* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
PR: 235523
Submitted by: pascal.christen@hostpoint.ch
MFH: 2019Q1
Security: 1340fcc1-2953-11e9-bc44-a4badb296695
Security: CVE-2019-3814

2019-01-31 mail/dovecot-pigeonhole04: End of Life upstream, use mail/dovecot-pigeonhole instead
2019-01-31 multimedia/pyjama: Unmaintained upstream
2019-01-31 devel/py-omniorb-3: Uses legacy version of omniORB, consider using devel/py-omniorb
2019-01-31 mail/dovecot22: End of Life upstream, use mail/dovecot instead
2019-01-31 devel/hs-uuagc-bootstrap: No release since 2011
2019-01-31 sysutils/hs-angel: No releases since 2016
2019-01-31 devel/hs-uuagc: No release since 2015
2019-01-31 ports-mgmt/hs-porte: No updates since 2010
2019-02-01 net/pdb: Depends on expired net/py-pcs
2019-02-01 irc/iroffer: Abandoned upstream
2019-02-03 sysutils/fusefs-wdfs: Abandonware, functionally incomplete, has problems with caching
2018-12-19 net/py-pcs: Broken for more than 6 months

mail-parser is not only a wrapper for the Python Standard Library email
module. It gives you an easy way to go from raw mail to a Python object that
you can use in your code. It's the key module of SpamScope.
mail-parser can parse Outlook email format (.msg) with msgconvert from
mail/p5-Email-Outlook-Message.
mail-parser takes as input a raw email and generates a parsed object. The
properties of this object have the same names as the RFC headers: bcc, cc,
date, delivered_to, from_ (not from, because it is a Python keyword),
message_id, received, reply_to, subject, to.
There are other properties to get: body, body html, body plain, headers,
attachments, sender IP address, to domains, timezone.
WWW: https://github.com/SpamScope/mail-parser

pkg-static: Unable to access file /wrkdirs/usr/ports/mail/qmail-ldap/work/stage/var/qmail/%%EXTERNAL_TODO%%bin/qmail-todo:No such file or directory
Reported by: pkg-fallout

* Bump the LLVM revision used for GNUstep to 7, the minimum to support
the new ABI.
* GNUstep-back does not work with lld, so mark it to use Gold (BFD LD
doesn't seem able to link Objective-C things).
* Turn off some annoying debug logs in GNUstep back, which generate
several messages per second when you move the mouse. These should
never have been enabled in a release build anyway.
* Downgrade Cenon to 4.0.2. This was the last version to actually work
with GNUstep (the later ones use XCode >= 5 .xib files, which GNUstep
can't parse).
* Update gorm to git head. The current release doesn't work with the
new Objective-C ABI, but -head has the patches to fix it.
* Update PikoPixel and add it to the gnustep-app meta-package.
* Update the three core GNUstep packages to the latest release.
* Update gnumail and pantomime to the latest release and fix a linking
error with the new ABI.
* Update GNUstep FTP to the latest version.
Reviewed by: bapt (previous version)

--enable-dtrace is only tested on macOS where dtrace -G isn't used.
Let's stop wasting time on dtrace -G issues as the support disappeared
since Firefox 61, anyway.

- Add license
- Fix config file location
- Reorder some things to pet portlint
- Mark it deprecated too as it appears to have no upstream anymore
and only works properly with unencrypted traffic
PR: 232134
Submitted by: freebsd_ports@k-worx.org
MFH: 2019Q1

- Add missing dependencies
- Remove unneeded patches
- Regenerate and rename legacy patches
- Add NLS option to ports providing such a knob, and missing the
option
- Add INSTALL_TARGET=install-strip where missing
- Sort things
- Remove unneeded +=
- Cosmetic changes to OPTION related variables to improve readability
- Update WWW
- Silence portlint warnings about variables order
- Bump PORTREVISION where changing dependencies and/or adding
install-strip

* Bring back SNI (server name indication) support for TLS connections,
lost in 6.3.26_10 (PORTREVISION=10) as a regression over _9.
Pointy hat: mandree@
* Drop the X11 option, remove the Python dependency, and create a new
mail/fetchmailconf slave port/package that installs the fetchmailconf
configurator. Note that the _DEPENDS of the ports reflects a technical
dependence (fetchmailconf needs fetchmail), and we cannot keep an
X11 option that depends on fetchmailconf, since that would create
a circular dependency, which we must avoid.
* Patch configure instead of configure.ac with Cy's Kerberos fix, drop
autoreconf from USES, and add a new configure check directly to set
HAVE_DECL_SSLV3_CLIENT_METHOD to cover the various TLS providers
(currently five, base, openssl, openssl111, libressl, libressl-devel)
* Add -Wl,--as-needed to LDFLAGS so as not to pull in unneeded .so
libraries, for instance, libcom_err when compiling under GSSAPI_NONE.
* Bump PORTREVISION.
Very fruitful and nice collaboration with and
Approved by: chalpin@cs.wisc.edu (maintainer)

ClamAV.xs:219:66: error: too few arguments to function call, expected 6, have 5
status = cl_scandesc(fd, &virname, &scanned, c->root, options);
Reported by: pkg-fallout

a symbol matches multiple clauses the last one takes precedence. If the
catch-all is last it captures everything. In the case of Qt5 libraries
this caused all symbols to have a Qt_5 label while some should have
Qt_5_PRIVATE_API. This only affects lld because GNU ld always gives the
catch-all lowest priority.
Older versions of Qt5Webengine exported some memory allocation symbols from
the bundled Chromium. Version 5.9 stopped exporting these [1] but the
symbols were kept as weak wrappers for the standard allocation functions to
maintain binary compatibility. [2][3] The problem is that the call to the
standard function in these weak wrappers is only resolved to the standard
function if there's a call to this standard function in other parts of
Qt5Webengine, because only then is there a non-weak symbol that takes
precedence over the weak one. If there's no such non-weak symbol the call
in the weak wrapper resolves to the weak wrapper itself creating an infinite
call loop that overflows the stack and causes a crash. Some of the
allocation functions are variants of C++ new and delete and it probably
depends on the compiler whether these variants are used in other parts of
Qt5Webengine.
Remove the weak wrappers (make them Linux specific). This isn't binary
compatible but we are already breaking that with the changes to the symbol
versions.
[1] 5c2cbfccf9
[2] 2ed5054e3a
[3] 009f5ebb4b
Bump all ports that depend on Qt5.
PR: 234070
Exp-run by: antoine
Approved by: kde (adridg)