New 0.8.0 release to fix a grave security issue. https://conduit.rs/changelog/
Created attachment 251449
Trivial upgrade to 0.8.0

Upgrade seems to be trivial; I tested this manually (at first glance it seems to work fine) and I'm currently running this on my poudriere, but it will take a while (needs to update both rust and llvm).
Oh, sorry, that patch was against 0.6.0_6, not against 0.7.0.
Created attachment 251451
tested with poudriere on 13.2 and 14.1
Thank you. I'm taking a look at this, and once it finishes building, and there are no issues, I'll commit it.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=638793efa7ccb592897e18e6bcbb69b3e90bdf07

commit 638793efa7ccb592897e18e6bcbb69b3e90bdf07
Author:     Lapo Luchini <lapo@lapo.it>
AuthorDate: 2024-06-14 16:34:47 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-06-15 07:38:51 +0000

    net-im/conduit: Update to 0.8.0 to fix security issue

    PR:             279728
    MFH:            2024Q2 (security issue)

 net-im/conduit/Makefile        |   5 +-
 net-im/conduit/Makefile.crates | 318 ++++++++++----------
 net-im/conduit/distinfo        | 642 ++++++++++++++++++++++-------------------
 3 files changed, 512 insertions(+), 453 deletions(-)
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a002e5d7fa36abbe9d4a46f7a8854ed68a7d46a1

commit a002e5d7fa36abbe9d4a46f7a8854ed68a7d46a1
Author:     Lapo Luchini <lapo@lapo.it>
AuthorDate: 2024-06-14 16:34:47 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-06-15 07:43:49 +0000

    net-im/conduit: Update to 0.8.0 to fix security issue

    PR:             279728
    MFH:            2024Q2 (security issue)

    (cherry picked from commit 638793efa7ccb592897e18e6bcbb69b3e90bdf07)

 net-im/conduit/Makefile        |   5 +-
 net-im/conduit/Makefile.crates | 318 ++++++++++----------
 net-im/conduit/distinfo        | 642 ++++++++++++++++++++++-------------------
 3 files changed, 512 insertions(+), 453 deletions(-)
Committed, thanks!
Thank you! PS: I didn't propose changes against the security issues XML; do you think it would make sense to do it?
(In reply to Lapo Luchini from comment #8)
Hi, I was hoping for a formal announcement from the conduit team on that, because there is no CVE, nor the details about the vulnerability, in the changelog.[0] Please feel free to prepare one[1] if you have the requisite information, and attach it here.
References:
[0] https://conduit.rs/changelog/#v0-8-0-2024-06-12
[1] https://docs.freebsd.org/en/books/porters-handbook/security/index.html#security-notify
Thanks!