| Summary | net-im/py-matrix-synapse: Update to 1.7.1 (fixes security vulnerabilities) |
|---|---|
| Product | Ports & Packages |
| Reporter | Sascha Biberhofer <ports> |
| Component | Individual Port(s) |
| Assignee | Bernhard Froehlich <decke> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | decke, ports-secteam |
| Priority | --- |
| Keywords | buildisok, security |
| Version | Latest |
| Flags | koobs: merge-quarterly- |
| Hardware | Any |
| OS | Any |
| Attachments | |
Description

Sascha Biberhofer 2019-12-18 12:27:23 UTC

Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/104025583

Created attachment 210038 [details]
vuxml entry for py-matrix-synapse releases prior to 1.7.1

Here's the vuxml entry adapted from the release notes. :)

Created attachment 210084 [details]
net-im/py-matrix-synapse patch from 1.6.1 to 1.7.2

Here's another bump to 1.7.2, which includes two bugfixes for regressions introduced in the 1.7 release.
A commit references this bug:

Author: decke
Date: Fri Dec 20 21:05:45 UTC 2019
New revision: 520526
URL: https://svnweb.freebsd.org/changeset/ports/520526

Log:
  Document py-matrix-synapse vulnerabilities

  PR:           242702
  Submitted by: Sascha Biberhofer <ports@skyforge.at>

Changes:
  head/security/vuxml/vuln.xml

I'll take it.

A commit references this bug:

Author: decke
Date: Fri Dec 20 21:16:09 UTC 2019
New revision: 520527
URL: https://svnweb.freebsd.org/changeset/ports/520527

Log:
  net-im/py-matrix-synapse:
  - Update to 1.7.2
  - Enable PostgreSQL support by default, as recommended by upstream
  - Add messages for updating

  PR:           242702
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/pkg-message.in

Committed, thanks!

The change to the default backend should have been separated from the security update. Combining them makes it more difficult to merge to the quarterly branch.

(In reply to Kubilay Kocak from comment #8)

While I can see your point, I wouldn't really call this a change to the default backend. The package just pulls in both backends now, so people have a choice by default and no longer need to install the postgres dependencies manually. I didn't drop sqlite from the default options so that existing installations are not affected, but I would like to think about this in a future release.

The 1.7 release itself also doesn't change the way sqlite is handled; it just prints a tiny warning on start, making it clearer to the user that sqlite comes with performance limitations. So sqlite users shouldn't be affected in any way by the new version and don't need to migrate anything on update in the immediate future.

I hope this is "ok" (while probably not ideal) for a merge into quarterly, but if there's anything else I can (and should) do about this then please let me know.

^Triage: Track no MFH