Created attachment 268817 go-ethereum-1.17.1.patch
Changes:
https://github.com/ethereum/go-ethereum/releases/tag/v1.17.1
https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0
Highlights:
- Protocol and networking improvements
- EVM performance and stability updates
- Various bug fixes and dependency updates
Created attachment 269641 go-ethereum-1.17.2.patch
Changes:
https://github.com/ethereum/go-ethereum/releases/tag/v1.17.2
https://github.com/ethereum/go-ethereum/releases/tag/v1.17.1
https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0
Highlights:
- FreeBSD patch applied upstream, no need for script.
- Protocol and networking improvements
- EVM performance and stability updates
- Various bug fixes and dependency updates
Hi, Thank you for your submission. I have tested the patch in Poudriere (14.3-RELEASE-p9, amd64, main(0d519c7184f5)) and it seems OK. However, I think that PORTREVISION=3 should be removed. diff --git a/net-p2p/go-ethereum/Makefile b/net-p2p/go-ethereum/Makefile index c5fbe1c1d1b8..9467e6086dcb 100644 --- a/net-p2p/go-ethereum/Makefile +++ b/net-p2p/go-ethereum/Makefile @@ -1,7 +1,6 @@ PORTNAME= go-ethereum DISTVERSIONPREFIX= v DISTVERSION= 1.17.2 -PORTREVISION= 3 CATEGORIES= net-p2p MAINTAINER= me@enriquefynn.com
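Review bot: `DISTVERSION= 1.17.2` appears in this hunk as unchanged context while `PORTREVISION= 3` is removed, so the hunk applies on top of the submitted update rather than on the current tree; it should be folded into the same commit as the version bump and not landed on its own. If the tree ever carried 1.17.2 together with PORTREVISION 3, removing the line afterwards would move the package version from 1.17.2_3 back to 1.17.2, which upgrade tooling does not treat as newer.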
Sort pkg-plist. CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.
Created attachment 269653 0001-net-p2p-go-ethereum-Update-1.16.8-1.17.2.patch
(In reply to Vladimir Druzenko from comment #4)
> Sort pkg-plist.
Thanks, I have sorted using `env LANG=C sort`.
> CVE-2026-26313, CVE-2026-26314, CVE-2026-26315.
I must have overlooked these fixes, thanks!
Created attachment 269654 0001-security-vuxml-Add-go-ethereum-vulnerabilities.patch
Added security/vuxml entries for those 3 CVEs.
(In reply to Yusuf Yaman from comment #5)
Wrong order:
%%DEVTOOLS%%bin/rlpdump
bin/geth
(In reply to Vladimir Druzenko from comment #7)
> Wrong order:
> %%DEVTOOLS%%bin/rlpdump
> bin/geth
I guess every person's sort(1) may sort differently. I don't understand the point of this, honestly. I am not happy putting that bin/geth entry to the last part either.
(In reply to Yusuf Yaman from comment #8) Use manual sorting. :-D
Created attachment 269665 0001-net-p2p-go-ethereum-Update-1.16.8-1.17.2.patch
(In reply to Vladimir Druzenko from comment #9)
As a non-native, I google for an image of "english alphabet" whenever I am adding a category/Makefile entry, then use sort(1) to validate if I have done it correctly. Sorting manually might be an idea. I suppose most people generate their pkg-plist using `make makeplist`, including me. I think it would save time if that make target was already doing a sorting process.
How does it look now?
bin/geth
%%DEVTOOLS%%bin/abigen
%%DEVTOOLS%%bin/blsync
%%DEVTOOLS%%bin/clef
%%DEVTOOLS%%bin/era
%%DEVTOOLS%%bin/ethkey
%%DEVTOOLS%%bin/evm
%%DEVTOOLS%%bin/rlpdump
Thanks a lot for the thorough review.
> However, I think that PORTREVISION=3 should be removed.
Do I have to remove this all the time? What workflow should one use? It's a bit annoying having to think about this ^^.
I think these vulnerabilities were corrected in prior versions, should we still include them in security/vuxml/vuln/2026.xml?
Should I upload another patch or we use the one you submitted?
(In reply to Enrique Fynn from comment #11)
> Thanks a lot for the thorough review.
You are welcome!
> > However, I think that PORTREVISION=3 should be removed.
> Do I have to remove this all the time? What workflow should one use?
> It's a bit annoying having to think about this ^^.
Yes, when updating the version of a port, it generally needs to be removed.
> I think these vulnerabilities were corrected in prior versions,
Security issues are fixed in v1.16.9 and v1.17.0, hence this patch updates to v1.17.2, which fixes all.
> should we still include them in security/vuxml/vuln/2026.xml?
Yes, since we should warn people to update from affected versions as soon as possible.
> Should I upload another patch or we use the one you submitted?
As you wish.
%%DEVTOOLS%%bin/abigen
%%DEVTOOLS%%bin/blsync
%%DEVTOOLS%%bin/clef
%%DEVTOOLS%%bin/era
%%DEVTOOLS%%bin/ethkey
%%DEVTOOLS%%bin/evm
bin/geth
%%DEVTOOLS%%bin/rlpdump
I'm not a native speaker either, but I remember the order: abcdefghijklmnopqrstuvwxyz. :-o
Created attachment 269719 0001-net-p2p-go-ethereum-Update-1.16.8-1.17.2.patch
(In reply to Vladimir Druzenko from comment #13)
Well, thanks.
If you really sort it, it would be something like:
%%DEVTOOLS%%bin/abigen
%%DEVTOOLS%%bin/blsync
%%DEVTOOLS%%bin/clef
%%DEVTOOLS%%bin/era
%%DEVTOOLS%%bin/ethkey
%%DEVTOOLS%%bin/evm
%%DEVTOOLS%%bin/rlpdump
bin/geth
But it looks good to me in any case.
(In reply to Enrique Fynn from comment #15) PLIST must be sorted after substitutions.
> (In reply to Enrique Fynn from comment #15)
> PLIST must be sorted after substitutions.
Makes sense! Thanks again!
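
The rule stated above, that PLIST is sorted after substitutions, as an added example that is not part of the thread or of the ports framework: it orders entries by the path left once leading `%%NAME%%` tokens are removed. The function names and the treatment of each token as an empty string are assumptions.

```sh
#!/bin/sh
# Added example (not from the ports tree): order pkg-plist lines by the path
# that remains once leading %%NAME%% substitution tokens are removed.

# Constructed sample: the thread's entries in plain byte order, where every
# "%%..." line precedes "bin/geth" because '%' sorts before 'b'.
sample_plist() {
    cat <<'EOF'
%%DEVTOOLS%%bin/abigen
%%DEVTOOLS%%bin/blsync
%%DEVTOOLS%%bin/clef
%%DEVTOOLS%%bin/era
%%DEVTOOLS%%bin/ethkey
%%DEVTOOLS%%bin/evm
%%DEVTOOLS%%bin/rlpdump
bin/geth
EOF
}

# Prefix each line with its sort key and a tab. Assumption: the key is the
# line with any leading %%NAME%% tokens stripped (token treated as empty).
plist_decorate() {
    awk '{
        key = $0
        while (sub(/^%%[A-Za-z0-9_]+%%/, "", key)) stripped++
        print key "\t" $0
    }'
}

# Sort stdin by key in the C locale, then drop the key again.
plist_sort() {
    plist_decorate | LC_ALL=C sort | cut -f2-
}

# Return 0 when the file named by $1 is already in key order.
plist_is_sorted() {
    [ "$(cat "$1")" = "$(plist_sort < "$1")" ]
}

# Print the sample in key order: bin/geth lands between evm and rlpdump.
sample_plist | plist_sort
```
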
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=abbfe437e46c2fde7b7ea759f93df8c8e71ebe9b

commit abbfe437e46c2fde7b7ea759f93df8c8e71ebe9b
Author: Enrique Fynn <me@enriquefynn.com>
AuthorDate: 2026-04-11 20:43:56 +0000
Commit: Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-16 14:58:42 +0000

net-p2p/go-ethereum: Update 1.16.8 => 1.17.2

Changelogs:
* https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.1
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.2

Port changes:
* Sort pkg-plist.
* Drop backported patch since it's in upstream now

PR: 293829
Reported by: Enrique Fynn <me@enriquefynn.com> (maintainer)
Approved by: vvd (co-mentor)
MFH: 2026Q2
Security: CVE-2026-26313
Security: CVE-2026-26314
Security: CVE-2026-26315

net-p2p/go-ethereum/Makefile | 11 +++++------
net-p2p/go-ethereum/distinfo | 10 +++++-----
..._github.com_karalabe_hid_hid__enabled.go (gone) | 23 ----------------------
net-p2p/go-ethereum/pkg-plist | 7 +++++--
4 files changed, 15 insertions(+), 36 deletions(-)
A commit in branch 2026Q2 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4f3e314f2defb0cbc95d74c1c1758cc40351fe7f

commit 4f3e314f2defb0cbc95d74c1c1758cc40351fe7f
Author: Enrique Fynn <me@enriquefynn.com>
AuthorDate: 2026-04-11 20:43:56 +0000
Commit: Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-16 14:59:57 +0000

net-p2p/go-ethereum: Update 1.16.8 => 1.17.2

Changelogs:
* https://github.com/ethereum/go-ethereum/releases/tag/v1.16.9
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.0
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.1
* https://github.com/ethereum/go-ethereum/releases/tag/v1.17.2

Port changes:
* Sort pkg-plist.
* Drop backported patch since it's in upstream now

PR: 293829
Reported by: Enrique Fynn <me@enriquefynn.com> (maintainer)
Approved by: vvd (co-mentor)
MFH: 2026Q2
Security: CVE-2026-26313
Security: CVE-2026-26314
Security: CVE-2026-26315

(cherry picked from commit abbfe437e46c2fde7b7ea759f93df8c8e71ebe9b)

net-p2p/go-ethereum/Makefile | 11 +++++------
net-p2p/go-ethereum/distinfo | 10 +++++-----
..._github.com_karalabe_hid_hid__enabled.go (gone) | 23 ----------------------
net-p2p/go-ethereum/pkg-plist | 7 +++++--
4 files changed, 15 insertions(+), 36 deletions(-)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4abd8b03fba6c6780d1076e483bfba0692435d44

commit 4abd8b03fba6c6780d1076e483bfba0692435d44
Author: Yusuf Yaman <nxjoseph@FreeBSD.org>
AuthorDate: 2026-04-16 15:05:40 +0000
Commit: Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-16 15:06:13 +0000

security/vuxml: Add go-ethereum vulnerabilities

PR: 293829
Approved by: vvd (co-mentor)

security/vuxml/vuln/2026.xml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
Committed, thanks, sorry for the delay.