Bug 247713 - www/trafficserver: update to fix CVE-2020-9494, add vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Kurt Jaeger
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-07-02 12:08 UTC by rob2g2
Modified: 2020-08-10 10:10 UTC
CC List: 7 users

See Also:
gaod: maintainer-feedback+
pi: merge-quarterly+


Attachments
patch to inform trafficserver users of CVE-2020-9494 (1.04 KB, patch)
2020-07-02 12:08 UTC, rob2g2
trafficserver 8.0.8 (fixes CVE-2020-9494) (1.25 KB, patch)
2020-07-03 08:09 UTC, Li-Wen Hsu
update to 8.0.8 for CVE-2020-9494 (1.07 KB, patch)
2020-07-12 18:25 UTC, Hung-Yi Chen

Description rob2g2 2020-07-02 12:08:10 UTC
Created attachment 216136
patch to inform trafficserver users of CVE-2020-9494
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-03 02:11:55 UTC
If there are issues related to addressing these security vulnerabilities, please include them in this issue's "Depends On" field. If they don't exist, please create them for any/all affected port origins.
Comment 2 Li-Wen Hsu freebsd_committer 2020-07-03 08:09:51 UTC
Created attachment 216160
trafficserver 8.0.8 (fixes CVE-2020-9494)
Comment 3 Hung-Yi Chen 2020-07-12 18:25:13 UTC
Created attachment 216406
update to 8.0.8 for CVE-2020-9494
Comment 4 Hung-Yi Chen 2020-07-12 18:27:38 UTC
And only use gcc to build while enabling WCCP.
Comment 5 Jochen Neumeister freebsd_committer 2020-07-24 09:01:48 UTC
Please delete obsolete patches
Comment 6 Li-Wen Hsu freebsd_committer 2020-08-08 19:24:07 UTC
www/trafficserver still needs updating.
Comment 7 Jochen Neumeister freebsd_committer 2020-08-08 22:53:15 UTC
(In reply to Li-Wen Hsu from comment #6)

please read comment #5
Comment 8 Kurt Jaeger freebsd_committer 2020-08-09 07:47:05 UTC
This PR is confusing:
- it has a patch for security/vuxml to warn of security issue
- it has a patch for the port itself
- portmgr closed it
- the maintainer provided the patch for the port itself

Please, can someone explain the confusion?
Comment 9 Li-Wen Hsu freebsd_committer 2020-08-09 07:57:03 UTC
(In reply to Kurt Jaeger from comment #8)
Here is the story (as I understand it):
1. The reporter submitted a vuxml entry to notify about the security issue.
2. I provided a patch to update the port to fix the issue, waiting for the maintainer to check it.
3. The maintainer provided a patch.
4. ports-secteam wanted to check which patch (to the port) should be used.
5. Due to busy(tm), feedback timeout.
6. I got the notification and want to work on it again to fix the security issue in ports.

So, the work left here is to check and merge the patches from 2 and 3, commit them, and add a vuxml entry.

I am sorry that I haven't had time to do so; I'll try to do that. If anyone wants to help, that will be very much appreciated.
Comment 10 commit-hook freebsd_committer 2020-08-09 07:58:24 UTC
A commit references this bug:

Author: pi
Date: Sun Aug  9 07:57:54 UTC 2020
New revision: 544547
URL: https://svnweb.freebsd.org/changeset/ports/544547

Log:
  www/trafficserver: update 8.0.2 -> 8.0.8, fix CVE-2020-9494

  PR:		247713
  Submitted by:	Hung-YI Chen <gaod@hychen.org> (maintainer), spam123@bitbert.com
  MFH:		2020Q3
  Relnotes:	https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.6
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.5
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.3
  Security:	CVE-2020-9494

Changes:
  head/www/trafficserver/Makefile
  head/www/trafficserver/distinfo
Comment 11 commit-hook freebsd_committer 2020-08-09 08:01:26 UTC
A commit references this bug:

Author: pi
Date: Sun Aug  9 08:00:28 UTC 2020
New revision: 544548
URL: https://svnweb.freebsd.org/changeset/ports/544548

Log:
  security/vuxml: add www/trafficserver entry for CVE-2020-9494

  PR:		247713
  Submitted by:	spam123@bitbert.com

Changes:
  head/security/vuxml/vuln.xml
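The vuxml entry committed in r544548 is what lets pkg audit warn users whose installed trafficserver is older than 8.0.8. As an added example (not code from this PR, the port, or pkg(8) itself), the Python script below parses a constructed, hypothetical minimal VuXML entry modelled on that one (placeholder vid, the CVE reference and a single <lt>8.0.8</lt> bound) and applies a simplified reimplementation of FreeBSD's package version ordering (epoch ",N" first, then dot-separated components, then "_N" port revision) to decide which installed package strings fall in the affected range. The comparison rules, the sample package names and the vid are assumptions, not taken from the page.

```python
"""Check installed FreeBSD packages against a VuXML <range>.

Constructed example, not code from the PR, the port or pkg(8).  The VuXML
below is a hypothetical minimal entry modelled on the trafficserver one
(placeholder vid, CVE reference and the <lt>8.0.8</lt> bound only), and the
version ordering is a simplified reimplementation of pkg's rules:
epoch (",N") first, then dot-separated components, then revision ("_N").
"""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML document; the vid is a placeholder, not the real entry's.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-4000-8000-000000000000">
    <topic>trafficserver -- fix for CVE-2020-9494</topic>
    <affects>
      <package>
        <name>trafficserver</name>
        <range><lt>8.0.8</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2020-9494</cvename>
    </references>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v):
    """'8.0.2_1,1' -> (epoch=1, [(8,''),(0,''),(2,'')], revision=1)."""
    epoch = revision = 0
    if "," in v:                       # epoch is the trailing ",N"
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:                       # port revision is the trailing "_N"
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d*)(.*)", p)  # numeric prefix, then any suffix text
        parts.append((int(m.group(1) or 0), m.group(2)))
    return epoch, parts, revision


def compare(a, b):
    """-1, 0 or 1 like pkg version -t; missing trailing components count as 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# Which compare() results satisfy each VuXML bound element.
_OPS = {"lt": (-1,), "le": (-1, 0), "gt": (1,), "ge": (0, 1), "eq": (0,)}


def in_range(version, range_el):
    """True when version satisfies every bound element inside a <range>."""
    for bound in range_el:
        op = bound.tag.rpartition("}")[2]          # strip the XML namespace
        if compare(version, bound.text.strip()) not in _OPS[op]:
            return False
    return True


def affected(installed, vuxml=VUXML):
    """Map 'name-version' strings (pkg info -q style) to the CVEs hitting them."""
    root = ET.fromstring(vuxml)
    hits = {}
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        cves = set()
        for vuln in root.findall("v:vuln", NS):
            for p in vuln.findall("v:affects/v:package", NS):
                if p.find("v:name", NS).text != name:
                    continue
                if any(in_range(version, r) for r in p.findall("v:range", NS)):
                    cves.update(c.text for c in vuln.findall("v:references/v:cvename", NS))
        hits[pkg] = sorted(cves)
    return hits


if __name__ == "__main__":
    # Constructed sample of installed packages: the old port and the fixed one.
    for pkg, cves in affected(["trafficserver-8.0.2", "trafficserver-8.0.8"]).items():
        print(pkg, "affected by " + ", ".join(cves) if cves else "not affected")
```

Note the epoch and revision handling: "trafficserver-8.0.2_1" (a port revision bump of the old version) is still inside the <lt>8.0.8</lt> range, while a hypothetical "8.0.7,1" would sort above 8.0.8 because the epoch wins, which is why version bounds in a vuxml entry must match how the port actually numbers its packages.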
Comment 12 commit-hook freebsd_committer 2020-08-10 08:02:07 UTC
A commit references this bug:

Author: pi
Date: Mon Aug 10 08:01:16 UTC 2020
New revision: 544602
URL: https://svnweb.freebsd.org/changeset/ports/544602

Log:
  MFH: r544547

  www/trafficserver: update 8.0.2 -> 8.0.8, fix CVE-2020-9494

  PR:		247713
  Submitted by:	Hung-YI Chen <gaod@hychen.org> (maintainer), spam123@bitbert.com
  Relnotes:	https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.6
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.5
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
  		https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.3
  Security:	CVE-2020-9494
  Approved by:	portmgr (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/www/trafficserver/Makefile
  branches/2020Q3/www/trafficserver/distinfo