Created attachment 167176 Update to 2.0b6 Addresses a security issue. See: https://github.com/beanshell/beanshell and hopefully portscout may give me a break now ;).
Thanks Pedro :) For this and future issues, please set maintainer-approval to + on any attachments for ports you are maintainer of. This can be done by: Attachment -> Details -> maintainer-approval [+] If you can also confirm that this change passes QA (poudriere, portlint), I'd be happy to approve you to commit to the ports tree. This will also need a VuXML entry created for it. It also appears that their GitHub repository has a tag for 2.0b6, which should be used in preference to a git hash.
Comment on attachment 167176 Update to 2.0b6 Maintainer approved (me)
Hello Koobs (In reply to Kubilay Kocak from comment #1) Sorry about the maintainer approval ... I thought bugzilla already knew the submitter is the maintainer. Upstream is waiting for a CVE (which may not happen?). Except for the security fix, there are no changes but I tested it with check-plist. My svn ports tree is read-only (to avoid accidents and so I don't have to do authentication when checking out a new tree). I'd prefer if someone else does the honors.
(In reply to Pedro F. Giffuni from comment #3) Not a problem Pedro, over to ports-secteam. We can create a VuXML entry even without a CVE, and update/add the entry later.
A commit references this bug: Author: junovitch Date: Sun Feb 21 15:25:54 UTC 2016 New revision: 409296 URL: https://svnweb.freebsd.org/changeset/ports/409296 Log: lang/bsh: update 2.0b5 -> 2.0b6 Changes: https://github.com/beanshell/beanshell/releases/tag/2.0b6 PR: 207334 Submitted by: pfg (maintainer) Security: CVE-2016-2510 Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html MFH: 2016Q1 Changes: head/lang/bsh/Makefile head/lang/bsh/distinfo
A commit references this bug: Author: junovitch Date: Sun Feb 21 15:25:58 UTC 2016 New revision: 409297 URL: https://svnweb.freebsd.org/changeset/ports/409297 Log: Document bsh remote code execution vulnerability PR: 207334 Submitted by: pfg (maintainer) Security: CVE-2016-2510 Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html Changes: head/security/vuxml/vuln.xml
Take for MFH and subsequent close... IMHO this really should be ports@ with maintainer approval. I don't see a need to restrict who can commit a maintainer approved fix.
A commit references this bug: Author: junovitch Date: Sun Feb 21 15:37:33 UTC 2016 New revision: 409298 URL: https://svnweb.freebsd.org/changeset/ports/409298 Log: MFH: r409296 lang/bsh: update 2.0b5 -> 2.0b6 Changes: https://github.com/beanshell/beanshell/releases/tag/2.0b6 PR: 207334 Submitted by: pfg (maintainer) Approved by: ports-secteam (miwi) Security: CVE-2016-2510 Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html Changes: _U branches/2016Q1/ branches/2016Q1/lang/bsh/Makefile branches/2016Q1/lang/bsh/distinfo
Set merge-quarterly+ and close.