Bug 253822 - lang/jruby: Update to 9.2.17.0
Summary: lang/jruby: Update to 9.2.17.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Koichiro Iwao
URL:
Keywords:
Depends on:
Blocks: 250731
Reported: 2021-02-24 20:08 UTC by Thomas Hurst
Modified: 2021-04-07 14:01 UTC

See Also:
bugzilla: maintainer-feedback? (ruby)


Attachments
Patch lang/jruby to 9.2.15.0 (38.15 KB, patch), 2021-02-24 20:08 UTC, Thomas Hurst, no flags
Patch lang/jruby to 9.2.16.0 (39.46 KB, patch), 2021-03-03 21:52 UTC, Thomas Hurst, no flags
Patch lang/jruby to 9.2.17.0 (40.46 KB, patch), 2021-03-29 19:52 UTC, Thomas Hurst, tom: maintainer-approval? (ruby)

Description Thomas Hurst 2021-02-24 20:08:41 UTC
Created attachment 222797 [details]
Patch lang/jruby to 9.2.15.0

This includes fixes for various security issues, in particular:

* CVE-2011-4815 (predictable hashing DoS)
* CVE-2017-17742, CVE-2019-16254, CVE-2020-25613 (WeBrick request smuggling/splitting)
* CVE-2017-18640 (SnakeYAML entity expansion DoS)

It also includes fixes for File.stat/lstat on FreeBSD 12 and later, which previously rendered JRuby unusable on these systems.

Port passes portlint and poudriere testport.
Comment 1 Thomas Hurst 2021-03-03 19:54:43 UTC
An update to 9.2.16.0 will follow shortly.
Comment 2 Thomas Hurst 2021-03-03 21:52:26 UTC
Created attachment 222956 [details]
Patch lang/jruby to 9.2.16.0
Comment 3 Thomas Hurst 2021-03-29 19:52:40 UTC
Created attachment 223687 [details]
Patch lang/jruby to 9.2.17.0
Comment 4 commit-hook 2021-04-07 10:43:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8147a5a7044e7a055288252731de647ca5e4ecd1

commit 8147a5a7044e7a055288252731de647ca5e4ecd1
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2021-04-07 10:37:06 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2021-04-07 10:42:46 +0000

    lang/jruby: Update to 9.2.17.0

    CVEs are fixed at 9.2.15.0.

    PR:             253822
    Reported by:    Thomas Hurst <tom@hur.st>
    Relnotes:       https://www.jruby.org/2021/03/29/jruby-9-2-17-0.html
    Security:       CVE-2011-4815
    Security:       CVE-2017-17742
    Security:       CVE-2019-16254
    Security:       CVE-2020-25613
    Security:       CVE-2017-18640

 lang/jruby/Makefile  |   3 +-
 lang/jruby/distinfo  |   6 +-
 lang/jruby/pkg-plist | 357 ++++++++++++++++++++++++++++++---------------------
 3 files changed, 213 insertions(+), 153 deletions(-)
Comment 5 Koichiro Iwao 2021-04-07 14:01:44 UTC
Committed, thanks!