Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)

2018-12-17 Thread Stuart Henderson
On 2018/12/17 18:58, Edward Lopez-Acosta wrote:
> Not sure why the title got changed so I fixed it.
> 
> Thank you for the explanation on when to use, and how to update, quirks. I
> will keep this in mind for future submissions if applicable.
> 
> What is the logic in not updating this for -stable too? Because they
> constantly update for security issues and this is not convenient? Security
> is not always convenient. Or am I somehow confused by the goals of the
> OpenBSD project?

I didn't say anything about *not* updating, rather stick to the 2.138.x
branch (i.e. 2.138.4) rather than pulling in the bunch of other changes
that come with 2.150.x



Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)

2018-12-17 Thread Theo de Raadt
Edward Lopez-Acosta  wrote:

> What is the logic in not updating this for -stable too?

There are no magic fairies building -stable packages on a constant
basis.

> Because they constantly update for security issues and this is not convenient?

Yes.  Also it isn't just a matter of building using robots.  Fairies
would need to keep a close eye on things, because it is a complicated
ecosystem.

As a result, it would detract from their time working on newer issues.

There are 3 kinds of projects out there:

- ones that maintain -stable variations using lots of $$$ they get
  from support contracts
- ones that maintain -stable variations using teams, but then they
  don't do so much future-facing work (security or not) in other
  areas
- the OpenBSD approach of doing substantial security work in the base
  system, adapting largely unready software to the new tougher rules,
  and making a release every 6 months which is still pretty bleeding
  edge

> Security is not always convenient.

Security isn't achieved by simply being a robot building the latest
software.  There are factors you cannot simply wave away with a wand.

> Or am I somehow confused by the goals of the OpenBSD project?

Probably.  Isn't everyone?



Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)

2018-12-17 Thread Edward Lopez-Acosta

Not sure why the title got changed so I fixed it.

Thank you for the explanation on when to use, and how to update, quirks. 
I will keep this in mind for future submissions if applicable.


What is the logic in not updating this for -stable too? Because they 
constantly update for security issues and this is not convenient? 
Security is not always convenient. Or am I somehow confused by the goals 
of the OpenBSD project?


Edward Lopez-Acosta

On 12/17/18 5:43 PM, Stuart Henderson wrote:

Bringing ports@ to CC

On 2018/12/17 16:54, Ian Darwin wrote:

Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve" 
in quirks/Quirks.pm?


That is the intention (I'd go for listing any known security fixes whether
or not there's a CVE number for it).


The format appears to be to list the "bad" values, so would this be for 
example:
devel/jenkins/stable < 2.150.1


I think it would look like the diff below but ideally it should be
tested to make sure that it does whine when you try to install a "bad"
version (i.e. the ones for both jenkins/devel and jenkins/stable
branches in current snapshots) and doesn't whine when you try
to install a new version (by pointing pkg_add at locally built
packages and adding).

doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel

and same for ...jenkins%stable

For 6.4-stable it should probably stay on the 2.138.x branch rather than
jumping to the new 2.150.x.

(from the look of the changelog, pretty much all jenkins updates include
security fixes..)

Index: Makefile
===
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.670
diff -u -p -r1.670 Makefile
--- Makefile17 Dec 2018 01:10:00 -  1.670
+++ Makefile17 Dec 2018 23:33:38 -
@@ -5,7 +5,7 @@ CATEGORIES =devel databases
  DISTFILES =
  
  # API.rev

-PKGNAME =  quirks-3.63
+PKGNAME =  quirks-3.64
  PKG_ARCH =*
  MAINTAINER =  Marc Espie 
  
Index: files/Quirks.pm

===
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.684
diff -u -p -r1.684 Quirks.pm
--- files/Quirks.pm 17 Dec 2018 01:10:00 -  1.684
+++ files/Quirks.pm 17 Dec 2018 23:33:38 -
@@ -1235,6 +1235,8 @@ my $cve = {
'devel/git,-main' => 'git-<2.19.1',
'devel/git,-svn' => 'git-svn-<2.19.1',
'devel/git,-x11' => 'git-x11-<2.19.1',
+   'devel/jenkins/devel' => 'jenkins-<2.154',
+   'devel/jenkins/stable' => 'jenkins-<2.150.1',
'devel/libgit2/libgit2' => 'libgit2-<0.27.7',
'devel/mercurial,-main' => 'mercurial-<4.5.3p1',
'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1',




Thx
Ian
- Forwarded message from Edward Lopez-Acosta  -

Date: Mon, 17 Dec 2018 21:25:05 +0000
From: Edward Lopez-Acosta 
To: i...@openbsd.org
Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)

Hi Ian,

Just following up on this due to the critical issue fixed. Does quirks need 
updated or is this change good to go?

Thank you

On December 14, 2018 11:47:06 PM UTC, Ian Darwin  wrote:

On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:

Version update for multiple security issues including one marked as
critical.

I was not sure how to update quirks so that is not included in this
diff. If someone is willing to teach me what to do I can add that in, or
review changes to quirks after this is merged.


Why do you think it needs quirks?


Builds, installs, and runs fine on amd64. No special upgrade steps when
upgrading from 2.138.3 currently in the tree.

- MAINTAINER CC'ed
- No tests present
- No change to required libs or current PLIST
- Nothing relies on this
- Self tested some projects and did not run into issues
- Diff applies fine with `patch`

CHANGELOG:
https://jenkins.io/changelog-stable/

https://jenkins.io/security/advisory/2018-12-05/

  Severity

 SECURITY-595: critical
 SECURITY-904: medium
 SECURITY-1072: medium
 SECURITY-1193: medium

Affected Versions

 Jenkins weekly up to and including 2.153
 Jenkins LTS up to and including 2.138.3

Fix

 Jenkins weekly should be updated to version 2.154
 Jenkins LTS should be updated to version either 2.138.4 or 2.150.1


--
Edward Lopez-Acosta



diff --git devel/Makefile devel/Makefile
index 26817c51381..03fb8174712 100644
--- devel/Makefile
+++ devel/Makefile
@@ -1,6 +1,6 @@
  # $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10 rsadowski Exp $
  
-VERSION =	2.152

+VERSION =  2.155
  MASTER_SITES =http://mirrors.jenkins-ci.org/war/${VERSION}/
  DIST_SUBDIR = jenkins-devel
  
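Review bot: moving VERSION from 2.152 to 2.155 puts the devel flavour above the 2.154 level the advisory gives for weekly, so this hunk agrees with the proposed quirks threshold 'jenkins-<2.154'; the distinfo hunk that follows is cut off here, and it is the part to check, because MASTER_SITES is plain http://mirrors.jenkins-ci.org/ and the SHA256 in distinfo is the only integrity check on the fetched war.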
diff --git devel/distinfo devel/distinfo

index e5c0c28e049..a8b70855619 100644
--- devel/distinfo
+++ devel/distinfo
@@ -1,2 +1,2 @@
-SHA256 (jenkins/2.152/j

Re: [elopezaco...@gmail.com: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)]

2018-12-17 Thread Stuart Henderson
Bringing ports@ to CC

On 2018/12/17 16:54, Ian Darwin wrote:
> Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve" 
> in quirks/Quirks.pm?

That is the intention (I'd go for listing any known security fixes whether
or not there's a CVE number for it).

> The format appears to be to list the "bad" values, so would this be for 
> example:
>   devel/jenkins/stable < 2.150.1

I think it would look like the diff below but ideally it should be
tested to make sure that it does whine when you try to install a "bad"
version (i.e. the ones for both jenkins/devel and jenkins/stable
branches in current snapshots) and doesn't whine when you try
to install a new version (by pointing pkg_add at locally built
packages and adding).

doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel

and same for ...jenkins%stable

For 6.4-stable it should probably stay on the 2.138.x branch rather than
jumping to the new 2.150.x.

(from the look of the changelog, pretty much all jenkins updates include
security fixes..)

Index: Makefile
===
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.670
diff -u -p -r1.670 Makefile
--- Makefile17 Dec 2018 01:10:00 -  1.670
+++ Makefile17 Dec 2018 23:33:38 -
@@ -5,7 +5,7 @@ CATEGORIES =devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME =  quirks-3.63
+PKGNAME =  quirks-3.64
 PKG_ARCH = *
 MAINTAINER =   Marc Espie 
 
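Review bot: the PKGNAME bump from quirks-3.63 to quirks-3.64 is the right companion for the Quirks.pm change, since pkg_add -u only picks up the new $cve table once the quirks package version moves; nothing else to flag in this hunk.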
Index: files/Quirks.pm
===
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.684
diff -u -p -r1.684 Quirks.pm
--- files/Quirks.pm 17 Dec 2018 01:10:00 -  1.684
+++ files/Quirks.pm 17 Dec 2018 23:33:38 -
@@ -1235,6 +1235,8 @@ my $cve = {
'devel/git,-main' => 'git-<2.19.1',
'devel/git,-svn' => 'git-svn-<2.19.1',
'devel/git,-x11' => 'git-x11-<2.19.1',
+   'devel/jenkins/devel' => 'jenkins-<2.154',
+   'devel/jenkins/stable' => 'jenkins-<2.150.1',
'devel/libgit2/libgit2' => 'libgit2-<0.27.7',
'devel/mercurial,-main' => 'mercurial-<4.5.3p1',
'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1',
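Review bot: the 'devel/jenkins/stable' => 'jenkins-<2.150.1' entry also marks 2.138.4 as bad, although the quoted advisory lists 2.138.4 as a fixed LTS version and the suggestion above is to keep 6.4-stable on the 2.138.x branch; that is fine for -current, where jenkins/stable moves to 2.150.1, but a quirks entry on the -stable branch would need 'jenkins-<2.138.4' instead. The 'devel/jenkins/devel' => 'jenkins-<2.154' line matches the advisory's weekly fix level, and as noted the whine/no-whine behaviour should still be checked with pkg_add against both the old and the locally built new packages.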



> Thx
> Ian
> - Forwarded message from Edward Lopez-Acosta  
> -
> 
> Date: Mon, 17 Dec 2018 21:25:05 +0000
> From: Edward Lopez-Acosta 
> To: i...@openbsd.org
> Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple 
> CVEs)
> 
> Hi Ian,
> 
> Just following up on this due to the critical issue fixed. Does quirks need 
> updated or is this change good to go?
> 
> Thank you
> 
> On December 14, 2018 11:47:06 PM UTC, Ian Darwin  wrote:
> >On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:
> >> Version update for multiple security issues including one marked as
> >> critical.
> >> 
> >> I was not sure how to update quirks so that is not included in this
> >diff. If
> >> someone is willing to teach me what to do I can add that in, or
> >review
> >> changes to quirks after this is merged.
> >
> >Why do you think it needs quirks?
> > 
> >> Builds, installs, and runs fine on amd64. No special upgrade steps
> >when
> >> upgrading from 2.138.3 currently in the tree.
> >> 
> >> - MAINTAINER CC'ed
> >> - No tests present
> >> - No change to required libs or current PLIST
> >> - Nothing relies on this
> >> - Self tested some projects and did not run into issues
> >> - Diff applies fine with `patch`
> >> 
> >> CHANGELOG:
> >> https://jenkins.io/changelog-stable/
> >> 
> >> https://jenkins.io/security/advisory/2018-12-05/
> >> 
> >>  Severity
> >> 
> >> SECURITY-595: critical
> >> SECURITY-904: medium
> >> SECURITY-1072: medium
> >> SECURITY-1193: medium
> >> 
> >> Affected Versions
> >> 
> >> Jenkins weekly up to and including 2.153
> >> Jenkins LTS up to and including 2.138.3
> >> 
> >> Fix
> >> 
> >> Jenkins weekly should be updated to version 2.154
> >> Jenkins LTS should be updated to version either 2.138.4 or
> >2.150.1
> >> 
> >> -- 
> >> Edward Lopez-Acosta
> >
> >> diff --git devel/Makefile devel/Makefile
> >> index 26817c51381..03fb8174712 100644
> >> --- devel/Makefile
> >> +++ devel/Makefile
> >> @@ -1,6 +1,6 @@
> >>  # $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10
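The $cve table lookup Stuart describes, as an added example that is not code from the OpenBSD quirks package or pkg_add: a simplified Python model of matching a package name against a 'stem-<version' entry, using the two jenkins lines from the diff, with a version comparator that assumes dotted integers plus an optional OpenBSD pN patch-level suffix (pkg_add's real comparison also handles things like vN epochs).

```python
# Added example (not code from the OpenBSD quirks package or pkg_add): a
# simplified model of how a $cve entry such as 'jenkins-<2.150.1' is matched
# against a package name, so the thresholds in the diff can be checked offline.
import re

# Entries copied from the Quirks.pm hunk (the mercurial line is hunk context).
CVE_TABLE = {
    'devel/jenkins/devel': 'jenkins-<2.154',
    'devel/jenkins/stable': 'jenkins-<2.150.1',
    'devel/mercurial,-x11': 'mercurial-x11-<4.5.3p1',
}

# Assumption: only the '<' operator and versions shaped like N.N[.N...][pN].
_VERSION = r'[0-9][0-9.]*(?:p[0-9]+)?'
_SPEC_RE = re.compile(rf'^(?P<stem>.+)-<(?P<version>{_VERSION})$')
_PKG_RE = re.compile(rf'^(?P<stem>.+)-(?P<version>{_VERSION})$')

def version_key(version):
    """Sort key for '2.138.3' or '4.5.3p1': dotted numbers, then pN level,
    so 2.138.3 < 2.138.3p1 < 2.138.4 < 2.150.1 < 2.154 (simplified)."""
    base, _, patch = version.partition('p')
    return tuple(int(x) for x in base.split('.')), int(patch or 0)

def split_pkgname(pkgname):
    """'jenkins-2.152' -> ('jenkins', '2.152'); 'git-svn-2.19.1' keeps stem."""
    m = _PKG_RE.match(pkgname)
    if not m:
        raise ValueError(f'not a stem-version package name: {pkgname}')
    return m.group('stem'), m.group('version')

def is_bad(pkgpath, pkgname, table=CVE_TABLE):
    """True when pkg_add would whine: the pkgpath has a $cve entry whose stem
    matches and whose '<' bound lies above the package's version."""
    spec = table.get(pkgpath)
    if spec is None:
        return False
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f'unsupported $cve spec: {spec}')
    stem, version = split_pkgname(pkgname)
    return (stem == m.group('stem')
            and version_key(version) < version_key(m.group('version')))

def flagged(candidates, table=CVE_TABLE):
    """The (pkgpath, pkgname) pairs the table rejects, e.g. the in-tree
    jenkins-2.138.3 and jenkins-2.152 but not 2.150.1 and 2.155."""
    return [c for c in candidates if is_bad(*c, table=table)]
```

Running it over the in-tree and updated names shows why the stable threshold matters: 2.138.4, which the advisory calls fixed, is still rejected by 'jenkins-<2.150.1'.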