* A bug with hash_fold() regarding incoming IPv4 and IPv6 source
addresses has been fixed. The "hash" group mechanism is now working as
expected.
* Buffering has been disabled for interactive shell IO. A new
"assign" command has been added to allow changing of the host:port
assignment of a channel (only if disabled). A locking bug has been
fixed.
* A new option -6 has been added to force IPv6 bind.
* Problems with setting IPV6_V6ONLY socket option are now handled
more nicely with a syslog warning message.
* Balance now compiles also on systems where IPV6_V6ONLY is
undefined (like some Solaris systems).
* IPv6 support on the listening side has been added. MAXCHANNELS in
balance.h has been increased to 64.
Ok aja@ brad@
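The three IPv6 items above (a -6 switch to force an IPv6 bind, a syslog warning instead of a hard failure when IPV6_V6ONLY cannot be set, and compiling where IPV6_V6ONLY is not defined) describe one portability pattern for a dual-stack listener. The following is an added illustration of that pattern in plain POSIX C; it is not balance's own code, and the function names, the warn-only policy and the listen backlog of 16 are assumptions made here for the example.

```c
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/* Ask for an IPv6-only socket so an IPv6 listener does not also
 * silently accept IPv4-mapped connections. Returns 1 if the option was
 * set, 0 if it does not apply (not an AF_INET6 socket, or the platform
 * has no IPV6_V6ONLY at all), -1 if setsockopt() failed. Failures are
 * only logged: a missing option is not a reason to refuse to start. */
int set_v6only(int fd, int family)
{
    if (family != AF_INET6)
        return 0;
#ifdef IPV6_V6ONLY
    int on = 1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == -1) {
        syslog(LOG_WARNING, "setsockopt(IPV6_V6ONLY) failed: %s",
               strerror(errno));
        return -1;
    }
    return 1;
#else
    /* e.g. some Solaris releases: build anyway, just warn at runtime */
    syslog(LOG_WARNING, "IPV6_V6ONLY not available on this system");
    return 0;
#endif
}

/* Open a listening TCP socket on host:port. With force_v6 set (the "-6"
 * behaviour described above) only AF_INET6 addresses are considered, so
 * an IPv4 literal such as 127.0.0.1 is already rejected by getaddrinfo().
 * Returns the listening fd, or -1 on failure. */
int open_listener(const char *host, const char *port, int force_v6)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1, rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = force_v6 ? AF_INET6 : AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        syslog(LOG_ERR, "getaddrinfo(%s, %s): %s", host, port, gai_strerror(rc));
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd == -1)
            continue;
        set_v6only(fd, ai->ai_family);      /* warn-only, see above */
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 16) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Stand-alone check: a plain IPv4 listener on an ephemeral port works,
 * IPV6_V6ONLY is reported as "not applicable" (0) on that AF_INET socket,
 * and a forced-IPv6 bind of an IPv4 literal is refused (-1). Returns 1
 * when all three hold. */
int listener_selftest(void)
{
    int fd = open_listener("127.0.0.1", "0", 0);
    if (fd < 0)
        return 0;
    int v6 = set_v6only(fd, AF_INET);
    close(fd);
    if (v6 != 0)
        return 0;
    return open_listener("127.0.0.1", "0", 1) == -1;
}
```

The point of the warn-only return from set_v6only() is the one the changelog makes: on a host where the option is absent or refused the daemon still comes up, and the operator learns from syslog that the IPv6 socket may also be reachable via IPv4-mapped addresses and should check the bind configuration.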
A specific query can cause BIND nameservers using DNS64 to exit
with a REQUIRE assertion failure.
BIND nameservers that are not using DNS64 are not at risk.
https://kb.isc.org/article/AA-00828 CVE-2012-5688
dnsfilter is a filter and rate limiter for the Domain Name
System. DNS queries should be redirected into the filter using
the pf(4) divert-packet command.
Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
significantly reduced directory overhead (via microdescriptors),
enormous crypto performance improvements for fast relays on new
enough hardware, a new v3 TLS handshake protocol that can better
resist fingerprinting, support for protocol obfuscation plugins (aka
pluggable transports), better scalability for hidden services, IPv6
support for bridges, performance improvements like allowing clients
to skip the first round-trip on the circuit ("optimistic data") and
refilling token buckets more often, a new "stream isolation" design
to isolate different applications on different circuits, and many
stability, security, and privacy fixes.
Also kill unneeded pthread patch.
Tested by dhill & dcoppa@.
ok dcoppa@
was already pulled in via libs, so no new deps), and avoid SEPARATE_BUILD
for now as the code to detect a version mismatch between binary and lib
in this version doesn't handle it.
Adds workaround for Dell PE x620 machines:
"[T]he CIM element "System Board 1 Riser Config Err 0: Connected" returned
a code of 12, which, according to the CIM documentation, means "Not
connected". But all affected users had an actual Riser Card connected
and working. So this return code does not make sense."
ok sthen@
irssi-xmpp is an irssi plugin to connect to the Jabber network.
Its aim is to provide good integration into this text-based IRC client
and good support for XMPP (the Jabber protocol).
Its main features are:
- Sending and receiving messages in irssi's query windows
- A roster with contact & resource tracking (contact list)
- Contact management (add, remove, manage subscriptions)
- Tab completion of commands, JIDs and resources
- Many extensions supported (XEP) including Multi-User Chat (MUC)
- Support for multiple accounts
- Unicode support (UTF-8)
- SSL and STARTTLS support
ok landry@ gonzalo@
- BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations
- BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect
- REORG/MINOR: use dedicated proxy flags for the cookie handling
- BUG/MINOR: config: do not report twice the incompatibility between cookie and non-http
- MINOR: contrib/iprange: add a network IP range to mask converter
- BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches
- OPTIM: halog: make use of memchr() on platforms which provide a fast one
- OPTIM: halog: improve cold-cache behaviour when loading a file
- MINOR: config: tolerate server "cookie" setting in non-HTTP mode
- BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
And others; while here, remove the maintainer for real and add reload to the rc.d(8) script.
Very initial update from chipitsine at gmail.com with tweaks by me. Thanks!
Ok aja@
and the line with the unregister.sh script down to the bottom of
the plist. Silences all the blurb about ".../*.haddock doesn't exist
or isn't a file."
rolled a new release quickly to revert, however since we've already
bumped the library, bump it again. No other changes.
While there, use a common distinfo file for all three 'sub-ports'
which share a single distfile.
ok brad@
Fix memory leak when AICH hashing already known files
(upstream git commit 9e62350fae9f24de64987a0cb002fdc15b5fa9af)
Like FAT, NTFS doesn't like special characters either
(upstream git commit 41113ecf15019301afea6cb35d9c35a7b8a0bdd1)
- slight tweaks to upgrade documentation while there; you should still
check the proper upgrade notes from upstream, but the README now points
idodb users at the actual location of the schema update files to save
a bit of hunting.
ocsync is the ownCloud version of csync.
Note that no @pkgpath nor quirks will be added because the "official"
csync client may appear in-tree.
ok jasper@
because I didn't sync PLIST-webkit (missed because it's only built as
a non-default pseudopackage); fix this by adding VERSION to SUBST_VARS
and syncing PLISTs, which also reduces the risk of problems in the future.
including URLs for registered users and subscribers of Snort.org
(suggested by Markus Lude who is taking maintainership of this port).
Also extend the URL regex check in the oinkmaster Perl script to
recognize an official Snort.org download URL.
OK Markus Lude (new maintainer) dcoppa@ sthen@
- attach icinga-web to build
icinga-core:
- bump REVISION for -main, -cgi and -ido
- remove CFGDIR, MAKE_FLAGS from Makefile which are relics
- replace /var/www with ${PREFIX-cgi}
- add instructions for icinga-web to README
- choose mysql by default
icinga-web:
- bump REVISION
- remove README, all instructions are in the icinga-core README
- remove comments about w.i.p
- choose mysql by default
- tell configure where to find icinga binary, icinga.cfg and the
icinga objects dir
- add icinga, icinga-idoutils and bash to RUN_DEPENDS
- patch shells scripts to use the correct path for bash
- patch databases.xml.in to have both DBs enabled by default
with help and ok from sthen aja
by me, ok jasper@
DNSCrypt-proxy provides local service which can be used directly
as your local resolver or as a DNS forwarder, encrypting requests
using the DNSCrypt protocol and passing them to an upstream server,
by default OpenDNS who run this on their resolvers.
The DNSCrypt protocol is very similar to DNSCurve, but focuses on
securing communications between a client and its first-level resolver.
While not providing end-to-end security, it protects the local
network, which is often the weakest point of the chain, against
man-in-the-middle attacks. It also provides some confidentiality to
DNS queries.
processing.
While there, remove unnecessary patches (some fixed upstream, some workarounds
for header problems which have since been cleaned up, and change the "Build the
pacrunner into libproxy" patch into -DBIPR:BOOL=OFF in CONFIGURE_ARGS instead).
ok ajacoutot@
* Add an rc.d script.
* In snort.conf, provide the URL to the official Snort rules so that
users know where to get them.
* In snort.conf, provide the URL to the Emerging Threats rules along
with a commented include line to allow users to easily load the
Emerging Threats rules if they wish.
* Revise pkg/README with details on where to obtain Snort rules, the
differences between the official Snort rules and Emerging Threats
rules, how to download them, and provide some guidance on setting up
Snort.
snort.conf and README changes OK Markus Lude (maintainer), sthen@
rc.d script OK sthen@
If specific combinations of RDATA are loaded into a nameserver, either
via cache or an authoritative zone, a subsequent query for a related
record will cause named to lock up.
See https://kb.isc.org/article/AA-00801 for more details.
* Added "qtype-any" filter for displaying ANY queries which are
now fashionable in DNS based attacks.
* Anand Buddhev pointed out that LDFLAGS= is missing from Makefile.in.
Also updated known_tlds.h.
While here, dest and GROFF are not needed.
Ok sthen@ (maintainer)
The Net::PcapWriter module allows creating pcap files within
a Perl program without capturing any data.
from Stefan Rinkes <stefan.rinkes AT gmail DOT com>
The Net::Inspect module allows inspecting data on various network
layers.
The idea of Net::Inspect is to plug various layers of network
inspection together to analyze data. This is kind of what Wireshark
or an IDS does, except this is in Perl and therefore slower to execute
but faster to develop and maybe more flexible too.
from Stefan Rinkes <stefan.rinkes AT gmail DOT com>
o Fixed sorting of 'fake' domain; ucfirst is not required.
o Capitalize region names ; fake domains (like 'Master') should be
ucfirst, and go to the top of the report list ; 'proper' regions
are sorted 'lc'. The ISO-country-list is now utf8,
Capitalized and complete.
o Faster probe-load averaging by always probing the average number
of mirrors. The 'ok' and 'not ok' mirrors are averaged separately.
o Show 'project_name' when reporting changes in the mirror-list.
o Show 'path' for rsync urls in the report like 'site::path'.
While here GROFF is not needed.
Ok sthen@ (maintainer)
* Changed HTTP authentication code to a modular one.
* Added SASL support for HTTP authentication.
* Fixed compilation issues with libpng 1.5.x.
And others; while here GROFF is not needed, change
configure style, add an rc.d(8) script, and edd@ drops
maintainership; I take care of this now.
Tested on amd64 and i386.
Ok edd@
IMP is a protocol for inspection, modification and rejection of
data between two sides (client and server) using an analyzer
implementing this interface.
OK sthen@
Thank you to all who tested: Markus Lude (sparc64), abieber@ (macppc),
and Adam Jeanguenat (i386); I also tested on amd64 and i386. Thank you
to Rodolfo Gouveia for help/tests on earlier versions, and brad@ for
comments on an earlier version.
From Markus Lude (maintainer), and includes changes done based on
feedback from sthen@ and myself.
OK abieber@ sthen@
DAQ, or Data Acquisition library, is a library for packet I/O. The DAQ
replaces direct calls to PCAP functions with an abstraction layer.
This port is needed by the upcoming Snort 2.9.3.1 update.
From Markus Lude, and includes a tweak from sthen@.
OK abieber@ sthen@
ports, for the ports that are built both on ruby 1.8 and ruby 1.9,
switch the category Makefiles to explicitly list the ruby18 FLAVOR
instead of the ruby19 FLAVOR.
Also, for home_run, fastri, and fastercsv, explicitly build only the
ruby 1.8 version of the port. These libraries can run on ruby 1.9, but
it doesn't make sense to build a ruby 1.9 version by default.
The situation is this: even when we --disable-gtk-doc, if gtk-doc is
actually installed at configure stage, tools like gtkdoc-rebase will be
picked up and run during the install target. That is bad because the
gtk-doc package may have been removed by then, especially during dpb(1)
bulks (we explicitly disable support for it so why should it stay...).
So for now, let's add the following env to configure whenever we use
--disable-gtk-doc, until a better solution is found...
CONFIGURE_ENV +=ac_cv_path_GTKDOC_CHECK="" \
ac_cv_path_GTKDOC_REBASE="" \
ac_cv_path_GTKDOC_MKPDF=""
An issue with the use of lease times was found and fixed. Making
certain changes to the end time of an IPv6 lease could cause the
server to abort. Thanks to Glen Eustace of Massey University,
New Zealand for finding this issue.
Changes in version 0.2.2.39 - 2012-09-11
Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
assertions.
o Security fixes:
- Fix an assertion failure in tor_timegm() that could be triggered
by a badly formatted directory object. Bug found by fuzzing with
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
- Do not crash when comparing an address with port value 0 to an
address policy. This bug could have been used to cause a remote
assertion failure by or against directory authorities, or to
allow some applications to crash clients. Fixes bug 6690; bugfix
on 0.2.1.10-alpha.
No CVEs for these vulnerabilities yet.
https://kb.isc.org/article/AA-00778
If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure.
This vulnerability can be exploited remotely against recursive servers
by inducing them to query for records provided by an authoritative
server. It affects authoritative servers if a zone containing this type
of resource record is loaded from file or provided via zone transfer.
with no objections. It relies on a GUI toolkit which hasn't been updated
in 10 years, needs to run as root in order to get tcpdump to parse
capture files, and even then it still doesn't work.
* Fix warnings reported by clang.
* Using -1 is the same as 0, except older libpcap left 0 undefined.
* Fixed non-conflict.
* Always process all waiting packets.
Tested on amd64.
Ok benoit@ (maintainer)
* Improved HTTPS cipher handling and added support for chained certificates.
* Allow the source password to be undefined. There was a corner case,
where a default password would have taken effect. It would require the
admin to remove the 'source-password' from the icecast config to take
effect. Default configs ship with the password set, so this
vulnerability doesn't trigger there.
* Prevent error log injection of control characters by substituting
non-alphanumeric characters with a '.' (CVE-2011-4612). Injection
attempts can be identified via access.log, as that stores URL encoded
requests. Investigation if further logging code needs to have
sanitized output is ongoing.
Tested on amd64.
Reads fine aja@
r1.1183 this is now subpackage-dependent - nfsen sets a different PREFIX for
different subpackages and this change caused failures in DPB builds (but not
normal builds) as they pass the subpackage in SUBDIR.
Problem reported by krw, ok espie@.
- MINOR: stats admin: allow unordered parameters in POST requests
- BUG/MAJOR: possible crash when using capture headers on TCP frontends
- MINOR: config: disable header captures in TCP mode and complain
- CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
- BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set
- MINOR: proxy: make findproxy() return proxies from numeric IDs too
- BUG/MINOR: stop connect timeout when connect succeeds
And others (http://haproxy.1wt.eu/download/1.4/src/CHANGELOG); while here GROFF is not needed,
add an rc.d(8) script, and the maintainer drops maintainership.
Tested on i386.
Ok sthen@ (untested)
Changes in version 0.2.2.38 - 2012-08-12
Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
fixes a remotely triggerable crash bug; and fixes a timing attack that
could in theory leak path information.
CVE-2012-3570: An Error in the Handling of an Unexpected Client
Identifiers can Cause Server Crash When Serving DHCPv6
CVE-2012-3571: An Error in the Handling of Malformed Client Identifiers
can Cause a Denial-of-Service Condition in Affected Servers
CVE-2012-3954: Memory Leaks Found in ISC DHCP
- rc.d script now generates the unbound-control keys if they don't exist
and the sample config file is patched to enable this, various rc.d/unbound
actions depend on this, pointed out/ok aja@
version of BIND than is in the base OS (some people require features
from this version e.g. DNS64), but note that it does not include
the hardening changes made to the version in base.
feedback from naddy@ giovanni@, ok giovanni@.
"BIND is open source software that implements the Domain Name System
(DNS) protocols for the Internet. It is a reference implementation
of those protocols, but it is also production-grade software,
suitable for use in high-volume and high-reliability applications."