pkgsrc-2024Q1 commitmail json YAML
Mention pullup ticket #6855
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/www/firefox115-l10n/Makefile@1.6.2.2 / diff
pkgsrc/www/firefox115-l10n/distinfo@1.6.2.2 / diff
pkgsrc/www/firefox115/Makefile@1.17.2.2 / diff
pkgsrc/www/firefox115/distinfo@1.6.2.2 / diff
Pullup ticket #6855 - requested by gutteridge
www/firefox115: security fix
www/firefox115-lang: dependent update
Revisions pulled up:
- www/firefox115-l10n/Makefile 1.8
- www/firefox115-l10n/distinfo 1.8
- www/firefox115/Makefile 1.21
- www/firefox115/distinfo 1.9
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Tue May 14 17:57:00 UTC 2024
Modified Files:
pkgsrc/www/firefox115: Makefile distinfo
Log Message:
firefox115: update to 115.11.0
* Fixes for mfsa2024-22, also known as:
CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769,
CVE-2024-4770, CVE-2024-4777
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Tue May 14 17:59:57 UTC 2024
Modified Files:
pkgsrc/www/firefox115-l10n: Makefile distinfo
Log Message:
firefox115-l10n: update to 115.11.0
pkgsrc-2024Q1 commitmail json YAML
Pullup #6848bis: add the change to lang/php/phpversion.mk for PHP83_VERSION
that pullup #6848 was supposed to contain but didn't.
pkgsrc-2024Q1 commitmail json YAML
Mention pullup tickets #6851 and #6852
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/net/bind916/Makefile@1.69.2.1 / diff
pkgsrc/net/bind916/distinfo@1.54.2.1 / diff
pkgsrc/net/bind916/patches/patch-lib_ns_query.c@1.2.28.1 / diff
Pullup ticket #6852 - requested by taca
net/bind916: blocklist handling fix (PR bin/58170)
Revisions pulled up:
- net/bind916/Makefile 1.70-1.72
- net/bind916/distinfo 1.55-1.56
- net/bind916/patches/patch-lib_ns_query.c 1.3
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Apr 5 14:01:01 UTC 2024
Modified Files:
pkgsrc/audio/forked-daapd: Makefile
pkgsrc/audio/mixxx: Makefile
pkgsrc/audio/strawberry: Makefile
pkgsrc/audio/termusic: Makefile
pkgsrc/biology/plinkseq: Makefile
pkgsrc/chat/ekg: Makefile
pkgsrc/chat/libgadu: Makefile buildlink3.mk
pkgsrc/chat/mumble: Makefile
pkgsrc/databases/mysql80-server: Makefile
pkgsrc/databases/postgresql-postgis2: Makefile
pkgsrc/devel/compizconfig-backend-gconf: Makefile buildlink3.mk
pkgsrc/devel/libcompizconfig: Makefile buildlink3.mk
pkgsrc/devel/protobuf: buildlink3.mk
pkgsrc/devel/protobuf-c: Makefile buildlink3.mk
pkgsrc/devel/py-compizconfig: Makefile buildlink3.mk
pkgsrc/finance/bitcoin: Makefile
pkgsrc/geography/qgis: Makefile
pkgsrc/graphics/digikam: Makefile
pkgsrc/graphics/opencv: Makefile buildlink3.mk
pkgsrc/graphics/opencv-contrib-face: Makefile buildlink3.mk
pkgsrc/graphics/py-Willow: Makefile
pkgsrc/misc/marble: Makefile
pkgsrc/multimedia/vlc: Makefile
pkgsrc/net/bind916: Makefile
pkgsrc/net/bind918: Makefile
pkgsrc/net/frr: Makefile
pkgsrc/net/grpc: Makefile buildlink3.mk
pkgsrc/net/kopete: Makefile
pkgsrc/net/mosh: Makefile
pkgsrc/net/py-grpcio: Makefile
pkgsrc/net/py-grpcio-tools: Makefile
pkgsrc/net/qt6-qtgrpc: Makefile buildlink3.mk
pkgsrc/net/ratman: Makefile
pkgsrc/net/unbound: Makefile
pkgsrc/sysutils/collectd-grpc: Makefile
pkgsrc/sysutils/collectd-pinba: Makefile
pkgsrc/sysutils/collectd-riemann: Makefile
pkgsrc/sysutils/collectd-write_prometheus: Makefile
pkgsrc/sysutils/riemann-client: Makefile
pkgsrc/wm/ccsm: Makefile
Log Message:
*: recursive bump for protobuf 26.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 18 13:39:53 UTC 2024
Modified Files:
pkgsrc/net/bind916: Makefile distinfo
Log Message:
net/bind916: update to 9.16.50
9.16.50 (2024-04-17)
This release marks the end of maintenance for the BIND 9.16 branch.
6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
[GL #4580]
6338. [func] Optimize slabheader placement, so the infrastructure
records are put in the beginning of the slabheader
linked list. [GL !8675]
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 20 14:01:08 UTC 2024
Modified Files:
pkgsrc/net/bind916: Makefile distinfo
pkgsrc/net/bind916/patches: patch-lib_ns_query.c
Log Message:
net/bind916: fix blocklist handling
Apply change of revision 1.21 in NetBSD base which fixed PR bin/58170.
Bump PKGREVISION.
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/net/bind918/Makefile@1.28.2.1 / diff
pkgsrc/net/bind918/distinfo@1.16.2.1 / diff
pkgsrc/net/bind918/patches/patch-lib_ns_query.c@1.1.12.1 / diff
Pullup ticket #6851 - requested by taca
net/bind918: blocklist handling fix (PR bin/58170)
Revisions pulled up:
- net/bind918/Makefile 1.29-1.31
- net/bind918/distinfo 1.17-1.18
- net/bind918/patches/patch-lib_ns_query.c 1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Apr 5 14:01:01 UTC 2024
Modified Files:
pkgsrc/audio/forked-daapd: Makefile
pkgsrc/audio/mixxx: Makefile
pkgsrc/audio/strawberry: Makefile
pkgsrc/audio/termusic: Makefile
pkgsrc/biology/plinkseq: Makefile
pkgsrc/chat/ekg: Makefile
pkgsrc/chat/libgadu: Makefile buildlink3.mk
pkgsrc/chat/mumble: Makefile
pkgsrc/databases/mysql80-server: Makefile
pkgsrc/databases/postgresql-postgis2: Makefile
pkgsrc/devel/compizconfig-backend-gconf: Makefile buildlink3.mk
pkgsrc/devel/libcompizconfig: Makefile buildlink3.mk
pkgsrc/devel/protobuf: buildlink3.mk
pkgsrc/devel/protobuf-c: Makefile buildlink3.mk
pkgsrc/devel/py-compizconfig: Makefile buildlink3.mk
pkgsrc/finance/bitcoin: Makefile
pkgsrc/geography/qgis: Makefile
pkgsrc/graphics/digikam: Makefile
pkgsrc/graphics/opencv: Makefile buildlink3.mk
pkgsrc/graphics/opencv-contrib-face: Makefile buildlink3.mk
pkgsrc/graphics/py-Willow: Makefile
pkgsrc/misc/marble: Makefile
pkgsrc/multimedia/vlc: Makefile
pkgsrc/net/bind916: Makefile
pkgsrc/net/bind918: Makefile
pkgsrc/net/frr: Makefile
pkgsrc/net/grpc: Makefile buildlink3.mk
pkgsrc/net/kopete: Makefile
pkgsrc/net/mosh: Makefile
pkgsrc/net/py-grpcio: Makefile
pkgsrc/net/py-grpcio-tools: Makefile
pkgsrc/net/qt6-qtgrpc: Makefile buildlink3.mk
pkgsrc/net/ratman: Makefile
pkgsrc/net/unbound: Makefile
pkgsrc/sysutils/collectd-grpc: Makefile
pkgsrc/sysutils/collectd-pinba: Makefile
pkgsrc/sysutils/collectd-riemann: Makefile
pkgsrc/sysutils/collectd-write_prometheus: Makefile
pkgsrc/sysutils/riemann-client: Makefile
pkgsrc/wm/ccsm: Makefile
Log Message:
*: recursive bump for protobuf 26.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Apr 18 13:37:53 UTC 2024
Modified Files:
pkgsrc/net/bind918: Makefile distinfo
Log Message:
net/bind918: update to 9.18.62
9.18.26 (2024-04-17)
6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
[GL #4580]
6363. [bug] dig/mdig +ednsflags=<non-zero-value> did not re-enable
EDNS if it had been disabled. [GL #4641]
6361. [bug] Some invalid ISO 8601 durations were accepted
erroneously. [GL #4624]
6360. [bug] Don't return static-stub synthesised NS RRset.
[GL #4608]
6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
6351. [protocol] Support for the RESINFO record type has been added.
[GL #4413]
6346. [bug] Cleaned up several minor bugs in the RBTDB dbiterator
implementation. [GL !8741]
6345. [bug] Added missing dns_rdataset_disassociate calls in
validator.c:findnsec3proofs. [GL #4571]
6340. [test] Fix incorrectly reported errors when running tests
with `make test` on platforms with older pytest.
[GL #4560]
6338. [func] Optimize slabheader placement, so the infrastructure
records are put in the beginning of the slabheader
linked list. [GL !8675]
6334. [doc] Improve ARM parental-agents definition. [GL #4531]
6333. [bug] Fix the DNS_GETDB_STALEFIRST flag, which was defined
incorrectly in lib/ns/query.c. [GL !8683]
6330. [doc] Update ZSK minimum lifetime documentation in ARM, also
depends on signing delay. [GL #4510]
6328. [func] Add workaround to enforce dynamic linker to pull
jemalloc earlier than libc to ensure all memory
allocations are done via jemalloc. [GL #4404]
6326. [bug] Changes to "listen-on" statements were ignored on
reconfiguration unless the port or interface address was
changed, making it impossible to change a related
listener transport type. Thanks to Thomas Amgarten.
[GL #4518] [GL #4528]
6325. [func] Expose the TCP client count in statistics channel.
[GL #4425]
6324. [bug] Fix a possible crash in 'dig +nssearch +nofail' and
'host -C' commands when one of the name servers returns
SERVFAIL. [GL #4508]
6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
the zone where not being updated to match the policy.
This lead to failures when DNSKEYs where updated as the
TTLs mismatched. [GL #4466]
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 20 14:02:40 UTC 2024
Modified Files:
pkgsrc/net/bind918: Makefile distinfo
pkgsrc/net/bind918/patches: patch-lib_ns_query.c
Log Message:
net/bind918: fix blocklist handling
Apply change of revision 1.21 in NetBSD base which fixed PR bin/58170.
Bump PKGREVISION.
pkgsrc-2024Q1 commitmail json YAML
Mention pullup tickets #6846 and #6850
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/www/firefox115-l10n/Makefile@1.6.2.1 / diff
pkgsrc/www/firefox115-l10n/distinfo@1.6.2.1 / diff
pkgsrc/www/firefox115/Makefile@1.17.2.1 / diff
pkgsrc/www/firefox115/distinfo@1.6.2.1 / diff
Pullup ticket #6850 - requested by gutteridge
www/firefox115: security fix
www/firefox115-l10n: dependent update
Revisions pulled up:
- www/firefox115-l10n/Makefile 1.7
- www/firefox115-l10n/distinfo 1.7
- www/firefox115/Makefile 1.20
- www/firefox115/distinfo 1.7
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Wed Apr 17 13:42:45 UTC 2024
Modified Files:
pkgsrc/www/firefox115: Makefile distinfo
Log Message:
firefox115: update to 115.10.0
* Fixes for mfsa2024-19, also known as:
CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-2609,
CVE-2024-3859, CVE-2024-3861, CVE-2024-3302, CVE-2024-3864.
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Wed Apr 17 13:46:55 UTC 2024
Modified Files:
pkgsrc/www/firefox115-l10n: Makefile distinfo
Log Message:
firefox115-l10n: update to 115.10.0
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/net/mirror/Makefile@1.46.14.1 / diff
pkgsrc/net/mirror/distinfo@1.9.20.1 / diff
pkgsrc/net/mirror/patches/patch-ac@1.5.102.1 / diff
pkgsrc/net/mirror/patches/patch-ad@1.5.176.1 / diff
pkgsrc/net/mirror/patches/patch-ae@1.7.102.1 / diff
pkgsrc/net/mirror/patches/patch-ag@1.2.102.1 / diff
pkgsrc/net/mirror/patches/patch-lsparse.pl@1.1.2.2 / diff
Pullup ticket #6846 - requested by bouyer
net/mirror: build fix
Revisions pulled up:
- net/mirror/Makefile 1.47
- net/mirror/distinfo 1.10-1.11
- net/mirror/patches/patch-ac 1.6
- net/mirror/patches/patch-ad 1.6
- net/mirror/patches/patch-ae 1.8-1.9
- net/mirror/patches/patch-ag 1.3
- net/mirror/patches/patch-lsparse.pl 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Thu Apr 11 10:23:44 UTC 2024
Modified Files:
pkgsrc/net/mirror: Makefile distinfo
pkgsrc/net/mirror/patches: patch-ac patch-ad patch-ae patch-ag
Added Files:
pkgsrc/net/mirror/patches: patch-lsparse.pl
Log Message:
Fix warning:
Old package separator "'" deprecated at ...
Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: bouyer
Date: Thu Apr 11 17:11:01 UTC 2024
Modified Files:
pkgsrc/net/mirror: distinfo
pkgsrc/net/mirror/patches: patch-ae
Log Message:
Remove $Id: from patch-ae, so that CVS doesn't change it
Regen distinfo
pkgsrc-2024Q1 commitmail json YAML
Mention PHP updates
pkgsrc-2024Q1 commitmail json YAML
Pullup ticket #6849 - requested by taca
lang/php81: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.429
- lang/php81/distinfo 1.32
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 13 02:53:35 UTC 2024
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php81: distinfo
Log Message:
lang/php81: update to 8.1.27
This release includes security fixes.
11 Apr 2024, PHP 8.1.28
- Standard:
. Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
. Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/lang/php/phpversion.mk@1.426.2.2 / diff
pkgsrc/lang/php83/distinfo@1.5.2.1 / diff
pkgsrc/lang/php83/patches/patch-configure@1.3.2.1 / diff
Pullup ticket #6848 - requested by taca
lang/php83: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.428
- lang/php83/distinfo 1.6
- lang/php83/patches/patch-configure 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 13 02:51:54 UTC 2024
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php83: distinfo
pkgsrc/lang/php83/patches: patch-configure
Log Message:
lang/php83: update to 8.3.5
This release includes security fixes.
11 Apr 2024, PHP 8.3.5
- Core:
. Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when
scanning WeakMaps). (Arnaud)
. Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
(nielsdos)
. Fixed bug GH-13446 (Restore exception handler after it finishes). (ilutov)
. Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
. Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
destructor). (Arnaud)
- DOM:
. Add some missing ZPP checks. (nielsdos)
. Fix potential memory leak in XPath evaluation results. (nielsdos)
- FPM:
. Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
(Jakub Zelenka)
. Fix incorrect check in fpm_shm_free(). (nielsdos)
- GD:
. Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)
- Gettext:
. Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
with category set to LC_ALL. (David Carlier)
- MySQLnd:
. Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
. Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)
- Opcache:
. Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
(Arnaud, Dmitry)
. Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
method of internal trait when opcache is loaded). (Bob)
- Random:
. Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
modes). (timwolla)
. Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
requests when MT_RAND_PHP is used). (timwolla)
- Session:
. Fixed bug GH-13680 (Segfault with session_decode and compilation error).
(nielsdos)
- SPL:
. Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)
- Standard:
. Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
. Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
(SakiTakamachi)
. Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
(divinity76)
. Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
. Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some
inputs). (CVE-2024-2757) (Alex Dowad)
pkgsrc-2024Q1 commitmail json YAML
pkgsrc/lang/php/phpversion.mk@1.426.2.1 / diff
pkgsrc/lang/php82/distinfo@1.19.2.1 / diff
pkgsrc/lang/php82/patches/patch-configure@1.17.2.1 / diff
Pullup ticket #6847 - requested by taca
lang/php82: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.427
- lang/php82/distinfo 1.20
- lang/php82/patches/patch-configure 1.18
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Apr 13 02:49:41 UTC 2024
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php82: distinfo
pkgsrc/lang/php82/patches: patch-configure
Log Message:
lang/php82: update to 8.2.18
This release includes security fixes.
11 Apr 2024, PHP 8.2.18
- Core:
. Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
(nielsdos)
. Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
. Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
destructor). (Arnaud)
- DOM:
. Add some missing ZPP checks. (nielsdos)
. Fix potential memory leak in XPath evaluation results. (nielsdos)
. Fix phpdoc for DOMDocument load methods. (VincentLanglet)
- FPM
. Fix incorrect check in fpm_shm_free(). (nielsdos)
- GD:
. Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)
- Gettext:
. Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
with category set to LC_ALL. (David Carlier)
- MySQLnd:
. Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
. Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)
- Opcache:
. Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
(Arnaud, Dmitry)
. Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
method of internal trait when opcache is loaded). (Bob)
- PDO:
. Fix various PDORow bugs. (Girgias)
- Random:
. Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
modes). (timwolla)
. Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
requests when MT_RAND_PHP is used). (timwolla)
- Session:
. Fixed bug GH-13680 (Segfault with session_decode and compilation error).
(nielsdos)
- Sockets:
. Fixed bug GH-13604 (socket_getsockname returns random characters in the end
of the socket name). (David Carlier)
- SPL:
. Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized
in PHP 8.2.15). (nielsdos)
. Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)
- Standard:
. Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
. Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
(SakiTakamachi)
. Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
(divinity76)
. Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
. Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
- XML:
. Fixed bug GH-13517 (Multiple test failures when building with
--with-expat). (nielsdos)
Pullup tickets up to #6845
pkgsrc/www/php-concrete-cms/Makefile@1.2.2.1
pkgsrc/www/php-concrete-cms/PLIST@1.1.2.1
pkgsrc/www/php-concrete-cms/distinfo@1.2.2.1
Pullup ticket #6845 - requested by taca
www/php-concrete-cms: security fix
Revisions pulled up:
- www/php-concrete-cms/Makefile 1.3
- www/php-concrete-cms/PLIST 1.2
- www/php-concrete-cms/distinfo 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Apr 7 13:59:05 UTC 2024
Modified Files:
pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo
Log Message:
www/php-concrete-cms: update to 9.2.8
9.2.8 (2024-04-02)
Bug Fixes
* Fixed bug where c5:info console command would fail when run on a Concrete
webroot if that webroot was not yet an installed Concrete site.
* Fixed bug where logout link in toolbar would not work when user was logged
in as an editor who could not view the Dashboard (thanks ounziw)
Security Updates
* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
fixed it with commit 11988. Prior to the fix, a rogue administrator could
put malicious javascript on the Concrete CMS color setting screen which
would have been triggered by and affected users who accessed
the color settings screen. The Concrete CMS security team gave this
vulnerability a CVSS v3.1 score of 2.0 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Thank you Rikuto Tauchi for reporting HackerOne 2433383.
* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
Filter and fixed it with commit 11988 for version 9 and commit 11989 for
version 8. Prior to the fix, a rogue administrator could add malicious
code in the file manager because of insufficient validation of
administrator provided data. All administrators have access to the File
Manager and hence could create a search filter with the malicious code
attached. The Concrete CMS security team gave this vulnerability a CVSS
v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Thank you Guram (javakhishvili) for reporting HackerOne 949443
* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
fixed it with commit 11988 for version 9 and commit 11989 for version 8.
Prior to the fix, a rogue administrator could insert malicious code in the
custom class field due to insufficient validation of administrator
provided data. Concrete CMS version 9.2.8 and 8.5.13 no longer allow any
non alphanumeric characters in this CSS class. The Concrete CMS security
team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
reporting HackerOne 918129.
* Created and fixed [CVE-2024-3180]
(https://nvd.nist.gov/vuln/detail/CVE-2024-3180) Prior to fix, stored XSS
could be executed by a rogue administrator adding malicious code to the
link-text field when creating a block of type file. Fixed with commit
11988 for version 9 and commit 11989 for version 8. The Concrete CMS
security team gave this vulnerability a CVSS v3.1 score of 3.1 with a
vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev
for reporting HackerOne 903356
* Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix,
stored XSS could be executed by an administrator changing a filter to
which a rogue administrator had previously added malicious code. The
Concrete Team fixed this with commit 11988 for version 9 and commit 11989
for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142
pkgsrc/editors/abiword-plugins/Makefile@1.147.2.1
pkgsrc/editors/abiword-plugins/PLIST@1.14.70.1
Pullup ticket #6844 - requested by taca
editors/abiword-plugins: build fix
Revisions pulled up:
- editors/abiword-plugins/Makefile 1.148
- editors/abiword-plugins/PLIST 1.15
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Mon Apr 1 15:41:08 UTC 2024
Modified Files:
pkgsrc/editors/abiword-plugins: Makefile PLIST
Log Message:
abiword-plugins: fix builds by disabling AbiCollab component
collab no longer builds with boost/asio in some environments, when the
AbiCollab component is built, but that service seems defunct, anyway.
pkgsrc/www/apache24/Makefile@1.123.2.1
pkgsrc/www/apache24/distinfo@1.61.2.1
pkgsrc/www/apache24/patches/patch-configure@1.4.4.1
pkgsrc/www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted
Pullup ticket #6843 - requested by taca
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.124
- www/apache24/distinfo 1.62
- www/apache24/patches/patch-configure 1.5
- www/apache24/patches/patch-modules_filters_mod__xml2enc.c deleted
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Apr 5 09:31:38 UTC 2024
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
pkgsrc/www/apache24/patches: patch-configure
Removed Files:
pkgsrc/www/apache24/patches: patch-modules_filters_mod__xml2enc.c
Log Message:
apache24: updated to 2.4.59
Changes with Apache 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
[ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
[Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA
name lists for SSLCACertificatePath/SSLCADNRequestPath.
Names will now be consistently sorted.
[Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type
or any XML media type per RFC 7303, avoiding
corruption of Microsoft OOXML formats.
[Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one.
[Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
[Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+.
[Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2. [Joe Orton,
Yann Ylavic]
*) core: Allow mod_env to override system environment vars. [Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
operation which removes a directory/file between apr_dir_read() and
apr_stat(). Current behaviour is to abort the connection which seems
inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler.
[Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
notably with OpenSSL >= 3. [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
[Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname or port
part of the URL. [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy.
I hereby declare pull-up season to be open! :)
pkgsrc/sysutils/xentools415/Makefile@1.29.4.1
pkgsrc/sysutils/xentools415/distinfo@1.14.4.1
pkgsrc/sysutils/xentools415/patches/patch-xen_common_libelf_libelf-loader.c@1.1.2.2
pkgsrc/sysutils/xentools418/Makefile@1.4.2.1
pkgsrc/sysutils/xentools418/distinfo@1.2.2.1
pkgsrc/sysutils/xentools418/patches/patch-xen_common_libelf_libelf-loader.c@1.1.2.2
Pullup ticket #6842 - requested by bouyer
sysutils/xentools415: NetBSD 10 bugfix
sysutils/xentools418: NetBSD 10 bugfix
Revisions pulled up:
- sysutils/xentools415/Makefile 1.30
- sysutils/xentools415/distinfo 1.15
- sysutils/xentools415/patches/patch-xen_common_libelf_libelf-loader.c 1.1
- sysutils/xentools418/Makefile 1.5
- sysutils/xentools418/distinfo 1.3
- sysutils/xentools418/patches/patch-xen_common_libelf_libelf-loader.c 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Apr 2 22:01:24 UTC 2024
Modified Files:
pkgsrc/sysutils/xentools415: Makefile distinfo
pkgsrc/sysutils/xentools418: Makefile distinfo
Added Files:
pkgsrc/sysutils/xentools415/patches:
patch-xen_common_libelf_libelf-loader.c
pkgsrc/sysutils/xentools418/patches:
patch-xen_common_libelf_libelf-loader.c
Log Message:
xentools415, xentools418: fix bug in BSD symbol table support for i386:
When computing the size of the ELF symbol table, the code uses
sizeof(Elf64_Shdr) or sizeof(Elf32_Shdr) depending on the kernel being
loaded. But later when computing offsets, the code uses
sizeof(struct elf_sym_header) which contains a union of both Shdr. This results
in an overflow of 64 bytes. Fortunately the code checks the size being copied
with the allocated size and silently ignores the copy if there isn't enough
space. Fortunately as well, the allocated size is rounded up to the next page
boundary, so most of the time there is enough space. Unfortunately, the official
i386 GENERIC kernel from the 10.0 release has the right size to trigger
this bug.
Bump PKGREVISION.
Pullup ticket #6841 - requested by wiz
www/p5-libwww: build fix
Revisions pulled up:
- www/p5-libwww/Makefile 1.143
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Apr 3 07:15:39 UTC 2024
Modified Files:
pkgsrc/www/p5-libwww: Makefile
Log Message:
p5-libwww: p5-Try-Tiny is a runtime dependency, make it so
Bump PKGREVISION
doc: add changes file for pkgsrc-2024Q1