[UPDATE] security/libssh
Hi, this is the diff to update libssh to latest release. Ok? Cheers, Remi. Index: Makefile === RCS file: /cvs/ports/security/libssh/Makefile,v retrieving revision 1.12 diff -u -p -u -p -r1.12 Makefile --- Makefile9 Feb 2015 08:16:54 - 1.12 +++ Makefile3 Nov 2015 15:19:01 - @@ -2,15 +2,16 @@ COMMENT = C library implementing server and client side # XXX if updating, check the number in the MASTER_SITES path -DISTNAME = libssh-0.6.4 +DISTNAME = libssh-0.7.2 -SHARED_LIBS += ssh 1.1 # 4.5 -SHARED_LIBS += ssh_threads 1.1 # 4.5 +SHARED_LIBS += ssh 2.0 # 4.5 +SHARED_LIBS += ssh_threads 2.0 # 4.5 CATEGORIES = security devel HOMEPAGE = http://www.libssh.org/ -MASTER_SITES = https://red.libssh.org/attachments/download/107/ +MASTER_SITES = https://red.libssh.org/attachments/download/177/ +EXTRACT_SUFX = .tar.xz MAINTAINER = Remi Pointel Index: distinfo === RCS file: /cvs/ports/security/libssh/distinfo,v retrieving revision 1.9 diff -u -p -u -p -r1.9 distinfo --- distinfo9 Feb 2015 08:16:54 - 1.9 +++ distinfo3 Nov 2015 15:19:01 - @@ -1,2 +1,2 @@ -SHA256 (libssh-0.6.4.tar.gz) = fjIF4ulb81sjuDpkhafVmr58dUbQG3KPaRzww3Qha1I= -SIZE (libssh-0.6.4.tar.gz) = 381835 +SHA256 (libssh-0.7.2.tar.xz) = oyxFuWdBQcq0vehN7X1T6TEHbGsPELj9Yn81hPrrrmI= +SIZE (libssh-0.7.2.tar.xz) = 350540 Index: pkg/PLIST === RCS file: /cvs/ports/security/libssh/pkg/PLIST,v retrieving revision 1.5 diff -u -p -u -p -r1.5 PLIST --- pkg/PLIST 9 Feb 2015 08:16:54 - 1.5 +++ pkg/PLIST 3 Nov 2015 15:19:01 - @@ -3,6 +3,7 @@ include/libssh/ include/libssh/callbacks.h include/libssh/legacy.h include/libssh/libssh.h +include/libssh/libsshpp.hpp include/libssh/server.h include/libssh/sftp.h include/libssh/ssh2.h
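Review bot: In the Makefile hunk, both SHARED_LIBS entries go from 1.1 to 2.0 while the trailing `# 4.5` comment is left unchanged; please confirm that the comment still matches what libssh 0.7.2 ships. A major bump also means every port linking against libssh has to be rebuilt, and the mail does not say which dependent ports were built and tested against the new library.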
Re: Clarification about out-of-date script
On Tue, Nov 03, 2015 at 10:38:17AM +0500, Артур Истомин wrote:
> On Tue, Nov 03, 2015 at 02:19:51AM +0100, Juan Francisco Cantero Hurtado wrote:
> > On Sun, Nov 01, 2015 at 11:41:21PM +0500, Артур Истомин wrote:
> > > Here is output on my system, OpenBSD 5.8, from out-of-date script:
> > >
> > > databases/postgresql,-server # @libxml-2.9.2p1 -> @libxml-2.9.2p2
> > > devel/quirks # always-update -> quirks-2.114
> > > editors/libreoffice,-main # @libxslt-1.1.28p2 -> @libxslt-1.1.28p3
> > > misc/shared-mime-info # @libxml-2.9.2p1 -> @libxml-2.9.2p2
> > > multimedia/libbluray # @libxml-2.9.2p1 -> @libxml-2.9.2p2
> > > print/cups,-libs # @gnutls-3.3.16 -> @gnutls-3.3.16p0
> > > textproc/raptor # @libxslt-1.1.28p2 -> @libxslt-1.1.28p3
> > > x11/gnome/librsvg # @gdk-pixbuf-2.30.8p1,@libxml-2.9.2p1 -> @gdk-pixbuf-2.30.8p3,@libxml-2.9.2p2
> > > x11/gtk+2,-main # @gdk-pixbuf-2.30.8p1 -> @gdk-pixbuf-2.30.8p3
> > > x11/gtk+3,-guic # @gdk-pixbuf-2.30.8p1 -> @gdk-pixbuf-2.30.8p3
> > > x11/kde/libs3,-main # @libxslt-1.1.28p2 -> @libxslt-1.1.28p3
> > >
> > > Am I right, that left column is ports/packages that can be updated; right
> > > column is reason why they need to be updated?
> >
> > Yes.
> >
> > > Also is it true that in my case I can ignore all these updates because
> > > all ports from left column are dynamically linked with already updated
> > > library from right column?
> >
> > No. Those ports use the outdated version of the library.
>
> Can You elaborate, please, I don't understand. E.g. shared-mime-info.
>
> $ ldd /usr/local/bin/update-mime-database | grep libxml
> 1d0114c0 1d011515f000 rlib 01 0 /usr/local/lib/libxml2.so.15.1
>
> $ pkg_info | grep libxml
> libxml-2.9.2p2 XML parsing library
>
> So libxml already updated. If I understand correctly: if libxml updated and
> update-mime-database _dynamically_ linked to it there is no need further
> intervention, is it not so?
If a new version of a port doesn't change the version number of the lib,
then the ports which depend on the lib will use the updated version. If
there is an increase in the version number of the lib (SHARED_LIBS in the
Makefile, unrelated to the version of the port), then the ports will use
the outdated library.

"pkg_info -A | grep ^\\." shows the outdated libs.

--
Juan Francisco Cantero Hurtado http://juanfra.info
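Added example (not part of the thread or of the ports tools): a small parser for out-of-date output in the format quoted above, grouping the flagged ports by the dependency whose package name changed. The sample lines are constructed from the quoted output with the mail line wraps undone; treating entries without a leading `@` as non-dependency changes is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format quoted in the thread, unwrapped.
SAMPLE = """\
databases/postgresql,-server # @libxml-2.9.2p1 -> @libxml-2.9.2p2
devel/quirks # always-update -> quirks-2.114
print/cups,-libs # @gnutls-3.3.16 -> @gnutls-3.3.16p0
textproc/raptor# @libxslt-1.1.28p2 -> @libxslt-1.1.28p3
x11/gnome/librsvg # @gdk-pixbuf-2.30.8p1,@libxml-2.9.2p1 -> @gdk-pixbuf-2.30.8p3,@libxml-2.9.2p2
x11/gtk+2,-main # @gdk-pixbuf-2.30.8p1 -> @gdk-pixbuf-2.30.8p3
"""

# "<pkgpath> # <old signature items> -> <new signature items>"
LINE = re.compile(r"^(?P<port>[^\s#]+)\s*#\s*(?P<old>.+?)\s*->\s*(?P<new>.+?)\s*$")


def stem(item):
    """'@gdk-pixbuf-2.30.8p1' -> 'gdk-pixbuf' (name up to the version)."""
    name = item.lstrip("@")
    m = re.match(r"(.+?)-\d", name)
    return m.group(1) if m else name


def deps(field):
    """Map dependency stem -> full package name for the '@' items of a field."""
    items = (i.strip() for i in field.split(","))
    return {stem(i): i.lstrip("@") for i in items if i.startswith("@")}


def group_by_dependency(text):
    """Return ({dependency: [(port, old_pkg, new_pkg), ...]}, other_ports)."""
    by_dep, other = defaultdict(list), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an out-of-date result line
        old, new = deps(m["old"]), deps(m["new"])
        changed = [d for d in old if d in new and old[d] != new[d]]
        if not changed:
            # Assumption: no '@' item changed, so the port is flagged
            # for a reason other than a dependency update.
            other.append(m["port"])
        for d in changed:
            by_dep[d].append((m["port"], old[d], new[d]))
    return dict(by_dep), other


if __name__ == "__main__":
    grouped, other = group_by_dependency(SAMPLE)
    for dep, rows in sorted(grouped.items()):
        print(f"{dep}: {rows[0][1]} -> {rows[0][2]}")
        for port, _, _ in rows:
            print(f"    {port}")
    print("flagged for other reasons:", ", ".join(other))
```

Grouping this way shows that the sample reduces to four dependency updates (libxml, libxslt, gnutls, gdk-pixbuf) rather than many unrelated port changes.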
Re: Vulnerable packages in ports tree 03/11
devel/jdk/1.7 & 1.8 http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
[NEW] database/liquibase
Here is a port of liquibase.

From pkg/DESCR:

Liquibase is a Java-based command-line tool that allows you to build and
maintain a SQL database schema using a series of "changeset" files that
can be checked into a version control system. This allows the database
schema to be just another piece of your application that can be versioned
and maintained, just like any other piece of source code.

See http://liquibase.org for full documentation.

Comments or recommendations gratefully accepted.

I had originally wanted to pull the source and build it; however, as this
uses Maven, the build is dynamic and will pull down other files which will
break the build process for the binary packages. Given that, I felt the
best approach would be to pull the official "compiled" jarfile instead, as
security/burpsuite does.

As I am not a committer, I will need someone to commit the changes on my
behalf if approved.

Thanks,
Bryan

liquibase.tgz
Description: GNU Zip compressed data
Re: py-acme, plus deps
On 2015/11/03 22:42, Stuart Henderson wrote:
> Attached tgz contains:
>
> textproc/py-pyRFC3339 - python library for the RFC-3339 date format.
>
> www/py-ndg-httpsclient - https client using py-openssl rather than the
> built-in python SSL support.
>
> The above two are dependencies of:
>
> security/py-acme - python library for the ACME protocol used by
> letsencrypt. This is a devel release and isn't expected to be perfect
> yet but it's required for the client software for the letsencrypt CA
> and would be useful to have around.
>
> any OKs to import?

(pretend the WANTLIB lines aren't there ;)
py-acme, plus deps
Attached tgz contains:

textproc/py-pyRFC3339 - python library for the RFC-3339 date format.

www/py-ndg-httpsclient - https client using py-openssl rather than the
built-in python SSL support.

The above two are dependencies of:

security/py-acme - python library for the ACME protocol used by
letsencrypt. This is a devel release and isn't expected to be perfect
yet but it's required for the client software for the letsencrypt CA
and would be useful to have around.

any OKs to import?

py-acme-and-friends.tgz
Description: application/tar-gz
Re: www/youtube-dl fetch fails due to ssl handshake failure
On 2015/11/03 22:13, Markus Lude wrote:
> On Mon, Nov 02, 2015 at 08:53:41PM +, Stuart Henderson wrote:
> > On 2015/11/02 19:45, Markus Lude wrote:
> > > On Sat, Oct 24, 2015 at 09:05:27PM +0200, Markus Lude wrote:
> > > > Hello Paul,
> > >
> > > Hello again,
> > >
> > > > make fetch fails for recent youtube-dl:
> > > >
> > > > ===> Checking files for youtube-dl-2015.10.24
> > > > >> Fetch https://yt-dl.org/downloads/2015.10.24/youtube-dl-2015.10.24.tar.gz
> > > > ftp: SSL read error: read failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> > >
> > > recent update to youtube-dl-2015.11.01 fails too at the download stage:
> > >
> > > ===> Checking files for youtube-dl-2015.11.01
> > > >> Fetch https://yt-dl.org/downloads/2015.11.01/youtube-dl-2015.11.01.tar.gz
> > > ftp: SSL read error: read failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> > >
> > >
> > > quick workaround: use http instead?
> > >
> > > Regards,
> > > Markus
> > >
> >
> > The https server for yt-dl.org requires SNI, is there anything unusual
> > about the way you're connecting to it (weird proxy or something)?
>
> I'm not aware of any proxy (yet).
>
> > It would be interesting to see what 'nc -vvc yt-dl.org 443' says.
>
> $ nc -vvc yt-dl.org 443
> Connection to yt-dl.org 443 port [tcp/https] succeeded!
> TLS handshake negotiated TLSv1.2/DHE-RSA-AES256-GCM-SHA384 with host yt-dl.org
> Peer name yt-dl.org
> Subject: /OU=Domain Control Validated/OU=PositiveSSL/CN=yt-dl.org
> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> Cert Hash: SHA256:a396c2fb2644a50328b208e335e897a7639a7a2f2a22ae7f04d6908322a9429c
>

That's exactly what I'd expect from nc - that's odd though... if nc can
connect, I don't think there's any reason why ftp shouldn't be able to
(since jca added SNI support in 2014). Not really sure what to suggest...
Re: www/youtube-dl fetch fails due to ssl handshake failure
On Mon, Nov 02, 2015 at 08:53:41PM +, Stuart Henderson wrote:
> On 2015/11/02 19:45, Markus Lude wrote:
> > On Sat, Oct 24, 2015 at 09:05:27PM +0200, Markus Lude wrote:
> > > Hello Paul,
> >
> > Hello again,
> >
> > > make fetch fails for recent youtube-dl:
> > >
> > > ===> Checking files for youtube-dl-2015.10.24
> > > >> Fetch https://yt-dl.org/downloads/2015.10.24/youtube-dl-2015.10.24.tar.gz
> > > ftp: SSL read error: read failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> >
> > recent update to youtube-dl-2015.11.01 fails too at the download stage:
> >
> > ===> Checking files for youtube-dl-2015.11.01
> > >> Fetch https://yt-dl.org/downloads/2015.11.01/youtube-dl-2015.11.01.tar.gz
> > ftp: SSL read error: read failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> >
> >
> > quick workaround: use http instead?
> >
> > Regards,
> > Markus
> >
>
> The https server for yt-dl.org requires SNI, is there anything unusual
> about the way you're connecting to it (weird proxy or something)?

I'm not aware of any proxy (yet).

> It would be interesting to see what 'nc -vvc yt-dl.org 443' says.

$ nc -vvc yt-dl.org 443
Connection to yt-dl.org 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/DHE-RSA-AES256-GCM-SHA384 with host yt-dl.org
Peer name yt-dl.org
Subject: /OU=Domain Control Validated/OU=PositiveSSL/CN=yt-dl.org
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Cert Hash: SHA256:a396c2fb2644a50328b208e335e897a7639a7a2f2a22ae7f04d6908322a9429c
Re: NEW: textproc/wkhtmltopdf
On Tue, Nov 03, 2015 at 07:53:21PM +0100, Frank Groeneveld wrote:
> On 10/31/15 16:47, Frank Groeneveld wrote:
> >Ping?
> >
> >It's quite a simple port which only takes a few minutes to build on my
> >machine. You can then test it by running something like:
> >wkhtmltopdf http://www.openbsd.org/ openbsd.pdf
> >
> >Frank
>
> As noted by somebody off-list, it might be useful to have the port attached
> again to my ping mail, so people don't have to search for it. I've attached
> it to this mail. Please let me know what you think about it.

That reads good to me - minor nit, if you run make update-plist it should
remove the man/ man/man1/ dirs from the PLIST which I think are not needed.

As for the background dep on QT4, I highly prefer depending on the existing
one instead of building another bundled copy, so the way you did it makes
perfect sense.

(note: haven't built/tested it yet)

Landry
Re: NEW: net/tinc
On Mon Nov 02, 2015 at 10:35:42PM +, Stuart Henderson wrote:
> On 2015/11/02 22:08, Stuart Henderson wrote:
> > I've got a bit more on top of this, will send it in a bit..
> >
>
> - remove pointless lines from Makefile
> - install sample config
> - patch out mentions of '/dev/tun* link0' for OpenBSD, this is now /dev/tap*
> - add a uid, use it and chroot in tincd.rc
> - no need to override the standard functions in tincd.rc
>

Great modifications! Thank you Stuart. Review and build by me and runtime
test by Uwe with a complex TOR setup.

> It could maybe also do with a little README showing people which files to edit
> and how to set tincd_flags in rc.conf.local to override the default config.

I don't think so, tincd(8) and tinc.conf(5) are looking complete for me
and rc(8) manuals are perfect. All manuals with examples, so okay from me.

Cheers,
Rafael
Re: NEW: textproc/wkhtmltopdf
On 10/31/15 16:47, Frank Groeneveld wrote:
> Ping?
>
> It's quite a simple port which only takes a few minutes to build on my
> machine. You can then test it by running something like:
> wkhtmltopdf http://www.openbsd.org/ openbsd.pdf
>
> Frank

As noted by somebody off-list, it might be useful to have the port attached
again to my ping mail, so people don't have to search for it. I've attached
it to this mail. Please let me know what you think about it.

Frank

wkhtmltopdf-port-0.12.2.4p0.tar.gz
Description: application/gzip
Re: [UPDATE] sysutils/tarsnap-gui
On Mon, Nov 02, 2015 at 11:07:11PM -0500, Josh Grosse wrote:
> Updated to version 0.7. Tested on amd64, with both a simple tiling
> window manager and also with Gnome, to test a new notification feature.
>
> A pkg-readme was added with one paragraph of upgrade notes, excerpted
> from the upstream CHANGELOG.
>
> OK?

Looks good. I can commit tonight.

--
James Turner
Re: Vulnerable packages in ports tree 03/11
On Tue, 03 Nov 2015, Sevan / Venture37 wrote: > net/miniupnpc - http://talosintel.com/reports/TALOS-2015-0035/ Here's a diff for miniupnpc: Index: Makefile === RCS file: /cvs/ports/net/miniupnp/miniupnpc/Makefile,v retrieving revision 1.6 diff -u -p -u -p -r1.6 Makefile --- Makefile3 Feb 2014 13:30:52 - 1.6 +++ Makefile3 Nov 2015 11:14:12 - @@ -10,6 +10,8 @@ DISTNAME= miniupnpc-${MODPY_EGG_VERSION} PKGNAME-main= ${DISTNAME} PKGNAME-python= py-${DISTNAME} +REVISION-main= 0 + SHARED_LIBS += miniupnpc 2.0 WANTLIB-main += c Index: patches/patch-igd_desc_parse_c === RCS file: patches/patch-igd_desc_parse_c diff -N patches/patch-igd_desc_parse_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-igd_desc_parse_c 3 Nov 2015 11:14:12 - @@ -0,0 +1,23 @@ +$OpenBSD$ + +commit 79cca974a4c2ab1199786732a67ff6d898051b78 +Author: Thomas Bernard +Date: Tue Sep 15 15:32:33 2015 +0200 + +igd_desc_parse.c: fix buffer overflow + +http://talosintel.com/reports/TALOS-2015-0035/ + +--- igd_desc_parse.c.orig Mon Apr 11 11:19:37 2011 igd_desc_parse.c Tue Nov 3 12:08:09 2015 +@@ -15,7 +15,9 @@ + void IGDstartelt(void * d, const char * name, int l) + { + struct IGDdatas * datas = (struct IGDdatas *)d; +- memcpy( datas->cureltname, name, l); ++ if(l >= MINIUPNPC_URL_MAXSIZE) ++ l = MINIUPNPC_URL_MAXSIZE-1; ++ memcpy(datas->cureltname, name, l); + datas->cureltname[l] = '\0'; + datas->level++; + if( (l==7) && !memcmp(name, "service", l) ) {
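Review bot: The new clamp in IGDstartelt() bounds l only from above; l is a signed int, so a negative value passes the `l >= MINIUPNPC_URL_MAXSIZE` test and still reaches memcpy() and the `datas->cureltname[l] = '\0'` write. Consider rejecting `l < 0` as well, and confirm that cureltname is declared with MINIUPNPC_URL_MAXSIZE bytes, since the hunk does not show the struct.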
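Review bot: Only REVISION-main is added in the Makefile hunk, so the package name of py-${DISTNAME} does not change; if the -python subpackage compiles in igd_desc_parse.c rather than linking the shared libminiupnpc, it needs its own revision bump so that installed copies are replaced with the fixed code.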
Re: Vulnerable packages in ports tree 03/11
On Tue, Nov 03, 2015 at 01:06:00AM +, Sevan / Venture37 wrote:
> net/miniupnpc - http://talosintel.com/reports/TALOS-2015-0035/
> databases/postgresql - http://www.postgresql.org/about/news/1615/
>

I will commit the PostgreSQL update today.

Thanks,
Re: security update: postgresql 9.4.4 -> 9.4.5
On Tue, Nov 03, 2015 at 01:39:37AM -0600, Abel Abraham Camarillo Ojeda wrote: > Hi ports > > this updates postgres, deletes one patch > because now its applied upstream. > > http://www.postgresql.org/about/news/1615/ > > tested in amd64@ with: > > $ make test NO_TEST=No > > also tested dependents: > > databases/p5-DBD-Pg > databases/p5-Mojo-Pg > > with $ make test; > > any comments about removing NO_TEST=Yes > in databases/postgresql? tests didn't asked for any > user intervention nor any SYSV changes - in amd64@ > at least... > > > comments? > > thanks > > patch attached as I use gmail... Hi, I've already sent this update to ports ;) http://marc.info/?l=openbsd-ports&m=144431886218091&w=2 I will commit it later today (to -current and -stable). Regards, > Index: Makefile > === > RCS file: /cvs/ports/databases/postgresql/Makefile,v > retrieving revision 1.207 > diff -u -p -r1.207 Makefile > --- Makefile 3 Aug 2015 07:42:30 - 1.207 > +++ Makefile 3 Nov 2015 07:32:39 - > @@ -11,7 +11,7 @@ BROKEN-sparc= Requires v9|v9a|v9b; reque > # DO NOT FORGET to also change the @ask-update entry in pkg/PLIST-server > # in case a dump before / restore after pkg_add -u is required! > > -VERSION= 9.4.4 > +VERSION= 9.4.5 > DISTNAME=postgresql-${VERSION} > PKGNAME-main=postgresql-client-${VERSION} > PKGNAME-server= postgresql-server-${VERSION} > Index: distinfo > === > RCS file: /cvs/ports/databases/postgresql/distinfo,v > retrieving revision 1.57 > diff -u -p -r1.57 distinfo > --- distinfo 22 Jun 2015 07:29:42 - 1.57 > +++ distinfo 3 Nov 2015 07:32:39 - 
> @@ -1,2 +1,2 @@ > -SHA256 (postgresql-9.4.4.tar.gz) = > mm885nfV8UmQH8dsEZgokahGvLkogGnZGBHatqGBF2Y= > -SIZE (postgresql-9.4.4.tar.gz) = 23113477 > +SHA256 (postgresql-9.4.5.tar.gz) = > qh15GK54Kg/F4Yhv1GP8iQPl/8PrbTtRUABlrsmIohA= > +SIZE (postgresql-9.4.5.tar.gz) = 23211720 > Index: patches/patch-src_include_storage_barrier_h > === > RCS file: patches/patch-src_include_storage_barrier_h > diff -N patches/patch-src_include_storage_barrier_h > --- patches/patch-src_include_storage_barrier_h 16 Jan 2015 23:24:15 > - 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 - > @@ -1,15 +0,0 @@ > -$OpenBSD: patch-src_include_storage_barrier_h,v 1.1 2015/01/16 23:24:15 > landry Exp $ > - > -fix build on alpha > - > src/include/storage/barrier.h.orig Fri Jan 16 13:08:20 2015 > -+++ src/include/storage/barrier.hFri Jan 16 13:24:05 2015 > -@@ -117,7 +117,7 @@ extern slock_t dummy_spinlock; > - * read barrier to cover that case. We might need to add that later. > - */ > - #define pg_memory_barrier() __asm__ __volatile__ ("mb" : : : > "memory") > --#define pg_read_barrier() __asm__ __volatile__ ("rmb" : : : > "memory") > -+#define pg_read_barrier() __asm__ __volatile__ ("mb" : : : > "memory") > - #define pg_write_barrier() __asm__ __volatile__ ("wmb" : : : > "memory") > - #elif defined(__hppa) || defined(__hppa__) /* HP PA-RISC */ > - > Index: pkg/PLIST-docs > === > RCS file: /cvs/ports/databases/postgresql/pkg/PLIST-docs,v > retrieving revision 1.69 > diff -u -p -r1.69 PLIST-docs > --- pkg/PLIST-docs22 Jun 2015 07:29:42 - 1.69 > +++ pkg/PLIST-docs3 Nov 2015 07:32:39 - > @@ -485,6 +485,7 @@ share/doc/postgresql/html/monitoring-ps. > share/doc/postgresql/html/monitoring-stats.html > share/doc/postgresql/html/monitoring.html > share/doc/postgresql/html/multibyte.html > +share/doc/postgresql/html/mvcc-caveats.html > share/doc/postgresql/html/mvcc-intro.html > share/doc/postgresql/html/mvcc.html > share/doc/postgresql/html/nls-programmer.html 
> @@ -826,6 +827,7 @@ share/doc/postgresql/html/release-9-0-2. > share/doc/postgresql/html/release-9-0-20.html > share/doc/postgresql/html/release-9-0-21.html > share/doc/postgresql/html/release-9-0-22.html > +share/doc/postgresql/html/release-9-0-23.html > share/doc/postgresql/html/release-9-0-3.html > share/doc/postgresql/html/release-9-0-4.html > share/doc/postgresql/html/release-9-0-5.html > @@ -844,6 +846,7 @@ share/doc/postgresql/html/release-9-1-15 > share/doc/postgresql/html/release-9-1-16.html > share/doc/postgresql/html/release-9-1-17.html > share/doc/postgresql/html/release-9-1-18.html > +share/doc/postgresql/html/release-9-1-19.html > share/doc/postgresql/html/release-9-1-2.html > share/doc/postgresql/html/release-9-1-3.html > share/doc/postgresql/html/release-9-1-4.html > @@ -858,6 +861,7 @@ share/doc/postgresql/html/release-9-2-10 > share/doc/postgresql/html/release-9-2-11.html > share/doc/postgresql/html/release-9-2-12.html > share/doc/postgresql/html/release-9-2-13.html > +share/doc/
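Review bot: The deleted patches/patch-src_include_storage_barrier_h carried the alpha build fix (pg_read_barrier() using "mb" instead of "rmb"), while the submission reports testing on amd64 only; before dropping it, check that src/include/storage/barrier.h in 9.4.5 already contains that change, otherwise the alpha build breaks again.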
Re: Vulnerable packages in ports tree 03/11
On Tue, Nov 03, 2015 at 01:06:00AM +, Sevan / Venture37 wrote:
> net/miniupnpc - http://talosintel.com/reports/TALOS-2015-0035/
> databases/postgresql - http://www.postgresql.org/about/news/1615/
>

databases/mariadb: 10.0.22 fixes some CVE

Giovanni