Created attachment 155186
Security update dulwich-0.10.1a.patch

- Security update to 0.10.1a release (Request MFH to quarterly branch, freebsd-portmgr@FreeBSD.org CC'ed)
  Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706
- Update patches

Note: Hg-Git extension works with Mercurial up to 3.3.2, but does not on version 3.3.3. A fix is being developed upstream and coming soon.

Tests on head, stable/10, releng/9.3 - amd64:
- portlint
- poudriere testport + bulk, logs available
- pkg install + delete
- runtime on stable/10 amd64 (in combination with devel/hg-git)

Thanks!
Created attachment 155187
vuxml database patch

vuxml database patch
Thanks for your submission Marco. Can you additionally please:

* Attach portlint -AC output
* Attach poudriere testport (or bulk -t) output
* Attach `make validate` output for VuXML changes (See: 11.3.3 in Porters Handbook [1])

Also, can you explain why all of the changes are needed for SOURCES.txt and setup.py?

[1] http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Created attachment 155369
py27-dulwich-0.10a.log

The changes to SOURCES.txt, MANIFEST.in and setup.py are there to disable building and installing all the tests. They are pointless to the user and several tests are broken even in upstream's environments. It does not make sense to install / run them at the moment.

For the other things, see the attached log and posted output.

# portlint -AC
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
0 fatal errors and 1 warning found.

This is bogus. It is not a new port! portlint -C is more reasonable.

# portlint -C
looks fine.

The poudriere testport log file is attached.

I know the Porter's Handbook section about VuXML. There are already new entries for other ports. So I guess the patch will not apply anymore. Btw, this whole VuXML procedure is a pain in the ass. Do not get me wrong, but unless something changes there I do not care about it in the future.

The make validate output is not attached (~ 14 MiB output), because it does not validate and never has for me with or without my patch. I do not exactly know what is wrong with it. It fails to load the external schemes and cannot validate anything. But I guess my changes are fine.

Some example output:

====
http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:41: warning: failed to load external entity "http://www.w3.org/TR/xhtml-modularization/DTD/xhtml-datatypes-1.mod"
[...]
http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:82: warning: failed to load external entity "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd"
[...]
vuln.xml:59: element vuxml: validity error : No declaration for attribute xmlns of element vuxml
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
^
vuln.xml:60: element vuln: validity error : No declaration for attribute vid of element vuln
<vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">
[...]
====

and so on for all lines of vuln.xml.
Just wondering if it is a new requirement for a submission to post all the logs? A committer has to test it anyway and I never had to post logs / output before. ;-) Thank you and regards!
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:11:16 UTC 2015
New revision: 384191
URL: https://svnweb.freebsd.org/changeset/ports/384191

Log:
  Document new Dulwich vulnerability.
  CVE-2015-0838

  PR: 199162
  Submitted by: Marco Bröder (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Committed. Thanks.
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:47:43 UTC 2015
New revision: 384194
URL: https://svnweb.freebsd.org/changeset/ports/384194

Log:
  - Update to 0.10.1a

  PR: 199162
  Submitted by: Marco Bröder (maintainer)
  MFH: 2015Q2
  Security: https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html

Changes:
  head/devel/dulwich/Makefile
  head/devel/dulwich/distinfo
  head/devel/dulwich/files/patch-MANIFEST.in
  head/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  head/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  head/devel/dulwich/files/patch-setup.py
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 23:06:04 UTC 2015
New revision: 384195
URL: https://svnweb.freebsd.org/changeset/ports/384195

Log:
  MFH: r384194

  - Update to 0.10.1a

  PR: 199162
  Submitted by: Marco Bröder (maintainer)
  Security: https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html
  Approved by: portmgr (erwin)

Changes:
_U branches/2015Q2/
  branches/2015Q2/devel/dulwich/Makefile
  branches/2015Q2/devel/dulwich/distinfo
  branches/2015Q2/devel/dulwich/files/patch-MANIFEST.in
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-setup.py