Re: git: 307e28238343 - main - sysutils/screen49: Fix fetch

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Tue, 13 May 2025 15:53:36 UTC
In message <aCNoja_-Cf325kXy@FreeBSD.org>, Alexey Dokuchaev writes:
> On Tue, May 13, 2025 at 07:54:17AM -0700, Cy Schubert wrote:
> > In message <aCNYd_lIrbSJVRzC@FreeBSD.org>, Alexey Dokuchaev writes:
> > > On Mon, May 12, 2025 at 03:48:27PM -0700, Cy Schubert wrote:
> > > > In message <cb102568-0820-487d-9afe-f9d47cb28849@FreeBSD.org>, Daniel Engberg writes:
> > > > > ...
> > > > >
> > > > > Please undo this hack as upstream provides a tarball since 2023-08-17
> > > > 
> > > > Their tarball doesn't include security patches. Security patches are
> > > > included in their 4.9.1 branch but not in the tarball.
> > > > 
> > > > Do you still want me to undo and mark the port FORBIDDEN?
> > >
> > > Please don't, it's okay.  I use this port and have no intention to move
> > > to 5.x branch.  Thanks!
> > 
> > It suffers multiple CVEs. I don't see upstream releasing tagging 4.9.2. Are
> > we willing to have a virtually unmaintained (by upstream) screen in ports?
>
> With the recent CVE-2025-23395 and unsafe strncpy() being introduced in 5.x
> branch only, I'd rather stay with 4.9 at least until the dust settles with
> that new code.  I'll try to reach out to devs about releasing 4.9.2.

They did commit it to the screen-49 branch. I don't know why they didn't 
tag it like they did the screen-50 branch.

For the time being I've reverted the deprecation and have imported the 
patches directly into the port. The port is presently unsustainable without 
full upstream support.

The default screen will remain pointed to screen50. People wishing to 
continue to use screen 4.9.1 should switch to screen49. And they should be 
aware that it will be scheduled for removal should there be unfixed by 
upstream CVEs.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0