[BACK]Return to patch-configure CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / net / xymonclient / patches

File: [cvs.NetBSD.org] / pkgsrc / net / xymonclient / patches / patch-configure (download)

Revision 1.2, Tue Feb 16 05:58:57 2016 UTC (4 years, 5 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3, pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, HEAD
Changes since 1.1: +5 -5 lines

update of xymon and xymonclient from 4.3.17 to 4.3.25

The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
  (symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
  end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
  (CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
  access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
  the addition of appropriate Content-Security-Policy headers to prevent XSS
  attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
  Thank you to Mark Felder for noting the impact and Martin Lenko
  for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
  eliminating the shell script CGI wrappers

Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.

$NetBSD: patch-configure,v 1.2 2016/02/16 05:58:57 spz Exp $

Make sure the toplevel configure script exits on failure.

--- configure.orig	2011-03-08 17:20:28.000000000 +0000
+++ configure
@@ -14,11 +14,11 @@ chmod 755 $BASEDIR/configure* $BASEDIR/b
 
 case "$TARGET" in
   "--client")
-	exec $BASEDIR/configure.client $*
+	exec $BASEDIR/configure.client "$@" || exit 1
 	;;
 
   "--server"|"")
-	exec $BASEDIR/configure.server $*
+	exec $BASEDIR/configure.server "$@" || exit 1
 	;;
 
   "--help")