git: 887cfadcdf5e - main - devel/maven: update to 3.8.1

Kevin Bowling kevin.bowling at kev009.com
Mon Apr 19 18:07:08 UTC 2021 

https://reviews.freebsd.org/D29841

On Mon, Apr 19, 2021 at 1:05 AM Mathieu Arnold <mat at freebsd.org> wrote:
>
> On Mon, Apr 19, 2021 at 09:31:53AM +0200, Baptiste Daroussin wrote:
> > On Mon, Apr 19, 2021 at 12:29:58AM -0700, Kevin Bowling wrote:
> > > On Mon, Apr 19, 2021 at 12:23 AM Baptiste Daroussin <bapt at freebsd.org> wrote:
> > > >
> > > > On Mon, Apr 19, 2021 at 04:11:41AM +0000, Kevin Bowling wrote:
> > > > > The branch main has been updated by kbowling:
> > > > >
> > > > > URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> > > > >
> > > > > commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
> > > > > Author:     Kevin Bowling <kbowling at FreeBSD.org>
> > > > > AuthorDate: 2021-04-19 04:05:30 +0000
> > > > > Commit:     Kevin Bowling <kbowling at FreeBSD.org>
> > > > > CommitDate: 2021-04-19 04:11:34 +0000
> > > > >
> > > > >     devel/maven: update to 3.8.1
> > > > >
> > > > >     This is not just a bugfix as it contains three features that cause a change of
> > > > >     default behavior (external HTTP insecure URLs are now blocked by default): your
> > > > >     builds may fail when using this new Maven release, if you use now blocked
> > > > >     repositories. Please check and eventually fix before upgrading.
> > > > >
> > > > >     Changes http://maven.apache.org/docs/3.8.1/release-notes.html
> > > > >
> > > > >     PR:             255161
> > > > >     Approved by:    Jonathan Chen <jonc at chen.org.nz> (maintainer)
> > > > >     Security:       CVE-2021-26291
> > > > >                     CVE-2020-13956
> > > > > ---
> > > > >  devel/maven/Makefile    |  2 +-
> > > > >  devel/maven/distinfo    |  6 ++---
> > > > >  devel/maven/pkg-plist   | 18 ++++++-------
> > > > >  security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > >  4 files changed, 80 insertions(+), 13 deletions(-)
> > > >
> > > > You are not supposed to commit the vuxml entry with that actual port (as
> > > > explained in the porter handbook), The reason for that is fairly simple, vuxml
> > > > entries are not merged back to quarterly branches, so now merging this to the
> > > > quarterly branch (which is what we are supposed to do for CVE in particular)
> > > > will result in a conflict on vuxml instead of a simple straight forward
> > > > cherry-pick
> > >
> > > Ok.  Would you like me to handle the MFH to drop that part of the change?
> >
> > Would be nice yes
> >
> > Thank you very much!
> >
> > Note there used to be a hook to prevent that seems like it has been lost in the
> > git transition.
>
> The hook is ready, just waiting for deployement.
>
> --
> Mathieu Arnold

More information about the dev-commits-ports-all mailing list