Hello, I noticed that FreeBSD's twisted version is a bit outdated, so I'll try taking a go at it. It is not entirely impossible that while at it I'll have to update other ports like attrs, we'll see. I'm also using the chance to document the whole process for myself (my future self too) and hopefully people who would consider doing things like this. Will be posting a patch over the next few days. Cheers,
Created attachment 212951
py-twisted update to 20.3.0

Changelog: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

QA:
* portlint: OK (looks fine.)
* testport: OK (poudriere: 3.3.3, amd64)

Related Security issues:
CVE-2020-10108
CVE-2019-9512
CVE-2019-9514
CVE-2019-9515
CVE-2019-12387
CVE-2019-12855
https://twistedmatrix.com/trac/ticket/9420
It was mentioned on IRC that a review without a PR existed: https://reviews.freebsd.org/D24186 I have reviewed the dependencies and will test it, since it adds build options to twisted which might be interesting.
I've tested the current version contained in the review. The port builds fine (with all options enabled). The testsuite throws some errors, but these are virtually identical to the ones that the 18.9.0 version had and look mostly harmless. I've also tested this version with py-matrix-synapse, which heavily relies on py-twisted. Synapse's testsuite passes just fine with the new version, and py-twisted-20.3.0 works seemingly well on a production instance (and seems to improve synapse's performance noticeably on my part). I've also summarized the CVE infos in a vuxml entry, which I'll attach to this PR. It would be nice to get this committed, since the version currently in ports exposes users of py-matrix-synapse to the possibility of request smuggling, see [1]. On another note: can we get this into quarterly? Cheers, Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.12.0
Created attachment 213260
vuln.xml entry for py-twisted<20.3.0
Created attachment 213280
D24186 py-twisted update to 20.3.0

I reviewed the dependencies on D24186 and the submitter (Derek Schrock) mentioned via IRC I should follow up on this. Finally managed to test the build with different options, and as Sascha mentioned, it builds and works fine. This patch is a dump from phabricator's D24186.
A commit references this bug:

Author: dbaio
Date: Tue Apr 21 12:25:02 UTC 2020
New revision: 532266
URL: https://svnweb.freebsd.org/changeset/ports/532266

Log:
  security/vuxml: Document devel/py-twisted vulnerabilities

  PR:           245252
  Submitted by: Sascha Biberhofer <ports@skyforge.at>
  Reported by:  contact@evilham.com

Changes:
  head/security/vuxml/vuln.xml
Build tests in ports that depend on py-twisted seem fine. We could still have some runtime issues here, see 'Deprecations and Removals' in the changelog, but I would proceed with this update because of the number of CVEs.

Just a minor change in the patch (no need to update it): we can always improve the options descriptions, see here: https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/makefile-options.html#makefile-options-syntax

My suggestion:

CONCH_DESC=	Conch secure shell SSH
SERIAL_DESC=	Serial port extension

HTTP2_DESC and TLS_DESC are already present in Mk/bsd.options.desc.mk and fit here.
Exp-run looks fine
A commit references this bug:

Author: dbaio
Date: Sun Apr 26 14:16:59 UTC 2020
New revision: 533065
URL: https://svnweb.freebsd.org/changeset/ports/533065

Log:
  devel/py-twisted: Update to 20.3.0, Fix security vulnerabilities

  Add extra_require dependencies as options, enabled by default.

  Changelog: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

  PR:                    245252
  Exp-run by:            antoine
  Submitted by:          contact@evilham.com
  Submitted by:          dereks_lifeofadishwasher.com
  MFH:                   2020Q2
  Security:              9fbaefb3-837e-11ea-b5b4-641c67a117d8
  Differential Revision: https://reviews.freebsd.org/D24186

Changes:
  head/devel/py-twisted/Makefile
  head/devel/py-twisted/distinfo
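The layout the commit above describes (Twisted's extras_require groups exposed as port options, enabled by default, with the option descriptions suggested earlier in the thread), written out here as an illustration of the ports OPTIONS framework; this is not the committed Makefile, and the dependency port origins and version bounds are assumed from Twisted 20.3.0's extras_require rather than taken from the PR.

```make
# Illustrative OPTIONS block for devel/py-twisted (not the committed Makefile).
# Each option mirrors one of Twisted 20.3.0's extras_require groups; the
# dependency port origins below are assumed, not taken from the PR.
OPTIONS_DEFINE=		CONCH HTTP2 SERIAL TLS
OPTIONS_DEFAULT=	CONCH HTTP2 SERIAL TLS

# HTTP2_DESC and TLS_DESC are provided by Mk/bsd.options.desc.mk, so only
# the port-specific descriptions are set here.
CONCH_DESC=		Conch secure shell SSH
SERIAL_DESC=		Serial port extension

# twisted[conch]: SSH client/server support
CONCH_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}pyasn1>0:devel/py-pyasn1@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}cryptography>0:security/py-cryptography@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}appdirs>0:devel/py-appdirs@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}bcrypt>0:security/py-bcrypt@${PY_FLAVOR}

# twisted[http2]: HTTP/2 support for twisted.web
HTTP2_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}h2>0:www/py-h2@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}priority>0:www/py-priority@${PY_FLAVOR}

# twisted[serial]: serial port transport
SERIAL_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}pyserial>0:comms/py-pyserial@${PY_FLAVOR}

# twisted[tls]: TLS endpoints and certificate/hostname verification
TLS_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}openssl>0:security/py-openssl@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}service_identity>0:security/py-service_identity@${PY_FLAVOR} \
			${PYTHON_PKGNAMEPREFIX}idna>0:dns/py-idna@${PY_FLAVOR}
```

Running `make showconfig` in the port directory lists the resulting options and their default state, which is a quick way to confirm all four extras are on by default as the commit message states.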
A commit references this bug:

Author: dbaio
Date: Mon Apr 27 12:01:24 UTC 2020
New revision: 533127
URL: https://svnweb.freebsd.org/changeset/ports/533127

Log:
  MFH: r533065

  devel/py-twisted: Update to 20.3.0, Fix security vulnerabilities

  Add extra_require dependencies as options, enabled by default.

  Changelog: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

  PR:                    245252
  Exp-run by:            antoine
  Submitted by:          contact@evilham.com
  Submitted by:          dereks_lifeofadishwasher.com
  Security:              9fbaefb3-837e-11ea-b5b4-641c67a117d8
  Differential Revision: https://reviews.freebsd.org/D24186
  Approved by:           ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/devel/py-twisted/Makefile
  branches/2020Q2/devel/py-twisted/distinfo
Committed, thank you all.