From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: devel/apr: update to 1.7.5, fix CVE-2023-49582
To: "Kirill A. Korinsky" <kirill@korins.ky>, OpenBSD ports <ports@openbsd.org>, Klemens Nanni <kn@openbsd.org>, Stefan Sperling <stsp@openbsd.org>
Date: Thu, 07 Nov 2024 13:04:16 +0100

On Thu, 07 Nov 2024 12:25:55 +0100,
Stuart Henderson <stu@spacehopper.org> wrote:
> 
> On 2024/11/07 10:36, Kirill A. Korinsky wrote:
> > ports@,
> > 
> > Here an update for devel/apr to 1.7.5 which was released August 26, 2024 and
> > which contains fix CVE-2023-49582.
> > 
> > Tested on -current/amd64 by rebuilding:
> >  - devel/apr-util
> >  - devel/subversion
> >  - net/serf
> >  - www/ap2-mod_dnssd
> >  - www/ap2-mod_perl
> >  - www/apache-httpd
> >  - www/p5-libapreq2
> > 
> > /usr/src/lib/check_sym confrims that only one symbols was added.
> 
> Nope,
> 
> /usr/local/lib/libapr-1.so.7.1 --> /pobj/apr-1.7.5/fake-amd64//usr/local/lib/libapr-1.so.7.2
> No dynamic export changes
> External reference changes:
> added:
>         fchmod
> 
> "No dynamic export changes" is the important bit here. "External
> reference changes" is not really relevant for ports.
> 
> Library bumps in -stable cause certain problems. Sometimes there's not
> really a way around it, but you want to be pretty sure that they're
> required first.
>

Noted. Have I broke something in -stable?

> > Ok for -current and 7.6?
> 
> : ===>  Generating configure for apr-1.7.5
> : >>> Can't find autoconf 2.71 signature in /pobj/apr-1.7.5/apr-1.7.5/configure:
> : # Generated by GNU Autoconf 2.72.
> 
> AUTOCONF_VERSION should be bymped to 2.72
> 

Which is wired because when I run:

    env FETCH_PACKAGES=-Dsnap make clean configure

it works like this

    ===>  Generating configure for apr-1.7.2
    Running autoconf-2.71 in /build/pobj/apr-1.7.2/apr-1.7.2
    configure.in:10: warning: The macro `AC_CONFIG_HEADER' is obsolete.

-- 
wbr, Kirill