security/zeek: Update to 8.0.9
https://github.com/zeek/zeek/releases/tag/v8.0.9
This release fixes the following potential DoS vulnerabilities:
- The NVT, Rlogin, and RSH analyzers have received fixes to avoid
unbounded state growth. Due to the fact that these packets can
be received from remote hosts, these are considered DoS risks.
- A specially crafted WebSocket payload can cause the Spicy WebSocket
analyzer to use excessive memory when processing close, ping,
and pong frames. Due to the fact that these packets can be
received from remote hosts, these are considered a DoS risk.
- A specially crafted series of Finger packets can cause the Spicy
Finger analyzer to use excessive amounts of memory and potentially
crash Zeek. Due to the fact that these packets can be received
from remote hosts, this is considered a DoS risk.
[100 lines not shown]
security/vuxml: Mark security/zeek < 8.0.9 as vulnerable as per:
https://github.com/zeek/zeek/releases/tag/v8.0.9
This release fixes the following potential DoS vulnerabilities:
- The NVT, Rlogin, and RSH analyzers have received fixes to avoid
unbounded state growth. Due to the fact that these packets can
be received from remote hosts, these are considered DoS risks.
- A specially crafted WebSocket payload can cause the Spicy WebSocket
analyzer to use excessive memory when processing close, ping,
and pong frames. Due to the fact that these packets can be
received from remote hosts, these are considered a DoS risk.
- A specially crafted series of Finger packets can cause the Spicy
Finger analyzer to use excessive amounts of memory and potentially
crash Zeek. Due to the fact that these packets can be received
from remote hosts, this is considered a DoS risk.
[52 lines not shown]
games/battletanks: allow to build against any supported Lua version
Drop CXXFLAGS+=-fpermissive while here which seems no longer needed
and sort the `pkg-plist' after commit 2d8f9fb62e9e.
databases/lmdb0: Add port for LMDB 0.9.x legacy ABI
LMDB 1.0 introduced an incompatible on-disk format change and subtle
API breakage: applications that compiled cleanly against 1.0 headers
could fail silently at run time. Known affected ports include dns/knot3,
mail/bogofilter, and mail/postfix; the postfix issue has been confirmed
upstream. Linux distributions such as Arch Linux have observed the same
breakage. Samba can also be affected in certain configurations.
Because the regression is not detectable in an -exp build run -- the
postfix failure only manifests at run time, and bogofilter was caught
only because post-build self-tests happen to exercise this path -- we
cannot rely on package builds to validate the 1.0 upgrade.
This commit introduces databases/lmdb0 as a holding port for the 0.9.35
release, pinned to the 0.x branch with PORTSCOUT=limit:^0. and mutually
conflicting with databases/lmdb, which retains 1.0. The two packages
cannot be installed simultaneously, but having lmdb0 available means:
[13 lines not shown]