Commit Graph

81303 Commits

Author SHA1 Message Date
sthen
195eaac041 SECURITY update; py-Django 1.4.5
https://www.djangoproject.com/weblog/2013/feb/19/security/

- Host header poisoning: an attacker could cause Django to generate
and display URLs that link to arbitrary domains.

- Formset denial-of-service: an attacker can abuse Django's tracking
of the number of forms in a formset to cause a denial-of-service attack.

- XML attacks: Django's serialization framework was vulnerable to
attacks via XML entity expansion and external references.

- Data leakage via admin history log: Django's admin interface could
expose supposedly-hidden information via its history log.
2013-03-02 12:47:49 +00:00
jasper
6686fa807f for ports built from source, bump the MODJAVA_VER from 1.5 to 1.6.
as discussed with/ok kurt@
2013-03-02 12:45:19 +00:00
jasper
3bd2806f69 - update HOMEPAGE
2013-03-02 12:42:39 +00:00
sthen
7315927d04 zap -no-pie stuff no longer needed for static bins.
2013-03-02 12:42:33 +00:00
jasper
6d3f8104b7 disable -Werror which breaks at least hppa/mips64/sparc64
ok landry@ aja@
2013-03-02 12:42:03 +00:00
sthen
c59262b392 icinga-web 1.8.2
2013-03-02 12:41:55 +00:00
sthen
cfeb576100 SECURITY update to isync 1.0.6
CVE-2013-0289 - does not verify hostnames from SSL certificates
2013-03-02 12:39:56 +00:00
sthen
7ac16f3659 Make alephone scenarios BUILD_DEPENDS on alephone. It's not technically
required but scenarios are useless without the game and very big, so this
saves excessively large files being uncompressed/recompressed and shipped
out to mirrors on arch where the game won't run anyway. ok phessler
2013-03-02 12:38:46 +00:00
sthen
715843528d update to p5-Error 0.17019
2013-03-02 12:36:36 +00:00
jasper
45987be890 - add $V to SUBST_VARS to minimize future diffs.
2013-03-02 12:35:01 +00:00
jasper
15e553cf97 - update to apache-maven-3.0.5
2013-03-02 12:33:57 +00:00
jasper
ee9c1c3220 - update to apache-ant-1.8.4
tested in a bulk by landry@
ok kurt@
2013-03-02 12:33:01 +00:00
jasper
9e4c660d68 - update to clutter-gst-2.0.2.
2013-03-02 12:32:11 +00:00
jasper
79684e7f37 - update to apache-activemq-5.8.0
2013-03-02 12:31:35 +00:00
jasper
b594444971 - update py-pygments to 1.6
- reset maintainer as per djm@'s request

ok djm@
2013-03-02 12:30:10 +00:00
jasper
1148d8193d - update to node-canvas-1.0.0
2013-03-02 12:29:09 +00:00
jasper
ce1871cb41 - update to libvirt-glib-0.1.5
2013-03-02 12:28:26 +00:00
jasper
45186755ed - update to gtkhtml4-4.6.4
2013-03-02 12:27:42 +00:00
jasper
0023e677a1 - update to coffeescript-1.5.0
2013-03-02 12:22:28 +00:00
jasper
e406ed523f - fix MASTER_SITES
2013-03-02 12:21:26 +00:00
jasper
4bf2fc7c44 - add missing build dependency, spotted by several
ok aja@
2013-03-02 12:21:10 +00:00
naddy
bacef4041b sync, 7893
2013-02-25 19:14:32 +00:00
jasper
e378789687 add RUN_DEPENDS on php-curl; while it's sort-of-optional dep, it's light and
useful.

ok landry@ (MAINTAINER) sthen@
2013-02-24 16:31:54 +00:00
sthen
c0a59f9671 force opus support to be disabled for now (hidden dep); to be enabled
later.  ok naddy@ espie@
2013-02-24 14:47:52 +00:00
sthen
80b61379f2 hidden build dep on libgcrypt (which shouldn't be necessary, but to be
fixed properly later). ok naddy@ espie@
2013-02-24 14:46:29 +00:00
sthen
950eac2a39 build dep on wdg-sgml-lib, no package change. ok naddy@ espie@
2013-02-24 14:45:08 +00:00
sthen
089ff7e0cd oops, wrong tree, add a REVISION bump
2013-02-24 14:44:45 +00:00
sthen
3e66370f14 don't pick up openal/freeglut (hidden deps). should probably be enabled at a
different time in the release cycle. ok naddy@ espie@
2013-02-24 14:44:25 +00:00
espie
c90669c473 fix LIB_DEPENDS for arches that need the gcc4 modules (multi-packages are
fun that way). Bump affected pkgs just in case.

problem noticed by rpe@

okay naddy@, sthen@
2013-02-24 11:18:38 +00:00
jeremy
1f6d81dd85 Update to ruby 1.9.3-p392, fixing CVE-2013-0269 and a DoS
vulnerability in REXML.

OK jasper@ sthen@
2013-02-23 01:22:26 +00:00
espie
a1ccfe7ec7 with live debug help from phessler@ : don't register lib signatures from dead
hosts, thus precluding live hosts from starting up correctly.

okay naddy@
2013-02-22 19:58:12 +00:00
espie
5d89e474d0 security update, okay jasper@, naddy@
2013-02-22 17:04:24 +00:00
ajacoutot
f44bdb4a47 Remove an annoying warning at pkg_add/delete time due to an empty manpage.
Theo confirmed this can still go in.
prodded by and ok sthen@, ok jasper@
2013-02-21 15:55:32 +00:00
jasper
d3a132e124 add missing build dependency on dbus, as spotted by rpe@
ok aja@
2013-02-21 08:07:34 +00:00
naddy
eca3112a43 5.2 CD packages
2013-02-20 20:22:30 +00:00
ajacoutot
bac61701e3 SECURITY update to owncloud-4.5.7.
Multiple XSS vulnerabilities (oC-SA-2013-003)
Multiple CSRF vulnerabilities (oC-SA-2013-004)
PHP settings disclosure (oC-SA-2013-005)
Multiple code executions (oC-SA-2013-006)
Privilege escalation in the calendar application (oC-SA-2013-007)
2013-02-20 15:32:21 +00:00
jasper
64dbe6e3e0 - security update of jenkins to 1.502 which addresses three vulnerabilities,
as described in https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

ok aja@
(no response from maintainer as of yet, committing now to make sure it makes 5.3)
2013-02-19 17:50:44 +00:00
ajacoutot
86e08285c5 Sanitize this package and provide a working runtime out of the box:
* remove USE_GROFF to prevent warnings
* fix the examples directory
* use .conf files from upcoming 3.1 version (they work by default and the patches can be easily removed when we upgrade)
* add a default minimal puppet.conf that works instead of the currently broken one we ship
* only include conf files we need
* no need to create the hierarchy under /var/puppet since puppet will take care of it

ok robert@ (maintainer), jasper@
2013-02-19 16:11:16 +00:00
ajacoutot
5de6c24ff0 Unbreak rule parsing by opening the proper libmozjs.
spotted by landry@
ok landry@ jasper@
2013-02-19 16:09:15 +00:00
espie
f783cefe01 give a clue to clueless people
okay sthen@
2013-02-18 12:07:42 +00:00
jasper
a650be30e4 sync with gtkhtml4 by adding a build dependency on libsoup as used for
testgtkhtml.

found by naddy@
ok aja@
2013-02-18 07:53:54 +00:00
sthen
7f9dc60721 The pkg_create magic to handle stripping dynamic libraries on static-only
arch works by converting the .so to .a (which covers the case where a
shared arch builds an .so with no associated .a). As gettext has a couple
of shared libraries with no associated static library this scheme doesn't
work, so split it back out to PFRAG.shared to disable the magic. Fixes vax.
ok espie@ naddy@
2013-02-16 18:17:49 +00:00
ajacoutot
8f0aa87e02 Fix for CVE-2013-0292: authentication bypass vulnerability
ok jasper@ sthen@ espie@
2013-02-16 09:05:36 +00:00
sthen
106aa47da7 Fix mixed code/decl's in gettext. ok jasper@ aja@ naddy@
2013-02-15 23:47:04 +00:00
kili
217bf15d14 Ensure that cups/gdevcups.c is compiled with the same flags as
everything else, especially to get the same value for GX_COLOR_INDEX_TYPE
(and the same field sizes and offsets for the gx_device type).

This fixes crashes with the cups driver on 32 bit archs.

Reported and fix tested by Martin Crossley <martin@crossleys.biz>.

ok aja@ dcoppa@ sthen@
2013-02-15 12:40:00 +00:00
sthen
34d753f122 unbreak build on a clean system. reported by nigel (and I hit it too),
ok jasper@ nigel@
2013-02-15 12:06:11 +00:00
fgsch
5321f2a662 SECURITY UPDATE: fix remote DoS.
aja@ sthen@ ok
2013-02-15 09:54:36 +00:00
jasper
7ada00f584 Security fix for CVE-2013-0256, an XSS exploit in RDoc
ok jeremy@ sthen@
2013-02-13 18:19:37 +00:00
sthen
4764baf432 add bootstraps to SUPDISTFILES, don't use $ARCH in DISTFILES as (despite
ONLY_FOR_ARCHS) dpb still fetches the files. fixes spurious dpb errors with
!amd64/i386. ok espie@ kurt@
2013-02-13 18:13:12 +00:00
robert
66b9154738 add devel/swig as a build dependency and regenerate the swig code
ok aja@
2013-02-13 08:02:37 +00:00