Summary: | lang/groovy: update 2.3.9 -> 2.4.4 for remote execution of untrusted code fix (CVE-2015-3253)
---|---
Product: | Ports & Packages
Reporter: | Jason Unovitch <junovitch>
Component: | Individual Port(s)
Assignee: | Jason Unovitch <junovitch>
Status: | Closed FIXED
Severity: | Affects Some People
CC: | junovitch, mjs
Priority: | ---
Flags: | bugzilla: maintainer-feedback? (mjs)
Version: | Latest
Hardware: | Any
OS: | Any
Description
Jason Unovitch
Created attachment 159661 [details]
lang/groovy: security update 2.3.9 -> 2.4.4
lang/groovy: security update 2.3.9 -> 2.4.4
- Add NO_ARCH
- Remove various LICENSE files that were removed upstream
- Remove PDF documentation that was removed upstream
- Switch @dirrm to @dir
PR: 201704
Security: CVE-2015-3253
Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8
Approved by: maintainer timeout (20 days), feld|delphij|pgollucci (mentor)
MFH: 2015Q3
(In reply to Jason Unovitch from comment #1)

Details/Comments for the records:

- Add NO_ARCH

This is Java and other non-arch specific.

pkg-static: DEVELOPER_MODE: Notice: arch "FreeBSD:11:amd64" -- no architecture specific files found:

- Remove various LICENSE files that were removed upstream

https://github.com/apache/incubator-groovy/commit/0f645889a49ce867671c79ea480952394807fdcb

That commit removed ANTLR-LICENSE.txt, ASM-LICENSE.txt, and JSR223-LICENSE.txt. However, there were several other commits after that point that affected licenses embedded with the Groovy distfile. I would advise anyone with concern over this to review the upstream Git closely.

- Remove PDF documentation that was removed upstream

https://github.com/apache/incubator-groovy/commit/de6161fcc55fdd124478baa8a9e2309abd084e5f

Upstream mentions replacing it with Asciidoctor documentation; however, gradle/assemble.gradle still attempts to use the pre-built PDF that used to be included under Git revision control. I would speculate that PDF support may come back in a future release when the Asciidoctor efforts are finished.

- Switch @dirrm to @dir

The plist is built dynamically, so fix the Makefile where it's generated to handle this Poudriere QA warning:

pkg-static: Warning: @dirrm[try] is deprecated, please use @dir

Created attachment 159662 [details]
Poudriere testport log from 10.1-RELEASE jail
QA:

Portlint:

Portlint is showing a false positive as there are multiple DISTFILES in the form of DISTFILES and DOCS_DISTFILES for the DOCS option.

```
portlint -ac
WARN: Makefile: use of DISTFILES with single file discouraged. distribution filename should be set by DISTNAME and EXTRACT_SUFX.
WARN: Makefile: DISTFILES/DISTNAME affects WRKSRC. take caution when changing them.
0 fatal errors and 2 warnings found.
```
Poudriere:

Log attached and issues addressed were commented on above. The patch was tested across a range of Poudriere jails:

- 8.4-RELEASE-p36 amd64
- 8.4-RELEASE-p36 i386
- 9.3-RELEASE-p21 amd64
- 9.3-RELEASE-p21 i386
- 10.1-RELEASE-p16 amd64
- 10.1-RELEASE-p16 i386
- 10.2-RC2 amd64
- 10.2-RC2 i386
- 11.0-CURRENT r286208 amd64
- 11.0-CURRENT r286208 i386
Runtime:

Basic sanity checking via the groovysh command in a Poudriere jail.

```
root@110amd64-default:/usr/local/bin # groovysh
Groovy Shell (2.4.4, JVM: 1.7.0_80)
Type ':help' or ':h' for help.
-------------------------------------------------------------------------------------------------------------------------------------
groovy:000> println "test"
test
===> null
groovy:000> :exit
```
Created attachment 159664 [details]
lang/groovy: security update 2.3.9 -> 2.4.4

lang/groovy: security update 2.3.9 -> 2.4.4
- Add NO_ARCH
- Remove various LICENSE files that were removed upstream
- Remove PDF documentation that was removed upstream
- Switch @dirrm to @dir
- Reset maintainer to ports@FreeBSD.org by private request [1]
PR: 201704
Security: CVE-2015-3253
Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8
Approved by: mjs@Bur.st (outgoing maintainer) [1], feld|delphij|pgollucci (mentor)
MFH: 2015Q3

A commit references this bug:

Author: junovitch
Date: Mon Aug 10 21:36:25 UTC 2015
New revision: 393909
URL: https://svnweb.freebsd.org/changeset/ports/393909

Log:
lang/groovy: security update 2.3.9 -> 2.4.4
- Add NO_ARCH
- Remove various LICENSE files that were removed upstream
- Remove PDF documentation that was removed upstream
- Switch @dirrm to @dir
- Reset maintainer to ports@FreeBSD.org by private request [1]
PR: 201704
Security: CVE-2015-3253
Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8
Approved by: mjs@Bur.st (outgoing maintainer) [1], feld (mentor)
MFH: 2015Q3

Changes:
head/lang/groovy/Makefile
head/lang/groovy/distinfo

A commit references this bug:

Author: junovitch
Date: Mon Aug 10 21:40:44 UTC 2015
New revision: 393910
URL: https://svnweb.freebsd.org/changeset/ports/393910

Log:
MFH: r393909

lang/groovy: security update 2.3.9 -> 2.4.4
- Add NO_ARCH
- Remove various LICENSE files that were removed upstream
- Remove PDF documentation that was removed upstream
- Switch @dirrm to @dir
- Reset maintainer to ports@FreeBSD.org by private request [1]
PR: 201704
Security: CVE-2015-3253
Security: 67b3fef2-2bea-11e5-86ff-14dae9d210b8
Approved by: mjs@Bur.st (outgoing maintainer) [1], feld (mentor)
Approved by: ports-secteam (feld)

Changes:
_U branches/2015Q3/
branches/2015Q3/lang/groovy/Makefile
branches/2015Q3/lang/groovy/distinfo