Subject: CVS commit: [pkgsrc-2005Q1] pkgsrc/devel/cvs
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 04/22/2005 14:39:14
Module Name:	pkgsrc
Committed By:	salo
Date:		Fri Apr 22 14:39:14 UTC 2005

Modified Files:
	pkgsrc/devel/cvs [pkgsrc-2005Q1]: Makefile distinfo
	pkgsrc/devel/cvs/patches [pkgsrc-2005Q1]: patch-ab patch-ae patch-af
	    patch-ag patch-ai patch-al patch-ar patch-as patch-az

Log Message:
Pullup ticket 464 - requested by Thomas Klausner
security update for cvs

Revisions pulled up:
- pkgsrc/devel/cvs/Makefile		1.84
- pkgsrc/devel/cvs/distinfo		1.26
- pkgsrc/devel/cvs/patches/patch-ab	1.15
- pkgsrc/devel/cvs/patches/patch-ae	1.10
- pkgsrc/devel/cvs/patches/patch-af	1.12
- pkgsrc/devel/cvs/patches/patch-ag	1.6
- pkgsrc/devel/cvs/patches/patch-ai	1.9
- pkgsrc/devel/cvs/patches/patch-al	1.11
- pkgsrc/devel/cvs/patches/patch-ar	1.16
- pkgsrc/devel/cvs/patches/patch-as	1.8
- pkgsrc/devel/cvs/patches/patch-az	1.9

   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Tue Apr 19 12:39:18 UTC 2005

   Modified Files:
   	pkgsrc/devel/cvs: Makefile distinfo
   	pkgsrc/devel/cvs/patches: patch-ab patch-ae patch-af patch-ag
   	    patch-ai patch-al patch-ar patch-as patch-az

   Log Message:
   Update to 1.11.20.

   NOTE: currently without IPv6 support, until there is an updated KAME
         patch for it.

   Changes:

   Changes since 1.11.19:
   **********************

   SERVER SECURITY FIXES

   * Thanks to a report from Alen Zukich, several minor security issues
     have been addressed.  One was a buffer overflow that is potentially
     serious but which may not be exploitable, assigned CAN-2005-0753 by
     the Common Vulnerabilities and Exposures Project
     <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report
     include repair of an arbitrary free with no known exploit and several
     plugged memory leaks and potentially freed NULL pointers which may
     have been exploitable for a denial of service attack.

   * Thanks to a report from Craig Monson, minor potential
     vulnerabilities in the contributed Perl scripts have been fixed.
     The confirmed vulnerability could allow the execution of arbitrary
     code on the CVS server, but only if a user already had commit access
     and if one of the contrib scripts was installed improperly,
     a condition which should have been quickly visible to any
     administrator.  The complete description of the problem is here:
     <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If you were
     making use of any of the contributed trigger scripts on a CVS server,
     you should probably still replace them with the new versions, to be
     on the safe side.

     Unfortunately, our fix is incomplete.  Taint-checking has been
     enabled in all the contributed Perl scripts intended to be run as
     trigger scripts, but no attempt has been made to ensure that they
     still run in taint mode.  You will most likely have to tweak the
     scripts in some way to make them run.  Please send any patches you
     find necessary back to <bug-cvs@gnu.org> so that we may again ship
     fully enabled scripts in the future.

     You should also make sure that any home-grown Perl scripts that you
     might have installed as CVS triggers also have taint-checking enabled.
     This can be done by adding `-T' on the scripts' #! lines.  Please try
     running `perldoc perlsec' if you would like more information on
     general Perl security and taint-checking.

   BUG FIXES

   * Thanks to a report and a patch from Georg Schwarz,
     CVS now builds without error on IRIX 5.3.

   DEVELOPER ISSUES

   * We've standardized on Automake 1.9.5 to get at some new features
     that make our jobs easier.  See the HACKING file for more on using
     the autotools with CVS.

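The log message above tells administrators to turn on taint-checking (`-T`) for any Perl scripts installed as CVS trigger scripts. The following is an added illustration, not one of the contrib scripts shipped with CVS or part of this commit: a constructed commitinfo-style trigger that runs under `-T`, showing the three things such a script must do to work at all in taint mode (sanitize `%ENV`, untaint its arguments through a regex capture, and call external programs without a shell). The helper name `untaint_path` and the path `/usr/local/bin/log_commit` are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Constructed example of a CVS commitinfo trigger script running in taint mode.
# Not one of the contrib scripts from the CVS distribution.
use strict;
use warnings;

# Under -T, anything derived from the environment is tainted, and system()/exec
# refuse to run while $ENV{PATH} is tainted.  Replace it with a fixed, absolute
# value and drop the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# CVS passes the repository directory first, then the names of committed files.
my ($repo_dir, @files) = @ARGV;
die "usage: $0 repository-dir file...\n" unless defined $repo_dir;

# Untainting: Perl only considers a value clean when it is a regex capture.
# The accepted character set is deliberately narrow, and ".." components are
# rejected separately so the capture cannot be used to climb directories.
sub untaint_path {
    my ($value) = @_;
    my ($clean) = $value =~ m{\A([\w./-]+)\z};
    die "refusing argument with disallowed characters: '$value'\n"
        unless defined $clean;
    die "refusing '..' path component: '$value'\n"
        if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $clean;
}

my $clean_dir   = untaint_path($repo_dir);
my @clean_files = map { untaint_path($_) } @files;

# List-form system() hands the arguments straight to execve(); no shell parses
# them, so metacharacters in a filename stay literal.  The logger path is a
# hypothetical stand-in for whatever the site actually runs.
my $logger = '/usr/local/bin/log_commit';
if (-x $logger) {
    system($logger, $clean_dir, @clean_files) == 0
        or die "$logger failed (exit status $?)\n";
}

exit 0;
```

Because `-T` lives on the `#!` line, the script must be invoked directly (as CVS does) rather than via `perl script.pl`, or Perl aborts with "Too late for -T". A quick check that taint mode is doing its job is to run the script by hand with an argument such as `'foo;id'` and confirm it dies in `untaint_path` before any external program is started; if `$ENV{PATH}` were left untouched, the `system()` call itself would die with an "Insecure $ENV{PATH}" error, which is exactly the failure the log message warns the contrib scripts may now hit.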

To generate a diff of this commit:
cvs rdiff -r1.82 -r1.82.2.1 pkgsrc/devel/cvs/Makefile
cvs rdiff -r1.25 -r1.25.2.1 pkgsrc/devel/cvs/distinfo
cvs rdiff -r1.14 -r1.14.2.1 pkgsrc/devel/cvs/patches/patch-ab
cvs rdiff -r1.9 -r1.9.2.1 pkgsrc/devel/cvs/patches/patch-ae
cvs rdiff -r1.11 -r1.11.2.1 pkgsrc/devel/cvs/patches/patch-af
cvs rdiff -r1.5 -r1.5.2.1 pkgsrc/devel/cvs/patches/patch-ag
cvs rdiff -r1.8 -r1.8.2.1 pkgsrc/devel/cvs/patches/patch-ai \
    pkgsrc/devel/cvs/patches/patch-az
cvs rdiff -r1.10 -r1.10.2.1 pkgsrc/devel/cvs/patches/patch-al
cvs rdiff -r1.15 -r1.15.2.1 pkgsrc/devel/cvs/patches/patch-ar
cvs rdiff -r1.7 -r1.7.2.1 pkgsrc/devel/cvs/patches/patch-as

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.