Created attachment 166296: Update ftp/curl to 7.47.0
Attached patch updates ftp/curl to 7.47.0, which is the latest version. The patch fixes CVE-2016-0755, which affects curl 7.46.0. This needs to be merged to the quarterly branch.
Created attachment 166297: Build log from poudriere
Build log for ftp/curl from poudriere.
Set merge-quarterly to + once committed in the branch
Hi, I pass it over to portmgr for an exp-run. This is a security update, but 111 changes in the code are not considered a minor update. @portmgr, can you please prioritize this exp-run? Thanks.
Created attachment 166301: Patch to fix CVE-2016-0755
Attached patch fixes only the CVE. Might be more suitable to merge to the quarterly branch, for instance.
*** Bug 206759 has been marked as a duplicate of this bug. ***
Created attachment 166303: patch-curl-wrong-versions
Comment on attachment 166303: patch-curl-wrong-versions
A similar fix to this for vuln.xml was committed in r407535.
(In reply to Martin Wilke from comment #3) Thank you, miwi. Exp-run is required for safety. :)
Exp-run results: 0 new failures on 93i386 and 102amd64 with this update.
(In reply to Sunpoet Po-Chuan Hsieh from comment #8)
> Exp-run is required for safety. :)
Actually, no it is not. The proposed upgrade is very minor and, even if completely botched, would not have caused any new breakage because everything depending on curl is _already_ broken by the vuxml. Our clumsy way of handling these advisories means that even people who turn off the NTLM option are affected, and the only way to sidestep the problem is the scary "DISABLE_VULNERABILITIES". Raising the requirement to performing an exp-run so often simply slows us down needlessly. While I may be accused of being too cavalier and erring on the dangerous side too often, there really is no additional danger in this particular case...
A commit references this bug:

Author: zeising
Date: Mon Feb 1 17:04:14 UTC 2016
New revision: 407725
URL: https://svnweb.freebsd.org/changeset/ports/407725

Log:
  Update to 7.47.0

  PR: 206756
  Submitted by: zeising
  Approved by: ports-secteam (miwi)
  MFH: 2016Q1
  Security: CVE-2016-0755

Changes:
  head/ftp/curl/Makefile
  head/ftp/curl/distinfo
  head/ftp/curl/files/patch-docs_examples_getredirect.c
A commit references this bug:

Author: zeising
Date: Tue Feb 2 20:00:16 UTC 2016
New revision: 407840
URL: https://svnweb.freebsd.org/changeset/ports/407840

Log:
  MFH: r405919 r407725

  - Simplify Makefile:
    - Use USES=localbase unconditionally
    - Use *_CONFIGURE_{ENABLE,WITH}
  - Bump PORTREVISION for package change

  Differential Revision: https://reviews.FreeBSD.org/D4757
  PR: 205804
  Exp-run by: antoine
  Accepted by: bapt (portmgr)

  Update to 7.47.0

  PR: 206756
  Submitted by: zeising
  Approved by: ports-secteam (miwi)
  Security: CVE-2016-0755

  Approved by: portmgr (erwin)
  Approved by: ports-secteam (feld)

Changes:
  _U branches/2016Q1/
  branches/2016Q1/ftp/curl/Makefile
  branches/2016Q1/ftp/curl/distinfo
  branches/2016Q1/ftp/curl/files/patch-docs_examples_getredirect.c
Assign to Committer that is resolving