Bringing ports@ to CC

On 2018/12/17 16:54, Ian Darwin wrote:
> Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve" 
> in quirks/Quirks.pm?

That is the intention (I'd go for listing any known security fixes whether
or not there's a CVE number for it).

> The format appears to be to list the "bad" values, so would this be for
> example:
>       devel/jenkins/stable < 2.150.1

I think it would look like the diff below but ideally it should be
tested to make sure that it does whine when you try to install a "bad"
version (i.e. the ones for both jenkins/devel and jenkins/stable
branches in current snapshots) and doesn't whine when you try
to install a new version (by pointing pkg_add at locally built
packages and adding).

doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel

and same for ...jenkins%stable

For 6.4-stable it should probably stay on the 2.138.x branch rather than
jumping to the new 2.150.x.

(from the look of the changelog, pretty much all jenkins updates include
security fixes..)

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.670
diff -u -p -r1.670 Makefile
--- Makefile    17 Dec 2018 01:10:00 -0000      1.670
+++ Makefile    17 Dec 2018 23:33:38 -0000
@@ -5,7 +5,7 @@ CATEGORIES =    devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME =      quirks-3.63
+PKGNAME =      quirks-3.64
 PKG_ARCH =     *
 MAINTAINER =   Marc Espie <es...@openbsd.org>
 
Index: files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.684
diff -u -p -r1.684 Quirks.pm
--- files/Quirks.pm     17 Dec 2018 01:10:00 -0000      1.684
+++ files/Quirks.pm     17 Dec 2018 23:33:38 -0000
@@ -1235,6 +1235,8 @@ my $cve = {
        'devel/git,-main' => 'git-<2.19.1',
        'devel/git,-svn' => 'git-svn-<2.19.1',
        'devel/git,-x11' => 'git-x11-<2.19.1',
+       'devel/jenkins/devel' => 'jenkins-<2.154',
+       'devel/jenkins/stable' => 'jenkins-<2.150.1',
        'devel/libgit2/libgit2' => 'libgit2-<0.27.7',
        'devel/mercurial,-main' => 'mercurial-<4.5.3p1',
        'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1',
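Review bot: the 'jenkins-' stem in both new entries has to match the actual PKGNAME of the two branches, since the neighbouring 'git-svn-<2.19.1' and 'git-x11-<2.19.1' entries show the spec is matched against the full installed package name rather than the pkgpath; the quoted port Makefiles in this thread show VERSION and DIST_SUBDIR but not PKGNAME, so the pkg_add test described in the reply (install jenkins-2.152 and jenkins-2.138.3 from snapshots, then 2.155 and 2.150.1 from local packages) is what confirms the stem. The devel cutoff '<2.154' tracks the advisory's first fixed weekly release rather than the 2.155 the port moves to, which is the right choice for a $cve entry.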
> Thx
> Ian
> ----- Forwarded message from Edward Lopez-Acosta <elopezaco...@gmail.com> -----
> 
> Date: Mon, 17 Dec 2018 21:25:05 +0000
> From: Edward Lopez-Acosta <elopezaco...@gmail.com>
> To: i...@openbsd.org
> Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
> 
> Hi Ian,
> 
> Just following up on this due to the critical issue fixed. Does quirks need
> updating or is this change good to go?
> 
> Thank you
> 
> On December 14, 2018 11:47:06 PM UTC, Ian Darwin <i...@darwinsys.com> wrote:
> >On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:
> >> Version update for multiple security issues including one marked as
> >> critical.
> >> 
> >> I was not sure how to update quirks so that is not included in this
> >> diff. If someone is willing to teach me what to do I can add that in,
> >> or review changes to quirks after this is merged.
> >
> >Why do you think it needs quirks?
> > 
> >> Builds, installs, and runs fine on amd64. No special upgrade steps
> >> when upgrading from 2.138.3 currently in the tree.
> >> 
> >> - MAINTAINER CC'ed
> >> - No tests present
> >> - No change to required libs or current PLIST
> >> - Nothing relies on this
> >> - Self tested some projects and did not run into issues
> >> - Diff applies fine with `patch`
> >> 
> >> CHANGELOG:
> >> https://jenkins.io/changelog-stable/
> >> 
> >> https://jenkins.io/security/advisory/2018-12-05/
> >> 
> >>  Severity
> >> 
> >>     SECURITY-595: critical
> >>     SECURITY-904: medium
> >>     SECURITY-1072: medium
> >>     SECURITY-1193: medium
> >> 
> >> Affected Versions
> >> 
> >>     Jenkins weekly up to and including 2.153
> >>     Jenkins LTS up to and including 2.138.3
> >> 
> >> Fix
> >> 
> >>     Jenkins weekly should be updated to version 2.154
> >>     Jenkins LTS should be updated to either version 2.138.4 or 2.150.1
> >> 
> >> -- 
> >> Edward Lopez-Acosta
> >
> >> diff --git devel/Makefile devel/Makefile
> >> index 26817c51381..03fb8174712 100644
> >> --- devel/Makefile
> >> +++ devel/Makefile
> >> @@ -1,6 +1,6 @@
> >>  # $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10 rsadowski Exp $
> >>  
> >> -VERSION = 2.152
> >> +VERSION = 2.155
> >>  MASTER_SITES =    http://mirrors.jenkins-ci.org/war/${VERSION}/
> >>  DIST_SUBDIR =     jenkins-devel
> >>  
> >> diff --git devel/distinfo devel/distinfo
> >> index e5c0c28e049..a8b70855619 100644
> >> --- devel/distinfo
> >> +++ devel/distinfo
> >> @@ -1,2 +1,2 @@
> >> -SHA256 (jenkins/2.152/jenkins.war) =
> >jde/3OIrMtlBsnJ5qFeVQoGxfJu4d02G6H6c1A4UQMM=
> >> -SIZE (jenkins/2.152/jenkins.war) = 75939426
> >> +SHA256 (jenkins/2.155/jenkins.war) =
> >A0xtY7Vb+TjF0btTJ3XZqhj7NL1lqtTj6WgyWXi+hrg=
> >> +SIZE (jenkins/2.155/jenkins.war) = 76037370
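Review bot: the SHA256 lines in this hunk have been wrapped by the mail client, with the '=' ending one line and the base64 digest starting the next at a different quote depth, so this quoted copy will not apply with patch(1); the same wrapping affects the stable/distinfo hunk below. The committer should take the diff from the original attachment or regenerate distinfo with make makesum rather than re-typing the digests.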
> >> diff --git stable/Makefile stable/Makefile
> >> index db693c9e5dd..ba2cdfff6fa 100644
> >> --- stable/Makefile
> >> +++ stable/Makefile
> >> @@ -1,6 +1,6 @@
> >>  # $OpenBSD: Makefile,v 1.30 2018/11/29 14:07:02 rsadowski Exp $
> >>  
> >> -VERSION = 2.138.3
> >> +VERSION = 2.150.1
> >>  MASTER_SITES =    http://mirrors.jenkins-ci.org/war-stable/${VERSION}/
> >>  DIST_SUBDIR =     jenkins-stable
> >>  
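Review bot: moving the stable branch from 2.138.3 to 2.150.1 in -current matches the advisory's LTS guidance quoted above (2.138.4 or 2.150.1), but for the 6.4-stable branch this same hunk should instead take 2.138.4, as the reply at the top of the thread also suggests staying on 2.138.x there; that needs a separate diff against the stable ports tree.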
> >> diff --git stable/distinfo stable/distinfo
> >> index dc95ebe1334..77a061aea34 100644
> >> --- stable/distinfo
> >> +++ stable/distinfo
> >> @@ -1,2 +1,2 @@
> >> -SHA256 (jenkins/2.138.3/jenkins.war) =
> >lT5N2i0wZShMABaz6CeeCX+DDBKLH3EthHgP8rB1Hn0=
> >> -SIZE (jenkins/2.138.3/jenkins.war) = 75733340
> >> +SHA256 (jenkins/2.150.1/jenkins.war) =
> >ejhYbVo6GoNJiAmoNxVyi7LwG1in3TqINm8Hbv2vZmk=
> >> +SIZE (jenkins/2.150.1/jenkins.war) = 75938045
> 
> ----- End forwarded message -----
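
As an added illustration (not code from the thread or from OpenBSD's quirks package), here is a simplified Python re-implementation of the check the $cve entries drive: a pkgpath maps to a 'stem-<cutoff' spec, and an installed package name with a matching stem and a version below the cutoff is the one pkg_add should whine about. The version grammar handled (dotted numbers plus an optional pN patch level) is an assumption covering only the specs visible in the diff; the real pkgspec matching in pkg_add is richer.

```python
"""Simplified re-implementation of the quirks $cve check from the thread.
Constructed for illustration; NOT OpenBSD's Quirks.pm or pkg_add code,
whose pkgspec grammar is much richer. A $cve entry maps a pkgpath to a
spec 'stem-<cutoff'; a package whose stem matches and whose version sorts
below the cutoff is flagged as a known-bad version."""
import re

# Constructed copy of entries from the diff in the thread.
CVE = {
    'devel/jenkins/devel': 'jenkins-<2.154',
    'devel/jenkins/stable': 'jenkins-<2.150.1',
    'devel/mercurial,-main': 'mercurial-<4.5.3p1',
}

def split_pkgname(pkgname):
    """Split 'jenkins-2.150.1' into ('jenkins', '2.150.1'). Stems may contain
    dashes ('git-svn'), so the version is the part after the last dash."""
    stem, _, version = pkgname.rpartition('-')
    if not version or not version[0].isdigit():
        raise ValueError('no version in %r' % pkgname)
    return stem, version

def version_key(version):
    """Sort key: dotted numeric components, then the optional pN patch level
    (missing counts as p0, so 4.5.3 < 4.5.3p1). Assumed grammar: only what
    the thread's specs need, no flavors or 'v' epochs."""
    m = re.fullmatch(r'(\d+(?:\.\d+)*)(?:p(\d+))?', version)
    if not m:
        raise ValueError('unsupported version %r' % version)
    nums = tuple(int(x) for x in m.group(1).split('.'))
    return nums, int(m.group(2) or 0)

def is_bad(pkgpath, pkgname):
    """True if the $cve entry for pkgpath flags this installed pkgname."""
    spec = CVE.get(pkgpath)
    if spec is None:
        return False
    spec_stem, cutoff = spec.split('-<', 1)
    stem, version = split_pkgname(pkgname)
    if stem != spec_stem:
        return False
    return version_key(version) < version_key(cutoff)

if __name__ == '__main__':
    # The versions in snapshots (bad) and the proposed update (ok).
    for path, name in [('devel/jenkins/stable', 'jenkins-2.138.3'),
                       ('devel/jenkins/stable', 'jenkins-2.150.1'),
                       ('devel/jenkins/devel', 'jenkins-2.152'),
                       ('devel/jenkins/devel', 'jenkins-2.155')]:
        print(path, name, 'BAD' if is_bad(path, name) else 'ok')
```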
