Date:      Tue, 6 Mar 2007 08:44:08 -0500 (EST)
From:      Jason Harris <jharris@widomaker.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Jason Harris <jharris@widomaker.com>
Subject:   ports/109992: ports/security/gnupg1 -> 1.4.7
Message-ID:  <200703061344.l26Di8Lc013922@wilma.widomaker.com>
Resent-Message-ID: <200703061350.l26Do6t7053507@freefall.freebsd.org>


>Number:         109992
>Category:       ports
>Synopsis:       ports/security/gnupg1 -> 1.4.7
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 06 13:50:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jason Harris
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
N/A
>Environment:
System: FreeBSD 6.2-STABLE i386

>Description:
	Update ports/security/gnupg1 to 1.4.7 to work around a possible
	security hole.  From ./NEWS:

          * By default, do not allow processing multiple plaintexts in a
            single stream.  Many programs that called GnuPG were assuming
            that GnuPG did not permit this, and were thus not using the
            plaintext boundary status tags that GnuPG provides.  This change
            makes GnuPG reject such messages by default which makes those
            programs safe again.  --allow-multiple-messages returns to the
            old behavior.

>How-To-Repeat:
	Apply patch below.
	NB:  "cvs rm files/patch-configure"
>Fix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

cvs server: Diffing .
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/Makefile,v
retrieving revision 1.92
diff -u -r1.92 Makefile
--- Makefile	25 Dec 2006 03:48:59 -0000	1.92
+++ Makefile	6 Mar 2007 13:37:00 -0000
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	gnupg
-PORTVERSION=	1.4.6
-PORTREVISION=	3
+PORTVERSION=	1.4.7
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	gnupg
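Review bot: dropping the PORTREVISION line together with the PORTVERSION bump is the right thing in this hunk; a new upstream version restarts the port revision, so leaving "PORTREVISION=	3" in place would have been the mistake. Nothing else to raise here.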
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/distinfo,v
retrieving revision 1.39
diff -u -r1.39 distinfo
--- distinfo	9 Dec 2006 08:36:47 -0000	1.39
+++ distinfo	6 Mar 2007 13:37:00 -0000
@@ -1,6 +1,15 @@
-MD5 (gnupg-1.4.6.tar.bz2) = ec8dc6df1bd83c1d7e1a1ea10653f9f4
-SHA256 (gnupg-1.4.6.tar.bz2) = fd5a72418e55669b88076c2a6f11c3a59bf92a2071008567e65ae12b7372008e
-SIZE (gnupg-1.4.6.tar.bz2) = 3149454
-MD5 (gnupg-1.4.6.tar.bz2.sig) = 8b905292140d60fe493fab7d5b22c96d
-SHA256 (gnupg-1.4.6.tar.bz2.sig) = fb9294762932b34f2fd5a4b168f4c3a248aa7403c2aed8bffa5f67274b1b052d
-SIZE (gnupg-1.4.6.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2) = b06a141cca5cd1a55bbdd25ab833303c
+SHA1 (gnupg-1.4.7.tar.bz2) = 22149105845c79068771837c8deb7d5ba0854927
+RMD160 (gnupg-1.4.7.tar.bz2) = 630344c99834cf9adcf806d55e6f609a1e50bd8b
+SHA256 (gnupg-1.4.7.tar.bz2) = 69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d
+SIZE (gnupg-1.4.7.tar.bz2) = 3200642
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
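Review bot: the five gnupg-1.4.7.tar.bz2.sig entries are listed twice in this hunk; the second copy (the repeated "+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972" through "+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158") is a verbatim duplicate of the block just above it and should be dropped, which also brings the hunk down from +15 lines to the 10 that the two distfiles need. Separately, the removed lines carried only MD5, SHA256 and SIZE per file, while the new ones add SHA1 and RMD160; please confirm the new set is what "make makesum" produced on this tree rather than hand-added lines, and otherwise keep to the checksum set the file already used so that fetch-time checking behaves the same as for every other port.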
cvs server: Diffing files
Index: files/patch-configure
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/files/Attic/patch-configure,v
retrieving revision 1.5
diff -u -r1.5 patch-configure
--- files/patch-configure	9 Dec 2006 08:36:48 -0000	1.5
+++ files/patch-configure	6 Mar 2007 13:37:01 -0000
@@ -1,10 +0,0 @@
---- configure.orig	Fri Dec  8 17:02:30 2006
-+++ configure	Fri Dec  8 17:02:52 2006
-@@ -27251,6 +27251,7 @@
- exec_prefix=$exec_prefix
- libdir=$libdir
- libexecdir=$libexecdir
-+datarootdir=$datarootdir
- datadir=$datadir
- DATADIRNAME=$DATADIRNAME
- 
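Review bot: deleting files/patch-configure assumes the configure script shipped in gnupg-1.4.7.tar.bz2 already contains the "datarootdir=$datarootdir" assignment this local patch used to inject next to "datadir=$datadir"; confirm that against the 1.4.7 tarball before the "cvs rm files/patch-configure" noted in How-To-Repeat, because the CVS diff itself cannot express the file removal and the description line is the only record that the removal is intended. If 1.4.7 still lacks the assignment, the patch (or a sed in post-patch) has to stay.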
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iJ0EARECAF0FAkXtbrhWGGh0dHA6Ly9rZXlzZXJ2ZXIua2pzbC5jb206MTEzNzEv
cGtzL2xvb2t1cD9vcD1nZXQmc2VhcmNoPTB4RDM5REEwRTMmd2VoYXZleW91bm93
PXRydWUACgkQSypIl9OdoONZUACfd2ARkTa8DfHpv5KBB9ChsjS4+2MAnRtnE+Pp
Si4VLT2w5MWdacZlJz02
=0fyV
-----END PGP SIGNATURE-----
>Release-Note:
>Audit-Trail:
>Unformatted:
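The NEWS entry quoted in the description describes a caller-side mistake: wrapper programs assumed one GnuPG run yields one plaintext and therefore never looked at the plaintext boundary tags on the status file descriptor, so a stream that carried a signed plaintext followed by an unsigned one could be passed through as if it were entirely verified. The following is an added example, not code from this PR or from the GnuPG project, showing what a boundary-aware caller looks like. It assumes GnuPG's documented --status-fd keywords (PLAINTEXT, PLAINTEXT_LENGTH, GOODSIG, BADSIG, ERRSIG); the function names parse_status, naive_is_verified and boundary_aware_is_verified, and the two status streams, are constructed for illustration and the key ID and user ID in them are placeholders.

```python
"""Boundary-aware handling of GnuPG --status-fd output.

Hypothetical caller-side check, not GnuPG code: it reads the status lines
GnuPG writes to --status-fd and refuses to treat the output as verified when
more than one plaintext boundary (PLAINTEXT tag) appears in a single stream,
which is the condition GnuPG 1.4.7 rejects by default unless
--allow-multiple-messages is given.
"""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class StatusSummary:
    plaintexts: int = 0            # PLAINTEXT boundary tags seen
    good_sigs: int = 0             # GOODSIG lines
    bad_sigs: int = 0              # BADSIG and ERRSIG lines
    other: list = field(default_factory=list)  # keywords not of interest here


def parse_status(status_text: str) -> StatusSummary:
    """Tally the status keywords a verifier has to care about."""
    summary = StatusSummary()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # not a status line (e.g. stderr text mixed in)
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "PLAINTEXT":
            summary.plaintexts += 1
        elif keyword == "GOODSIG":
            summary.good_sigs += 1
        elif keyword in ("BADSIG", "ERRSIG"):
            summary.bad_sigs += 1
        else:
            summary.other.append(keyword)
    return summary


def naive_is_verified(status_text: str) -> bool:
    """The pattern the NEWS entry warns about: "a GOODSIG line means the whole
    output is signed".  It never looks at how many plaintexts were produced."""
    s = parse_status(status_text)
    return s.good_sigs > 0 and s.bad_sigs == 0


def boundary_aware_is_verified(status_text: str) -> bool:
    """Accept only a stream with exactly one plaintext and a good signature.
    A second PLAINTEXT tag means part of the output is not covered by the
    signature that was seen, so the whole result is refused."""
    s = parse_status(status_text)
    return s.plaintexts == 1 and s.good_sigs > 0 and s.bad_sigs == 0


# Constructed status streams (not captured from a real gpg run); key ID and
# user ID are placeholders.
SINGLE_SIGNED = """\
[GNUPG:] PLAINTEXT 62 1173183848 report.txt
[GNUPG:] PLAINTEXT_LENGTH 42
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
"""

# A signed plaintext followed by a second, unsigned plaintext in the same
# stream.  A caller that concatenates gpg's output and checks only for
# GOODSIG would hand the unsigned tail to its user as verified content.
SIGNED_THEN_INJECTED = SINGLE_SIGNED + """\
[GNUPG:] PLAINTEXT 62 1173183900 injected.txt
[GNUPG:] PLAINTEXT_LENGTH 17
"""

if __name__ == "__main__":
    for name, stream in (("single", SINGLE_SIGNED),
                         ("multi", SIGNED_THEN_INJECTED)):
        print(f"{name}: naive={naive_is_verified(stream)} "
              f"boundary-aware={boundary_aware_is_verified(stream)}")
```

With gnupg1 at 1.4.7 and the default options, the second stream no longer reaches a caller at all because gpg refuses the multi-plaintext message; the boundary-aware check is what a wrapper needs if it ever runs with --allow-multiple-messages or against an older gpg.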



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703061344.l26Di8Lc013922>