dns/dnsmasq: security update to 2.83
CHANGELOG of version 2.83:
Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
CVE-2020-25687.
Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.
Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficent but in practise
not a problem, _except_ that is means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
succesful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.
Security: 5b5cf6e5-5b51-11eb-95ac-7f9491278677
Security: CVE-2020-25684
Security: CVE-2020-25685
Security: CVE-2020-25686
Security: CVE-2020-25681
Security: CVE-2020-25682
Security: CVE-2020-25683
Security: CVE-2020-25687
- Fix name of PAM policy file, so that it is actually used
- While here, install PAM policy file using @sample directive, so it
is managed as a condfiguration file
PR: 252837
Submitted by: genneko217@gmail.com
games/pinball: fix build on GCC architectures
Pinball.cpp:733: error: expected `(' before '{' token
Pinball.cpp: At global scope:
Pinball.cpp:733: error: mixing declarations and function-definitions is forbidden
Pinball.cpp:733: error: a function-definition is not allowed here before '{' token
Pinball.cpp:733: error: expected unqualified-id before ',' token
Pinball.cpp:733: error: a function-definition is not allowed here before '{' token
Pinball.cpp:733: error: expected unqualified-id before ',' token
Pinball.cpp:733: error: a function-definition is not allowed here before '{' token
Pinball.cpp:734: error: expected unqualified-id before '{' token
audio/kid3*: Switch to the smaller tar.xz distfile from the KDE mirrors.
There is no change in the content between this and the tar.gz distfile from
Sourceforge, so no need to rebuild.
Update WWW which was redirecting.
math/cppad: fix build on GCC architectures
The c++ complier flag __cplusplus is less than 201103. Starting with
cppad-20201202, c++11 or higher is required.
multimedia/kodi-addon-pvr-iptvsimple: fix build on GCC architectures
CMake Error in CMakeLists.txt:
Target "pvr.iptvsimple" requires the language dialect "CXX14" , but CMake
does not know the compile flags to use to enable it.
graphics/pdfpc: fix build on GCC architectures
In file included from /usr/local/include/webkitgtk-4.0/jsc/jsc.h:25,
from /usr/local/include/webkitgtk-4.0/webkit2/WebKitJavascriptResult.h:28,
from /usr/local/include/webkitgtk-4.0/webkit2/webkit2.h:57,
from src/classes/view/markdown.c:4:
/usr/local/include/webkitgtk-4.0/jsc/JSCClass.h:37: error: redefinition of typedef 'JSCClass'
/usr/local/include/webkitgtk-4.0/jsc/JSCValue.h:43: error: previous declaration of 'JSCClass' was here
/usr/local/include/webkitgtk-4.0/jsc/JSCClass.h:40: error: redefinition of typedef 'JSCContext'
/usr/local/include/webkitgtk-4.0/jsc/JSCValue.h:44: error: previous declaration of 'JSCContext' was here
