The current version of devel/opengrok is vulnerable to an easily exploitable issue that allows remote takeover of the opengrok instance. https://www.cvedetails.com/cve/CVE-2021-2322/ Needs to be updated past 1.6.7 to fix, and perhaps a mention in the security/vuxml file.
Note also: Latest opengrok version is 1.7.25
^Triage: Fix update collision; py-opengrok-tools likely depends on this port and needs to match its version.
Created attachment 230360 [details]
patch to upgrade opengrok to version 1.6.9

Both opengrok 1.6.9 and 1.7.x require Java 11 and Tomcat 10. Unfortunately both cause the JRE to segfault when trying to index anything, even something as simple as /usr/src/bin/sh.

% opengrok -s /usr/src/bin/sh -d /var/opengrok/data -H -P -S -G -W /var/opengrok/etc/configuration.xml
[snip]
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x000037ab410bf046, pid=94043, tid=312124
#
# JRE version: OpenJDK Runtime Environment (11.0.13+8) (build 11.0.13+8-1)
# Java VM: OpenJDK 64-Bit Server VM (11.0.13+8-1, mixed mode, tiered, compressed oops, g1 gc, bsd-amd64)
# Problematic frame:
# V  [libjvm.so+0xebf046]  JVM_RaiseSignal+0x3d15c6
#
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=065c811cfc470bd7495c11f895b7ae0bd2bb8dde

commit 065c811cfc470bd7495c11f895b7ae0bd2bb8dde
Author:     Don Lewis <truckman@FreeBSD.org>
AuthorDate: 2022-04-26 18:08:39 +0000
Commit:     Don Lewis <truckman@FreeBSD.org>
CommitDate: 2022-04-26 18:19:28 +0000

    devel/opengrok: Upgrade to version 1.7.31

    Upgrade opengrok to the latest upstream version to fix CVE-2021-2322,
    which was actually fixed upstream in 1.6.7.

    Convert the wrapper script from /bin/csh to /bin/sh.

    Java 11+ is required.

    PR:             260534
    MFH:            2022Q2
    Security:       1135e939-62b4-11ec-b8e2-1c1b0d9ea7e6

 devel/opengrok/Makefile                   |  90 ++------
 devel/opengrok/distinfo                   |   6 +-
 devel/opengrok/files/opengrok.in          |  15 +-
 devel/opengrok/files/pkg-message.in (new) |  18 ++
 devel/opengrok/pkg-message (gone)         |   8 -
 devel/opengrok/pkg-plist                  | 291 ++++++++++++++----------------
 6 files changed, 173 insertions(+), 255 deletions(-)
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=045a0fa59ee83a3503785f60b738e802eb38143e

commit 045a0fa59ee83a3503785f60b738e802eb38143e
Author:     Don Lewis <truckman@FreeBSD.org>
AuthorDate: 2022-04-26 18:08:39 +0000
Commit:     Don Lewis <truckman@FreeBSD.org>
CommitDate: 2022-04-26 18:23:15 +0000

    devel/opengrok: Upgrade to version 1.7.31

    Upgrade opengrok to the latest upstream version to fix CVE-2021-2322,
    which was actually fixed upstream in 1.6.7.

    Convert the wrapper script from /bin/csh to /bin/sh.

    Java 11+ is required.

    PR:             260534
    MFH:            2022Q2
    Security:       1135e939-62b4-11ec-b8e2-1c1b0d9ea7e6

    (cherry picked from commit 065c811cfc470bd7495c11f895b7ae0bd2bb8dde)

 devel/opengrok/Makefile                   |  90 ++------
 devel/opengrok/distinfo                   |   6 +-
 devel/opengrok/files/opengrok.in          |  15 +-
 devel/opengrok/files/pkg-message.in (new) |  18 ++
 devel/opengrok/pkg-message (gone)         |   8 -
 devel/opengrok/pkg-plist                  | 291 ++++++++++++++----------------
 6 files changed, 173 insertions(+), 255 deletions(-)
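The practical question for anyone running this port is whether the installed version predates the fix. The commit message above states the upstream fix landed in 1.6.7, so the check below (an added example, not code from this PR, the port, or upstream OpenGrok) treats anything older than 1.6.7 as affected by CVE-2021-2322. The version comparison is a plain POSIX sh routine so it runs anywhere; on a FreeBSD host with pkg(8) installed it additionally queries the installed opengrok package. The sample version strings in the loop are constructed for illustration; the "1.6.7" cutoff is taken from the commit message and is the only assumption about the vulnerability.

```shell
#!/bin/sh
# Added example: decide whether an installed devel/opengrok version predates
# the upstream fix for CVE-2021-2322. Per the commit message in PR 260534 the
# fix landed in upstream 1.6.7 (assumption taken from that message), so any
# older version is reported as vulnerable.
FIXED_VERSION="1.6.7"

# vercmp A B: compare dotted numeric versions component by component and
# print -1, 0 or 1 for A<B, A==B, A>B. A non-numeric suffix such as the
# ports revision in "1.7.31_1" is stripped first, so it compares as 1.7.31.
# Missing components are treated as 0, so "1.6" sorts before "1.6.7".
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1;  return; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: succeed (exit 0) when VERSION is older than
# FIXED_VERSION, fail (exit 1) otherwise.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# report VERSION: one human-readable line per version string.
report() {
    if is_vulnerable "$1"; then
        printf '%s: vulnerable to CVE-2021-2322 (older than %s)\n' "$1" "$FIXED_VERSION"
    else
        printf '%s: not affected by CVE-2021-2322 (%s or newer)\n' "$1" "$FIXED_VERSION"
    fi
}

# installed_version: the version of the opengrok package as recorded by
# pkg(8), or nothing when pkg is unavailable or the package is not installed.
installed_version() {
    if command -v pkg >/dev/null 2>&1; then
        pkg query '%v' opengrok 2>/dev/null
    fi
}

# Constructed sample version strings (not taken from the PR) to show the
# decision on each side of the cutoff, including a ports revision suffix.
for v in 1.6.6 1.6.7 1.6.9 1.7.31_1; do
    report "$v"
done

# On a FreeBSD host, also check what is actually installed.
inst=$(installed_version)
if [ -n "$inst" ]; then
    printf 'installed: '
    report "$inst"
fi
```

Run it with `sh` on the opengrok host; the sample lines show the cutoff, and the final "installed:" line (only printed when pkg(8) finds an opengrok package) is the answer for that machine. The comparison deliberately ignores everything after the first non-numeric character, which is what you want for FreeBSD's `_N` port revisions but means prerelease tags such as "rc1" are not ranked against the final release.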