Created attachment 185433 [details]
Patch to update py-supervisor

The attached patch updates the sysutils/supervisor port to version 3.3.3 (currently latest):
- Fix for CVE-2017-11610.
- Use the "-j" switch to specify the pid file in the rc-script
- Dynamically create the "/var/run/supervisor" directory in the rc-script now
- Fixed some other issues reported by portlint and "make stage-qa"
Created attachment 185434 [details]
Patch to insert the security issue into vuxml
A commit references this bug:

Author: dbaio
Date: Tue Aug 15 19:18:16 UTC 2017
New revision: 448003
URL: https://svnweb.freebsd.org/changeset/ports/448003

Log:
  security/vuxml: Document vulnerability in sysutils/py-supervisor

  PR:           221539
  Submitted by: Franz Glasner <f.glasner@feldmann-mg.com>
  Security:     CVE-2017-11610

Changes:
  head/security/vuxml/vuln.xml
Comment on attachment 185433 [details]
Patch to update py-supervisor

Could someone from the secteam take a look at that and commit? Looks like the maintainer isn't reacting and this should be patched asap..
I would omit any non-security-related changes (if there are any) in the attached patch, to reduce complexity and isolate unrelated changes.
Created attachment 185638 [details]
2nd (revised) patch that does only the upgrade to 3.3.3

Here is a new patch that only updates to supervisor 3.3.3 and fixes the CVE. Non-security-related changes from the first patch are omitted.
Much appreciated Franz
*bump* (again).. Since there is now a patch containing just the security-related stuff - can this be committed by the secteam asap? Thanks!
... maintainer-timeout?
Comment on attachment 185638 [details]
2nd (revised) patch that does only the upgrade to 3.3.3

Approved by: portmgr (maintainer timeout, 1 month)
There appear to be unrelated and likely incorrect changes in the patches, including but not limited to path changes:

-+ searchpaths = [ '%%PREFIX%%/etc/supervisord.conf' ]
++ searchpaths = [ '/usr/local/etc/supervisord.conf' ]

-file=/var/run/supervisor/supervisor.sock ; (the path to the socket file)
+file=/tmp/supervisor.sock ; the path to the socket file

among others
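Review bot: both quoted changes should be dropped from the update rather than committed alongside the CVE fix, since neither is needed for it. In the `-+ searchpaths = [ '%%PREFIX%%/etc/supervisord.conf' ]` / `++ searchpaths = [ '/usr/local/etc/supervisord.conf' ]` pair (the leading `-+`/`++` indicate this is a change to the port's own patch file) the ports `%%PREFIX%%` substitution is replaced by a hardcoded default prefix, which breaks any installation with a non-default PREFIX. In the `-file=/var/run/supervisor/supervisor.sock` / `+file=/tmp/supervisor.sock` pair the supervisord control socket moves from its own directory under /var/run into the world-writable, shared /tmp, which is a hardening regression unrelated to the security update and, if wanted at all, belongs in a separate change with its own justification.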
Created attachment 186416 [details]
Update py-supervisor to v3.3.3 - only for SecFix

- Update to v3.3.3, fixes Security Vulnerability
- Add shebangfix

----
===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
===> No pkg-plist issues found (check-plist)
====>> Checking for staging violations... done
=======================<phase: package        >============================
===>  Building package for py27-supervisor-3.3.3,1
----
Created attachment 186417 [details]
3.3.3 (secfix) + shebangfix

Fix empty-line typo..

----
Update py-supervisor to v3.3.3 - only for SecFix

- Update to v3.3.3, fixes Security Vulnerability
- Add shebangfix
----
===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
===> No pkg-plist issues found (check-plist)
====>> Checking for staging violations... done
=======================<phase: package        >============================
===>  Building package for py27-supervisor-3.3.3,1
----
Created attachment 186419 [details]
3.3.3 (secfix)

- Update to v3.3.3, fixes Security Vulnerability

(Does not include shebangfix and license. This will follow in a second step.)
Comment on attachment 186419 [details]
3.3.3 (secfix)

Reviewed by: koobs (python)
Approved by: portmgr (maintainer timeout, 1+ month)
Comment on attachment 186417 [details]
3.3.3 (secfix) + shebangfix

Approved by: portmgr (maintainer timeout, 1+ month)
Shebangfix will need to land with the update (secfix); stage-qa is currently a fatal error.
A commit references this bug:

Author: koobs
Date: Sat Sep 16 03:59:26 UTC 2017
New revision: 449941
URL: https://svnweb.freebsd.org/changeset/ports/449941

Log:
  sysutils/py-supervisor: Update to 3.3.3

  Update to 3.3.3, which fixes a security vulnerability (CVE-2017-11610).

  While I'm here, level up port compliance, limiting changes to a minimum.

  Still TODO:

  - Regenerate/verify patches
  - Clarify/Add LICENSE ('BSD-derived')
  - Fix/verify use of @[un]exec in pkg-plist

  Changelog: http://supervisord.org/changes.html

  PR:           221539
  Submitted by: Dani <i.dani outlook com>
  Approved by:  portmgr (maintainer timeout, 1 month)
  Security:     c9460380-81e3-11e7-93af-005056925db4
  MFH:          2017Q3

Changes:
  head/sysutils/py-supervisor/Makefile
  head/sysutils/py-supervisor/distinfo
A commit references this bug:

Author: feld
Date: Tue Sep 19 01:21:56 UTC 2017
New revision: 450093
URL: https://svnweb.freebsd.org/changeset/ports/450093

Log:
  MFH: r449941

  sysutils/py-supervisor: Update to 3.3.3

  Update to 3.3.3, which fixes a security vulnerability (CVE-2017-11610).

  While I'm here, level up port compliance, limiting changes to a minimum.

  Still TODO:

  - Regenerate/verify patches
  - Clarify/Add LICENSE ('BSD-derived')
  - Fix/verify use of @[un]exec in pkg-plist

  Changelog: http://supervisord.org/changes.html

  PR:           221539
  Submitted by: Dani <i.dani outlook com>
  Approved by:  portmgr (maintainer timeout, 1 month)
  Security:     c9460380-81e3-11e7-93af-005056925db4

  Approved by:  ports-secteam (with hat)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/sysutils/py-supervisor/Makefile
  branches/2017Q3/sysutils/py-supervisor/distinfo