Date: Fri, 27 Apr 2012 15:13:24 GMT
From: Eric Freeman <freebsdports@chillibear.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/167363: [MAINTAINER] update mail/rubygem-mail to 2.4.4
Message-ID: <201204271513.q3RFDO5s076417@red.freebsd.org>
Resent-Message-ID: <201204271520.q3RFK9K9070486@freefall.freebsd.org>

>Number: 167363
>Category: ports
>Synopsis: [MAINTAINER] update mail/rubygem-mail to 2.4.4
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 27 15:20:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Eric Freeman
>Release: 9.0
>Organization: Sundive Networks
>Environment:
FreeBSD bsd9.local 9.0-CURRENT-201008 FreeBSD 9.0-CURRENT-201008 #0: Tue Aug 3 20:09:44 UTC 2010 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Eitan Adler alerted me to two flaws that are present in the version of the 'mail' gem currently in ports. These are both fixed in the current (2.4.4) version.

Please see http://seclists.org/oss-sec/2012/q2/190 for details of the flaws. These will have CVE-2012-2139 and CVE-2012-2140 assigned.

The patch in this PR updates the mail gem to 2.4.4.

As it stands by the gemspecs there should be some version mismatches with 2.4.4, some pre-existing, some new[1]. That said, I've successfully installed on a clean system and run test scripts using

- mail/rubygem-actionmailer
- mail/rubygem-pony
- mail/rubygem-mail

to send email, so I'm fairly confident this won't break rails or anything.

I have removed the active-support dependency, since this appears to have been removed back in version 2.3.0.

[1] By the gemspec mail requires:

* i18n >= 0.4.0
* mime-types ~> 1.16
* treetop ~> 1.4.8

Currently ports has:

* devel/rubygem-i18n 0.6.0
* misc/rubygem-mime-types 1.17.2
* devel/rubygem-treetop 1.4.10

So mime-types and treetop are currently wrong, but it still appears to work without issues I can see with my limited testing.
>How-To-Repeat:
See http://seclists.org/oss-sec/2012/q2/190
CVE-2012-2139
CVE-2012-2140
>Fix:
--- mail/rubygem-mail.old/Makefile 2012-04-26 20:44:48.000000000 +0100 +++ mail/rubygem-mail/Makefile 2012-04-26 20:47:28.000000000 +0100 
@@ -6,7 +6,7 @@ # PORTNAME= mail -PORTVERSION= 2.4.1 +PORTVERSION= 2.4.4 PORTEPOCH= 1 CATEGORIES= mail rubygems MASTER_SITES= RG @@ -18,7 +18,6 @@ RUN_DEPENDS= rubygem-treetop>=1.4.8:${PORTSDIR}/devel/rubygem-treetop \ rubygem-mime-types>=1.16:${PORTSDIR}/misc/rubygem-mime-types \ - rubygem-activesupport>=2.3.6:${PORTSDIR}/devel/rubygem-activesupport \ rubygem-i18n>=0.4.0:${PORTSDIR}/devel/rubygem-i18n USE_RUBY= yes diff -ru mail/rubygem-mail.old/distinfo mail/rubygem-mail/distinfo --- mail/rubygem-mail.old/distinfo 2012-04-26 20:44:48.000000000 +0100 +++ mail/rubygem-mail/distinfo 2012-04-26 20:47:40.000000000 +0100 @@ -1,2 +1,2 @@ -SHA256 (rubygem/mail-2.4.1.gem) = 80d742e6f93c01e7f25015f2cd1f88e8869b9ef4bce3fc22f0f568ce925c050e -SIZE (rubygem/mail-2.4.1.gem) = 121856 +SHA256 (rubygem/mail-2.4.4.gem) = 237625b7e70f8cd9615658e0963c9880094a974cfa9dda7325e3537bcba7be45 +SIZE (rubygem/mail-2.4.4.gem) = 121856 >Release-Note: >Audit-Trail: >Unformatted:
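
Review bot: The PORTVERSION bump in the first Makefile hunk is presented as the fix for CVE-2012-2139 and CVE-2012-2140, yet the patch touches only Makefile and distinfo, so nothing marks already-installed 2.4.1 packages as vulnerable. Suggest submitting a matching security/vuxml entry alongside this update, listing both CVE identifiers and the versions before this update as affected, and keeping PORTEPOCH 1 in the version range.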
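
Review bot: In the RUN_DEPENDS hunk of the Makefile, the remaining treetop and mime-types entries are open-ended `>=` lower bounds, while the gemspec constraints quoted in the description are pessimistic (`~> 1.4.8`, `~> 1.16`), which RubyGems reads as `>= 1.4.8, < 1.5` and `>= 1.16, < 2.0`. The versions listed as currently in ports (treetop 1.4.10, mime-types 1.17.2) fall inside those ranges, but the port would also accept a later treetop 1.5 or mime-types 2.x that the gemspec excludes. A comment beside RUN_DEPENDS recording the upper bounds would help whoever next updates those ports.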
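
Review bot: In the distinfo hunk the SHA256 changes but SIZE stays at 121856 for both mail-2.4.1.gem and mail-2.4.4.gem. Two releases with an identical size is possible for a block-padded archive, but please confirm that both lines were regenerated with `make makesum` against the freshly fetched 2.4.4 gem and that the SIZE line was not carried over by hand.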