Comment 1 VK 2017-01-06 11:20:34 UTC

Looks like the upstream we're tracking (SF) is dead, hasn't had updates since 2011 and version 0.5.3 that we have.

Question for maintainer, could we use the Debian's GitHub repo for w3m? Looks fresh with recent fixes:

* https://github.com/tats/w3m

That's also the repo with fixes listed in the VuXML entry linked by the reporter.

Comment 2 Jason Unovitch 2017-01-08 00:48:18 UTC

It does look like we would want to start using later Github release tags (https://github.com/tats/w3m/releases).  We can switch/MFH and amend the VuXML version accordingly.  Your thoughts, nobutaka@?

Comment 3 commit-hook 2017-01-09 07:49:15 UTC

A commit references this bug:

Author: nobutaka
Date: Mon Jan  9 07:48:31 UTC 2017
New revision: 430919
URL: https://svnweb.freebsd.org/changeset/ports/430919

Log:
  - Update to 0.5.3.20170102.
  - Switch to code maintained by the Debian Project.
  - This version fixes multiple vulnerabilities.
  - Add LICENSE.
  - Add NLS option.
  - Change default Japanese character encoding to UTF-8.

  PR:		215822
  Reported by:	Daniel <d.stoye@cms.hu-berlin.de>
  MFH:		2017Q1
  Security:	http://www.vuxml.org/freebsd/eafa3aec-211b-4dd4-9b8a-a664a3f0917a.html

Changes:
  head/www/w3m/Makefile
  head/www/w3m/distinfo
  head/www/w3m/files/
  head/www/w3m/pkg-plist

Comment 4 MANTANI Nobutaka 2017-01-09 08:09:38 UTC

Thank you Daniel, Vladimir and Jason.
I have updated w3m port to 0.5.3+git20170102 that is maintained by the Debian Project and updated the VuXML entry accordingly.
I will do MFH after I get approval to do it.

ty, it's up in the ports

Comment 6 VK 2017-01-09 17:54:15 UTC

Someone please set merge-quarterly to (+), I don't have the permission yet. (and please remember to set it in teh future too, ;) )

Comment 7 commit-hook 2017-01-09 18:06:06 UTC

A commit references this bug:

Author: feld
Date: Mon Jan  9 18:05:59 UTC 2017
New revision: 430994
URL: https://svnweb.freebsd.org/changeset/ports/430994

Log:
  MFH: r430919

  - Update to 0.5.3.20170102.
  - Switch to code maintained by the Debian Project.
  - This version fixes multiple vulnerabilities.
  - Add LICENSE.
  - Add NLS option.
  - Change default Japanese character encoding to UTF-8.

  PR:		215822
  Reported by:	Daniel <d.stoye@cms.hu-berlin.de>
  Security:	http://www.vuxml.org/freebsd/eafa3aec-211b-4dd4-9b8a-a664a3f0917a.html

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/www/w3m/Makefile
  branches/2017Q1/www/w3m/distinfo
  branches/2017Q1/www/w3m/files/
  branches/2017Q1/www/w3m/pkg-plist

Comment 8 Mark Felder 2017-01-09 18:06:24 UTC

I took care of the MFH as I was grinding away at outstanding ports-secteam work and noticed this.

One last thing on this bug...

pkg-audit is reporting this when you try to install w3m:

w3m is vulnerable:
Affected versions:
<= 0.5.4
w3m -- multiple vulnerabilities
CVE: CVE-2016-9633
    <lots of CVE's...>

The fix was in www/w3m 0.5.3.20170102, but the vulnerability database will not be satisfied until there's a version 0.5.4 (which may never happen now that we're following the fork).  The VuXML database may need to be updated.

Comment 10 Mark Felder 2017-01-09 23:25:52 UTC

Your vuxml database is just out of date. Try pkg audit -F first ?

It was changed to be <0.5.3.20170102

(In reply to Mark Felder from comment #10)

You're quite right...thanks...