On Wed, Aug 29, 2012 at 09:34:22PM +0200, Patrick Lamaiziere wrote:
> On Wed, 29 Aug 2012 09:59:46 +0200,
> Sebastien Marie <semarie-open...@latrappe.fr> wrote:

Hello,

> > I currently follow the STABLE branch for OpenBSD (and so for ports too),
> > which is OPENBSD_5_1.
> >
> > But I saw that the last security updates for ports go to OPENBSD_5_2
> > and not to OPENBSD_5_1.
>
> Any examples? The problem may not be present in 5.1.

databases/postgresql
version 9.1.4 (in OPENBSD_5_1) is vulnerable to CVE-2012-3488 and CVE-2012-3489
CVE-2012-3488: insecure use of xslt (xslt is in contrib, so it needs activation)
CVE-2012-3489: insecure use of libxml2 (XXE possible)
OPENBSD_5_2 has upgraded from 9.1.4 to 9.1.5

editors/emacs23
same version in OPENBSD_5_1 (emacs-23.4) and OPENBSD_5_2 (emacs-23.4p2)
vulnerable to CVE-2012-3479 (GNU Emacs "enable-local-variables" Variable Processing Vulnerability)

games/openttd
same version in OPENBSD_5_1 (openttd-1.1.5) and OPENBSD_5_2 (openttd-1.1.5p1)
vulnerable to CVE-2012-3436 (Denial of service (server) using ships on half tiles and landscaping)

net/tor
same version in OPENBSD_5_1 (tor-0.2.2.37) and OPENBSD_5_2_BASE
OPENBSD_5_2 upgrades to tor-0.2.2.38
Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; fixes a remotely triggerable crash bug; and fixes a timing attack that could in theory leak path information.

www/py-django
OPENBSD_5_1 has version 1.3p3
NIST reports versions before 1.3.2 are vulnerable (for CVE-2012-3442 at least)
CVE-2012-3442
CVE-2012-3443
CVE-2012-3444

Other ports that would need more investigation to determine whether or not they are vulnerable in OPENBSD_5_1:
graphics/GraphicsMagick CVE-2012-3438
graphics/ImageMagick CVE-2012-3437
mail/roundcubemail CVE-2012-3508

I do not use all of the previous ports, and some are used in a "safe" way (like using the postgresql ports, but not for a server).

It is just a question of knowing what to follow, in order to keep updated...

Thanks.
-- 
Sebastien Marie