Merge branch '3.3' into 3.4

2018-02-04 17:28:18 +01:00 · 2018-02-04 17:28:18 +01:00 · 7c401a2666
commit 7c401a2666
parent 2c390b10fa 93b6fe2d9d
19 changed files with 96 additions and 650 deletions
--- a/btrfs-progs/.md5sum
+++ b/btrfs-progs/.md5sum
@ -1 +1 @@
-fa1618a0ee07e88d39c4e4e39775ed35  btrfs-progs-v4.14.1.tar.xz
+e7dd633a27e8edca98457dc9d3e4912c  btrfs-progs-v4.15.tar.xz
--- a/btrfs-progs/.signature
+++ b/btrfs-progs/.signature
@ -1,5 +1,5 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/Q7wgzrsi19uEXc6VEoZaU50F6OtwzzBryDNGwN+ROe08nyndAMhkqZWwBcY7sdX+FLyry9q8Zof/dDGzjA4RA8=
-SHA256 (Pkgfile) = 1f65344dbb80a8e80864ba3166b0f9e7013b71a6a4a452ebef1467ad00ce6d8d
+RWSE3ohX2g5d/bPcR/WsfAMc7jrTCcYzUipQAVxLttosS7Ysynw4+1hpkDRv/4TELrLm8668xSCOFC0SXzvFEPuXhJj6Q22aVwM=
+SHA256 (Pkgfile) = f89f8517945eb20eb420f48ea7c1d3f21c254bdbd0d224134614cf6257cc3765
 SHA256 (.footprint) = a29435b0a075edf510a96e949e3a0d21138e6af59f76ac28307f4435b35da84d
-SHA256 (btrfs-progs-v4.14.1.tar.xz) = 90c5b3a73d0a5194754bb148d362b4d2b0755527324c4e9d9fa0b4c15bb354dd
+SHA256 (btrfs-progs-v4.15.tar.xz) = 9e3528c60c76970b73297ea4b01bdc23a70c39c82d540b61cf07a7c0612339e9
--- a/btrfs-progs/Pkgfile
+++ b/btrfs-progs/Pkgfile
@ -4,7 +4,7 @@
 # Depends on:  e2fsprogs lzo zstd

 name=btrfs-progs
-version=4.14.1
+version=4.15
 release=1
 source=(https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/btrfs-progs-v$version.tar.xz)

--- a/dovecot/.md5sum
+++ b/dovecot/.md5sum
@ -1,3 +1,4 @@
+a1a5efc13766e3b2d0a154e9716f0f7a  CVE-2017-15132-1.patch
 f043e0bb2773cd38f74ada8c164524a6  CVE-2017-15132.patch
 ec342928dd97131f82dba41546741b5f  dovecot
 a8802617ddf68972f5f97bd8677e5856  dovecot-2.3.0.tar.gz
--- a/dovecot/.signature
+++ b/dovecot/.signature
@ -1,8 +1,9 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/SihfglHd/nyxWOIuJQMl+JGBQBCDkigF+pqp87P7EyBt9dC8e7bvYN/L5VAH5T1yYeOkiDQPNnRAogyCZk8qww=
-SHA256 (Pkgfile) = 0bedafa60b3e7d7db93c113f28760308b77cdda87756884c0bf391f2b02c6a05
+RWSE3ohX2g5d/SkROei+JVsseDKn6SIUNsjxW4JVhAKiDa6r4HZW5ka8HbQjpy6OBAAyHGpg/+/NM5m9pchHJcjlYyFH2k1VXQs=
+SHA256 (Pkgfile) = f325affa0506d8e0a7f7ac40e81503af99fa2ee54a3a8c38a76205de6e8e396b
 SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b
 SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581
 SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f
+SHA256 (CVE-2017-15132-1.patch) = 480980136322c3361ab334346218504397668df49d66afef0bca70b7e4d40fae
 SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c
 SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7
--- a/dovecot/CVE-2017-15132-1.patch
+++ b/dovecot/CVE-2017-15132-1.patch
@ -0,0 +1,57 @@
+From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@dovecot.fi>
+Date: Fri, 26 Jan 2018 10:55:54 +0200
+Subject: [PATCH] lib-auth: Remove request after abort
+
+Otherwise the request will still stay in hash table
+and get dereferenced when all requests are aborted
+causing an attempt to access free'd memory.
+
+Found by Apollon Oikonomopoulos <apoikos@debian.org>
+
+Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
+---
+ src/lib-auth/auth-client-request.c    | 2 ++
+ src/lib-auth/auth-server-connection.c | 7 +++++++
+ src/lib-auth/auth-server-connection.h | 2 ++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
+index 046f7c307d..f6d0290a13 100644
+--- a/src/lib-auth/auth-client-request.c
+++ b/src/lib-auth/auth-client-request.c
+@@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
+ 
+ 	auth_client_send_cancel(request->conn->client, request->id);
+ 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+	/* remove the request */
+	auth_server_connection_remove_request(request->conn, request->id);
+ 	pool_unref(&request->pool);
+ }
+ 
+diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
+index 9d65450fb3..7eea061cad 100644
+--- a/src/lib-auth/auth-server-connection.c
+++ b/src/lib-auth/auth-server-connection.c
+@@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
+ 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
+ 	return id;
+ }
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id)
+{
+	i_assert(conn->handshake_received);
+	hash_table_remove(conn->requests, POINTER_CAST(id));
+}
+diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
+index 179b5dbd4c..c2c533a41d 100644
+--- a/src/lib-auth/auth-server-connection.h
+++ b/src/lib-auth/auth-server-connection.h
+@@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
+ unsigned int
+ auth_server_connection_add_request(struct auth_server_connection *conn,
+ 				   struct auth_client_request *request);
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id);
+ #endif
--- a/dovecot/Pkgfile
+++ b/dovecot/Pkgfile
@ -5,15 +5,16 @@

 name=dovecot
 version=2.3.0
-release=2
+release=3
 source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
-        CVE-2017-15132.patch
+        CVE-2017-15132.patch CVE-2017-15132-1.patch
        dovecot-config.patch dovecot)

 build () {
    cd $name-ce-$version

    patch -p1 -i $SRC/CVE-2017-15132.patch
+    patch -p1 -i $SRC/CVE-2017-15132-1.patch
    patch -p1 -i $SRC/$name-config.patch

    ./configure --prefix=/usr \
--- a/sylpheed/.footprint
+++ b/sylpheed/.footprint
@ -48,13 +48,13 @@ drwxr-xr-x	root/root	usr/include/sylpheed/sylph/
 -rw-r--r--	root/root	usr/include/sylpheed/sylph/xml.h
 drwxr-xr-x	root/root	usr/lib/
 -rwxr-xr-x	root/root	usr/lib/libsylph-0.la
-lrwxrwxrwx	root/root	usr/lib/libsylph-0.so -> libsylph-0.so.1.2.1
-lrwxrwxrwx	root/root	usr/lib/libsylph-0.so.1 -> libsylph-0.so.1.2.1
-rwxr-xr-x	root/root	usr/lib/libsylph-0.so.1.2.1
+lrwxrwxrwx	root/root	usr/lib/libsylph-0.so -> libsylph-0.so.1.3.0
+lrwxrwxrwx	root/root	usr/lib/libsylph-0.so.1 -> libsylph-0.so.1.3.0
+-rwxr-xr-x	root/root	usr/lib/libsylph-0.so.1.3.0
 -rwxr-xr-x	root/root	usr/lib/libsylpheed-plugin-0.la
-lrwxrwxrwx	root/root	usr/lib/libsylpheed-plugin-0.so -> libsylpheed-plugin-0.so.1.2.1
-lrwxrwxrwx	root/root	usr/lib/libsylpheed-plugin-0.so.1 -> libsylpheed-plugin-0.so.1.2.1
-rwxr-xr-x	root/root	usr/lib/libsylpheed-plugin-0.so.1.2.1
+lrwxrwxrwx	root/root	usr/lib/libsylpheed-plugin-0.so -> libsylpheed-plugin-0.so.1.3.0
+lrwxrwxrwx	root/root	usr/lib/libsylpheed-plugin-0.so.1 -> libsylpheed-plugin-0.so.1.3.0
+-rwxr-xr-x	root/root	usr/lib/libsylpheed-plugin-0.so.1.3.0
 drwxr-xr-x	root/root	usr/share/
 drwxr-xr-x	root/root	usr/share/applications/
 -rw-r--r--	root/root	usr/share/applications/sylpheed.desktop
--- a/sylpheed/.md5sum
+++ b/sylpheed/.md5sum
@ -1 +1 @@
-5b72a9173963be38efe5fb0b3f5cc44b  sylpheed-3.6.0.tar.bz2
+af1ea33e82050b8bd034b8cfbcd2f75e  sylpheed-3.7.0.tar.xz
--- a/sylpheed/.signature
+++ b/sylpheed/.signature
@ -1,5 +1,5 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/aisZBtzqBrVl4S6HdJIGt5dIfoiDRAzIPj/IfPUu3NDARPwgBi56ot0ZEMXlagbjvvWPu7jOriblyRE5hoYSwQ=
-SHA256 (Pkgfile) = f89d6c94357174fe0137384b7ab8ab8be5f1dce0835ef0c0ce434575f7fcc0c4
-SHA256 (.footprint) = 42ac93bc878b3219179df22b99e1b9c3e75945853adf16e7723d721d3fecd63a
-SHA256 (sylpheed-3.6.0.tar.bz2) = eba4a70b43b49dbf419934796677a69a71d069b71b0dd697a0008836be4db345
+RWSE3ohX2g5d/bMPF5xLTU6DYW4Y+x2oK6McZluEH+qW6HnDXdLuoL/AZbod6Usq3zWlOMcBusunbisVJTLaIaJSbX0IqKIH0wo=
+SHA256 (Pkgfile) = 753625fbcf72cb78c44a961e6c7f9fd81761a92c661ce7d47740e1120b4aa924
+SHA256 (.footprint) = 84bb6c474dfc59b15db032cb57e4925186f2912127cb208a718de89adbc7126c
+SHA256 (sylpheed-3.7.0.tar.xz) = 0d6bc5eb46f5d0a463757c62bc80b00d219b294b3c3662840e4540f6db2e3e49
--- a/sylpheed/Pkgfile
+++ b/sylpheed/Pkgfile
@ -4,9 +4,9 @@
 # Depends on:  gtk

 name=sylpheed
-version=3.6.0
+version=3.7.0
 release=1
-source=(https://sylpheed.sraoss.jp/sylpheed/v3.6/$name-$version.tar.bz2)
+source=(https://sylpheed.sraoss.jp/sylpheed/v3.7/$name-$version.tar.xz)

 build () {
    cd $name-$version
--- a/transmission-gtk/.md5sum
+++ b/transmission-gtk/.md5sum
@ -1,2 +1 @@
-7d60fa6b8ec69d27503c4f61922b3aba  CVE-2018-5702.patch
-3fce404a436e3cd7fde80fb6ed61c264  transmission-2.92.tar.xz
+a1b8113ebc3402787312ecb443d9d3c1  transmission-2.93.tar.xz
--- a/transmission-gtk/.signature
+++ b/transmission-gtk/.signature
@ -1,6 +1,5 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/eeCGcvDY0PrAIetaAuahiu0bSZPYI1/qqRzvLPraFcZ+1Nfw2gKwWgkPOBF2N9HT2mqABISDceAaD012LzaoAg=
-SHA256 (Pkgfile) = ad8bc82246eff91bdd0518c2ac5d0d06e8b48f19c5412b5fb6cb7d90b03bb7b5
+RWSE3ohX2g5d/YupckVBaZDqikF3ce5HwEedOwqf/y86QeARgU4F0EgBc+4rnWD+4Zc0wE0d/uGaFeAFkSCIHQZDMiJ78RdewAI=
+SHA256 (Pkgfile) = d1aa192d216259b40699999d54103906585008106370e14d8938c78be3b7255e
 SHA256 (.footprint) = 4a1315e013b8d882bbcb6d165b7ab03f5f55c9e0cd035bab12d13ab3199a1b07
-SHA256 (transmission-2.92.tar.xz) = 3a8d045c306ad9acb7bf81126939b9594553a388482efa0ec1bfb67b22acd35f
-SHA256 (CVE-2018-5702.patch) = eae7fc4b93b4be760c4d3277ff75b39573cc9e0e4eb851d12269ea004f46c54a
+SHA256 (transmission-2.93.tar.xz) = 8815920e0a4499bcdadbbe89a4115092dab42ce5199f71ff9a926cfd12b9b90b
--- a/transmission-gtk/CVE-2018-5702.patch
+++ b/transmission-gtk/CVE-2018-5702.patch
@ -1,302 +0,0 @@
-Fix a weakness that allows remote code execution via the Transmission
-RPC server using DNS rebinding:
-
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
-
-Patch adapted from Tavis Ormandy's patch on the Transmission master
-branch to the Transmission 2.92 release by Leo Famulari
-<leo@famulari.name>:
-
-https://github.com/transmission/transmission/pull/468/commits
-
-From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
-From: Tavis Ormandy <taviso@google.com>
-Date: Thu, 11 Jan 2018 10:00:41 -0800
-Subject: [PATCH] mitigate dns rebinding attacks against daemon
-
---
- libtransmission/quark.c        |   2 + 
- libtransmission/quark.h        |   2 + 
- libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----
- libtransmission/rpc-server.h   |   4 ++
- libtransmission/session.c      |   2 + 
- libtransmission/transmission.h |   1 + 
- libtransmission/web.c          |   3 ++
- 7 files changed, 121 insertions(+), 9 deletions(-)
-
-diff --git a/libtransmission/quark.c b/libtransmission/quark.c
-index 30cc2bca4..b4fd7aabd 100644
--- a/libtransmission/quark.c
-+++ b/libtransmission/quark.c
-@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =
-   { "rpc-authentication-required", 27 },
-   { "rpc-bind-address", 16 },
-   { "rpc-enabled", 11 },
-+  { "rpc-host-whitelist", 18 },
-+  { "rpc-host-whitelist-enabled", 26 },
-   { "rpc-password", 12 },
-   { "rpc-port", 8 },
-   { "rpc-url", 7 },
-diff --git a/libtransmission/quark.h b/libtransmission/quark.h
-index 7f5212733..17464be8f 100644
--- a/libtransmission/quark.h
-+++ b/libtransmission/quark.h
-@@ -291,6 +291,8 @@ enum
-   TR_KEY_rpc_authentication_required,
-   TR_KEY_rpc_bind_address,
-   TR_KEY_rpc_enabled,
-+  TR_KEY_rpc_host_whitelist,
-+  TR_KEY_rpc_host_whitelist_enabled,
-   TR_KEY_rpc_password,
-   TR_KEY_rpc_port,
-   TR_KEY_rpc_url,
-diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c
-index a3485f3fa..292cd5fce 100644
--- a/libtransmission/rpc-server.c
-+++ b/libtransmission/rpc-server.c
-@@ -52,6 +52,7 @@ struct tr_rpc_server
-     bool               isEnabled;
-     bool               isPasswordEnabled;
-     bool               isWhitelistEnabled;
-+    bool               isHostWhitelistEnabled;
-     tr_port            port;
-     char             * url;
-     struct in_addr     bindAddress;
-@@ -63,6 +64,7 @@ struct tr_rpc_server
-     char             * password;
-     char             * whitelistStr;
-     tr_list          * whitelist;
-+    tr_list          * hostWhitelist;
- 
-     char             * sessionId;
-     time_t             sessionIdExpiresAt;
-@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const char * address)
-   return false;
- }
- 
-+static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)
-+{
-+    /* If password auth is enabled, any hostname is permitted. */
-+    if (server->isPasswordEnabled)
-+    {
-+        return true;
-+    }
-+
-+    char const* const host = evhttp_find_header(req->input_headers, "Host");
-+
-+    // If whitelist is disabled, no restrictions.
-+    if (!server->isHostWhitelistEnabled)
-+        return true;
-+
-+    /* No host header, invalid request. */
-+    if (host == NULL)
-+    {
-+        return false;
-+    }
-+
-+    /* Host header might include the port. */
-+    char* const hostname = tr_strndup(host, strcspn(host, ":"));
-+
-+    /* localhost or ipaddress is always acceptable. */
-+    if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))
-+    {
-+        tr_free(hostname);
-+        return true;
-+    }
-+
-+    /* Otherwise, hostname must be whitelisted. */
-+    for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {
-+        if (tr_wildmat(hostname, l->data))
-+        {
-+            tr_free(hostname);
-+            return true;
-+        }
-+    }
-+
-+    tr_free(hostname);
-+    return false;
-+}
-+
- static bool
- test_session_id (struct tr_rpc_server * server, struct evhttp_request * req)
- {
-@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * req, void * arg)
-           handle_upload (req, server);
-         }
- #ifdef REQUIRE_SESSION_ID
-+        else if (!isHostnameAllowed(server, req))
-+        {
-+            char* tmp = tr_strdup_printf(
-+                "<p>Transmission received your request, but the hostname was unrecognized.</p>"
-+                "<p>To fix this, choose one of the following options:"
-+                "<ul>"
-+                "<li>Enable password authentication, then any hostname is allowed.</li>"
-+                "<li>Add the hostname you want to use to the whitelist in settings.</li>"
-+                "</ul></p>"
-+                "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>"
-+                "<p>This requirement has been added to help prevent "
-+                "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> "
-+                "attacks.</p>");
-+            send_simple_response(req, 421, tmp);
-+            tr_free(tmp);
-+        }
-+
-       else if (!test_session_id (server, req))
-         {
-           const char * sessionId = get_current_session_id (server);
-@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * req, void * arg)
-             "<li> When you get this 409 error message, resend your request with the updated header"
-             "</ol></p>"
-             "<p>This requirement has been added to help prevent "
-            "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
-+            "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
-             "attacks.</p>"
-             "<p><code>%s: %s</code></p>",
-             TR_RPC_SESSION_ID_HEADER, sessionId);
-@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * server)
-   return server->url ? server->url : "";
- }
- 
-void
-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-+static void
-+tr_rpcSetList (char const* whitelistStr, tr_list** list)
- {
-   void * tmp;
-   const char * walk;
- 
-  /* keep the string */
-  tmp = server->whitelistStr;
-  server->whitelistStr = tr_strdup (whitelistStr);
-  tr_free (tmp);
-
-   /* clear out the old whitelist entries */
-  while ((tmp = tr_list_pop_front (&server->whitelist)))
-+  while ((tmp = tr_list_pop_front (list)) != NULL)
-     tr_free (tmp);
- 
-   /* build the new whitelist entries */
-@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-       const char * delimiters = " ,;";
-       const size_t len = strcspn (walk, delimiters);
-       char * token = tr_strndup (walk, len);
-      tr_list_append (&server->whitelist, token);
-+      tr_list_append (list, token);
-       if (strcspn (token, "+-") < len)
-         tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'!  Are you using an old ACL by mistake?)", token);
-       else
-@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-     }
- }
- 
-+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr)
-+{
-+    tr_rpcSetList(whitelistStr, &server->hostWhitelist);
-+}
-+
-+void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
-+{
-+    /* keep the string */
-+    char* const tmp = server->whitelistStr;
-+    server->whitelistStr = tr_strdup(whitelistStr);
-+    tr_free(tmp);
-+
-+    tr_rpcSetList(whitelistStr, &server->whitelist);
-+}
-+
- const char*
- tr_rpcGetWhitelist (const tr_rpc_server * server)
- {
-@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_server * server)
-   return server->isWhitelistEnabled;
- }
- 
-+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled)
-+{
-+    server->isHostWhitelistEnabled = isEnabled;
-+}
-+
- /****
- *****  PASSWORD
- ****/
-@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session  * session, tr_variant * settings)
-   else
-     tr_rpcSetWhitelistEnabled (s, boolVal);
- 
-+  key = TR_KEY_rpc_host_whitelist_enabled;
-+
-+  if (!tr_variantDictFindBool(settings, key, &boolVal))
-+  {
-+      missing_settings_key(key);
-+  }
-+  else
-+  {
-+      tr_rpcSetHostWhitelistEnabled(s, boolVal);
-+  }
-+
-+  key = TR_KEY_rpc_host_whitelist;
-+
-+  if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL)
-+  {
-+      missing_settings_key(key);
-+  }
-+  else
-+  {
-+      tr_rpcSetHostWhitelist(s, str);
-+  }
-+
-   key = TR_KEY_rpc_authentication_required;
-   if (!tr_variantDictFindBool (settings, key, &boolVal))
-     missing_settings_key (key);
-diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h
-index e0302c5ea..8c9e6b24e 100644
--- a/libtransmission/rpc-server.h
-+++ b/libtransmission/rpc-server.h
-@@ -49,6 +49,10 @@ void            tr_rpcSetWhitelist (tr_rpc_server * server,
- 
- const char*     tr_rpcGetWhitelist (const tr_rpc_server * server);
- 
-+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled);
-+
-+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist);
-+
- void            tr_rpcSetPassword (tr_rpc_server * server,
-                                    const char *    password);
- 
-diff --git a/libtransmission/session.c b/libtransmission/session.c
-index 844cadba8..58b717913 100644
--- a/libtransmission/session.c
-+++ b/libtransmission/session.c
-@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant * d)
-   tr_variantDictAddStr  (d, TR_KEY_rpc_username,                    "");
-   tr_variantDictAddStr  (d, TR_KEY_rpc_whitelist,                   TR_DEFAULT_RPC_WHITELIST);
-   tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled,           true);
-+  tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST);
-+  tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true);
-   tr_variantDictAddInt  (d, TR_KEY_rpc_port,                        atoi (TR_DEFAULT_RPC_PORT_STR));
-   tr_variantDictAddStr  (d, TR_KEY_rpc_url,                         TR_DEFAULT_RPC_URL_STR);
-   tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled,  true);
-diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h
-index 4f76adfd6..e213a8f4e 100644
--- a/libtransmission/transmission.h
-+++ b/libtransmission/transmission.h
-@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (void);
- #define TR_DEFAULT_BIND_ADDRESS_IPV4        "0.0.0.0"
- #define TR_DEFAULT_BIND_ADDRESS_IPV6             "::"
- #define TR_DEFAULT_RPC_WHITELIST          "127.0.0.1"
-+#define TR_DEFAULT_RPC_HOST_WHITELIST              ""
- #define TR_DEFAULT_RPC_PORT_STR                "9091"
- #define TR_DEFAULT_RPC_URL_STR       "/transmission/"
- #define TR_DEFAULT_PEER_PORT_STR              "51413"
-diff --git a/libtransmission/web.c b/libtransmission/web.c
-index ee495e9fc..c7f062730 100644
--- a/libtransmission/web.c
-+++ b/libtransmission/web.c
-@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code)
-       case 415: return "Unsupported Media Type";
-       case 416: return "Requested Range Not Satisfiable";
-       case 417: return "Expectation Failed";
-+      case 421: return "Misdirected Request";
-       case 500: return "Internal Server Error";
-       case 501: return "Not Implemented";
-       case 502: return "Bad Gateway";
--- a/transmission-gtk/Pkgfile
+++ b/transmission-gtk/Pkgfile
@ -4,16 +4,13 @@
 # Depends on:  gtk3 libevent

 name=transmission-gtk
-version=2.92
-release=2
-source=(https://github.com/transmission/transmission-releases/raw/master/transmission-$version.tar.xz
-        CVE-2018-5702.patch)
+version=2.93
+release=1
+source=(https://github.com/transmission/transmission-releases/raw/master/transmission-$version.tar.xz)

 build() {
    cd transmission-$version

-    patch -p1 -i $SRC/CVE-2018-5702.patch
-
    export LINGUAS=" "

    ./configure --prefix=/usr \
--- a/transmission/.md5sum
+++ b/transmission/.md5sum
@ -1,2 +1 @@
-7d60fa6b8ec69d27503c4f61922b3aba  CVE-2018-5702.patch
-3fce404a436e3cd7fde80fb6ed61c264  transmission-2.92.tar.xz
+a1b8113ebc3402787312ecb443d9d3c1  transmission-2.93.tar.xz
--- a/transmission/.signature
+++ b/transmission/.signature
@ -1,6 +1,5 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/T7ZPrdrfFR6Tg7QKJwzvE8lyuVRtomlS4r7krZfhj9X0JDKsxaE/nmwWKV1PCqax72aVFr9zn8OqCFNR2EJqgU=
-SHA256 (Pkgfile) = 9e160f363f1dd403c633094632c2b99d94fd25c0f8abbb60129e0941064407e9
+RWSE3ohX2g5d/X9Dw1ktQ+Z/FUeFdRQc5daIvMBNW3EvmH/zLDTtFMuiGptJ2nQYmEa0oyafSwsIjVLLi5+EnArNsUNL5OI3+gA=
+SHA256 (Pkgfile) = 93abf392ca580349342cedfd2be58fced1c7fd3d15e061d7d227264546dffdbd
 SHA256 (.footprint) = e366ff7971b7fce0a0e6b44521fecdeb5b7baa20d56f25250ae8edc3ac88b1bf
-SHA256 (transmission-2.92.tar.xz) = 3a8d045c306ad9acb7bf81126939b9594553a388482efa0ec1bfb67b22acd35f
-SHA256 (CVE-2018-5702.patch) = eae7fc4b93b4be760c4d3277ff75b39573cc9e0e4eb851d12269ea004f46c54a
+SHA256 (transmission-2.93.tar.xz) = 8815920e0a4499bcdadbbe89a4115092dab42ce5199f71ff9a926cfd12b9b90b
--- a/transmission/CVE-2018-5702.patch
+++ b/transmission/CVE-2018-5702.patch
@ -1,302 +0,0 @@
-Fix a weakness that allows remote code execution via the Transmission
-RPC server using DNS rebinding:
-
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
-
-Patch adapted from Tavis Ormandy's patch on the Transmission master
-branch to the Transmission 2.92 release by Leo Famulari
-<leo@famulari.name>:
-
-https://github.com/transmission/transmission/pull/468/commits
-
-From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
-From: Tavis Ormandy <taviso@google.com>
-Date: Thu, 11 Jan 2018 10:00:41 -0800
-Subject: [PATCH] mitigate dns rebinding attacks against daemon
-
---
- libtransmission/quark.c        |   2 + 
- libtransmission/quark.h        |   2 + 
- libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----
- libtransmission/rpc-server.h   |   4 ++
- libtransmission/session.c      |   2 + 
- libtransmission/transmission.h |   1 + 
- libtransmission/web.c          |   3 ++
- 7 files changed, 121 insertions(+), 9 deletions(-)
-
-diff --git a/libtransmission/quark.c b/libtransmission/quark.c
-index 30cc2bca4..b4fd7aabd 100644
--- a/libtransmission/quark.c
-+++ b/libtransmission/quark.c
-@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =
-   { "rpc-authentication-required", 27 },
-   { "rpc-bind-address", 16 },
-   { "rpc-enabled", 11 },
-+  { "rpc-host-whitelist", 18 },
-+  { "rpc-host-whitelist-enabled", 26 },
-   { "rpc-password", 12 },
-   { "rpc-port", 8 },
-   { "rpc-url", 7 },
-diff --git a/libtransmission/quark.h b/libtransmission/quark.h
-index 7f5212733..17464be8f 100644
--- a/libtransmission/quark.h
-+++ b/libtransmission/quark.h
-@@ -291,6 +291,8 @@ enum
-   TR_KEY_rpc_authentication_required,
-   TR_KEY_rpc_bind_address,
-   TR_KEY_rpc_enabled,
-+  TR_KEY_rpc_host_whitelist,
-+  TR_KEY_rpc_host_whitelist_enabled,
-   TR_KEY_rpc_password,
-   TR_KEY_rpc_port,
-   TR_KEY_rpc_url,
-diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c
-index a3485f3fa..292cd5fce 100644
--- a/libtransmission/rpc-server.c
-+++ b/libtransmission/rpc-server.c
-@@ -52,6 +52,7 @@ struct tr_rpc_server
-     bool               isEnabled;
-     bool               isPasswordEnabled;
-     bool               isWhitelistEnabled;
-+    bool               isHostWhitelistEnabled;
-     tr_port            port;
-     char             * url;
-     struct in_addr     bindAddress;
-@@ -63,6 +64,7 @@ struct tr_rpc_server
-     char             * password;
-     char             * whitelistStr;
-     tr_list          * whitelist;
-+    tr_list          * hostWhitelist;
- 
-     char             * sessionId;
-     time_t             sessionIdExpiresAt;
-@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const char * address)
-   return false;
- }
- 
-+static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)
-+{
-+    /* If password auth is enabled, any hostname is permitted. */
-+    if (server->isPasswordEnabled)
-+    {
-+        return true;
-+    }
-+
-+    char const* const host = evhttp_find_header(req->input_headers, "Host");
-+
-+    // If whitelist is disabled, no restrictions.
-+    if (!server->isHostWhitelistEnabled)
-+        return true;
-+
-+    /* No host header, invalid request. */
-+    if (host == NULL)
-+    {
-+        return false;
-+    }
-+
-+    /* Host header might include the port. */
-+    char* const hostname = tr_strndup(host, strcspn(host, ":"));
-+
-+    /* localhost or ipaddress is always acceptable. */
-+    if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))
-+    {
-+        tr_free(hostname);
-+        return true;
-+    }
-+
-+    /* Otherwise, hostname must be whitelisted. */
-+    for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {
-+        if (tr_wildmat(hostname, l->data))
-+        {
-+            tr_free(hostname);
-+            return true;
-+        }
-+    }
-+
-+    tr_free(hostname);
-+    return false;
-+}
-+
- static bool
- test_session_id (struct tr_rpc_server * server, struct evhttp_request * req)
- {
-@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * req, void * arg)
-           handle_upload (req, server);
-         }
- #ifdef REQUIRE_SESSION_ID
-+        else if (!isHostnameAllowed(server, req))
-+        {
-+            char* tmp = tr_strdup_printf(
-+                "<p>Transmission received your request, but the hostname was unrecognized.</p>"
-+                "<p>To fix this, choose one of the following options:"
-+                "<ul>"
-+                "<li>Enable password authentication, then any hostname is allowed.</li>"
-+                "<li>Add the hostname you want to use to the whitelist in settings.</li>"
-+                "</ul></p>"
-+                "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>"
-+                "<p>This requirement has been added to help prevent "
-+                "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> "
-+                "attacks.</p>");
-+            send_simple_response(req, 421, tmp);
-+            tr_free(tmp);
-+        }
-+
-       else if (!test_session_id (server, req))
-         {
-           const char * sessionId = get_current_session_id (server);
-@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * req, void * arg)
-             "<li> When you get this 409 error message, resend your request with the updated header"
-             "</ol></p>"
-             "<p>This requirement has been added to help prevent "
-            "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
-+            "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
-             "attacks.</p>"
-             "<p><code>%s: %s</code></p>",
-             TR_RPC_SESSION_ID_HEADER, sessionId);
-@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * server)
-   return server->url ? server->url : "";
- }
- 
-void
-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-+static void
-+tr_rpcSetList (char const* whitelistStr, tr_list** list)
- {
-   void * tmp;
-   const char * walk;
- 
-  /* keep the string */
-  tmp = server->whitelistStr;
-  server->whitelistStr = tr_strdup (whitelistStr);
-  tr_free (tmp);
-
-   /* clear out the old whitelist entries */
-  while ((tmp = tr_list_pop_front (&server->whitelist)))
-+  while ((tmp = tr_list_pop_front (list)) != NULL)
-     tr_free (tmp);
- 
-   /* build the new whitelist entries */
-@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-       const char * delimiters = " ,;";
-       const size_t len = strcspn (walk, delimiters);
-       char * token = tr_strndup (walk, len);
-      tr_list_append (&server->whitelist, token);
-+      tr_list_append (list, token);
-       if (strcspn (token, "+-") < len)
-         tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'!  Are you using an old ACL by mistake?)", token);
-       else
-@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
-     }
- }
- 
-+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr)
-+{
-+    tr_rpcSetList(whitelistStr, &server->hostWhitelist);
-+}
-+
-+void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
-+{
-+    /* keep the string */
-+    char* const tmp = server->whitelistStr;
-+    server->whitelistStr = tr_strdup(whitelistStr);
-+    tr_free(tmp);
-+
-+    tr_rpcSetList(whitelistStr, &server->whitelist);
-+}
-+
- const char*
- tr_rpcGetWhitelist (const tr_rpc_server * server)
- {
-@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_server * server)
-   return server->isWhitelistEnabled;
- }
- 
-+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled)
-+{
-+    server->isHostWhitelistEnabled = isEnabled;
-+}
-+
- /****
- *****  PASSWORD
- ****/
-@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session  * session, tr_variant * settings)
-   else
-     tr_rpcSetWhitelistEnabled (s, boolVal);
- 
-+  key = TR_KEY_rpc_host_whitelist_enabled;
-+
-+  if (!tr_variantDictFindBool(settings, key, &boolVal))
-+  {
-+      missing_settings_key(key);
-+  }
-+  else
-+  {
-+      tr_rpcSetHostWhitelistEnabled(s, boolVal);
-+  }
-+
-+  key = TR_KEY_rpc_host_whitelist;
-+
-+  if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL)
-+  {
-+      missing_settings_key(key);
-+  }
-+  else
-+  {
-+      tr_rpcSetHostWhitelist(s, str);
-+  }
-+
-   key = TR_KEY_rpc_authentication_required;
-   if (!tr_variantDictFindBool (settings, key, &boolVal))
-     missing_settings_key (key);
-diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h
-index e0302c5ea..8c9e6b24e 100644
--- a/libtransmission/rpc-server.h
-+++ b/libtransmission/rpc-server.h
-@@ -49,6 +49,10 @@ void            tr_rpcSetWhitelist (tr_rpc_server * server,
- 
- const char*     tr_rpcGetWhitelist (const tr_rpc_server * server);
- 
-+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled);
-+
-+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist);
-+
- void            tr_rpcSetPassword (tr_rpc_server * server,
-                                    const char *    password);
- 
-diff --git a/libtransmission/session.c b/libtransmission/session.c
-index 844cadba8..58b717913 100644
--- a/libtransmission/session.c
-+++ b/libtransmission/session.c
-@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant * d)
-   tr_variantDictAddStr  (d, TR_KEY_rpc_username,                    "");
-   tr_variantDictAddStr  (d, TR_KEY_rpc_whitelist,                   TR_DEFAULT_RPC_WHITELIST);
-   tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled,           true);
-+  tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST);
-+  tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true);
-   tr_variantDictAddInt  (d, TR_KEY_rpc_port,                        atoi (TR_DEFAULT_RPC_PORT_STR));
-   tr_variantDictAddStr  (d, TR_KEY_rpc_url,                         TR_DEFAULT_RPC_URL_STR);
-   tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled,  true);
-diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h
-index 4f76adfd6..e213a8f4e 100644
--- a/libtransmission/transmission.h
-+++ b/libtransmission/transmission.h
-@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (void);
- #define TR_DEFAULT_BIND_ADDRESS_IPV4        "0.0.0.0"
- #define TR_DEFAULT_BIND_ADDRESS_IPV6             "::"
- #define TR_DEFAULT_RPC_WHITELIST          "127.0.0.1"
-+#define TR_DEFAULT_RPC_HOST_WHITELIST              ""
- #define TR_DEFAULT_RPC_PORT_STR                "9091"
- #define TR_DEFAULT_RPC_URL_STR       "/transmission/"
- #define TR_DEFAULT_PEER_PORT_STR              "51413"
-diff --git a/libtransmission/web.c b/libtransmission/web.c
-index ee495e9fc..c7f062730 100644
--- a/libtransmission/web.c
-+++ b/libtransmission/web.c
-@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code)
-       case 415: return "Unsupported Media Type";
-       case 416: return "Requested Range Not Satisfiable";
-       case 417: return "Expectation Failed";
-+      case 421: return "Misdirected Request";
-       case 500: return "Internal Server Error";
-       case 501: return "Not Implemented";
-       case 502: return "Bad Gateway";
--- a/transmission/Pkgfile
+++ b/transmission/Pkgfile
@ -4,16 +4,13 @@
 # Depends on:  curl libevent

 name=transmission
-version=2.92
-release=2
-source=(https://github.com/transmission/transmission-releases/raw/master/transmission-$version.tar.xz
-        CVE-2018-5702.patch)
+version=2.93
+release=1
+source=(https://github.com/transmission/transmission-releases/raw/master/transmission-$version.tar.xz)

 build() {
    cd $name-$version

-    patch -p1 -i $SRC/CVE-2018-5702.patch
-
    ./configure --prefix=/usr \
                --disable-nls \
                --enable-cli \