From: "Tobias C. Berner"
Date: Mon, 14 Jun 2021 18:23:13 +0200
Subject: Re: git: 1454ab40206b - main - textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776
To: Dan Langille
Cc: "Tobias C. Berner", ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
List-Id: Commits to the main branch of the FreeBSD ports repository

Moin moin

Done now in 7735cbdd131003bbbb0c9238f1468db734b89bc4

mfg Tobias

On Fri, 11 Jun 2021 at 18:44, Dan Langille wrote:
>
>
>
>
> On May 27, 2021, at 4:57 AM, Tobias C. Berner wrote:
>
> The branch main has been updated by tcberner:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=1454ab40206b85f94edb6390e0d96c9716a07399
>
> commit 1454ab40206b85f94edb6390e0d96c9716a07399
> Author:     Tobias C. Berner
> AuthorDate: 2021-05-24 14:38:28 +0000
> Commit:     Tobias C. Berner
> CommitDate: 2021-05-27 08:56:26 +0000
>
>     textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776
>
>     See [1] for details:
>       Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier
>       today (21-05-23). Release 2.4.0 fixes long known security issue CVE-2013-0340 by
>       adding protection against so-called Billion Laughs Attacks, a form of
>       denial of service against applications accepting XML input, in all known
>       variations, including recent flavor Parameter Laughs.
>
>     [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0
>
>     PR:             256121
>     Exp-run by:     antoine
>
>
> Given this was a vuln fix, is there any reason I should not backport this to 2021Q2?
>
> That branch still has 2.2.0
>
> —
> Dan Langille
> http://langille.org/
>
>
>
>
>
> ---
>  textproc/expat2/Makefile  |  4 +++-
>  textproc/expat2/distinfo  |  6 +++---
>  textproc/expat2/pkg-plist | 10 +++++-----
>  3 files changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/textproc/expat2/Makefile b/textproc/expat2/Makefile
> index 69d0c38f232c..f24d6a60a027 100644
> --- a/textproc/expat2/Makefile
> +++ b/textproc/expat2/Makefile
> @@ -1,7 +1,7 @@
>  # Created by: Dirk Froemberg
>
>  PORTNAME=	expat
> -DISTVERSION=	2.3.0
> +DISTVERSION=	2.4.1
>  CATEGORIES=	textproc
>  MASTER_SITES=	https://github.com/libexpat/libexpat/releases/download/R_${DISTVERSION:S|.|_|g}/
>
> @@ -30,6 +30,8 @@ SHEBANG_FILES=	test-driver-wrapper.sh tests/udiffer.py tests/xmltest.sh
>  TEST_CONFIGURE_WITH=	tests
>  TEST_TARGET=	check
>
> +PLIST_SUB=	EXPAT_VERSION=${DISTVERSION}
> +
>  post-install:
>  	${INSTALL_MAN} ${WRKSRC}/doc/xmlwf.1 ${STAGEDIR}${MANPREFIX}/man/man1/
>
> diff --git a/textproc/expat2/distinfo b/textproc/expat2/distinfo
> index 96d40c66930f..5c679b618856 100644
> --- a/textproc/expat2/distinfo
> +++ b/textproc/expat2/distinfo
> @@ -1,3 +1,3 @@
> -TIMESTAMP = 1616672812
> -SHA256 (expat-2.3.0.tar.xz) = caa34f99b6e3bcea8502507eb6549a0a84510b244a748dfb287271b2d47467a9
> -SIZE (expat-2.3.0.tar.xz) = 433508
> +TIMESTAMP = 1621866901
> +SHA256 (expat-2.4.1.tar.xz) = cf032d0dba9b928636548e32b327a2d66b1aab63c4f4a13dd132c2d1d2f2fb6a
> +SIZE (expat-2.4.1.tar.xz) = 445024
> diff --git a/textproc/expat2/pkg-plist b/textproc/expat2/pkg-plist
> index 23469f8fae33..2e7b447c5e0f 100644
> --- a/textproc/expat2/pkg-plist
> +++ b/textproc/expat2/pkg-plist
> @@ -2,14 +2,14 @@ bin/xmlwf
>  include/expat.h
>  include/expat_config.h
>  include/expat_external.h
> -lib/cmake/expat-2.3.0/expat-config-version.cmake
> -lib/cmake/expat-2.3.0/expat-config.cmake
> -lib/cmake/expat-2.3.0/expat-noconfig.cmake
> -lib/cmake/expat-2.3.0/expat.cmake
> +lib/cmake/expat-%%EXPAT_VERSION%%/expat-config-version.cmake
> +lib/cmake/expat-%%EXPAT_VERSION%%/expat-config.cmake
> +lib/cmake/expat-%%EXPAT_VERSION%%/expat-noconfig.cmake
> +lib/cmake/expat-%%EXPAT_VERSION%%/expat.cmake
>  %%STATIC%%lib/libexpat.a
>  lib/libexpat.so
>  lib/libexpat.so.1
> -lib/libexpat.so.1.7.0
> +lib/libexpat.so.1.8.1
>  libdata/pkgconfig/expat.pc
>  man/man1/xmlwf.1.gz
>  %%PORTDOCS%%%%DOCSDIR%%/AUTHORS
>
>
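Review bot: in the first Makefile hunk, the `-DISTVERSION= 2.3.0` / `+DISTVERSION= 2.4.1` bump is more than a version string change for consumers: the commit message says 2.4.0 adds protection against Billion Laughs attacks, which means XML input that 2.3.0 would happily expand can now be refused by the library, and the exp-run cited in the message only proves that dependent ports still build, not that they still accept their inputs. One sentence in the commit message pointing dependent-port maintainers at the upstream release notes in [1] for that runtime behaviour change would let the quarterly-branch backport Dan asks about be judged without re-deriving it. The MASTER_SITES line needs no edit since the release tag is built from `${DISTVERSION:S|.|_|g}`.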
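Review bot: in the second Makefile hunk, `+PLIST_SUB= EXPAT_VERSION=${DISTVERSION}` uses `=` rather than `+=`. The pkg-plist in this same patch already depends on a `%%STATIC%%` substitution, so the port's plist relies on more than one PLIST_SUB entry; an assignment with `=` silently discards anything assigned to PLIST_SUB earlier in the Makefile if the option handling is ever moved or changed. `PLIST_SUB+=	EXPAT_VERSION=${DISTVERSION}` has the same effect today and cannot clobber a sibling entry.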
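Review bot: the distinfo hunk replaces the only integrity pin for the upstream tarball (the `SHA256 (expat-2.4.1.tar.xz)` and `SIZE` lines), and for a commit advertised as a security fix the message should say how that checksum was cross-checked. A SHA256 regenerated with `make makesum` from whatever was downloaded only proves that the same bytes will be fetched again; it says nothing about whether those bytes are the release upstream published. Stating that the hash was compared against the upstream release (the signed GitHub release for the R_2_4_1 tag the Makefile points at, or the announcement in [1]) is what makes this line a supply-chain check rather than a cache key.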
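Review bot: in the pkg-plist hunk, `-lib/libexpat.so.1.7.0` / `+lib/libexpat.so.1.8.1` moves the library's version while `lib/libexpat.so.1` (the SONAME-level link) is unchanged, so dependent ports keep linking against the same major and no PORTREVISION bump of consumers is implied; that is worth one line in the commit message, since the answer to "can this go to 2021Q2" largely turns on it. The switch from hardcoded `expat-2.3.0` cmake paths to `expat-%%EXPAT_VERSION%%` ties pkg-plist to DISTVERSION via the new PLIST_SUB, which is fine as long as upstream keeps naming the cmake directory after the full release version; if that ever diverges the plist will silently break at the next bump, so a comment next to the PLIST_SUB line recording that assumption would help.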