Bug 239897 - www/jetty9: Update to 9.4.20
Summary: www/jetty9: Update to 9.4.20
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jochen Neumeister
URL: https://www.eclipse.org/lists/jetty-d...
Keywords: needs-patch, security
: 239251 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-08-16 02:57 UTC by Greg Lewis
Modified: 2019-09-13 10:22 UTC (History)
5 users (show)

See Also:
bugzilla: maintainer-feedback? (dharrigan)
koobs: merge-quarterly+


Attachments
Update to 9.4.20 (44.50 KB, patch)
2019-08-16 02:57 UTC, Greg Lewis
no flags Details | Diff
Updated patch (44.12 KB, patch)
2019-08-20 17:39 UTC, Greg Lewis
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Greg Lewis freebsd_committer 2019-08-16 02:57:14 UTC
Created attachment 206606 [details]
Update to 9.4.20

* Update to 9.4.20
* Remove some unnecessary library removals from the Makefile
* Remove some unnecessary @dir directives from the packing list
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-16 03:09:47 UTC
A *substantial* number of bugfixes have been fixed between 9.3.9 (current port version, committed 18 Jun 2016) and 9.4.20, along with at least 7 security vulnerabilities, oldest dating to 2018/06/25

https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html

Pending complete review of changelogs, confirmation of QA, and VuXML entries for these security vulnerabilities.
Comment 2 Walter Schwarzenfeld freebsd_triage 2019-08-16 13:27:05 UTC
*** Bug 239251 has been marked as a duplicate of this bug. ***
Comment 3 Jochen Neumeister freebsd_committer 2019-08-20 09:15:17 UTC
There is an error: http://joneumbox.org/data/120i386-ports/2019-08-20_10h25m39s/logs/errors/jetty9-9.4.20.log

===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: %%APP_NAME%%/lib/setuid/libsetuid-linux.so
Error: Orphaned: %%APP_NAME%%/lib/setuid/libsetuid-osx.so
Error: Orphaned: @dir %%APP_NAME%%/resources
===> Checking for items in pkg-plist which are not in STAGEDIR
===> Error: Plist issues found.
*** Error code 1
Comment 4 Greg Lewis freebsd_committer 2019-08-20 17:38:28 UTC
Thanks for catching that.  I'll attach an updated patch.
Comment 5 Greg Lewis freebsd_committer 2019-08-20 17:39:37 UTC
Created attachment 206737 [details]
Updated patch
Comment 6 commit-hook freebsd_committer 2019-08-28 16:40:06 UTC
A commit references this bug:

Author: joneum
Date: Wed Aug 28 16:39:52 UTC 2019
New revision: 510078
URL: https://svnweb.freebsd.org/changeset/ports/510078

Log:
  Update to 9.4.20

  Changelog: https://www.eclipse.org/lists/jetty-dev/msg03343.html

  PR:		239897
  MFH:		2019Q3
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/jetty9/Makefile
  head/www/jetty9/distinfo
  head/www/jetty9/pkg-plist
Comment 7 commit-hook freebsd_committer 2019-08-28 16:45:08 UTC
A commit references this bug:

Author: joneum
Date: Wed Aug 28 16:44:31 UTC 2019
New revision: 510080
URL: https://svnweb.freebsd.org/changeset/ports/510080

Log:
  MFH: r510078

  Update to 9.4.20

  Changelog: https://www.eclipse.org/lists/jetty-dev/msg03343.html

  PR:		239897
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/jetty9/Makefile
  branches/2019Q3/www/jetty9/distinfo
  branches/2019Q3/www/jetty9/pkg-plist
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-02 08:09:29 UTC
Was there a vuxml entry created for these (7+) vulnerabilities?
Comment 9 Jochen Neumeister freebsd_committer 2019-09-12 08:59:36 UTC
i don't see anything in the log for a vuxml that i would add as a port-secteam member
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-12 11:45:18 UTC
(In reply to Jochen Neumeister from comment #9)

In the security reports link mentioned in comment 1:

https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html

The version diff for this change was  9.3.9 -> 9.4.20.

There are 7 CVE's, for this version range, again mentioned in comment 1, none of which have been documented in VuXML

Here's is the explicit list:

CVE-2019-10247
CVE-2019-10246
CVE-2019-10241
CVE-2018-12536
CVE-2017-7658
CVE-2017-7657
CVE-2017-7656

Triage: While I'm here, set merge-quarterly correctly (the change was merged)

Pending VuXML entries
Comment 11 Jochen Neumeister freebsd_committer 2019-09-13 05:42:22 UTC
so please add a patch for vuxml
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-13 10:22:28 UTC
(In reply to Jochen Neumeister from comment #11)

I'm sorry Jochen, I'm doing this for triage purposes, so security issues don't get missed for our users.

It is usual for either the Reporter, the port Maintainer or the Assignee of the issue in the last instance, to take care of the correct and appropriate changes