Bug 251213 - www/typo3-9: Update to 9.5.23
Summary: www/typo3-9: Update to 9.5.23
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Kurt Jaeger
Reported: 2020-11-17 12:48 UTC by Helmut Ritter
Modified: 2021-05-14 09:28 UTC (History)
fernape: merge-quarterly?


Attachments
Update to 9.5.23 (749 bytes, text/plain)
2020-11-17 12:48 UTC, Helmut Ritter
Comment 1 commit-hook freebsd_committer 2020-11-18 18:07:45 UTC
A commit references this bug:

Author: pi
Date: Wed Nov 18 18:04:37 UTC 2020
New revision: 555654
URL: https://svnweb.freebsd.org/changeset/ports/555654

Log:
  www/typo3-9: upgrade 9.5.21 -> 9.5.23

  - Fixes three XSS vulnerabilities detected in Fluid Engine

  PR:		251213
  Submitted by:	Helmut Ritter <freebsd-ports@charlieroot.de> (maintainer)
  MFH:		2020Q4
  Relnotes:	https://typo3.org/article/typo3-10410-and-9523-security-releases-published
  Security:	TYPO3-CORE-SA-2020-009, TYPO3-CORE-SA-2020-010,
  		TYPO3-CORE-SA-2020-011, TYPO3-CORE-SA-2020-012

Changes:
  head/www/typo3-9/Makefile
  head/www/typo3-9/distinfo
Comment 2 Kurt Jaeger freebsd_committer 2020-11-18 18:07:46 UTC
TODO: needs vuxml entries
Comment 5 Fernando Apesteguía freebsd_committer 2020-11-18 19:23:28 UTC
^Triage: assigning to committer resolving the issue.

^Triage: security releases, MFH to quarterly
Comment 6 commit-hook freebsd_committer 2020-11-19 20:07:35 UTC
A commit references this bug:

Author: pi
Date: Thu Nov 19 20:06:34 UTC 2020
New revision: 555712
URL: https://svnweb.freebsd.org/changeset/ports/555712

Log:
  MFH: r555654

  www/typo3-9: upgrade 9.5.21 -> 9.5.23

  - Fixes three XSS vulnerabilities detected in Fluid Engine

  PR:		251213
  Submitted by:	Helmut Ritter <freebsd-ports@charlieroot.de> (maintainer)
  Relnotes:	https://typo3.org/article/typo3-10410-and-9523-security-releases-published
  Security:	TYPO3-CORE-SA-2020-009, TYPO3-CORE-SA-2020-010,
  		TYPO3-CORE-SA-2020-011, TYPO3-CORE-SA-2020-012
  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/www/typo3-9/Makefile
  branches/2020Q4/www/typo3-9/distinfo
Comment 7 Fernando Apesteguía freebsd_committer 2021-04-23 16:30:36 UTC
Reopening since there are still vuxml entries pending.
Comment 8 Nuno Teixeira freebsd_committer 2021-05-14 06:53:57 UTC
(In reply to Fernando Apesteguía from comment #7)
Hello Fernando!

I've updated this port to 9.5.27 and maybe this PR can be closed, what do you think?

Cheers
Comment 9 Kurt Jaeger freebsd_committer 2021-05-14 07:04:12 UTC
(In reply to Nuno Teixeira from comment #8)
Are the necessary vuxml entries in place?
Comment 10 Nuno Teixeira freebsd_committer 2021-05-14 08:30:36 UTC
(In reply to Kurt Jaeger from comment #9)
Good question.

It was a simple update to 9.5.27 that I committed; later the maintainer told me about these pending PRs.

What should I do?
Comment 11 Kurt Jaeger freebsd_committer 2021-05-14 08:31:39 UTC
(In reply to Nuno Teixeira from comment #10)
If you have the time, provide vuxml entries for the CVEs mentioned in this PR.
Comment 12 Nuno Teixeira freebsd_committer 2021-05-14 08:43:23 UTC
(In reply to Kurt Jaeger from comment #11)

From what https://get.typo3.org/release-notes/9.5.27 says, all security fixes were solved, because it does not mention any security problems with this version.
Comment 13 Kurt Jaeger freebsd_committer 2021-05-14 08:54:09 UTC
So the use-case for vuxml is to list CVEs for versions that are vulnerable.

If 9.5.27 is not vulnerable, but 9.5.22 is, and there's a CVE for that
and that CVE is not in the vuxml port, we still miss that entry and should
provide one.

That's why this PR is still open.
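The point made in comment 13, as an added example that is not part of the original thread and is not FreeBSD's own tooling: a small checker that reads a VuXML-style entry and reports which versions it flags. The entry is constructed, its vid is a placeholder, and the package name `typo3-9` and the `<lt>9.5.23</lt>` bound are assumptions derived from the commit log; version comparison is simplified to dotted numbers.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
PLACEHOLDER_VID = "00000000-0000-0000-0000-000000000000"  # not a real vid

# Constructed entry, trimmed to the fields this check reads. The package name
# and the <lt> bound are assumptions taken from the commit log (fix in 9.5.23).
SAMPLE_VUXML = f"""\
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="{PLACEHOLDER_VID}">
    <topic>typo3 -- XSS in Fluid Engine (constructed sample)</topic>
    <affects>
      <package>
        <name>typo3-9</name>
        <range><lt>9.5.23</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""
EMPTY_VUXML = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"/>'  # entry never written

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def vkey(version):
    # Simplification: dotted numeric versions only (no PORTREVISION/PORTEPOCH).
    return tuple(int(part) for part in version.split("."))

def in_range(rng, version):
    # All bounds inside one <range> must hold; an empty <range> matches nothing.
    bounds = list(rng)
    return bool(bounds) and all(
        OPS[b.tag.split("}")[-1]](vkey(version), vkey(b.text)) for b in bounds)

def affected(vuxml_text, name, version):
    """Return the vids of all entries whose ranges cover name at version."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if name in [n.text for n in pkg.findall("v:name", NS)] and any(
                    in_range(r, version) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.get("vid"))
                break
    return hits

if __name__ == "__main__":
    for ver in ("9.5.22", "9.5.23", "9.5.27"):
        print(ver, affected(SAMPLE_VUXML, "typo3-9", ver), affected(EMPTY_VUXML, "typo3-9", ver))
```

With the entry present, a host still running 9.5.22 is flagged while 9.5.27 is not; with the entry missing, the 9.5.22 host is reported clean, which is the gap that keeps the PR open.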
Comment 14 Nuno Teixeira freebsd_committer 2021-05-14 09:28:36 UTC
(In reply to Kurt Jaeger from comment #13)

Thanks for the explanation!