Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
On 2018/12/17 18:58, Edward Lopez-Acosta wrote:
> Not sure why the title got changed so I fixed it.
>
> Thank you for the explanation on when to use, and how to update, quirks. I
> will keep this in mind for future submissions if applicable.
>
> What is the logic in not updating this for -stable too? Because they
> constantly update for security issues and this is not convenient? Security
> is not always convenient. Or am I somehow confused by the goals of the
> OpenBSD project?

I didn't say anything about *not* updating, rather stick to the 2.138.x branch (i.e. 2.138.4) rather than pulling in the bunch of other changes that come with 2.150.x
Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
Edward Lopez-Acosta wrote:
> What is the logic in not updating this for -stable too?

There are no magic fairies building -stable packages on a constant basis.

> Because they constantly update for security issues and this is not convenient?

Yes. Also it isn't just a matter of building using robots. Fairies would need to keep a close eye on things, because it is a complicated ecosystem. As a result, it would detract from their time working on newer issues.

There are 3 kinds of projects out there:

- ones that maintain -stable variations using lots of $$$ they get from support contracts
- ones that maintain -stable variations using teams, but then they don't do so much future-facing work (security or not) in other areas
- the OpenBSD approach of doing substantial security work in the base system, adapting largely unready software to the new tougher rules, and making a release every 6 months which is still pretty bleeding edge

> Security is not always convenient.

Security isn't achieved by simply being a robot building the latest software. There are factors you cannot simply wave away with a wand.

> Or am I somehow confused by the goals of the OpenBSD project?

Probably. Isn't everyone?
Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
Not sure why the title got changed so I fixed it.

Thank you for the explanation on when to use, and how to update, quirks. I will keep this in mind for future submissions if applicable.

What is the logic in not updating this for -stable too? Because they constantly update for security issues and this is not convenient? Security is not always convenient. Or am I somehow confused by the goals of the OpenBSD project?

Edward Lopez-Acosta

On 12/17/18 5:43 PM, Stuart Henderson wrote:

Bringing ports@ to CC

On 2018/12/17 16:54, Ian Darwin wrote:

Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve" in quirks/Quirks.pm?

That is the intention (I'd go for listing any known security fixes whether or not there's a CVE number for it).

The format appears to be to list the "bad" values, so would this be for example:

devel/jenkins/stable < 2.150.1

I think it would look like the diff below but ideally it should be tested to make sure that it does whine when you try to install a "bad" version (i.e. the ones for both jenkins/devel and jenkins/stable branches in current snapshots) and doesn't whine when you try to install a new version (by pointing pkg_add at locally built packages and adding).

doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel

and same for ...jenkins%stable

For 6.4-stable it should probably stay on the 2.138.x branch rather than jumping to the new 2.150.x.

(from the look of the changelog, pretty much all jenkins updates include security fixes..)

Index: Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.670 diff -u -p -r1.670 Makefile --- Makefile17 Dec 2018 01:10:00 - 1.670 +++ Makefile17 Dec 2018 23:33:38 - 
@@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.63 +PKGNAME = quirks-3.64 PKG_ARCH =* MAINTAINER = Marc Espie Index: files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.684 diff -u -p -r1.684 Quirks.pm --- files/Quirks.pm 17 Dec 2018 01:10:00 - 1.684 +++ files/Quirks.pm 17 Dec 2018 23:33:38 - @@ -1235,6 +1235,8 @@ my $cve = { 'devel/git,-main' => 'git-<2.19.1', 'devel/git,-svn' => 'git-svn-<2.19.1', 'devel/git,-x11' => 'git-x11-<2.19.1', + 'devel/jenkins/devel' => 'jenkins-<2.154', + 'devel/jenkins/stable' => 'jenkins-<2.150.1', 'devel/libgit2/libgit2' => 'libgit2-<0.27.7', 'devel/mercurial,-main' => 'mercurial-<4.5.3p1', 'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1', Thx Ian - Forwarded message from Edward Lopez-Acosta - Date: Mon, 17 Dec 2018 21:25:05 + 
From: Edward Lopez-Acosta
To: i...@openbsd.org
Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)

Hi Ian,

Just following up on this due to the critical issue fixed. Does quirks need updating or is this change good to go?

Thank you

On December 14, 2018 11:47:06 PM UTC, Ian Darwin wrote:

On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:

Version update for multiple security issues including one marked as critical.

I was not sure how to update quirks so that is not included in this diff. If someone is willing to teach me what to do I can add that in, or review changes to quirks after this is merged.

Why do you think it needs quirks?

Builds, installs, and runs fine on amd64. No special upgrade steps when upgrading from 2.138.3 currently in the tree.

- MAINTAINER CC'ed
- No tests present
- No change to required libs or current PLIST
- Nothing relies on this
- Self tested some projects and did not run into issues
- Diff applies fine with `patch`

CHANGELOG:
https://jenkins.io/changelog-stable/

https://jenkins.io/security/advisory/2018-12-05/

Severity

SECURITY-595: critical
SECURITY-904: medium
SECURITY-1072: medium
SECURITY-1193: medium

Affected Versions

Jenkins weekly up to and including 2.153
Jenkins LTS up to and including 2.138.3

Fix

Jenkins weekly should be updated to version 2.154
Jenkins LTS should be updated to version either 2.138.4 or 2.150.1

--
Edward Lopez-Acosta

diff --git devel/Makefile devel/Makefile index 26817c51381..03fb8174712 100644 --- devel/Makefile +++ devel/Makefile @@ -1,6 +1,6 @@ # $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10 rsadowski Exp $ -VERSION = 2.152 +VERSION = 2.155 MASTER_SITES =http://mirrors.jenkins-ci.org/war/${VERSION}/ DIST_SUBD
Re: [elopezaco...@gmail.com: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)]
Bringing ports@ to CC

On 2018/12/17 16:54, Ian Darwin wrote:
> Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve"
> in quirks/Quirks.pm?

That is the intention (I'd go for listing any known security fixes whether or not there's a CVE number for it).

> The format appears to be to list the "bad" values, so would this be for
> example:
> devel/jenkins/stable < 2.150.1

I think it would look like the diff below but ideally it should be tested to make sure that it does whine when you try to install a "bad" version (i.e. the ones for both jenkins/devel and jenkins/stable branches in current snapshots) and doesn't whine when you try to install a new version (by pointing pkg_add at locally built packages and adding).

doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel

and same for ...jenkins%stable

For 6.4-stable it should probably stay on the 2.138.x branch rather than jumping to the new 2.150.x.

(from the look of the changelog, pretty much all jenkins updates include security fixes..)

Index: Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.670 diff -u -p -r1.670 Makefile --- Makefile17 Dec 2018 01:10:00 - 1.670 +++ Makefile17 Dec 2018 23:33:38 - @@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.63 +PKGNAME = quirks-3.64 PKG_ARCH = * MAINTAINER = Marc Espie Index: files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.684 diff -u -p -r1.684 Quirks.pm --- files/Quirks.pm 17 Dec 2018 01:10:00 - 1.684 +++ files/Quirks.pm 17 Dec 2018 23:33:38 - 
@@ -1235,6 +1235,8 @@ my $cve = { 'devel/git,-main' => 'git-<2.19.1', 'devel/git,-svn' => 'git-svn-<2.19.1', 'devel/git,-x11' => 'git-x11-<2.19.1', + 'devel/jenkins/devel' => 'jenkins-<2.154', + 'devel/jenkins/stable' => 'jenkins-<2.150.1', 'devel/libgit2/libgit2' => 'libgit2-<0.27.7', 'devel/mercurial,-main' => 'mercurial-<4.5.3p1', 'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1', > Thx > Ian > - Forwarded message from Edward Lopez-Acosta > - > > Date: Mon, 17 Dec 2018 21:25:05 + 
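Review bot: the 'devel/jenkins/stable' => 'jenkins-<2.150.1' entry in the Quirks.pm hunk treats every stable build below 2.150.1 as affected, and that range includes 2.138.4, which the forwarded advisory text names as the other fixed LTS version ("Jenkins LTS should be updated to version either 2.138.4 or 2.150.1"). That matches the port moving to 2.150.1 in -current, but if the entry is carried over to 6.4-stable, where the reply upthread suggests staying on 2.138.x, a patched jenkins-2.138.4 would still be reported as bad; a note in the commit message about this would help. Before committing, run the pkg_add test described above (TRUSTED_PKG_PATH pointing at locally built packages) for both jenkins%devel and jenkins%stable, so that the warning is confirmed to fire for the snapshot versions and to stay silent for 2.155 and 2.150.1.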
> From: Edward Lopez-Acosta
> To: i...@openbsd.org
> Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple
> CVEs)
>
> Hi Ian,
>
> Just following up on this due to the critical issue fixed. Does quirks need
> updating or is this change good to go?
>
> Thank you
>
> On December 14, 2018 11:47:06 PM UTC, Ian Darwin wrote:
> >On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:
> >> Version update for multiple security issues including one marked as
> >> critical.
> >>
> >> I was not sure how to update quirks so that is not included in this diff. If
> >> someone is willing to teach me what to do I can add that in, or review
> >> changes to quirks after this is merged.
> >
> >Why do you think it needs quirks?
> >
> >> Builds, installs, and runs fine on amd64. No special upgrade steps when
> >> upgrading from 2.138.3 currently in the tree.
> >>
> >> - MAINTAINER CC'ed
> >> - No tests present
> >> - No change to required libs or current PLIST
> >> - Nothing relies on this
> >> - Self tested some projects and did not run into issues
> >> - Diff applies fine with `patch`
> >>
> >> CHANGELOG:
> >> https://jenkins.io/changelog-stable/
> >>
> >> https://jenkins.io/security/advisory/2018-12-05/
> >>
> >> Severity
> >>
> >> SECURITY-595: critical
> >> SECURITY-904: medium
> >> SECURITY-1072: medium
> >> SECURITY-1193: medium
> >>
> >> Affected Versions
> >>
> >> Jenkins weekly up to and including 2.153
> >> Jenkins LTS up to and including 2.138.3
> >>
> >> Fix
> >>
> >> Jenkins weekly should be updated to version 2.154
> >> Jenkins LTS should be updated to version either 2.138.4 or 2.150.1
> >>
> >> --
> >> Edward Lopez-Acosta
> >
> >> diff --git devel/Makefile devel/Makefile
> >> index 26817c51381
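To make the "list the bad values" format of the `$cve` map concrete, here is an added Python model of how an entry such as `'jenkins-<2.150.1'` is evaluated against a package name. It is not code from Quirks.pm and it is a simplification of OpenBSD::PackageName's comparison (which handles more version syntax, such as vN epochs); it assumes dotted-integer versions with an optional pN patch level, and it makes visible that the stable rule also flags 2.138.4, the other fixed LTS version the advisory names.

```python
import re

# Constructed sample: the two rules the Quirks.pm hunk in this thread adds,
# plus one existing entry from its context lines, keyed by pkgpath.
CVE_RULES = {
    "devel/jenkins/devel": "jenkins-<2.154",
    "devel/jenkins/stable": "jenkins-<2.150.1",
    "devel/mercurial,-x11": "mercurial-x11-<4.5.3p1",
}


def parse_version(text):
    """'4.5.3p1' -> ([4, 5, 3], 1).  Assumption: dotted integers plus an
    optional pN patch level; other OpenBSD version syntax is out of scope."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", text)
    if m is None:
        raise ValueError(f"unsupported version syntax: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    plevel = int(m.group(2)) if m.group(2) else 0
    return numbers, plevel


def version_lt(a, b):
    """True if version a sorts before b (tuple compare, so the patch level
    only decides when the dotted parts are equal)."""
    return parse_version(a) < parse_version(b)


def split_pkgname(pkgname):
    """'mercurial-x11-4.5.3p1' -> ('mercurial-x11', '4.5.3p1'): the version
    starts at the last '-' that is followed by a digit."""
    m = re.fullmatch(r"(.+)-(\d[^-]*)", pkgname)
    if m is None:
        raise ValueError(f"no version in package name: {pkgname!r}")
    return m.group(1), m.group(2)


def rule_matches(rule, pkgname):
    """Evaluate a 'stem-<bound' rule: same stem and version below bound."""
    stem, bound = rule.split("-<", 1)
    name, version = split_pkgname(pkgname)
    return name == stem and version_lt(version, bound)


def is_flagged(pkgpath, pkgname):
    """Outcome of a quirks-style check for installing pkgname from pkgpath:
    True (known-bad), False (not affected), None (no rule for that path)."""
    rule = CVE_RULES.get(pkgpath)
    return None if rule is None else rule_matches(rule, pkgname)
```

Running `is_flagged("devel/jenkins/stable", "jenkins-2.138.4")` returns True, which is the 6.4-stable corner case worth keeping in mind when the entry is reused there.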
SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
Version update for multiple security issues including one marked as critical. I was not sure how to update quirks so that is not included in this diff. If someone is willing to teach me what to do I can add that in, or review changes to quirks after this is merged.

Builds, installs, and runs fine on amd64. No special upgrade steps when upgrading from 2.138.3 currently in the tree.

- MAINTAINER CC'ed
- No tests present
- No change to required libs or current PLIST
- Nothing relies on this
- Self tested some projects and did not run into issues
- Diff applies fine with `patch`

CHANGELOG:
https://jenkins.io/changelog-stable/

https://jenkins.io/security/advisory/2018-12-05/

Severity

SECURITY-595: critical
SECURITY-904: medium
SECURITY-1072: medium
SECURITY-1193: medium

Affected Versions

Jenkins weekly up to and including 2.153
Jenkins LTS up to and including 2.138.3

Fix

Jenkins weekly should be updated to version 2.154
Jenkins LTS should be updated to version either 2.138.4 or 2.150.1

--
Edward Lopez-Acosta

diff --git devel/Makefile devel/Makefile index 26817c51381..03fb8174712 100644 --- devel/Makefile +++ devel/Makefile @@ -1,6 +1,6 @@ # $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10 rsadowski Exp $ -VERSION = 2.152 +VERSION = 2.155 MASTER_SITES = http://mirrors.jenkins-ci.org/war/${VERSION}/ DIST_SUBDIR = jenkins-devel diff --git devel/distinfo devel/distinfo index e5c0c28e049..a8b70855619 100644 --- devel/distinfo +++ devel/distinfo @@ -1,2 +1,2 @@ -SHA256 (jenkins/2.152/jenkins.war) = jde/3OIrMtlBsnJ5qFeVQoGxfJu4d02G6H6c1A4UQMM= -SIZE (jenkins/2.152/jenkins.war) = 75939426 +SHA256 (jenkins/2.155/jenkins.war) = A0xtY7Vb+TjF0btTJ3XZqhj7NL1lqtTj6WgyWXi+hrg= +SIZE (jenkins/2.155/jenkins.war) = 76037370 diff --git stable/Makefile stable/Makefile index db693c9e5dd..ba2cdfff6fa 100644 --- stable/Makefile +++ stable/Makefile 
@@ -1,6 +1,6 @@ # $OpenBSD: Makefile,v 1.30 2018/11/29 14:07:02 rsadowski Exp $ -VERSION = 2.138.3 +VERSION = 2.150.1 MASTER_SITES = http://mirrors.jenkins-ci.org/war-stable/${VERSION}/ DIST_SUBDIR = jenkins-stable diff --git stable/distinfo stable/distinfo index dc95ebe1334..77a061aea34 100644 --- stable/distinfo +++ stable/distinfo @@ -1,2 +1,2 @@ -SHA256 (jenkins/2.138.3/jenkins.war) = lT5N2i0wZShMABaz6CeeCX+DDBKLH3EthHgP8rB1Hn0= -SIZE (jenkins/2.138.3/jenkins.war) = 75733340 +SHA256 (jenkins/2.150.1/jenkins.war) = ejhYbVo6GoNJiAmoNxVyi7LwG1in3TqINm8Hbv2vZmk= +SIZE (jenkins/2.150.1/jenkins.war) = 75938045
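Review bot: in the devel/Makefile hunk the new VERSION 2.155 is above the advisory's weekly fix version 2.154 quoted in the submission, so the devel branch is fixed by this diff; stating 2.154 as the minimum fixed version in the commit message would keep the port and any later quirks entry for jenkins/devel consistent.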
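Review bot: the devel/distinfo hunk (and likewise the stable/distinfo hunk) replaces SHA256 and SIZE with whatever `make makesum` downloaded, and since MASTER_SITES in the surrounding Makefile context is a plain http:// URL to mirrors.jenkins-ci.org, that recorded checksum becomes the only integrity check every later build gets. Please confirm the two new SHA256 values against a second, independently fetched copy of each jenkins.war before committing, so that a bad download is not enshrined as the trusted value.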
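Review bot: the stable/Makefile hunk moves the LTS port from 2.138.3 to 2.150.1, which crosses LTS lines rather than taking 2.138.4, the in-line fix the advisory also lists. For -current that is fine, but the reply upthread asks that 6.4-stable stay on 2.138.x, so the commit message should say the LTS line changed and that a -stable backport should use 2.138.4 instead. The MASTER_SITES path (war-stable) and DIST_SUBDIR stay as unchanged context, so nothing else in the port needs to move with the version.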