Bug 244987 - www/tomcat9: MFH port r526773 (Security update: CVE-2020-1938)
Summary: www/tomcat9: MFH port r526773 (Security update: CVE-2020-1938)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jochen Neumeister
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-03-22 21:09 UTC by Harrison Grundy
Modified: 2020-04-02 04:56 UTC (History)
3 users (show)

See Also:
harrison.grundy: maintainer-feedback? (vvd)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Harrison Grundy 2020-03-22 21:09:28 UTC 
MFH 526773 for CVE-2020-1938
Comment 2 Harrison Grundy 2020-03-23 00:10:56 UTC 
The commit needs to be tagged for merging from Latest to Quarterly, since it's a security update. (That 526773 there is the commit that needs to be merged.)
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2020-03-23 00:13:39 UTC 
Did you said about branches/2020Q1?
Comment 4 Vladimir Druzenko freebsd_committer freebsd_triage 2020-03-23 00:14:21 UTC 
Ah, you don't need my maintainer-feedback. Ok.
Comment 5 Harrison Grundy 2020-03-23 00:14:39 UTC 
Yep, that's it.
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2020-03-23 00:15:28 UTC 
Other tomcat versions need this MFH too: tomcat85, but tomcat7 isn't updated yet.
Comment 7 Harrison Grundy 2020-03-23 00:17:00 UTC 
If you stick a note in future security updates that they need to be merged from head, it looks like usually they'll get picked up.
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-23 02:26:26 UTC 
(In reply to VVD from comment #6)

Could you list all the required port merges in the following form please:

www/tomcat<version>: ports rXXXXXX (bug XXXXX)
www/tomcat<version>: ports rXXXXXX (bug XXXXX)
www/tomcat<version>: ports rXXXXXX (bug XXXXX)

Where ports rXXXXX refers to the revision id of the head commit that has already taken place), and bug XXXX refers to the existing/previous bugzilla bug ID that the original commit was committed via, if a bug was created for it.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-23 02:27:40 UTC 
Also, can someone please clarify:

- the current state of VuXML entries for all tomcat versions and whether entries are needed or missing
- Provide links to the changelogs for each tomcat port version, and mention the 'range' of versions covered in the head commits that last landed, so we can include *all* vulnerabilities in all intermediate versions
Comment 10 Vladimir Druzenko freebsd_committer freebsd_triage 2020-03-23 19:24:31 UTC 
(In reply to Kubilay Kocak from comment #8)
> www/tomcat<version>: ports rXXXXXX (bug XXXXX)

www/tomcat9: ports r526773 (bug 244256) - 9.0.31
www/tomcat9: ports r528794 (bug 244864) - 9.0.33

www/tomcat85: ports r526774 (bug 244255) - 8.5.51
www/tomcat85: ports r528795 (bug 244865) - 8.5.53

www/tomcat7 not fixed yet.
Comment 11 Jochen Neumeister freebsd_committer freebsd_triage 2020-04-02 04:56:10 UTC 
so, there is now 2020Q2 active, i will close here.