Date: Mon, 19 Apr 2021 09:23:38 +0200
From: Baptiste Daroussin
To: Kevin Bowling
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1
List-Id: Commit messages for all branches of the ports repository

On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote:
> The branch main has been updated by kbowling:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
>
> commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> Author:     Kevin Bowling
> AuthorDate: 2021-04-19 04:05:30 +0000
> Commit:     Kevin Bowling
> CommitDate: 2021-04-19 04:11:34 +0000
>
>     devel/maven: update to 3.8.1
>
>     This is not just a bugfix as it contains three features that cause a change of
>     default behavior (external HTTP insecure URLs are now blocked by default): your
>     builds may fail when using this new Maven release, if you use now blocked
>     repositories. Please check and eventually fix before upgrading.
>
>     Changes http://maven.apache.org/docs/3.8.1/release-notes.html
>
>     PR:             255161
>     Approved by:    Jonathan Chen (maintainer)
>     Security:       CVE-2021-26291
>                     CVE-2020-13956
> ---
>  devel/maven/Makefile    |  2 +-
>  devel/maven/distinfo    |  6 ++---
>  devel/maven/pkg-plist   | 18 ++++++-------
>  security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 80 insertions(+), 13 deletions(-)

You are not supposed to commit the vuxml entry with that actual port (as
explained in the porter handbook).

The reason for that is fairly simple: vuxml entries are not merged back to
quarterly branches, so now merging this to the quarterly branch (which is what
we are supposed to do for CVE in particular) will result in a conflict on vuxml
instead of a simple straightforward cherry-pick.

Best regards,
Bapt
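
The rule stated in the reply above, written as a check a committer could run before pushing. This is an added example, not part of the original message or of the FreeBSD ports tooling. It reads the paths a commit touches on stdin, for instance from `git diff-tree --no-commit-id --name-only -r <commit>`; the function names are hypothetical, and the first sample is the path list from the quoted diffstat.

```shell
#!/bin/sh
# Added example: flag a ports commit that mixes a vuxml entry with port changes.
# Input: one repository-relative path per line on stdin.
# Return status: 0 = the commit does not mix the two, 1 = it does.
check_commit_paths() {
    vuxml=0
    other=0
    while IFS= read -r path; do
        case "$path" in
            '') ;;                                   # ignore blank lines
            security/vuxml/*) vuxml=$((vuxml + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done
    if [ "$vuxml" -gt 0 ] && [ "$other" -gt 0 ]; then
        # vuxml is not merged to quarterly, so cherry-picking this commit
        # there would conflict on the vuxml file.
        echo "mixed: $vuxml vuxml path(s), $other other path(s); split the commit" >&2
        return 1
    fi
    return 0
}

# Paths taken from the diffstat quoted in the message.
mixed_commit() {
    printf '%s\n' devel/maven/Makefile devel/maven/distinfo \
        devel/maven/pkg-plist security/vuxml/vuln.xml
}

# Constructed samples: the same update split into two commits.
port_only_commit() {
    printf '%s\n' devel/maven/Makefile devel/maven/distinfo devel/maven/pkg-plist
}
vuxml_only_commit() {
    printf '%s\n' security/vuxml/vuln.xml
}

for c in mixed_commit port_only_commit vuxml_only_commit; do
    if "$c" | check_commit_paths 2>/dev/null; then
        echo "$c: ok"
    else
        echo "$c: split needed"
    fi
done
```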