Ports that build out of source now simply can use "USES=cmake"
instead of "USES=cmake:outsource". Ports that fail to build
out of source now need to specify "USES=cmake:insource".
I tried to only set insource where explicitly needed.
PR: 232038
Exp-run by: antoine
- Update the embedded SQLite library from 3.18.0 to 3.26.0 to
address a remote code execution vulnerability ("Magellan").
- Uses a bundled version of the actor-framework (caf) library so
we can remove the port-local build for caf.
Replace broctl-config.sh absolute symlink with a relative one.
Approved by: ler (mentor, implicit)
MFH: 2018Q4
Security: b80f039d-579e-4b82-95ad-b534a709f220
defined via Mk/bsd.default-versions.mk which has moved from GCC 7.4 to
GCC 8.2 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, as a double check, everything INDEX-11 showed depending on lang/gcc7.
PR: 231590
in the base. Unbreak build by statically linking against
security/openssl. This is a stopgap until Bro 2.6 which supports
openssl 1.1 is released. It is currently in beta and due in a
few weeks.
Add missing NETMAP_DESC while we're here.
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D17602
- Fix array bounds checking in BinPAC: for arrays that are
fields within a record, the bounds check was based on a pointer
to the start of the record rather than the start of the array
field, potentially resulting in a buffer over-read.
- Fix SMTP command string comparisons: the number of bytes
compared was based on the user-supplied string length and can
lead to incorrect matches. e.g. giving a command of "X"
incorrectly matched "X-ANONYMOUSTLS" (and an empty command
matches anything).
- "Weird" events are now generally suppressed/sampled by default
according to some tunable parameters.
- Improved handling of empty lines in several text protocol
analyzers that can cause performance issues when seen in long
sequences.
- Add `smtp_excessive_pending_cmds' weird which serves as a
notification for when the "pending command" queue has reached
an upper limit and been cleared to prevent one from attempting
to slowly exhaust memory.
Approved by: ler (mentor, implicit)
MFH: 2018Q3
Security: d0be41fe-2a20-4633-b057-4e8b25c41780
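The SMTP command comparison flaw described in the commit message above, as an added example that is not code from Bro or from the port: the command table and the function names are constructed for illustration. The flawed matcher compares only as many bytes as the peer sent; the strict one requires equal lengths first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed command table for illustration; not Bro's own list. */
static const char *const known_cmds[] = { "EHLO", "STARTTLS", "X-ANONYMOUSTLS" };
#define N_CMDS (sizeof known_cmds / sizeof known_cmds[0])

/* Flawed pattern: the peer-supplied length decides how many bytes are
 * compared, so any prefix of a command (including the empty string)
 * matches. Returns the table index, or -1 when nothing matches. */
int match_cmd_flawed(const char *in, size_t in_len)
{
    for (size_t i = 0; i < N_CMDS; i++)
        if (strncasecmp(in, known_cmds[i], in_len) == 0)
            return (int)i;
    return -1;
}

/* Corrected pattern: lengths must be equal before any bytes are compared. */
int match_cmd_strict(const char *in, size_t in_len)
{
    for (size_t i = 0; i < N_CMDS; i++) {
        size_t want = strlen(known_cmds[i]);
        if (in_len == want && strncasecmp(in, known_cmds[i], want) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: a one-byte command, an empty one, a full one. */
    const char *inputs[] = { "X", "", "x-anonymoustls" };
    for (size_t i = 0; i < 3; i++) {
        size_t n = strlen(inputs[i]);
        printf("\"%s\": flawed=%d strict=%d\n", inputs[i],
               match_cmd_flawed(inputs[i], n), match_cmd_strict(inputs[i], n));
    }
    return 0;
}
```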
in the ports tree (via Mk/bsd.default-versions.mk and lang/gcc) which
has now moved from GCC 6 to GCC 7 by default.
This includes ports
- featuring USE_GCC=yes or USE_GCC=any,
- featuring USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and those
- with USES=compiler specifying one of openmp, nestedfct, c11, c++0x,
c++11-lib, c++11-lang, c++14-lang, c++17-lang, or gcc-c++11-lib.
PR: 222542
- Multiple fixes and improvements to BinPAC generated code
related to array parsing, with potential impact to all Bro's
BinPAC-generated analyzers in the form of buffer over-reads
or other invalid memory accesses depending on whether a
particular analyzer incorrectly assumed that the
evaluated-array-length expression is actually the number of
elements that were parsed out from the input.
- The NCP analyzer (not enabled by default and also updated
to actually work with newer Bro APIs in the release) performed
a memory allocation based directly on a field in the input
packet and using signed integer storage. This could result
in a signed integer overflow and memory allocations of
negative or very large size, leading to a crash or memory
exhaustion. The new NCP::max_frame_size tuning option now
limits the maximum amount of memory that can be allocated.
Other fixes:
- A memory leak in the SMBv1 analyzer.
- The MySQL analyzer was generally not working as intended,
for example, it now is able to parse responses that contain
multiple results/rows.
Add gettext-runtime to USES to address a poudriere testport
warning.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
MFH: 2018Q2
Security: 2f4fd3aa-32f8-4116-92f2-68f05398348e
Differential Revision: https://reviews.freebsd.org/D15678
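The allocation pattern described for the NCP analyzer in the commit message above, as an added example that is not Bro's code: the 4-byte big-endian length field, the sample bytes, the function names and the MAX_FRAME_SIZE value are assumptions, with MAX_FRAME_SIZE standing in for the NCP::max_frame_size option. It shows a wire length held in signed storage reaching the allocator, next to a bounded unsigned check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap, standing in for the NCP::max_frame_size tunable. */
#define MAX_FRAME_SIZE 65536u

/* Constructed 4-byte big-endian length fields (not real NCP captures). */
static const uint8_t sample_ok[4]      = { 0x00, 0x00, 0x01, 0x00 }; /* 256 */
static const uint8_t sample_hostile[4] = { 0xFF, 0xFF, 0xFF, 0xF0 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed pattern: the wire value lands in signed storage and is passed on
 * unchecked. Returns the size the allocator would be asked for. */
size_t flawed_alloc_request(const uint8_t *hdr)
{
    int32_t len = (int32_t)be32(hdr);  /* 0x80000000 and above turn negative */
    return (size_t)len;                /* negative converts to a huge size */
}

/* Hardened pattern: keep the length unsigned and bound it before use.
 * Returns the frame length, or -1 when the header is short or out of range. */
long checked_frame_len(const uint8_t *hdr, size_t avail)
{
    if (avail < 4)
        return -1;
    uint32_t len = be32(hdr);
    if (len == 0 || len > MAX_FRAME_SIZE)
        return -1;
    return (long)len;
}

/* Allocates only after the check passes; the caller frees the buffer. */
uint8_t *alloc_frame(const uint8_t *hdr, size_t avail)
{
    long len = checked_frame_len(hdr, avail);
    return len < 0 ? NULL : malloc((size_t)len);
}

int main(void)
{
    printf("flawed request: %zu bytes\n", flawed_alloc_request(sample_hostile));
    printf("checked: hostile=%ld ok=%ld\n",
           checked_frame_len(sample_hostile, 4), checked_frame_len(sample_ok, 4));
    return 0;
}
```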
(via Mk/bsd.default-versions.mk and lang/gcc) which has moved from
GCC 5.4 to GCC 6.4 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++11-lang,
c++14-lang, c++0x, c11, or gcc-c++11-lib.
PR: 219275
lang/gcc which have moved from GCC 4.9.4 to GCC 5.4 (at least under some
circumstances such as versions of FreeBSD or platforms).
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn has USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++14-lang,
c++11-lang, c++0x, c11, or gcc-c++11-lib.
PR: 216707
The "build with Ports SSL" option is no longer valid. The SSL library is
selected through the SSL_DEFAULT value. While removing the PORTS_SSL
option, modernize the entire set of options under the general
infrastructure blanket. The SSL work, including the support for LibreSSL
was done under the SSL blanket.
WITH_OPENSSL_* can't be set after bsd.port.pre.mk.
Fold all other usage into using SSL_DEFAULT == foo
PR: 210149
Submitted by: mat
Exp-run by: antoine
Sponsored by: The FreeBSD Foundation, Absolight
Differential Revision: https://reviews.freebsd.org/D6577
This updates bro and broccoli from 2.3 and 2.3.2, which is a security
update.
Changes to the bro port:
- Rework openssl option logic
- Remove obsolete
- pkgng related changes
Changes to the broccoli port:
- Remove unused DOCS option
- Enable PYTHON by default
- pkgng related changes
- Minor portlint changes
Changes in 2.3.2:
- DNP3: fix reachable assertion and buffer over-read/overflow.
CVE number pending. (Travis Emmert, Jon Siwek)
- Update binpac: Fix potential out-of-bounds memory reads in
generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
- Yahoo Paranoids, Jon Siwek)
- BIT-1234: Fix build on systems that already have ntohll/htonll.
(Jon Siwek)
- BIT-1291: Delete prebuilt python bytecode files from git. (Jon Siwek)
- Adding call to new binpac::init() function. (Robin Sommer)
Changes in 2.3.1:
- Fix a reference counting bug in ListVal ctor. (Jon Siwek)
- Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)
- Change EDNS parsing code to use rdlength more cautiously. (Jon Siwek)
- Fix null pointer dereference in OCSP verification code in
case no certificate is sent as part of the ocsp reply. Addresses
BIT-1212. (Johanna Amann)
- Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)
- Make links in documentation templates protocol relative. (Johanna Amann)
PR: 197107
Submitted by: Craig Leres <leres@ee.lbl.gov> (maintainer)
Reviewed by: koobs
Merge back bsd.pkgng.mk into bsd.port.mk
Add a note about @stopdaemon not being supported anymore
With hat: portmgr
Differential Revision: https://reviews.freebsd.org/D693
- Fix build on FreeBSD 8: depend on libmagic ABI version from ports
- While here, use new LIB_DEPENDS syntax
PR: ports/184194
PR: ports/184381
Submitted by: Craig Leres (maintainer)
Reported by: Mark Martinec and pkg-fallout