Security update, which fixes a buffer overflow in HTTP chunked encoding
handling, when the chunk length was mishandled (CVE-2019-16239).
Changelog can be found at
https://www.infradead.org/openconnect/changelog.html.
OK sthen@
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
Fixes a potential information leak (CVE-2018-20319), and adds some new
features including support for PAN GlobalProtect.
- minor of SHARED_LIBS has been bumped as symbols have been added
- switched HOMEPAGE to https
- drop wrapper scripts that are not useful for us, e.g tncc-wrapper.py
needs the icedtea-web plugin that we don't have and the CSD scripts
involve running a linux binary (suggested by sthen@)
Feedback and OK from sthen@
some existing COMPILER lines with arch restrictions etc. In the usual
case this is now using "COMPILER = base-clang ports-gcc base-gcc" on
ports with c++ libraries in WANTLIB.
This is basically intended to be a noop on architectures using clang
as the system compiler, but help with other architectures where we
currently have many ports knocked out due to building with an unsuitable
compiler -
- some ports require c++11/newer so the GCC version in base that is used
on these archirtectures is too old.
- some ports have conflicts where an executable is built with one compiler
(e.g. gcc from base) but a library dependency is built with a different
one (e.g. gcc from ports), resulted in mixing incompatible libraries in the
same address space.
devel/gmp is intentionally skipped as it's on the path to building gcc -
the c++ library there is unused in ports (and not built by default upstream)
so intending to disable building gmpcxx in a future commit.
Network Connect ssl-vpn protocol. ("we'll probably end up also implementing
Junos Pulse support which actually provides IPv6 rather than only Legacy IP.
But not this week!")
also fix for LZS compression on strict alignment arches and various other
changes.
message with no payload, just skip printing the disconnect reason."
Fixes printing junk and possibly crashing if the server goes away.
Tweak DESCR, mention the open-source server ocserv (port for this is
ready but holding in openbsd-wip until we're done with 5.7).
(Readers might be interested to note that 7.04 is probably the last
version of OpenConnect to only support Cisco's SSL-VPN protocol; the
next version will almost certainly add client support for Juniper's
protocol).
notable changes:
- workaround for XML POST issues with authgroups (full fix in a future
release, but this interim release has been made to avoid an ABI break)
- fix potential memory corruption which could be triggered by a malicious server
a fixed stack buffer when constructing HTTP requests. Prevents an overflow
if a malicious VPN gateway sends a very long hostname/path (for redirects)
or cookie list. (There is a newer release of OpenConnect which includes
this fix, but also some bigger code changes, so that will wait until we
are done with 5.3 release). ok aja@ jasper@
was already pulled in via libs, so no new deps), and avoid SEPARATE_BUILD
for now as the code to detect a version mismatch between binary and lib
in this version doesn't handle it.
