1. 09 Mar, 2016 4 commits
    • MFH: r410731 · ce01c0b5
      Mark Felder authored
      security/libotr: Update to 4.1.1
      
      Changes:
      * Fix an integer overflow bug that can cause a heap buffer overflow (and
      from there remote code execution) on 64-bit platforms
      * Fix possible free() of an uninitialized pointer
      * Be stricter about parsing v3 fragments
      * Add a testsuite ("make check" to run it), but only on Linux for now,
      since it uses Linux-specific features such as epoll
      * Fix a memory leak when reading a malformed instance tag file
      * Protocol documentation clarifications
      
      Security:	CVE-2016-2851
      Approved by:	ports-secteam (with hat)
    • MFH: r410728 · cf261fce
      Mathieu Arnold authored
      Update to 9.9.8-P4, 9.10.3-P4 and latest snapshot.
      
      Security:	CVE-2016-1285
      Security:	CVE-2016-1286
      Security:	CVE-2016-2088
      Sponsored by:	Absolight
    • MFH: r410712 · ea101d9e
      Mark Felder authored
      graphics/giflib: Add patch to fix regression
      
      There is a regression with the 5.1.2 update to giflib. This affects the
      ability for applications to render gif images usually occurring after the
      first gif image is rendered. Upstream has been notified but has not yet
      provided feedback.
      
      giflib 5.1.2 was a security fix, so reverting is not reasonable.
      
      "The removed check looks redundant - I couldn't find a code path where
      Private->RunningBits would exceed that limit after initialization.
      (Currently Private->RunningBits is checked before it is initialized)."
      
      PR:		207849
      Submitted by:	Stefan Ehmann <shoesoft@gmx.net>
      Approved by:	ports-secteam (with hat)
    • MFH: r406200, r410082 · 5dd1366c
      Jason Unovitch authored
      www/py-django18: update 1.8.7 -> 1.8.10
      
      www/py-django: update 1.8.7 -> 1.8.10 (manual)
      
      - MFH just the version bumps. Additional changes in ports/head marked
        www/py-django as IGNORE in r406202 in preparation of making it a meta
        port and set the RUN_DEPENDS of dependent ports to www/py-django18
        (r406203 and r406208). Those changes will not be merged.
      
      Security:	CVE-2016-2512
      Security:	CVE-2016-2513
      Security:	https://vuxml.FreeBSD.org/freebsd/f9e6c0d1-e4cc-11e5-b2bd-002590263bf5.html
      Approved by:	ports-secteam (with hat)
  2. 08 Mar, 2016 6 commits
  3. 07 Mar, 2016 4 commits
  4. 06 Mar, 2016 2 commits
    • MFH: r410474 · 41cd2b75
      Raphael Kubo da Costa authored
      Add patches to fix CVE-2013-6892 and CVE-2016-2511.
      
      PR:		207740
      Approved by:	ports-secteam (feld)
    • MFH: r410448 · ec745002
      Thomas Zander authored
      Update to upstream version 0.13.2; enable ASM by default on i386
      
      As verified by submitter of [1], ASM optimised routines now work
      on i386 out of the box, hence enable by default.
      
      This release contains runtime bugfixes (from changelog):
      - Fix an issue with the new duplicate checking, which could lead to
        missing subtitles after seeking.
      - Fix a crash with CoreText under specific circumstances
      
      While on it:
      - Use default description for ASM from bsd.options.desc.mk
      
      PR:		207723 [1]
      Submitted by:	sasamotikomi@gmail.com
      Reviewed by:	riggs
      Approved by:	ports-secteam (feld)
  5. 05 Mar, 2016 3 commits
    • MFH: r410213 · 74a7bf66
      Jan Beich authored
      emulators/ppsspp: minor manpage update
      
      - Added --fullscreen parameter in man page
      
      Approved by:	ports-secteam (feld)
    • MFH: r410185 · ee4e60e9
      Jan Beich authored
      graphics/graphite2: update to 1.3.6
      
      PR:		207686
      Reviewed by:	tijl
      Approved by:	ports-secteam (feld)
    • MFH: r410097 · a315aa71
      Raphael Kubo da Costa authored
      Make print/tex-dvipsk a runtime dependency.
      
      Two reasons for this:
      1. Document builds can fail without it even when using pdftex.
         From dblatex -d -D:
      
         Build uwm-pc-user-guide.pdf
         pdflatex failed
         Unexpected error occured
         Traceback (most recent call last):
         File "/usr/local/lib/python2.7/site-packages/dbtexmf/core/dbtex.py", line 332, in compile
            donefiles = self._compile()
         File "/usr/local/lib/python2.7/site-packages/dbtexmf/core/dbtex.py", line 400, in _compile
            self.make_bin()
         File "/usr/local/lib/python2.7/site-packages/dbtexmf/core/dbtex.py", line 317, in make_bin
            batch=self.texbatch)
         File "/usr/local/lib/python2.7/site-packages/dbtexmf/dblatex/runtex.py", line 113, in compile
            self.texer.compile(texfile)
         File "/usr/local/lib/python2.7/site-packages/dbtexmf/dblatex/grubber/texbuilder.py", line 73, in compile
            raise OSError("%s compilation failed" % self.tex.program)
         OSError: pdflatex compilation failed
         /tmp/tmpe0bJK0 not removed
      
         From tail -n 11 /tmp/tmpe0bJK0/uwm-pc-user-guide.log:
      
         Here is how much of TeX's memory you used:
          22571 strings out of 493117
          331796 string characters out of 6138550
          659827 words of memory out of 5000000
          19593 multiletter control sequences out of 15000+600000
          89643 words of font info for 150 fonts, out of 8000000 for 9000
          1141 hyphenation exceptions out of 8191
          48i,21n,51p,484b,2429s stack positions out of 5000i,2500n,10000p,300000b,80000s
         !pdfTeX error: pdflatex (file 8r.enc): cannot open encoding file for reading
         ==> Fatal error occurred, no output PDF file produced!
      
      2. dvips is a valid backend to specify with dblatex -b.
      
      PR:		201592
      Submitted by:	Jason Bacon <bacon4000@gmail.com>
      
      Approved by:	portmgr (miwi)
  6. 03 Mar, 2016 6 commits
    • MFH: r410039 · 81ededa6
      Mark Felder authored
      security/openssl: Revert disabling of SSLv2 and MD2
      
      Disabling SSLv2 without a shared library bump has a visible impact to
      some applications. It is unclear at this time if disabling MD2 could
      cause the same issues, but both are being reverted at the moment to be
      safe.
      
      PR:		195796
      Approved by:	ports-secteam (with hat)
    • Partially revert r409952. · 5d880509
      Raphael Kubo da Costa authored
      Switch back to USE_SQLITE=3 instead of USES=sqlite because the 2016Q1 branch
      does not support the latter.
      
      PR:		203424
      Approved by:	portmgr (antoine)
    • MFH: r410000 · 875f5ce7
      Jan Beich authored
      security/nss: unbreak build on 9.x after r409978
      
      Drop -ansi as it often breaks build e.g., C++-style comments in C code.
      
      secasn1d.c: In function 'sec_asn1d_parse_leaf':
      secasn1d.c:1611: error: expected expression before '/' token
      secasn1d.c:1622: error: expected expression before '/' token
      secasn1d.c:1629: error: expected expression before '/' token
      secasn1d.c:1621: warning: unused variable 'len_in_bits'
      
      Reported by:	pkg-fallout
      Pointy hat:	jbeich
      Approved by:	ports-secteam bustage fix blanket
    • MFH: r409996 · f177b365
      Jason Helfman authored
      - unbreak and pass maintainership to submitter
      
      PR:		207646
      Submitted by:	vvelox@vvelox.net
      Approved by:	ports-secteam (with hat)
    • MFH: r409978 · 75537750
      Jan Beich authored
      security/nss: update to 3.22.2
      
      Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.22.2_release_notes
      Changes:	https://hg.mozilla.org/projects/nss/rev/ec7aee1a4c24
      Approved by:	ports-secteam (feld)
    • MFH: r409976 · 7a8ffe89
      Jan Beich authored
      audio/alsa-plugins: partially revert r380063
      
      Restore BUFSZ_P2=on by default as a temporary fix for excessive CPU usage
      in Firefox. r378529 wasn't enough to make BUFSZ_P2=off transition smooth.
      
      PR:		203732
      Reported by:	Henry Hu, Arto Pekkanen, many more indirectly
      Approved by:	ports-secteam (feld)
  7. 02 Mar, 2016 7 commits
  8. 01 Mar, 2016 4 commits
  9. 29 Feb, 2016 2 commits
    • MFH: r409735 · 5a9c420f
      Thomas Zander authored
      Respect timezone settings, remove unnecessary pkg-install script
      
      Detailed maintainer log:
      - Remove the setting of the TZ, LC_ALL and LANG shell variables from rc
        script.  This resolves an issue where the emby-server timezone was set to
        UTC, causing show air dates and TV guides to be off by a number of hours
        for some users [1]. Setting these variables was originally added when
        mono 3.12.1 was in the ports tree, to avoid mono throwing a number of
        System.TimeZoneNotFound exceptions when run in debugging mode [2]. Whilst
        these exceptions are still thrown, they are caught and the mono code now
        only sets the time to UTC if the correct timezone cannot be found from
        the TZ variable or /etc/localtime.
      - Remove pkg-install script as it is no longer necessary to download
        Mozilla's root certificates and import them into the Mono Trust store
        (this was actually never effective, as the certificates were saved into
        the root user's mono trust store instead of the emby user's store).
      - Bump PORTREVISION
      
      [1] http://emby.media/community/index.php?/topic/13083-freenas-plugin/?p=299783
      [2] mono --debug --trace=N:nothing /usr/local/lib/emby-server/MediaBrowser.Server.Mono.exe -ffmpeg /usr/local/bin/ffmpeg -ffprobe /usr/local/bin/ffprobe -programdata /var/db/emby-server
      
      PR:		207436
      Submitted by:	woodsb02@gmail.com (maintainer)
      Approved by:	ports-secteam (feld)
    • MFH: r409780 · ee1f7aaf
      Mark Felder authored
      Security upgrade from 7.0.67 to 7.0.68.
      
      ChangeLog:		http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
      Security ChangeLog:	https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.68
      
      Security:	CVE-2015-5345
      Security:	CVE-2015-5351
      Security:	CVE-2016-0706
      Security:	CVE-2016-0714
      Security:	CVE-2016-0763
      Approved by:	ports-secteam (with hat)
  10. 28 Feb, 2016 2 commits
    • MFH: r409785 · 910f34f3
      Raphael Kubo da Costa authored
      Fix line breaks conversion.
      
      Current japanese/today converts each file's line breaks from CRLF to LF
      with the following procedure in Makefile:
      
       ${SED} 's/.$$//'
      
      It is a very problematic method, and breaks many Japanese strings in
      the data files (*.tbl).
      
      To solve the problem, use "${TR} -d '\015'" for the conversion.
      
      PR:		206568
      Submitted by:	WATANABE Kazuhiro <CQG00620@nifty.ne.jp> (maintainer)
      
      Approved by:	portmgr blanket approval
    • MFH: r409770 · 4d272a00
      Raphael Kubo da Costa authored
      Depend on multimedia/vlc-qt4 instead of multimedia/vlc.
      
      multimedia/vlc conflicts with multimedia/vlc-qt4, and the latter is needed by
      multimedia/phonon-qt4 and consequently by x11/kde4-workspace and other KDE4
      ports.
      
      Since Kaffeine depends on parts of KDE4 such as x11/kdelibs4, it makes more
      sense to depend on vlc-qt4 instead.
      
      PR:		204690
      
      Approved by:	ports-secteam (feld)