Fixes security issue: https://github.com/advisories/GHSA-9825-56cx-cfg6
Created attachment 260160 [details] Update to version 2.4.6 and switch the download source to GitHub
Additional changes:

1. Replace PORTVERSION with DISTVERSION.

2. Update WWW - old is down:
-WWW= http://www.fastcgi.com/
+WWW= https://fastcgi-archives.github.io/

3. USES+=pathfix - to install *.pc files in the correct path.

4. Fix warnings from portclippy - order of lines in Makefile.

5. Remove MAKE_JOBS_UNSAFE=yes - obsoleted, builds fine without it on a host with 24 threads, 10 times in a row.

6. COPYTREE_SHARE docs only if the DOCS option is ON.

www/fcgi/Makefile:
@@ -1,36 +1,37 @@ PORTNAME= fcgi -PORTVERSION= 2.4.0 -PORTREVISION= 6 +DISTVERSION= 2.4.6 CATEGORIES= www -MASTER_SITES= LOCAL/adamw PKGNAMESUFFIX= -devkit MAINTAINER= john@essenz.com COMMENT= FastCGI Development Kit -WWW= http://www.fastcgi.com/ +WWW= https://fastcgi-archives.github.io/ LICENSE= Open_Market_FastCGI_license LICENSE_NAME= Open Market FastCGI license -LICENSE_FILE= ${WRKSRC}/LICENSE.TERMS +LICENSE_FILE= ${WRKSRC}/LICENSE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept -USES= cpe libtool +USES= autoreconf cpe libtool pathfix CPE_VENDOR= fastcgi +USE_GITHUB= yes +GH_ACCOUNT= FastCGI-Archives +GH_PROJECT= fcgi2 +USE_LDCONFIG= yes GNU_CONFIGURE= yes -USE_LDCONFIG= yes -MAKE_JOBS_UNSAFE= yes OPTIONS_DEFINE= DOCS post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi.so.0.0.0 ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi++.so.0.0.0 - - @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_MAN} ${WRKSRC}/doc/*.1 ${STAGEDIR}${PREFIX}/share/man/man1 ${INSTALL_MAN} ${WRKSRC}/doc/*.3 ${STAGEDIR}${PREFIX}/share/man/man3 + +post-install-DOCS-on: + @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC}/doc && \ ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR} "! -name *\.[13]") .include <bsd.port.mk>

7. Remove obsoleted patch www/fcgi/files/patch-include__fcgio.h added in https://bugs.freebsd.org/154190. Tested build with GCC 14.

8. Add files to pkg-plist:
libdata/pkgconfig/fcgi++.pc
libdata/pkgconfig/fcgi.pc

9. Fix order in www/fcgi/pkg-plist:
@@ -14,11 +14,8 @@ lib/libfcgi.a lib/libfcgi.so lib/libfcgi.so.0 lib/libfcgi.so.0.0.0 -share/man/man1/cgi-fcgi.1.gz -share/man/man3/FCGI_Accept.3.gz -share/man/man3/FCGI_Finish.3.gz -share/man/man3/FCGI_SetExitStatus.3.gz -share/man/man3/FCGI_StartFilterData.3.gz +libdata/pkgconfig/fcgi++.pc +libdata/pkgconfig/fcgi.pc %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/ap_guida.htm %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/ap_guide.htm %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/apaman.htm @@ -43,3 +40,8 @@ share/man/man3/FCGI_StartFilterData.3.gz %%PORTDOCS%%%%DOCSDIR%%/omi-logo.gif %%PORTDOCS%%%%DOCSDIR%%/overview.html %%PORTDOCS%%%%DOCSDIR%%/www5-api-workshop.html +share/man/man1/cgi-fcgi.1.gz +share/man/man3/FCGI_Accept.3.gz +share/man/man3/FCGI_Finish.3.gz +share/man/man3/FCGI_SetExitStatus.3.gz +share/man/man3/FCGI_StartFilterData.3.gz
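Review bot: in the Makefile hunk, dropping `-MAKE_JOBS_UNSAFE= yes` is justified in item 5 only by ten successful parallel builds on one 24-thread host, not by an identified upstream fix to the build dependencies; a race that does not appear in ten local runs can still show up on the package builders, so the commit message should say why parallel builds are now believed safe, or the line should stay until an upstream change can be cited. The same hunk replaces `-MASTER_SITES= LOCAL/adamw` with `+USE_GITHUB= yes` / `+GH_ACCOUNT= FastCGI-Archives` / `+GH_PROJECT= fcgi2`, which pins the distfile checksum to a GitHub-generated tarball; distinfo is not part of the diff shown in this comment, so please confirm the attachment carries the regenerated checksums for the new source before this is committed.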
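Review bot: the two pkg-plist hunks are a pure move of the five share/man entries plus the two new libdata/pkgconfig lines, and the resulting order is consistent with sorting by installed path (share/doc/... under %%PORTDOCS%% ahead of share/man/...) rather than by the literal %%PORTDOCS%% prefix, so that looks right. Because the docs are now copied only by the new post-install-DOCS-on target while the man pages stay in post-install, the plist should be verified with the DOCS option both on and off (`make check-plist` under each setting), since the %%PORTDOCS%% entries and the new target have to agree in both configurations.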
Commit log: https://github.com/FastCGI-Archives/fcgi2/compare/2.4.0...2.4.6 Changelogs: https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1.1 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.2 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.3 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.4 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5 https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.6
I see the last activity from the maintainer (John von Essen <john@essenz.com>) in 2019. This update fixes a CVE. I guess we don't have to wait 2 weeks for the maintainer timeout.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7809d8810df0f784a50ef375e6b828df1e3bbad3

commit 7809d8810df0f784a50ef375e6b828df1e3bbad3
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-05-08 21:21:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-05-08 21:29:15 +0000

    www/fcgi: Update 2.4.0 => 2.4.6 (fix CVE-2025-23016), improve port

    Commit log: https://github.com/FastCGI-Archives/fcgi2/compare/2.4.0...2.4.6
    Changelogs:
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.2
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.3
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.4
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.6

    Improve port:
    - Replace PORTVERSION with DISTVERSION.
    - Update WWW - old is down.
    - Switch upstream to GitHub.
    - Add USES+=pathfix for install *.pc files in correct path.
    - Fix warnings from portclippy - order of lines in Makefile.
    - Remove MAKE_JOBS_UNSAFE=yes - obsoleted.
    - Make run COPYTREE_SHARE docs only if DOCS option is ON.
    - Remove upstreamed and obsoleted patches.
    - Fix order in plist.

    PR:             286589
    Approved by:    John von Essen <john@essenz.com> (maintainer, timeout - last activity 2019)
    Security:       CVE-2025-23016
    Co-authored-by: Christos Chatzaras <chris@cretaforce.gr>
    MFH:            2025Q2

 www/fcgi/Makefile                                | 21 +++---
 www/fcgi/distinfo                                |  5 +-
 www/fcgi/files/patch-CVE-2012-6687-pool (gone)   | 79 -----------------------
 www/fcgi/files/patch-examples__Makefile.in (gone) | 11 ----
 www/fcgi/files/patch-include__fcgio.h (gone)     | 10 ---
 www/fcgi/pkg-plist                               | 12 ++--
 6 files changed, 21 insertions(+), 117 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a98cffa6bfdf24036fc1bfd02ce8277f3342f1d0

commit a98cffa6bfdf24036fc1bfd02ce8277f3342f1d0
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-05-08 21:21:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-05-08 21:43:28 +0000

    www/fcgi: Update 2.4.0 => 2.4.6 (fix CVE-2025-23016), improve port

    Commit log: https://github.com/FastCGI-Archives/fcgi2/compare/2.4.0...2.4.6
    Changelogs:
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.2
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.3
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.4
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.6

    Improve port:
    - Replace PORTVERSION with DISTVERSION.
    - Update WWW - old is down.
    - Switch upstream to GitHub.
    - Add USES+=pathfix for install *.pc files in correct path.
    - Fix warnings from portclippy - order of lines in Makefile.
    - Remove MAKE_JOBS_UNSAFE=yes - obsoleted.
    - Make run COPYTREE_SHARE docs only if DOCS option is ON.
    - Remove upstreamed and obsoleted patches.
    - Fix order in plist.

    PR:             286589
    Approved by:    John von Essen <john@essenz.com> (maintainer, timeout - last activity 2019)
    Security:       CVE-2025-23016
    Co-authored-by: Christos Chatzaras <chris@cretaforce.gr>
    MFH:            2025Q2

    (cherry picked from commit 7809d8810df0f784a50ef375e6b828df1e3bbad3)

 www/fcgi/Makefile                                | 21 +++---
 www/fcgi/distinfo                                |  5 +-
 www/fcgi/files/patch-CVE-2012-6687-pool (gone)   | 79 -----------------------
 www/fcgi/files/patch-examples__Makefile.in (gone) | 11 ----
 www/fcgi/files/patch-include__fcgio.h (gone)     | 10 ---
 www/fcgi/pkg-plist                               | 12 ++--
 6 files changed, 21 insertions(+), 117 deletions(-)
Thanks, committed!
A question: How did you find the missing pkg-plist files? Did you use `make check-plist` or another tool?
(In reply to Christos Chatzaras from comment #8) Yes: "make check-plist stage-qa". Also I'm using poudriere testport - it uses "make check-plist stage-qa" too.
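The exchange above is about how `make check-plist` surfaced the two missing `.pc` entries and the DOCS-dependent docs. The script below is an added example, not code from this PR, the www/fcgi port, or the FreeBSD ports framework: it models the two things check-plist reports (staged files the plist does not claim, and plist entries that were never staged), honouring `%%PORTDOCS%%` the way the DOCS option does, and it also checks the entry order that the PR's reshuffle produces (sorted by installed path, so `share/doc/...` sits ahead of `share/man/...` regardless of the `%%PORTDOCS%%` prefix). The plist lines and staged paths are constructed to resemble the fcgi plist, `%%DOCSDIR%%` is assumed to expand to `share/doc/fcgi`, and treating installed-path order as the convention is an assumption of the example.

```python
# Added example, not code from the PR, the www/fcgi port, or the FreeBSD
# ports framework: a small model of what `make check-plist` reports,
# run on constructed input shaped like the fcgi plist.

DOCSDIR = "share/doc/fcgi"      # assumed expansion of %%DOCSDIR%%
PORTDOCS = "%%PORTDOCS%%"

# Constructed plist as it looked before the PR: no .pc entries, man pages
# listed ahead of the %%PORTDOCS%% block.
PLIST_BEFORE = """\
include/fastcgi.h
lib/libfcgi.a
lib/libfcgi.so
lib/libfcgi.so.0
lib/libfcgi.so.0.0.0
share/man/man1/cgi-fcgi.1.gz
share/man/man3/FCGI_Accept.3.gz
%%PORTDOCS%%%%DOCSDIR%%/overview.html
"""

# Constructed plist after the PR's fixes: pkgconfig files added, man pages
# moved after the docs.
PLIST_AFTER = """\
include/fastcgi.h
lib/libfcgi.a
lib/libfcgi.so
lib/libfcgi.so.0
lib/libfcgi.so.0.0.0
libdata/pkgconfig/fcgi++.pc
libdata/pkgconfig/fcgi.pc
%%PORTDOCS%%%%DOCSDIR%%/overview.html
share/man/man1/cgi-fcgi.1.gz
share/man/man3/FCGI_Accept.3.gz
"""

# Constructed listing of what `make stage` leaves under ${STAGEDIR}${PREFIX}
# with DOCS on; with DOCS off the share/doc tree is absent.
STAGED_DOCS_ON = frozenset({
    "include/fastcgi.h",
    "lib/libfcgi.a", "lib/libfcgi.so", "lib/libfcgi.so.0", "lib/libfcgi.so.0.0.0",
    "libdata/pkgconfig/fcgi++.pc", "libdata/pkgconfig/fcgi.pc",
    DOCSDIR + "/overview.html",
    "share/man/man1/cgi-fcgi.1.gz", "share/man/man3/FCGI_Accept.3.gz",
})
STAGED_DOCS_OFF = frozenset(p for p in STAGED_DOCS_ON if not p.startswith("share/doc/"))


def plist_entries(plist_text):
    """Yield (installed_path, original_line, needs_docs) for each file entry.
    @keyword lines such as @dir are skipped."""
    for line in plist_text.splitlines():
        line = line.strip()
        if not line or line.startswith("@"):
            continue
        needs_docs = line.startswith(PORTDOCS)
        path = line[len(PORTDOCS):] if needs_docs else line
        yield path.replace("%%DOCSDIR%%", DOCSDIR), line, needs_docs


def check_plist(plist_text, staged, docs_on):
    """Model of check-plist. Returns (orphans, missing) as sorted lists:
    orphans = staged files the plist does not claim,
    missing = plist entries that were never staged."""
    claimed = {path for path, _, needs_docs in plist_entries(plist_text)
               if docs_on or not needs_docs}
    staged = set(staged)
    return sorted(staged - claimed), sorted(claimed - staged)


def order_problems(plist_text):
    """Adjacent entries whose *installed* paths are out of byte order.
    Assumption of this example: that is the order the PR's reshuffle
    follows (share/doc/... ahead of share/man/..., prefix ignored)."""
    entries = [(path, line) for path, line, _ in plist_entries(plist_text)]
    return [(a_line, b_line)
            for (a, a_line), (b, b_line) in zip(entries, entries[1:])
            if b < a]


if __name__ == "__main__":
    print("before, DOCS on: ", check_plist(PLIST_BEFORE, STAGED_DOCS_ON, docs_on=True))
    print("after, DOCS on:  ", check_plist(PLIST_AFTER, STAGED_DOCS_ON, docs_on=True))
    print("DOCS off, docs still staged:",
          check_plist(PLIST_AFTER, STAGED_DOCS_ON, docs_on=False))
    print("order problems before:", order_problems(PLIST_BEFORE))
```

The "DOCS off, docs still staged" case is what the old unconditional `post-install` produced: docs copied to the stage directory even when the option was off, which check-plist reports as orphans; the `post-install-DOCS-on` target in the PR is what makes the staged tree and the `%%PORTDOCS%%` entries agree in both settings.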
^Triage: assigned to committer who resolved. To committer: is there anything further that needs to be done with this PR?
(In reply to Mark Linimon from comment #10) > To committer: is there anything further that needs to be done with this PR? Add a record to security/vuxml. Same for bug #286624.
(In reply to Vladimir Druzenko from comment #11) It's already added: bug #286590
(In reply to Christos Chatzaras from comment #12) Ok!