's avatar
      MFH: r369684 · a0ccd6f8
      Bryan Drewery authored
      Add RedHat's patch for CVE-2014-7186, commonly known as "redir_stack" overflow,
      which has not been shown to be as critical as "shellshock" currently.
      
      Security:	CVE-2014-7186
      a0ccd6f8
  2. 29 Sep, 2014 1 commit
  3. 28 Sep, 2014 1 commit
    • Bryan Drewery's avatar
      MFH: r369467 · 037396ee
      Bryan Drewery authored
      - Update to patchlevel 27 which changes how functions are exported.
        This should eliminate the recent vulnerabilities, but keep the
        requirement for --import-functions/IMPORTFUNCTIONS option for now.
      - Loosen the --import-functions requirement so it is not needed when running
        an interactive shell. It is already disallowed for privileged/setuid mode.
      - Show an error on stderr when an imported function is ignored.
      037396ee
  4. 27 Sep, 2014 1 commit
    • Bryan Drewery's avatar
      MFH: r369416 · 8f4ed37f
      Bryan Drewery authored
      - Apply patch to fix timed out SSL connections from spinning CPU
      
      Tested by:	bdrewery
      Submitted by:	kajetan.staszkiewicz@innogames.de
      Submitted by:	ohauer
      PR:		176438
      Approved by:	maintainer timeout
      8f4ed37f
  5. 26 Sep, 2014 3 commits
    • Bryan Drewery's avatar
      MFH: r369347 · 1c20652f
      Bryan Drewery authored
      Update to patchlevel 26. This is a NOP as r369261 already covered it.
      1c20652f
    • Bryan Drewery's avatar
      MFH: r369341 · df421f29
      Bryan Drewery authored
      Disable function importing from the environment by default.  This can be
      enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.
      
      This removes the risk of further parser bugs leading to code execution, as
      well as the risk to setuid scripts and poorly written applications that
      do not cleanse their environment [1][2].
      
      Also note that there is an unofficial 4.3.26 floating around that has not yet
      been officially released.  r369261 covers the change in 4.3.26.
      
      See also:
        http://seclists.org/oss-sec/2014/q3/747 [1]
        http://seclists.org/oss-sec/2014/q3/746 [2]
        http://seclists.org/oss-sec/2014/q3/755 [3]
      
      Obtained from:	NetBSD (based on) [3]
      PR:		193932
      Reviewed by:	Eric Vangyzen
      With hat:	portmgr
      df421f29
    • Johannes Jost Meixner's avatar
      MFH: r369267 · 6a66a15c
      Johannes Jost Meixner authored
      Backport Adobe's Flash upgrade to fix twelve vulnerabilities.
      
      While here, set maintainer to emulation@ in line with r369160.
      
      Approved by:	swills (mentor)
      Approved by:	portmgr (erwin)
      Security:	ca44b64c-4453-11e4-9ea1-c485083ca99c
      6a66a15c
  6. 25 Sep, 2014 5 commits
  7. 24 Sep, 2014 4 commits
  8. 18 Sep, 2014 2 commits
    • Guido Falsi's avatar
      MFH: r368515 · 2918bade
      Guido Falsi authored
      Document new asterisk11 vulnerability.
      
      Approved by:	portmgr (zi)
      2918bade
    • Dmitry Marakasov's avatar
      MFH: r368409 · da178bae
      Dmitry Marakasov authored
      - Fix build failure with perl 5.20 due to error in documentation
      
      PR:             193267
      Submitted by:   John.Marshall@riverwillow.com.au
      Approved by:	portmgr
      da178bae
  9. 17 Sep, 2014 6 commits
    • Bryan Drewery's avatar
      MFH r367994: · 57cdaceb
      Bryan Drewery authored
        @sample: Alert user that there is a stale file to be removed.
      57cdaceb
    • Bryan Drewery's avatar
      MFH: r366334 · 8968bdc5
      Bryan Drewery authored
      - Update to 3.17.7
      
      Changes:
        * Use PM_SU_CMD for pkg set -o
      8968bdc5
    • Bryan Drewery's avatar
      MFH: r368387 · 0fa16071
      Bryan Drewery authored
      - Update to 3.0.19
      
      Changes:
        * Fix improper call to 'msg_warn'. Bad backport from 3.1.
      
      Reported by:	sunpoet
      0fa16071
    • Bryan Drewery's avatar
      MFH: r368336 · 79bb0e9c
      Bryan Drewery authored
      - Update to 3.0.18
      
      Changes:
        * Add a check for 3.1 repository and reject the build. 3.0 does not know
          how to handle 3.1's repository format. Downgrading is not supported
          at this point.
        * Allow securelevel>=1 with USE_TMPFS=all
        * Add a warning that DEVELOPER=yes is ignored in lieu of bulk -t/testport
      79bb0e9c
    • Bryan Drewery's avatar
      MFH: r363770 · d343c698
      Bryan Drewery authored
      - Update to 3.0.17
      
      Changes:
        * Workaround regression with pkg-1.3 causing all packages to have new options.
        * distclean: Fix some false-positives
        * Fix dead link in poudriere.conf
      d343c698
    • Koop Mast's avatar
      MFH: r368364 · 1469c316
      Koop Mast authored
      Update to 1.8.8.
      
      Security update.
      
      Approved by:	portmgr (erwin@)
      1469c316
  10. 16 Sep, 2014 1 commit
    • Bryan Drewery's avatar
      MFH r368345: · a13f63e7
      Bryan Drewery authored
        - Fix off-by-one with 'make checksum' which caused it to not properly
            download files from the last site (distcache).
      
      With hat:	portmgr
      a13f63e7
  11. 13 Sep, 2014 1 commit
  12. 12 Sep, 2014 1 commit
    • Sunpoet Po-Chuan Hsieh's avatar
      MFH: r368009 · 3b09aaa4
      Sunpoet Po-Chuan Hsieh authored
      - Fix heap-based buffer overflow in formisc.c
      - Bump PORTREVISION for package change
      
      Security:	CVE-2014-3618
      Approved by:	portmgr (erwin)
      3b09aaa4
  13. 10 Sep, 2014 2 commits
  14. 09 Sep, 2014 1 commit
  15. 05 Sep, 2014 1 commit
    • Tijl Coosemans's avatar
      MFH: r367344 · 013dbdd8
      Tijl Coosemans authored
      Document trafficserver vulnerability
      
      Approved by:	portmgr (erwin)
      013dbdd8
  16. 03 Sep, 2014 3 commits
    • Olli Hauer's avatar
      MFH: r367227 · fee683c9
      Olli Hauer authored
      - update to 2.2.29
      - use PTHREAD_LIBS/CFLAGS instead -pthread
      
      Changes with Apache 2.2.29
      http://www.apache.org/dist/httpd/CHANGES_2.2.29
      
        *) Corrected docs/manual pages for new MergeTrailers directive and other
           out of date documentation. [William Rowe]
      
      Changes with Apache 2.2.28
      
        *) SECURITY: CVE-2014-0118 (cve.mitre.org) [1]
           mod_deflate: The DEFLATE input filter (inflates request bodies) now
           limits the length and compression ratio of inflated request bodies to avoid
           denial of service via highly compressed bodies.  See directives
           DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
           and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
      
        *) SECURITY: CVE-2014-0231 (cve.mitre.org) [1]
           mod_cgid: Fix a denial of service against CGI scripts that do
           not consume stdin that could lead to lingering HTTPD child processes
           filling up the scoreboard and eventually hanging the server.  By
           default, the client I/O timeout (Timeout directive) now applies to
           communication with scripts.  The CGIDScriptTimeout directive can be
           used to set a different timeout for communication with scripts.
           [Rainer Jung, Eric Covener, Yann Ylavic]
      
        *) SECURITY: CVE-2014-0226 (cve.mitre.org) [1]
           Fix a race condition in scoreboard handling, which could lead to
           a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]
      
        *) SECURITY: CVE-2013-5704 (cve.mitre.org) [2]
           core: HTTP trailers could be used to replace HTTP headers
           late during request processing, potentially undoing or
           otherwise confusing modules that examined or modified
           request headers earlier.  Adds "MergeTrailers" directive to restore
           legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
      
        *) core: Detect incomplete request and response bodies, log an error and
           forward it to the underlying filters. PR 55475.  [Yann Ylavic]
      
        *) mod_deflate: Handle Zlib header and validation bytes received in multiple
           chunks. PR 46146. [Yann Ylavic]
      
        *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
           differs. PR 55782.  [Yann Ylavic]
      
        *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
           [Lukas Bezdicka <social v3.sk>]
      
        *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
           [Ben Reser]
      
        *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
           resumed by TLS session resumption (RFC 5077). [Rainer Jung]
      
        *) mod_proxy_ajp: Forward local IP address as a custom request attribute
           like we already do for the remote port. [Rainer Jung]
      
        *) mod_deflate: Don't fail when flushing inflated data to the user-agent
           and that coincides with the end of stream ("Zlib error flushing inflate
           buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
      
        *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary
           header might not get the benefit of the thundering herd protection due to
           an incorrect internal cache key.  PR 50317.
           [Ruediger Pluem, Jan Kaluza, Yann Ylavic]
      
        *) mod_rewrite: Support session cookies with the CO= flag when later
           parameters are used.  The doc for this implied the feature had been
           backported for quite some time.  PR56014 [Eric Covener]
      
        *) mod_cache: Don't remove stale cache entries that cannot be conditionally
           revalidated. This prevents the thundering herd protection from serving
           stale responses during a revalidation. PR 50317.
           [Eric Covener, Jan Kaluza,  Ruediger Pluem]
      
        *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds.
           PR 41270. [Dean Gaudet <dean arctic org>]
      
      [1] CVE issues already fixed since FreeBSD-ports r362845
      [2] new CVE-2013-5704 issue fixed in 2.2.29
      
      Approved by:    portmgr (erwin@)
      Security:	f927e06c-1109-11e4-b090-20cf30e32f6d
      Security:	CVE-2013-5704
      fee683c9
    • Olli Hauer's avatar
      MFH: r367225 · 4d47efd9
      Olli Hauer authored
      - update vid f927e06c-1109-11e4-b090-20cf30e32f6d
        (httpd-2.2.29 was released today)
      
      Approved by:	portmgr (erwin@)
      4d47efd9
    • Thomas Zander's avatar
      MFH: r367223 · 1553ab42
      Thomas Zander authored
      - Stagify
      - Fix build on clang
      - Add MAKE_JOBS_UNSAFE
      - Add LICENSE
      - Add DOCS option
      - Bump PORTREVISION
      - Pet portlint
      
      PR:		191049
      Submitted by:	k@stereochro.me
      Reviewed by:	cpm@fbsd.es, joemann@beefree.free.de, marino, riggs
      Final patch by:	cpm@fbsd.es, riggs
      Approved by:	portmgr (erwin)
      1553ab42
  17. 27 Aug, 2014 4 commits
    • Antoine Brodin's avatar
      MFH: r365627 · 95d1fc76
      Antoine Brodin authored
      MIT license with a copyright holder can be distributed
      95d1fc76
    • Antoine Brodin's avatar
      MFH: r365802 · 33dfb327
      Antoine Brodin authored
      Ignore ports setting NO_PACKAGE when PACKAGE_BUILDING is set
      Side effect is that we will no longer mirror their distfiles, sad for them,
      but we will no longer spend cpu cycles building them for nothing every week
      and have strange errors from dependent ports unable to install NO_PACKAGE
      dependencies
      
      Users willing to package those ports can still set FORCE_PACKAGE
      
      Poudriere users can also package by not setting NO_FORCE_PACKAGE in poudriere.conf (by default it's already not set)
      
      Differential Revision: https://reviews.freebsd.org/D670
      Reviewed by:	bdrewery
      With hat:	portmgr
      33dfb327
    • Antoine Brodin's avatar
      MFH: r366021 · 4e22ac53
      Antoine Brodin authored
      - Unbreak by updating to 0.8.19
      - Fix LICENSE_PERMS
      - Add lang/gawk to (BUILD|TEST)_DEPENDS
      - Remove conflicts with misc/translate
      - Add 3 new options (default off) to support RTL languages,
        enable text-to-speech functionality and readline-style
        editing and history in interactive mode
      - Remove pkg-plist
      
      Build Log:	https://redports.org/buildarchive/20140824220804-65990/
      4e22ac53
    • Rene Ladan's avatar
      MFH: r366223 · 36b43fa8
      Rene Ladan authored
      Document new vulnerabilities in www/chromium < 37.0.2062.94
      
      Obtained from:	http://googlechromereleases.blogspot.nl
      
      Also merge entries for file, django, php, and phpMyAdmin
      
      Approved by:	portmgr (erwin)
      36b43fa8
  18. 26 Aug, 2014 2 commits
    • Dmitry Marakasov's avatar
      MFH: r366173 · 3cfd08db
      Dmitry Marakasov authored
      - Fix link for SQL option
      
      Approved by:	portmgr blanket
      3cfd08db
    • Dmitry Marakasov's avatar
      MFH: r366172 · a6ebdd4a
      Dmitry Marakasov authored
      - Fix build by disabling warning which shoots on libdbi and is fatal due to -Werror
      
      Approved by:	portmgr blanket
      a6ebdd4a