Bug 245198

Summary: net-mgmt/cacti: Update to 1.2.10
Product: Ports & Packages
Reporter: Michael Muenz <m.muenz>
Component: Individual Port(s)
Assignee: Ben Woods <woodsb02>
Status: Closed FIXED
Severity: Affects Only Me
CC: fernape, freebsd-ports, woodsb02
Priority: ---
Keywords: buildisok
Version: Latest
Flags: woodsb02: maintainer-feedback+, woodsb02: merge-quarterly+
Hardware: Any
OS: Any
URL: https://www.cacti.net/changelog.php
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245205
Bug Depends on:    
Bug Blocks: 245205    
Attachments:
Cacti 1.2.10 (flags: none)
updated 1.2.10 patch (flags: none)

Description Michael Muenz 2020-03-31 06:52:42 UTC
Created attachment 212884
Cacti 1.2.10

Update to latest version 1.2.10.
There are several security-related CVEs fixed with 1.2.9 and 1.2.10 (CVE-2020-8813, CVE-2020-7106, CVE-2020-7237).

Maybe need quarterly.

I'll add a separate PR for vuxml later today.
Comment 1 Automation User 2020-03-31 12:11:42 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/131308333
Comment 2 Ben Woods freebsd_committer freebsd_triage 2020-04-01 22:25:42 UTC
Hi Dan, can I request a quick response from you on this one, given it fixes multiple security vulnerabilities?

Also, I noticed there have been a few maintainer timeouts recently for cacti - are you still interested in maintaining this port? I know all too well how life takes over and gets in the way of volunteer efforts such as port maintainership.
Comment 3 Ben Woods freebsd_committer freebsd_triage 2020-04-05 05:13:08 UTC
Hi Dan, sorry to hassle, but could I please push for a comment on this diff?
Comment 4 Daniel Austin 2020-04-05 12:41:15 UTC
(In reply to Ben Woods from comment #3)
Hi Ben,
Sorry, super busy here :(

Diff looks ok, other than all the occurrences of '%%CACTIUSER%%' in pkg-plist filenames instead of the word 'cacti'... so long as the user IS cacti, it will be ok - but if anyone changes the username it would fail as those files are statically named after the product not the username.

I'm more than happy for anyone to take over maintainership of this port.
I'm really stuck for time lately :(
Comment 5 Michael Muenz 2020-04-06 07:33:29 UTC
The cacti user changes in plist came from poudriere, I'll enclose an updated patch without it.

Today Cacti 1.2.11 is out but no security issues, so we can stick with 1.2.10 and after-merge I'll create a new PR for 1.2.11 and replace the maintainer as you already wished a couple of updates ago.
Comment 6 Michael Muenz 2020-04-06 07:34:09 UTC
Created attachment 213117
updated 1.2.10 patch
Comment 7 commit-hook freebsd_committer freebsd_triage 2020-04-07 14:25:30 UTC
A commit references this bug:

Author: woodsb02
Date: Tue Apr  7 14:24:40 UTC 2020
New revision: 530981
URL: https://svnweb.freebsd.org/changeset/ports/530981

Log:
  net-mgmt/cacti: Update to 1.2.10

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.10/CHANGELOG

  PR:		245198
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  MFH:		2020Q2
  Security:	https://www.vuxml.org/freebsd/e2b564fc-7462-11ea-af63-38d547003487.html

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 8 Ben Woods freebsd_committer freebsd_triage 2020-04-07 14:30:18 UTC
Committed with 1 change (the %%CACTIUSER%% and %%CACTIGROUP%% variables were deliberately used in the owner and group commands within pkg-plist, so I did not commit that part of the diff).

Thanks for the patch Michael, and for your review+approval Dan.

Awaiting approval from ports-secteam to merge this commit to ports quarterly branch to mitigate the security vulnerability there also.
Comment 9 commit-hook freebsd_committer freebsd_triage 2020-04-08 14:14:23 UTC
A commit references this bug:

Author: woodsb02
Date: Wed Apr  8 14:13:37 UTC 2020
New revision: 531118
URL: https://svnweb.freebsd.org/changeset/ports/531118

Log:
  MFH: r530981

  net-mgmt/cacti: Update to 1.2.10

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.10/CHANGELOG

  PR:		245198
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Security:	https://www.vuxml.org/freebsd/e2b564fc-7462-11ea-af63-38d547003487.html

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/net-mgmt/cacti/Makefile
  branches/2020Q2/net-mgmt/cacti/distinfo
  branches/2020Q2/net-mgmt/cacti/pkg-plist
Comment 10 Ben Woods freebsd_committer freebsd_triage 2020-04-08 14:14:55 UTC
Committed to ports quarterly branch. Thanks again team, consider this one closed!