Created attachment 228950 [details] v1 ("git am") libwpe, wpebackend-fdo, webkit2-gtk3 updates were tested with all three patches applied together. Tested via 12.2/amd64 jail with passed /dev for x11-wm/cage DRM backend. Note: I am waiting for inverted options build to pass. Requesting approval because there is no way to request it after posting PR, AFAIK.
(In reply to Evgeniy Khramtsov from comment #0) Build with inverted OPTIONS passed. "Changes" field for www/libwpe and www/wpebackend-fdo can be replaced with links from Bugzilla URL field, because when updating from 1.10.1 -> 1.12.0 upstream announcement is incomplete (lacks changes from older versions that ports skipped). On an unrelated note, I plan to create upstream PRs about libc++ build issues (ports 895bc805a and ports f73bc57ac) this week. Another note, upstream is known to publish a release [1] first, then a security advisory [2] days after: 1: https://webkitgtk.org/2021/09/17/webkitgtk2.32.4-released.html 2: https://webkitgtk.org/security/WSA-2021-0005.html Dates "17 SEPTEMBER 2021" and "20 SEPTEMBER 2021" available in the news section: https://webkitgtk.org/news.html
(In reply to Evgeniy Khramtsov from comment #1) > f73bc57ac Likely not, I can't edit comments on Bugzilla.
https://cgit.freebsd.org/ports/commit/?id=cfd3cae26ce21f6 nc@, maybe at least reference the PR?
Sorry. I committed without even knowing of your PR (all my work). Extremely sorry again.
WebKit <2.34.1 is vulnerable: https://webkitgtk.org/security/WSA-2021-0006.html Merge-quarterly was requested 4 days before the disclosure but 2.34.1 didn't land into 2021Q4. VuXML entry is needed now, but I don't have time until weekend, so it would be nice if someone else fills it.
Created attachment 229177 [details] VuXML entry ("git am")
(In reply to Evgeniy Khramtsov from comment #6) Ping! Don't leave quarterly users using vulnerable WebKit without knowing!
(In reply to Evgeniy Khramtsov from comment #7) I decided I don't care.