Created attachment 174482
update thunderbird to 45.3.0

attached patch updates thunderbird and friends to 45.3.0 and included enigmail to 1.9.5. Note deleted file files/patch-bug1285501 - patch has been merged upstream.

Created attachment 174483
poudriere testport log

Created attachment 174484
vuln.xml fragment MFSA 2016-62
Comment on attachment 174482
update thunderbird to 45.3.0

>-BUILD_DEPENDS= nspr>=4.12:devel/nspr \ >+BUILD_DEPENDS= ar:devel/binutils \ >+ nspr>=4.12:devel/nspr \

Why do you need binutils? thunderbird-45.3.0 builds fine without this change on 10.1 i386 (clang 3.4.1).
Created attachment 174517
update to thunderbird 45.3.0

drats, thanks for noticing, that was a leftover. Attached new patch (rebased to today, fixed BUILD_DEPENDS and retested).
Comment on attachment 174484
vuln.xml fragment MFSA 2016-62

> <vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5">

Unless you want to keep this specific to MFSA 2016-62 use same VID as in ports r419401.

> <topic>Mozilla -- Memory Safety Hazards</topic>
> <affects>
> <package>
> <name>firefox</name>
> <range><lt>48.0</lt></range>
> </package>

www/firefox has PORTEPOCH. Why not just copy <affects> section from previous VuXML entry then increment numbers?

> <package>
> <name>thunderbird</name>
> <name>linux-thunderbird</name>
> <range><lt>45.3.0</lt></range>
> </package>

Did you forget www/libxul?

> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/">
> <p>MFSA2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)</p>

For whatever you cite make sure to include a proper quote, not just its heading. Notice, most Mozilla multi-entries cite a parent page while you're citing a specific advisory.
(In reply to Jan Beich from comment #5)
> Unless you want to keep this specific to MFSA 2016-62 use same VID as in ports r419401.

If it did exist... (it's neither in my checkout nor in http://vuxml.freebsd.org/freebsd/index-vid.html)
Created attachment 174541
vuln.xml fragment for mozilla 48/45.3esr

so, in absence of any other 48/45.3esr vuxml documentation, I put everything of that into this fragment. If I'm not mistaken, this matches the style of former (at least the last few) mozilla entries, so I assume it's ok.
Comment on attachment 174541
vuln.xml fragment for mozilla 48/45.3esr

Looks good enough to land but some things can be improved.

> <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.3">

This one lacks MFSA 2016-{66,68,69,71,74,75,81..84} better cite one of the following:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48
https://www.mozilla.org/en-US/security/advisories/

> <dates>
> <discovery>2016-08-30</discovery>

According to the cited page and "Announced" field within those MFSAs it should be 2016-08-02. Have I missed something?

(In reply to Christoph Moench-Tegeder from comment #6)
>>> <vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5">
>> Unless you want to keep this specific to MFSA 2016-62 use same VID as in ports r419401.
> If it did exist...

Apologies, I did reserve VID (ahead of the announcement) but haven't found time to fill it in. The intent was to warn users about security impact regardless of VuXML.
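The review points from the two comments on the vuln.xml fragments (PORTEPOCH in version ranges, missing package names, heading-only quotes, discovery date) can be checked mechanically. This is an added example, not part of the thread or of FreeBSD's own tooling. The fragment is constructed (placeholder VID, lines quoted from both attachments combined), and `lint`, its parameters and the single-`<p>` heuristic are assumptions.

```python
import xml.etree.ElementTree as ET

XHTML = "{http://www.w3.org/1999/xhtml}"

# Constructed fragment: placeholder VID; other values are those quoted in the thread.
SAMPLE = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>Mozilla -- Memory Safety Hazards</topic>
  <affects>
    <package><name>firefox</name><range><lt>48.0</lt></range></package>
    <package>
      <name>thunderbird</name>
      <name>linux-thunderbird</name>
      <range><lt>45.3.0</lt></range>
    </package>
  </affects>
  <description><body xmlns="http://www.w3.org/1999/xhtml">
    <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/">
      <p>MFSA2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)</p>
    </blockquote>
  </body></description>
  <dates><discovery>2016-08-30</discovery></dates>
</vuln>"""


def lint(xml_text, epoch_ports, expected_names, announced):
    """Return review findings for one <vuln> entry (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings, listed = [], set()
    for pkg in root.iter("package"):
        names = [n.text for n in pkg.findall("name")]
        listed.update(names)
        for bound in pkg.iter("lt"):  # only <lt> bounds are checked here
            # A version that includes PORTEPOCH carries a ",N" suffix.
            if epoch_ports & set(names) and "," not in bound.text:
                findings.append(f"{names[0]}: <lt>{bound.text}</lt> lacks PORTEPOCH")
    for name in sorted(expected_names - listed):
        findings.append(f"{name}: missing from <affects>")
    for quote in root.iter(XHTML + "blockquote"):
        # Heuristic (assumption): a single <p> is a heading with no quoted text.
        if len(quote.findall(XHTML + "p")) < 2:
            findings.append("blockquote: heading only")
    discovery = root.findtext("dates/discovery")
    if discovery != announced:
        findings.append(f"discovery: {discovery}, advisory announced {announced}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE, {"firefox"},
                     {"firefox", "thunderbird", "linux-thunderbird", "libxul"},
                     "2016-08-02"):
        print(line)
```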
A commit references this bug:

Author: cmt
Date: Fri Sep 9 10:57:45 UTC 2016
New revision: 421608
URL: https://svnweb.freebsd.org/changeset/ports/421608

Log:
  update thunderbird to 45.3.0

  PR: 212463
  Approved by: jbeich (maintainer), rene (mentor)
  MFH: 2016Q3
  Security: aa1aefe3-6e37-47db-bfda-343ef4acb1b5

Changes:
  head/mail/linux-thunderbird/Makefile
  head/mail/linux-thunderbird/distinfo
  head/mail/thunderbird/Makefile
  head/mail/thunderbird/distinfo
  head/mail/thunderbird/files/patch-bug1285501
  head/mail/thunderbird-i18n/Makefile
  head/mail/thunderbird-i18n/distinfo

A commit references this bug:

Author: cmt
Date: Fri Sep 9 11:02:06 UTC 2016
New revision: 421609
URL: https://svnweb.freebsd.org/changeset/ports/421609

Log:
  document mozilla vulnerabilities (<48, <45.3esr)

  PR: 212463
  Approved by: jbeich (maintainer), rene (mentor)

Changes:
  head/security/vuxml/vuln.xml
committed, thanks.
A commit references this bug:

Author: cmt
Date: Sat Sep 10 18:01:48 UTC 2016
New revision: 421717
URL: https://svnweb.freebsd.org/changeset/ports/421717

Log:
  MFH: r421608

  update thunderbird to 45.3.0

  PR: 212463
  Approved by: jbeich (maintainer), rene (mentor)
  Security: aa1aefe3-6e37-47db-bfda-343ef4acb1b5

  Approved by: ports-secteam (feld)

Changes:
  _U branches/2016Q3/
  branches/2016Q3/mail/linux-thunderbird/Makefile
  branches/2016Q3/mail/linux-thunderbird/distinfo
  branches/2016Q3/mail/thunderbird/Makefile
  branches/2016Q3/mail/thunderbird/distinfo
  branches/2016Q3/mail/thunderbird-i18n/Makefile
  branches/2016Q3/mail/thunderbird-i18n/distinfo
committed and MFH'ed.