signature definitions). This allows the definitions to be updated
separately as and when required.
PR: ports/62917, 62918
Submitted by: Tim Bishop <tim@bishnet.net> (maintainer)
- new command line tool
- new man page
- reworked database update code, incorporating feedback from
Max Khon <fjoe>, Radim Kolar <hsn@netmag.cz> (PR 63066) and
Ion-Mihai Tetcu <itetcu@apropo.ro> (PR 62655)
http://people.freebsd.org/~fenner/portsurvey/security.html#pidentd
pidentd
cvs tree / pkg-descr
File: pidentd-2.8.5.tar.gz has 2 possible URLs: 1 OK, 1 bad, 0 skipped
Port maintainer: dinoex@FreeBSD.org
ftp://ftp.lysator.liu.se/pub/ident/servers/pidentd-2.8.5.tar.gz: looking for file 550 pidentd-2.8.5.tar.gz: No such file or directory. (Last OK result Thu Apr 4 9:05:23 2002 )
ftp://ftp.fu-berlin.de/unix/security/ident/servers/pidentd-2.8.5.tar.gz: ok
File: pidentd-2.8.5-ipv6-1.5.diff.gz has 1 possible URL: OK!
Summary 2 files fetchable out of 2
Master Site # files fetchable
ftp.fu-berlin.de 1
www.imasy.or.jp 1
ftp.lysator.liu.se 0
$ ftp ftp://ftp.lysator.liu.se/pub/ident/servers/
Connected to ftp.lysator.liu.se.
220 Peter's Anonymous FTP server (pftpd 0.41 at Apr 29 2002 22:37:28) ready.
331 Guest login ok; use your e-mail address as password.
230 Login OK.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 Command successful.
250-This directory is the main distribution point for the pidentd IDENT
250-(RFC1413) protocol server and it originates from the site:
250-
250- ftp://ftp.lysator.liu.se/pub/ident/servers/
250-
250-Please report problems with the files in this directory to:
250-
250- Peter Eriksson <pen@lysator.liu.se>
250 Command successful.
ftp> ls
150 Opening ASCII mode data connection for file listing.
[...]
-rw-r--r-- 1 pen local 121835 Nov 26 1998 pidentd-2.8.5.tar.gz
-rw-r--r-- 1 pen local 366 Nov 26 1998 pidentd-2.8.5.tar.gz.sig
[...]
226 Transfer complete.
$ ftp ftp://ftp.fu-berlin.de/unix/security/ident/servers/
Connected to ftp.fu-berlin.de.
220 FTP.FU-Berlin.DE ready.
331 Anonymous login ok, send anything as password.
[...]
230-
Welcome at Freie Universität Berlin, Germany.
Willkommen auf dem FTP-Server der Freien Universität Berlin.
Ein Service der Zentraleinrichtung für Datenverarbeitung (ZEDAT).
230 FTP.FU-Berlin.DE login ok.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I
250 CWD command successful.
250 CWD command successful.
ftp> ls
150 Opening ASCII mode data connection for file list
[...]
-rw-r--r-- 1 ZEDAT FU-Berlin 121835 Nov 25 1998 pidentd-2.8.5.tar.gz
-rw-r--r-- 1 ZEDAT FU-Berlin 366 Nov 25 1998 pidentd-2.8.5.tar.gz.sig
[...]
226 Transfer complete.
$ fetch http://www.imasy.or.jp/~ume/ipv6/pidentd-2.8.5-ipv6-1.5.diff.gz
Receiving pidentd-2.8.5-ipv6-1.5.diff.gz (9635 bytes): 100%
9635 bytes transferred in 5.5 seconds (1.71 kBps)
(6.23.0.1 -> 6.24.0.2), current virus definition file (6.23.0.1 -> 6.24.0.6)
and an updated antivir.conf adding the new option "UpdaterKeepsBackups"
for the current AV engine.
If you are using the auto-update facility you should already have the
updated AV engine binary and VDF.
- Install the original AV engine binary and the VDF from the tarball with
suffix "-dist_avfbmlt" instead of "-dist" so ${PREFIX}/AntiVir/antivir
can be shared between different H+BEDV AntiVir products without conflicts.
- Add another instance to MASTER_SITES.
Submitted by: marius
two databases cause more confusion than it is worth.
portaudit uses ports/security/vuxml/vuln.xml in the meantime,
please commit your changes there and send feedback which format
you prefer.
Currently we have to migrate gnats, mailman, monkey and some
apache versions.
PR: 63022
Submitted by: rob@debank.tv
- Use fixStaleSocket by default
- Add clamav user to mail group (for exim users)
- clean up DOCSDIR variable
PR: 63022
Submitted by: rob@debank.tv
Suggested by: eik
and/or fails to build; and/or the maintainer has recommended
that the ports are obsolete and should be deleted.
In each of these cases, the port has been in trouble for quite some time.
The deprecation date is set for April 09, 2004, except for a very few
ports that are in really bad shape (or the maintainer has recommended
deletion), in which case they are set for March 09, 2004.
If anyone wants to keep these ports in the ports collection, now is
the time to step up and fix them.
PR: ports/62575
No objection: freebsd-ports, 10 days
These protocols are all used to run a remote session on a computer,
over a network. PuTTY implements the client end of that session:
the end at which the session is displayed, rather than the end
at which it runs.
WWW: http://www.chiark.greenend.org.uk/~sgtatham/putty/
- The install doesn't delete the database anymore
- Don't remove the database on deinstall
- Use OPTIONS target
- handle all config install via the port
You have to run freshclam manually once after upgrade to restore the database.
PR: 62653
Submitted by: rob@debank.tv
- Fix deinstall when no database was installed.
Submitted by: dinoex
C++ comments removed from chkproc.c. New rootkits detected: AjaKit
and zaRwT. New CGI backdoors detected. ifpromisc.c: better detection
of promisc mode on newer Linux kernels. New command line option
(-n) to skip NFS mounted dirs. Minor bug corrections.
PR: ports/62577
Submitted by: Luiz E. R. Cordeiro <cordeiro@nic.br> (maintainer)
- fix a trivially remote exploitable DOS vulnerability
<http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/62586>
<http://www.securityfocus.com/archive/1/353186>
while I'm here, fix stale socket removal. Perhaps enabling
FixStaleSocket in clamav.conf would be a better idea, but
I don't want to overuse this security related commit.
PR: 62586, 62601
Submitted by: eik, Vivek Khera <vivek@khera.org>
Reviewed by: bugtraq mailing list
Approved by: security-officer
new option SetBindAddress (--bind-address=...) to force
interface for outgoing connections on multi-interface box
use persistent connection to database by default
PR: ports/62290
Submitted by: David Thiel <lx@redundancy.redundancy.org>
Important changes:
==================
- Kmail and knode have been moved from kdenetwork to kdepim. This
means you will have to install kdepim if you want to continue using
kmail or knode. This is to ease integration with korganizer, in
the new 'Kontact' application.
- The arabic translations for KDE and KOffice have been moved from
misc to the arabic category.
- There is a new module called kdeaccessibility in the accessibility
category. It contains a few utilities for disabled users like a
magnification lens and a text-to-speech frontend.
- In KDM, you need to select the 'CUSTOM' session profile in order
to have your .xsession executed. This is particularly important if
you're using the aegypten tools
(http://freebsd.kde.org/howtos/aegypten-kmail.php).
- We have started making more parts of the ports optional. In kdepim,
both Kandy and KPilot can be turned off with ports-knobs. This
process will continue in the 3.2 series.
updated periodically. Loosely based on the script in the PR.
2. Reorder some operations in the various Makefile targets.
3. Bump PORTREVISION.
PR: 61966 [1]
Submitted by: Douglas K. Rand <rand@meridian-enviro.com>
Get default config files from BUILD_WRKSRC to fix upgrade when config files are untouched
Really use the POST-INSTALL target
PR: 62112
Submitted by: rob@debank.tv
in rc.conf.
Bumped PORTREVISION as this fix may be important for a user.
Mail is on its way to the maintainer but because of the actual virus
situation I do not wait for maintainer approval and commit the fix
right now (the submitter also submitted the startup-script for a previous
commit, so this is mainly a bugfix for a previously approved commit).
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Version 1.1.91 is incompatible with 1.1.12.
The -devel is required by the upcoming GnuTLS version and the new vpnc version.
The Stable version is still required by the Aegypten plugins.
Approved by: portmgr(marcus)
Repocopied by: joe
This is a package to test FreeBSD port auditing systems, e.g. portaudit
and the upcoming VuXML based system. Even though it installs no files,
it is listed in the portaudit database as vulnerable.
Kind of a EICAR-STANDARD-ANTIVIRUS-TEST-FILE
of FreeBSD ports and tools to check if installed ports are listed.
Since this is a prerelease version, it is mostly usable for
committers that want to contribute to the project, and can currently
not be relied upon as an extensive security auditing tool.
Improve Kerberos support in ssh2:
- Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized
ssh2 automatically is built when MIT Kerberos is installed, unless the
WITHOUT_KERBEROS knob is defined.
- Check for a library unique to MIT Kerberos to make sure it's not Heimdal
that KRB5_HOME accidentally points to.
- Add dependency on security/krb5 when built with Kerberos support.
- When compiled with Kerberos support also turn it on by default in client
and server config files and set "PermitRootLogin" to "nopwd" to only allow
those with root tickets declared in "~root/.k5login" to login as root. [1]
Ssh2 now should work out of the box in an environment using MIT Kerberos.
Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*)
Tested by: Peter Losher <Peter_Losher@isc.org>
---snip---
Submitted by: maintainer
Strange commit log formatting to prevent
ambiguous "Submitted by" lines by: committer
rabbi@abditum.com (Len Sassaman) wrote:
I'm interested in taking over the maintainer role for PGP 6.5.8. Ian
Goldberg and I wrote some patches a while ago which correct the known
problems in it. It still has its uses, particularly with older scripts,
and the internal crypto is more easily auditable than GnuPG. I believe it
should be still accessible through the ports tree.
* Add ghostscript knobs [1]
* Add per-port persistent build options with a menu-driven front-end [2]
* Allow porters to override the message generated when do-configure fails [3]
* Add patch to obviate many pkg-plist files [4]
* Fix the PKG_DBDIR comment [5]
* Make ports framework more robust with regard to make index [6]
* Add new command macros to bsd.port.mk [7]
* Remove direct command use from bsd.port.mk [8]
* Make the ports system respect WITHOUT_CPU_CFLAGS [9]
* Break the SDL code out into bsd.sdl.mk [10]
* Add working support for USE_SIZE [11]
* Fix RANDOMIZE_MASTER_SITES on -CURRENT [12]
* Convert some spaces to tabs [13]
* Add new physical categories accessibility and x11-themes [14]
* Speed up GNU configure scripts [15]
* Remove "//" from MLINKS items in PLISTs and fix make -s install and
make -s deinstall [16]
* Be more specific about looking for files in distinfo [17]
* Add new run-autotools target, and resort configure targets [18]
* Make CONFLICTS compare prefix for installed packages and PREFIX [19]
* Change directory to ${.CURDIR} before running certain make commands [20]
* When INSTALL_AS_USER is set, run ldconfig with failures ignored [21]
* Speed up the security check phase [22]
* Fix some corner cases in the PORTDOCS code [23]
* Add a new DEPRECATED macro [24]
* Make INDEX breakage more informative [25]
Look for a full write-up to follow on ports@ and ports-developers@.
PR: 36112 [1]
59909 [4]
61351 [6]
59058 [7]
59058 [8]
59493 [9]
55494 [10]
59058 [11]
59315 [12]
59058 [13]
59811 [15]
59058 [16]
59058 [17]
60882 [18]
58149 [19]
59058 [20]
61133 [21]
55331 [22]
59070 [23]
59362 [24]
59626 [25]
Submitted by: linimon [1]
eivind [2]
marcus [3]
trevor [4]
gerald [5]
linimon [6]
eik [7]
eik [8]
jeh [9]
edwin [10]
eik [11]
Sergey Matveychuk <sem@ciam.ru> [12]
eik [13]
trevor gnome [14]
adamw [15]
eik [16]
eik [17]
edwin [18]
clement [19]
eik [20]
edwin lev [21]
Eugene M. Kim <ab@astralblue.com> [22]
eik [23]
linimon [24]
eik [25]
Since our db42 requires including db.h to use it, the existing configure
script cannot detect our db42. AC_CHECK_LIB() simply tests if a
function exists. :(
Requested by: Dmitry Sorokin <dmitry_sorokin@yahoo.ca>
4315 Emergency Dat release due to:
Incorrect identification of EXPLOIT/LINUX
Incorrect identification of UNIX/EXPLOIT-SSHIDEN
************************************************
* Fix severe byte order related problem with "route-to" rules
(much help from Joris Vandalon with testing here)
* Make tcpdump's -w flag work for if_pfsync
* Fix byte order and drop lock for icmp_error() calls.
(note that it is necessary to allow icmp_error messages - from
"block-policy return" - as FreeBSD does not know about pf's
special tags, yet).
- update ALTQ-message to point to the new 5.2R-patchset from rofug.ro
as well
PR: ports/61318
Submitted by: Max Laier <max@love2party.net> (maintainer)
to be present, or does not compile on certain versions of FreeBSD. This
will potentially avoid needless compilations on bento, and has the added
benefit of improving certain reporting tools. To most users, this change
is a no-op.
PR: 61090
Submitted by: linimon
Upgrade security/amavisd-new port to 20030616.p7
Also make portlint less unhappy wrt file
PR: ports/61042
Submitted by: Blaz Zupan <blaz@si.FreeBSD.org>
- the W32/Sober@MM virus signature has been updated to detect
W32/Sober.c@MM variant
PR: 61025
Submitted by: Jim Shewmaker <jims@bluenotch.com>
Approved by: maintainer
sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there
are three ways to automatically start sshd2 and /etc/rc.conf is the
simplest one (at least on FreeBSD 4, with rcNG once /etc/rc.d/sshd is
fixed to not be tailored to the base sshd) this version of the port
is the last one to do so. Beginning with next version it will only
install a sample start-up script. To prevent foot shooting when
updating to the next version this port won't remove an existing
start-up scripting on deinstall. Please see also the pkg-message that
gets displayed on installation.
- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
version the only change worth mentioning since 3.2.5 is the addition of the
config option "DisableVersionFallback", see sshd2_config(5) for further
details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
external (static) one is much simpler to set up and maintain (using the
external one requires to install a copy of it in the home directory of the
anonymous sftp user which has to be manually updated when installing a newer
version of the port).
- Remove WITHOUT_TCPWRAP knob, libwrap is part of FreeBSD since 3.2.
- Install example scripts for the ExternalAuthorizationProgram and
AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
handles the name of the pidfile better.
- Fix detection of X11 headers, this enables compilation with support for X11
SECURITY extension. See TrustX11Applications in ssh2_config(5) for further
information.
- Add a test target to the Makefile of the port, the tests seem a bit outdated
and buggy but it's enough to e.g. do a bit of speed comparison when building
with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to
the library search path when compiling, etc.).
Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
priority and shell, get motd, copyright, hushlogin and nologin, respect
ignorenologin and requirehome. These changes are roughly based on former
patch-ah and patch-ai and patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.
Submitted by: maintainer
maintainer, in my response to request about build errors on 5.x:
As much as I may try, I just can't find the time anymore to spend on
projects such as this. Since there are some documented exploits
available against 6.5.x, it would probably be best to remove the port.