CVE-2013-7106, CVE-2013-7107 https://dev.icinga.org/issues/5250
The icinga web gui is susceptible to several buffer overflow flaws,
which can be triggered as a logged on user. A remote attacker may
utilize a CSRF (cross site request forgery) attack vector against a
logged in user to exploit this flaw remotely.
CVE-2013-7108 https://dev.icinga.org/issues/5251
The icinga web gui are susceptible to an "off-by-one read" error
resulting from an improper assumption in the handling of user submitted
CGI parameters. [..] by sending a specially crafted cgi parameter,
the check routine can be forced to skip the terminating null pointer
and read the heap address right after the end of the parameter list.
Depending on the memory layout, this may result in a memory corruption
condition/crash or reading of sensitive memory locations.
Changelog:
* Fix for quote marks in private messages (thanks @jnm)
* -dontautoreply is a comma-separated list of names you don't want to
auto-reply to. Useful for users you don't want to interact with by mistake
Special thanks to Bhagya Bantwal of Sourcefire for a patch to fix
crashes on sparc64 on first alert.
Tested on sparc64 by Markus; tested on amd64, i386, and macppc by me.
It is currently used in Amarok 2 and Clementine to retrieve a
directory of podcasts and to synchronize podcast subscriptions with
gpodder.net.
This is a dependency for upcoming Clementine 1.2 update.
Input from and okay nigel@
In this release, four "fat" packages were split:
* kdeadmin
* kdenetwork
* kdesdk
* kdetoys
To make updates reliable, we provide corresponding meta-packages now.
Many new patches in x11/kde4 correspond to the linking problems detected.
Those are planned to integrate upstream but probably we'll have to keep
some of them until KDE 5.
For information about major KDE 4.11 features, look at the official site:
http://www.kde.org/announcements/4.11/
Kopete Jingle support is disabled for now, until googletalk-call gets
cured from permanent coredumping.
This update involved a lot of help and patience for my mistakes from
many people, including ajacoutot@, espie@, naddy@... but most of the
times this was landry@ who definitely deserves personal "thank you"!
with a couple of commercial dyndns providers which are also covered by
other software such as net/ddclient, net/inadyn, net/no-ip.
At the request of Mitja (maintainer), nobody complained on ports@ (and
it can always be fished out of the attic if needed).
* Avoid a node DoS on bad plugin (CVE-2013-6359)
* Avoid an OOM in HTML generation on bad multigraph data (CVE-2013-6048)
OK sthen@ with the reminder to fix substitue-confvar-inline target
"allow local as", extended filters, bugfixes and more.
Note these incompatible changes:
- IBGP is multihop by default.
- Changes primary address selection on BSD to the first one.
- Integers in filters are handled as unsigned.
- ISO 8601 time formats used by default.
- Import of device routes from kernel protocol allowed.
- Last state change now tracks just protocol state change.
- Minor changes to default router ID calculation.
