Date: Tue, 25 Jun 2002 08:40:04 -0700 (PDT)
From: Juha Ylitalo <juha.ylitalo@iki.fi>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/35037: New port: sysutils/cfengine2
Message-ID: <200206251540.g5PFe4Q36079@freefall.freebsd.org>

The following reply was made to PR ports/35037; it has been noted by GNATS.

From: Juha Ylitalo <juha.ylitalo@iki.fi>
To: freebsd-gnats-submit@FreeBSD.org
Cc:
Subject: Re: ports/35037: New port: sysutils/cfengine2
Date: 25 Jun 2002 18:33:05 +0300

NOTE: Due to changes in dhs.org policies, latest version of this port
can now be found from
http://jylitalo.homeip.net/cvsweb/FreeBSD/local/cfengine2
(shar file can be generated on request).
Old address at jylitalo.2y.net will probably disappear at second half of
July.

On its long journey to ports, sysutils/cfengine2 has now been upgraded
from cfengine version 2.0.2 to 2.0.3. Port itself didn't change much
(minor updates in Makefile, distinfo and patch-aa), but cfengine itself
lists following things in its Changelog:

- import in cfservd.conf was blocked.
- update.conf run when doing -a or -z
- DESTINATION used in link.c (legacy) without allocation - caused
  segfault.
- IMPORT in cfservd was excluded
- -b for --update-only was used up, changed to -B (too many options!)
- hyphen in cfservd.conf admit/deny hostname was misinterpreted as IP
  range in 2.0.2 (Fixed)
- Unknown edit command error in include/exclude.

SECURITY : Recursive descent functions vulnerable to race conditions.
Directories could be replaced by symbolic links and this would affect
any operation that relies on directory parsing; files, tidy, editfiles
(copy is non-destructive). Recursive descent functions are reworked to
check inode numbers and device numbers in order to detect attacks. This
leads to a small inefficiency in recursive descent. The solution is to
chdir to the actual directory concerned, check that it is the same one
we stat'ed and scan only those relative names afterwards, so we freeze
each directory one at a time. The problem only applies to systems who
have non-trusted users.

- Editfiles error messages added for class definitions within
  conditionals.
- Some segmentation faults corrected.
- Check added to prevent cfagent from following links it does not own.
- Work around to delete cfparse.c from the distribution cause autoconf
  won't do it. This was causing incorrect alloca() usage for HPUX and
  AIX.

[end of changelog]

-- 
Juha Ylitalo
juha.ylitalo@iki.fi <e-mail>
+358 40 562 6152 <mobile>
http://www.iki.fi/jylitalo <www>
"Some tools are used, because its policy, others because they are good."
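
The check described in the SECURITY changelog entry above (chdir into the directory, confirm by device and inode number that it is the one that was stat'ed, then use only relative names), as an added C example. This is not cfengine's code; `enter_checked` and `count_files` are hypothetical names, and counting regular files stands in for whatever operation the descent performs.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700            /* lstat(), fchdir() */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* chdir into `name`, then confirm "." is the directory described by `seen`
   (same device and inode). 0 = entered; on mismatch go back to `back_fd`
   and return -1 (-2 if even going back failed). */
int enter_checked(const char *name, const struct stat *seen, int back_fd)
{
    struct stat now;
    if (!S_ISDIR(seen->st_mode) || chdir(name) != 0)
        return -1;
    if (stat(".", &now) == 0 &&
        now.st_dev == seen->st_dev && now.st_ino == seen->st_ino)
        return 0;                    /* same directory we stat'ed: frozen */
    return fchdir(back_fd) == 0 ? -1 : -2;   /* replaced after the lstat */
}

/* Count regular files below the current directory, using relative names
   only. Returns the count, or -1 on error or a detected directory swap. */
long count_files(void)
{
    long total = 0, sub;
    int here = open(".", O_RDONLY);  /* handle used to come back up */
    DIR *d = opendir(".");
    struct dirent *e;
    struct stat st;
    while (here >= 0 && d && total >= 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        if (lstat(e->d_name, &st) != 0)
            continue;
        if (S_ISREG(st.st_mode)) {
            total++;
        } else if (S_ISDIR(st.st_mode)) {    /* lstat: a symlink is never S_ISDIR */
            sub = enter_checked(e->d_name, &st, here) == 0 ? count_files() : -1;
            total = (fchdir(here) == 0 && sub >= 0) ? total + sub : -1;
        }
    }
    if (here < 0 || d == NULL) total = -1;
    if (d) closedir(d);
    if (here >= 0) close(here);
    return total;
}
```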