devel/apr: update to 1.7.5, fix CVE-2023-49582
On 2024/11/07 10:36, Kirill A. Korinsky wrote:
> ports@,
>
> Here is an update for devel/apr to 1.7.5, which was released August 26, 2024 and
> which contains a fix for CVE-2023-49582.
>
> Tested on -current/amd64 by rebuilding:
> - devel/apr-util
> - devel/subversion
> - net/serf
> - www/ap2-mod_dnssd
> - www/ap2-mod_perl
> - www/apache-httpd
> - www/p5-libapreq2
>
> /usr/src/lib/check_sym confirms that only one symbol was added.
Nope,
/usr/local/lib/libapr-1.so.7.1 --> /pobj/apr-1.7.5/fake-amd64//usr/local/lib/libapr-1.so.7.2
No dynamic export changes
External reference changes:
added:
fchmod
"No dynamic export changes" is the important bit here. "External
reference changes" is not really relevant for ports.
Library bumps in -stable cause certain problems. Sometimes there's not
really a way around it, but you want to be pretty sure that they're
required first.
> Ok for -current and 7.6?
: ===> Generating configure for apr-1.7.5
: >>> Can't find autoconf 2.71 signature in /pobj/apr-1.7.5/apr-1.7.5/configure:
: # Generated by GNU Autoconf 2.72.
AUTOCONF_VERSION should be bumped to 2.72