Date: Mon, 19 Apr 2021 11:06:55 -0700 From: Kevin Bowling <kevin.bowling@kev009.com> To: Mathieu Arnold <mat@freebsd.org> Cc: Baptiste Daroussin <bapt@freebsd.org>, Kevin Bowling <kbowling@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1 Message-ID: <CAK7dMtBPU_DYmO7zOJVU8nUEUaDndVdKmqskk-RaoiLaZ1vt8g@mail.gmail.com> In-Reply-To: <20210419080542.5dl2j76hwiu2lb35@aching.in.mat.cc> References: <202104190411.13J4BfrC096512@gitrepo.freebsd.org> <20210419072338.ixoex7jzy42zkfqm@aniel.nours.eu> <CAK7dMtD85eK45H41_2YYHTqT2kpYRfYj6Lp8f3HRkEBaLQeyEA@mail.gmail.com> <20210419073153.zdqcpyw5kqs2qcbo@aniel.nours.eu> <20210419080542.5dl2j76hwiu2lb35@aching.in.mat.cc>
next in thread | previous in thread | raw e-mail | index | archive | help
https://reviews.freebsd.org/D29841 On Mon, Apr 19, 2021 at 1:05 AM Mathieu Arnold <mat@freebsd.org> wrote: > > On Mon, Apr 19, 2021 at 09:31:53AM +0200, Baptiste Daroussin wrote: > > On Mon, Apr 19, 2021 at 12:29:58AM -0700, Kevin Bowling wrote: > > > On Mon, Apr 19, 2021 at 12:23 AM Baptiste Daroussin <bapt@freebsd.org> wrote: > > > > > > > > On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote: > > > > > The branch main has been updated by kbowling: > > > > > > > > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 > > > > > > > > > > commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 > > > > > Author: Kevin Bowling <kbowling@FreeBSD.org> > > > > > AuthorDate: 2021-04-19 04:05:30 +0000 > > > > > Commit: Kevin Bowling <kbowling@FreeBSD.org> > > > > > CommitDate: 2021-04-19 04:11:34 +0000 > > > > > > > > > > devel/maven: update to 3.8.1 > > > > > > > > > > This is not just a bugfix as it contains three features that cause a change of > > > > > default behavior (external HTTP insecure URLs are now blocked by default): your > > > > > builds may fail when using this new Maven release, if you use now blocked > > > > > repositories. Please check and eventually fix before upgrading. > > > > > > > > > > Changes http://maven.apache.org/docs/3.8.1/release-notes.html > > > > > > > > > > PR: 255161 > > > > > Approved by: Jonathan Chen <jonc@chen.org.nz> (maintainer) > > > > > Security: CVE-2021-26291 > > > > > CVE-2020-13956 > > > > > --- > > > > > devel/maven/Makefile | 2 +- > > > > > devel/maven/distinfo | 6 ++--- > > > > > devel/maven/pkg-plist | 18 ++++++------- > > > > > security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ > > > > > 4 files changed, 80 insertions(+), 13 deletions(-) > > > > > > > > You are not supposed to commit the vuxml entry with that actual port (as > > > > explained in the porter handbook), The reason for that is fairly simple, vuxml > > > > entries are not merged back to quarterly branches, so now merging this to the > > > > quarterly branch (which is what we are supposed to do for CVE in particular) > > > > will result in a conflict on vuxml instead of a simple straight forward > > > > cherry-pick > > > > > > Ok. Would you like me to handle the MFH to drop that part of the change? > > > > Would be nice yes > > > > Thank you very much! > > > > Note there used to be a hook to prevent that seems like it has been lost in the > > git transition. > > The hook is ready, just waiting for deployement. > > -- > Mathieu Arnold
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAK7dMtBPU_DYmO7zOJVU8nUEUaDndVdKmqskk-RaoiLaZ1vt8g>