headers
Takahiro Kambe | 1 Jul 2006 02:22
Picon

CVS commit: pkgsrc/www/geeklog


Module Name:	pkgsrc
Committed By:	taca
Date:		Sat Jul  1 00:22:38 UTC 2006

Modified Files:
	pkgsrc/www/geeklog: Makefile PLIST distinfo
Removed Files:
	pkgsrc/www/geeklog/patches: patch-ag

Log Message:
Update geeklog-1.4.0.4 (1.4.0sr3).

----------------------------------------------------------------------------

Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.

 o  Some of the files outside of the public_html directory were not protected
    against direct execution. If Geeklog was installed such that those files
    were accessible from a URL (which has always been strongly discouraged in
    the installation instructions) then those files could be used to load and
    execute malicious code from a remote server.

    More information: So-called Geeklog "exploit" posted

    In this release, we've added the missing execution prevention for all files
    outside of public_html. We would still, however, suggest that you fix your
    Geeklog install if the files outside of public_html are accessible from a
(Continue reading)

Permalink | Reply | 0 comments |
headers
Takahiro Kambe | 1 Jul 2006 02:23
Picon

CVS commit: pkgsrc/doc


Module Name:	pkgsrc
Committed By:	taca
Date:		Sat Jul  1 00:23:27 UTC 2006

Modified Files:
	pkgsrc/doc: CHANGES-2006

Log Message:
Note update of www/geeklog package to 1.4.0.4.

To generate a diff of this commit:
cvs rdiff -r1.600 -r1.601 pkgsrc/doc/CHANGES-2006

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Permalink | Reply | 0 comments |
headers
Alistair Crooks | 1 Jul 2006 08:24

Re: CVS commit: pkgsrc/doc/guide/files

On Fri, Jun 30, 2006 at 09:41:39AM +0000, Roland Illig wrote:
> 
> Module Name:	pkgsrc
> Committed By:	rillig
> Date:		Fri Jun 30 09:41:39 UTC 2006
> 
> Modified Files:
> 	pkgsrc/doc/guide/files: fixes.xml
> 
> Log Message:
> INTERACTIVE_STAGE should not be set to "fetch".

There is no reason that this should be the case.

The reason that you give in the text for this that if the distfile
already exists, then an interactive fetch would be attempted. 

However, this should never happen, since a fetch will not be actioned
if the distfile already exists.  This previous infrastructure did this
correctly - fetch short-circuiting - if this behaviour has been
changed recently, that is a regression.

Regards,
Alistair
Permalink | Reply | 3 comments |
headers
Roland Illig | 1 Jul 2006 11:12
Picon

CVS commit: pkgsrc/devel/cqual


Module Name:	pkgsrc
Committed By:	rillig
Date:		Sat Jul  1 09:12:53 UTC 2006

Modified Files:
	pkgsrc/devel/cqual: distinfo
	pkgsrc/devel/cqual/patches: patch-bb patch-bk

Log Message:
Fixed the gcc4 warning reported in PR 33883 and another similar one. One
of them was a real bug (missing initialization of a structure; luckily
not introduced by me), the other was a false positive.

To generate a diff of this commit:
cvs rdiff -r1.6 -r1.7 pkgsrc/devel/cqual/distinfo
cvs rdiff -r1.1 -r1.2 pkgsrc/devel/cqual/patches/patch-bb
cvs rdiff -r1.2 -r1.3 pkgsrc/devel/cqual/patches/patch-bk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Permalink | Reply | 0 comments |
headers
Roland Illig | 1 Jul 2006 11:24
Picon

Re: CVS commit: pkgsrc/doc/guide/files

Alistair Crooks wrote:
> On Fri, Jun 30, 2006 at 09:41:39AM +0000, Roland Illig wrote:
> 
>>Module Name:	pkgsrc
>>Committed By:	rillig
>>Date:		Fri Jun 30 09:41:39 UTC 2006
>>
>>Modified Files:
>>	pkgsrc/doc/guide/files: fixes.xml
>>
>>Log Message:
>>INTERACTIVE_STAGE should not be set to "fetch".
> 
> 
> There is no reason that this should be the case.
> 
> The reason that you give in the text for this that if the distfile
> already exists, then an interactive fetch would be attempted.

I hope you misinterpreted the text, since I didn't want to say that. If 
I've chosen any wrong wording, please tell me or just fix it. I thought 
it would be clear that <quote>fetching the distfiles is only needed 
once</quote>.

Roland
Permalink | Reply | 2 comments |
headers
Roland Illig | 1 Jul 2006 11:26
Picon

CVS commit: pkgsrc/doc/guide/files


Module Name:	pkgsrc
Committed By:	rillig
Date:		Sat Jul  1 09:26:41 UTC 2006

Modified Files:
	pkgsrc/doc/guide/files: fixes.xml

Log Message:
Added another rationale that "fetch" should not be in INTERACTIVE_STAGE.

To generate a diff of this commit:
cvs rdiff -r1.59 -r1.60 pkgsrc/doc/guide/files/fixes.xml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Permalink | Reply | 1 comment |
headers
Thomas Klausner | 1 Jul 2006 11:59
Picon

CVS commit: pkgsrc/devel/allegro


Module Name:	pkgsrc
Committed By:	wiz
Date:		Sat Jul  1 09:59:49 UTC 2006

Modified Files:
	pkgsrc/devel/allegro: distinfo
Added Files:
	pkgsrc/devel/allegro/patches: patch-ae

Log Message:
Add patch for gcc-4.1, provided by mrg <at> .

To generate a diff of this commit:
cvs rdiff -r1.10 -r1.11 pkgsrc/devel/allegro/distinfo
cvs rdiff -r0 -r1.3 pkgsrc/devel/allegro/patches/patch-ae

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Permalink | Reply | 0 comments |
headers
Dan McMahill | 1 Jul 2006 13:11
Picon

CVS commit: pkgsrc/mk/scripts


Module Name:	pkgsrc
Committed By:	dmcmahill
Date:		Sat Jul  1 11:11:21 UTC 2006

Added Files:
	pkgsrc/mk/scripts: binpkg-scan

Log Message:
Add a script that can be used to scan for NO_BIN_ON_FTP packages using
the cache files left by the README.html generation.  This is indended
to be used to monitor a ftp server, not for generating a file list for
uploading to a ftp server.

To generate a diff of this commit:
cvs rdiff -r0 -r1.1 pkgsrc/mk/scripts/binpkg-scan

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Permalink | Reply | 0 comments |
headers
Alistair Crooks | 1 Jul 2006 14:20

Re: CVS commit: pkgsrc/doc/guide/files

On Sat, Jul 01, 2006 at 11:24:39AM +0200, Roland Illig wrote:
> Alistair Crooks wrote:
> >On Fri, Jun 30, 2006 at 09:41:39AM +0000, Roland Illig wrote:
> >
> >>Module Name:	pkgsrc
> >>Committed By:	rillig
> >>Date:		Fri Jun 30 09:41:39 UTC 2006
> >>
> >>Modified Files:
> >>	pkgsrc/doc/guide/files: fixes.xml
> >>
> >>Log Message:
> >>INTERACTIVE_STAGE should not be set to "fetch".
> >
> >
> >There is no reason that this should be the case.
> >
> >The reason that you give in the text for this that if the distfile
> >already exists, then an interactive fetch would be attempted.
> 
> I hope you misinterpreted the text, since I didn't want to say that. If 
> I've chosen any wrong wording, please tell me or just fix it. I thought 
> it would be clear that <quote>fetching the distfiles is only needed 
> once</quote>.

The text you added (between revision 1.58 and 1.60) is:

+       <para>You should not use <varname>INTERACTIVE_STAGE</varname>
+       when fetching the distfiles needs to be done manually. See <xref
+       linkend="fixes.fetch"/> instead. The reason for this is that
(Continue reading)

Permalink | Reply | 1 comment |
headers
Alistair Crooks | 1 Jul 2006 14:21

Re: CVS commit: pkgsrc/doc/guide/files

On Sat, Jul 01, 2006 at 09:26:41AM +0000, Roland Illig wrote:
> 
> Module Name:	pkgsrc
> Committed By:	rillig
> Date:		Sat Jul  1 09:26:41 UTC 2006
> 
> Modified Files:
> 	pkgsrc/doc/guide/files: fixes.xml
> 
> Log Message:
> Added another rationale that "fetch" should not be in INTERACTIVE_STAGE.

Please refrain from trying to make policy by dictat - this is incorrect.

I'm disappointed that this is being done at the end of a pkgsrc freeze,
when modifications of anything should be kept to a minimum.

Alistair
Permalink | Reply | 0 comments |

Gmane