Bug 206193 - www/h2o: Update to 1.6.2, Add security/vuxml entry
Summary: www/h2o: Update to 1.6.2, Add security/vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Martin Wilke
Keywords: easy, patch, security
Depends on:
Reported: 2016-01-13 11:25 UTC by Dave Cottlehuber
Modified: 2016-01-19 09:49 UTC

See Also:
koobs: merge-quarterly?

patch including security vuln.xml update & h2o version bump (2.54 KB, text/plain)
2016-01-13 11:25 UTC, Dave Cottlehuber
koobs: maintainer-approval+

Description Dave Cottlehuber freebsd_committer 2016-01-13 11:25:17 UTC
Created attachment 165494
patch including security vuln.xml update & h2o version bump

# change log

www/h2o: update to 1.6.2 to resolve CVE-2016-1133

NB: the issue was reported on the h2o project's public issue list

# checks

- poudriere      OK (10.2 amd64)
- portlint -AC   OK

WARN: /usr/ports/www/h2o/pkg-plist: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: Makefile: possible use of absolute pathname "/var/log/${PORTNAME}...".
0 fatal errors and 5 warnings found.

# poudriere


# pretty diff

Comment 1 Dave Cottlehuber freebsd_committer 2016-01-13 11:29:54 UTC
COMMITTERS: this needs to be merged into quarterly updates as well -- thanks!
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-01-13 11:32:48 UTC
Thanks for your submission Dave :)

For future issues, please:

 * Set maintainer-approval to + on attachments for ports you are maintainer of. You can do this with Attachment -> Flags: maintainer-approval [+]
 * Omit [tags] in Summary
 * Feel free to just confirm your changes pass QA (portlint, poudriere), rather than using attachments or remote links to logs

Comment 3 commit-hook freebsd_committer 2016-01-15 15:22:53 UTC
A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:22:44 UTC 2016
New revision: 406163
URL: https://svnweb.freebsd.org/changeset/ports/406163

  - Document h2o -- directory traversal vulnerability

  PR:		206193

Comment 4 commit-hook freebsd_committer 2016-01-15 15:41:02 UTC
A commit references this bug:

Author: miwi
Date: Fri Jan 15 15:40:37 UTC 2016
New revision: 406168
URL: https://svnweb.freebsd.org/changeset/ports/406168

  - Update to 1.6.2

  PR:		206193
  Submitted by:	maintainer
  MFH:		2016Q1
  Security:	6c808811-bb9a-11e5-a65c-485d605f4717

Comment 5 Martin Wilke freebsd_committer 2016-01-15 15:41:36 UTC
Thank you.
Comment 6 commit-hook freebsd_committer 2016-01-19 09:49:07 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jan 19 09:48:59 UTC 2016
New revision: 406677
URL: https://svnweb.freebsd.org/changeset/ports/406677

  MFH: r405714, r406010 (manual; www/h2o only), r406168

  www/h2o: update 1.6.0 -> 1.6.2 and add LibreSSL option
  - OPTIONS: Add bundled LIBRESSL option and set as default
    - HTTP/2 support requires TLS ALPN extension missing in base OpenSSL
    - Upstream expectation is the bundled LibreSSL is used to support HTTP/2
    - Enables ChaCha20-Poly1305 ciphers as a bonus
  - Update sample configuration file
  - Fix typos in USE_* knobs for www/h2o

  Changes:	https://github.com/h2o/h2o/releases/tag/v1.6.1
  Changes:	https://github.com/h2o/h2o/releases/tag/v1.6.2

  PR:		205946
  PR:		206193
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
  Approved by:	ports-secteam (miwi)
  Security:	6c808811-bb9a-11e5-a65c-485d605f4717

_U  branches/2016Q1/