Bug 245252 - devel/py-twisted: Update to 20.3.0 (includes security updates)
Summary: devel/py-twisted: Update to 20.3.0 (includes security updates)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Danilo G. Baio
URL: https://github.com/twisted/twisted/bl...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2020-04-01 19:51 UTC by Evilham
Modified: 2020-04-27 12:04 UTC

See Also:
dbaio: maintainer-feedback+
dbaio: merge-quarterly+
antoine: exp-run+


Attachments
py-twisted update to 20.3.0 (1.90 KB, patch), 2020-04-01 20:57 UTC, Evilham
vuln.xml entry for py-twisted<20.3.0 (2.03 KB, application/xml), 2020-04-10 19:49 UTC, Sascha Biberhofer
D24186 py-twisted update to 20.3.0 (3.32 KB, patch), 2020-04-11 11:54 UTC, Evilham; flags: maintainer-approval? (python)

Description Evilham 2020-04-01 19:51:26 UTC
Hello, I noticed that FreeBSD's twisted version is a bit outdated, so I'll try taking a go at it.

It is not entirely impossible that while at it I'll have to update other ports like attrs, we'll see.

I'm also using the chance to document the whole process for myself (my future self too) and hopefully people who would consider doing things like this.

Will be posting a patch over the next few days.

Cheers,
Comment 1 Evilham 2020-04-01 20:57:58 UTC
Created attachment 212951 [details]
py-twisted update to 20.3.0

Changelog:
  https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

QA:

  * portlint: OK (looks fine.)
  * testport: OK (poudriere: 3.3.3, amd64)


Related Security issues:

  CVE-2020-10108
  CVE-2019-9512
  CVE-2019-9514
  CVE-2019-9515
  CVE-2019-12387
  CVE-2019-12855
  https://twistedmatrix.com/trac/ticket/9420
Comment 2 Evilham 2020-04-02 17:44:47 UTC
It was mentioned on IRC that a review without PR existed.

https://reviews.freebsd.org/D24186

I have reviewed the dependencies and will test it since it adds build options to twisted which might be interesting.
Comment 3 Sascha Biberhofer 2020-04-10 19:48:34 UTC
I've tested the current version contained in the review. Port builds fine (with all options enabled). The testsuite throws some errors, but these are virtually identical to the ones that the 18.9.0 version had and look mostly harmless.

I've also tested this version with py-matrix-synapse, which heavily relies on py-twisted. Synapse's testsuite passes just fine with the new version and py-twisted-20.3.0 works seemingly well on a production instance (and seems to improve synapse's performance noticeably on my part).

I've also summarized CVE infos in a vuxml entry, which I'll attach to this PR. It would be nice to get this committed since the version currently in ports exposes users of py-matrix-synapse to the possibility of request smuggling, see [1].

On another note: Can we get this into quarterly?

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.12.0
Comment 4 Sascha Biberhofer 2020-04-10 19:49:20 UTC
Created attachment 213260 [details]
vuln.xml entry for py-twisted<20.3.0
Comment 5 Evilham 2020-04-11 11:54:49 UTC
Created attachment 213280 [details]
D24186 py-twisted update to 20.3.0

I reviewed the dependencies on D24186 and the submitter (Derek Schrock) mentioned via IRC I should follow up on this.

Finally managed to test the build with different options, and as Sascha mentioned, it builds and works fine.

This patch is a dump from phabricator's D24186.
Comment 6 commit-hook freebsd_committer freebsd_triage 2020-04-21 12:25:10 UTC
A commit references this bug:

Author: dbaio
Date: Tue Apr 21 12:25:02 UTC 2020
New revision: 532266
URL: https://svnweb.freebsd.org/changeset/ports/532266

Log:
  security/vuxml: Document devel/py-twisted vulnerabilities

  PR:		245252
  Submitted by:	Sascha Biberhofer <ports@skyforge.at>
  Reported by:	contact@evilham.com

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Danilo G. Baio freebsd_committer freebsd_triage 2020-04-23 01:24:27 UTC
Build tests in ports that depend on py-twisted seem fine.

We still can have some runtime issues here, see 'Deprecations and Removals' in the changelog, but I would proceed with this update because of that amount of CVEs.

Just a minor change in the patch (no need to update it); we can always improve option descriptions, see here:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/makefile-options.html#makefile-options-syntax

My suggestion:

CONCH_DESC= Conch secure shell SSH
SERIAL_DESC=  Serial port extension

HTTP2_DESC and TLS_DESC are already present in Mk/bsd.options.desc.mk and fit here.
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2020-04-26 08:24:02 UTC
Exp-run looks fine
Comment 9 commit-hook freebsd_committer freebsd_triage 2020-04-26 14:17:24 UTC
A commit references this bug:

Author: dbaio
Date: Sun Apr 26 14:16:59 UTC 2020
New revision: 533065
URL: https://svnweb.freebsd.org/changeset/ports/533065

Log:
  devel/py-twisted: Update to 20.3.0, Fix security vulnerabilities

  Add extra_require dependencies as options, enabled by default.

  Changelog:	https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

  PR:		245252
  Exp-run by:		antoine
  Submitted by:	contact@evilham.com
  Submitted by:	dereks_lifeofadishwasher.com
  MFH:		2020Q2
  Security:	9fbaefb3-837e-11ea-b5b4-641c67a117d8
  Differential Revision:	https://reviews.freebsd.org/D24186

Changes:
  head/devel/py-twisted/Makefile
  head/devel/py-twisted/distinfo
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-04-27 12:02:25 UTC
A commit references this bug:

Author: dbaio
Date: Mon Apr 27 12:01:24 UTC 2020
New revision: 533127
URL: https://svnweb.freebsd.org/changeset/ports/533127

Log:
  MFH: r533065

  devel/py-twisted: Update to 20.3.0, Fix security vulnerabilities

  Add extra_require dependencies as options, enabled by default.

  Changelog:	https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

  PR:		245252
  Exp-run by:	antoine
  Submitted by:	contact@evilham.com
  Submitted by:	dereks_lifeofadishwasher.com
  Security:	9fbaefb3-837e-11ea-b5b4-641c67a117d8
  Differential Revision:	https://reviews.freebsd.org/D24186

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/devel/py-twisted/Makefile
  branches/2020Q2/devel/py-twisted/distinfo
Comment 11 Danilo G. Baio freebsd_committer freebsd_triage 2020-04-27 12:04:02 UTC
Committed, thank you all.