Bug 239843

Summary: www/h2o and www/h2o-devel: update to 2.2.6/2.3.0-beta2 with multiple CVE fixes
Product: Ports & Packages Reporter: Max Kostikov <max>
Component: Individual Port(s)Assignee: Dave Cottlehuber <dch>
Status: Closed FIXED    
Severity: Affects Many People CC: adamw
Priority: --- Flags: bugzilla: maintainer-feedback? (dch)
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
update to 2.2.6
none
h2o-devel
none
updated patch for 2.2.6
none
update to 2.2.6 none

Description Max Kostikov 2019-08-14 11:39:39 UTC
Created attachment 206521 [details]
update to 2.2.6

Fixed CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood)
Comment 1 Adam Weinberger freebsd_committer 2019-08-14 15:04:33 UTC
(In reply to Max Kostikov from comment #0)
That patch needs to be edited. The plist removes the %%MRUBY%% option_sub. There's also not a lot of point in sorting %%DATADIR%% if the rest of the plist isn't strictly sorted.
Comment 2 Adam Weinberger freebsd_committer 2019-08-14 15:06:09 UTC
Created attachment 206542 [details]
h2o-devel

Attaching a patch to update h2o-devel to 2.3.0-beta2
Comment 3 Max Kostikov 2019-08-14 15:18:42 UTC
Created attachment 206544 [details]
updated patch for 2.2.6

(In reply to Adam Weinberger from comment #1)
Adam, thanks for pointed this.
See new .diff in attachment. Hope it will be ok now.
Comment 4 Adam Weinberger freebsd_committer 2019-08-14 17:42:30 UTC
(In reply to Max Kostikov from comment #3)
Hi Max,

Unfortunately, this one is actually made it worse. Now there's two plists in the patch, everything is reversed, and the mruby files are listed twice.
Comment 5 Max Kostikov 2019-08-14 17:59:17 UTC
Created attachment 206549 [details]
update to 2.2.6

(In reply to Adam Weinberger from comment #4)
Sorry. That's my bad. See one more revision in attachment.
Comment 6 Adam Weinberger freebsd_committer 2019-08-14 18:07:21 UTC
(In reply to Max Kostikov from comment #5)
This one looks great!

Dave, I believe these patches are ready for you!
Comment 7 commit-hook freebsd_committer 2019-08-25 18:30:18 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:29:33 UTC 2019
New revision: 509831
URL: https://svnweb.freebsd.org/changeset/ports/509831

Log:
  www/h2o: update to 2.2.6

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  MFH:		2019Q3
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/www/h2o/Makefile
  head/www/h2o/distinfo
  head/www/h2o/pkg-plist
Comment 8 commit-hook freebsd_committer 2019-08-25 18:35:25 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:34:50 UTC 2019
New revision: 509834
URL: https://svnweb.freebsd.org/changeset/ports/509834

Log:
  security/vuxml: Document multiple vulnerabilities in www/h2o*

  http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html

  PR: 239843
  Reported by:	Kazuho Oku
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 9 commit-hook freebsd_committer 2019-08-25 18:37:26 UTC
A commit references this bug:

Author: dch
Date: Sun Aug 25 18:37:21 UTC 2019
New revision: 509835
URL: https://svnweb.freebsd.org/changeset/ports/509835

Log:
  www/h2o-devel: update to 2.3.0-beta2

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  MFH:		2019Q3
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

Changes:
  head/www/h2o-devel/Makefile
  head/www/h2o-devel/distinfo
  head/www/h2o-devel/pkg-plist
Comment 10 Dave Cottlehuber freebsd_committer 2019-08-25 18:39:49 UTC
committed, thanks Adam & Max for the report & tweaks.
vuxml updated accordingly, post returning from vacation.
Comment 11 commit-hook freebsd_committer 2019-08-26 07:56:41 UTC
A commit references this bug:

Author: dch
Date: Mon Aug 26 07:56:06 UTC 2019
New revision: 509884
URL: https://svnweb.freebsd.org/changeset/ports/509884

Log:
  MFH: r509835

  www/h2o-devel: update to 2.3.0-beta2

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/h2o-devel/Makefile
  branches/2019Q3/www/h2o-devel/distinfo
  branches/2019Q3/www/h2o-devel/pkg-plist
Comment 12 commit-hook freebsd_committer 2019-08-26 07:58:42 UTC
A commit references this bug:

Author: dch
Date: Mon Aug 26 07:57:50 UTC 2019
New revision: 509886
URL: https://svnweb.freebsd.org/changeset/ports/509886

Log:
  MFH: r509831

  www/h2o: update to 2.2.6

  resolves:

  - CVE-2019-9512 (Ping Flood)
  - CVE-2019-9514 (Reset Flood)
  - CVE-2019-9515 (Settings Flood)

  PR:		239843
  Submitted by:	Max Kostikov <max@kostikov.co>
  Reported by:	Max Kostikov <max@kostikov.co>
  Reviewed by:	adamw
  Approved by:	jrm (mentor, implicit)
  Security:	CVE-2019-9512
  Security:	CVE-2019-9514
  Security:	CVE-2019-9515
  Sponsored by:	SkunkWerks, GmbH

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/h2o/Makefile
  branches/2019Q3/www/h2o/distinfo
  branches/2019Q3/www/h2o/pkg-plist