Maintainer of devel/cgit,

Cgit has announced several security vulnerabilities [1] are fixed in the most recent upstream release [2]. Can you please provide a tested patch for the port?

[1] http://www.openwall.com/lists/oss-security/2016/01/14/3
[2] http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html
Take and add CC. I'll be working this security update.
Created attachment 165849: Untested patch with update

Untested patch with update to 0.12. I don't have access to a poudriere just this moment, so it would be great if someone could poudriere-test this patch.
Redundant line in pkg-plist:

%%PORTDOCS%%%%DOCSDIR%%/%%PORTNAME%%rc.5.txt

This file was listed in PORTDOCS.
A commit references this bug:

Author: junovitch
Date: Wed Jan 20 23:41:20 UTC 2016
New revision: 406815
URL: https://svnweb.freebsd.org/changeset/ports/406815

Log:
  Document cgit -- multiple vulnerabilities

  PR:		206417
  Security:	CVE-2016-1899
  Security:	CVE-2016-1900
  Security:	CVE-2016-1901
  Security:	https://vuxml.FreeBSD.org/freebsd/62c0dbbd-bfce-11e5-b5fe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: junovitch
Date: Wed Jan 20 23:42:59 UTC 2016
New revision: 406816
URL: https://svnweb.freebsd.org/changeset/ports/406816

Log:
  devel/cgit: update 0.11.2 -> 0.12

  Changes:	http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html
  PR:		206417
  Submitted by:	Kevin Zheng <kevinz5000@gmail.com> (maintainer)
  Security:	CVE-2016-1899
  Security:	CVE-2016-1900
  Security:	CVE-2016-1901
  Security:	https://vuxml.FreeBSD.org/freebsd/62c0dbbd-bfce-11e5-b5fe-002590263bf5.html
  MFH:		2016Q1

Changes:
  head/devel/cgit/Makefile
  head/devel/cgit/distinfo
  head/devel/cgit/pkg-plist
A commit references this bug:

Author: junovitch
Date: Thu Jan 21 01:24:45 UTC 2016
New revision: 406817
URL: https://svnweb.freebsd.org/changeset/ports/406817

Log:
  MFH: r406816

  devel/cgit: update 0.11.2 -> 0.12

  Changes:	http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html
  PR:		206417
  Submitted by:	Kevin Zheng <kevinz5000@gmail.com> (maintainer)
  Approved by:	ports-secteam (miwi)
  Security:	CVE-2016-1899
  Security:	CVE-2016-1900
  Security:	CVE-2016-1901
  Security:	https://vuxml.FreeBSD.org/freebsd/62c0dbbd-bfce-11e5-b5fe-002590263bf5.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/devel/cgit/Makefile
  branches/2016Q1/devel/cgit/distinfo
  branches/2016Q1/devel/cgit/pkg-plist
(In reply to Kevin Zheng from comment #2)

Done. Poudriere was clean on 9.3 -> CURRENT after the removal of the redundant line mentioned in comment 3. Thank you for the quick turnaround.

- Set merge-quarterly+ as it was approved by ports-secteam (miwi)
- Set maintainer-feedback+ as the patch was from the port's maintainer
- Fix keywords: drop needs-patch and needs-qa and add patch/patch-ready
- Close PR