Subject: CVS commit: pkgsrc/devel/cvs
To: None <pkgsrc-changes@NetBSD.org>
From: Thomas Klausner <wiz@netbsd.org>
List: pkgsrc-changes
Date: 04/19/2005 12:39:18
Module Name:	pkgsrc
Committed By:	wiz
Date:		Tue Apr 19 12:39:18 UTC 2005

Modified Files:
	pkgsrc/devel/cvs: Makefile distinfo
	pkgsrc/devel/cvs/patches: patch-ab patch-ae patch-af patch-ag patch-ai
	    patch-al patch-ar patch-as patch-az

Log Message:
Update to 1.11.20.

NOTE: currently without IPv6 support, until there is an updated KAME patch
for it.

Changes:

Changes since 1.11.19:
**********************

SERVER SECURITY FIXES

* Thanks to a report from Alen Zukich, several minor
  security issues have been addressed.  One was a buffer overflow that is
  potentially serious but which may not be exploitable, assigned CAN-2005-0753
  by the Common Vulnerabilities and Exposures Project
  <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report include
  repair of an arbitrary free with no known exploit and several plugged memory
  leaks and potentially freed NULL pointers which may have been exploitable for
  a denial of service attack.

* Thanks to a report from Craig Monson, minor
  potential vulnerabilities in the contributed Perl scripts have been fixed.
  The confirmed vulnerability could allow the execution of arbitrary code on
  the CVS server, but only if a user already had commit access and if one of
  the contrib scripts was installed improperly, a condition which should have
  been quickly visible to any administrator.  The complete description of the
  problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If
  you were making use of any of the contributed trigger scripts on a CVS
  server, you should probably still replace them with the new versions, to be
  on the safe side.

  Unfortunately, our fix is incomplete.  Taint-checking has been enabled in all
  the contributed Perl scripts intended to be run as trigger scripts, but no
  attempt has been made to ensure that they still run in taint mode.  You will
  most likely have to tweak the scripts in some way to make them run.  Please
  send any patches you find necessary back to <bug-cvs@gnu.org> so that we may
  again ship fully enabled scripts in the future.

  You should also make sure that any home-grown Perl scripts that you might
  have installed as CVS triggers also have taint-checking enabled.  This can be
  done by adding `-T' on the scripts' #! lines.  Please try running
  `perldoc perlsec' if you would like more information on general Perl security
  and taint-checking.

BUG FIXES

* Thanks to a report and a patch from Georg Schwarz,
  CVS now builds without error on IRIX 5.3.

DEVELOPER ISSUES

* We've standardized on Automake 1.9.5 to get at some new features that make
  our jobs easier.  See the HACKING file for more on using the autotools with
  CVS.


To generate a diff of this commit:
cvs rdiff -r1.83 -r1.84 pkgsrc/devel/cvs/Makefile
cvs rdiff -r1.25 -r1.26 pkgsrc/devel/cvs/distinfo
cvs rdiff -r1.14 -r1.15 pkgsrc/devel/cvs/patches/patch-ab
cvs rdiff -r1.9 -r1.10 pkgsrc/devel/cvs/patches/patch-ae
cvs rdiff -r1.11 -r1.12 pkgsrc/devel/cvs/patches/patch-af
cvs rdiff -r1.5 -r1.6 pkgsrc/devel/cvs/patches/patch-ag
cvs rdiff -r1.8 -r1.9 pkgsrc/devel/cvs/patches/patch-ai \
    pkgsrc/devel/cvs/patches/patch-az
cvs rdiff -r1.10 -r1.11 pkgsrc/devel/cvs/patches/patch-al
cvs rdiff -r1.15 -r1.16 pkgsrc/devel/cvs/patches/patch-ar
cvs rdiff -r1.7 -r1.8 pkgsrc/devel/cvs/patches/patch-as

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
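
A check for the advice above about home-grown Perl trigger scripts, as an added example that is not part of the original message or of CVS: it classifies each script's #! line as enforcing taint mode (`-T`), only warning (`-t`), or lacking it. The function names and sample #! lines are constructed for illustration, and the switch parsing is a simplification of what Perl itself does.

```python
import re

# Switches whose remaining characters are an argument (e.g. -I/opt/Tools),
# so a "T" appearing after them is not the taint switch.
ARG_SWITCHES = set("IMmeEiFxdDlCV0")
# Matches "#!/path/perl", "#!/path/perl5.8.6" and "#!/usr/bin/env perl".
PERL_RE = re.compile(r"^#!\s*(\S*/)?(env\s+)?perl[\d.]*(\s|$)")

def taint_status(first_line):
    """Classify a #! line: 'not-perl', 'missing', 'warn-only' or 'enforced'."""
    line = first_line.rstrip("\r\n")
    m = PERL_RE.match(line)
    if not m:
        return "not-perl"
    status = "missing"
    for token in line[m.end():].split():
        if token == "--" or not token.startswith("-"):
            break                      # end of switches
        for ch in token[1:]:
            if ch in ARG_SWITCHES:
                break                  # rest of the token is an argument
            if ch == "T":
                return "enforced"      # taint violations are fatal
            if ch == "t":
                status = "warn-only"   # -t only warns, it does not stop the script
    return status

def audit(paths):
    """Return {path: status} for Perl scripts that do not enforce taint mode."""
    findings = {}
    for path in paths:
        with open(path, "r", errors="replace") as fh:
            status = taint_status(fh.readline())
        if status in ("missing", "warn-only"):
            findings[path] = status
    return findings

if __name__ == "__main__":
    # Constructed sample #! lines, not taken from any real repository.
    samples = ["#!/usr/bin/perl -wT", "#!/usr/bin/perl -w",
               "#!/usr/bin/perl -wt", "#!/usr/bin/perl -I/opt/Tools/lib",
               "#!/usr/bin/env perl", "#!/bin/sh"]
    for s in samples:
        print(f"{taint_status(s):10} {s}")
```

Pass `audit()` the paths of the scripts referenced from the repository's trigger configuration; anything it returns still needs `-T` added to its #! line.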