On 2017/11/22 11:47, Klemens Nanni wrote:
> On Wed, Nov 15, 2017 at 05:14:11PM +0100, Klemens Nanni wrote:
> > This is a security update[0] fixing a data leak:
> > 
> >     A wrong if statement in the varnishd source code means that
> >     synthetic objects in stevedores which over-allocate, may leak up
> >     to page size of data from a malloc(3) memory allocation.
> > 
> >     In an unpredictable percentage of the cases where this condition
> >     arises, a segmentation fault will happen instead.
> > 
> > Tests continue to pass:
> > 
> >     # TOTAL: 636
> >     # PASS:  630
> >     # SKIP:  5
> >     # XFAIL: 0
> >     # FAIL:  1
> >     # XPASS: 0
> >     # ERROR: 0
> > 
> >     FAIL tests/u00000.vtc (exit status: 2)
> > 
> > Removed TEST_TARGET=check as it's default. I also replaced cp with
> > ${INSTALL_DATA} post-install and pointed users to 5.2 docs.
> > 
> > Since Varnish compiles .vsc files to C using python with 2.7 specific
> > code (import StringIO), I added lang/python and explicitly set
> > MODPY_VERSION=2.7.
> > 
> > Feedback? Does anyone want to commit this?
> > 
> > 0: https://varnish-cache.org/releases/rel5.2.1.html#rel5-2-1
> > 
> > diff --git a/www/varnish/Makefile b/www/varnish/Makefile
> > index b0fa5029ab4..5cf58670364 100644
> > --- a/www/varnish/Makefile
> > +++ b/www/varnish/Makefile
> > @@ -2,7 +2,7 @@
> >  
> >  COMMENT =          high-performance HTTP accelerator
> >  
> > -DISTNAME =         varnish-5.2.0
> > +DISTNAME =         varnish-5.2.1
> >  
> >  CATEGORIES =               www
> >  
> > @@ -16,12 +16,16 @@ MAINTAINER =            Jim Razmus II 
> > <j...@openbsd.org> \
> >  # BSD
> >  PERMIT_PACKAGE_CDROM =     Yes
> >  
> > -MASTER_SITES =          https://varnish-cache.org/_downloads/
> > +MASTER_SITES =          ${HOMEPAGE}_downloads/

We stopped doing that, it's annoying if you want to copy the URL from
Makefile and open it in a browser.

> >  EXTRACT_SUFX =             .tgz
> >  
> >  WANTLIB += c execinfo m ncursesw pcre pthread readline termcap
> >  
> > +MODULES =          lang/python
> > +
> > +MODPY_VERSION =            2.7
> > +
> >  BUILD_DEPENDS =            ${MODGNU_AUTOCONF_DEPENDS} \
> >                     ${MODGNU_AUTOMAKE_DEPENDS} \
> >                     devel/libtool \
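
Review bot: The added MODULES = lang/python and MODPY_VERSION = 2.7 lines carry no comment saying why the port is pinned to Python 2.7. The reason (the .vsc generator uses "import StringIO") is given only in the mail, so put a one-line comment above MODPY_VERSION so the pin can be dropped once upstream no longer needs it. The matching MODPY_RUNDEP = No is in the next hunk, separated from these two lines; keeping the three MODPY settings together would make it obvious that Python is a build-time-only dependency.
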
> > @@ -30,6 +34,8 @@ LIB_DEPENDS =             devel/pcre
> >  # The internal backtrace implementation fails to build with -Werror on 
> > arm/hppa
> >  LIB_DEPENDS +=             devel/libexecinfo
> >  
> > +MODPY_RUNDEP =             No
> > +
> >  WRKDIST =          ${WRKDIR}/${DISTNAME}
> >  USE_GMAKE =                Yes
> >  CONFIGURE_STYLE =  gnu
> > @@ -38,7 +44,7 @@ AUTOMAKE_VERSION =        1.15
> >  CONFIGURE_ENV =            CPPFLAGS="-I${LOCALBASE}/include" \
> >                     LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
> >  
> > -TEST_TARGET =              check
> > +MODPY_ADJ_FILES =  lib/lib*/*.py
> >  
> >  post-patch:
> >     cd ${WRKSRC} && env AUTOCONF_VERSION=${AUTOCONF_VERSION} \
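
Review bot: The "-TEST_TARGET = check" and "+MODPY_ADJ_FILES = lib/lib*/*.py" lines are two unrelated changes that the diff shows as a single replacement, which makes this hunk easy to misread. Drop the TEST_TARGET cleanup from the security update, or send it separately. The glob in MODPY_ADJ_FILES should also be checked against the 5.2.1 tree so that it covers exactly the scripts run during the build and nothing else.
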
> > @@ -47,7 +53,7 @@ post-patch:
> >  post-install:
> >     ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/varnish
> >     ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/varnish
> > -   cp ${WRKDIST}${SYSCONFDIR}/{example,builtin}.vcl \
> > +   ${INSTALL_DATA} ${WRKDIST}${SYSCONFDIR}/{example,builtin}.vcl \
> >         ${PREFIX}/share/examples/varnish
> >     rm -f ${PREFIX}/lib/varnish/{vmods,}/*.{a,la}
> >  
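
Review bot: Replacing cp with ${INSTALL_DATA} in post-install is a cleanup that has nothing to do with the 5.2.1 fix, and it changes how the two example .vcl files are installed. Leave the line as it was in this update and send the change as a separate diff, so the security bump stays a minimal version and checksum change.
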
> > diff --git a/www/varnish/distinfo b/www/varnish/distinfo
> > index f7dc351f783..cdba07a9889 100644
> > --- a/www/varnish/distinfo
> > +++ b/www/varnish/distinfo
> > @@ -1,2 +1,2 @@
> > -SHA256 (varnish-5.2.0.tgz) = zEgmoEgPSSaNOZYwnkt+RlFR6aUjzPjq1JnsV1FJ9H4=
> > -SIZE (varnish-5.2.0.tgz) = 2828867
> > +SHA256 (varnish-5.2.1.tgz) = uEUsnXjBb3jIz9HBoeaWUjv2S3chwzAVDcwIUkWQFLM=
> > +SIZE (varnish-5.2.1.tgz) = 2827676
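
Review bot: The new SHA256 and SIZE for varnish-5.2.1.tgz are the only integrity check on the tarball, and the mail does not say they were compared against a value published by upstream. Before commit, compare the hash of the fetched file with the one upstream publishes for 5.2.1 instead of relying only on regenerated distinfo values, and state in the submission that this was done.
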
> > diff --git a/www/varnish/pkg/MESSAGE b/www/varnish/pkg/MESSAGE
> > index 5f50b1bbf2a..ce02efaef87 100644
> > --- a/www/varnish/pkg/MESSAGE
> > +++ b/www/varnish/pkg/MESSAGE
> > @@ -5,4 +5,4 @@ or the following link for more information:
> >  
> >  and for further information:
> >  
> > -   https://www.varnish-cache.org/docs/5.0/
> > +   https://www.varnish-cache.org/docs/5.2/
> > 

MESSAGE doesn't really add anything. Better to just remove it IMHO.

> One week bump, neither of the two maintainers have replied so far.
> 
> I can take care of the python 2.7 bits in another diff so the next
> revision/release won't depend on 2.7 anymore.

A word of advice: if you're trying to get what looks like it might be
a relatively simple security update in quickly, don't make any
unnecessary Makefile changes on top.
