editors/neovim: backport arbitrary code execution fix to 6.4-stable.
Source command doesn't check for the sandbox.
https://github.com/neovim/neovim/pull/10082
Detailed description:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
I also had to add another MASTER_SITE to libelf to get this to build.
Seems they have re-rolled their distfile at some point.
Reads OK, sthen@
Force the PHP version to 7.1 which is the minimum required by
Nextcloud, spotted by matthieu@ by the hard way.
Discussed with sthen@
OK sthen@
OpenBSD/ports h5MzDA5 — sysutils/firmware/intel Makefile distinfo, sysutils/firmware/intel/pkg PLIST
MFC new intel microcode
MFC make MASTER_SITES conditional on !GH_ACCOUNT
SECURITY update to samba-4.8.12
Fixes:
o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
Release notes:
https://www.samba.org/samba/history/samba-4.8.12.html
Update for Nextcloud to 16.0.0:
https://nextcloud.com/changelog/
Fart cloud all the things!
OK stsp@
Update for Nextcloud to 15.0.7:
https://nextcloud.com/changelog/
OK kirby@
SECURITY update to samba-4.8.11
Fixes:
- CVE-2019-3880 (Save registry file outside share as unprivileged user)
Release notes:
https://www.samba.org/samba/history/samba-4.8.11.html
6.4 tests by Ian McWilliam
OpenBSD/ports yT7x2tn — www/apache-httpd Makefile, www/apache-httpd/patches patch-modules_ssl_ssl_private_h patch-modules_ssl_ssl_engine_init_c
move apache-httpd in -stable back to MODSSL_USE_OPENSSL_PRE_1_1_API codepaths,
in the 2.4.35->37 timeframe they switched to newer-API codepaths which seem to
be working in -current but fall over easily on 6.4/-stable, at least with the
event mpm.
problem reported by Frank Groeneveld.
MFC security updates to PHP 7.1.28 and 7.2.17.
(6.4 also shipped with 5.6 and 7.0 branches which are now EoL).
OpenBSD/ports uWflrss — www/apache-httpd Makefile, www/apache-httpd/patches patch-modules_filters_mod_reqtimeout_c
MFC: backport Apache httpd fix affecting file uploads, they were broken in 2.4.39
unless the admin specifies an explicit RequestReadTimeout.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63325
https://svn.apache.org/viewvc?view=revision&revision=1857129
OpenBSD/ports Aa5QCl9 — www/apache-httpd distinfo Makefile, www/apache-httpd/patches patch-modules_ssl_ssl_engine_init_c patch-configure
update -stable to apache httpd 2.4.39 - important security fixes
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.39
update -stable to Dovecot 2.2.36.3, from Brad
OpenBSD/ports 4OIw0Je — security/clamav Makefile distinfo, security/clamav/patches patch-libclamav_Makefile_in patch-clamd_Makefile_in
update clamav in -stable to 0.100.3
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1785 CVE-2019-1786 CVE-2019-1787 CVE-2019-1788 CVE-2019-1789
CVE-2019-1798
MFC: Update to firefox-esr 60.6.1.
Fixes https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/
6.4-stable packages will be available tomorrow late, still building.
MFC: Update to firefox-esr 60.6.0.
See https://www.mozilla.org/en-US/firefox/60.6.0/releasenotes/
Fixes https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/
6.4-stable packages at the usual spot.
Use upstream patch to fix the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Update to ruby 2.5.5
Fixes the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Fix typo on my previous commit spotted by aja@
Also we want to unify the variables.
List alphabetically and remove the duplicate lines, from Bruno Flueckiger.
Thanks!
OpenBSD/ports soTg3EE — lang/php/7.2 Makefile distinfo, lang/php/7.2/patches patch-php_ini-development patch-php_ini-production
update -stable to php-7.2.16
OpenBSD/ports fG7NuFo — lang/php/7.1 Makefile distinfo, lang/php/7.1/patches patch-acinclude_m4 patch-aclocal_m4
update -stable to php-7.1.27
Update for Nextcloud to 15.0.5
https://nextcloud.com/changelog/
update to wireshark-2.6.7 in -stable
OpenBSD/ports ULMlXSZ — databases/mariadb Makefile, databases/mariadb/patches patch-scripts_mysql_install_db_sh
Fix the mysql_install_db script. From Brad.
SECURITY update to 0.3.4.11.
Tested and ok stsp@
OpenBSD/ports CfO7Bz7 — comms/conserver Makefile, comms/conserver/patches patch-console_console_c
MFC conserver console(1) fix
OpenBSD/ports LsNlzrJ — comms/conserver Makefile, comms/conserver/patches patch-conserver_main_c
MFC conserver fixes:
- rc.d: where possible only attempt to signal the master, not the children
- FLAVOR=net: unbreak, :@SECLEVEL=0 is invalid
OpenBSD/ports eXm8D4m — mail/dovecot Makefile distinfo, mail/dovecot-pigeonhole distinfo Makefile
Update -stable to Dovecot 2.2.36.1 for CVE-2019-3814 and the
bug fixes in Dovecot and Dovecot-pigeonhole 0.4.24.1.
From Brad.
MFC: Bugfix update to firefox-esr 60.5.2.
See https://www.mozilla.org/en-US/firefox/60.5.2/releasenotes/
Fixes crashes when reading Reuters news, cf https://bugzilla.mozilla.org/1505844