Bug 239843 - www/h2o and www/h2o-devel: update to 2.2.6/2.3.0-beta2 with multiple CVE fixes
Summary: www/h2o and www/h2o-devel: update to 2.2.6/2.3.0-beta2 with multiple CVE fixes
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Dave Cottlehuber
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-14 11:39 UTC by Max Kostikov
Modified: 2019-08-26 07:58 UTC

See Also:
bugzilla: maintainer-feedback? (dch)


Attachments
update to 2.2.6 (2.70 KB, patch)
2019-08-14 11:39 UTC, Max Kostikov
h2o-devel (4.62 KB, patch)
2019-08-14 15:06 UTC, Adam Weinberger
updated patch for 2.2.6 (14.59 KB, patch)
2019-08-14 15:18 UTC, Max Kostikov
update to 2.2.6 (3.45 KB, patch)
2019-08-14 17:59 UTC, Max Kostikov

Description Max Kostikov 2019-08-14 11:39:39 UTC
Created attachment 206521
update to 2.2.6

Fixed CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood)
Comment 1 Adam Weinberger freebsd_committer freebsd_triage 2019-08-14 15:04:33 UTC
(In reply to Max Kostikov from comment #0)
That patch needs to be edited. The plist removes the %%MRUBY%% option_sub. There's also not a lot of point in sorting %%DATADIR%% if the rest of the plist isn't strictly sorted.
Comment 2 Adam Weinberger freebsd_committer freebsd_triage 2019-08-14 15:06:09 UTC
Created attachment 206542
h2o-devel

Attaching a patch to update h2o-devel to 2.3.0-beta2
Comment 3 Max Kostikov 2019-08-14 15:18:42 UTC
Created attachment 206544
updated patch for 2.2.6

(In reply to Adam Weinberger from comment #1)
Adam, thanks for pointing this out.
See the new .diff in the attachment. Hope it will be OK now.
Comment 4 Adam Weinberger freebsd_committer freebsd_triage 2019-08-14 17:42:30 UTC
(In reply to Max Kostikov from comment #3)
Hi Max,

Unfortunately, this one actually made it worse. Now there are two plists in the patch, everything is reversed, and the mruby files are listed twice.
Comment 5 Max Kostikov 2019-08-14 17:59:17 UTC
Created attachment 206549
update to 2.2.6

(In reply to Adam Weinberger from comment #4)
Sorry, that's my bad. See one more revision in the attachment.
Comment 6 Adam Weinberger freebsd_committer freebsd_triage 2019-08-14 18:07:21 UTC
(In reply to Max Kostikov from comment #5)
This one looks great!

Dave, I believe these patches are ready for you!
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-08-25 18:30:18 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:29:33 UTC 2019
New revision: 509831
URL: https://svnweb.freebsd.org/changeset/ports/509831

Log:
  www/h2o: update to 2.2.6

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  MFH:		2019Q3
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/www/h2o/Makefile
  head/www/h2o/distinfo
  head/www/h2o/pkg-plist
Comment 8 commit-hook freebsd_committer freebsd_triage 2019-08-25 18:35:25 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:34:50 UTC 2019
New revision: 509834
URL: https://svnweb.freebsd.org/changeset/ports/509834

Log:
  security/vuxml: Document multiple vulnerabilities in www/h2o*

  http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html

  PR: 239843
  Reported by:	Kazuho Oku
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-08-25 18:37:26 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:37:21 UTC 2019
New revision: 509835
URL: https://svnweb.freebsd.org/changeset/ports/509835

Log:
  www/h2o-devel: update to 2.3.0-beta2

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  MFH:		2019Q3
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/www/h2o-devel/Makefile
  head/www/h2o-devel/distinfo
  head/www/h2o-devel/pkg-plist
Comment 10 Dave Cottlehuber freebsd_committer freebsd_triage 2019-08-25 18:39:49 UTC
Committed, thanks Adam & Max for the report & tweaks.
vuxml updated accordingly, after returning from vacation.
Comment 11 commit-hook freebsd_committer freebsd_triage 2019-08-26 07:56:41 UTC
A commit references this bug:

Author: dch
Date: Mon Aug 26 07:56:06 UTC 2019
New revision: 509884
URL: https://svnweb.freebsd.org/changeset/ports/509884

Log:
  MFH: r509835

  www/h2o-devel: update to 2.3.0-beta2

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/h2o-devel/Makefile
  branches/2019Q3/www/h2o-devel/distinfo
  branches/2019Q3/www/h2o-devel/pkg-plist
Comment 12 commit-hook freebsd_committer freebsd_triage 2019-08-26 07:58:42 UTC
A commit references this bug:

Author: dch
Date: Mon Aug 26 07:57:50 UTC 2019
New revision: 509886
URL: https://svnweb.freebsd.org/changeset/ports/509886

Log:
  MFH: r509831

  www/h2o: update to 2.2.6

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/h2o/Makefile
  branches/2019Q3/www/h2o/distinfo
  branches/2019Q3/www/h2o/pkg-plist