Created attachment 250285
Patch 10.0.14 to 10.0.15

This is a patch release of www/glpi from 10.0.14 to 10.0.15. Mostly a security release (2 high severity security fixes).

ChangeLog:
- https://github.com/glpi-project/glpi/releases/tag/10.0.15

Also attached the Poudriere testport logs. Will open a separate PR that adds the VUXML entry.

Created attachment 250286
Poudriere logs for 10.0.15
Related to vuxml patch in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278642.
What do you think about adding in Makefile:

PLIST_SUB+= VERSION="${PORTVERSION}"

and changing in pkg-plist:

-%%WWWDIR%%/version/10.0.15
+%%WWWDIR%%/version/%%VERSION%%

?
(In reply to Vladimir Druzenko from comment #3)

Hi Vladimir,

Thanks for your suggestion, but regarding how the pkg-plist file is built automatically by my script, I am not sure your proposal would add value to the process. It would require more work on my side for IMO little benefit. Furthermore, `version/x.y.z` has been added upstream since 10.0.6 and there is no guarantee the GLPI devs will keep it in the future.
(In reply to Mathias Monnerville from comment #4)

Ok! Testing build in poudriere - I must do it at least for one version of FreeBSD before commit.

> Related to vuxml patch in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278642.

I don't know the vuxml format, otherwise I would have committed.

Also merge-quarterly (MFH: 2024Q2).

> Warning: you might not need LIB_DEPENDS on libintl.so

It's USES=gettext. Is it really used?
(In reply to Vladimir Druzenko from comment #6)

The PHP `intl` module is required (see https://glpi-install.readthedocs.io/en/latest/prerequisites.html#mandatory-extensions), which in turn depends on `devel/gettext-runtime`. I just tested by swapping `devel/gettext` with `devel/gettext-runtime` in the `USES` variable, rebuilt with Poudriere and got the exact same warning in the logs. Since this warning is a conditional statement, I would keep this runtime dependency so as not to break anything for users, unless you have a better proposal.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=35c59aa6e4e0930a98b482bfc3594ec9cd53bf19

commit 35c59aa6e4e0930a98b482bfc3594ec9cd53bf19
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2024-04-29 10:16:57 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-04-29 10:16:57 +0000

    www/glpi: update to 10.0.15 (CVE-2024-31456, CVE-2024-29889)

    Mostly a security release (2 high severity security fixes).

    ChangeLog: https://github.com/glpi-project/glpi/releases/tag/10.0.15

    This release fixes a few security issues that have been recently
    discovered. Update is recommended!

    You will find below the list of security issues fixed in this bugfixes
    version:

    * [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
    * [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)

    Also, here is a short list of main changes done in this version:

    * [FIX] Fix used right by reservation form.
    * [FIX] Do not rely on input to apply rules rights.
    * [FIX] Always store updated SMTP Oauth refresh token.
    * [TASK] Upgrade tinymce.

    PR:  278641
    MFH: 2024Q2

 www/glpi/Makefile  |  2 +-
 www/glpi/distinfo  |  6 +++---
 www/glpi/pkg-plist | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 56 insertions(+), 5 deletions(-)
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1492fce2c6ad1c5b069735ed1fbc83bfe5fc5399

commit 1492fce2c6ad1c5b069735ed1fbc83bfe5fc5399
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2024-04-29 10:16:57 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-04-29 10:34:09 +0000

    www/glpi: update to 10.0.15 (CVE-2024-31456, CVE-2024-29889)

    Mostly a security release (2 high severity security fixes).

    ChangeLog: https://github.com/glpi-project/glpi/releases/tag/10.0.15

    This release fixes a few security issues that have been recently
    discovered. Update is recommended!

    You will find below the list of security issues fixed in this bugfixes
    version:

    * [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
    * [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)

    Also, here is a short list of main changes done in this version:

    * [FIX] Fix used right by reservation form.
    * [FIX] Do not rely on input to apply rules rights.
    * [FIX] Always store updated SMTP Oauth refresh token.
    * [TASK] Upgrade tinymce.

    PR:  278641
    MFH: 2024Q2

    (cherry picked from commit 35c59aa6e4e0930a98b482bfc3594ec9cd53bf19)

 www/glpi/Makefile  |  2 +-
 www/glpi/distinfo  |  6 +++---
 www/glpi/pkg-plist | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 56 insertions(+), 5 deletions(-)
(In reply to Mathias Monnerville from comment #7)

Ok. Thanks, committed!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fc8db0625d9084fe6207904c4f91b48d986994ca

commit fc8db0625d9084fe6207904c4f91b48d986994ca
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2024-04-28 19:51:00 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2024-04-29 10:39:04 +0000

    security/vuxml: CVEs affecting www/glpi < 10.0.15

    CVE-2024-31456 and CVE-2024-29889 were fixed in GLPI 10.0.15.

    PR: 278641
    PR: 278642

 security/vuxml/vuln/2024.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)