Knot DNS is a high-performance authoritative-only DNS server which
supports all key features of the domain name system including zone
AXFR and IXFR, DDNS and DNSSEC. Its key features:
* Open source
* High-performance, multi-threaded, and mostly lock-free
  implementation which scales well on SMPs
* Object-oriented design
* Support for all important DNS protocols:
  - Full and incremental zone transfers
  - EDNS0 and DNSSEC extensions, including NSEC3
  - NSID
WWW: https://www.knot-dns.cz/
PR: 249363
Submitted by: Leo Vandewoestijne <freebsd@dns.company>
Relnotes: https://www.knot-dns.cz/2020-09-09-version-300.html
New Features:
* XACT:
  * Add support for WAVESTOP notifications
  * Add support for engines without settings files (or empty settings files)
Fixes:
* Add power-of-two quantum fallback paths for *BSD and Emscripten
* Return a unique error code for audio engines with a bad platform ID
* Fix a deadlock in Wolfenstein: The Old Blood related to callbacks
* Fix a crash for streaming WaveBanks when calling Destroy
* stb_vorbis: Handle malloc(0) calls
Fix X11 in Gtk size regressions (thanks Robin Gareus)
Fix compilation on MacOS older than 10.12
Fix drag and drop for X11 in Gtk
Fix various minor warnings and other code quality issues
PR: 250078
Submitted by: Michael Beer (maintainer)
Fix memory leaks in lv2bench
Fix various minor warnings and other code quality issues
Make lilv_world_get() use translations
Split and clean up test suite
PR: 250079
Submitted by: Michael Beer (maintainer)
* Added WAVE_FORMAT_EXTENSIBLE with value 0xfffe and suppressed error on wav
  header parsing with that format
PR: 250088
Reported by: Danoz <danoz@danoz.net>
KDE Project Security Advisory
=============================
Title: KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk Rating: Important
CVE: CVE-2020-26164
Versions: kdeconnect <= 20.08.1
Author: Albert Vaca Cintora <albertvaka@gmail.com>
Date: 2 October 2020
Overview
========
An attacker on your local network could send maliciously crafted packets to other hosts running
kdeconnect on the network, causing them to use large amounts of CPU, memory or network
connections, which could be used in a Denial of Service attack within the network.
Impact
======
Computers that run kdeconnect are susceptible to DoS attacks from the local network.
Workaround
==========
We advise you to stop KDE Connect when on untrusted networks like those at airports or conferences.
Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute
force approach is to uninstall the kdeconnect package from your system and then run
    kquitapp5 kdeconnectd
Just install the package again once you're back in a trusted network.
Solution
========
KDE Connect 20.08.2 patches several code paths that could result in a DoS.
You can apply these patches on top of 20.08.1:
f183b5447bb279c52101d35b88c1b2b496e668995310eae85d721ba9faafae58b9dec466c768aa9e85b691e40f48180b4655
Credits
=======
Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.
Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.
Security: CVE-2020-26164
Changelog since 7.9.1:
* Notable issues fixed
  - Secret store thread safety issues with multiple pipelines
    - Since 7.8.0, a change to optimise the speed of loading variables from
      the Logstash Secret Store could cause Logstash not to be able to start
      when the feature was used in conjunction with multiple pipelines.
  - App Search output startup failure
    - Since 7.9.0, a regression was introduced which prevented pipelines
      using the Elastic App Search output from starting.
* Compatibility notice: Logstash and JDK 15
  - Logstash is not yet compatible with JDK 15.
  - While we are working to support JDK 15, we encourage you to use supported
    JDK versions (8, 11 or 14). See Java (JVM) version for details and the
    Elastic Support Matrix for the official word on supported versions
    across products and releases.
* Plugins
  - Sleep Filter - 3.0.7
    - Changed Fixnum to Integer. Fixnum was deprecated in ruby 2.4.
  - Elastic_app_search Output - 1.1.1
    - Added missed dependency (elastic-app-search) to the gemspec
Release notes:
https://www.elastic.co/guide/en/logstash/current/logstash-7-9-2.html
PR: 249913
Submitted by: Juraj Lutter <juraj@lutter.sk>
Changelog since 7.9.1:
* Enhancement
  - Machine Learning
    - Improves performance of job exists check
* Bug fixes
  - Alerting
    - Fixes alerts unable to create or update when the name has trailing whitespace
  - Machine Learning
    - Swim lane pagination for viewing by job ID
    - Fixes custom URLs processing for security app
  - Management
    - Fixes an issue in Snapshot and Restore UI where creating a policy, repository, or snapshot with a special character, like a colon, in the name would result in a 404 when viewing details or editing any of the aforementioned
    - Indices that contain the characters % { [ @ no longer cause a 405 error in Index Management
    - Fixes an issue in the snapshot and restore policy creation form that allowed a policy to be created without an index specified
    - The snapshot and restore wizard now notifies users when a policy configured with a non-existing repository is being updated and requires that the user select a new repository
    - Fixes an issue in the grok debugger where simulation error messages are not being displayed
  - Maps
    - Fixes drawing shapes in maps app broken in 7.9.1
  - Monitoring
    - Prevents edit/create for Stack Monitoring alerts in Alerts Management
    - Fixes improper lodash syntax
    - Fixes UI error when alerting is not available
  - Platform
    - Fixes bug causing multiple overrides to only show the last confirm modal
    - Fixes remoteAddress being duplicated in userAgent field
    - Fixes an issue that caused savedObject migration errors to not be displayed in the logs
    - Fixes an issue where defaultAppId redirect could fire outside home app
    - Suppresses error logs when clients connect over HTTP instead of HTTPS
  - Reporting
    - Adds back in custom images for reporting + tests
  - Security
    - Adds Lens as a readable saved object for read-only dashboard users
  - Uptime
    - Fixes alerting false positives
Release notes:
https://www.elastic.co/guide/en/kibana/7.9/release-notes-7.9.2.html
PR: 249914
Submitted by: Juraj Lutter <juraj@lutter.sk>
Changelog since 7.9.1:
* Deprecations
  - Infra/Plugins
    - Deprecate xpack.eql.enabled setting and make it a no-op
* Enhancements
  - Mapping
    - Improve error messages on bad [format] and [null_value] params for date mapper
* Bug fixes
  - Aggregations
    - Cardinality request breaker leak
    - Fix bug with terms' min_doc_count
  - Analysis
    - Fix standard filter BWC check to allow for cacheing bug
  - Authentication
    - Ensure domain_name setting for AD realm is present
    - Update authc failure headers on license change
  - Authorization
    - Ensure authz operation overrides transient authz headers
  - CCR
    - CCR should retry on CircuitBreakingException
  - EQL
    - Create the search request with a list of indices
  - Engine
    - Allow enabling soft-deletes on restore from snapshot
  - Features/Data streams
    - Always validate that only a create op is allowed in bulk api for data streams
    - Fix NPE when deleting multiple backing indices on a data stream
    - Fix data stream wildcard resolution bug in eql search api.
    - Prohibit the usage of create index api in namespaces managed by data stream templates
  - Features/ILM+SLM
    - Fix condition in ILM step that cannot be met
  - Features/Ingest
    - Add Missing NamedWritable Registration for ExecuteEnrichPolicyStatus
  - Features/Java High Level REST Client
    - Drop assertion that rest client response warnings conform to RFC 7234
  - Infra/Packaging
    - Check glibc version
  - Machine Learning
    - Add null checks for C++ log handler
    - Persist progress when setting data frame analytics task to failed
    - Fix reporting of peak memory usage in memory stats for data frame analytics
    - Fix reporting of peak memory usage in model size stats for anomaly detection
  - Mapping
    - Allow empty null values for date and IP field mappers
    - Take resolution into account when parsing date null value
  - Network
    - Log alloc description after netty processors set
  - SQL
    - Do not resolve self-referencing aliases
  - Search
    - Fix disabling allow_leading_wildcard
    - Search memory leak
  - Transform
    - Disable optimizations when using scripts in group_by
* Upgrades
  - Infra/Packaging
    - Upgrade the bundled JDK to JDK 15
Release notes:
https://www.elastic.co/guide/en/elasticsearch///reference/current/release-notes-7.9.2.html
PR: 249915
Submitted by: Juraj Lutter <juraj@lutter.sk>
Changes since 7.9.1:
* Breaking changes
  - Affecting all Beats
    - Autodiscover doesn’t generate any configuration when a variable is
      missing. Previously it generated an incomplete configuration.
* Bugfixes
  - Affecting all Beats
    - Explicitly detect missing variables in autodiscover configuration,
      log them at the debug level.
    - Fix libbeat.output.write.bytes and libbeat.output.read.bytes metrics of
      the Elasticsearch output.
  - Filebeat
    - Provide backwards compatibility for the set processor when Elasticsearch is
      less than 7.9.0.
    - Fix an error updating file size being logged when EOF is reached.
    - Fix error when processing AWS Cloudtrail Digest logs.
  - Metricbeat
    - The Kibana collector applies backoff when errored at getting usage stats
    - The elasticsearch/index metricset only requests wildcard expansion for hidden
      indices if the monitored Elasticsearch cluster supports it.
    - Fix panic index out of range error when getting AWS account name.
    - Handle missing counters in the application_pool metricset.
  - Functionbeat
    - Do not need Google credentials if not required for the operation.
    - Fix dependency issues of GCP functions.
* Added
  - Affecting all Beats
    - Add container ECS fields in kubernetes metadata.
FreeBSD notes:
- Fixed PRs:
  - bug #248499
  - bug #244627
  - bug #228785
- Fix paths in various (mostly example) files
Release Notes:
https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-7.9.2.html
PR: 249912
Submitted by: Juraj Lutter <juraj@lutter.sk>
Bits we were replacing in dbus/dbus-sysdeps-unix.c were moved to
dbus/dbus-sysdeps-util-unix.c. Make the patch more robust by first using
a patch and then REINPLACE_CMD.
Approved by: portmgr blanket
If you have a TMPDIR in your environment that points to an existing
directory other than /tmp (e.g., TMPDIR=/bigfilesystem/tmp), when you build
devel/dbus, a couple files get built with that value.
When the package is installed on a target system that may not have the
non-default TMPDIR used at build time, then you will get run-time errors.
Such as:
% dbus-launch sh
Failed to start message bus: Failed to bind socket "/bigfilesystem/tmp/dbus-1nT4MYueXb": No such file or directory
EOF in dbus-launch reading address from bus daemon
PR: 238548
Submitted by: John Hein <jcfyecrayz@liamekaens.com>
It was most likely meant to be removed in r493840, together with other
related bits.
PR: 238963
Reported by: chadf@triularity.org
Approved by: portmgr blanket
Before this patch, the following error could be observed during the
installation of the port:
===> Creating homedir(s)
/bin/sh: gconftool-2: not found
chown: /usr/local/etc/gdm/home/.gconf.mandatory: No such file or directory
chmod: /usr/local/etc/gdm/home/.gconf.mandatory: No such file or directory
chmod: /usr/local/etc/gdm/home/.gconf.mandatory/*.xml: No such file or directory
GDM is installed.
Specifying USE_GNOME+=gconf2 seems to fix the error messages.
(BTW, for some reason the gconf2 dependency was removed in r372768.)
Approved by: portmgr blanket
MFH: 2020Q4
pkg-message does not contain %%PREFIX%% anymore, so a sed(1) call is not
necessary. In addition to that, passing pkg-message through fmt(1) was
breaking the UCL inside causing pkg-message to not be displayed at all.
Approved by: portmgr blanket
MFH: 2020Q4
It's been reported that it would be desired to treat the following
files as samples:
- etc/dbus-1/system.d/gdm.conf.sample
- etc/gdm/Init/Default.sample
- etc/gdm/Xsession.sample
- etc/pam.d/gdm-autologin.sample
- etc/pam.d/gdm-launch-environment.sample
- etc/pam.d/gdm-password.sample
PR: 187558
Submitted by: Eugene M. Kim <astralblue@gmail.com>
Reported by: robmessick@gmail.com
Approved by: maintainer timeout