Bug 206193 - www/h2o: Update to 1.6.2, Add security/vuxml entry
Summary: www/h2o: Update to 1.6.2, Add security/vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Martin Wilke
URL:
Keywords: easy, patch, security
Depends on:
Blocks:
 
Reported: 2016-01-13 11:25 UTC by Dave Cottlehuber
Modified: 2016-01-19 09:49 UTC

See Also:
koobs: merge-quarterly?


Attachments
patch including security vuln.xml update & h2o version bump (2.54 KB, text/plain)
2016-01-13 11:25 UTC, Dave Cottlehuber
koobs: maintainer-approval+

Description Dave Cottlehuber freebsd_committer freebsd_triage 2016-01-13 11:25:17 UTC
Created attachment 165494
patch including security vuln.xml update & h2o version bump

# change log

www/h2o: update to 1.6.2 to resolve CVE-2016-1133

NB issue was reported on h2o project public issue list

# checks

- poudriere      OK (10.2 amd64)
- portlint -AC   OK


WARN: /usr/ports/www/h2o/pkg-plist: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: Makefile: possible use of absolute pathname "/var/log/${PORTNAME}...".
0 fatal errors and 5 warnings found.

# poudriere

http://pkg.skunkwerks.at/poudriere/data/latest-per-pkg/h2o/1.6.2/

# pretty diff

https://github.com/dch/freebsd-ports/tree/h2o
Comment 1 Dave Cottlehuber freebsd_committer freebsd_triage 2016-01-13 11:29:54 UTC
COMMITTERS: this needs to be merged into quarterly updates as well -- thanks!
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-01-13 11:32:48 UTC
Thanks for your submission Dave :)

For future issues, please:

 * Set maintainer-approval to + on attachments for ports you are maintainer of. You can do this with Attachment -> Flags: maintainer-approval [+]
 * Omit [tags] in Summary
 * Feel free to just confirm your changes pass QA (portlint, poudriere), rather than using attachments or remote links to logs

Thanks!
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-01-15 15:22:53 UTC
A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:22:44 UTC 2016
New revision: 406163
URL: https://svnweb.freebsd.org/changeset/ports/406163

Log:
  - Document h2o -- directory traversal vulnerability

  PR:		206193

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-01-15 15:41:02 UTC
A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:40:37 UTC 2016
New revision: 406168
URL: https://svnweb.freebsd.org/changeset/ports/406168

Log:
  - Update to 1.6.2

  PR:		206193
  Submitted by:	maintainer
  MFH:		2016Q1
  Security:	6c808811-bb9a-11e5-a65c-485d605f4717

Changes:
  head/www/h2o/Makefile
  head/www/h2o/distinfo
Comment 5 Martin Wilke freebsd_committer freebsd_triage 2016-01-15 15:41:36 UTC
Thank you.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-01-19 09:49:07 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jan 19 09:48:59 UTC 2016
New revision: 406677
URL: https://svnweb.freebsd.org/changeset/ports/406677

Log:
  MFH: r405714, r406010 (manual; www/h2o only), r406168

  www/h2o: update 1.6.0 -> 1.6.2 and add LibreSSL option
  - OPTIONS: Add bundled LIBRESSL option and set as default
    - HTTP/2 support requires TLS ALPN extension missing in base OpenSSL
    - Upstream expectation is the bundled LibreSSL is used to support HTTP/2
    - Enables ChaCha20-Poly1305 ciphers as a bonus
  - Update sample configuration file
  - Fix typos in USE_* knobs for www/h2o

  Changes:	https://github.com/h2o/h2o/releases/tag/v1.6.1
  Changes:	https://github.com/h2o/h2o/releases/tag/v1.6.2

  PR:		205946
  PR:		206193
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
  Approved by:	ports-secteam (miwi)
  Security:	6c808811-bb9a-11e5-a65c-485d605f4717

Changes:
_U  branches/2016Q1/
  branches/2016Q1/www/h2o/Makefile
  branches/2016Q1/www/h2o/distinfo
  branches/2016Q1/www/h2o/files/h2o.conf.sample