Not sure why the title got changed so I fixed it.
Thank you for the explanation on when to use, and how to update, quirks.
I will keep this in mind for future submissions if applicable.
What is the logic in not updating this for -stable too? Because they
constantly update for security issues and this is not convenient?
Security is not always convenient. Or am I somehow confused by the goals
of the OpenBSD project?
Edward Lopez-Acosta
On 12/17/18 5:43 PM, Stuart Henderson wrote:
Bringing ports@ to CC
On 2018/12/17 16:54, Ian Darwin wrote:
Hi Stuart. Do all updates that have CVEs associated have to go into "my $cve"
in quirks/Quirks.pm?
That is the intention (I'd go for listing any known security fixes whether
or not there's a CVE number for it).
The format appears to be to list the "bad" values, so would this be for
example:
devel/jenkins/stable < 2.150.1
I think it would look like the diff below but ideally it should be
tested to make sure that it does whine when you try to install a "bad"
version (i.e. the ones for both jenkins/devel and jenkins/stable
branches in current snapshots) and doesn't whine when you try
to install a new version (by pointing pkg_add at locally built
packages and adding).
doas env PKG_PATH= TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all pkg_add jenkins%devel
and same for ...jenkins%stable
For 6.4-stable it should probably stay on the 2.138.x branch rather than
jumping to the new 2.150.x.
(from the look of the changelog, pretty much all jenkins updates include
security fixes..)
Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.670
diff -u -p -r1.670 Makefile
--- Makefile 17 Dec 2018 01:10:00 -0000 1.670
+++ Makefile 17 Dec 2018 23:33:38 -0000
@@ -5,7 +5,7 @@ CATEGORIES = devel databases
DISTFILES =
# API.rev
-PKGNAME = quirks-3.63
+PKGNAME = quirks-3.64
PKG_ARCH = *
MAINTAINER = Marc Espie <es...@openbsd.org>
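Review bot: the PKGNAME bump to quirks-3.64 is the right companion to the Quirks.pm change below; without it an already-installed quirks-3.63 would not be replaced on upgrade and the new jenkins entries would never be consulted.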
Index: files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.684
diff -u -p -r1.684 Quirks.pm
--- files/Quirks.pm 17 Dec 2018 01:10:00 -0000 1.684
+++ files/Quirks.pm 17 Dec 2018 23:33:38 -0000
@@ -1235,6 +1235,8 @@ my $cve = {
'devel/git,-main' => 'git-<2.19.1',
'devel/git,-svn' => 'git-svn-<2.19.1',
'devel/git,-x11' => 'git-x11-<2.19.1',
+ 'devel/jenkins/devel' => 'jenkins-<2.154',
+ 'devel/jenkins/stable' => 'jenkins-<2.150.1',
'devel/libgit2/libgit2' => 'libgit2-<0.27.7',
'devel/mercurial,-main' => 'mercurial-<4.5.3p1',
'devel/mercurial,-x11' => 'mercurial-x11-<4.5.3p1',
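Review bot: both added entries use the bare stem `jenkins`, so they only fire if the packages built from devel/jenkins/devel and devel/jenkins/stable are really named `jenkins-<version>`; the pkg_add run against locally built packages described above is what confirms that, and its outcome should accompany the diff. Note also that `'devel/jenkins/stable' => 'jenkins-<2.150.1'` flags 2.138.4, which the advisory quoted below lists as a fixed LTS version; that is fine for -current, which moves to 2.150.1, but a 6.4-stable that stays on 2.138.x would need a different threshold.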
Thx
Ian
----- Forwarded message from Edward Lopez-Acosta <elopezaco...@gmail.com> -----
Date: Mon, 17 Dec 2018 21:25:05 +0000
From: Edward Lopez-Acosta <elopezaco...@gmail.com>
To: i...@openbsd.org
Subject: Re: SECURITY UPDATE: devel/jenkins-2.150.1/2.155 (fixes multiple CVEs)
Hi Ian,
Just following up on this due to the critical issue fixed. Does quirks need
to be updated, or is this change good to go?
Thank you
On December 14, 2018 11:47:06 PM UTC, Ian Darwin <i...@darwinsys.com> wrote:
On Fri, Dec 14, 2018 at 04:41:53PM -0600, Edward Lopez-Acosta wrote:
Version update for multiple security issues including one marked as
critical.
I was not sure how to update quirks so that is not included in this diff.
If someone is willing to teach me what to do I can add that in, or review
changes to quirks after this is merged.
Why do you think it needs quirks?
Builds, installs, and runs fine on amd64. No special upgrade steps when
upgrading from 2.138.3 currently in the tree.
- MAINTAINER CC'ed
- No tests present
- No change to required libs or current PLIST
- Nothing relies on this
- Self tested some projects and did not run into issues
- Diff applies fine with `patch`
CHANGELOG:
https://jenkins.io/changelog-stable/
https://jenkins.io/security/advisory/2018-12-05/
Severity
SECURITY-595: critical
SECURITY-904: medium
SECURITY-1072: medium
SECURITY-1193: medium
Affected Versions
Jenkins weekly up to and including 2.153
Jenkins LTS up to and including 2.138.3
Fix
Jenkins weekly should be updated to version 2.154
Jenkins LTS should be updated to version either 2.138.4 or 2.150.1
--
Edward Lopez-Acosta
diff --git devel/Makefile devel/Makefile
index 26817c51381..03fb8174712 100644
--- devel/Makefile
+++ devel/Makefile
@@ -1,6 +1,6 @@
# $OpenBSD: Makefile,v 1.31 2018/11/29 14:10:10 rsadowski Exp $
-VERSION = 2.152
+VERSION = 2.155
MASTER_SITES = http://mirrors.jenkins-ci.org/war/${VERSION}/
DIST_SUBDIR = jenkins-devel
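Review bot: VERSION moves to 2.155 while the advisory quoted above gives 2.154 as the first fixed weekly release; the commit message should say why the later weekly is taken (presumably simply the newest available at the time). The CHANGELOG link given is https://jenkins.io/changelog-stable/, which covers the LTS line, not the weekly line this directory tracks, so a pointer to the weekly changelog would document this hunk properly.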
diff --git devel/distinfo devel/distinfo
index e5c0c28e049..a8b70855619 100644
--- devel/distinfo
+++ devel/distinfo
@@ -1,2 +1,2 @@
-SHA256 (jenkins/2.152/jenkins.war) =
jde/3OIrMtlBsnJ5qFeVQoGxfJu4d02G6H6c1A4UQMM=
-SIZE (jenkins/2.152/jenkins.war) = 75939426
+SHA256 (jenkins/2.155/jenkins.war) =
A0xtY7Vb+TjF0btTJ3XZqhj7NL1lqtTj6WgyWXi+hrg=
+SIZE (jenkins/2.155/jenkins.war) = 76037370
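Review bot: the SHA256 entries appear here as two lines each (`+SHA256 (jenkins/2.155/jenkins.war) =` followed by the digest on its own line); distinfo needs key and value on one line, so anyone applying this from the mail body has to rejoin them or use the attached diff. Since the submitter reports that the diff applies cleanly with `patch`, this is most likely mail-client wrapping rather than the file content; the same applies to the stable/distinfo hunk below.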
diff --git stable/Makefile stable/Makefile
index db693c9e5dd..ba2cdfff6fa 100644
--- stable/Makefile
+++ stable/Makefile
@@ -1,6 +1,6 @@
# $OpenBSD: Makefile,v 1.30 2018/11/29 14:07:02 rsadowski Exp $
-VERSION = 2.138.3
+VERSION = 2.150.1
MASTER_SITES = http://mirrors.jenkins-ci.org/war-stable/${VERSION}/
DIST_SUBDIR = jenkins-stable
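Review bot: this moves the stable port from the 2.138.x LTS line to 2.150.1, i.e. onto a new LTS baseline rather than to the 2.138.4 fix the advisory also lists. That is fine for -current, but as noted earlier in the thread a 6.4-stable update should stay on 2.138.x, so this hunk should not be applied as-is to the stable branch. MASTER_SITES is derived from `${VERSION}`, so nothing else in this file needs to change.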
diff --git stable/distinfo stable/distinfo
index dc95ebe1334..77a061aea34 100644
--- stable/distinfo
+++ stable/distinfo
@@ -1,2 +1,2 @@
-SHA256 (jenkins/2.138.3/jenkins.war) =
lT5N2i0wZShMABaz6CeeCX+DDBKLH3EthHgP8rB1Hn0=
-SIZE (jenkins/2.138.3/jenkins.war) = 75733340
+SHA256 (jenkins/2.150.1/jenkins.war) =
ejhYbVo6GoNJiAmoNxVyi7LwG1in3TqINm8Hbv2vZmk=
+SIZE (jenkins/2.150.1/jenkins.war) = 75938045
----- End forwarded message -----
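As an added illustration (not code from the thread and not OpenBSD's own Perl quirks/pkg_add code), the following Python models the check that a `$cve` entry drives: a pkgspec such as `jenkins-<2.150.1` is matched against an installed package name, and a match means the installed version is a known-bad one. The version ordering is a simplified assumption (dotted numeric parts plus a `pN` patch level only), and the spec table is taken from the Quirks.pm hunk above; it shows, among other things, why the proposed stable entry would flag a 2.138.4 package.

```python
import re

# Entries shaped like the quirks $cve hash in the thread (pkgpath => "stem-<first-fixed-version").
# The jenkins lines are the two the diff proposes; mercurial is a neighbour from the same hunk.
CVE_SPECS = {
    'devel/jenkins/devel': 'jenkins-<2.154',
    'devel/jenkins/stable': 'jenkins-<2.150.1',
    'devel/mercurial,-main': 'mercurial-<4.5.3p1',
}

def parse_version(v):
    """'2.150.1p3' -> ((2, 150, 1), 3): dotted numeric parts, then the pN patch level (p0 when
    absent). Simplified model of OpenBSD version ordering; epochs and rc/beta tags are not handled."""
    m = re.fullmatch(r'(\d+(?:\.\d+)*)(?:p(\d+))?', v)
    if not m:
        raise ValueError(f'unsupported version syntax: {v}')
    return tuple(int(x) for x in m.group(1).split('.')), int(m.group(2) or 0)

def split_pkgname(name):
    """'git-svn-2.19.1' -> ('git-svn', '2.19.1'): the version is the first dash-separated
    component that starts with a digit; anything after it (flavors) is ignored here."""
    parts = name.split('-')
    for i in range(1, len(parts)):
        if parts[i][:1].isdigit():
            return '-'.join(parts[:i]), parts[i]
    raise ValueError(f'no version in package name: {name}')

OPS = {'<': lambda a, b: a < b, '<=': lambda a, b: a <= b, '=': lambda a, b: a == b,
       '>': lambda a, b: a > b, '>=': lambda a, b: a >= b}

def matches_spec(pkgname, spec):
    """True when pkgname satisfies the pkgspec: same stem and every comma-separated
    constraint holds. For a $cve entry a match means the installed version is a known-bad one."""
    stem, ver = split_pkgname(pkgname)
    m = re.fullmatch(r'(.+?)-([<>=].*)', spec)
    if not m or m.group(1) != stem:
        return False
    v = parse_version(ver)
    for c in m.group(2).split(','):
        op, bound = re.fullmatch(r'(<=|>=|<|>|=)(.+)', c).groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True

def flagged_by_quirks(pkgname, pkgpath):
    """The question quirks asks about an installed package: is it a known-bad version for
    its pkgpath? False when the pkgpath has no $cve entry at all."""
    spec = CVE_SPECS.get(pkgpath)
    return spec is not None and matches_spec(pkgname, spec)
```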