=> Bootstrap dependency digest>=20010302: found digest-20190127
=> Checksum SHA1 OK for nostromo-1.9.6.tar.gz
=> Checksum RMD160 OK for nostromo-1.9.6.tar.gz
=> Checksum SHA512 OK for nostromo-1.9.6.tar.gz
===> Installing dependencies for nostromo-1.9.6nb2
=> Tool dependency nbpatch-[0-9]*: found nbpatch-20151107
=> Tool dependency checkperms>=1.1: found checkperms-1.12
=> Build dependency cwrappers>=20150314: found cwrappers-20180325
===> Skipping vulnerability checks.
WARNING: No /opt/pkg/pkgdb/pkg-vulnerabilities file found.
WARNING: To fix run: `/opt/pkg/sbin/pkg_admin -K /opt/pkg/pkgdb fetch-pkg-vulnerabilities'.
===> Overriding tools for nostromo-1.9.6nb2
===> Extracting for nostromo-1.9.6nb2
=> Substituting "nostromo" in GNUmakefile
===> Patching for nostromo-1.9.6nb2
=> Applying pkgsrc patches for nostromo-1.9.6nb2
=> Verifying /opt/pkgsrc/www/nostromo/patches/patch-http_header_comp
=> Applying pkgsrc patch /opt/pkgsrc/www/nostromo/patches/patch-http_header_comp
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
|
|The function http_header_comp() should return the number of received
|headers, not only 0 on fail or 1 on success.
|
|Without this functionality, one could send more than the default
|of 16 headers and overflow the header array to craft a DoS as
|shown in nostromo CVE-2019-16279.
|
|This patch adds the missing header count functionality to the function
|http_header_comp().
|
|--- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200
|+++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200
--------------------------
Patching file src/nhttpd/http.c using Plan A...
Hunk #1 succeeded at 1074.
Hunk #2 succeeded at 1097.
done
=> Verifying /opt/pkgsrc/www/nostromo/patches/patch-strcutl
=> Applying pkgsrc patch /opt/pkgsrc/www/nostromo/patches/patch-strcutl
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
|
|Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
|execution of /bin/sh with arbitrary arguments).
|
|Nostromo as such handles encoded URI correctly but the strcutl()
|function in the string manipulation library removes 0x0d in the
|URI string resulting in a valid path. What should happen instead
|is that the decoded 0x0d character remains in the URI, resulting
|in an invalid path, giving rise to a 404.
|
|--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
|+++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
--------------------------
Patching file src/libmy/strcutl.c using Plan A...
Hunk #1 succeeded at 26.
Hunk #2 succeeded at 46.
done
===> Creating toolchain wrappers for nostromo-1.9.6nb2
===> Configuring for nostromo-1.9.6nb2
=> Checking for portability problems in extracted files