Created attachment 165494
patch including security vuln.xml update & h2o version bump

# change log

www/h2o: update to 1.6.2 to resolve CVE-2016-1133

NB issue was reported on h2o project public issue list

# checks

- poudriere OK (10.2 amd64)
- portlint -AC OK

WARN: /usr/ports/www/h2o/pkg-plist: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: Makefile: possible use of absolute pathname "/var/log/${PORTNAME}...".
0 fatal errors and 5 warnings found.

# poudriere

http://pkg.skunkwerks.at/poudriere/data/latest-per-pkg/h2o/1.6.2/

# pretty diff

https://github.com/dch/freebsd-ports/tree/h2o

COMMITTERS: this needs to be merged into quarterly updates as well -- thanks!

Thanks for your submission Dave :)

For future issues, please:

* Set maintainer-approval to + on attachments for ports you are maintainer of. You can do this with Attachment -> Flags: maintainer-approval [+]
* Omit [tags] in Summary
* Feel free to just confirm your changes pass QA (portlint, poudriere), rather than using attachments or remote links to logs

Thanks!

A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:22:44 UTC 2016
New revision: 406163
URL: https://svnweb.freebsd.org/changeset/ports/406163

Log:
- Document h2o -- directory traversal vulnerability

PR: 206193

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:40:37 UTC 2016
New revision: 406168
URL: https://svnweb.freebsd.org/changeset/ports/406168

Log:
- Update to 1.6.2

PR: 206193
Submitted by: maintainer
MFH: 2016Q1
Security: 6c808811-bb9a-11e5-a65c-485d605f4717

Changes:
head/www/h2o/Makefile
head/www/h2o/distinfo

Thank you.

A commit references this bug:

Author: junovitch
Date: Tue Jan 19 09:48:59 UTC 2016
New revision: 406677
URL: https://svnweb.freebsd.org/changeset/ports/406677

Log:
MFH: r405714, r406010 (manual; www/h2o only), r406168

www/h2o: update 1.6.0 -> 1.6.2 and add LibreSSL option

- OPTIONS: Add bundled LIBRESSL option and set as default
- HTTP/2 support requires TLS ALPN extension missing in base OpenSSL
- Upstream expectation is the bundled LibreSSL is used to support HTTP/2
- Enables ChaCha20-Poly1305 ciphers as a bonus
- Update sample configuration file
- Fix typos in USE_* knobs for www/h2o

Changes: https://github.com/h2o/h2o/releases/tag/v1.6.1
Changes: https://github.com/h2o/h2o/releases/tag/v1.6.2

PR: 205946
PR: 206193
Submitted by: Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
Approved by: ports-secteam (miwi)
Security: 6c808811-bb9a-11e5-a65c-485d605f4717

Changes:
_U branches/2016Q1/
branches/2016Q1/www/h2o/Makefile
branches/2016Q1/www/h2o/distinfo
branches/2016Q1/www/h2o/files/h2o.conf.sample