Date:      Wed, 21 Aug 2013 12:37:32 GMT
From:      Steve Wills <swills@freebsd.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        bsdports@wayfair.com
Subject:   ports/181453: [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
Message-ID:  <201308211237.r7LCbW4Q063598@meatwad.mouf.net>
Resent-Message-ID: <201308211240.r7LCe2np042895@freefall.freebsd.org>


>Number:         181453
>Category:       ports
>Synopsis:       [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 21 12:40:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Steve Wills
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
System: FreeBSD meatwad.mouf.net 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r253898: Sat Aug  3 00:09:09
>Description:
- Update to 0.9.11
- Fix security issue

Port maintainer (bsdports@wayfair.com) is cc'd.

Generated with FreeBSD Port Tools 0.99_8 (mode: update, diff: SVN)
>How-To-Repeat:
>Fix:

--- py27-graphite-web-0.9.11.patch begins here ---
Index: Makefile
===================================================================
--- Makefile	(revision 325114)
+++ Makefile	(working copy)
@@ -2,11 +2,9 @@
 # $FreeBSD$
 
 PORTNAME=	graphite-web
-PORTVERSION=	0.9.10
-PORTREVISION=	1
+PORTVERSION=	0.9.11
 CATEGORIES=	www python
-#MASTER_SITES=	CHEESESHOP \
-MASTER_SITES=	https://github.com/downloads/graphite-project/${PORTNAME}/
+MASTER_SITES=	https://github.com/graphite-project/${PORTNAME}/archive/${PORTVERSION}.tar.gz?dummy=
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
 MAINTAINER=	bsdports@wayfair.com
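Review bot: The `?dummy=` suffix on the new `MASTER_SITES` line is an undocumented workaround that only works together with the `FETCH_ARGS= -o ${DISTNAME}${EXTRACT_SUFX}` override in the next hunk, so a later edit to either line can silently break the fetch. The ports framework appends the distfile name to the site URL, and the query string appears to be there to absorb it. I would add a comment above the line such as `# GitHub tag archive: ?dummy= absorbs the appended distfile name, FETCH_ARGS -o sets the saved name`. The tarball is now generated by GitHub from a tag rather than uploaded as a release file, so the SHA256 in distinfo is the only thing pinning its contents; it is worth confirming that checksum against an independently fetched copy before commit.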
@@ -14,10 +12,10 @@
 
 RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cairo>=1.8.10:${PORTSDIR}/graphics/py-cairo \
 		${PYTHON_PKGNAMEPREFIX}carbon>=${PORTVERSION}:${PORTSDIR}/databases/py-carbon \
-		${PYTHON_PKGNAMEPREFIX}django>=1.3.1:${PORTSDIR}/www/py-django \
+		${PYTHON_PKGNAMEPREFIX}django>=1.4:${PORTSDIR}/www/py-django \
 		${PYTHON_PKGNAMEPREFIX}django-tagging>=0.3.1:${PORTSDIR}/www/py-django-tagging
 
-FETCH_ARGS=	-pRr
+FETCH_ARGS=	-o ${DISTNAME}${EXTRACT_SUFX}
 USE_PYTHON=	-2.7
 USE_PYDISTUTILS=yes
 
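Review bot: The unchanged `carbon>=${PORTVERSION}` entry in `RUN_DEPENDS` now resolves to `carbon>=0.9.11`, so this update cannot be installed unless databases/py-carbon is already at 0.9.11 or is updated alongside it, and nothing in this PR touches that port. Because the update carries a security fix, an unsatisfiable dependency would leave users on the vulnerable 0.9.10. Either commit the carbon update first or, if the two ports do not need to move in lockstep, pin the floor explicitly, e.g. `${PYTHON_PKGNAMEPREFIX}carbon>=0.9.10:${PORTSDIR}/databases/py-carbon \`.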
Index: distinfo
===================================================================
--- distinfo	(revision 325114)
+++ distinfo	(working copy)
@@ -1,2 +1,2 @@
-SHA256 (graphite-web-0.9.10.tar.gz) = 4fd1d16cac3980fddc09dbf0a72243c7ae32444903258e1b65e28428a48948be
-SIZE (graphite-web-0.9.10.tar.gz) = 2117421
+SHA256 (graphite-web-0.9.11.tar.gz) = 1aeb0fa2dd346725ca067a42a366dd9f90072d0d8b660026211ce3e37103e4e3
+SIZE (graphite-web-0.9.11.tar.gz) = 2333562
Index: files/patch-webapp-graphite-local__settings.py.example
===================================================================
--- files/patch-webapp-graphite-local__settings.py.example	(revision 325114)
+++ files/patch-webapp-graphite-local__settings.py.example	(working copy)
@@ -39,16 +39,3 @@
  
  
  #####################################
-@@ -156,6 +167,12 @@
- #DATABASE_PASSWORD = 'graphite-is-awesome'
- #DATABASE_HOST = 'mysql.mycompany.com'
- #DATABASE_PORT = '3306'
-+DATABASES = {
-+	'default': {
-+		'NAME': '/usr/local/graphite/storage/graphite.db',
-+		'ENGINE': 'django.db.backends.sqlite3',
-+	}
-+}
- 
- 
- #########################
Index: pkg-plist
===================================================================
--- pkg-plist	(revision 325114)
+++ pkg-plist	(working copy)
@@ -54,6 +54,7 @@
 graphite/webapp/content/img/arrow1.gif
 graphite/webapp/content/img/blank.gif
 graphite/webapp/content/img/calBt.gif
+graphite/webapp/content/img/carbon-fiber.png
 graphite/webapp/content/img/clock_16.png
 graphite/webapp/content/img/delete.gif
 graphite/webapp/content/img/error.png
@@ -62,11 +63,26 @@
 graphite/webapp/content/img/graphite_short.png
 graphite/webapp/content/img/indicator.png
 graphite/webapp/content/img/leaf.gif
+graphite/webapp/content/img/line_chart.png
 graphite/webapp/content/img/mini-bottom2.gif
 graphite/webapp/content/img/mini-top2.gif
 graphite/webapp/content/img/save.gif
 graphite/webapp/content/img/searching.gif
 graphite/webapp/content/img/updateGraph.gif
+graphite/webapp/content/js/ace/ace.js
+graphite/webapp/content/js/ace/keybinding-vim.js
+graphite/webapp/content/js/ace/mode-c_cpp.js
+graphite/webapp/content/js/ace/mode-clojure.js
+graphite/webapp/content/js/ace/mode-coffee.js
+graphite/webapp/content/js/ace/mode-csharp.js
+graphite/webapp/content/js/ace/mode-css.js
+graphite/webapp/content/js/ace/mode-groovy.js
+graphite/webapp/content/js/ace/mode-html.js
+graphite/webapp/content/js/ace/mode-java.js
+graphite/webapp/content/js/ace/mode-javascript.js
+graphite/webapp/content/js/ace/mode-json.js
+graphite/webapp/content/js/ace/theme-textmate.js
+graphite/webapp/content/js/ace/worker-javascript.js
 graphite/webapp/content/js/browser.js
 graphite/webapp/content/js/cli.js
 graphite/webapp/content/js/completer.js
@@ -797,6 +813,7 @@
 @dirrm graphite/webapp/content/js/ext/adapter/ext
 @dirrm graphite/webapp/content/js/ext/adapter
 @dirrm graphite/webapp/content/js/ext
+@dirrm graphite/webapp/content/js/ace
 @dirrm graphite/webapp/content/js
 @dirrm graphite/webapp/content/img
 @dirrm graphite/webapp/content/html
--- py27-graphite-web-0.9.11.patch ends here ---

--- vuln.xml.patch begins here ---
Index: vuln.xml
===================================================================
--- vuln.xml	(revision 325081)
+++ vuln.xml	(working copy)
@@ -51,6 +51,50 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="e1f99d59-81aa-4662-bf62-c1076f5016c8">
+    <topic>py-graphite-web -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py26-graphite-web</name>
+	<range><lt>0.9.11</lt></range>
+      </package>
+      <package>
+	<name>py27-graphite-web</name>
+	<range><lt>0.9.11</lt></range>
+      </package>
+      <package>
+	<name>py31-graphite-web</name>
+	<range><lt>0.9.11</lt></range>
+      </package>
+      <package>
+	<name>py32-graphite-web</name>
+	<range><lt>0.9.11</lt></range>
+      </package>
+      <package>
+	<name>py33-graphite-web</name>
+	<range><lt>0.9.11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Graphite developers report:</p>
+	<blockquote cite="http://graphite.readthedocs.org/en/0.9.11/releases/0_9_11.html">;
+	  <p>This release contains several security fixes for cross-site
+	     scripting (XSS) as well as a fix for a remote-execution exploit in
+	     graphite-web (CVE-2013-5903).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-5093</cvename>
+      <url>https://github.com/rapid7/metasploit-framework/pull/2260</url>;
+    </references>
+    <dates>
+      <discovery>2013-08-21</discovery>
+      <entry>2013-08-21</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4d087b35-0990-11e3-a9f4-bcaec565249c">
     <topic>gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav</topic>
     <affects>
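Review bot: The CVE identifier is inconsistent inside the new entry: the quoted release note says `CVE-2013-5903` while `<cvename>` says `CVE-2013-5093`, and anything that matches on `<cvename>` is only right if that value is. Check the id against the CVE record; if the transposition is in the upstream text, keep the quote verbatim and leave `<cvename>` as the verified value. The only `<url>` reference is a pull request for an exploit module, so I would also list the advisory source already cited in the blockquote, `<url>http://graphite.readthedocs.org/en/0.9.11/releases/0_9_11.html</url>`. The `<affects>` list also names py31/py32/py33 packages although the port Makefile sets `USE_PYTHON= -2.7`, which looks harmless but may not correspond to packages that exist.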
--- vuln.xml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


