ports@,

Here is an update for devel/sbt to 1.10.3.

This update contains a fix for a security issue: sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum.

I think that it should be backported to -stable as well.

The full changelog is available here: https://github.com/sbt/sbt/releases/tag/v1.10.3

Tested on -current/amd64.

The diff:

Index: Makefile =================================================================== RCS file: /cvs/ports/devel/sbt/Makefile,v diff -u -p -r1.4 Makefile --- Makefile 3 Oct 2024 20:22:07 -0000 1.4 +++ Makefile 20 Oct 2024 17:32:53 -0000 @@ -1,6 +1,6 @@ COMMENT= interactive build tool, primarily for Scala/Java -V= 1.10.2 +V= 1.10.3 DISTNAME= sbt-$V CATEGORIES= devel Index: distinfo =================================================================== RCS file: /cvs/ports/devel/sbt/distinfo,v diff -u -p -r1.4 distinfo --- distinfo 3 Oct 2024 20:22:07 -0000 1.4 +++ distinfo 20 Oct 2024 17:32:53 -0000 @@ -1,2 +1,2 @@ -SHA256 (sbt-1.10.2.tgz) = pxbdAYvWi8epWi3RAzdmOqdvRDrWyZ3qvl6t0a38djk= -SIZE (sbt-1.10.2.tgz) = 48057515 +SHA256 (sbt-1.10.3.tgz) = +9ELWXBHQ9kQMuCZcF3YH/FG7uKmWM66mcqYKEOx/HU= +SIZE (sbt-1.10.3.tgz) = 48047092

--
wbr, Kirill
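
Review bot: the Makefile hunk shows only lines 1-6 (context ends at CATEGORIES), so confirm there is no REVISION line further down that should be dropped along with the V bump from 1.10.2 to 1.10.3. Because the update is proposed for -stable on the strength of CVE-2024-7254 / GHSA-735f-pc8j-v9w8, cite that id in the commit message so the backport can be traced to the advisory; nothing in the Makefile change itself records the reason.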
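
Review bot: in the distinfo hunk the new SHA256 and SIZE for sbt-1.10.3.tgz are the only thing pinning what the port fetches, so compare them against a copy of the v1.10.3 release asset downloaded independently of the submitter's distfile instead of only regenerating them with makesum. Also note that the new digest itself begins with "+" ("+9ELWXBH..."), directly after the "=" on an added line; when applying this from a mail that has been reflowed, check that this leading character was not lost or taken for a diff marker.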