Bug 279728

Summary:

net-im/conduit: upgrade to 0.8.0 to fix serious security issue

Product:

Ports & Packages

Reporter:

Lapo Luchini <lapo>

Component:

Individual Port(s)

Assignee:

Ashish SHUKLA <ashish>

Status:

Closed FIXED

Severity:

Affects Only Me

Flags:

ashish: maintainer-feedback+

Priority:

---

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
Trivial upgrade to 0.8.0	none
tested with poudriere on 13.2 and 14.1	none

Description Lapo Luchini 2024-06-14 07:27:34 UTC

New 0.8.0 release to fix a grave security issue.

https://conduit.rs/changelog/

Comment 1 Lapo Luchini 2024-06-14 08:31:46 UTC

Created attachment 251449 [details]
Trivial upgrade to 0.8.0

Upgrade seems to be trivial, I tested this manually (at first glance seems to work fine) and I'm currently running this on my poudriere, but it will take a while (needs to update both rust and llvm).

Comment 2 Lapo Luchini 2024-06-14 08:37:44 UTC

Oh, sorry, that patch was against 0.6.0_6, not against 0.7.0.

Comment 3 Lapo Luchini 2024-06-14 14:25:12 UTC

Created attachment 251451 [details]
tested with poudriere on 13.2 and 14.1

Comment 4 Ashish SHUKLA freebsd_committer

2024-06-14 16:30:57 UTC

Thank you. I'm taking a look at this, and once it finishes building, and no issues, I'll commit it.

Comment 5 commit-hook freebsd_committer

2024-06-15 07:40:54 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=638793efa7ccb592897e18e6bcbb69b3e90bdf07

commit 638793efa7ccb592897e18e6bcbb69b3e90bdf07
Author:     Lapo Luchini <lapo@lapo.it>
AuthorDate: 2024-06-14 16:34:47 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-06-15 07:38:51 +0000

    net-im/conduit: Update to 0.8.0 to fix security issue

    PR:             279728
    MFH:            2024Q2 (security issue)

 net-im/conduit/Makefile        |   5 +-
 net-im/conduit/Makefile.crates | 318 ++++++++++----------
 net-im/conduit/distinfo        | 642 ++++++++++++++++++++++-------------------
 3 files changed, 512 insertions(+), 453 deletions(-)

Comment 6 commit-hook freebsd_committer

2024-06-15 07:44:55 UTC

A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a002e5d7fa36abbe9d4a46f7a8854ed68a7d46a1

commit a002e5d7fa36abbe9d4a46f7a8854ed68a7d46a1
Author:     Lapo Luchini <lapo@lapo.it>
AuthorDate: 2024-06-14 16:34:47 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-06-15 07:43:49 +0000

    net-im/conduit: Update to 0.8.0 to fix security issue

    PR:             279728
    MFH:            2024Q2 (security issue)
    (cherry picked from commit 638793efa7ccb592897e18e6bcbb69b3e90bdf07)

 net-im/conduit/Makefile        |   5 +-
 net-im/conduit/Makefile.crates | 318 ++++++++++----------
 net-im/conduit/distinfo        | 642 ++++++++++++++++++++++-------------------
 3 files changed, 512 insertions(+), 453 deletions(-)

Comment 7 Ashish SHUKLA freebsd_committer

2024-06-15 07:57:23 UTC

Committed, thanks!

Comment 8 Lapo Luchini 2024-06-17 07:44:51 UTC

Thank you!

PS: I didn't propose changes against the security issues XML, do you think it would make sense to do it?

Comment 9 Ashish SHUKLA freebsd_committer

2024-06-17 16:06:41 UTC

(In reply to Lapo Luchini from comment #8)

Hi,

I was hoping for a formal announcement from conduit team on that. Because there is no CVE, nor the details about the vulnerability in the changelog.[0]

Please feel free to prepare one[1] if you have the requisite information, and attach here.

References:

[0] https://conduit.rs/changelog/#v0-8-0-2024-06-12
[1] https://docs.freebsd.org/en/books/porters-handbook/security/index.html#security-notify

Thanks!