Created attachment 252973 [details] [PATCH] devel/mcpp: update 2.7.2 → 2.7.2.1, fix CVE
https://nvd.nist.gov/vuln/detail/CVE-2019-14274
(In reply to Fernando Apesteguía from comment #1)
> Summary: devel/mcpp: update 2.7.2 → 2.7.2.1, fix CVE → devel/mcpp: update to 2.7.2.1, fix CVE

What's the point of removing source versions from the subject?
(In reply to Vladimir Druzenko from comment #2) To keep the summary clean, especially when it includes symbols like arrows and such. When updating a port, or any software really, the important information is the target version, not the source. I've been doing this for some time now. I also remove unnecessary words that make the summary verbose, like: "foo/bar: update the port from version x.x to version y.y" This becomes: "foo/bar: update to y.y"
(In reply to Fernando Apesteguía from comment #3) I have already had to search commits and PRs for changes in specific ports many times, looking for reasons for some changes. So, having a version of the source in the topic makes the search much easier.
(In reply to Vladimir Druzenko from comment #4) I don't think bugzilla is the right tool for that, especially if you rely on a field where you can write anything you like. The proper tool for the search you try to do is git. Then, the PR in Bugzilla which is recorded in the commit log will contain the discussion you might be interested in.
(In reply to Fernando Apesteguía from comment #5) In an ideal world, yes. But we live in a real one. Having such information in the subject allows you to avoid opening unnecessary links or, on the contrary, find what you need faster.
(In reply to Vladimir Druzenko from comment #6) I don't know what additional links you are referring to. What I mean is that if you want to know when "originversion" was bumped, the fastest way is git and not relying on the summary. In addition, we don't have *anywhere* in the documentation that submitters should have the origin version in the summary, which is why you can not rely on that field in the first place. We do specify that "category/port" should be the first text in the summary and that is why you can rely on that to do a search. Finally, we do have this: 'Clean up & "normalize" issue Summary' for the triage training wiki. That is what I do with these changes. If you don't agree, please, take this discussion to the bugmeisters@ mail list. Actually it would be good to see a mail there every other year.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d2c2fbb45db04a1b5985a8daebd8c458d7bcd42d

commit d2c2fbb45db04a1b5985a8daebd8c458d7bcd42d
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2024-08-23 18:08:24 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-08-23 18:09:50 +0000

    security/vuxml: Record heap buffer overflow for mcpp

    PR:          280962
    Reported by: Älven <alster@vinterdalen.se>

 security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1386a9a718e50df51bbe3027d6e3abf4425a7be6

commit 1386a9a718e50df51bbe3027d6e3abf4425a7be6
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-08-23 07:55:44 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-08-23 18:11:37 +0000

    devel/mcpp: update to 2.7.2.1, fix CVE

    ChangeLog: https://github.com/museoa/mcpp/compare/2.7.2...2.7.2.1

    Fixes CVE-2019-14274: heap-based buffer overflow
    * Base Score: 5.5 MEDIUM
    * Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    PR:          280962
    Reported by: alster@vinterdalen.se
    MFH:         2024Q3 (security fix)
    Security:    CVE-2019-14274

 devel/mcpp/Makefile                           | 12 ++++++------
 devel/mcpp/distinfo                           |  5 +++--
 devel/mcpp/files/patch-src__internal.H (gone) | 19 -------------------
 devel/mcpp/files/patch-src__main.c (gone)     | 11 -----------
 devel/mcpp/files/patch-src__support.c (gone)  | 20 --------------------
 devel/mcpp/files/patch-src__system.c (gone)   | 21 ---------------------
 6 files changed, 9 insertions(+), 79 deletions(-)
A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4095b1563fb800a65076d8d9f4de9cc6c851686a

commit 4095b1563fb800a65076d8d9f4de9cc6c851686a
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-08-23 07:55:44 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-08-25 11:54:24 +0000

    devel/mcpp: update to 2.7.2.1, fix CVE

    ChangeLog: https://github.com/museoa/mcpp/compare/2.7.2...2.7.2.1

    Fixes CVE-2019-14274: heap-based buffer overflow
    * Base Score: 5.5 MEDIUM
    * Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    PR:          280962
    Reported by: alster@vinterdalen.se
    MFH:         2024Q3 (security fix)
    Security:    CVE-2019-14274

    (cherry picked from commit 1386a9a718e50df51bbe3027d6e3abf4425a7be6)

 devel/mcpp/Makefile                           | 12 ++++++------
 devel/mcpp/distinfo                           |  5 +++--
 devel/mcpp/files/patch-src__internal.H (gone) | 19 -------------------
 devel/mcpp/files/patch-src__main.c (gone)     | 11 -----------
 devel/mcpp/files/patch-src__support.c (gone)  | 20 --------------------
 devel/mcpp/files/patch-src__system.c (gone)   | 21 ---------------------
 6 files changed, 9 insertions(+), 79 deletions(-)