Created attachment 206606
Update to 9.4.20
* Update to 9.4.20
* Remove some unnecessary library removals from the Makefile
* Remove some unnecessary @dir directives from the packing list
A *substantial* number of bugfixes have been fixed between 9.3.9 (current port version, committed 18 Jun 2016) and 9.4.20, along with at least 7 security vulnerabilities, oldest dating to 2018/06/25:
https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
Pending complete review of changelogs, confirmation of QA, and VuXML entries for these security vulnerabilities.
*** Bug 239251 has been marked as a duplicate of this bug. ***
There is an error:
http://joneumbox.org/data/120i386-ports/2019-08-20_10h25m39s/logs/errors/jetty9-9.4.20.log
===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: %%APP_NAME%%/lib/setuid/libsetuid-linux.so
Error: Orphaned: %%APP_NAME%%/lib/setuid/libsetuid-osx.so
Error: Orphaned: @dir %%APP_NAME%%/resources
===> Checking for items in pkg-plist which are not in STAGEDIR
===> Error: Plist issues found.
*** Error code 1
Thanks for catching that. I'll attach an updated patch.
Created attachment 206737
Updated patch
A commit references this bug:
Author: joneum
Date: Wed Aug 28 16:39:52 UTC 2019
New revision: 510078
URL: https://svnweb.freebsd.org/changeset/ports/510078
Log:
  Update to 9.4.20
  Changelog: https://www.eclipse.org/lists/jetty-dev/msg03343.html
  PR: 239897
  MFH: 2019Q3
  Sponsored by: Netzkommune GmbH
Changes:
  head/www/jetty9/Makefile
  head/www/jetty9/distinfo
  head/www/jetty9/pkg-plist
A commit references this bug:
Author: joneum
Date: Wed Aug 28 16:44:31 UTC 2019
New revision: 510080
URL: https://svnweb.freebsd.org/changeset/ports/510080
Log:
  MFH: r510078
  Update to 9.4.20
  Changelog: https://www.eclipse.org/lists/jetty-dev/msg03343.html
  PR: 239897
  Sponsored by: Netzkommune GmbH
  Approved by: ports-secteam (joneum)
Changes:
  _U branches/2019Q3/
  branches/2019Q3/www/jetty9/Makefile
  branches/2019Q3/www/jetty9/distinfo
  branches/2019Q3/www/jetty9/pkg-plist
Was there a vuxml entry created for these (7+) vulnerabilities?
I don't see anything in the log for a vuxml that I would add as a port-secteam member.
(In reply to Jochen Neumeister from comment #9)
In the security reports link mentioned in comment 1:
https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
The version diff for this change was 9.3.9 -> 9.4.20.
There are 7 CVEs for this version range, again mentioned in comment 1, none of which have been documented in VuXML.
Here is the explicit list:
CVE-2019-10247
CVE-2019-10246
CVE-2019-10241
CVE-2018-12536
CVE-2017-7658
CVE-2017-7657
CVE-2017-7656
Triage:
While I'm here, set merge-quarterly correctly (the change was merged)
Pending VuXML entries
So please add a patch for vuxml.
(In reply to Jochen Neumeister from comment #11)
I'm sorry, Jochen, I'm doing this for triage purposes, so security issues don't get missed for our users. It is usual for either the Reporter, the port Maintainer or the Assignee of the issue, in the last instance, to take care of the correct and appropriate changes.