Update php55 to 5.5.17, approved by wiz@.

18 Sep 2014, PHP 5.5.17

- Core:
  . Fixed bug #47358 (glob returns error, should be empty array()). (Pierre)
  . Fixed bug #65463 (SIGSEGV during zend_shutdown()). (Keyur Govande)
  . Fixed bug #66036 (Crash on SIGTERM in apache process). (Keyur Govande)
  . Fixed bug #67878 (program_prefix not honoured in man pages). (Remi)

- COM:
  . Fixed bug #41577 (DOTNET is successful once per server run)
    (Aidas Kasparas)

- FPM:
  . Fixed #67606 (FPM with mod_fastcgi/apache2.4 is broken). (David Zuelke)

- OpenSSL:
  . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
    (Daniel Lowrey)
  . Fixed bug #67850 (extension won't build if openssl compiled without SSLv3)
    (Daniel Lowrey)

- SPL:
  . Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException
    wrong message). (tim_siebels_aurich at yahoo dot de)

- Date:
  . Fixed bug #66091 (memory leaks in DateTime constructor). (Tjerk)
  . Fixed bug #66985 (Some timezones are no longer valid in PHP 5.5.10).
    (Derick)
  . Fixed bug #67109 (First uppercase letter breaks date string parsing).
    (Derick)

- GD
  . Made fontFetch's path parser thread-safe. (Sara).

- MySQLi:
  . Fixed bug #67839 (mysqli does not handle 4-byte floats correctly). (Keyur)

- Zlib:
  . Fixed bug #67724 (chained zlib filters silently fail with large amounts of
    data). (Mike)
  . Fixed bug #67865 (internal corruption phar error). Mike

(taca)

Note update of misc/ruby-bundler package to 1.7.3.

(taca)

Update ruby-bundler to 1.7.3, including security fix for CVE-2013-0334.

## 1.7.3 (2014-09-14)

Bugfixes:

  - `extconf.rb` is now generated with the right path for `create_makefile` (@andremedeiros)
  - Fix various Ruby warnings (@piotrsanarki, @indirect)

## 1.7.2 (2014-08-23)

Bugfixes:

  - Revert gem source sorting in lock files (@indirect)

## 1.7.1 (2014-08-20)

Bugfixes:

  - Install gems from one source needed by gems in another source (@indirect)
  - Install the same gem versions even after some are installed (@tmoore)
  - Download specs only when installing from servers (@indirect)

## 1.7.0 (2014-08-13)

Security:

  - Fix for CVE-2013-0334, installing gems from an unexpected source (@tmoore)

Features:

  - Gemfile `source` calls now take a block containing gems from that source (@tmoore)
  - added the `:source` option to `gem` to specify a source (@tmoore)

Bugfixes:

  - warn on ambiguous gems available from more than one source (@tmoore)

## 1.6.5 (2014-07-23)

Bugfixes:

  - require openssl explicitly to fix rare HTTPS request failures (@indirect, #3107)

## 1.6.4 (2014-07-17)

Bugfixes:

  - fix undefined constant error when can't find gem during binstubs (#3095, @jetaggart)
  - work when installed git gems are not writable (#3092, @pmahoney)
  - don't store configured source credentials in Gemfile.lock (#3045, @lhz)
  - don't include config source credentials in the lockfile (Lars Haugseth)
  - use threads for jobs on Rubinius (@YorickPeterse)
  - skip dependencies from other platforms (@mvz)
  - work when Rubygems was built without SSL (@andremedeiros)

## 1.6.3 (2014-06-16)

Bugfixes:

  - fix regression when resolving many conflicts (#2994, @Who828)
  - use local gemspec for builtin gems during install --local (#3041, @Who828)
  - don't warn about sudo when installing on Windows (#2984, @indirect)
  - shell escape `bundle open` arguments (@indirect)

## 1.6.2 (2014-04-13)

Bugfixes:

  - fix an exception when using builtin gems (#2915, #2963, @gnufied)
  - cache gems that are built in to the running ruby (#2975, @indirect)
  - re-allow deploying cached git gems without git installed (#2968, @aughr)
  - keep standalone working even with builtin gems (@indirect)
  - don't update vendor/cache in deployment mode (#2921, @indirect)

Features:

  - warn informatively when `bundle install` is run as root (#2936, @1337807)

## 1.6.1 (2014-04-02)

Bugfixes:

  - update C extensions when git gem versions change (#2948, @dylanahsmith)

Features:

  - add support for C extensions in sudo mode on Rubygems 2.2

## 1.6.0 (2014-03-28)

Bugfixes:

  - many Gemfiles that caused incorrect errors now resolve correctly (@Who828)
  - redirects across hosts now work on rubies without OpenSSL (#2686, @grddev)
  - gemspecs now handle filenames with newlines (#2634, @jasonmp85)
  - support escaped characters in usernames and passwords (@punkie)
  - no more exception on `update GEM` without lock file (@simi)
  - allow long config values (#2823, @kgrz)
  - cache successfully even locked to gems shipped with Ruby (#2869, @aughr)
  - respect NO_PROXY even if a proxy is configured (#2878, @stlay)
  - only retry git commands that hit the network (#2899, @timmoore)
  - fix NameError regression when OpenSSL is not available (#2898, @timmoore)
  - handle exception installing when build_info owned by root (@Who828)
  - skip HTTP redirects from rubygems.org, huge speed boost (@Who828)

Features:

  - resolver rewritten to avoid recursion (@Who828)
  - add `git_source` for custom options like :github and :gist (@strzalek)
  - HTTP auth may now be stored in `bundle config` (@smashwilson)
  - some complex Gemfiles are resolved up to 10x faster (@Who828)
  - add support for IRB alternatives such as Pry and Ripl (@joallard, @postmodern)
  - highlight installed or updated gems (#2722, #2741, @yaotti, @simi)
  - display the `post_install_message` for gems installed via :git (@phallstrom)
  - `bundle outdated --strict` now only reports allowed updates (@davidblondeau)
  - `bundle show --verbose` Add gem summary to the output (@lardcanoe)
  - `bundle gem GEM --ext` now generates a skeleton for a C extension (@superdealloc)
  - Avoid using threequals operator where possible (@as-cii)

Documentation:

  - Add missing switches for bundle-install(1) and bundle-update(1) (@as-cii)

(taca)

+ cmake-3.0.2 [wip], cups-filters-1.0.59, easytag-2.2.4, ffmpeg2-2.4.1,
  firefox-32.0.3, glibmm-2.42.0, gnome-3.14, gnucash-2.6.4,
  gst-plugins1-base-1.4.3, gstreamer1-1.4.3, gtkmm-3.14.0,
  help2man-1.46.3, lgogdownloader-2.18, libdrm-2.4.58, libsodium-1.0.0,
  meld-3.12.0, musicpd-0.18.16, neon-0.30.1, pcre-8.36, poppler-0.26.5,
  py-foolscap-0.7.0, py-html2text-2014.9.25, py-ldap-2.4.17,
  py-psutil-2.1.2, py-setuptools-6.0.1, py-test-2.6.3, qemu-2.1.2,
  webkit-gtk-2.6.0, x264-devel-20140927.

(wiz)

Updated graphics/netpbm to 10.67.05nb2.

(gson)

Revert the shell used to run netpbm commands implemented as shell
scripts from bash to sh, to limit exposure to any still-unfixed or
still-undiscovered bash vulnerabilities.

A quick review of the shell scripts did not turn up any obvious
bashishms.  Hopefully they have all been fixed already, but if not,
I'd still rather have one or two scripts be broken (and volunteer to
fix any breakage reported) than have all of them be vulnerable to bash
bugs.

Approved by agc.

(gson)

Requires zlib.

(jperkin)

Don't use non-POSIX brace expansion.

(jperkin)

Don't use non-POSIX brace expansion.

(jperkin)

Updated shells/bash to 4.3.027

(wiz)

Add another upstream security fix patch. Welcome to 4.3.027.

(wiz)

Minimally invasive fix for CVE-2014-4330, also known as
https://www.lsexperts.de/advisories/lse-2014-06-10.txt,
a stack overflow vulnerability in Data::Dumper

Patches taken from
http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304,
to be removed when updating to 5.20.1 (or later).

perl-5.20.0nb2 is fit for pkg_add -u replacement of perl-5.20.0nb1

(spz)

Requires lex and yacc.

(jperkin)

Requires lex.

(jperkin)

Make compiler wrapper add RPATH.

(asau)

Note update of www/php-ja-wordpress package to 3.9.2.

(taca)

Update php-ja-wordpress to 3.9.2, latest stable release of 3.9, which
should fix security problems as wordpress 3.9.2.

(taca)

Note update of www/php-concrete5 package to 5.6.3.2.

(taca)

Update to 5.6.3.2, latest release of 5.6, which should be fixed security
problem of 5.6.1.2.

Changes are too many and please refer these release notes.

http://www.concrete5.org/documentation/background/version_history/5-6-2-release-notes/
http://www.concrete5.org/documentation/background/version_history/5-6-2-1-release-notes/
http://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes/
http://www.concrete5.org/documentation/background/version_history/5-6-3-1-release-notes/
http://www.concrete5.org/documentation/background/version_history/5-6-3-2/

(taca)

Updated www/mediawiki to 1.23.4

(wen)

Update to 1.23.4(security update)

Upstream changes:
MediaWiki 1.23.4
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.3
(bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
(bug 65998) Make MySQLi work with non-standard socket.
(bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config settings.

(wen)

just for fun to modularize uim package, but that's all, useless for me.

(obache)

probably imported for uim package improvement, but not interesting for myself.

(obache)

just imported for gnome-mag package improvement, but not used by myself.

(obache)

I don't remember why I imported and updated this package.

(obache)

not interesting anymore.

(obache)

not using.

(obache)

Updated net/knot to 1.4.7

(pettai)

v1.4.7 - Jun 18, 2014
---------------------
Bugfixes:
        * Fixed DDNS corner cases
        * Fixed zone EXPIRE timer
        * Fixed semantic checks false positives
        * Fixed sending malformed IXFR with automatic DNSSEC
        * Fixed NAPTR record serialization

(pettai)

Updated security/py-hsm to 1.0.4k

(pettai)

Version 1.0.4k (released 2014-09-18)

* yhsm-db-import, yhsm-db-export: Fix syntax error.

Version 1.0.4j (released 2014-09-16)

* yhsm-yubikey-ksm: Fix syntax error.

Version 1.0.4i (released 2014-09-16)

* yhsm-yubikey-ksm: Add --daemon.
* yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.
* yhsm-db-import, yhsm-db-export: New tools to do database import/export.
* Documentation cleanup.

(pettai)

Updated security/libyubikey to 1.12

(pettai)

Version 1.12 (released 2014-06-11)

* Rewrote man pages using Asciidoc.

(pettai)

Updated net/nsd to 4.1.0

(pettai)

4.1.0
================
FEATURES:
        - database: "" starts without mmap of database.  Less memory is used,
          zones are read from text zonefile.
        - optimised zonefile parse code and zonefile write code.
        - zonefiles-write option in nsd.conf, enabled when database is "".
          The server writes changed zonefiles to disk every hour.
        - xfrdfile: "" disables xfrd.state.  If enabled, zones that are
          same as before are not checked for a serial update at server start.
        - include: "foo/nsd.d/*.conf" works, wildcard glob on includes.
        - nsd shuts down during init process if given signal.
        - log-time-ascii option, default yes, with readable timestamp in log.
        - nsd-control addzone reports if zone already exists.
        - Fix #564: add nsd-checkzone tool to check zonefile correctness.
        - Increased default --with-max-ips from 8 to 16, this increases the
          number of interfaces you can specify in nsd.conf to listen to.
BUG FIXES:
        - Fixed shutdown message sporadically not printed on exit.
        - Documented zonefile %s syntax in nsd.conf man page.
        - Fix manpage to put colon after zonefiles check and write.
        - Change from 'Zone" to "zone" with ".. serial .. is updated" log
          message.
        - Changed maxbackoff for no-content secondary zones from 4h to 24h.
        - Fix print filename of encompassing config file on read failure.
        - Fix delete or rename of a lot of zones and make it take a
          non-enormous time.
        - Speed up deletion of zone contents a lot, (56s to 1s), speeds up
          delete, rename and AXFR for zones.
        - Fix #571: unused variable and incompatible pointer warnings when
          compiled on a system without INET6.
        - Fix write_socket return value check in server.c
        - Fix that xfrd reaps children also if the signal is lost.
        - Fix #577: makefile incorrectly installed manpages from srcdir.
        - Fix #587: Default value for statistics is 0.
        - Fix #553: Improve TXT parsing.
        - Fix #590: rrl log does not print wildcard as a star but escaped.
        - Fix #591: rrl log messages at verbosity level 1.
        - fix strptime implicit declaration error on OpenBSD.
        - Fix -O3 compile flag to -O2 to avoid miscompilations.
        - Allow user to override the -g -O2 CFLAGS in ./configure.
        - Fix endian.h include for OpenBSD.
        - Fix #600: document that provide-xfr provides AXFR and not IXFR.
        - Fix rising-load-average or memory-leaks in OSes (Linux since 2.6),
          that keep track of all past process parents, or leak memory
          for them.  Fix makes it so there is no very deep string of
          process parents.
        - Remove .LP after .SH in man pages.

(pettai)

Updated security/ykclient to 2.12

(pettai)

Version 2.12 (released 2013-10-18)

* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
  Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
  Uses a more reasonable/extensible URL string syntax.  The old
  ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.

(pettai)

Updated security/ykpers to 1.15.3

(pettai)

Version 1.15.3 (released 2014-09-04)

* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.

Version 1.15.2 (released 2014-07-30)

* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doinf NDEF writes.

(pettai)

Updated security/opendnssec to 1.4.6

(pettai)

OpenDNSSEC 1.4.6 - 2014-07-21

* Signer Engine: Print secondary server address when logging notify reply
  errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
  signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
  given an expression.

Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
  can't be written zone is still added to database, solved it by checking the
  zonelist.xml.backup is writable before adding zones, and add error message
  when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
  the first time due to RFC 1982 serial arethmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
  ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
  when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ingored notifies log level is changed
  from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.

(pettai)

Updated mail/opendmarc to 1.3.0

(pettai)

1.3.0          2014/07/31
        Integrated SPF checking is now available through the new
                SPFSelfValidate and SPFIgnoreResults settings.
        Feature request #79: Optionally ignore clients that authenticated
                using SMTP AUTH.
        Fix bug #60, part II: Default AuthservID to the name provided by the
                MTA, not the local host name, which is consistent with what
                OpenDKIM does.
        Fix bug #72: Don't crash when From fields are absent.
        Fix bug #74: Change "Forensic" to "Failure" just about everywhere
                to match the language now being used in the base DMARC
                draft.  Note that this also changes some names in the
                configuration file.
        Fix bug #75: Correct typo in MIME of forensic reports.
        Fix bug #76: Repair damage with respect to Authentication-Results
                header field selection.
        Fix bug #77: Request quarantine from the MTA during option
                negotiation.
        Fix bug #78: Add missing newline in forensic report header.
        Fix bug #90: Make "--with-sql-backend" without any value do the
                right thing.
        Fix bug #93: Honor size limits in URIs.
        Make "smime" and "rrvs" legal Authentication-Results methods.
        Provide better logging when pclose() for a forensic report returns
                non-zero.
        Add configuration support for internal SPF checks.  Includes hooks in
                the milter to check that SPF is configured to do so.
                This can use a private SPF implementation or libspf2.
        Fix strlcat() and strlcpy() support for Debian.
        REPORTS: Feature request #80: Generate aggregate reports on UTC
                day boundaries.
        REPORTS: Feature request #84: Optionally expire old data from
                lower-growth tables.
        REPORTS: Fix bug #70: Fix date range generation in reports.
        REPORTS: Fix bug #82: Fix recording of report timestamp to avoid lost
                records.
        REPORTS: Fix bug #83: When expiring data, truncate the signatures table
                if all messages were expired..
        REPORTS: Fix bug #85: Report subdomain policy.
        LIBOPENDMARC: Fix bug #71: Fix "rua" extraction from DMARC records.
        LIBOPENDMARC: Added support for milter to perform own spf checks.
                Three new files: opendmarc_spf.c, opendmard_spf_dns.c and
                test/test_spf.cl, allow integrated SPF support.  Support for
                use of libspf2 is also provided.

(pettai)

Drop maintainershop.

I'm never using this package, please take someone else really using this.

(obache)

Updated net/mikutter to 3.0.6nb1

(obache)

Drop dependency on xdg-utils.

We have no well-configured standard desktop system, so xdg-utils is useless.
Furthermore, honor "hate bash" users.

(obache)

Fixes MASTER_SITES due to HOMEPAGE url change.

(obache)

Updated graphics/feh to 2.12

(szptvlfn)

Update to feh-2.12
This is a leaf package, OK by wiz@.

ChangeLog:
Thu, 15 May 2014 23:41:07 +0200  Daniel Friesel <derf+feh@finalrewind.org>

* Releasev v2.12
    * feh-cam and gen-cam-menu are no longer installed by default. Use
      'make install cam=1' to install them or 'make uninstall cam=1 && make
      install cam=0' to remove them permanently
    * feh no longer depends on giblib. Instead, the relevant parts of the
      giblib source were imported into the feh source.
      Rationale: giblib is unmaintained and, as far as I know, only used by
      three projects (one of which is feh). There is at least one known bug
      in it, and as I do not have the time to take over giblib development,
      importing the library seems to be the best solution.
    * Fix/improve --randomize for short filelists (closes #151)
    * Fix a buffer overflow in the printf implementation when handling unknown
      format specifiers (affects --action, --customlist, --index-info, --info,
      --thumb-title and --title)
    * Update help (if built with help=1)

Sun, 27 Apr 2014 20:28:02 +0200  Daniel Friesel <derf+feh@finalrewind.org>

* Release v2.11
    * Patch by Michael Vorburger: Fix erroneous free() in case of failed
      scandir (closes #140, #147)
    * Patch by rangerer: --randomize: re-randomize after list is through
      (closes #154)
    * When setting a wallpaper from a URL, do not try to store it as
      absolute path in .fehbg (closes #153)
    * Add --scroll-step <px> option to change scroll_{up,left,down,right}
      scroll offset in pixels
    * feh(1): Escape %V (interpreted as mdoc macro)
      (closes debian #745467)
    * Respect --image-bg=checks in fullscreen mode (default remains black)
      (closes #156)

Fri, 28 Feb 2014 18:20:25 +0100  Daniel Friesel <derf+feh@finalrewind.org>

* Release v2.10
    * Allow non-centered wallpapers using the --geometry option
      (Patch by Joel Bradshaw)
    * Add ; flag to --info (as in "--info ';echo foo'") to disable info
      display on startup
    * Partially fix off-by-one pixel error when warping the pointer in the
      bottom/right window border
    * thumbnail mode: If --action is set, run specified command instead of
      opening image on click.
    * feh.desktop: Use feh %F since we support multiple files
    * Fix --borderless not working on some 64bit systems
      (Patch by Brian Mattern)
    * Always use absolute paths in .fehbg

(szptvlfn)

Updated net/dhcpcd to 6.4.7

(roy)

Import dhcpcd-6.4.7 with the following changes:
  *  make test works again
  *  Many bounds checking fixes from Tobias Stoeckmann
  *  Improve error when the authentication token cannot be found
  *  close the IPv4 specific UDP socket when done sending
  *  Implemented a write queue to the control sockets
  *  Only send interfaces to control sockets when in a BOUND state
  *  Add a sample controlgroup directive to dhcpcd.conf to make setup easier
  *  Add variables if_oneup and if_ipwaited so hook scripts know the overall
    state of dhcpcd better
  *  Pass RC_SVCNAME from enviromment to hooks so that a service hook can
    know it's name (may not be dhcpcd)
  *  Document every variable set for dhcpcd-run-hooks(8)
  *  Use the nl80211 interface on Linux to get the wireless SSID if we fail
    to get it via WEXT
  *  Allow SSIDs with non printable characters to be used in ssid selection
    in dhcpcd.conf
  *  Add an unprivileged control socket so that normal users can obtain
    dhcpcd running state
  *  Remove all instances of if_indextoname as we already know the index
  *  Only bring in linux/ipv6.h for linux AND glibc
  *  Add _DEFAULT_SOURCE #define to to make glibc-2.20 happy
  *  Check we have allocated IPv6 resources before checkings RA's
  *  configure errors are now logged to config.log
  *  Only hunt for a cross compiler if build != host
  *  Detect removal of IPv6 routes
  *  Don't add link-local addresses to POINTOPOINT interfaces
  *  Don't discard expired DHCPv6 leases when dumping them
  *  If a DHCPv6 lease has no timers, expire it right away
  *  Report delegated addresses
  *  Call dhcpcd-run-hooks correctly when delegated prefixes already exist
  *  Fix a memory error when ia_* config exists but IPv6 is disabled
  *  Ensure servername and bootfile are safely exported
  *  Sanitise the following characters using svis(3) with VIS_CTYLE and
    VIS_OCTAL:
        | ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
    This allows a non buggy unvis(1) to decode it 100% and stays compatible
    with how dhcpcd used to handle encoding on most platforms.
    For systems that supply svis(3) there is a code reduction, for systems
    that do not, a slight code increase. This change mitigates systems
    affected by bash CVE-2014-6271 and CVE-2014-7169.

OK: jperkin@

(roy)

Really fix pkglocaledir.

(jperkin)

Use tr to handle differences between unzip implementations.

(jperkin)

Iterate over directories in order, fixes issue seen with BSD chmod.

(jperkin)

Use tr to handle differences between unzip implementations.

(jperkin)

Use tr to handle differences between unzip implementations.

(jperkin)

Use tr to handle differences between unzip implementations.

(jperkin)

bring bash2 up to speed since people don't seem to think it can be removed.

(christos)

use the official version of the parse.y patch.

(christos)

Updated security/pinepgp to 0.18.0nb4

(mspo)

switch dep to shells/bash instead of explicit bash2; in response to shellshock

(mspo)

Revert unintended part of previous. Discussed with spz.

(wiz)

Updated lang/go to 1.3.2

(wiz)

Update to 1.3.2 for a security fix:

We've just released Go version 1.3.2, a minor point release.

This release includes bug fixes to cgo and the crypto/tls package.
    https://golang.org/doc/devel/release.html#go1.3.minor

The crpyto/tls fix addresses a security bug that affects programs
that use crypto/tls to implement a TLS server from Go 1.1 onwards.
If the server enables TLS client authentication using certificates
(this is rare) and explicitly sets SessionTicketsDisabled to true
in the tls.Config, then a malicious client can falsely assert
ownership of any client certificate it wishes. This issue was
discovered internally and there is no evidence of exploitation.

(wiz)

Mark explicitly as broken due to incompatibility with current versions
of libwpg and co.

(joerg)

SunOS requires -lsocket -lnsl.

(jperkin)

Updated sysutils/xenkernel41 to 4.1.6.1nb11

(bouyer)

Add patch for:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts

bump PKGREVISION

(bouyer)

Updated sysutils/xenkernel42 to 4.2.5
Updated sysutils/xentools42 to 4.2.5

(bouyer)

Update xentools42 and xenkernel42 to Xen 4.2.5, fixing:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
  created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests

pkgsrc also includes patches from the Xen Security Advisory:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts

(bouyer)

Update xentools42 and xenkernel42 to Xen 4.2.5, fixing:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
  created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests

pkgsrc also includes patches from the Xen Security Advisory:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts

(bouyer)

current bootstrap binary kit for SmartOS is built with ncurses5

(obache)

security update fixing:
- Incorrect DigestInfo validation in NSS (CVE-2014-1568)
- RSA signature verification vulnerabilities in parsing of DigestInfo
(see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html)

(spz)

SunOS needs -lsocket.

(jperkin)

bump pkgrevision for previous

(jmcneill)

Disable function import by default, enabled only with -import-functions.

(christos)

Requires USE_TOOLS+=pkg-config.

(jperkin)

USE_TOOLS+=gm4, requires -I support.

(jperkin)

SunOS needs -lsocket -lnsl.

(jperkin)

Try to only chmod extracted files, recursively chmod'ing WRKDIR runs
into problems with e.g. TOOLS_DIR.

(jperkin)

SunOS needs an explicit -lX11.

(jperkin)

Requires zlib.

(jperkin)

Extract using bsdtar, GNU tar cannot handle pre-1970 timestamps.

(jperkin)

Ensure the correct msgfmt tools are picked up.

(jperkin)

Requires OpenSSL and BerkeleyDB.

(jperkin)

Requires editline.

(jperkin)

Requires OpenSSL.

(jperkin)

Pass correct location to OpenSSL.

(jperkin)

Pass correct location of OpenSSL.

(jperkin)

Requires USE_TOOLS+=flex.

(jperkin)

Pass correct location to OpenSSL.

(jperkin)

Requires OpenSSL.

(jperkin)

Fix TOOLS_DIR reference in installed file.

(jperkin)

Force file from pkgsrc on SunOS, it needs stdin support.

(jperkin)

Needs -lsocket on SunOS.  Also required libpcap.

(jperkin)

Fix build on SunOS (needs -lsocket -lnsl and strings.h for bzero()).

(jperkin)

Add SunOS 5.10+ to the NOT_FOR_PLATFORMS list.

(jperkin)

SunOS needs -lnsl -lresolv.

(jperkin)

Mark as not for SunOS, has hardcoded BSD/Linux support.

(jperkin)

Solaris build fix

(prlw1)

Fix empty shell 'if's.  Uses libiconv.

(jperkin)

Fix pkglocaledir.

(jperkin)

Requires USE_TOOLS+=lex.

(jperkin)

Avoid sys/dir.h on SunOS.

(jperkin)

SunOS needs -lsocket -lnsl.

(jperkin)

Make bdb a suggested option.  The package doesn't actually build without
a bdb present.  Not bumping PKGREVISION as the only way the package would
have built previously is by using a builtin version anyway.

(jperkin)

Fix IPv6 build on SunOS 5.10 and newer.

(jperkin)

Add fix for CVE-2014-7169.

(tron)

Support builtin libmilter.

(jperkin)

Support builtin libmilter.

(jperkin)

Apply some patches to get the build further on SunOS.  May build
depending on compiler.

(jperkin)

Remove broken CPPFLAGS.SunOS.

(jperkin)

Fix PLIST for SunOS.

(fhajny)

Ensure we use a sane shell.  Fixes build on SunOS.

(jperkin)

Don't define _XOPEN_SOURCE to a bogus value on SunOS.

(jperkin)

Fix build on SunOS, use portable egrep construct.

(jperkin)

Fix build on SunOS.  Make it more likely that other OPSYS can build this
package too.

(jperkin)

Make diff call portable. Fixes ruby-clearsilver on SunOS at least.

(fhajny)

Put back Mac distfile, lost in previous update.

(jperkin)

strerror() fixes for SunOS.

(jperkin)

Use -d rather than non-portable --make-directories cpio argument.

(jperkin)

When using EXTRACT_ELEMENTS with wildcards we need to set EXTRACT_USING
to bsdtar, as the default tar implementation may be GNU tar which
requires explicitly using --wildcards for inclusion matches.

(jperkin)