| Summary: | lang/bsh: Update to version 2.0b6 (Fixes security vulnerability, CVE-2016-2510) |
|---|---|
| Product: | Ports & Packages |
| Component: | Individual Port(s) |
| Reporter: | Pedro F. Giffuni <pfg> |
| Assignee: | Jason Unovitch <junovitch> |
| Status: | Closed FIXED |
| Severity: | Affects Some People |
| Priority: | Normal |
| CC: | junovitch, koobs, ports-secteam |
| Keywords: | patch, patch-ready, security |
| Version: | Latest |
| Flags: | junovitch: merge-quarterly+ |
| Hardware: | Any |
| OS: | Any |
| URL: | https://github.com/beanshell/beanshell/blob/master/CHANGES.md |

Description
Pedro F. Giffuni
2016-02-19 14:29:55 UTC

Thanks Pedro :)

For this and future issues, please set maintainer-approval to + on any attachments for ports you are maintainer of. This can be done by: Attachment -> Details -> maintainer-approval [+]

If you can also confirm that this change passes QA (poudriere, portlint), I'd be happy to approve you to commit to the ports tree.

This will also need a VuXML entry created for it.

It also appears that their github repository has a tag for 2.0b6, which should be used in preference to a git hash.

Comment on attachment 167176
Update to 2.0b6

Maintainer approved (me)

Hello Koobs

(In reply to Kubilay Kocak from comment #1)
Sorry about the maintainer approval ... I thought bugzilla already knew the submitter is the maintainer.

Upstream is waiting for a CVE (which may not happen?).

Except for the security fix, there are no changes but I tested it with check-plist. My svn ports tree is read-only (to avoid accidents and so I don't have to do authentication when checking out a new tree). I'd prefer if someone else does the honors.

(In reply to Pedro F. Giffuni from comment #3)
Not a problem Pedro, over to ports-secteam.

We can create a VuXML entry even without a CVE, and update/add the entry later

A commit references this bug:

Author: junovitch
Date: Sun Feb 21 15:25:54 UTC 2016
New revision: 409296
URL: https://svnweb.freebsd.org/changeset/ports/409296

Log:
  lang/bsh: update 2.0b5 -> 2.0b6

  Changes: https://github.com/beanshell/beanshell/releases/tag/2.0b6

  PR: 207334
  Submitted by: pfg (maintainer)
  Security: CVE-2016-2510
  Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html
  MFH: 2016Q1

Changes:
  head/lang/bsh/Makefile
  head/lang/bsh/distinfo

A commit references this bug:

Author: junovitch
Date: Sun Feb 21 15:25:58 UTC 2016
New revision: 409297
URL: https://svnweb.freebsd.org/changeset/ports/409297

Log:
  Document bsh remote code execution vulnerability

  PR: 207334
  Submitted by: pfg (maintainer)
  Security: CVE-2016-2510
  Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

Take for MFH and subsequent close...

IMHO this really should be ports@ with maintainer approval. I don't see a need to restrict who can commit a maintainer approved fix.

A commit references this bug:

Author: junovitch
Date: Sun Feb 21 15:37:33 UTC 2016
New revision: 409298
URL: https://svnweb.freebsd.org/changeset/ports/409298

Log:
  MFH: r409296

  lang/bsh: update 2.0b5 -> 2.0b6

  Changes: https://github.com/beanshell/beanshell/releases/tag/2.0b6

  PR: 207334
  Submitted by: pfg (maintainer)
  Approved by: ports-secteam (miwi)
  Security: CVE-2016-2510
  Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html

Changes:
  _U branches/2016Q1/
  branches/2016Q1/lang/bsh/Makefile
  branches/2016Q1/lang/bsh/distinfo

Set merge-quarterly+ and close.