Bug 206746 - security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)
Summary: security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kubilay Kocak
URL: http://web.nvd.nist.gov/view/vuln/det...
Keywords: security
Depends on:
Blocks:
 
Reported: 2016-01-29 21:13 UTC by Sevan Janiyan
Modified: 2016-02-04 10:46 UTC

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly+
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-02-04 08:49:20 UTC
A commit references this bug:

Author: koobs
Date: Thu Feb  4 08:48:40 UTC 2016
New revision: 408017
URL: https://svnweb.freebsd.org/changeset/ports/408017

Log:
  ports-mgmt/portscout: Loop through all PyPI files

  While processing Issue 206746 [1] for a security update to
  security/py-rsa (For versions < 3.3), it was noticed that Portscout
  had not identified the newer version, released on 2016-01-13.

  Investigation revealed that the PyPI SiteHandler in Portscout only
  processed the first url/filename returned by PyPI, which in many cases
  is not a tar.gz, the default EXTRACT_SUFFIX for source distribution
  (sdist) files:

  [py-rsa] VersionCheck()
  [py-rsa] Checking site: https://pypi.python.org/packages/source/r/rsa/
  Does site handler exist ... Yes
  (Portscout::SiteHandler::PyPI) GET https://pypi.python.org/pypi/rsa/json
  (Portscout::SiteHandler::PyPI) GET success: 200 Filename: rsa-3.3-py2.py3-none-any.whl
  FindNewest: Checking rsa-3.3-py2.py3-none-any.whl ... against port DISTFILES.
  FindNewest: Checking DISTFILE ... rsa-3.1.4.tar.gz (ver: 3.1.4, sufx: .tar.gz)
  [py-rsa] Done

  This change backports a commit [1] made to Portroach which adds a loop to
  enumerate all URLs/filenames in the PyPI JSON response, not just the
  first.

  [1] https://github.com/jasperla/portroach/commit/e93b8331f6e5f850bbb5faca866efcbf73de756c

  PR:		206746 [1]
  Obtained from:	https://github.com/jasperla/portroach

Changes:
  head/ports-mgmt/portscout/Makefile
  head/ports-mgmt/portscout/files/files-Portscout-SiteHandler-PyPI.pm
  head/ports-mgmt/portscout/files/patch-Portscout_SiteHandler_PyPI.pm
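The behaviour the commit message describes, as an added Python illustration (not Portscout's Perl code): `first_file_only` mirrors the original handler that looked only at the first PyPI file, `all_files` mirrors the backported loop. The PyPI JSON document is constructed here to match the log above (wheel listed before the sdist); `urls`, `filename` and `packagetype` are the real keys of PyPI's JSON API.

```python
import json
import re

# Constructed PyPI JSON response (not captured from PyPI), modelled on the
# Portscout log above: the 3.3 wheel is listed before the 3.3 sdist.
PYPI_JSON = json.dumps({
    "info": {"name": "rsa", "version": "3.3"},
    "urls": [
        {"filename": "rsa-3.3-py2.py3-none-any.whl", "packagetype": "bdist_wheel"},
        {"filename": "rsa-3.3.tar.gz", "packagetype": "sdist"},
    ],
})

PORT_DISTFILE = "rsa-3.1.4.tar.gz"  # the port's DISTFILE from the log above
SUFFIX = ".tar.gz"                   # default EXTRACT_SUFFIX for sdist files


def parse_version(text):
    """'3.1.4' -> (3, 1, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def version_from_filename(filename, suffix):
    """Return the version tuple of a '<name>-<ver><suffix>' file, or None
    when the file does not carry the expected suffix (e.g. a wheel)."""
    if not filename.endswith(suffix):
        return None
    match = re.match(r"^(.*)-(\d+(?:\.\d+)*)$", filename[: -len(suffix)])
    return parse_version(match.group(2)) if match else None


def first_file_only(pypi_json, suffix):
    """Original behaviour: only urls[0] is examined, so a wheel listed first
    hides the sdist and the new release goes unnoticed."""
    files = json.loads(pypi_json)["urls"]
    return version_from_filename(files[0]["filename"], suffix) if files else None


def all_files(pypi_json, suffix):
    """Fixed behaviour: loop over every file and keep the newest matching one."""
    newest = None
    for entry in json.loads(pypi_json)["urls"]:
        version = version_from_filename(entry["filename"], suffix)
        if version is not None and (newest is None or version > newest):
            newest = version
    return newest


def newer_upstream(found, port_distfile, suffix):
    """True when the version found upstream is newer than the port's DISTFILE."""
    current = version_from_filename(port_distfile, suffix)
    return found is not None and found > current
```

Run against the constructed response, `first_file_only` reports nothing while `all_files` finds 3.3 and flags the 3.1.4 port as outdated, which is the gap that delayed noticing the CVE-2016-1494 fix.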
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-02-04 10:36:29 UTC
A commit references this bug:

Author: koobs
Date: Thu Feb  4 10:35:32 UTC 2016
New revision: 408019
URL: https://svnweb.freebsd.org/changeset/ports/408019

Log:
  security/vuxml: Add CVE-2016-1494 for security/py-rsa

  PR:		206746
  Reported by:	Sevan Janiyan <venture37 geeklan co.uk>

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-02-04 10:40:31 UTC
A commit references this bug:

Author: koobs
Date: Thu Feb  4 10:39:49 UTC 2016
New revision: 408021
URL: https://svnweb.freebsd.org/changeset/ports/408021

Log:
  security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)

  - Update PORTVERSION and distinfo checksum (3.3)
  - Modernize TEST entries (test target, TEST_DEPENDS, et al)
  - Update setup.py patch (zip_safe no longer needed)
  - Add LICENSE_FILE
  - Enable NO_ARCH

  This version fixed a security vulnerability:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494

  PR:		206746
  Reported by:	Sevan Janiyan <venture37 geeklan co.uk>
  Security:	e78bfc9d-cb1e-11e5-b251-0050562a4d7b
  Security:	CVE-2016-1494
  MFH:		2016Q1

Changes:
  head/security/py-rsa/Makefile
  head/security/py-rsa/distinfo
  head/security/py-rsa/files/patch-setup.py
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-02-04 10:45:33 UTC
A commit references this bug:

Author: koobs
Date: Thu Feb  4 10:44:34 UTC 2016
New revision: 408022
URL: https://svnweb.freebsd.org/changeset/ports/408022

Log:
  MFH: r408021 security/py-rsa: Update to 3.3 (Fixes CVE-2016-1494)

  - Update PORTVERSION and distinfo checksum (3.3)
  - Modernize TEST entries (test target, TEST_DEPENDS, et al)
  - Update setup.py patch (zip_safe no longer needed)
  - Add LICENSE_FILE
  - Enable NO_ARCH

  This version fixed a security vulnerability:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494

  PR:		206746
  Reported by:	Sevan Janiyan <venture37 geeklan co.uk>
  Security:	e78bfc9d-cb1e-11e5-b251-0050562a4d7b
  Security:	CVE-2016-1494

  Approved by:	ports-secteam (security)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/py-rsa/Makefile
  branches/2016Q1/security/py-rsa/distinfo
  branches/2016Q1/security/py-rsa/files/patch-setup.py
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2016-02-04 10:46:24 UTC
Committed, thank you for the report Sevan. 

You should join ports-secteam :)