Bug 650632

Summary: app-misc/mosquitto-1.4.15 version bump (fixes CVE?)
Product: Gentoo Linux
Reporter: Neil Bothwick <neil>
Component: Current packages
Assignee: Rage <oxr463> <ramage.lucas>
Status: RESOLVED FIXED
Severity: major
CC: jstein, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/8003
https://bugs.gentoo.org/show_bug.cgi?id=653238
https://github.com/gentoo/gentoo/pull/8027
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: app-misc-mosquitto-1.4.5.ebuild
New conditional tests patch

Description Neil Bothwick 2018-03-16 10:17:19 UTC
Created attachment 524140 [details]
app-misc-mosquitto-1.4.5.ebuild

I had left this a while for the new proxy maintainer to handle, but as it fixes a couple of CVEs I don't want to leave it any longer. Here is a new ebuild and patch file for the new release.
Comment 1 Neil Bothwick 2018-03-16 10:17:57 UTC
Created attachment 524142 [details, diff]
New conditional tests patch
Comment 2 Jonas Stein gentoo-dev 2018-03-18 14:33:21 UTC
Thank you. Please add a note stating which CVEs are fixed by this contribution. I could not see any open CVE ticket.
Comment 3 Neil Bothwick 2018-03-18 17:17:26 UTC
According to the changelog, it's CVE-2017-7652.
Comment 4 Rage <oxr463> 2018-04-14 18:20:42 UTC
I apologize for the delay. I pushed v1.4.15 on March 4th, but I was not aware of this bug until yesterday. I will add your changes to mosquitto-1.4.15-r1.ebuild
Comment 5 Larry the Git Cow gentoo-dev 2018-04-14 21:04:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45182783da2fdcb0d34bfeb72a4f9e619254234a

commit 45182783da2fdcb0d34bfeb72a4f9e619254234a
Author:     lramage94 <ramage.lucas@openmailbox.org>
AuthorDate: 2018-04-14 19:13:20 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-14 21:03:37 +0000

    app-misc/mosquitto: add patch against CVE-2017-7652.
    
    Bug: https://bugs.gentoo.org/650632
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/8003

 .../mosquitto-1.4.15-r1-conditional-tests.patch    |  12 +++
 app-misc/mosquitto/mosquitto-1.4.15-r1.ebuild      | 100 +++++++++++++++++++++
 2 files changed, 112 insertions(+)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-15 23:40:54 UTC
"conditional tests patch" has _nothing_ to do with CVE-2017-7652 in the first place.
Comment 7 Neil Bothwick 2018-04-16 06:48:49 UTC
That's right, it was the version bump to 1.4.15 as per my original post. The conditional tests patch is a new version because the old version didn't apply to 1.4.15, that's why I posted a new one along with the ebuild. The in-tree ebuild fails on the patch.
Comment 8 Rage <oxr463> 2018-04-16 13:25:51 UTC
(In reply to Neil Bothwick from comment #7)
> That's right, it was the version bump to 1.4.15 as per my original post. The
> conditional tests patch is a new version because the old version didn't
> apply to 1.4.15, that's why I posted a new one along with the ebuild. The
> in-tree ebuild fails on the patch.

How should I proceed with this? Do we need the patch at all?
Comment 9 Neil Bothwick 2018-04-16 13:49:57 UTC
Yes. I created the patch when I was originally preparing the ebuild in order to proxy maintain it, as suggested by wraeth. Without it some tests may fail under certain USE situations. The patch attached to this bug, and for that matter the whole ebuild, works and fulfils the various suggestions made by wraeth, some of which have been undone in the new ebuild.
Comment 10 Rage <oxr463> 2018-04-16 15:08:40 UTC
(In reply to Neil Bothwick from comment #9)
> Yes. I created the patch when I was originally preparing the ebuild in order
> to proxy maintain it, as suggested by wraeth. Without it some tests may fail
> under certain USE situations. The patch attached to this bug, and for that
> matter the whole ebuild, works and fulfils the various suggestions made by
> wraeth, some of which have been undone in the new ebuild.

Would you like to co-maintain this package with me? I was working with mgorny to update this package and most of the changes were because of QA issues he found.

https://github.com/gentoo/gentoo/pull/7362

Here is the new pull request with some changes that I need to make before resolving this bug

https://github.com/gentoo/gentoo/pull/8027

I hope we can work together!
Comment 11 Neil Bothwick 2018-04-17 06:42:15 UTC
That's interesting because those changes undid changes I was asked to make for QA, it seems the rules have changed. Co-maintaining makes sense.

I see you have dropped the conditional tests patch entirely, if we use the one attached to this bug it applies fine with 1.4.15.
Comment 12 Larry the Git Cow gentoo-dev 2018-04-30 01:26:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a10e73daa7b72d562e006beb77817712dbb606e5

commit a10e73daa7b72d562e006beb77817712dbb606e5
Author:     Lucas Ramage <ramage.lucas@openmailbox.org>
AuthorDate: 2018-04-26 17:19:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-04-30 01:26:19 +0000

    app-misc/mosquitto: fix conditional tests for v1.4.15
    
    Closes: https://bugs.gentoo.org/650632
    Closes: https://bugs.gentoo.org/653238
    Closes: https://github.com/gentoo/gentoo/pull/8027
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 .../files/mosquitto-1.4.15-conditional-tests.patch |  12 +++
 app-misc/mosquitto/mosquitto-1.4.15-r2.ebuild      | 102 +++++++++++++++++++++
 2 files changed, 114 insertions(+)