Bug 250660 - multimedia/motion: Update to 4.3.2
Summary: multimedia/motion: Update to 4.3.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Fernando Apesteguía
URL: https://github.com/Motion-Project/mot...
Keywords: buildisok
Depends on:
Blocks:
 
Reported: 2020-10-27 00:02 UTC by ports
Modified: 2020-10-28 11:26 UTC (History)
2 users (show)

See Also:
fernape: merge-quarterly+


Attachments
Update to latest released version. (870 bytes, patch)
2020-10-27 00:02 UTC, ports
ports: maintainer-approval+
Details | Diff
Update to 4.3.2 and also re-order the Makefile to agree with portclippy's suggestions (3.42 KB, patch)
2020-10-27 21:40 UTC, ports
ports: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description ports 2020-10-27 00:02:22 UTC
Created attachment 219127 [details]
Update to latest released version.

As per the summary. I have flagged this as "affects many people" as it contains a security update.
Comment 1 ports 2020-10-27 00:07:40 UTC
Comment on attachment 219127 [details]
Update to latest released version.

Added maintainer-approval.
Comment 2 Automation User 2020-10-27 00:47:33 UTC
Build and package info is available at https://gitlab.com/swills/freebsd-ports/pipelines/207928887
Comment 3 Fernando Apesteguía freebsd_committer 2020-10-27 06:33:50 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.

Q/A: Consider reordering some variables in the Makefile.https://www.freebsd.org/doc/en/books/porters-handbook/book.html#porting-order


Thanks!
Comment 4 ports 2020-10-27 06:44:19 UTC
Added release notes (such as they are).
Comment 5 ports 2020-10-27 09:25:36 UTC
I looked through the documentation on the order of variables, and I didn't spot anything that looked to conflict with that document? What would you suggest should be re-ordered? Happy to make improvements, just not seeing what is wrong!
Comment 6 Fernando Apesteguía freebsd_committer 2020-10-27 10:37:17 UTC
(In reply to ports from comment #5)
I use portclippy along with portlint. As linters, sometimes they are wrong, but this is what I get when I run portclippy:

# PORTNAME block
PORTNAME
PORTVERSION
DISTVERSIONPREFIX
CATEGORIES

# Maintainer block
MAINTAINER
COMMENT

# License block
LICENSE
LICENSE_FILE

# Dependencies
LIB_DEPENDS

# USES block
USES
+KMODDIR
USE_GITHUB
GH_ACCOUNT
USE_RC_SUBR

# Configure block
GNU_CONFIGURE
CONFIGURE_ARGS

-KMODDIR

# Standard bsd.port.mk variables
SUB_FILES

# Packaging list block
PLIST_FILES
PORTDOCS
PORTEXAMPLES

# Options definitions
OPTIONS_DEFINE
+OPTIONS_DEFAULT
OPTIONS_RADIO
OPTIONS_RADIO_VIDEO
-OPTIONS_DEFAULT

# Options descriptions
-VIDEO_DESC
BKTR_DESC

-BKTR_CONFIGURE_WITH

PWCBSD_DESC

-PWCBSD_BUILD_DEPENDS
-PWCBSD_RUN_DEPENDS
-PWCBSD_CONFIGURE_WITH

+VIDEO_DESC
WEBCAMD_DESC

# Options helpers
-WEBCAMD_BUILD_DEPENDS
-WEBCAMD_CONFIGURE_WITH
+BKTR_CONFIGURE_WITH
FFMPEG_LIB_DEPENDS
FFMPEG_CONFIGURE_ON
FFMPEG_CONFIGURE_OFF
MYSQL_USES
MYSQL_CONFIGURE_ON
MYSQL_CONFIGURE_OFF
PGSQL_USES
PGSQL_CONFIGURE_ON
PGSQL_CONFIGURE_OFF
+PWCBSD_BUILD_DEPENDS
+PWCBSD_RUN_DEPENDS
+PWCBSD_CONFIGURE_WITH
SQLITE3_USES
SQLITE3_CONFIGURE_WITH
+WEBCAMD_BUILD_DEPENDS
+WEBCAMD_CONFIGURE_WITH

Cheers
Comment 7 ports 2020-10-27 21:40:03 UTC
Created attachment 219154 [details]
Update to 4.3.2 and also re-order the Makefile to agree with portclippy's suggestions

portclippy is pretty cool, thanks for that! Have updated.
Comment 8 Fernando Apesteguía freebsd_committer 2020-10-28 07:15:13 UTC
Build testing...

I don't see any security related changes in the ChangeLog. Which one do you mean?
Comment 9 commit-hook freebsd_committer 2020-10-28 08:08:31 UTC
A commit references this bug:

Author: fernape
Date: Wed Oct 28 08:08:25 UTC 2020
New revision: 553525
URL: https://svnweb.freebsd.org/changeset/ports/553525

Log:
  multimedia/motion: Update to 4.3.2

  ChangeLog: https://github.com/Motion-Project/motion/releases/tag/release-4.3.2

  PR:	250660
  Submitted by:	ports@blievers.net (maintainer)

Changes:
  head/multimedia/motion/Makefile
  head/multimedia/motion/distinfo
Comment 10 Fernando Apesteguía freebsd_committer 2020-10-28 08:09:34 UTC
Committed,

Please feel free to re-open this should you think this needs to be MFHed

Thanks!
Comment 11 ports 2020-10-28 09:17:20 UTC
CVE-2020-26566 is the security issue. Not sure why it isn't in the release notes, maybe giving people a chance to update?
Comment 12 ports 2020-10-28 09:19:17 UTC
Re-opening, given the CVE, I think this should be MFH'd. Sorry I wasn't clear in the first place.
Comment 13 Fernando Apesteguía freebsd_committer 2020-10-28 09:35:27 UTC
(In reply to ports from comment #12)
OK,

Thanks for checking.

Apparently, when they say "Use MHD function for url decoding" (https://github.com/Motion-Project/motion/issues/1227#issuecomment-716099090) they meant fixing a CVE... This is an example of a really bad ChangeLog :(

I'm on it.
Comment 14 ports 2020-10-28 09:45:19 UTC
Thanks! It does seem like the release notes could be better, I'm optimistically hoping that they update them once they feel the fix has been distributed enough.
Comment 15 commit-hook freebsd_committer 2020-10-28 10:25:54 UTC
A commit references this bug:

Author: fernape
Date: Wed Oct 28 10:25:26 UTC 2020
New revision: 553531
URL: https://svnweb.freebsd.org/changeset/ports/553531

Log:
  security/vuxml: Add entry for multimedia/motion

  Follow up commit for 553525.

  For some reason, "Use MHD function for url decoding" actually means fixing
  CVE-2020-26566

  PR:	250660

Changes:
  head/security/vuxml/vuln.xml
Comment 16 commit-hook freebsd_committer 2020-10-28 11:24:06 UTC
A commit references this bug:

Author: fernape
Date: Wed Oct 28 11:23:59 UTC 2020
New revision: 553538
URL: https://svnweb.freebsd.org/changeset/ports/553538

Log:
  MFH: r553525

  multimedia/motion: Update to 4.3.2

  ChangeLog: https://github.com/Motion-Project/motion/releases/tag/release-4.3.2

  Fixes CVE-2020-26566

  https://cve-search.iicrai.org/cve/CVE-2020-26566

  PR:	250660
  Submitted by:	ports@blievers.net (maintainer)

  Approved by:	ports-secteam (fluffy@)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/multimedia/motion/Makefile
  branches/2020Q4/multimedia/motion/distinfo
Comment 17 Fernando Apesteguía freebsd_committer 2020-10-28 11:26:04 UTC
MFHed.

Thanks!