MFH 526773 for CVE-2020-1938
??? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244256 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244864
The commit needs to be tagged for merging from Latest to Quarterly, since it's a security update. (That 526773 there is the commit that needs to be merged.)
Are you talking about branches/2020Q1?
Ah, you don't need my maintainer-feedback. Ok.
Yep, that's it.
Other tomcat versions need this MFH too: tomcat85, but tomcat7 isn't updated yet.
If you stick a note in future security updates that they need to be merged from head, it looks like usually they'll get picked up.
(In reply to VVD from comment #6)

Could you list all the required port merges in the following form please:

www/tomcat<version>: ports rXXXXXX (bug XXXXX)
www/tomcat<version>: ports rXXXXXX (bug XXXXX)
www/tomcat<version>: ports rXXXXXX (bug XXXXX)

Where ports rXXXXX refers to the revision id of the head commit (that has already taken place), and bug XXXX refers to the existing/previous bugzilla bug ID that the original commit was committed via, if a bug was created for it.
Also, can someone please clarify:

- the current state of VuXML entries for all tomcat versions and whether entries are needed or missing
- Provide links to the changelogs for each tomcat port version, and mention the 'range' of versions covered in the head commits that last landed, so we can include *all* vulnerabilities in all intermediate versions
(In reply to Kubilay Kocak from comment #8)

> www/tomcat<version>: ports rXXXXXX (bug XXXXX)

www/tomcat9: ports r526773 (bug 244256) - 9.0.31
www/tomcat9: ports r528794 (bug 244864) - 9.0.33
www/tomcat85: ports r526774 (bug 244255) - 8.5.51
www/tomcat85: ports r528795 (bug 244865) - 8.5.53
www/tomcat7 not fixed yet.
So, there is now 2020Q2 active, I will close here.