Created attachment 175927 [details] nodejs 4.6.1 Bump to the latest upstream 4.x release. This is a security release to address the c-ares single-byte buffer overwrite, CVE-2016-5180. Note that www/node4 builds against a shared c-ares by default, so users should ensure to update dns/c-ares as well. https://nodejs.org/en/blog/release/v4.6.1/ https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ portlint: OK (-C, looks fine.) testport: OK (poudriere, 11.0-R, 10.[123]-R, 9.3-R, amd64/i386, default options) testport: OK (poudriere, 11.0-R, 10.[123]-R, 9.3-R, amd64/i386, BUNDLED_SSL enabled)
dns/c-ares should be updated as well to get the full "effect" of this release. Adding dependency on 213495.
This also needs a security/vuxml entry
Created attachment 176009 [details] updated nodejs 4.6.1 patch Bump to the latest upstream 4.x release. This is a security release to address the c-ares single-byte buffer overwrite, CVE-2016-5180. Note that www/node4 builds against a shared c-ares by default, so users should ensure to update dns/c-ares as well. Cleanup clang vs. gcc handling by using USES=compiler:c++-lib https://nodejs.org/en/blog/release/v4.6.1/ https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
See 213800 for vuxml entries :)
A commit references this bug: Author: feld Date: Fri Oct 28 13:42:28 UTC 2016 New revision: 424840 URL: https://svnweb.freebsd.org/changeset/ports/424840 Log: www/node4: Update to 4.6.1 PR: 213603 Security: CVE-2016-5180 Changes: head/www/node4/Makefile head/www/node4/distinfo
A commit references this bug: Author: feld Date: Fri Oct 28 13:42:54 UTC 2016 New revision: 424841 URL: https://svnweb.freebsd.org/changeset/ports/424841 Log: MFH: r424840 www/node4: Update to 4.6.1 PR: 213603 Security: CVE-2016-5180 Approved by: ports-secteam (with hat) Changes: _U branches/2016Q4/ branches/2016Q4/www/node4/Makefile branches/2016Q4/www/node4/distinfo