Bug 238864

Summary: textproc/expat2: Update to 2.2.7
Product: Ports & Packages
Reporter: Sergei Vyshenski <svysh.fbsd>
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Some People
CC: luzpaz, pi, svysh.fbsd, swills
Priority: ---
Keywords: security
Version: Latest
Flags: svysh.fbsd: maintainer-feedback+, antoine: merge-quarterly-
Hardware: Any
OS: Any
URL: https://github.com/libexpat/libexpat
Bug Depends on: 239282
Bug Blocks:
Attachments (description: flags):
- patch to update the port: svysh.fbsd: maintainer-approval+
- vuxml entry: svysh.fbsd: maintainer-approval+
- patch-to-2.2.8: none

Description Sergei Vyshenski 2019-06-28 11:50:11 UTC
Created attachment 205397
patch to update the port

- Update 2.2.6 --> 2.2.7
	Changes: 
	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
- "portlint -AC" gives non-relevant warns.
- testport of poudriere 3.3.2_1 runs ok at 12.0-release-p6, amd64.
- As 222 ports depend on this one, maybe exprun is needed?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-28 11:56:38 UTC
Given this also fixes a security vulnerability that should be merged to the quarterly branch, an exp-run is probably justified.

@Sergei Could you produce a vuxml entry for this issue?
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-28 11:58:24 UTC
I checked to see whether this was "just a point release", but there appear to be sufficient functional changes to warrant extra QA, in particular:

- #212  CMake: Make libdir of pkgconfig expat.pc support multilib
- #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop exporting non-API symbols
Comment 3 Sergei Vyshenski 2019-06-28 13:35:40 UTC
Created attachment 205398
vuxml entry
Comment 5 Tobias Kortkamp freebsd_committer freebsd_triage 2019-07-03 11:57:22 UTC
*** Bug 238715 has been marked as a duplicate of this bug. ***
Comment 6 Sergei Vyshenski 2019-08-20 16:43:20 UTC
@Antoine:
The problem seems to be fixed now: cf PR#239282
Comment 7 Sergei Vyshenski 2019-09-15 16:34:13 UTC
Security fix release 2.2.8 is available:

https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes

Shall I wait for the commit of 2.2.7, or shall I submit a new patch with 2.2.8 now? Asking because of exp-run etc.
Comment 8 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-15 18:28:51 UTC
Created attachment 207511
patch-to-2.2.8

Update to 2.2.8, probably needs a new exp-run?
Comment 9 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-15 18:30:20 UTC
and: we need an additional vuxml entry for the new vulnerability?
Comment 10 Antoine Brodin freebsd_committer freebsd_triage 2019-09-16 05:26:45 UTC
Please update the port to 2.2.7 (exp-run was already done).

If you want to update to 2.2.8, open another PR but the exp-run won't happen before a few days.
Comment 11 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:17:33 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:16:56 UTC 2019
New revision: 512162
URL: https://svnweb.freebsd.org/changeset/ports/512162

Log:
  textproc/expat2: upgrade 2.2.6 -> 2.2.7

  - exp-run by antoine

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Reviewed by:	koobs
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
  Security:	https://github.com/libexpat/libexpat/issues/186
  		https://github.com/libexpat/libexpat/pull/262

Changes:
  head/textproc/expat2/Makefile
  head/textproc/expat2/distinfo
  head/textproc/expat2/pkg-plist
Comment 12 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:20:37 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:19:51 UTC 2019
New revision: 512164
URL: https://svnweb.freebsd.org/changeset/ports/512164

Log:
  security/vuxml: document expat2 pre-2.2.7 vulnerability

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 13 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-16 11:21:18 UTC
Committed, thanks!
Comment 14 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:45:47 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:45:33 UTC 2019
New revision: 512172
URL: https://svnweb.freebsd.org/changeset/ports/512172

Log:
  security/vuxml: fix vuln.xml entry for expat

  PR:		238864
  Submitted by:	tobik

Changes:
  head/security/vuxml/vuln.xml
Comment 15 commit-hook freebsd_committer freebsd_triage 2019-09-25 17:45:45 UTC
A commit references this bug:

Author: delphij
Date: Wed Sep 25 17:45:04 UTC 2019
New revision: 512800
URL: https://svnweb.freebsd.org/changeset/ports/512800

Log:
  MFH: r512162, r512335

  textproc/expat2: upgrade 2.2.6 -> 2.2.7

  - exp-run by antoine

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Reviewed by:	koobs
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
  Security:	https://github.com/libexpat/libexpat/issues/186
  		https://github.com/libexpat/libexpat/pull/262

  textproc/expat2: upgrade 2.2.7 -> 2.2.8

  PR:		240613
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Exp-Run by:	antoine
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
  Security:	CVE-2019-15903

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/textproc/expat2/Makefile
  branches/2019Q3/textproc/expat2/distinfo
  branches/2019Q3/textproc/expat2/pkg-plist