Summary: net-mgmt/cacti: Update to 1.2.10
Product: Ports & Packages
Component: Individual Port(s)
Severity: Affects Only Me
Reporter: Michael Muenz <m.muenz>
Assignee: Ben Woods <woodsb02>
CC: fernape, freebsd-ports, woodsb02
Description Michael Muenz 2020-03-31 06:52:42 UTC
Created attachment 212884: Cacti 1.2.10

Update to latest version 1.2.10. There are several security-related CVEs fixed with 1.2.9 and 1.2.10 (CVE-2020-8813, CVE-2020-7106, CVE-2020-7237). Maybe need quarterly. I'll add a separate PR for vuxml later today.
Comment 1 Automation User 2020-03-31 12:11:42 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/131308333
Comment 2 Ben Woods 2020-04-01 22:25:42 UTC
Hi Dan, can I request a quick response from you on this one, given it fixes multiple security vulnerabilities? Also, I noticed there have been a few maintainer timeouts recently for cacti - are you still interested in maintaining this port? I know all too well how life takes over and gets in the way of volunteer efforts such as port maintainership.
Comment 3 Ben Woods 2020-04-05 05:13:08 UTC
Hi Dan, sorry to hassle, but could I please push for a comment on this diff?
Comment 4 Daniel Austin 2020-04-05 12:41:15 UTC
(In reply to Ben Woods from comment #3) Hi Ben, Sorry, super busy here :( Diff looks ok, other than all the occurrences of '%%CACTIUSER%%' in pkg-plist filenames instead of the word 'cacti'... so long as the user IS cacti, it will be ok - but if anyone changes the username it would fail as those files are statically named after the product not the username. I'm more than happy for anyone to take over maintainership of this port. I'm really stuck for time lately :(
Comment 5 Michael Muenz 2020-04-06 07:33:29 UTC
The cacti user changes in plist came from poudriere, I'll enclose an updated patch without it. Today Cacti 1.2.11 is out but no security issues, so we can stick with 1.2.10 and after merge I'll create a new PR for 1.2.11 and replace the maintainer as you already wished a couple of updates ago.
Comment 6 Michael Muenz 2020-04-06 07:34:09 UTC
Created attachment 213117: updated 1.2.10 patch
Comment 7 commit-hook 2020-04-07 14:25:30 UTC
A commit references this bug:

Author: woodsb02
Date: Tue Apr 7 14:24:40 UTC 2020
New revision: 530981
URL: https://svnweb.freebsd.org/changeset/ports/530981

Log:
  net-mgmt/cacti: Update to 1.2.10

  Changes this release: https://github.com/Cacti/cacti/blob/release/1.2.10/CHANGELOG

  PR: 245198
  Submitted by: Michael Muenz <email@example.com>
  Approved by: Daniel Austin <firstname.lastname@example.org> (maintainer)
  MFH: 2020Q2
  Security: https://www.vuxml.org/freebsd/e2b564fc-7462-11ea-af63-38d547003487.html

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 8 Ben Woods 2020-04-07 14:30:18 UTC
Committed with 1 change (the %%CACTIUSER%% and %%CACTIGROUP%% variables were deliberately used in the owner and group commands within pkg-plist, so I did not commit that part of the diff). Thanks for the patch Michael, and for your review+approval Dan. Awaiting approval from ports-secteam to merge this commit to ports quarterly branch to mitigate the security vulnerability there also.
Comment 9 commit-hook 2020-04-08 14:14:23 UTC
A commit references this bug:

Author: woodsb02
Date: Wed Apr 8 14:13:37 UTC 2020
New revision: 531118
URL: https://svnweb.freebsd.org/changeset/ports/531118

Log:
  MFH: r530981

  net-mgmt/cacti: Update to 1.2.10

  Changes this release: https://github.com/Cacti/cacti/blob/release/1.2.10/CHANGELOG

  PR: 245198
  Submitted by: Michael Muenz <email@example.com>
  Approved by: Daniel Austin <firstname.lastname@example.org> (maintainer)
  Security: https://www.vuxml.org/freebsd/e2b564fc-7462-11ea-af63-38d547003487.html

  Approved by: ports-secteam (joneum)

Changes:
  _U branches/2020Q2/
  branches/2020Q2/net-mgmt/cacti/Makefile
  branches/2020Q2/net-mgmt/cacti/distinfo
  branches/2020Q2/net-mgmt/cacti/pkg-plist
Comment 10 Ben Woods 2020-04-08 14:14:55 UTC
Committed to ports quarterly branch. Thanks again team, consider this one closed!