security/libgcrypt: Update to 1.8.3 (bugfix)
- Improve comment in Makefile
- Provide more elaborate port description and update WWW in pkg-descr
Noteworthy changes in version 1.8.3
===================================
- Use blinding for ECDSA signing to mitigate a novel side-channel
attack. [#4011,CVE-2018-0495]
- Fix incorrect counter overflow handling for GCM when using an IV
size other than 96 bit. [#3764]
- Fix incorrect output of AES-keywrap mode for in-place encryption
on some platforms.
- Fix the gcry_mpi_ec_curve_point point validation function.
- Fix rare assertion failure in gcry_prime_check.
Release info at <https://dev.gnupg.org/T4016>.
For further details, see https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
Security: http://vuxml.freebsd.org/freebsd/9b5162de-6f39-11e8-818e-e8e0b747a45a.html
Approved by: ports-secteam (feld)
multimedia/libvpx: unbreak on powerpc*
- newer libstdc++ ABI is required by many consumers
- -mspe and -maltivec are mutually exclusive
- implement VSX detection for powerpc and powerpc64
PR: 228586
Submitted by: jhibbits (based on)
Approved by: ports-secteam blanket
sysutils/google-compute-engine-oslogin: update to version 1.1.5
PR: 226936
Submitted by: Helen Koike <helen.koike@collabora.com> (maintainer)
Mark as broken on various tier-2 archs.
Approved by: portmgr (tier-2 blanket)
sysutils/google-compute-engine-oslogin: fix oslogin and update to 1.3.0
PR: 228949
Submitted by: Helen Koike <helen.koike@collabora.com> (maintainer)
Approved by: ports-secteam (implicit)
www/waterfox: flatten line endings after r461193 (direct commit)
Subversion doesn't allow mixed line endings when svn:eol-style
property is set. files/patch-bug1402766 tries to create a new test
file, so simply strip carriage-return from lines which is what
actually happens on checkout. Originally, the file landed via
git-svn which doesn't appear to run sanity checks on dcommit.
$ svn cat files/patch-bug1402766
svn: E135000: Inconsistent line ending style
Reported by: gjb
Approved by: ports-secteam blanket
Update to 2.5.4 which fixes multiple memory allocation issues:
- Multiple fixes and improvements to BinPAC generated code
related to array parsing, with potential impact to all Bro's
BinPAC-generated analyzers in the form of buffer over-reads
or other invalid memory accesses depending on whether a
particular analyzer incorrectly assumed that the
evaluated-array-length expression is actually the number of
elements that were parsed out from the input.
- The NCP analyzer (not enabled by default and also updated
to actually work with newer Bro APIs in the release) performed
a memory allocation based directly on a field in the input
packet and using signed integer storage. This could result
in a signed integer overflow and memory allocations of
negative or very large size, leading to a crash or memory
exhaustion. The new NCP::max_frame_size tuning option now
limits the maximum amount of memory that can be allocated.
Other fixes:
- A memory leak in the SMBv1 analyzer.
- The MySQL analyzer was generally not working as intended,
for example, it now is able to parse responses that contain
multiple results/rows.
Add gettext-runtime to USES to address a poudriere testport
warning.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Security: 2f4fd3aa-32f8-4116-92f2-68f05398348e
Differential Revision: https://reviews.freebsd.org/D15678
Approved by: ports-secteam (feld), matthew (mentor)
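The NCP allocation bug described in the commit message above, as an added example that is not Bro's own code: a frame-length field copied straight from the packet into a signed int and handed to malloc(), beside a hardened parser that keeps the field unsigned, caps it with a tuning limit and refuses lengths that exceed the bytes actually present. The packet layout, the function names and the DEFAULT_MAX_FRAME_SIZE value are assumptions for illustration (the limit stands in for the NCP::max_frame_size option named in the message); the packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the NCP::max_frame_size option named in the commit message;
 * the value is assumed for illustration. */
#define DEFAULT_MAX_FRAME_SIZE 65536u

/* Assumed toy layout: a 4-byte big-endian length, then that many payload
 * bytes. This is not the real NCP wire format. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the attacker-controlled length lands in a signed int.
 * 0xFFFFFFF0 becomes -16, and the implicit conversion back to size_t at the
 * malloc() call turns that into SIZE_MAX - 15, so the allocation fails
 * (a crash if the result is not checked); a large positive value such as
 * 0x7FFFFFFF instead succeeds and exhausts memory. Returns the size
 * malloc() would be asked for, without actually allocating. */
static size_t vulnerable_alloc_size(const uint8_t *pkt)
{
    int frame_len = (int)read_be32(pkt);   /* signed storage of a length */
    return (size_t)frame_len;              /* what malloc(frame_len) receives */
}

/* Hardened parser: keep the length unsigned, bound it by the tuning limit,
 * and refuse to read past the bytes actually present (the over-read the
 * BinPAC array fixes are about). Returns a malloc'd copy of the frame body
 * or NULL on refusal. */
static uint8_t *parse_frame(const uint8_t *pkt, size_t pkt_len,
                            uint32_t max_frame_size, size_t *out_len)
{
    if (pkt_len < 4)
        return NULL;                        /* header not fully present */
    uint32_t frame_len = read_be32(pkt);
    if (frame_len > max_frame_size)
        return NULL;                        /* oversized: bounded by the option */
    if (frame_len > pkt_len - 4)
        return NULL;                        /* claimed length exceeds input */
    uint8_t *buf = malloc(frame_len ? frame_len : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, pkt + 4, frame_len);
    *out_len = frame_len;
    return buf;
}

/* Convenience wrapper: 1 if the frame is accepted, 0 if refused. */
static int frame_accepted(const uint8_t *pkt, size_t pkt_len, uint32_t max_frame_size)
{
    size_t n = 0;
    uint8_t *body = parse_frame(pkt, pkt_len, max_frame_size, &n);
    if (body == NULL)
        return 0;
    free(body);
    return 1;
}

/* Constructed packets: a benign 5-byte frame, one claiming 0xFFFFFFF0 bytes,
 * and one whose length is legal but exceeds what was captured. */
static const uint8_t good_pkt[]  = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t evil_pkt[]  = {0xFF, 0xFF, 0xFF, 0xF0, 'x', 'x', 'x', 'x'};
static const uint8_t short_pkt[] = {0x00, 0x00, 0x00, 0x10, 'a', 'b'};

int main(void)
{
    printf("vulnerable malloc size for evil_pkt: %zu bytes\n", vulnerable_alloc_size(evil_pkt));
    printf("good_pkt accepted:  %d\n", frame_accepted(good_pkt, sizeof good_pkt, DEFAULT_MAX_FRAME_SIZE));
    printf("evil_pkt accepted:  %d\n", frame_accepted(evil_pkt, sizeof evil_pkt, DEFAULT_MAX_FRAME_SIZE));
    printf("short_pkt accepted: %d\n", frame_accepted(short_pkt, sizeof short_pkt, DEFAULT_MAX_FRAME_SIZE));
    return 0;
}
```

The two checks in parse_frame map to the two classes of bug in the message: the limit check covers the signed-overflow/huge-allocation case, and the comparison against pkt_len covers the case where the evaluated length is larger than the number of elements actually parsed from the input.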
Update gnupg to 2.2.6
* gpg,gpgsm: New option --request-origin to pretend that requests come
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock. [#3839]
* gpg: Emit FAILURE status lines in almost all cases. [#3872]
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures. [#3844]
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command. [#3781]
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup. [#3823]
* scd: Fix some issues with PC/SC on Windows. [#3825]
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer. [#3829]
* agent: Use separate passphrase caches depending on the request
origin. [#3858]
* ssh: Support signature flags. [#3880]
* dirmngr: Handle failures related to missing IPv6 support
gracefully. [#3331]
* Fix corner cases related to specified home directory with
drive letter on Windows. [#3720]
* Allow the use of UNC directory names as homedir. [#3818]
Update gnupg to 2.2.7
Also, remove unnecessary USE_LDCONFIG.
* gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile. [#3951]
* ssh: Return an error for unknown ssh-agent flags. [#3880]
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows. [#2448,#3923]
* dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
mapping of keys.gnupg.net to sks-keyservers.net. [#3755]
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https. Here a redirection to
http is explicitly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
This stopped working with 2.1. [#3937]
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
debugging.
Update gnupg to 2.2.8 (security release)
CVE-2018-12020:
The OpenPGP protocol allows the file name of the original input file
to be included in a signed or encrypted message. During decryption and
verification the GPG tool can display a notice with that file name. The
displayed file name is not sanitized and as such may include line feeds
or other control characters. This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages. These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters. Status messages are created with the option "--status-fd N"
where N is a file descriptor. Now if N is 2 the status messages and the
regular diagnostic messages share the stderr output channel. By using a
made-up file name in the message it is possible to fake status messages.
Using this technique it is for example possible to fake the verification
status of a signed mail.
Also:
* gpg: Decryption of messages not using the MDC mode will now lead
to a hard failure even if a legacy cipher algorithm was used. The
option --ignore-mdc-error can be used to turn this failure into a
warning. Take care: Never use that option unconditionally or
without a prior warning.
* gpg: The MDC encryption mode is now always used regardless of the
cipher algorithm or any preferences. For testing --rfc2440 can be
used to create a message without an MDC.
* gpg: Sanitize the diagnostic output of the original file name in
verbose mode. [#4012,CVE-2018-12020]
* gpg: Detect suspicious multiple plaintext packets in a more
reliable way. [#4000]
* gpg: Fix the duplicate key signature detection code. [#3994]
* gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
--disable-mdc and --no-disable-mdc have no more effect.
* agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
list of startup environment variables. [#3947]
Security: CVE-2018-12020
Approved by: ports-secteam (miwi)
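The CVE-2018-12020 status-line injection described in the commit message above, as an added example that is not GnuPG's own code: a constructed "original file name" containing a newline and a fake GOODSIG line, the merged channel a consumer sees when it passes "--status-fd 2", a naive status parser that is fooled by it, and a sanitizer that escapes control characters so the name can no longer break a diagnostic line. The key ID, user ID, escape format and function names are this example's assumptions; GnuPG 2.2.8 sanitizes the name, but the exact escaping it uses is not described on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed attacker-chosen "original file name". The embedded newline
 * starts what looks like a GOODSIG status line. Key ID and user ID are made up. */
static const char crafted_name[] =
    "report.pdf\n[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>";

/* Escape control bytes (below 0x20, and 0x7f) as \xNN so a file name can no
 * longer terminate a diagnostic line. The escape format is this example's
 * choice, not GnuPG's. */
static void sanitize(const char *in, char *out, size_t out_sz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p && o + 5 < out_sz; p++) {
        if (*p < 0x20 || *p == 0x7f)
            o += (size_t)snprintf(out + o, out_sz - o, "\\x%02x", *p);
        else
            out[o++] = (char)*p;
    }
    out[o] = '\0';
}

/* Simulate the merged channel produced by "--status-fd 2": the verbose
 * "original file name" diagnostic followed by the real BADSIG status line.
 * With do_sanitize == 0 this models the unsanitized output before 2.2.8. */
static void build_shared_stderr(int do_sanitize, char *out, size_t out_sz)
{
    char name[256];
    if (do_sanitize)
        sanitize(crafted_name, name, sizeof name);
    else
        snprintf(name, sizeof name, "%s", crafted_name);
    snprintf(out, out_sz,
             "gpg: original file name='%s'\n"
             "[GNUPG:] BADSIG 0123456789ABCDEF Alice <alice@example.org>\n",
             name);
}

/* A typical naive consumer: every line beginning with "[GNUPG:] " is a status
 * line, and the first GOODSIG wins. Returns 1 if a GOODSIG line is seen. */
static int saw_goodsig(const char *stream)
{
    const char *p = stream;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= 16 && memcmp(p, "[GNUPG:] GOODSIG", 16) == 0)
            return 1;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

/* 1 if the consumer would believe the (actually bad) signature is good. */
static int consumer_fooled(int do_sanitize)
{
    char buf[512];
    build_shared_stderr(do_sanitize, buf, sizeof buf);
    return saw_goodsig(buf);
}

/* Helper for checking the sanitizer on a small input. */
static int sanitize_equals(const char *in, const char *expect)
{
    char out[64];
    sanitize(in, out, sizeof out);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    char buf[512];
    build_shared_stderr(0, buf, sizeof buf);
    printf("--- unsanitized shared stderr ---\n%s", buf);
    printf("consumer fooled: %d\n", consumer_fooled(0));
    build_shared_stderr(1, buf, sizeof buf);
    printf("--- sanitized shared stderr ---\n%s", buf);
    printf("consumer fooled: %d\n", consumer_fooled(1));
    return 0;
}
```

Sanitizing the diagnostic is the upstream fix, but a consumer also controls the other half of the problem: giving status lines their own descriptor (for example "--status-fd 3 3>status.txt" from a shell) keeps the file name, sanitized or not, out of the channel that is parsed, and ignoring or rejecting unknown lines on that channel removes the remaining ambiguity.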
Update gitlab to 10.7.3.
For list of changes look here: https://about.gitlab.com/2018/04/22/gitlab-10-7-released/
Please note that gitlab-pages is temporarily removed and will be added later once the upstream bug is fixed.
Do not update to this version if you require gitlab-pages.
The Gemfile.lock is now generated on gitlab startup, so this should help with Gemfile issues.
Reviewed by: swills (mentor)
Approved by: swills (mentor)
Differential Revision: https://reviews.freebsd.org/D15314
Applied security upgrade to gitlab 10.7.5.
Fixed bug with wrong path for gitlab-workhorse that should fix artifacts (reported by Felix <mail@felix.flornet.de>). This was fixed upstream but is not included in this version yet: https://gitlab.com/gitlab-org/gitlab-ce/issues/46763
Update net/rubygem-grpc to 1.11.1 which is required for gitlab 10.7.5.
Sync dep net/rubygem-grpc with gitlab which now uses 1.11.1.
Added gitlab-pages again to dependencies as the new version builds again.
Reported by: Felix <mail@felix.flornet.de>
Reviewed by: swills (mentor)
Approved by: swills (mentor)
Differential Revision: https://reviews.freebsd.org/D15631
Approved by: ports-secteam (eadler)
Remove duplicate entry of BUILD_DEPENDS
- Fix indent
rubygem-bundler is already listed in MY_DEPENDS.
Differential Revision: https://reviews.freebsd.org/D15281
Submitted by: sunpoet (myself)
Approved by: mfechner (maintainer)
Upgrade devel/gitaly to 0.96.1 required for gitlab 10.7.x.
Reviewed by: tz (mentor)
Approved by: tz (mentor)
Differential Revision: https://reviews.freebsd.org/D15323
Fixed a wrong standard path in a configuration. New projects can be created again if the standard gitaly configuration is used.
Reviewed by: tz (mentor)
Approved by: tz (mentor)
Differential Revision: https://reviews.freebsd.org/D15447
Approved by: ports-secteam (eadler)