Mon May 28 19:12:29 UTC 201820180528191229

a/pkgtools-15.0-noarch-13.txz:  Rebuilt.
  installpkg: default line length for --terselength is the number of columns.
  removepkg: added --terse mode.
  upgradepkg: default line length for --terselength is the number of columns.
  upgradepkg: accept -option in addition to --option.
ap/vim-8.1.0026-x86_64-1.txz:  Upgraded.
d/bison-3.0.5-x86_64-1.txz:  Upgraded.
e/emacs-26.1-x86_64-1.txz:  Upgraded.
kde/kopete-4.14.3-x86_64-8.txz:  Rebuilt.
  Recompiled against libidn-1.35.
n/conntrack-tools-1.4.5-x86_64-1.txz:  Upgraded.
n/libnetfilter_conntrack-1.0.7-x86_64-1.txz:  Upgraded.
n/libnftnl-1.1.0-x86_64-1.txz:  Upgraded.
n/links-2.16-x86_64-2.txz:  Rebuilt.
  Rebuilt to enable X driver for -g mode.
n/lynx-2.8.9dev.19-x86_64-1.txz:  Upgraded.
n/nftables-0.8.5-x86_64-1.txz:  Upgraded.
n/p11-kit-0.23.11-x86_64-1.txz:  Upgraded.
n/ulogd-2.0.7-x86_64-1.txz:  Upgraded.
n/whois-5.3.1-x86_64-1.txz:  Upgraded.
xap/network-manager-applet-1.8.12-x86_64-1.txz:  Upgraded.
xap/vim-gvim-8.1.0026-x86_64-1.txz:  Upgraded.

1 files changed, 61 insertions, 0 deletions

diff --git a/source/n/lynx/lynx-CVE-2008-4690.patch b/source/n/lynx/lynx-CVE-2008-4690.patch
new file mode 100644
index 000000000..a0a6a3206
--- /dev/null
+++ b/source/n/lynx/lynx-CVE-2008-4690.patch
@@ -0,0 +1,61 @@
+From c60c227ab9a36246730d7454e33d40d2c66c88b3 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 13 Feb 2013 15:26:22 +0100
+Subject: [PATCH] fix CVE-2008-4690
+
+prompt user before executing command via a lynxcgi link even in advanced mode,
+as the actual URL may not be shown but hidden behind an HTTP redirect and set
+TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+---
+ CHANGES     |    7 +++++++
+ lynx.cfg    |    2 +-
+ src/LYCgi.c |    2 +-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 360be68..8eca013 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1237,6 +1237,13 @@ Changes since Lynx 2.8 release
+ * update win32 makefiles/build scripts to add LYmktime, parsdate modules -TD
+ * update config.guess (2008-04-14), config.sub (2008-06-16)
+ 
++2008-10-26
++* modify patch for CVE-2005-2929 to prompt user before executing command via
++  a lynxcgi link even in advanced mode, as the actual URL may not be shown but
++  hidden behind an HTTP redirect
++* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
++  [CVE-2008-4690]
++
+ 2008-09-21 (2.8.7dev.10)
+ * remove rw.po, since the translation project no longer supplies it -TD
+ * implement "readonly" attribute for TEXTAREA and TEXT fields -TD
+diff --git a/lynx.cfg b/lynx.cfg
+index ee2aad3..144050d 100644
+--- a/lynx.cfg
++++ b/lynx.cfg
+@@ -1087,7 +1087,7 @@ CHARACTER_SET:utf-8
+ #
+ # The default TRUSTED_LYNXCGI rule is "none".
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+ 
+ .h2 LYNXCGI_ENVIRONMENT
+ # Unix:
+diff --git a/src/LYCgi.c b/src/LYCgi.c
+index 832bb89..0ae8a7e 100644
+--- a/src/LYCgi.c
++++ b/src/LYCgi.c
+@@ -167,7 +167,7 @@ static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
+     if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ 	/* exec_ok gives out msg. */
+ 	result = FALSE;
+-    } else {
++    } else if (user_mode < ADVANCED_MODE) {
+ 	StrAllocCopy(command, linktext);
+ 	if (non_empty(linkargs)) {
+ 	    HTSprintf(&command, " %s", linkargs);
+-- 
+1.7.1
+