| Commit message | Author | Age | Files | Lines |
| |
(cherry picked from commit 350fc98d27ebe38c9d32c8eea52efeb9630544fd)
| |
PR: 268294
No macro with this name is checked by USES=cmake. The correct
one would be CMAKE_ON, but that one is not evaluated again after
bsd.port.pre.mk. Just directly add -DSKIP_CPU_FEATURES=1 to
CMAKE_ARGS to work around this shortcoming.
(cherry picked from commit e1e189c2117ca7337a6133cb45523c249b6a7cd3)
| |
(cherry picked from commit acc5bd7e34792790cbc8437f2a5ea739b6e1d3a3)
| |
Changes: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/fHvKAhUTnLs
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_85_RTM
Reported by: Repology
(cherry picked from commit 5a1b20f45e8f75e9c8a73cf0b4df62f0db0c1ab4)
| |
Register allocation exhaustion results within inline assembly when
WITH_DEBUG is specified. Therefore when WITH_DEBUG is used, disable
inline assembly.
PR: 268173
Reported by: bofh
(cherry picked from commit c35577ebc10af5ae8c509e4c73a44a06ac5b05d4)
| |
The suggested workaround will only work when autoreconf is not run.
The devel port still needs LLVM_DEFAULT while the non-devel port does
not.
PR: 267814
Fixes: 22a683a337ef
This partially reverts commit 22a683a337efe7169b61de8c9ec63e2c0d561891.
(cherry picked from commit 286254e283f60ef160b572c8d76db06ac2b87c1a)
| |
Remove an artifact from 22a683a337ef.
PR: 267814
Fixes: 22a683a337ef
(cherry picked from commit 67fc2c392f1efc669521939b5003e47786807a6c)
| |
In addition to garbage realm data, also handle garbage dbname, acl_file,
stash_file, and invalid bitmask garbage data.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit 8cafd5bc0d866a425eb883e00cef02df1ef31db4)
| |
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit 678bdaf21b9a05d99e0aceecd414782926e57ae4)
| |
Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.
And while at it only process the version string when bytes are returned.
PR: 267884
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit d831a2fe480fe02126bd5b9aba5569c5e69f1034)
| |
Adjust ./configure to set the correct CLANG_FORMAT value when
clang-format is not found (when none of the llvm ports are installed).
PR: 267814
Submitted by: Tatsuki Makino <tatsuki_makino@hotmail.com>
(cherry picked from commit 22a683a337efe7169b61de8c9ec63e2c0d561891)
| |
Though heimdal ./configure checks for a lockfile dependency, it does
not use it. Let's remove the dependency.
PR: 267814
Reported by: Tatsuki Makino <tatsuki_makino@hotmail.com>
(cherry picked from commit b40d9eda115f03cd7859314c3617386094ac88a9)
| |
(cherry picked from commit 49329591c8db5617241358ce6dc3ef3b6283986a)
| |
Remove libmicrohttpd support. If installed it will automatically detect
and build the necessary binaries to support a microhttpd KDC server.
It is felt that a KDC with httpd support is another vector of concern.
Fixes: 4e44a84dcc9a
(cherry picked from commit e87043c6c23184ab537a67e013a6a1f6d4501c3e)
| |
(cherry picked from commit 194b9524fa1531531edccb5b4473c6d8dc8cd502)
| |
This new heimdal port tracks the Heimdal development branch. The
last security advisory showed us we might want to track its development.
(cherry picked from commit 4e44a84dcc9abab445f7cd2dc37346338bfd9691)
| |
- Fix DNS resolution when no IPv6 address is configured on any
interface [1]
- Disable MTU changes to avoid frequent interface up/down [2]
[1] https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1510
[2] https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1677
Obtained from: https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1510
PR: 267178
(cherry picked from commit a2224f647693714ea938138649f4c5d24627ae3e)
| |
- This update includes a patch to fix upstream code that breaks UTF-8
identification and/or conversion.
- Fix WEBHOST option symlink.
PR: 268087
MFH: 2022Q4 (bug fixes)
(cherry picked from commit 8aa12b7bb4ba0282b310958b9897d95bc1c3e5db)
| |
https://github.com/zeek/zeek/releases/tag/v5.0.4
This release fixes the following potential DoS vulnerabilities:
- A specially-crafted series of HTTP 0.9 packets can cause Zeek
to spend large amounts of time processing the packets.
- A specially-crafted FTP packet can cause Zeek to spend large
amounts of time processing the command.
- A specially-crafted IPv6 packet can cause Zeek to overflow memory
and potentially crash.
This release fixes the following bugs:
- Fix a potential stall in Broker’s internal data pipeline.
Reported by: Tim Wojtulewicz
Security: ???
(cherry picked from commit a940eea46e391fb788b2663c20ccdf6a8554fe4f)
| |
A malicious OCSP responder could forge OCSP responses due to a failure
to validate that an embedded certificate was issued by the end-entity
issuing certificate authority.
Security: CVE-2022-43705
MFH: 2022Q4
(cherry picked from commit 5616c284b3db74c319aaf362204bd48877629f55)
| |
Security: e0f26ac5-6a17-11ed-93e7-901b0e9408dc
Security: CVE-2022-41925
(cherry picked from commit 0b66bab44f6bc4f0f6e8ca940fbf99df2d5317ef)
| |
Python is only needed in developer mode and only to regenerate already
provided files in lib/wind.
PR: 267814
Submitted by: jkim
Reported by: jkim
Fixes: a5523d807d01
(cherry picked from commit 68dcf2c91fa47302d8224fbebb7bec190cc0efe9)
| |
Three problems were discovered when building under poudriere or in
a clean jail.
1. Python is now a prerequisite.
2. liblockfile is now needed.
3. clang-format is needed for asn1_compile. Unfortunately the base llvm
does not install clang-format so we need to install $LLVM_DEFAULT to get
this file.
PR: 267814
Reported by: many
Fixes: 83f79ba0e0ca
(cherry picked from commit a5523d807d01b1ed31614f346db2b348d7046420)
| |
Upstream released new source archive of 0.105.1 again to fix the
problem introduced by previous update of source archive.
Reference: https://blog.clamav.net/2022/11/second-clamav-100-release-candidate-and.html
MFH: 2022Q4
(cherry picked from commit 30502135f297ff727b4992afbb76f0ca675c53ec)
| |
This upgrade fixes multiple security vulnerabilities.
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Reported by: so (philip)
Approved by: so (philip)
Security: Many, see above
Sponsored by: so (philip)
(cherry picked from commit 83f79ba0e0caa8abed52887a693b7ab8074a590e)
| |
Security: CVE-2022-42898
(cherry picked from commit eed9a797cd42e81b9e21dc6b51af826836e9cc79)
| |
Security: CVE-2022-42898
(cherry picked from commit abcf942f2ba44a1f333ce3daa2b8961202351a09)
| |
(cherry picked from commit 9d9929566c981bbb9e64a6ec0b067430dd041388)
| |
(cherry picked from commit 3cabb1a1f33a7485e5a256be70fb61ac3f946d6b)
| |
(cherry picked from commit 5ba52ce059ae6860de85c65cccdcddf90459e85c)
| |
krb5-118 was desupported by MIT when krb5-120 was released. CVE-2022-42898
now requires its accelerated removal from the tree. It is now
flagged IGNORE until its removal on Nov 30, 2022.
Security: CVE-2022-42898
(cherry picked from commit c49050564ffcf36e155344562f594e15b82a5194)
| |
Topic: Vulnerabilities in PAC parsing
CVE-2022-42898: integer overflow vulnerabilities in PAC parsing
SUMMARY
=======
Three integer overflow vulnerabilities have been discovered in the MIT
krb5 library function krb5_parse_pac().
IMPACT
======
An authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service. A privileged attacker may similarly be
able to cause a Kerberos or GSS application service to crash.
On a 32-bit platform, an authenticated attacker may be able to cause
heap corruption in a KDC or kadmind process, possibly leading to
remote code execution. A privileged attacker may similarly be able to
cause heap corruption in a Kerberos or GSS application service running
on a 32-bit platform.
An attacker with the privileges of a cross-realm KDC may be able to
extract secrets from a KDC process's memory by having them copied into
the PAC of a new ticket.
AFFECTED SOFTWARE
=================
Kerberos and GSS application services using krb5-1.8 or later are
affected. kadmind in krb5-1.8 or later is affected. The krb5-1.20
KDC is affected. The krb5-1.8 through krb5-1.19 KDC is affected when
using the Samba or FreeIPA KDB modules.
REFERENCES
==========
This announcement is posted at:
https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
https://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
https://web.mit.edu/kerberos/index.html
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898
Security: CVE-2022-42898
(cherry picked from commit de40003bfd697e98cdd342e253699e83e1040961)
| |
https://github.com/zeek/zeek/releases/tag/v5.0.3
This release fixes the following potential DoS vulnerabilities:
- Fix an issue where a specially-crafted FTP packet can cause Zeek
to spend large amounts of time attempting to search for valid
commands in the data stream.
- Fix a possible overflow in the Zeek dictionary code that may
lead to a memory leak.
- Fix an issue where a specially-crafted packet can cause Zeek to
spend large amounts of time reporting analyzer violations.
- Fix a possible assert and crash in the HTTP analyzer when receiving
a specially-crafted packet.
- Fix an issue where a specially-crafted HTTP or SMTP packet can
cause Zeek to spend a large amount of time attempting to search
for filenames within the packet data.
- Fix two separate possible crashes when converting processed IP
headers for logging via the raw_packet event handlers.
This release fixes the following bugs:
- Fix a possible crash with when statements where lambda captures
of local variables sometimes overflowed the frame counter.
- Reduced the amount of analyzer_confirmation events that are
raised for packets that contain tunnels.
- Fix a long-standing bug where TCP reassembly would not function
correctly for some analyzers if dpd_reassemble_first_packets was
set to false.
- Fix a performance bug in the Zeek dictionary code in certain
cases, such as copying a large number of entries from one
dictionary into another.
- Fix a performance issue when inserting large numbers of elements
into a Broker store when Broker::scheduler_policy is set to
stealing.
- Fix a Broker performance issue when distributing large amounts
of data from the input framework to proxies/workers at startup.
- Fix an issue with messaging between proxies and workers that
resulted in error messages being reported.
- Updated the list of DNS type strings to reflect the correct.
Reported by: Tim Wojtulewicz
Security: 60d4d31a-a573-41bd-8c1e-5af7513c1ee9
(cherry picked from commit f7beb19cdf537aacb741f1f19fccff683954371b)
| |
This release includes fixes to minor bugs, including a fix for
CVE-2022-43995, a non-exploitable potential out-of-bounds write on
systems that do not use PAM, AIX authentication or BSD authentication.
PR: 267617
Approved by: garga (Maintainer)
Security: CVE-2022-43995
(cherry picked from commit 271b349b390a6036d501ed3d27c0189ff3d43e47)
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 8885a02766c06861e00d35aa819fa517321160be)
| |
At least libreoffice users cannot use some suite components due to
package built against latest patched ABI while pkg kept a previous
package on client side.
PR: 266262, 266920
With hat: ports-secteam
(cherry picked from commit efe501e4d54986b53bfc8bcb7d8dcb9bb027a921)
| |
Approved by: hrs (maintainer, timeout), tcberner (mentor)
Differential Revision: https://reviews.freebsd.org/D37051
(cherry picked from commit 61d86b17dc17566372dc8666f23dddc18679c3b1)
| |
This imports an upstream patch from dependency
github.com/go-piv/piv-go to address a missing cast.
See also: https://github.com/go-piv/piv-go/commit/1902689552e974ba88750e3ab71902d253172ead
PR: 267197
Approved by: maintainer timeout, >2 weeks
MFH: 2022Q4
(cherry picked from commit 302d7c2ddde491d2ab6bc7e25dad42d46509007f)
| |
Upstream released new source archive of 0.105.1 to address critical
bugs in bundled libraries.
Reference: https://lists.clamav.net/pipermail/clamav-announce/2022/000067.html
MFH: 2022Q4
(cherry picked from commit 2db375ffbc2fe8ad146e0d9f49a501031b8f256d)
| |
PR: 267431
(cherry picked from commit 6f9ecc04ad359bf3cc9c6cf46caecb984f070799)
| |
(cherry picked from commit 427a15a973365496da3b18eb3794848e8b39ba0c)
| |
Avoid the message:
"plugin 'gcm': failed to load - gcm_plugin_create not found and no
plugin file available"
According to strongSwan's 5.9.8 release notes[1]:
The gcm plugin has been enabled by default, so that the TLS 1.3 unit
tests (now indirectly enabled if the pki tool is built due to the
implementation of EST) can be completed successfully with just the
default plugins.
Let's also enable it by default.
[1]: https://github.com/strongswan/strongswan/releases/tag/5.9.8
PR: 267352
(cherry picked from commit a0103c803b137d9cd95310bbfd315103d8e046b2)
| |
(cherry picked from commit eac29b0409dea240d3810f2fdfa19aa2a5f30f3f)
| |
Add a rc.conf variable to support passing extra arguments to tailscale
up.
Thanks to Gregory for advising on the implementation.
Reported by: Gregory Shapiro <gshapiro at gshapiro dot net>
(cherry picked from commit 1e38c92fd199d83be41d4a15b894a45e552cf1be)
| |
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.8
Fixes CVE-2022-40617.
PR: 267037
Reported by: franco@opnsense.org
Approved by: strongswan@Nanoteq.com (maintainer, implicit)
MFH: 2022Q4 (security update)
Security: CVE-2022-40617 DoS attack vulnerability
(cherry picked from commit a28166f3b1e22d446f76d5f71f27f082b0e7e19f)
| |
- add case for armv7 to configure script
- adapt aarch64 case to arm64
https://github.com/openca/libpki/issues/57
- while we are at it, hook up test suite
- bump PORTREVISION
PR: 266955
MFH: 2022Q4
(cherry picked from commit e5a5d9c7275237e116c0a5bf7a7c8436c0db061b)
| |
- add missing type casts for sizeof(time_t) > sizeof(long)
- neuter -Werror as per policy
- while we are at it, pet portlint
Approved by: maintainer timeout (acm)
Submitted by: Robert Clausecker
PR: 266725
MFH: 2022Q4
(cherry picked from commit a774bfbbb08cf1c3529696f9ddc205ca460a6743)
| |
Changes: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_84_RTM
Reported by: Repology
(cherry picked from commit c88472edb3dff4e62fe2300e19fd9005fa8ef80d)
| |
(cherry picked from commit 11d4d9bcd4c002f9f27dabd7d392552f40480cc9)
| |
Cherry-pick a test patch from upstream maintainer:
- this uses fallback code for compilers not providing vaddq_p128
(f.i. clang-10 on FreeBSD 12.3 AMD64/aarch64)
- and uses vaddq_p128 on systems that provide it, for instance,
FreeBSD 13-STABLE AMD64/aarch64 with clang 14.0.5
Obtained from: Simon Tatham
MFH: 2022Q4
(cherry picked from commit 1632d93d92d9ba58401834a571ba89860963a171)