ports/181453: [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
Steve Wills
swills at freebsd.org
Wed Aug 21 12:40:02 UTC 2013
>Number: 181453
>Category: ports
>Synopsis: [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 21 12:40:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Steve Wills
>Release: FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
System: FreeBSD meatwad.mouf.net 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r253898: Sat Aug 3 00:09:09
>Description:
- Update to 0.9.11
- Fix security issue
Port maintainer (bsdports at wayfair.com) is cc'd.
Generated with FreeBSD Port Tools 0.99_8 (mode: update, diff: SVN)
>How-To-Repeat:
>Fix:
--- py27-graphite-web-0.9.11.patch begins here ---
Index: Makefile
===================================================================
--- Makefile (revision 325114)
+++ Makefile (working copy)
@@ -2,11 +2,9 @@
# $FreeBSD$
PORTNAME= graphite-web
-PORTVERSION= 0.9.10
-PORTREVISION= 1
+PORTVERSION= 0.9.11
CATEGORIES= www python
-#MASTER_SITES= CHEESESHOP \
-MASTER_SITES= https://github.com/downloads/graphite-project/${PORTNAME}/
+MASTER_SITES= https://github.com/graphite-project/${PORTNAME}/archive/${PORTVERSION}.tar.gz?dummy=
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
MAINTAINER= bsdports at wayfair.com
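Review bot: The new MASTER_SITES line points at a single file (`archive/${PORTVERSION}.tar.gz`) and ends in `?dummy=`, with no comment explaining why. It only works together with the `FETCH_ARGS= -o ${DISTNAME}${EXTRACT_SUFX}` change in the next hunk, so add a comment above MASTER_SITES stating that the query string is there to absorb the distfile name the framework appends. Otherwise a later cleanup of either line will silently break fetching. With the URL no longer naming the distfile, the distinfo checksum is the only thing tying the download to the reviewed tarball.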
@@ -14,10 +12,10 @@
RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cairo>=1.8.10:${PORTSDIR}/graphics/py-cairo \
${PYTHON_PKGNAMEPREFIX}carbon>=${PORTVERSION}:${PORTSDIR}/databases/py-carbon \
- ${PYTHON_PKGNAMEPREFIX}django>=1.3.1:${PORTSDIR}/www/py-django \
+ ${PYTHON_PKGNAMEPREFIX}django>=1.4:${PORTSDIR}/www/py-django \
${PYTHON_PKGNAMEPREFIX}django-tagging>=0.3.1:${PORTSDIR}/www/py-django-tagging
-FETCH_ARGS= -pRr
+FETCH_ARGS= -o ${DISTNAME}${EXTRACT_SUFX}
USE_PYTHON= -2.7
USE_PYDISTUTILS=yes
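Review bot: FETCH_ARGS is replaced outright, so the previous `-pRr` flags are dropped rather than kept alongside the new `-o ${DISTNAME}${EXTRACT_SUFX}`. If that is intentional, say so in the description; otherwise keep the old flags and append `-o`. The same hunk also raises the django dependency from `>=1.3.1` to `>=1.4`, which the description ("Update to 0.9.11", "Fix security issue") does not mention; a one-line note on why the floor moved would help anyone tracking the dependency.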
Index: distinfo
===================================================================
--- distinfo (revision 325114)
+++ distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (graphite-web-0.9.10.tar.gz) = 4fd1d16cac3980fddc09dbf0a72243c7ae32444903258e1b65e28428a48948be
-SIZE (graphite-web-0.9.10.tar.gz) = 2117421
+SHA256 (graphite-web-0.9.11.tar.gz) = 1aeb0fa2dd346725ca067a42a366dd9f90072d0d8b660026211ce3e37103e4e3
+SIZE (graphite-web-0.9.11.tar.gz) = 2333562
Index: files/patch-webapp-graphite-local__settings.py.example
===================================================================
--- files/patch-webapp-graphite-local__settings.py.example (revision 325114)
+++ files/patch-webapp-graphite-local__settings.py.example (working copy)
@@ -39,16 +39,3 @@
#####################################
-@@ -156,6 +167,12 @@
- #DATABASE_PASSWORD = 'graphite-is-awesome'
- #DATABASE_HOST = 'mysql.mycompany.com'
- #DATABASE_PORT = '3306'
-+DATABASES = {
-+ 'default': {
-+ 'NAME': '/usr/local/graphite/storage/graphite.db',
-+ 'ENGINE': 'django.db.backends.sqlite3',
-+ }
-+}
-
-
- #########################
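Review bot: The removed sub-hunk was the one adding a default sqlite `DATABASES` block (`'NAME': '/usr/local/graphite/storage/graphite.db'`) to local_settings.py.example, and the description gives no reason for dropping it. Please confirm that the 0.9.11 example file already carries an equivalent default, or state that the port no longer ships one, so an upgraded install does not end up with a database configuration that differs from what the previous package revision set up.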
Index: pkg-plist
===================================================================
--- pkg-plist (revision 325114)
+++ pkg-plist (working copy)
@@ -54,6 +54,7 @@
graphite/webapp/content/img/arrow1.gif
graphite/webapp/content/img/blank.gif
graphite/webapp/content/img/calBt.gif
+graphite/webapp/content/img/carbon-fiber.png
graphite/webapp/content/img/clock_16.png
graphite/webapp/content/img/delete.gif
graphite/webapp/content/img/error.png
@@ -62,11 +63,26 @@
graphite/webapp/content/img/graphite_short.png
graphite/webapp/content/img/indicator.png
graphite/webapp/content/img/leaf.gif
+graphite/webapp/content/img/line_chart.png
graphite/webapp/content/img/mini-bottom2.gif
graphite/webapp/content/img/mini-top2.gif
graphite/webapp/content/img/save.gif
graphite/webapp/content/img/searching.gif
graphite/webapp/content/img/updateGraph.gif
+graphite/webapp/content/js/ace/ace.js
+graphite/webapp/content/js/ace/keybinding-vim.js
+graphite/webapp/content/js/ace/mode-c_cpp.js
+graphite/webapp/content/js/ace/mode-clojure.js
+graphite/webapp/content/js/ace/mode-coffee.js
+graphite/webapp/content/js/ace/mode-csharp.js
+graphite/webapp/content/js/ace/mode-css.js
+graphite/webapp/content/js/ace/mode-groovy.js
+graphite/webapp/content/js/ace/mode-html.js
+graphite/webapp/content/js/ace/mode-java.js
+graphite/webapp/content/js/ace/mode-javascript.js
+graphite/webapp/content/js/ace/mode-json.js
+graphite/webapp/content/js/ace/theme-textmate.js
+graphite/webapp/content/js/ace/worker-javascript.js
graphite/webapp/content/js/browser.js
graphite/webapp/content/js/cli.js
graphite/webapp/content/js/completer.js
@@ -797,6 +813,7 @@
@dirrm graphite/webapp/content/js/ext/adapter/ext
@dirrm graphite/webapp/content/js/ext/adapter
@dirrm graphite/webapp/content/js/ext
+ at dirrm graphite/webapp/content/js/ace
@dirrm graphite/webapp/content/js
@dirrm graphite/webapp/content/img
@dirrm graphite/webapp/content/html
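Review bot: The added line reads `+ at dirrm graphite/webapp/content/js/ace` while every neighbouring entry starts with `@dirrm`. As written, pkg-plist would get a literal ` at dirrm ...` entry and the new `js/ace` directory would not be removed on deinstall. This looks like address obfuscation applied to the `@` in transit; make sure the copy that is applied has `@dirrm graphite/webapp/content/js/ace`. Its position before `@dirrm graphite/webapp/content/js` is correct.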
--- py27-graphite-web-0.9.11.patch ends here ---
--- vuln.xml.patch begins here ---
Index: vuln.xml
===================================================================
--- vuln.xml (revision 325081)
+++ vuln.xml (working copy)
@@ -51,6 +51,50 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="e1f99d59-81aa-4662-bf62-c1076f5016c8">
+ <topic>py-graphite-web -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py26-graphite-web</name>
+ <range><lt>0.9.11</lt></range>
+ </package>
+ <package>
+ <name>py27-graphite-web</name>
+ <range><lt>0.9.11</lt></range>
+ </package>
+ <package>
+ <name>py31-graphite-web</name>
+ <range><lt>0.9.11</lt></range>
+ </package>
+ <package>
+ <name>py32-graphite-web</name>
+ <range><lt>0.9.11</lt></range>
+ </package>
+ <package>
+ <name>py33-graphite-web</name>
+ <range><lt>0.9.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Graphite developers report:</p>
+ <blockquote cite="http://graphite.readthedocs.org/en/0.9.11/releases/0_9_11.html">
+ <p>This release contains several security fixes for cross-site
+ scripting (XSS) as well as a fix for a remote-execution exploit in
+ graphite-web (CVE-2013-5903).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-5093</cvename>
+ <url>https://github.com/rapid7/metasploit-framework/pull/2260</url>
+ </references>
+ <dates>
+ <discovery>2013-08-21</discovery>
+ <entry>2013-08-21</entry>
+ </dates>
+ </vuln>
+
<vuln vid="4d087b35-0990-11e3-a9f4-bcaec565249c">
<topic>gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav</topic>
<affects>
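Review bot: The CVE identifier is inconsistent within the new entry: the quoted paragraph says `CVE-2013-5903` while `<cvename>` says `CVE-2013-5093`. Check both against the cited release notes and the CVE record. If the blockquote is a verbatim quote it can stay as upstream wrote it, but `<cvename>` must carry the identifier that is actually assigned, since that is what audit tooling matches on. Separately, `<affects>` lists py26, py31, py32 and py33 packages while the port Makefile in this PR sets `USE_PYTHON= -2.7`; list only the package names that can actually exist, or note why the others are included.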
--- vuln.xml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: