- Fix build with aarch64, armv6, armv7
- Fix QT4 option on all platforms (needs USES=gmake, and fix for moc location)
- Remove some substitutions that didn't do anything
- Don't try to create directories already in mtree
Approved by: ports-secteam (blanket)
It appears as if the development branch of ntp is dead as no new
development tarballs have been released for ~ 17 months now. This is a
security concern.
Approved by: portmgr (riggs)
gecko: convert to CONFIGURE_OUTSOURCE
client.mk is on its way out upstream, switching to it was a mistake.
$ MACH=1 gmake -f client.mk build
client.mk:40: /.mozconfig-client-mk: No such file or directory
gmake: *** No rule to make target '/.mozconfig-client-mk'. Stop.
Approved by: ports-secteam (riggs)
Fix build on 11 and later with c++ compilers by default in c++11 mode
PR: 226213
Submitted by: portmaster@bsdforge.com (maintainer)
Approved by: ports-secteam (build fix blanket)
Update to 1.28 which fixes a buffer overflow (that will be)
documented in CVE-2017-17663.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Security: f5524753-67b1-4c88-8114-29c2d258b383
Differential Revision: https://reviews.freebsd.org/D14218
Approved by: ports-secteam (feld)
Update to version 1.6.3
Shibboleth SP software vulnerable to forged user attribute data
====================================================================
The Service Provider software relies on a generic XML parser to process
SAML responses and there are limitations in older versions of the parser
that make it impossible to fully disable Document Type Definition (DTD)
processing.
Through addition/manipulation of a DTD, it's possible to make changes
to an XML document that do not break a digital signature but are
mishandled by the SP and its libraries. These manipulations can alter
the user data passed through to applications behind the SP and result
in impersonation attacks and exposure of protected information.
While the use of XML Encryption can serve as a mitigation for this bug,
it may still be possible to construct attacks in such cases, and the SP
does not provide a means to enforce its use.
An updated version of XMLTooling-C (V1.6.3) is available that works
around this specific bug.
While newer versions of the parser are configured by the SP into
disallowing the use of a DTD via an environment variable, this feature
is not present in the parser used on some supported platforms (notably
Red Hat and CentOS 7), so an additional fix is being provided now that
an actual DTD exploit has been identified.
Security: CVE-2018-0486
Shibboleth SP software vulnerable to additional data forgery flaws
The XML processing performed by the Service Provider software has been
found to be vulnerable to new flaws similar in nature to the one
addressed in an advisory last month.
Security: 22438240-1bd0-11e8-a2ec-6cc21735f730
URL: https://shibboleth.net/community/advisories/secadv_20180227.txt
Approved by: ports-secteam
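
The Shibboleth advisory quoted above traces the forgery to DTD processing that the parser cannot fully switch off. As an added illustration (not code from Shibboleth, XMLTooling-C or the port), this Python sketch applies the same policy in a consumer of signed XML: refuse any document that declares a DTD before a tree is built from it. The names parse_without_dtd, DTDForbidden and uid_or_rejection, and both sample documents, are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE declaration."""


def parse_without_dtd(xml_bytes: bytes) -> ET.Element:
    """Parse xml_bytes, refusing any document that declares a DTD.

    A first expat pass looks only for a DOCTYPE; the tree is built in a
    second pass, so a rejected document never reaches application code.
    """
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = forbid_doctype
    guard.Parse(xml_bytes, True)   # raises DTDForbidden, or ExpatError if malformed
    return ET.fromstring(xml_bytes)


# Constructed samples: a plain attribute statement, and the same statement
# preceded by an internal DTD subset that defines an entity.
CLEAN = (b'<Attribute Name="uid">'
         b'<AttributeValue>alice</AttributeValue></Attribute>')
WITH_DTD = (b'<!DOCTYPE Attribute [<!ENTITY who "alice">]>'
            b'<Attribute Name="uid">'
            b'<AttributeValue>&who;</AttributeValue></Attribute>')


def uid_or_rejection(xml_bytes: bytes) -> str:
    """Return the attribute value, or the reason the document was refused."""
    try:
        root = parse_without_dtd(xml_bytes)
    except DTDForbidden as exc:
        return f"rejected: {exc}"
    return root.findtext("AttributeValue")


if __name__ == "__main__":
    print(uid_or_rejection(CLEAN))
    print(uid_or_rejection(WITH_DTD))
```

The guard belongs ahead of signature validation and attribute extraction, so both steps only ever see DTD-free input.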
Use USE_GITHUB instead of hand crafting urls.
Sponsored by: Absolight
Add a NETMAP option to build and install the bro netmap plugin.
PR: 224918
Reported by: Shane Peters
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D14378
Update to 2.5.3 which fixes an integer overflow:
http://blog.bro.org/2018/02/bro-253-released-security-update.html
Note that a CVE has not been assigned yet.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D14444
Approved by: ports-secteam (swills)
2018-03-01 Security Update Release
The PostgreSQL Global Development Group has released an update to all supported
versions of the PostgreSQL database system, including 10.3, 9.6.8, 9.5.12,
9.4.17, and 9.3.22.
The purpose of this release is to address CVE-2018-1058, which describes how a
user can create like-named objects in different schemas that can change the
behavior of other users' queries and cause unexpected or malicious behavior,
also known as a "trojan-horse" attack. Most of this release centers around added
documentation that describes the issue and how to take steps to mitigate the
impact on PostgreSQL databases.
We strongly encourage all of our users to please visit
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
for a detailed explanation of CVE-2018-1058 and how to protect your PostgreSQL
installations.
After evaluating the documentation for CVE-2018-1058, a database administrator
may need to take follow up steps on their PostgreSQL installations to ensure
they are protected from exploitation.
Security: CVE-2018-1058
Approved by: portmgr
Update dovecot to 2.2.34, and bump pigeonhole.
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users. First discovered by Aleksandar
Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login
process.
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team. Nowadays
core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
* doveconf output now includes the hostname.
+ mail_attachment_detection_options setting controls when
$HasAttachment and $HasNoAttachment keywords are set for mails.
+ imap: Support fetching body snippets using FETCH (SNIPPET) or
(SNIPPET (LAZY=FUZZY))
+ fs-compress: Automatically detect whether input is compressed or not.
Prefix the compression algorithm with "maybe-" to enable the
detection, for example: "compress:maybe-gz:6:..."
+ Added settings to change dovecot.index* files' optimization behavior.
See https://wiki2.dovecot.org/IndexFiles#Settings
+ Auth cache can now utilize auth workers to do password hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
https://wiki2.dovecot.org/Plugins/CharsetAlias
+ imap_logout_format and pop3_logout_format settings now support all of
the generic variables (e.g. %{rip}, %{session}, etc.)
+ Added auth_policy_check_before_auth, auth_policy_check_after_auth
and auth_policy_report_after_auth settings.
- v2.2.33: doveadm-server: Various fixes related to log handling.
- v2.2.33: doveadm failed when trying to access UNIX socket that didn't
require authentication.
- v2.2.33: doveadm log reopen stopped working
- v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
- v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
- replication: dsync sends unnecessary replication notification for
changes it does internally. NOTE: Folder creates, renames, deletes
and subscribes still trigger unnecessary replication notifications,
but these should be rather rare.
- mail_always/never_cache_fields setting changes weren't applied for
existing dovecot.index.cache files.
- Fix compiling and other problems with OpenSSL v1.1
- auth policy: With master user logins, lookup using login username.
- FTS reindexed all mails unnecessarily after loss of
dovecot.index.cache file
- mdbox rebuild repeatedly fails with "missing map extension"
- SSL connections may have been hanging with imapc or doveadm client.
- cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and
also timestamps weren't set to queries.
- fs-crypt silently ignored public/private keys specified in
configuration (mail_crypt_global_public/private_key) and just
emitted plaintext output.
- lock_method=dotlock caused crashes
- imapc: Reconnection may cause crashes and other errors
Security: CVE-2017-14461
Security: CVE-2017-15130
Security: CVE-2017-15132
Approved by: ports-secteam (delphij), adamw
math/ogdf: unbreak build with Clang 6 (C++14 by default)
The bundled version of CoinMP required the same patches as those applied
to the port math/coinmp, so the patches were copied from there.
Submitted by: jbeich (via commit r458136)
Reported by: antoine (via bug 224669)
Approved by: ports-secteam blanket
Convert to USES=autoreconf.
Fix ICU depend for postgresql10-server.
PR: 225049
Submitted by: mat
Approved by: maintainer timeout
Sponsored by: Absolight
Update to latest versions of PostgreSQL
2018-02-08 Security Update Release
==================================
The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 10.2, 9.6.7, 9.5.11, 9.4.16, 9.3.21.
This release fixes two security issues. This release also fixes issues with
VACUUM, GIN indexes, and hash indexes that could lead to data corruption, as
well as fixes for using parallel queries and logical replication.
All users using the affected versions of PostgreSQL should update as soon as
possible. Please see the notes on "Updating" below for any post-update steps
that may be required.
Please note that PostgreSQL changed its versioning scheme with the release of
version 10.0, so updating to version 10.2 from 10.0 or 10.1 is considered a
minor update.
Security Issues
---------------
Two security vulnerabilities have been fixed by this release:
* CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
* CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable
Local fixes to the FreeBSD ports
--------------------------------
Inform users about data checksums [1].
Make sure /usr/bin/su is used regardless of PATH settings [2].
Enable DTRACE by default [3].
PR: 214671 [1], 223157 [2], 215028 [3]
Security: c602c791-0cf4-11e8-a2ec-6cc21735f730
Remove DTRACE from OPTIONS_DEFAULT, causes segmentation fault during build
Approved by: portmgr
sysutils/py-salt: Update to 2017.7.3
This is a bug fix release for the 2017.7.x branch. Changes this release:
https://docs.saltstack.com/en/latest/topics/releases/2017.7.3.html
PR: 225983
Submitted by: ohauer
Approved by: Christer Edwards (maintainer)
Approved by: ports-secteam (riggs)
WITH_CCACHE_BUILD: Fix some ports not using proper CCACHE_DIR.
Some ports will truncate CCACHE_DIR from the env and due to HOME=${WRKDIR}
will incorrectly use ${WRKDIR}/.ccache. Symlink to the proper place.
Approved by: portmgr (implicit)
www/squid-devel: Update to 4.0.23, Fixes security vulnerabilities
- Add a patch from upstream that fixes a problem when building on i386 arch
Kid.cc:93:42: error: format specifies type 'long' but the argument has type
'time_t' (aka 'int') [-Werror,-Wformat]
theName.termedBuf(), pid, Config.hopelessKidRevivalDelay);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
- Remove CXXFLAGS with clang, not necessary anymore
PR: 225447
Submitted by: timp87@gmail.com (maintainer)
Security: d5b6d151-1887-11e8-94f7-9c5c8e75236a
Approved by: ports-secteam (swills)