Date: Mon, 19 Apr 2021 00:29:58 -0700 From: Kevin Bowling <kevin.bowling@kev009.com> To: Baptiste Daroussin <bapt@freebsd.org> Cc: Kevin Bowling <kbowling@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1 Message-ID: <CAK7dMtD85eK45H41_2YYHTqT2kpYRfYj6Lp8f3HRkEBaLQeyEA@mail.gmail.com> In-Reply-To: <20210419072338.ixoex7jzy42zkfqm@aniel.nours.eu> References: <202104190411.13J4BfrC096512@gitrepo.freebsd.org> <20210419072338.ixoex7jzy42zkfqm@aniel.nours.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Apr 19, 2021 at 12:23 AM Baptiste Daroussin <bapt@freebsd.org> wrote: > > On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote: > > The branch main has been updated by kbowling: > > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 > > > > commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 > > Author: Kevin Bowling <kbowling@FreeBSD.org> > > AuthorDate: 2021-04-19 04:05:30 +0000 > > Commit: Kevin Bowling <kbowling@FreeBSD.org> > > CommitDate: 2021-04-19 04:11:34 +0000 > > > > devel/maven: update to 3.8.1 > > > > This is not just a bugfix as it contains three features that cause a change of > > default behavior (external HTTP insecure URLs are now blocked by default): your > > builds may fail when using this new Maven release, if you use now blocked > > repositories. Please check and eventually fix before upgrading. > > > > Changes http://maven.apache.org/docs/3.8.1/release-notes.html > > > > PR: 255161 > > Approved by: Jonathan Chen <jonc@chen.org.nz> (maintainer) > > Security: CVE-2021-26291 > > CVE-2020-13956 > > --- > > devel/maven/Makefile | 2 +- > > devel/maven/distinfo | 6 ++--- > > devel/maven/pkg-plist | 18 ++++++------- > > security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ > > 4 files changed, 80 insertions(+), 13 deletions(-) > > You are not supposed to commit the vuxml entry with that actual port (as > explained in the porter handbook), The reason for that is fairly simple, vuxml > entries are not merged back to quarterly branches, so now merging this to the > quarterly branch (which is what we are supposed to do for CVE in particular) > will result in a conflict on vuxml instead of a simple straight forward > cherry-pick Ok. Would you like me to handle the MFH to drop that part of the change? > Best regards, > Bapt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAK7dMtD85eK45H41_2YYHTqT2kpYRfYj6Lp8f3HRkEBaLQeyEA>