Created attachment 216136: patch to inform trafficserver users of CVE-2020-9494
If there are issues related to addressing these security vulnerabilities, please include them in this issue's "Depends On" field. If they don't exist, please create them for any/all affected port origins.
Created attachment 216160: trafficserver 8.0.8 (fixes CVE-2020-9494)
Created attachment 216406: update to 8.0.8 for CVE-2020-9494
And only use gcc to build while enabling WCCP.
Please delete obsolete patches
www/trafficserver still needs updating.
(In reply to Li-Wen Hsu from comment #6)
Please read comment #5.
This PR is confusing:
- it has a patch for security/vuxml to warn of security issue
- it has a patch for the port itself
- portmgr closed it
- the maintainer provided the patch for the port itself
Please, can someone explain the confusion?
(In reply to Kurt Jaeger from comment #8)
Here is the story (as I understand it):
1. The reporter submitted a vuxml entry to notify of the security issue.
2. I provided a patch to update the port to fix the issue, and waited for the maintainer to check.
3. The maintainer provided a patch.
4. ports-secteam wanted to check which patch (to the port) should be used.
5. Due to busy(tm), feedback timeout.
6. I got the notification and want to work on it again to fix the security issue in ports.
So, the work left here is to check and merge the patches in 2 and 3, commit it and add a vuxml entry. I am sorry that I haven't had time to do so; I'll try to do that. If anyone wants to help, that will be very appreciated.
A commit references this bug:
Author: pi
Date: Sun Aug 9 07:57:54 UTC 2020
New revision: 544547
URL: https://svnweb.freebsd.org/changeset/ports/544547
Log:
  www/trafficserver: update 8.0.2 -> 8.0.8, fix CVE-2020-9494
  PR: 247713
  Submitted by: Hung-YI Chen <gaod@hychen.org> (maintainer), spam123@bitbert.com
  MFH: 2020Q3
  Relnotes:
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.6
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.5
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.3
  Security: CVE-2020-9494
Changes:
  head/www/trafficserver/Makefile
  head/www/trafficserver/distinfo
A commit references this bug:
Author: pi
Date: Sun Aug 9 08:00:28 UTC 2020
New revision: 544548
URL: https://svnweb.freebsd.org/changeset/ports/544548
Log:
  security/vuxml: add www/trafficserver entry for CVE-2020-9494
  PR: 247713
  Submitted by: spam123@bitbert.com
Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:
Author: pi
Date: Mon Aug 10 08:01:16 UTC 2020
New revision: 544602
URL: https://svnweb.freebsd.org/changeset/ports/544602
Log:
  MFH: r544547
  www/trafficserver: update 8.0.2 -> 8.0.8, fix CVE-2020-9494
  PR: 247713
  Submitted by: Hung-YI Chen <gaod@hychen.org> (maintainer), spam123@bitbert.com
  Relnotes:
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.6
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.5
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
    https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.3
  Security: CVE-2020-9494
  Approved by: portmgr (joneum)
Changes:
  _U branches/2020Q3/
  branches/2020Q3/www/trafficserver/Makefile
  branches/2020Q3/www/trafficserver/distinfo