On Wed, Nov 15, 2017 at 05:14:11PM +0100, Klemens Nanni wrote:
> This is a security update[0] fixing a data leak:
> 
>       A wrong if statement in the varnishd source code means that
>       synthetic objects in stevedores which over-allocate, may leak up
>       to page size of data from a malloc(3) memory allocation.
> 
>       In a unpredictable percentage of the cases where this condition
>       arises, a segmentation fault will happen instead.
> 
> Tests continue to pass:
> 
>       # TOTAL: 636
>       # PASS:  630
>       # SKIP:  5
>       # XFAIL: 0
>       # FAIL:  1
>       # XPASS: 0
>       # ERROR: 0
> 
>       FAIL tests/u00000.vtc (exit status: 2)
> 
> Removed TEST_TARGET=check as it's default. I also replaced cp with
> ${INSTALL_DATA} post-install and pointed users to 5.2 docs.
> 
> Since Varnish compiles .vsc files to C using python with 2.7 specific
> code (import StringIO), I added lang/python and explicitly set
> MODPY_VERSION=2.7.
> 
> Feedback? Does anyone want to commit this?
> 
> 0: https://varnish-cache.org/releases/rel5.2.1.html#rel5-2-1
> 
> diff --git a/www/varnish/Makefile b/www/varnish/Makefile
> index b0fa5029ab4..5cf58670364 100644
> --- a/www/varnish/Makefile
> +++ b/www/varnish/Makefile
> @@ -2,7 +2,7 @@
>  
>  COMMENT =            high-performance HTTP accelerator
>  
> -DISTNAME =           varnish-5.2.0
> +DISTNAME =           varnish-5.2.1
>  
>  CATEGORIES =         www
>  
> @@ -16,12 +16,16 @@ MAINTAINER =              Jim Razmus II 
> <j...@openbsd.org> \
>  # BSD
>  PERMIT_PACKAGE_CDROM =       Yes
>  
> -MASTER_SITES =          https://varnish-cache.org/_downloads/
> +MASTER_SITES =          ${HOMEPAGE}_downloads/
>  
>  EXTRACT_SUFX =               .tgz
>  
>  WANTLIB += c execinfo m ncursesw pcre pthread readline termcap
>  
> +MODULES =            lang/python
> +
> +MODPY_VERSION =              2.7
> +
>  BUILD_DEPENDS =              ${MODGNU_AUTOCONF_DEPENDS} \
>                       ${MODGNU_AUTOMAKE_DEPENDS} \
>                       devel/libtool \
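Review bot: `MASTER_SITES = ${HOMEPAGE}_downloads/` only expands to the previous URL if HOMEPAGE ends in a slash, and HOMEPAGE is not in the visible context, so confirm it is exactly `https://varnish-cache.org/`; otherwise the fetch location changes silently. A comment above `MODPY_VERSION = 2.7` stating that Python is needed only at build time for the .vsc compiler (`import StringIO`) would keep the reason in the Makefile instead of only in the mail.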
> @@ -30,6 +34,8 @@ LIB_DEPENDS =               devel/pcre
>  # The internal backtrace implementation fails to build with -Werror on 
> arm/hppa
>  LIB_DEPENDS +=               devel/libexecinfo
>  
> +MODPY_RUNDEP =               No
> +
>  WRKDIST =            ${WRKDIR}/${DISTNAME}
>  USE_GMAKE =          Yes
>  CONFIGURE_STYLE =    gnu
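Review bot: `MODPY_RUNDEP = No` is placed between LIB_DEPENDS and WRKDIST, away from the `MODULES` and `MODPY_VERSION` lines added in the previous hunk. Move it next to them so the Python module settings read as one block and a later removal of the 2.7 dependency can drop all of them together.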
> @@ -38,7 +44,7 @@ AUTOMAKE_VERSION =  1.15
>  CONFIGURE_ENV =              CPPFLAGS="-I${LOCALBASE}/include" \
>                       LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
>  
> -TEST_TARGET =                check
> +MODPY_ADJ_FILES =    lib/lib*/*.py
>  
>  post-patch:
>       cd ${WRKSRC} && env AUTOCONF_VERSION=${AUTOCONF_VERSION} \
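Review bot: `MODPY_ADJ_FILES = lib/lib*/*.py` takes the place of the removed `TEST_TARGET = check` line under CONFIGURE_ENV, so a new setting appears where the diff reads like a one-line substitution; group it with the other MODPY_* variables. The glob is broad as well: confirm that every Python script the build executes is matched by `lib/lib*/*.py` and that none outside lib/ is run through its own interpreter line.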
> @@ -47,7 +53,7 @@ post-patch:
>  post-install:
>       ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/varnish
>       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/varnish
> -     cp ${WRKDIST}${SYSCONFDIR}/{example,builtin}.vcl \
> +     ${INSTALL_DATA} ${WRKDIST}${SYSCONFDIR}/{example,builtin}.vcl \
>           ${PREFIX}/share/examples/varnish
>       rm -f ${PREFIX}/lib/varnish/{vmods,}/*.{a,la}
>  
> diff --git a/www/varnish/distinfo b/www/varnish/distinfo
> index f7dc351f783..cdba07a9889 100644
> --- a/www/varnish/distinfo
> +++ b/www/varnish/distinfo
> @@ -1,2 +1,2 @@
> -SHA256 (varnish-5.2.0.tgz) = zEgmoEgPSSaNOZYwnkt+RlFR6aUjzPjq1JnsV1FJ9H4=
> -SIZE (varnish-5.2.0.tgz) = 2828867
> +SHA256 (varnish-5.2.1.tgz) = uEUsnXjBb3jIz9HBoeaWUjv2S3chwzAVDcwIUkWQFLM=
> +SIZE (varnish-5.2.1.tgz) = 2827676
> diff --git a/www/varnish/pkg/MESSAGE b/www/varnish/pkg/MESSAGE
> index 5f50b1bbf2a..ce02efaef87 100644
> --- a/www/varnish/pkg/MESSAGE
> +++ b/www/varnish/pkg/MESSAGE
> @@ -5,4 +5,4 @@ or the following link for more information:
>  
>  and for further information:
>  
> -     https://www.varnish-cache.org/docs/5.0/
> +     https://www.varnish-cache.org/docs/5.2/
> 
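Review bot: the new docs link in pkg/MESSAGE keeps the `www.varnish-cache.org` host, while the release notes link in the mail and the old MASTER_SITES value use `varnish-cache.org` without `www`. Pick one host for the port and check that `https://www.varnish-cache.org/docs/5.2/` resolves before it is shipped to users in the package message.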
One week bump, neither of the two maintainers have replied so far.

I can take care of the python 2.7 bits in another diff so the next
revision/release won't depend on 2.7 anymore.
