Maintainer of lang/groovy, CVE-2015-3253: Remote execution of untrusted code applies to Groovy 1.7.0 to 2.4.3. The current version of lang/groovy is 2.3.9. This port will require an update. References: http://www.vuxml.org/freebsd/67b3fef2-2bea-11e5-86ff-14dae9d210b8.html https://issues.apache.org/jira/browse/GROOVY-7504 http://seclists.org/oss-sec/2015/q3/121 http://groovy-lang.org/security.html
Created attachment 159661 [details] lang/groovy: security update 2.3.9 -> 2.4.4 lang/groovy: security update 2.3.9 -> 2.4.4 - Add NO_ARCH - Remove various LICENSE files that were removed upstream - Remove PDF documentation that was removed upstream - Switch @dirrm to @dir PR: 201704 Security: CVE-2015-3253 Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8 Approved by: maintainer timeout (20 days), feld|delphij|pgollucci (mentor) MFH: 2015Q3
(In reply to Jason Unovitch from comment #1) Details/Comments for the records: - Add NO_ARCH This is Java and other non-arch specific. pkg-static: DEVELOPER_MODE: Notice: arch "FreeBSD:11:amd64" -- no architecture specific files found: - Remove various LICENSE files that were removed upstream https://github.com/apache/incubator-groovy/commit/0f645889a49ce867671c79ea480952394807fdcb That commit removed ANTLR-LICENSE.txt, ASM-LICENSE.txt, and JSR223-LICENSE.txt. However there were several other commits after that point that affected licenses embedded with the Groovy distfile. I would advise anyone with concern over this to review the upstream Git closely. - Remove PDF documentation that was removed upstream https://github.com/apache/incubator-groovy/commit/de6161fcc55fdd124478baa8a9e2309abd084e5f Upstream mentions replacing with Asciidoctor documentation however the gradle/assemble.gradle still attempts to use the pre-built PDF that used to be included under Git revision control. I would speculate that PDF support may come back in a future release when the Asciidoctor efforts are finished. - Switch @dirrm to @dir The plist is built dynamically, so fix the Makefile where it's generate to handle this Poudriere QA warning: pkg-static: Warning: @dirrm[try] is deprecated, please use @dir
Created attachment 159662 [details] Poudriere testport log from 10.1-RELEASE jail QA: Portlint: Portlint is showing a false positive as there are multiple DISTFILES in the form of DISTFILES and DOCS_DISTFILES for the DOCS option. portlint -ac WARN: Makefile: use of DISTFILES with single file discouraged. distribution filename should be set by DISTNAME and EXTRACT_SUFX. WARN: Makefile: DISTFILES/DISTNAME affects WRKSRC. take caution when changing them. 0 fatal errors and 2 warnings found. Poudriere: Log attached and issues addressed were commented on above. The patch was tested across a range of Poudriere jails: 8.4-RELEASE-p36 amd64 8.4-RELEASE-p36 i386 9.3-RELEASE-p21 amd6 9.3-RELEASE-p21 i386 10.1-RELEASE-p16 amd64 10.1-RELEASE-p16 i386 10.2-RC2 amd64 10.2-RC2 i386 11.0-CURRENT r286208 amd64 11.0-CURRENT r286208 i386 Runtime: Basic sanity checking via the groovysh command in a Poudriere jail. root@110amd64-default:/usr/local/bin # groovysh Groovy Shell (2.4.4, JVM: 1.7.0_80) Type ':help' or ':h' for help. ------------------------------------------------------------------------------------------------------------------------------------- groovy:000> println "test" test ===> null groovy:000> :exit
Created attachment 159664 [details] lang/groovy: security update 2.3.9 -> 2.4.4 lang/groovy: security update 2.3.9 -> 2.4.4 - Add NO_ARCH - Remove various LICENSE files that were removed upstream - Remove PDF documentation that was removed upstream - Switch @dirrm to @dir - Reset maintainer to ports@FreeBSD.org by private request [1] PR: 201704 Security: CVE-2015-3253 Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8 Approved by: mjs@Bur.st (outgoing maintainer) [1], feld|delphij|pgollucci (mentor) MFH: 2015Q3
A commit references this bug: Author: junovitch Date: Mon Aug 10 21:36:25 UTC 2015 New revision: 393909 URL: https://svnweb.freebsd.org/changeset/ports/393909 Log: lang/groovy: security update 2.3.9 -> 2.4.4 - Add NO_ARCH - Remove various LICENSE files that were removed upstream - Remove PDF documentation that was removed upstream - Switch @dirrm to @dir - Reset maintainer to ports@FreeBSD.org by private request [1] PR: 201704 Security: CVE-2015-3253 Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8 Approved by: mjs@Bur.st (outgoing maintainer) [1], feld (mentor) MFH: 2015Q3 Changes: head/lang/groovy/Makefile head/lang/groovy/distinfo
A commit references this bug: Author: junovitch Date: Mon Aug 10 21:40:44 UTC 2015 New revision: 393910 URL: https://svnweb.freebsd.org/changeset/ports/393910 Log: MFH: r393909 lang/groovy: security update 2.3.9 -> 2.4.4 - Add NO_ARCH - Remove various LICENSE files that were removed upstream - Remove PDF documentation that was removed upstream - Switch @dirrm to @dir - Reset maintainer to ports@FreeBSD.org by private request [1] PR: 201704 Security: CVE-2015-3253 Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8 Approved by: mjs@Bur.st (outgoing maintainer) [1], feld (mentor) Approved by: ports-secteam (feld) Changes: _U branches/2015Q3/ branches/2015Q3/lang/groovy/Makefile branches/2015Q3/lang/groovy/distinfo