midnightbsd / mports

MidnightBSD mports collection. (makefiles for third party software to build)

Home Page: http://www.midnightbsd.org/mports/

License: Other

Languages: Roff 5.80%, Makefile 44.37%, Shell 6.71%, Perl 2.54%, C++ 16.07%, C 20.28%, PLpgSQL 0.05%, CSS 0.04%, JavaScript 0.09%, Awk 0.15%, Python 1.81%, Tcl 0.06%, Ruby 0.26%, M4 0.76%, Yacc 0.03%, Lex 0.09%, Assembly 0.07%, DIGITAL Command Language 0.01%, CMake 0.75%, Lua 0.04%

Topics: ports, midnightbsd

mports's People

Contributors

archite, assassink786, clockwork6400, ctriv, ivmai, kraileth, laffer1, lgtm-migrator, mend-bolt-for-github[bot], saltymouse

mports's Issues

p7zip

p7zip is no longer maintained from the original sourceforge site. A third party has started working on it on github. https://github.com/jinfeihan57/p7zip

Investigate migrating our port over to that release as it fixes multiple security issues and adds a lot of new compression options (zstd, etc.).

If we don't do this and we do get 7-zip ported, just drop the port.

WRKSRC path wrong for some gitlab ports with commit id

Some ports are duplicating the commit id when extracting and it's causing some issues.

Figure out why this is happening and fix.

e.g. projname-ad08ad08f-ad08ad08f rather than projname-ad08ad08f

The bigger problem is that the later steps only expect the latter so builds fail.

CVE-2021-33503 (High) detected in urllib3-1.23-py2.py3-none-any.whl

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: mports/devel/py-blinker/files/patch

Path to vulnerable library:

  • /devel/py-blinker/files/patch
  • /lang/python27/files/patch
  • /databases/py-sqlite3/files
  • /databases/py-hiredis/files/patch
  • /lang/python37/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • /devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /net/py-oauth2/files/patch
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /print/py-reportlab/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /devel/py-coverage/files/patch

Dependency Hierarchy:

  • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

KMODDIR not set right on packages

We're seeing errors with some packages built on magus that have the FAKE prefix path in front of KMODDIR, including open-vm-tools-nox11.

It's defined as /boot/modules in kmod.mk, but it could be getting overridden somewhere. Also check what gets written to the temp plist.

CVE-2020-14343 (High) detected in PyYAML-3.13.tar.gz - autoclosed

CVE-2020-14343 - High Severity Vulnerability

Vulnerable Library - PyYAML-3.13.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz

Path to dependency file: mports/lang/python37/files/patch

Path to vulnerable library:

  • /lang/python37/files/patch
  • /lang/python27/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /devel/py-coverage/files/patch
  • /print/py-reportlab/files/patch
  • /net/py-oauth2/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • mports/devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/py-sqlite3/files
  • /devel/py-blinker/files/patch
  • /databases/py-hiredis/files/patch

Dependency Hierarchy:

  • PyYAML-3.13.tar.gz (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4

CVE-2019-9740 (Medium) detected in urllib3-1.23-py2.py3-none-any.whl - autoclosed

CVE-2019-9740 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: mports/devel/py-blinker/files/patch

Path to vulnerable library:

  • /devel/py-blinker/files/patch
  • /lang/python27/files/patch
  • /databases/py-sqlite3/files
  • /databases/py-hiredis/files/patch
  • /lang/python37/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • /devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /net/py-oauth2/files/patch
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /print/py-reportlab/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /devel/py-coverage/files/patch

Dependency Hierarchy:

  • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution: v2.7.17,v3.5.8,v3.6.9,3.7.4,3.7.5

update avahi

Our avahi port is extremely old. We tend to prefer mdnsresponder due to base system integration, but some things still need this.

Midori browser screen crashes

Getting an error like

libEGL warning: DRI2: failed to authenticate
libEGL warning: MESA-LOADER: failed to open swrast (search paths /usr/local/lib/dri)

Cannot create EGL sharing context: invalid display

MidnightBSD 3.0

Magus indexer support for quarterly branches

Add the possibility of supporting quarterly branches to magus indexer.

It will need to check out a given branch (or figure out the latest quarterly) and create a mports tarball with the checkout and index that.

boost-libs broken on 3.x

Issue seems to be with the ${WRKSRC}/libs/test directory. Removing it allows a build but we're lacking the following files in plist:

	lib/cmake/boost_prg_exec_monitor-1.81.0/boost_prg_exec_monitor-config-version.cmake installed in /usr/local
	lib/cmake/boost_prg_exec_monitor-1.81.0/boost_prg_exec_monitor-config.cmake installed in /usr/local
	lib/cmake/boost_prg_exec_monitor-1.81.0/libboost_prg_exec_monitor-variant-shared.cmake installed in /usr/local
	lib/cmake/boost_prg_exec_monitor-1.81.0/libboost_prg_exec_monitor-variant-static.cmake installed in /usr/local
	lib/cmake/boost_test_exec_monitor-1.81.0/boost_test_exec_monitor-config-version.cmake installed in /usr/local
	lib/cmake/boost_test_exec_monitor-1.81.0/boost_test_exec_monitor-config.cmake installed in /usr/local
	lib/cmake/boost_test_exec_monitor-1.81.0/libboost_test_exec_monitor-variant-shared.cmake installed in /usr/local
	lib/cmake/boost_test_exec_monitor-1.81.0/libboost_test_exec_monitor-variant-static.cmake installed in /usr/local
	lib/cmake/boost_unit_test_framework-1.81.0/boost_unit_test_framework-config-version.cmake installed in /usr/local
	lib/cmake/boost_unit_test_framework-1.81.0/boost_unit_test_framework-config.cmake installed in /usr/local
	lib/cmake/boost_unit_test_framework-1.81.0/libboost_unit_test_framework-variant-shared.cmake installed in /usr/local
	lib/cmake/boost_unit_test_framework-1.81.0/libboost_unit_test_framework-variant-static.cmake installed in /usr/local
	lib/libboost_prg_exec_monitor.a installed in /usr/local
	lib/libboost_prg_exec_monitor.so installed in /usr/local
	lib/libboost_prg_exec_monitor.so.1 installed in /usr/local
	lib/libboost_prg_exec_monitor.so.1.81 installed in /usr/local
	lib/libboost_prg_exec_monitor.so.1.81.0 installed in /usr/local
	lib/libboost_test_exec_monitor.a installed in /usr/local
	lib/libboost_unit_test_framework.a installed in /usr/local
	lib/libboost_unit_test_framework.so installed in /usr/local
	lib/libboost_unit_test_framework.so.1 installed in /usr/local
	lib/libboost_unit_test_framework.so.1.81 installed in /usr/local
	lib/libboost_unit_test_framework.so.1.81.0 installed in /usr/local

Fix the python extension include

Sometimes, when using python ports, the config pops up at each build stage. Debug the problem.

Maybe the extension is getting run more than once? Having trouble writing the options file out?

mlogind startup on fresh install

If X doesn't start up for some reason, mlogind just dies. Investigate the possibility of trying to generate an X config during system install and testing it. If we can't do that, at least warn the user about this situation.

One test scenario is a fresh install of 2.1.1 with an Intel 10th gen GPU, which is not yet supported by the drm/dri code, booted on a UEFI console. It seems to need some extra monitor config, a PCI id and the driver changed to scfb.

options issues

mports has had bugs with options for some time. The files aren't getting written properly in the /var/db/ ... directories when saving ports, and unlike FreeBSD, we don't use the same unique identifier for the name, which causes problems with flavors.

Try to determine the root cause of the mports options issues, particularly with python ports.

magus dist cache bug with multiple sites

download failed: 485/erlang-otp-OTP-21.3.8.20_GH0.tar.gz:otp cp: /usr/magus/distfiles/485/erlang-otp-OTP-21.3.8.20_GH0.tar.gz:otp: No such file or directory

When using multiple dist sites, we need to strip the :otp (or whatever) off.

Update xorg server

We're currently using a very old version of X server and it's preventing bugfixes for the xf86-video-qxl driver.

It's likely this will work with current easily, but we need to test 2.2 also. We have a lot of custom patches to work with 2.2 now.

update cups

Our cups port is old, and newer versions seem to fail to build. Figure out why.

Port 7zip

7-zip is now available in FreeBSD ports and as a Linux port from the official site. Investigate a port.

Looks like a missing call in libc, elf_aux_info, is needed to get it working. Might need to see if we can work around that issue.

CVE-2020-26137 (Medium) detected in urllib3-1.23-py2.py3-none-any.whl - autoclosed

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: mports/devel/py-blinker/files/patch

Path to vulnerable library:

  • /devel/py-blinker/files/patch
  • /lang/python27/files/patch
  • /databases/py-sqlite3/files
  • /databases/py-hiredis/files/patch
  • /lang/python37/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • /devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /net/py-oauth2/files/patch
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /print/py-reportlab/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /devel/py-coverage/files/patch

Dependency Hierarchy:

  • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

firefox port fails to start

On 3.0, getting the following error from libxul.so

Shared object "libvpx.so.6" not found, required by libxul.so

Jetbrains Clion

Jetbrains products seem to use a "console" driver that is a java lib to start terminals on different platforms. It doesn't currently work on MidnightBSD.

Investigate porting it to MidnightBSD and upstreaming the patch. We won't be able to build binaries for the C code in there, but it seems to use FreeBSD 10 libs, which are compatible with MidnightBSD 2.x.

CVE-2019-11324 (High) detected in urllib3-1.23-py2.py3-none-any.whl

CVE-2019-11324 - High Severity Vulnerability

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: mports/devel/py-blinker/files/patch

Path to vulnerable library:

  • /devel/py-blinker/files/patch
  • /lang/python27/files/patch
  • /databases/py-sqlite3/files
  • /databases/py-hiredis/files/patch
  • /lang/python37/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • /devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /net/py-oauth2/files/patch
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /print/py-reportlab/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /devel/py-coverage/files/patch

Dependency Hierarchy:

  • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Publish Date: 2019-04-18

URL: CVE-2019-11324

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324

Release Date: 2019-04-18

Fix Resolution: 1.24.2

Segmentation fault

It looks like I have the same error again. What can I do?

# mport install qt5-webkit
Segmentation fault
# uname -a
MidnightBSD tester2 2.2.7 MidnightBSD 2.2.7 #7 1cccc4496e(stable/2.2)-dirty: Sun Feb 12 16:43:04 EST 2023     root@m2264:/usr/obj/usr/src/sys/GENERIC  amd64
#mport ...
mport 2.2.5 for MidnightBSD 2.2, Bundle Version 5
(Host OS version, not configured)

PORTDATA not working

PORTDATA=foo does not seem to populate foo in the plist.

example port: usbids

CVE-2017-18342 (High) detected in PyYAML-3.13.tar.gz - autoclosed

CVE-2017-18342 - High Severity Vulnerability

Vulnerable Library - PyYAML-3.13.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz

Path to dependency file: mports/lang/python37/files/patch

Path to vulnerable library:

  • /lang/python37/files/patch
  • /lang/python27/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /devel/py-coverage/files/patch
  • /print/py-reportlab/files/patch
  • /net/py-oauth2/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • mports/devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/py-sqlite3/files
  • /devel/py-blinker/files/patch
  • /databases/py-hiredis/files/patch

Dependency Hierarchy:

  • PyYAML-3.13.tar.gz (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

Publish Date: 2018-06-27

URL: CVE-2017-18342

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18342

Release Date: 2018-06-27

Fix Resolution: PyYAML - 5.1

CVE-2020-1747 (High) detected in PyYAML-3.13.tar.gz - autoclosed

CVE-2020-1747 - High Severity Vulnerability

Vulnerable Library - PyYAML-3.13.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz

Path to dependency file: mports/lang/python37/files/patch

Path to vulnerable library:

  • /lang/python37/files/patch
  • /lang/python27/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /devel/py-coverage/files/patch
  • /print/py-reportlab/files/patch
  • /net/py-oauth2/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • mports/devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/py-sqlite3/files
  • /devel/py-blinker/files/patch
  • /databases/py-hiredis/files/patch

Dependency Hierarchy:

  • PyYAML-3.13.tar.gz (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Publish Date: 2020-03-24

URL: CVE-2020-1747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6757-jp84-gxfx

Release Date: 2020-03-24

Fix Resolution: pyyaml - 5.3.1

CVE-2019-11236 (Medium) detected in urllib3-1.23-py2.py3-none-any.whl

CVE-2019-11236 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: mports/devel/py-blinker/files/patch

Path to vulnerable library:

  • /devel/py-blinker/files/patch
  • /lang/python27/files/patch
  • /databases/py-sqlite3/files
  • /databases/py-hiredis/files/patch
  • /lang/python37/files/patch
  • /lang/python27/files/extra-patch
  • /www/moinmoin/files/patch
  • /devel/py-opengrok-tools/files/patch-opengrok-tools_requirements.txt
  • /net/py-oauth2/files/patch
  • /x11-fonts/py-opentype-sanitizer/files/patch
  • /devel/py-nose2/files/patch
  • /databases/rrdtool/files/patch-bindings_python
  • /textproc/py-sphinxcontrib-bitbucket/files/patch
  • /print/py-reportlab/files/patch
  • /textproc/py-sphinxcontrib-adadomain/files/patch
  • /textproc/py-sphinx-autoapi/files/patch
  • /devel/py-coverage/files/patch

Dependency Hierarchy:

  • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: d613120ec27f8b32fc4ca81d7598a071f4823857

Found in base branch: master

Vulnerability Details

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

Publish Date: 2019-04-15

URL: CVE-2019-11236

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236

Release Date: 2019-04-15

Fix Resolution: 1.24.3

Evaluate perl ports that use openssl

Some ports seem to be crashing or having issues since perl is built against the base system openssl and the ports openssl is newer. Determine if anything can be done to fix this.

Port Arctic Fox Browser to MidnightBSD

From an email discussion between me and Lucas, we agreed that exploring Arctic Fox as an additional browser in mports is potentially worthwhile.

Introduction

Arctic Fox started as a forked and rebranded Pale Moon 27.9.4 and retains its classic interface. Many fixes and enhancements have been imported from Firefox and TenFourFox.

Arctic Fox aims to be a desktop oriented browser with phone support removed, or no longer updated in the tree.

Repo: https://github.com/wicknix/Arctic-Fox

Rationale

Not speaking for Lucas or anyone else in Midnight, as I'm essentially a "rookie" here if that. Rust is a constantly moving target for primary ports like Firefox. Webkit has ports.

Pale Moon, the upstream of Arctic Fox, is known to be aggressive, hostile towards the BSDs and incredibly eccentric when they aren't. To avoid drama, it's best to go straight to Arctic Fox. There exists another option, but the name is incredibly explicit "Male P*on" and while it's obvious it's intended as a joke, it's not appropriate IMHO for mports as it is.

python ports not cleaning up

On python ports with autoplist enabled, files and directories do not get cleaned on uninstall. The meson port is a good example.
