databases/couchdb is still version 1.2.0, and hasn't been updated since a number of security issues were announced in January. The change list for version 1.2.1 notes:

* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe Flash
* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon UI

These security issues are not reported by pkg audit, either. The current recommended version is 1.2.2.

Fix: Upgrade to 1.2.2. I'm looking now to see if it's non-trivial; haven't tried it yet.

How-To-Repeat: portinstall couchdb
Maintainer of databases/couchdb, Please note that PR ports/178331 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/178331 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
The following patch updates the port to 1.2.2. I tried bringing it all the way to the current 1.3 release but ended up with a binary that hard-crashed the Erlang VM on startup. Index: databases/couchdb/Makefile =================================================================== --- databases/couchdb/Makefile (revision 319091) +++ databases/couchdb/Makefile (working copy) @@ -2,19 +2,19 @@ # $FreeBSD$ PORTNAME= couchdb -PORTVERSION= 1.2.0 +PORTVERSION= 1.2.2 PORTEPOCH= 1 -PORTREVISION= 2 +#PORTREVISION= CATEGORIES= databases MASTER_SITES= ${MASTER_SITE_APACHE} -MASTER_SITE_SUBDIR= couchdb/releases/${PORTVERSION} +MASTER_SITE_SUBDIR= couchdb/source/${PORTVERSION} DISTNAME= apache-couchdb-${PORTVERSION} MAINTAINER= till@php.net COMMENT= A document database server, accessible via a RESTful JSON API LIB_DEPENDS= icudata:${PORTSDIR}/devel/icu \ - js:${PORTSDIR}/lang/spidermonkey17 \ + mozjs185:${PORTSDIR}/lang/spidermonkey185 \ curl:${PORTSDIR}/ftp/curl BUILD_DEPENDS= ${LOCALBASE}/bin/help2man:${PORTSDIR}/misc/help2man \ erlc:${PORTSDIR}/lang/erlang @@ -35,6 +35,11 @@ --with-js-lib=${LOCALBASE}/lib PLIST_SUB+= PORTVERSION="${PORTVERSION}" +# Override default value of ${STRIP} because the underlying makefile +# erroneously tries to install a shell script with ${STRIP}, causing +# an install error. +STRIP="" + MAN1= couchdb.1 couchjs.1 .include <bsd.port.options.mk> Index: databases/couchdb/distinfo =================================================================== --- databases/couchdb/distinfo (revision 319091) +++ databases/couchdb/distinfo (working copy) @@ -1,2 +1,2 @@ -SHA256 (apache-couchdb-1.2.0.tar.gz) = 0f254ddea2471dbc4d3c6cd1fa61e4782c75475fb325024e10f68bf1aa8d5c37 -SIZE (apache-couchdb-1.2.0.tar.gz) = 1326925 +SHA256 (apache-couchdb-1.2.2.tar.gz) = 6824b9eec0c05d022ef52f663074c67eca5493d848574ff2d73611e92bff8701 +SIZE (apache-couchdb-1.2.2.tar.gz) = 1408271
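Review bot: In the first Makefile hunk, `+#PORTREVISION=` leaves a commented-out variable behind. On a PORTVERSION bump the line should be deleted outright so the revision resets without leaving dead text in the Makefile. The same hunk also swaps `js:${PORTSDIR}/lang/spidermonkey17` for `mozjs185:${PORTSDIR}/lang/spidermonkey185`, and the submission text does not say why; a sentence on whether 1.2.2 requires the newer library would help the committer.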
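Review bot: In the second Makefile hunk, `STRIP=""` does not produce an empty value. make takes the two quote characters literally, so any install command that expands ${STRIP} receives an empty-string argument instead of no argument at all. Write the assignment with nothing after the equals sign, for example `STRIP=` followed by a trailing comment marking it as intentionally empty.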
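Review bot: In the distinfo hunk, the new SHA256 and SIZE belong to a tarball fetched from a different path than before, since the Makefile changes MASTER_SITE_SUBDIR from `couchdb/releases/${PORTVERSION}` to `couchdb/source/${PORTVERSION}`. The submission should state that the 1.2.2 hash was checked against the checksum or signature Apache publishes for the release, not only regenerated from whatever was downloaded.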
Responsible Changed From-To: freebsd-ports-bugs->crees I'll take it.
Author: crees Date: Thu May 30 14:07:20 2013 New Revision: 319429 URL: http://svnweb.freebsd.org/changeset/ports/319429 Log: Update to 1.2.2, fixing security issues. PR: ports/178331 Submitted by: wollman Security: CVE-2012-5649 Security: CVE-2012-5650 Modified: head/databases/couchdb/Makefile head/databases/couchdb/distinfo Modified: head/databases/couchdb/Makefile ============================================================================== --- head/databases/couchdb/Makefile Thu May 30 14:04:10 2013 (r319428) +++ head/databases/couchdb/Makefile Thu May 30 14:07:20 2013 (r319429) @@ -2,19 +2,18 @@ # $FreeBSD$ PORTNAME= couchdb -PORTVERSION= 1.2.0 +PORTVERSION= 1.2.2 PORTEPOCH= 1 -PORTREVISION= 2 CATEGORIES= databases MASTER_SITES= ${MASTER_SITE_APACHE} -MASTER_SITE_SUBDIR= couchdb/releases/${PORTVERSION} +MASTER_SITE_SUBDIR= couchdb/source/${PORTVERSION} DISTNAME= apache-couchdb-${PORTVERSION} MAINTAINER= adams-ports@ateamsystems.com COMMENT= A document database server, accessible via a RESTful JSON API LIB_DEPENDS= icudata:${PORTSDIR}/devel/icu \ - js:${PORTSDIR}/lang/spidermonkey17 \ + mozjs185:${PORTSDIR}/lang/spidermonkey185 \ curl:${PORTSDIR}/ftp/curl BUILD_DEPENDS= ${LOCALBASE}/bin/help2man:${PORTSDIR}/misc/help2man \ erlc:${PORTSDIR}/lang/erlang @@ -35,6 +34,11 @@ CONFIGURE_ARGS= --with-erlang=${LOCALBAS --with-js-lib=${LOCALBASE}/lib PLIST_SUB+= PORTVERSION="${PORTVERSION}" +# Override default value of ${STRIP} because the underlying Makefile +# erroneously tries to install a shell script with ${STRIP}, causing +# an install error. +STRIP= #empty + MAN1= couchdb.1 couchjs.1 .include <bsd.port.options.mk> Modified: head/databases/couchdb/distinfo ============================================================================== --- head/databases/couchdb/distinfo Thu May 30 14:04:10 2013 (r319428) +++ head/databases/couchdb/distinfo Thu May 30 14:07:20 2013 (r319429) 
@@ -1,2 +1,2 @@ -SHA256 (apache-couchdb-1.2.0.tar.gz) = 0f254ddea2471dbc4d3c6cd1fa61e4782c75475fb325024e10f68bf1aa8d5c37 -SIZE (apache-couchdb-1.2.0.tar.gz) = 1326925 +SHA256 (apache-couchdb-1.2.2.tar.gz) = 6824b9eec0c05d022ef52f663074c67eca5493d848574ff2d73611e92bff8701 +SIZE (apache-couchdb-1.2.2.tar.gz) = 1408271
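Review bot: The LIB_DEPENDS change in the first Makefile hunk, from `js:${PORTSDIR}/lang/spidermonkey17` to `mozjs185:${PORTSDIR}/lang/spidermonkey185`, is not mentioned in the log, which only says "Update to 1.2.2, fixing security issues." A dependency switch changes what gets installed alongside the port and deserves its own line in the commit message so it can be found later.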
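Review bot: In the second Makefile hunk, `STRIP= #empty` clears the variable for the whole port, while the comment only justifies it for one shell script that the upstream Makefile installs with ${STRIP}. Every binary this port installs will now be left unstripped as well. Either say so in the comment, or patch the single upstream install rule so the override is not needed.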
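Review bot: The commit carries `Security: CVE-2012-5649` and `Security: CVE-2012-5650` tags, but the modified files are only head/databases/couchdb/Makefile and head/databases/couchdb/distinfo. The PR pointed out that pkg audit does not report these issues, and nothing here changes that: without a matching security/vuxml entry, hosts still running 1.2.0 get no audit warning. A vuxml entry covering versions before 1.2.1 should accompany or follow this commit.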
State Changed From-To: feedback->closed Committed. Thanks!