Bug 238864 - textproc/expat2: Update to 2.2.7
Summary: textproc/expat2: Update to 2.2.7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Kurt Jaeger
URL: https://github.com/libexpat/libexpat
Keywords: security
Duplicates: 238715
Depends on: 239282
Blocks:
Reported: 2019-06-28 11:50 UTC by Sergei Vyshenski
Modified: 2019-09-25 17:45 UTC

See Also:
svysh.fbsd: maintainer-feedback+
antoine: merge-quarterly-


Attachments
patch to update the port (1.61 KB, patch)
2019-06-28 11:50 UTC, Sergei Vyshenski
svysh.fbsd: maintainer-approval+
vuxml entry (1.41 KB, patch)
2019-06-28 13:35 UTC, Sergei Vyshenski
svysh.fbsd: maintainer-approval+
patch-to-2.2.8 (1.39 KB, patch)
2019-09-15 18:28 UTC, Kurt Jaeger
no flags

Description Sergei Vyshenski 2019-06-28 11:50:11 UTC
Created attachment 205397
patch to update the port

- Update 2.2.6 --> 2.2.7
	Changes: 
	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
- "portlint -AC" gives non-relevant warnings.
- testport of poudriere 3.3.2_1 runs ok at 12.0-release-p6, amd64.
- As 222 ports depend on this one, maybe exprun is needed?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-28 11:56:38 UTC
Given this also fixes a security vulnerability that should be merged to the quarterly branch, an exp-run is probably justified.

@Sergei Could you produce a vuxml entry for this issue?
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-28 11:58:24 UTC
I checked to see whether this was "just a point release", but there appear to be sufficient functional changes to warrant extra QA, in particular:

- #212  CMake: Make libdir of pkgconfig expat.pc support multilib
- #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop exporting non-API symbols
Comment 3 Sergei Vyshenski 2019-06-28 13:35:40 UTC
Created attachment 205398
vuxml entry
Comment 5 Tobias Kortkamp freebsd_committer freebsd_triage 2019-07-03 11:57:22 UTC
*** Bug 238715 has been marked as a duplicate of this bug. ***
Comment 6 Sergei Vyshenski 2019-08-20 16:43:20 UTC
@Antoine:
The problem seems to be fixed now: cf PR#239282
Comment 7 Sergei Vyshenski 2019-09-15 16:34:13 UTC
Security fix release 2.2.8 is available:

https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes

Shall I wait for the commit of 2.2.7, or shall I submit a new patch with 2.2.8 now? Asking because of exp-run etc.
Comment 8 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-15 18:28:51 UTC
Created attachment 207511
patch-to-2.2.8

Update to 2.2.8, probably needs a new exp-run?
Comment 9 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-15 18:30:20 UTC
and: we need an additional vuxml entry for the new vulnerability?
Comment 10 Antoine Brodin freebsd_committer freebsd_triage 2019-09-16 05:26:45 UTC
Please update the port to 2.2.7 (exp-run was already done).

If you want to update to 2.2.8, open another PR, but the exp-run won't happen before a few days.
Comment 11 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:17:33 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:16:56 UTC 2019
New revision: 512162
URL: https://svnweb.freebsd.org/changeset/ports/512162

Log:
  textproc/expat2: upgrade 2.2.6 -> 2.2.7

  - exp-run by antoine

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Reviewed by:	koobs
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
  Security:	https://github.com/libexpat/libexpat/issues/186
  		https://github.com/libexpat/libexpat/pull/262

Changes:
  head/textproc/expat2/Makefile
  head/textproc/expat2/distinfo
  head/textproc/expat2/pkg-plist
Comment 12 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:20:37 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:19:51 UTC 2019
New revision: 512164
URL: https://svnweb.freebsd.org/changeset/ports/512164

Log:
  security/vuxml: document expat2 pre-2.2.7 vulnerability

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 13 Kurt Jaeger freebsd_committer freebsd_triage 2019-09-16 11:21:18 UTC
Committed, thanks!
Comment 14 commit-hook freebsd_committer freebsd_triage 2019-09-16 11:45:47 UTC
A commit references this bug:

Author: pi
Date: Mon Sep 16 11:45:33 UTC 2019
New revision: 512172
URL: https://svnweb.freebsd.org/changeset/ports/512172

Log:
  security/vuxml: fix vuln.xml entry for expat

  PR:		238864
  Submitted by:	tobik

Changes:
  head/security/vuxml/vuln.xml
Comment 15 commit-hook freebsd_committer freebsd_triage 2019-09-25 17:45:45 UTC
A commit references this bug:

Author: delphij
Date: Wed Sep 25 17:45:04 UTC 2019
New revision: 512800
URL: https://svnweb.freebsd.org/changeset/ports/512800

Log:
  MFH: r512162, r512335

  textproc/expat2: upgrade 2.2.6 -> 2.2.7

  - exp-run by antoine

  PR:		238864
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Reviewed by:	koobs
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
  Security:	https://github.com/libexpat/libexpat/issues/186
  		https://github.com/libexpat/libexpat/pull/262

  textproc/expat2: upgrade 2.2.7 -> 2.2.8

  PR:		240613
  Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
  Exp-Run by:	antoine
  Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
  Security:	CVE-2019-15903

  Approved by:	ports-secteam

Changes:
_U  branches/2019Q3/
  branches/2019Q3/textproc/expat2/Makefile
  branches/2019Q3/textproc/expat2/distinfo
  branches/2019Q3/textproc/expat2/pkg-plist