Date: Mon, 19 Apr 2021 09:23:38 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Kevin Bowling <kbowling@FreeBSD.org>
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1
Message-ID: <20210419072338.ixoex7jzy42zkfqm@aniel.nours.eu>
In-Reply-To: <202104190411.13J4BfrC096512@gitrepo.freebsd.org>
References: <202104190411.13J4BfrC096512@gitrepo.freebsd.org>

On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote:
> The branch main has been updated by kbowling:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
>
> commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> Author:     Kevin Bowling <kbowling@FreeBSD.org>
> AuthorDate: 2021-04-19 04:05:30 +0000
> Commit:     Kevin Bowling <kbowling@FreeBSD.org>
> CommitDate: 2021-04-19 04:11:34 +0000
>
>     devel/maven: update to 3.8.1
>
>     This is not just a bugfix as it contains three features that cause a change of
>     default behavior (external HTTP insecure URLs are now blocked by default): your
>     builds may fail when using this new Maven release, if you use now blocked
>     repositories. Please check and eventually fix before upgrading.
>
>     Changes http://maven.apache.org/docs/3.8.1/release-notes.html
>
>     PR:             255161
>     Approved by:    Jonathan Chen <jonc@chen.org.nz> (maintainer)
>     Security:       CVE-2021-26291
>                     CVE-2020-13956
> ---
>  devel/maven/Makefile    |  2 +-
>  devel/maven/distinfo    |  6 ++---
>  devel/maven/pkg-plist   | 18 ++++++-------
>  security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 80 insertions(+), 13 deletions(-)

You are not supposed to commit the vuxml entry with the actual port (as
explained in the porter handbook).

The reason for that is fairly simple: vuxml entries are not merged back to
quarterly branches, so now merging this to the quarterly branch (which is what
we are supposed to do for CVE in particular) will result in a conflict on vuxml
instead of a simple straightforward cherry-pick.

Best regards,
Bapt