Bug 225970

Summary: www/gitlab security update to 10.4.x
Product: Ports & Packages
Reporter: Matthias Fechner <mfechner>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Many People
CC: hans, joneum, tz
Priority: ---
Flags: mfechner: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Bug Depends on: 225971, 225972, 225973, 225974, 225975, 225976, 225977, 225978, 225979, 225980, 225984
Bug Blocks:
Attachments:
  Security update to 10.4.3 (flags: none)
  Security update to 10.4.4. (flags: mfechner: maintainer-approval+)

Description Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 09:55:32 UTC
Created attachment 190715 [details]
Security update to 10.4.3
Comment 1 Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 10:04:45 UTC
Please do not commit yet. I will add over the next days all required updates that block this one; I will switch the maintainer flag the moment everything that blocks this update is committed.
Comment 2 Jochen Neumeister freebsd_committer freebsd_triage 2018-02-17 10:06:35 UTC
Moin Matthias :-)

Okay, then give me a go when done. I want to try and pull all the PRs to me.

Joneum
Comment 3 Po-Chuan Hsieh freebsd_committer freebsd_triage 2018-02-17 10:13:19 UTC
10.4.4 is released yesterday. Please use this version instead.
Comment 4 Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 11:02:55 UTC
I have now created hopefully all changes that are required. I will upgrade it to 10.4.4 and provide a new diff if everything is fine.
Comment 5 Jochen Neumeister freebsd_committer freebsd_triage 2018-02-17 11:37:13 UTC
(In reply to Matthias Fechner from comment #4)

I think we can, as in the past, do that again in several steps. Let's work on the update for 10.4.3, and then 10.4.4

I will test all updates again in poudriere, and then open a review to catch up with the opinion of @tz (I CC him here).
Comment 6 Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 11:47:29 UTC
Created attachment 190729 [details]
Security update to 10.4.4.

This patch also includes a fix for the gem update of security/rubygem-attr_encrypted to security/rubygem-attr_encrypted30, which breaks gitlab.
Comment 7 Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 11:49:47 UTC
If you would like to see all changes collected, you can also use the branch 10.4 from here:
http://gitlab.toco-domains.de/FreeBSD/GitLab

I pushed all modifications required for the update to 10.4.4 to it.
Comment 8 Po-Chuan Hsieh freebsd_committer freebsd_triage 2018-02-17 12:01:21 UTC
(In reply to Jochen Neumeister from comment #5)

I suggest updating to 10.4.4 directly, because it's only 1 dependency change (nokogiri from 1.8.1 to 1.8.2) and mostly bugfixes from 10.4.3.
Comment 9 Matthias Fechner freebsd_committer freebsd_triage 2018-02-17 15:05:34 UTC
All tests were successful, so we should be ready to merge all PRs into HEAD.
Comment 10 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-02-20 16:22:34 UTC
Committed in r462404
Comment 11 Matthias Fechner freebsd_committer freebsd_triage 2018-02-20 23:03:18 UTC
Thanks @tz for the time spent committing everything!

We should create a security entry and mark every version of gitlab < 10.4.3 with critical security bugs.
Comment 12 Matthias Fechner freebsd_committer freebsd_triage 2018-02-21 16:58:00 UTC
Security bulletin added:
https://svnweb.freebsd.org/changeset/ports/462481
Comment 13 Hans 2018-02-23 07:54:01 UTC
Hello,

Firstly, thanks for all your work on the packages!

It seems like the latest bump of the gitlab + gems made my system want to remove gitlab when running pkg upgrade.

Below is a paste of the output of pkg:

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (19 candidates): 100%
Processing candidates (19 candidates): 100%
Checking integrity... done (9 conflicting)
  - rubygem-sass-rails-rails4-5.0.7 conflicts with rubygem-sass-rails5-5.0.7 on /usr/local/lib/ruby/gems/2.4/specifications/sass-rails-5.0.7.gemspec
  - rubygem-pg0-0.21.0 conflicts with rubygem-pg-0.21.0 on /usr/local/lib/ruby/gems/2.4/specifications/pg-0.21.0.gemspec
  - rubygem-unicorn51-5.1.0 conflicts with rubygem-unicorn-5.4.0 on /usr/local/bin/unicorn
  - rubygem-unicorn-worker-killer044-0.4.4 conflicts with rubygem-unicorn-worker-killer-0.4.4 on /usr/local/lib/ruby/gems/2.4/specifications/unicorn-worker-killer-0.4.4.gemspec
  - rubygem-hamlit26-2.6.2 conflicts with rubygem-hamlit-2.8.7 on /usr/local/bin/hamlit
  - rubygem-hamlit26-2.6.2 conflicts with rubygem-hamlit-2.8.6 on /usr/local/bin/hamlit
  - rubygem-github-linguist47-4.7.6 conflicts with rubygem-github-linguist-6.0.1 on /usr/local/bin/git-linguist
  - rubygem-sentry-raven25-2.5.3 conflicts with rubygem-sentry-raven-2.7.2 on /usr/local/bin/raven
  - rubygem-ruby-prof016-0.16.2 conflicts with rubygem-ruby-prof-0.17.0 on /usr/local/bin/ruby-prof
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 59 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	gitlab-10.1.6_2
	rubygem-sass-rails5-5.0.7

New packages to be INSTALLED:
	rubygem-sass-rails-rails4: 5.0.7
	rubygem-pg0: 0.21.0
	rubygem-uglifier27: 2.7.2
	rubygem-toml-rb03: 0.3.15
	rubygem-rack-cors: 1.0.2
	rubygem-rack-attack44: 4.4.1
	rubygem-kubeclient22: 2.2.0
	rubygem-recursive-open-struct100: 1.0.0
	rubygem-jquery-atwho-rails13: 1.3.2
	rubygem-gon61: 6.1.0
	rubygem-dropzonejs-rails07: 0.7.4
	rubygem-wikicloth081: 0.8.1
	rubygem-version_sorter21: 2.1.0
	rubygem-loofah20: 2.0.3
	rubygem-diffy31: 3.1.0
	rubygem-asciidoctor-plantuml007: 0.0.7
	rubygem-rack-oauth212: 1.2.3
	rubygem-omniauth14: 1.4.3
	rubygem-omniauth-shibboleth12: 1.2.1
	rubygem-omniauth-saml17: 1.7.0
	rubygem-net-ssh41: 4.1.0
	rubygem-attr_encrypted30: 3.0.3
	rubygem-omniauth-twitter12: 1.2.1
	rubygem-omniauth-auth014: 1.4.2
	rubygem-octokit46: 4.6.2
	rubygem-fog-google0: 0.6.0
	rubygem-asset_sync220: 2.2.0
	rubygem-hipchat15: 1.5.4
	rubygem-premailer-rails19: 1.9.7
	rubygem-recaptcha3: 3.4.0
	rubygem-omniauth_crowd22: 2.2.3
	rubygem-health_check26: 2.6.0
	rubygem-grape-entity060: 0.6.0
	rubygem-gettext_i18n_rails_js12: 1.2.0
	rubygem-flipper011: 0.11.0
	rubygem-flipper-active_support_cache_store011: 0.11.0
	rubygem-batch-loader: 1.2.1
	rubygem-seed-fu236: 2.3.6
	rubygem-redis-namespace15: 1.5.3
	rubygem-flipper-active_record011: 0.11.0

Installed packages to be UPGRADED:
	vim-tiny: 8.0.1496 -> 8.0.1521
	rubygem-rails4: 4.2.10 -> 4.2.10_1
	rubygem-rack-protection: 2.0.0 -> 2.0.1
	rubygem-rack-oauth2: 1.8.0 -> 1.8.1
	rubygem-prometheus-client-mmap: 0.7.0.b18 -> 0.7.0.b44
	rubygem-pg: 0.21.0 -> 1.0.0
	rubygem-peek-pg: 1.3.0 -> 1.3.0_1
	rubygem-peek-performance_bar: 1.3.0 -> 1.3.1
	rubygem-mustermann: 1.0.1 -> 1.0.2
	rubygem-hamlit: 2.8.6 -> 2.8.7
	rubygem-google-api-client: 0.19.7 -> 0.19.8
	ruby24-gems: 2.7.5 -> 2.7.6
	npm: 5.6.0_1 -> 5.6.0_2
	gmake: 4.2.1_1 -> 4.2.1_2
	gitlab-workhorse: 2.3.0 -> 3.3.1
	gitlab-shell: 5.9.3 -> 5.11.0
	git: 2.16.1 -> 2.16.2

Number of packages to be removed: 2
Number of packages to be installed: 40
Number of packages to be upgraded: 17


Thanks,
Hans
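A dry-run guard for the failure mode Hans's paste shows (conflicts, SAT solver fallback, gitlab scheduled for removal). This is an added example, not part of the bug or of the ports tree; it assumes pkg(8)'s `upgrade -n` output keeps the "Installed packages to be REMOVED:" block layout seen above, and the sample is a constructed abridgement of that paste.

```shell
#!/bin/sh
# Guard a pkg(8) upgrade: inspect the dry run and refuse to proceed when a
# package we cannot afford to lose (here gitlab) would be REMOVED.
# Added example; assumes the dry-run layout shown in comment 13.

# Print the package names listed under "Installed packages to be REMOVED:".
# Reads pkg output on stdin; the list ends at the first blank line.
removed_packages() {
    awk '
        /^Installed packages to be REMOVED:/ { inlist = 1; next }
        inlist && /^[[:space:]]*$/          { inlist = 0 }
        inlist                               { sub(/^[[:space:]]+/, ""); print }
    '
}

# Return 0 if a package with the given origin name (e.g. "gitlab") is about
# to be removed; the "-" keeps "gitlab" from matching "gitlab-shell".
# Real usage: pkg upgrade -n 2>&1 | would_remove gitlab
would_remove() {
    removed_packages | awk -v p="$1" 'index($0, p "-") == 1 { found = 1 }
                                      END { exit !found }'
}

# Constructed sample, abridged from the pkg output pasted in comment 13.
SAMPLE='Checking integrity... done (0 conflicting)
The following 59 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
        gitlab-10.1.6_2
        rubygem-sass-rails5-5.0.7

New packages to be INSTALLED:
        rubygem-sass-rails-rails4: 5.0.7

Number of packages to be removed: 2'

# Stand-alone demonstration against the sample: the guard trips.
if printf '%s\n' "$SAMPLE" | would_remove gitlab; then
    echo "refusing: upgrade would remove gitlab" >&2
else
    echo "ok: gitlab is kept"
fi
```

In practice, run the dry run before `pkg upgrade`, and if the guard trips, follow the maintainer's migration notes instead of letting the solver drop the package.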
Comment 15 Hans 2018-02-23 20:06:48 UTC
(In reply to Matthias Fechner from comment #14)

Thanks a ton!

That was a semi-scary upgrade (not a Ruby guy AT ALL).

Snapshotted the jail and followed the guide at: https://gitlab.fechner.net/mfechner/Gitlab-docu/blob/master/update/10.1-10.4-freebsd.md

And it worked like a charm!

Thanks for saving me a headache over the weekend and sorry for thinking it was a bug.