git: 887cfadcdf5e - main - devel/maven: update to 3.8.1

Mathieu Arnold mat at freebsd.org
Mon Apr 19 08:05:46 UTC 2021 

On Mon, Apr 19, 2021 at 09:31:53AM +0200, Baptiste Daroussin wrote:
> On Mon, Apr 19, 2021 at 12:29:58AM -0700, Kevin Bowling wrote:
> > On Mon, Apr 19, 2021 at 12:23 AM Baptiste Daroussin <bapt at freebsd.org> wrote:
> > >
> > > On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote:
> > > > The branch main has been updated by kbowling:
> > > >
> > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> > > >
> > > > commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> > > > Author:     Kevin Bowling <kbowling at FreeBSD.org>
> > > > AuthorDate: 2021-04-19 04:05:30 +0000
> > > > Commit:     Kevin Bowling <kbowling at FreeBSD.org>
> > > > CommitDate: 2021-04-19 04:11:34 +0000
> > > >
> > > >     devel/maven: update to 3.8.1
> > > >
> > > >     This is not just a bugfix as it contains three features that cause a change of
> > > >     default behavior (external HTTP insecure URLs are now blocked by default): your
> > > >     builds may fail when using this new Maven release, if you use now blocked
> > > >     repositories. Please check and eventually fix before upgrading.
> > > >
> > > >     Changes http://maven.apache.org/docs/3.8.1/release-notes.html
> > > >
> > > >     PR:             255161
> > > >     Approved by:    Jonathan Chen <jonc at chen.org.nz> (maintainer)
> > > >     Security:       CVE-2021-26291
> > > >                     CVE-2020-13956
> > > > ---
> > > >  devel/maven/Makefile    |  2 +-
> > > >  devel/maven/distinfo    |  6 ++---
> > > >  devel/maven/pkg-plist   | 18 ++++++-------
> > > >  security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  4 files changed, 80 insertions(+), 13 deletions(-)
> > >
> > > You are not supposed to commit the vuxml entry with that actual port (as
> > > explained in the porter handbook), The reason for that is fairly simple, vuxml
> > > entries are not merged back to quarterly branches, so now merging this to the
> > > quarterly branch (which is what we are supposed to do for CVE in particular)
> > > will result in a conflict on vuxml instead of a simple straight forward
> > > cherry-pick
> > 
> > Ok.  Would you like me to handle the MFH to drop that part of the change?
> 
> Would be nice yes
> 
> Thank you very much!
> 
> Note there used to be a hook to prevent that seems like it has been lost in the
> git transition.

The hook is ready, just waiting for deployement.

-- 
Mathieu Arnold
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/dev-commits-ports-all/attachments/20210419/5f7f1410/attachment.sig>

More information about the dev-commits-ports-all mailing list