"Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
In order to check whether your Roundcube installation has been
compromised check the access logs for requests like
?_task=settings&_action=upload-display&_from=timezone
As mentioned above, the file disclosure only works for authenticated
users and by finding such requests in the logs you should also be able
to identify the account used for this unauthorized access. For
mitigation we recommend to change the all credentials to external
services like database or LDAP address books and preferably also the
'des_key' option in your config."
OK abieber@
Port changes:
- bump version
- everything now lives under /usr/local/share/yquake2
this has been asked by upstream and outlined in
their porting guide that was created after
I started complaining that they want relative
paths between the binaries:
https://github.com/yquake2/yquake2/blob/master/stuff/packaging.md#where-you-should-put-the-executables
- adding a new wrapper for the quake2 binary
to cd into the port directory before executing it
as we provide no way for a binary to get its executable
directory
- drop the patch that hardcoded the executable directory
upstream accounted for us not supporting that feature
and defaults to returning cwd (./) instead of bailing
out with an error
- modified the q2ded rc.d script to account for the need
of changing the working directory before starting the
server
- note I am not providing a separate wrapper for q2ded
in /usr/bin on purpose - I don't see a need for running
it outside of the rc.d scripts for any reasons other
than debugging and that's rare enough that people can
just cd to the game folder themselves
- we can drop the Makefile compilation flag diff as
upstream took our patch
Upstream changelog:
Quake II 7.01 to 7.02:
- Fix several corner cases regarding render library loading. The game
should now always fall back to the OpenGL 1.4 renderer if the new
OpenGL 3.2 renderer can't be initialized. Also the game aborts if no
useable OpenGL implementation exists.
- Refactor the search path code. This should fix several bugs with
Quake II writing to the wrong directories or being unable to find
some / all assets.
- Reimplement portable binaries. If called with the -portable command
line option Quake II saves all data (configs, savegames, screenshorts
etc.) into it's systemwide installation directory and not users home
directory. In contrast to the old implementation on Windows stdout.txt
contains all output, the first lines are no longer missing.
- vid_fullscreen set to 1 now keeps the desktops resolution. Set it to 2
to change the resolution.
- Instead of a list with precalculated FOV values the video menu now
shows a slider with possible values from 60 to 120. Horplus is now
always enabled, set the horplus cvar to 0 to disable it.
- The game is now able to hold the requested framerate (either by the
vsync or the gl_maxfps cvar) with an accuracy of about +/- 1% as long
as the hardware is fast enough. The framecounter was reimplemented
to be much more precise.
- Fix misspredictions if an original client running on Win32 connects
to a Yamagi Quake II server running on Linux/i386.
Newsboat is a fork of Newsbeuter, an RSS/Atom feed reader for text
terminals.
Newsboat's great configurability and vast number of features make
it a perfect choice for people that need a slick and fast feed
reader that can be completely controlled via keyboard.
OK bcallah@
