[odc] Daily ports changes for 2006-05-01
ODC
auto at squish.net
Tue May 2 08:08:16 BST 2006
OpenBSD ports changes summary for 2006-05-01
============================================
archivers/zoo converters/p5-Convert-ASN1
databases databases/directoryassistant
databases/mdbtools devel/svk
graphics/dia mail/hashcash
mail/mailman net
net/curl net/jabberd
net/lftp net/openvpn
net/pebrot security/clamav
security/gnupg security/p5-Crypt-CBC
www/mediawiki www/nostromo
www/p5-HTML-Mason x11/mplayer
== archivers ========================================================= 01/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/archivers
zoo
~ Makefile + patches/patch-misc_c
+ patches/patch-parse_c + patches/patch-portable_c
TAGGED OPENBSD_3_9
> MFC:
> fix several buffer overflows/issues from gentoo/fedora, brought up
> by Rui Reis <rui at rui.cx> more exist for sure... (sturm@)
== converters ======================================================== 02/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/converters
p5-Convert-ASN1
~ Makefile ~ distinfo
> update to 0.20 (kevlo@)
== databases ========================================================= 03/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/databases
databases
~ Makefile
> +mdbtools (forgot to say, thx jasper for tests) (espie@)
~ Makefile
> Add directoryassistant (alek@)
directoryassistant
+ Makefile + distinfo
+ pkg/DESCR + pkg/PLIST
> New import:
> Import directoryassistant 2.0
mdbtools
+ snapshot/distinfo + snapshot/Makefile
+ snapshot/pkg/PLIST + snapshot/pkg/PFRAG.shared
+ snapshot/pkg/DESCR + snapshot/pkg/PLIST-gmdb
+ snapshot/pkg/DESCR-gmdb
+ snapshot/patches/patch-doc_Makefile_in
+ snapshot/patches/patch-src_libmdb_file_c
+ snapshot/patches/patch-src_gmdb2_sql_c
> New import:
> read access database files (jet format 3.0 and 4.0)
== devel ============================================================= 04/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/devel
svk
~ Makefile ~ distinfo
> update to svk 1.0.7 (kevlo@)
== graphics ========================================================== 05/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics
dia
~ Makefile
+ patches/patch-plug-ins_xfig_xfig-import_c
+ patches/patch-plug-ins_xfig_xfig_h
TAGGED OPENBSD_3_9
> MFC:
> SECURITY FIX:
> A voluntary security review of the importers by infamous41md has turned up
> three buffer overflow errors in the xfig import code.
> Details:
> http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html (sturm@)
== mail ============================================================== 06/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/mail
hashcash
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> SECURITY update to hashcash 1.21
> fix potential heap overflow bug reported by Andreas Seltenreich
> from Armin Wolfermann (maintainer) (sturm@)
mailman
~ Makefile ~ distinfo
~ pkg/PLIST
TAGGED OPENBSD_3_9
> MFC:
> upgrade to mailman 2.1.8; recommended upgrade as this fixes a cross-site
> scripting security bug in the previous release (CVE-2006-1712). (sturm@)
== net =============================================================== 07/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/net
net
~ Makefile
> cjk flavor has been removed from pebrot (naddy@)
curl
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> SECURITY: Update to 7.15.3.
> Fixes TFTP packet buffer overflow vulnerability. (CVE-2006-1061) (sturm@)
jabberd
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> SECURITY: update to 2.0s11
> http://jabberstudio.org/projects/jabberd2/releases/view.php?id=826
> * Sending a stanza before an stanza during a SASL negotiation can
> cause a c2s segfault, leading to a remote DoS
> http://jabberstudio.org/projects/jabberd2/releases/view.php?id=802
> * fixed SASL anonymous, bug#126
> * fixed edge cases with new dynamic jid code
> * fixed incorrect free order in c2s, bug#125
> * corrected debug logging, bug#119
> * fixed s2s bus error on 64-bit architectures, bug#122
> * fixed c2s collisions due to long jids, bug#118
> * fixed error response to iq result, bug#110
> * fixed roster pushing packets without id, bug#73
> * applied new dynamic jid patch, bug#100
> * fixed double free of nad in c2s and s2s, bug#97
> * major memory enhancement, made jid structure dynamically allocated,
> bug#100
> * fixed glibc error with custom sql statements, bug#106
> * fixed segfault with keepalives, bug#102 (sturm@)
lftp
~ Makefile ~ distinfo
~ pkg/PLIST
> upgrade to lftp 3.4.6 (kevlo@)
openvpn
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> Security update to openvpn-2.0.6.
> * Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
> An OpenVPN client connecting to a
> malicious or compromised server could potentially receive
> "setenv" configuration directives from the server which could
> cause arbitrary code execution on the client via a LD_PRELOAD
> attack.
> Detailed information: http://openvpn.net/changelog.html (sturm@)
pebrot
~ Makefile ~ distinfo
> - upgrade to pebrot 0.8.8
> - switch to python 2.4 (kevlo@)
== security ========================================================== 08/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/security
clamav
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> Update to ClamAV 0.88.1.
> 1) An unspecified integer overflow error exists in the PE header parser
> in "libclamav/pe.c".
> 2) Some format string errors in the logging handling in
> "shared/output.c" may be exploited to execute arbitrary code.
> 3) An out-of-bounds memory access error in the "cli_bitset_test()"
> function in "libclamav/others.c" may be exploited to cause a crash.
> CVE reference: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630
> More info: http://secunia.com/advisories/19534/
> -----------
> Update to ClamAV 0.88.2
> This release improves virus detection and fixes zip handling on 64-bit
> architectures.
> SECURITY
> This release fixes a possible security problem in freshclam.
> See http://www.clamav.net/security/0.88.2.html for a full security report.
> (sturm@)
~ Makefile ~ distinfo
TAGGED OPENBSD_3_7
> MFC:
> Update to ClamAV 0.88.2
> This release improves virus detection and fixes zip handling on 64-bit
> architectures.
> SECURITY
> This release fixes a possible security problem in freshclam.
> See http://www.clamav.net/security/0.88.2.html for a full security report.
> (sturm@)
~ Makefile ~ distinfo
TAGGED OPENBSD_3_8
> MFC:
> Update to ClamAV 0.88.2
> This release improves virus detection and fixes zip handling on 64-bit
> architectures.
> SECURITY
> This release fixes a possible security problem in freshclam.
> See http://www.clamav.net/security/0.88.2.html for a full security report.
> (sturm@)
gnupg
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> security update to gnupg-1.4.2.2
> from gnupg.org:
> Signature verification of non-detached signatures may give a positive
> result but when extracting the signed data, this data may be prepended
> or appended with extra data not covered by the signature. Thus it is
> possible for an attacker to take any signed message and inject extra
> arbitrary data. (sturm@)
p5-Crypt-CBC
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> SECURITY update to Crypt::CBC 2.17
> Versions of this module prior to 2.17 were incorrectly
> using 8 byte IVs when generating the old-style RandomIV style header
> (as opposed to the new-style random salt header). This affects data
> encrypted using the Rijndael algorithm, which has a 16 byte blocksize,
> and is a significant security issue.
> The bug has been corrected in versions 2.17 and higher by making it
> impossible to use 16-byte block ciphers with RandomIV headers. You may
> still read legacy encrypted data by explicitly passing the
> -insecure_legacy_decrypt option to Crypt::CBC->new(). (sturm@)
== www =============================================================== 09/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/www
mediawiki
~ Makefile ~ distinfo
~ pkg/PLIST
TAGGED OPENBSD_3_9
> MFC:
> Security update to mediawiki-1.5.8.
> A bug in decoding of certain encoded links could allow injection of raw
> HTML into page output; this could potentially lead to XSS attacks.
> More info:
> http://mail.wikipedia.org/pipermail/mediawiki-announce/2006-March/000040.html
> (sturm@)
nostromo
~ Makefile ~ distinfo
TAGGED OPENBSD_3_9
> MFC:
> SECURITY: update to 1.7.9 which fixes a buffer overflow in the
> http_header_comp() function (sturm@)
p5-HTML-Mason
~ Makefile ~ distinfo
~ pkg/PLIST
> update to 1.32, a few performance improvements and bug-fixes.
> okay maintainer. (espie@)
== x11 =============================================================== 10/10 ==
http://www.openbsd.org/cgi-bin/cvsweb/ports/x11
mplayer
~ Makefile
+ patches/patch-libmpdemux_asfheader_c
+ patches/patch-libmpdemux_aviheader_c
TAGGED OPENBSD_3_9
> MFC:
> Protect from integer overflows. See CVE-2006-1502 (sturm@)
===============================================================================