Incoherence in libidn2 vulnerability

2019-11-18 Thread Andrea Venturoli

# pkg audit
libidn2-2.2.0 is vulnerable:

libidn2 -- roundtrip check vulnerability
CVE: CVE-2019-12290
WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html


Opening the link, I find:
GNU libidn2 *before* 2.2.0 fails...

Which is right?
Is 2.2.0 affected or not?

 bye & Thanks
av.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: [Bug 233475] www/gitea: Update to 1.6.0 (Fixes security vulnerability)

2018-11-26 Thread Stefan Bethke
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233475
> 
> Bernhard Froehlich  changed:
> 
>   What|Removed |Added
> 
> Status|New |Closed
> Resolution|--- |FIXED
> 
> --- Comment #4 from Bernhard Froehlich  ---
> The mentioned security issues do not have any CVE numbers assigned so we
> normally do not document those in our vuxml. Since there was no patch for the
> port itself to bring it to 1.6.0 I did the update myself and did some light
> runtime testing which seemed fine.

Thanks!

I must have accidentally replaced the gate patch with the vuxml patch.

And regarding vuxml: other committers feel quite strongly about adding entries 
for project-reported vulnerabilities/fixes. I’m happy to do it either way, but 
it would be great if there was consensus what should be documented that way and 
what shouldn’t.


Cheers,
Stefan

-- 
Stefan Bethke    Fon +49 151 14070811



Re: net-p2p/transmission-daemon vulnerability

2018-01-11 Thread Chris Rees
Please excuse the earlier blank mail- Android Gmail being moronic again :(

Hello all,


I've just been alerted to an issue with transmission, but only the daemon.


Basically, you can fool it into believing that a remote host is localhost, and 
can therefore break in to it.


This is an issue if all of the following are true:


Port 9091 is accessible from the Internet (or you don't trust your LAN)

You have no password set

You rely on host authentication for security


Unless I'm misunderstanding the issue, you can resolve it by setting a 
password.  There is a patch at [1] that fixes this, but annoyingly they have 
messed with whitespace since 2.92, and the patch doesn't apply.  I expect a 
release very soon incorporating this fix anyway.  It also appears to break on 
all but Mac OS.


tl;dr set a password for transmission-daemon


Chris


[1] https://github.com/transmission/transmission/pull/468




On 11 January 2018 21:15:26 GMT+00:00, "Janky Jay, III"  wrote:
>Uhh... Chris? :)
>
>On 01/11/2018 02:08 PM, Chris Rees wrote:
>> ___
>> freebsd-ports@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to
>"freebsd-ports-unsubscr...@freebsd.org"

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


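The three conditions Chris lists map directly onto values in transmission-daemon's settings.json, so a defender can check a host for the exposed combination without reading the upstream bug. The following is an added example, not Transmission's code or anything from the thread: the key names are the ones transmission-daemon writes to settings.json, the sample configuration is constructed here to mirror the daemon's defaults, and `audit_rpc` / `harden_rpc` are names chosen for this example.

```python
import ipaddress
import json

# Constructed sample: the values transmission-daemon writes by default,
# i.e. RPC listening on all interfaces, no authentication required, and a
# whitelist containing only 127.0.0.1. Key names are the real settings.json keys.
SAMPLE_SETTINGS = json.dumps({
    "rpc-enabled": True,
    "rpc-port": 9091,
    "rpc-bind-address": "0.0.0.0",
    "rpc-authentication-required": False,
    "rpc-username": "",
    "rpc-password": "",
    "rpc-whitelist-enabled": True,
    "rpc-whitelist": "127.0.0.1",
})


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcard whitelist patterns count as non-loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_rpc(settings_json: str) -> dict:
    """Map the three conditions from the message onto settings.json values.

    Returns {"findings": {code: message}, "set_password": bool}; set_password
    is True only when all three conditions hold at once.
    """
    s = json.loads(settings_json)
    findings = {}
    if not s.get("rpc-enabled", True):
        return {"findings": findings, "set_password": False}

    bind = s.get("rpc-bind-address", "0.0.0.0")
    port = s.get("rpc-port", 9091)
    # Condition 1: the port is reachable from beyond this host.
    if not _is_loopback(bind):
        findings["exposed"] = (f"rpc-bind-address {bind}: port {port} is reachable "
                               "from other hosts; only a firewall limits who")
    # Condition 2: no password is required.
    if not s.get("rpc-authentication-required", False):
        findings["no-password"] = ("rpc-authentication-required is false: nothing "
                                   "but the caller's address is checked")
    # Condition 3: the host whitelist is what decides access.
    if s.get("rpc-whitelist-enabled", True):
        allowed = [h.strip() for h in s.get("rpc-whitelist", "127.0.0.1").split(",")]
        findings["whitelist-only"] = (f"access is decided by rpc-whitelist {allowed}, "
                                      "i.e. host authentication")

    at_risk = {"exposed", "no-password", "whitelist-only"} <= findings.keys()
    return {"findings": findings, "set_password": at_risk}


def harden_rpc(settings_json: str, username: str, password: str) -> str:
    """Apply the tl;dr: require a password. Returns the updated settings.json text."""
    s = json.loads(settings_json)
    s["rpc-authentication-required"] = True
    s["rpc-username"] = username
    # Written in plaintext here; transmission-daemon replaces a plaintext
    # rpc-password with a salted hash the next time it starts.
    s["rpc-password"] = password
    return json.dumps(s, indent=4)


if __name__ == "__main__":
    for code, msg in audit_rpc(SAMPLE_SETTINGS)["findings"].items():
        print(f"{code}: {msg}")
```

Run it against the real file (typically the daemon user's `.config/transmission-daemon/settings.json`) by reading that file into `audit_rpc`; edit the file only while the daemon is stopped, since it rewrites settings.json on exit.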


net-p2p/transmission-daemon vulnerability

2018-01-11 Thread Chris Rees



Re: Vulnerability

2017-07-01 Thread Jos Chrispijn

On 30-6-2017 at 18:23, Carlos Jacobo Puga Medina wrote:
> I have submitted a patch to update libgcrypt to 1.7.8 (still pending 
> for an exp-run)
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382
> 
> You can grab the patch, apply and build the port.

Thanks Carlos, appreciate your support.

./Jos



Re: Vulnerability

2017-06-30 Thread Carlos Jacobo Puga Medina
Hi,

> Sent: Friday, 30 June 2017 at 18:04
> From: "Jos Chrispijn" <bsdpo...@cloudzeeland.nl>
> To: "FreeBSD Ports ML" <freebsd-ports@freebsd.org>, c...@freebsd.org
> Subject: Vulnerability
>
> Dear port maintainer,
> 
> Just to let you know that I ran into the following vulnerability report:
> 
> libgcrypt-1.7.7 is vulnerable:
> libgcrypt -- side-channel attack on RSA secret keys
> CVE: CVE-2017-7526
> WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html
> 
> Could you send out a port update? Thanks in advance!
> 

I have submitted a patch to update libgcrypt to 1.7.8 (still pending for an 
exp-run)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382

You can grab the patch, apply and build the port.

> Keep up the good work,
> Jos Chrispijn
> 
> 

Kind regards,
--
Carlos Jacobo Puga Medina <c...@gmx.es>


Re: Vulnerability

2017-06-30 Thread Adam Weinberger
> On 30 Jun, 2017, at 10:04, Jos Chrispijn  wrote:
> 
> Dear port maintainer,
> 
> Just to let you know that I ran into the following vulnerability report:
> 
> libgcrypt-1.7.7 is vulnerable:
> libgcrypt -- side-channel attack on RSA secret keys
> CVE: CVE-2017-7526
> WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html
> 
> Could you send out a port update? Thanks in advance!
> 
> Keep up the good work,
> Jos Chrispijn

Hi Jos,

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382

It's in the exp-run queue.

# Adam


-- 
Adam Weinberger
ad...@adamw.org
https://www.adamw.org



Vulnerability

2017-06-30 Thread Jos Chrispijn

Dear port maintainer,

Just to let you know that I ran into the following vulnerability report:

libgcrypt-1.7.7 is vulnerable:
libgcrypt -- side-channel attack on RSA secret keys
CVE: CVE-2017-7526
WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html

Could you send out a port update? Thanks in advance!

Keep up the good work,
Jos Chrispijn



Re: mariadb101-server vulnerability?

2016-08-08 Thread Michael Grimm

On 2016-08-08 12:02, Bernard Spil wrote:
> The CVE's mention MariaDB where applicable.
> 
> Added versions where these vulns were fixed for MariaDB. PerconaDB
> follows the MySQL release numbering and has also received updates so I
> added version checks there as well.
> 
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
> 
> Cheers,
> Bernard.


I'd like to thank everyone involved in getting this issue solved.

Thanks and regards,
Michael



Re: mariadb101-server vulnerability?

2016-08-08 Thread Mark Felder


> On Aug 8, 2016, at 05:02, Bernard Spil <br...@freebsd.org> wrote:
> 
>> On 2016-08-06 23:17, Mark Felder wrote:
>>> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> > Hi —
>>> >
>>> > Kubilay Kocak <ko...@freebsd.org> wrote:
>>> >
>>> >> Unfortunately you are yet one more example of a user that's been left in
>>> >> the lurch without information or recourse wondering (rightfully) how
>>> >> they can resolve or mitigate this vulnerability. Our apologies.
>>> >
>>> > While we are on that topic, I am wondering about that 14 days old warning, 
>>> > as well:
>>> >
>>> >mariadb101-server-10.1.16 is vulnerable:
>>> >MySQL -- Multiple vulnerabilities
>>> >CVE: CVE-2016-3452
>>> > [long list of CVEs snipped]
>>> >CVE: CVE-2016-3477
>>> >
>>> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>> >
>>> > I really do not know how serious this report is. Every feedback is highly 
>>> > appreciated.
>>> Hi Michael:
>>> Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>> Your comment on that issue would be appreciated.
>>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>>> multiple vulnerable ports is:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>> From what I can see MariaDB hasn't released an update to address these
>> issues yet. I believe Oracle does not coordinate release of security
>> issues with third parties / forks. This has probably caught MariaDB off
>> guard and they're likely waiting for access to the relevant commits to
>> import the fixes.
> 
> Hi Mark,
> 
> The CVE's mention MariaDB where applicable.
> 
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows 
> the MySQL release numbering and has also received updates so I added version 
> checks there as well.
> 
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
> 

Thanks for keeping an eye on this!

Re: mariadb101-server vulnerability?

2016-08-08 Thread Bernard Spil

On 2016-08-06 23:17, Mark Felder wrote:

On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:

On 6/08/2016 7:23 AM, Michael Grimm wrote:
> Hi —
>
> Kubilay Kocak <ko...@freebsd.org> wrote:
>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>
> While we are on that topic, I am wondering about that 14 days old warning, as well:
>
>mariadb101-server-10.1.16 is vulnerable:
>MySQL -- Multiple vulnerabilities
>CVE: CVE-2016-3452
> [long list of CVEs snipped]
>CVE: CVE-2016-3477
>https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>
> I really do not know how serious this report is. Every feedback is highly 
appreciated.

Hi Michael:

Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274

Your comment on that issue would be appreciated.

The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
multiple vulnerable ports is:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248


From what I can see MariaDB hasn't released an update to address these
issues yet. I believe Oracle does not coordinate release of security
issues with third parties / forks. This has probably caught MariaDB off
guard and they're likely waiting for access to the relevant commits to
import the fixes.


Hi Mark,

The CVE's mention MariaDB where applicable.

Added versions where these vulns were fixed for MariaDB. PerconaDB 
follows the MySQL release numbering and has also received updates so I 
added version checks there as well.


See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Cheers,

Bernard.

Re: mariadb101-server vulnerability?

2016-08-06 Thread Mark Felder


On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
> On 6/08/2016 7:23 AM, Michael Grimm wrote:
> > Hi —
> > 
> > Kubilay Kocak <ko...@freebsd.org> wrote:
> > 
> >> Unfortunately you are yet one more example of a user that's been left in
> >> the lurch without information or recourse wondering (rightfully) how
> >> they can resolve or mitigate this vulnerability. Our apologies.
> > 
> > While we are on that topic, I am wondering about that 14 days old warning, as 
> > well:
> > 
> > mariadb101-server-10.1.16 is vulnerable:
> > MySQL -- Multiple vulnerabilities
> > CVE: CVE-2016-3452
> > [long list of CVEs snipped]
> > CVE: CVE-2016-3477
> > 
> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
> > 
> > I really do not know how serious this report is. Every feedback is highly 
> > appreciated.
> 
> Hi Michael:
> 
> Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
> 
> Your comment on that issue would be appreciated.
> 
> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
> multiple vulnerable ports is:
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
> 
> 

From what I can see MariaDB hasn't released an update to address these
issues yet. I believe Oracle does not coordinate release of security
issues with third parties / forks. This has probably caught MariaDB off
guard and they're likely waiting for access to the relevant commits to
import the fixes.


-- 
  Mark Felder
  f...@feld.me

Re: mariadb101-server vulnerability?

2016-08-06 Thread Kubilay Kocak
On 6/08/2016 7:23 AM, Michael Grimm wrote:
> Hi —
> 
> Kubilay Kocak <ko...@freebsd.org> wrote:
> 
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
> 
> While we are on that topic, I am wondering about that 14 days old warning, as 
> well:
> 
>   mariadb101-server-10.1.16 is vulnerable:
>   MySQL -- Multiple vulnerabilities
>   CVE: CVE-2016-3452
> [long list of CVEs snipped]
>   CVE: CVE-2016-3477
>   
> https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
> 
> I really do not know how serious this report is. Every feedback is highly 
> appreciated.

Hi Michael:

Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274

Your comment on that issue would be appreciated.

The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
multiple vulnerable ports is:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248


> Thanks and with kind regards,
> Michael
> 


Re: tiff vulnerability in ports?

2016-08-06 Thread Matthew Seaman
On 06/08/2016 04:39, alphachi wrote:
> Any update doesn't still land on ports tree, but now "pkg audit -F" won't
> report graphics/tiff is vulnerable.

There has been a revised judgement about the gif2tiff program, in that
while it can be made to crash by a specially crafted gif file, that does
not in itself constitute a security problem.  This is not just the
opinion of ports secteam, but concurs with, for example, the Debian
security team.

I don't know what the current thinking is about removing gif2tiff from
the libtiff package, but libtiff is one of those packages which very
many other packages depend upon, and portmgr consequently requires
experimental package build runs and in general much more stringent
levels of testing before allowing any such change.

Cheers,

Matthew







Re: tiff vulnerability in ports?

2016-08-05 Thread Kevin Oberman
On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkober...@gmail.com> wrote:

> On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <ko...@freebsd.org> wrote:
>
>> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
>> > On 2016/08/05 13:55, alphachi wrote:
>> >> Please see this link to get more information:
>> >>
>> >> https://svnweb.freebsd.org/ports?view=revision=418585
>> >>
>> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>> >>
>> >>> This is perhaps a question for the tiff devs more than anything, but I
>> >>> noticed that pkg audit has been complaining about libtiff
>> (graphics/tiff)
>> >>> for some time now.
>> >>>
>> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> >>> apparently that version hasn't been released yet (according to
>> >>> http://www.remotesensing.org/libtiff/, the latest stable release is
>> still
>> >>> 4.0.6).
>> >>>
>> >>> Anyone know what's going on? Is there a release upcoming to fix this?
>> >
>> > Yeah -- this vulnerability:
>> >
>> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-
>> 14dae9d210b8.html
>> >
>> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> > release from upstream yet.
>> >
>> > Given their approach to fixing the buffer overflow was to delete the
>> > offending gif2tiff application from the package, perhaps we could simply
>> > do the same until 4.0.7 comes out.
>> >
>> >   Cheers,
>> >
>> >   Matthew
>> >
>> >
>>
>> Hi Aleksandr  :)
>>
>> Also:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>>
>> Please add a comment to that bug to request resolution of the issue.
>>
>> Alternatively you (and anyone else) can just delete gif2tiff
>>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>>
>>
> This one is really annoying in that it is so easily fixed. Just modify the
> port to not build or even not install gif2tiff. It's not going to be fixed
> upstream. At least the last message in the bugzilla indicates that the
> program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> should get out front and just delete it now.
>
> A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> should add it to the ticket.
>

Never mind. Mark Felder submitted it a week ago. If someone could look at
it and commit?  I'd also suggest a note to UPDATING that gif2tif is gone.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: tiff vulnerability in ports?

2016-08-05 Thread Kevin Oberman
On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <ko...@freebsd.org> wrote:

> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> > On 2016/08/05 13:55, alphachi wrote:
> >> Please see this link to get more information:
> >>
> >> https://svnweb.freebsd.org/ports?view=revision=418585
> >>
> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
> >>
> >>> This is perhaps a question for the tiff devs more than anything, but I
> >>> noticed that pkg audit has been complaining about libtiff
> (graphics/tiff)
> >>> for some time now.
> >>>
> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> >>> apparently that version hasn't been released yet (according to
> >>> http://www.remotesensing.org/libtiff/, the latest stable release is
> still
> >>> 4.0.6).
> >>>
> >>> Anyone know what's going on? Is there a release upcoming to fix this?
> >
> > Yeah -- this vulnerability:
> >
> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-
> a7bd-14dae9d210b8.html
> >
> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> > release from upstream yet.
> >
> > Given their approach to fixing the buffer overflow was to delete the
> > offending gif2tiff application from the package, perhaps we could simply
> > do the same until 4.0.7 comes out.
> >
> >   Cheers,
> >
> >   Matthew
> >
> >
>
> Hi Aleksandr  :)
>
> Also:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>
> Please add a comment to that bug to request resolution of the issue.
>
> Alternatively you (and anyone else) can just delete gif2tiff
>
> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.
>
>
This one is really annoying in that it is so easily fixed. Just modify the
port to not build or even not install gif2tiff. It's not going to be fixed
upstream. At least the last message in the bugzilla indicates that the
program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
should get out front and just delete it now.

A fix is trivial, but touches 20 files and, of course, the plist. Guess I
should add it to the ticket.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


mariadb101-server vulnerability? (was: tiff vulnerability in ports?)

2016-08-05 Thread Michael Grimm
Hi —

Kubilay Kocak <ko...@freebsd.org> wrote:

> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.

While we are on that topic, I am wondering about that 14 days old warning, as well:

mariadb101-server-10.1.16 is vulnerable:
MySQL -- Multiple vulnerabilities
CVE: CVE-2016-3452
[long list of CVEs snipped]
CVE: CVE-2016-3477

https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html

I really do not know how serious this report is. Every feedback is highly 
appreciated.

Thanks and with kind regards,
Michael


Re: tiff vulnerability in ports?

2016-08-05 Thread Kubilay Kocak
On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> On 2016/08/05 13:55, alphachi wrote:
>> Please see this link to get more information:
>>
>> https://svnweb.freebsd.org/ports?view=revision=418585
>>
>> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>>
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>>
>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>>
>>> Anyone know what's going on? Is there a release upcoming to fix this?
> 
> Yeah -- this vulnerability:
> 
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> 
> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> release from upstream yet.
> 
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
> 
>   Cheers,
> 
>   Matthew
> 
> 

Hi Aleksandr  :)

Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively you (and anyone else) can just delete gif2tiff

Unfortunately you are yet one more example of a user that's been left in
the lurch without information or recourse wondering (rightfully) how
they can resolve or mitigate this vulnerability. Our apologies.

Hope that helps.


Re: tiff vulnerability in ports?

2016-08-05 Thread Matthew Seaman
On 2016/08/05 13:55, alphachi wrote:
> Please see this link to get more information:
> 
> https://svnweb.freebsd.org/ports?view=revision=418585
> 
> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
> 
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>>
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>>
>> Anyone know what's going on? Is there a release upcoming to fix this?

Yeah -- this vulnerability:

https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
release from upstream yet.

Given their approach to fixing the buffer overflow was to delete the
offending gif2tiff application from the package, perhaps we could simply
do the same until 4.0.7 comes out.

Cheers,

Matthew






Re: graphics/ImageMagick vulnerability status?

2016-05-10 Thread Steven Hartland
Really doesn't help that they keep revising the fix, 3 releases in 6 
days, latest version actually being 6.9.4-1 :(


On 10/05/2016 15:09, Stefan Bethke wrote:
> Hey,
> 
> according to 
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588, a 
> release 6.9.4-0 should be out that improves the situation significantly.  It 
> appears that graphics/ImageMagick is at 6.9.3.  It would be nice if people who 
> follow ImageMagick more closely than me could speak to the security status of the 
> current port, updates planned, and/or additional mitigation recommended.  Heise 
> News is reporting that exploits have been posted and are seen in the wild.
> 
> Thanks,
> Stefan





graphics/ImageMagick vulnerability status?

2016-05-10 Thread Stefan Bethke
Hey,

according to 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588, a 
release 6.9.4-0 should be out that improves the situation significantly.  It 
appears that graphics/ImageMagick is at 6.9.3.  It would be nice if people who 
follow ImageMagick more closely than me could speak to the security status of 
the current port, updates planned, and/or additional mitigation recommended.  
Heise News is reporting that exploits have been posted and are seen in the wild.


Thanks,
Stefan

-- 
Stefan Bethke    Fon +49 151 14070811






Re: openoffice vulnerability?

2015-05-16 Thread George Mitchell
On 05/15/15 07:11, George Mitchell wrote:
> Nightly security report sez:
> 
> Checking for packages with security vulnerabilities:
> Database fetched: Thu May 14 03:10:05 EDT 2015
> apache-openoffice-4.1.1_9
> [...]
And now Don Lewis has removed this erroneous entry from the data base of
vulnerabilities.  Thank you, Don! -- George



openoffice vulnerability?

2015-05-15 Thread George Mitchell
Nightly security report sez:

Checking for packages with security vulnerabilities:
Database fetched: Thu May 14 03:10:05 EDT 2015
apache-openoffice-4.1.1_9

I first got this last week for version 4.1.1_7 and consequently updated
my ports tree and rebuilt, specifically including changeset 385792:

Add a patch to fix the HWP filter vulnerability documented in
CVE-2015-1774 and
http://www.openoffice.org/security/cves/CVE-2015-1774.html

Approved by:            mat (mentor)
MFH:                    2015Q2
Security:               b13af778-f4fc-11e4-a95d-ac9e174be3af
Differential Revision:  https://reviews.freebsd.org/D2478


So is it still broken, or did another vulnerability already crop up?
-- George


Vulnerability on Tomcat 6.x (6.0.42) and 7.x (7.0.55) and 8.x (8.0.9)

2015-02-16 Thread Rodrigo Osorio

Hi,

CVE-2014-0227 [1] was released yesterday
about possible DoS attacks on Apache
Tomcat. Updates are available on the
website [2].

Cheers,
- rodrigo

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0227
[2] http://tomcat.apache.org/security-7.html


Re: Vulnerability on Tomcat 6.x (6.0.42) and 7.x (7.0.55) and 8.x (8.0.9)

2015-02-16 Thread Kurt Jaeger
Hi!

> CVE-2014-0227 was released yesterday
> about possible DoS attacks on Apache
> Tomcat. Updates are available on the
> website[2].

ale@ updated the ports.

-- 
p...@opsec.eu    +49 171 3101372    5 years to go !


Re: portaudit: Wrong vulnerability information for devel/dbus

2013-06-14 Thread Frank Broniewski

On 2013-06-14 06:19, RyōTa SimaMoto wrote:

> Hi,
> 
> portaudit rejects the latest version (1.6.12) of devel/dbus
> because the acceptable version is set higher (1.16.12) than it.
> 
> http://portaudit.FreeBSD.org/4e9e410b-d462-11e2-8d57-080027019be0.html



Yup, happens for me too

--
Frank BRONIEWSKI

METRICO s.à r.l.
géomètres
technologies d'information géographique
rue des Romains 36
L-5433 NIEDERDONVEN

tél.: +352 26 74 94 - 28
fax.: +352 26 74 94 99
http://www.metrico.lu

portaudit: Wrong vulnerability information for devel/dbus

2013-06-13 Thread RyōTa SimaMoto
Hi,

portaudit rejects the latest version (1.6.12) of devel/dbus
because the acceptable version is set higher (1.16.12) than it.

http://portaudit.FreeBSD.org/4e9e410b-d462-11e2-8d57-080027019be0.html
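Both the libidn2 question earlier on this page (is 2.2.0 itself inside "before 2.2.0"?) and this dbus report (1.16.12 typed where 1.6.12 was meant) come down to how a VuXML <range> is evaluated against an installed package version. The following is an added example, not pkg's or portaudit's code and not the real VuXML entries: the version comparator is a simplified one assumed for this example (pkg's real rules for letters, `pl` suffixes and trailing zeros are richer), the VuXML fragment is constructed to mirror what the two reports describe, and `audit` is a name chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment (not the real database entries): one entry
# written the way the libidn2 advisory text reads ("before 2.2.0"), and two
# dbus entries, the mistyped bound from the report beside the intended one.
SAMPLE_VUXML = """
<vuxml>
  <vuln vid="example-libidn2">
    <affects><package><name>libidn2</name><range><lt>2.2.0</lt></range></package></affects>
  </vuln>
  <vuln vid="example-dbus-typo">
    <affects><package><name>dbus</name><range><lt>1.16.12</lt></range></package></affects>
  </vuln>
  <vuln vid="example-dbus-intended">
    <affects><package><name>dbus</name><range><lt>1.6.12</lt></range></package></affects>
  </vuln>
</vuxml>
"""


def parse_version(v: str) -> tuple:
    """Simplified FreeBSD package version: VERSION[_REVISION][,EPOCH].

    Assumption of this example, not pkg's exact algorithm: VERSION is split on
    '.', numeric pieces compare numerically and everything else as text.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))
    return (epoch, parts, revision)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


# VuXML bound elements and the comparison result each one accepts.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(version: str, range_el: ET.Element) -> bool:
    """A <range> matches only when every bound it lists holds."""
    for bound in range_el:
        if bound.tag not in OPS:
            continue
        if not OPS[bound.tag](compare_versions(version, bound.text.strip())):
            return False
    return True


def audit(pkgname: str, version: str, vuxml_text: str) -> list:
    """Return the vids whose ranges match pkgname-version, as pkg audit would."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter("vuln"):
        for package in vuln.iter("package"):
            if package.findtext("name") != pkgname:
                continue
            if any(in_range(version, r) for r in package.iter("range")):
                hits.append(vuln.get("vid"))
    return hits


if __name__ == "__main__":
    print("libidn2-2.2.0:", audit("libidn2", "2.2.0", SAMPLE_VUXML))
    print("dbus-1.6.12:", audit("dbus", "1.6.12", SAMPLE_VUXML))
```

With a `<lt>2.2.0</lt>` bound, 2.2.0 itself is not matched, so a database entry that flags 2.2.0 must carry a different bound than the "before 2.2.0" wording suggests; and because 6 sorts before 16, the mistyped `<lt>1.16.12</lt>` matches 1.6.12 while the intended bound does not, which is exactly the false positive the dbus report describes.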


Re: Opera vulnerability, marked forbidden instead of update?

2012-12-01 Thread Jakub Lach
About updating the opera port, it's a matter of updating the plist to make 
sure that opera cleans up after deinstall properly.

Opera has a habit of silently adding new files between versions, 
so it must be checked.

Speaking from a user's perspective, you don't even need to bump the 
version in the Makefile; nobody stops you from downloading from 
opera.com directly and using their installer as well as their 
uninstaller (they provide both). It works, and should always
work, as long as FreeBSD is a supported platform.

It's just that when something is in ports, it must be fully integrated into 
the infrastructure.





Re: Opera vulnerability, marked forbidden instead of update?

2012-11-24 Thread Greg Byshenk
On Fri, 23 Nov 2012 09:00:59 + Matthew Seaman matt...@freebsd.org wrote:
 On 23/11/2012 08:26, Matthieu Volat wrote:

  I've noticed that www/opera was marked FORBIDDEN because of a security hole:
  http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
  
  The Opera software company advisory indeed marks this bug as high severity,
  and mentions that there is an update to fix it.
  
  I am not familiar with the security process in ports, but would it not be
  better to update the version? Marking it FORBIDDEN does not do much for the
  userbase that already has it installed.
  
  I've bumped the versions in the Makefile
  OPERA_VER?= 12.11
  OPERA_BUILD?=   1661
  and made a `make makesum reinstall`, there was no apparent problem.
 
 Marking a port 'FORBIDDEN' is a quick response measure that can be done
 without having to worry about time-consuming testing of the port and so
 forth.  It's an interim measure taken to ensure that users do not
 unwittingly install software with known vulnerabilities.
 
 Yes, updating the port to a non-vulnerable version is the ideal
 response, but that may not be possible to do straight away.  You've
 sketched out the first couple of steps a port maintainer would take, but
 that 'there was no apparent problem' statement would need to be backed
 up by some more rigorous testing before a maintainer would feel
 confident in committing the update.

Just a comment that, for any USERS who would like to take a
chance with updating their Opera (rather than taking a chance
running the vulnerable version), just modifying the Makefile
as described above works to provide the update.

I've updated www/opera and www/opera-linuxplugins, and my new
Opera is running fine:

About Opera
Version information
Version   12.11
Build     1661
Platform  FreeBSD
System    amd64, 8.3-STABLE

-- 
greg byshenk  -  gbysh...@byshenk.net  -  Leiden, NL - Portland, OR USA
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Opera vulnerability, marked forbidden instead of update?

2012-11-23 Thread Matthieu Volat
Hello,

I've noticed that www/opera was marked FORBIDDEN because of a security hole:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head

The Opera software company advisory indeed marks this bug as high severity, and
mentions that there is an update to fix it.

I am not familiar with the security process in ports, but would it not be
better to update the version? Marking it FORBIDDEN does not do much for the
userbase that already has it installed.

I've bumped the versions in the Makefile
OPERA_VER?= 12.11
OPERA_BUILD?=   1661
and made a `make makesum reinstall`, there was no apparent problem.

Regards,

-- 
Matthieu Volat ma...@alkumuna.eu
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Opera vulnerability, marked forbidden instead of update?

2012-11-23 Thread Matthew Seaman
On 23/11/2012 08:26, Matthieu Volat wrote:
 I've noticed that www/opera was marked FORBIDDEN because of a security hole:
 http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
 
 The Opera software company advisory indeed marks this bug as high severity,
 and mentions that there is an update to fix it.
 
 I am not familiar with the security process in ports, but would it not be
 better to update the version? Marking it FORBIDDEN does not do much for the
 userbase that already has it installed.
 
 I've bumped the versions in the Makefile
 OPERA_VER?= 12.11
 OPERA_BUILD?=   1661
 and made a `make makesum reinstall`, there was no apparent problem.

Marking a port 'FORBIDDEN' is a quick response measure that can be done
without having to worry about time-consuming testing of the port and so
forth.  It's an interim measure taken to ensure that users do not
unwittingly install software with known vulnerabilities.

Yes, updating the port to a non-vulnerable version is the ideal
response, but that may not be possible to do straight away.  You've
sketched out the first couple of steps a port maintainer would take, but
that 'there was no apparent problem' statement would need to be backed
up by some more rigorous testing before a maintainer would feel
confident in committing the update.

Cheers,

Matthew
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Opera vulnerability, marked forbidden instead of update?

2012-11-23 Thread ajtiM
On Friday 23 November 2012 03:00:59 Matthew Seaman wrote:
 On 23/11/2012 08:26, Matthieu Volat wrote:
  I've noticed that www/opera was marked FORBIDDEN because of a security
  hole:
  http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-h
  ead
  
  The Opera software company advisory indeed marks this bug as high
  severity, and mentions that there is an update to fix it.
  
  I am not familiar with the security process in ports, but would it not be
  better to update the version? Marking it FORBIDDEN does not do much for
  the userbase that already has it installed.
  
  I've bumped the versions in the Makefile
  OPERA_VER?= 12.11
  OPERA_BUILD?=   1661
  and made a `make makesum reinstall`, there was no apparent problem.
 
 Marking a port 'FORBIDDEN' is a quick response measure that can be done
 without having to worry about time-consuming testing of the port and so
 forth.  It's an interim measure taken to ensure that users do not
 unwittingly install software with known vulnerabilities.
 
 Yes, updating the port to a non-vulnerable version is the ideal
 response, but that may not be possible to do straight away.  You've
 sketched out the first couple of steps a port maintainer would take, but
 that 'there was no apparent problem' statement would need to be backed
 up by some more rigorous testing before a maintainer would feel
 confident in committing the update.
 
   Cheers,
 
   Matthew


I did the same and I don't have problems...

Mitja

http://www.redbubble.com/people/lumiwa
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Opera vulnerability, marked forbidden instead of update?

2012-11-23 Thread Matthieu Volat
On Fri, 23 Nov 2012 09:00:59 +
Matthew Seaman matt...@freebsd.org wrote:

 On 23/11/2012 08:26, Matthieu Volat wrote:
  I've noticed that www/opera was marked FORBIDDEN because of a security hole:
  http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
  
  The Opera software company advisory indeed marks this bug as high severity,
  and mentions that there is an update to fix it.
  
  I am not familiar with the security process in ports, but would it not be
  better to update the version? Marking it FORBIDDEN does not do much for the
  userbase that already has it installed.
  
  I've bumped the versions in the Makefile
  OPERA_VER?= 12.11
  OPERA_BUILD?=   1661
  and made a `make makesum reinstall`, there was no apparent problem.
 
 Marking a port 'FORBIDDEN' is a quick response measure that can be done
 without having to worry about time-consuming testing of the port and so
 forth.  It's an interim measure taken to ensure that users do not
 unwittingly install software with known vulnerabilities.
 
 Yes, updating the port to a non-vulnerable version is the ideal
 response, but that may not be possible to do straight away.  You've
 sketched out the first couple of steps a port maintainer would take, but
 that 'there was no apparent problem' statement would need to be backed
 up by some more rigorous testing before a maintainer would feel
 confident in committing the update.
 
   Cheers,
 
   Matthew
 ___
 freebsd-ports@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-ports
 To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org 

Hello and thanks for the explanation,

Cheers,

-- 
Matthieu Volat ma...@alkumuna.eu
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Python upgrade to address vulnerability?

2012-02-15 Thread Ruslan Mahmatkhanov

Doug Barton wrote on 15.02.2012 02:20:

So apparently we have a python vulnerability according to
http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
but I'm not seeing an upgrade to address it yet. Any idea when that will
happen?


Thanks,

Doug



The patch is here:
http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt

The patch for 3.2 is taken directly from here:
http://bugs.python.org/file24522/xmlrpc_loop-1.diff

The patch for 2.5, 2.6, 2.7, 3.1 is adapted from this patch:
http://bugs.python.org/file24513/xmlrpc_loop.diff

SimpleXMLRPCServer.py in 2.4 is too different and it is going to die
anyway so I didn't mess with it.


If no one objects, I can commit it. Please tell me what I should do.

--
Regards,
Ruslan

Tinderboxing kills... the drives.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Python upgrade to address vulnerability?

2012-02-15 Thread wen heping
2012/2/15 Ruslan Mahmatkhanov cvs-...@yandex.ru

 Doug Barton wrote on 15.02.2012 02:20:

 So apparently we have a python vulnerability according to
 http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
 but I'm not seeing an upgrade to address it yet. Any idea when that will
 happen?


 Thanks,

 Doug


 Patch is there:
 http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt


Had this patch been committed upstream? When I found it, it was in
review state.

And CVE-2012-0845 too.

wen






 Patch for 3.2 is taken there directly:
 http://bugs.python.org/file24522/xmlrpc_loop-1.diff

 Patch for 2.5, 2.6, 2.7, 3.1 is adopted from this patch:
 http://bugs.python.org/file24513/xmlrpc_loop.diff

 SimpleXMLRPCServer.py in 2.4 is too different and it is going to die
 anyway so I didn't mess with it.

 If no one objects, I can commit it. Please tell me what I should do.

 --
 Regards,
 Ruslan

 Tinderboxing kills... the drives.
 ___
 freebsd-pyt...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-python
 To unsubscribe, send any mail to
 freebsd-python-unsubscr...@freebsd.org
 

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Python upgrade to address vulnerability?

2012-02-15 Thread Ruslan Mahmatkhanov

wen heping wrote on 15.02.2012 14:16:

2012/2/15 Ruslan Mahmatkhanov cvs-...@yandex.ru


Doug Barton wrote on 15.02.2012 02:20:


So apparently we have a python vulnerability according to
http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html
,
but I'm not seeing an upgrade to address it yet. Any idea when that will
happen?


Thanks,

Doug



Patch is there:
http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt



Had this patch been committed upstream? When I found it, it was in
review state.

And CVE-2012-0845 too.

wen


Yes, it is not yet committed, but the comments look promising :). And I
can't reproduce this bug after patching, using the procedure described in
the bug report.


--
Regards,
Ruslan

Tinderboxing kills... the drives.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Python upgrade to address vulnerability?

2012-02-15 Thread wen heping
2012/2/15 Ruslan Mahmatkhanov cvs-...@yandex.ru

 wen heping wrote on 15.02.2012 14:16:

 2012/2/15 Ruslan Mahmatkhanov cvs-...@yandex.ru

  Doug Barton wrote on 15.02.2012 02:20:

  So apparently we have a python vulnerability according to
 http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html

 ,
 but I'm not seeing an upgrade to address it yet. Any idea when that will
 happen?


 Thanks,

 Doug


  Patch is there:
 http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt



 Had this patch been committed upstream? When I found it, it was in
 review state.

 And CVE-2012-0845 too.

 wen


 Yes, it is not yet committed, but the comments look promising :). And I
 can't reproduce this bug after patching, using the procedure described in the
 bug report.


Me too :)
I trust this patch too but I would like to wait some time.

wen





 --
 Regards,
 Ruslan

 Tinderboxing kills... the drives.

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Python upgrade to address vulnerability?

2012-02-14 Thread Doug Barton
So apparently we have a python vulnerability according to
http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
but I'm not seeing an upgrade to address it yet. Any idea when that will
happen?


Thanks,

Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


[joernc...@phenoelit.de: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability]

2012-01-30 Thread Jason Hellenthal

Please update this port.

- Forwarded message from joernchen of Phenoelit joernc...@phenoelit.de 
-

Date: Mon, 30 Jan 2012 14:56:26 +0100
From: joernchen of Phenoelit joernc...@phenoelit.de
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111224
Thunderbird/9.0.1

Hi,

FYI, see attached.

cheers,

joernchen
-- 
joernchen ~ Phenoelit
joernc...@phenoelit.de ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

Phenoelit Advisory wir-haben-auch-mal-was-gefunden #0815 +--++

[ Authors ]
joernchen   joernchen () phenoelit de

Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
2012-01-24 Send vulnerability details to sudo maintainer
2012-01-24 Maintainer is embarrassed
2012-01-27 Asking maintainer how the fixing goes
2012-01-27 Maintainer responds with a patch and a release date
   of 2012-01-30 for the patched sudo and advisory
2012-01-30 Release of this advisory

[ Description ]

Observe src/sudo.c:

void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}

Here getprogname() is argv[0] and thus user controlled. So
argv[0] goes into fmt2, which then gets vfprintf()ed to stderr. The
result is a format string vulnerability.

[ Example ]
/tmp $ ln -s /usr/bin/sudo %n
/tmp $ ./%n -D9
*** %n in writable segment detected ***
Aborted
/tmp $

   A note regarding exploitability: The above example shows the result
   of FORTIFY_SOURCE which makes exploitation painful but not
   impossible (see [0]). Without FORTIFY_SOURCE the exploit is
   straightforward:
 1. Use the format string to overwrite the setuid() call with setgid()
 2. Trigger with format string -D9
 3. Make use of SUDO_ASKPASS and have shellcode in the askpass script
 4. As askpass will be called after the format string has
overwritten setuid(), the askpass script will run with uid 0
 5. Enjoy the rootshell
 
[ Solution ]
Update to version 1.8.3p2

[ References ]
[0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


- End forwarded message -

-- 
;s =;
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
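The bug in the forwarded advisory is that argv[0] becomes part of the format string handed to vfprintf(). The C program below is an added example, not part of the advisory and not sudo's own code or fix: it contrasts that pattern with a version that keeps the program name out of the format, and adds a small check that counts conversion directives in a string that must never reach a format argument. It writes to buffers instead of stderr so the two outputs can be compared; the program name is the constructed value "sudo%%", which the vulnerable path interprets (collapsing it to a single "%") and the fixed path prints literally. The function names and the buffer-based signatures are assumptions for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (same shape as sudo_debug in the advisory): the program
 * name is spliced into the format string *before* the v*printf call, so any
 * %-directives in argv[0] are interpreted. Writes to a buffer for the demo. */
static int debug_vulnerable(char *out, size_t outlen, const char *progname,
                            const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int n;

    snprintf(fmt2, sizeof fmt2, "%s: %s\n", progname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt2, ap);  /* progname is now part of the format */
    va_end(ap);
    return n;
}

/* Hardened form: the program name is only ever an argument to a literal "%s"
 * format; only the caller's own fmt (a string literal in normal use) is
 * interpreted by vsnprintf. */
static int debug_fixed(char *out, size_t outlen, const char *progname,
                       const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outlen, "%s: ", progname);
    if (n < 0 || (size_t)n >= outlen)
        return n;
    va_start(ap, fmt);
    m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0)
        return m;
    n += m;
    if ((size_t)n + 1 < outlen) {   /* append the newline if it still fits */
        out[n++] = '\n';
        out[n] = '\0';
    }
    return n;
}

/* Count conversion directives in a string that must never reach a format
 * argument (e.g. argv[0]); "%%" is a literal percent and is not counted. */
static int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Constructed program name for the demo: harmless, but it shows the format
 * interpreter touching argv[0] ("%%" collapses to "%" on the vulnerable path). */
#define DEMO_PROGNAME "sudo%%"

static const char *vulnerable_demo(void)
{
    static char buf[128];
    debug_vulnerable(buf, sizeof buf, DEMO_PROGNAME, "user=%s", "root");
    return buf;   /* "sudo%: user=root\n" */
}

static const char *fixed_demo(void)
{
    static char buf[128];
    debug_fixed(buf, sizeof buf, DEMO_PROGNAME, "user=%s", "root");
    return buf;   /* "sudo%%: user=root\n" */
}

int main(void)
{
    printf("vulnerable: %s", vulnerable_demo());
    printf("fixed:      %s", fixed_demo());
    printf("directives in \"%%n\": %d\n", count_format_directives("%n"));
    return 0;
}
```

A real check against the advisory's trigger would use a name like "%n" rather than "sudo%%", but on the vulnerable path that is undefined behaviour (which is exactly the point), so the demo keeps to the well-defined case and leaves the directive counter to flag the dangerous input.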


Re: ports/155355: mail/mailman: XXS vulnerability affecting Mailman 2.1.14 and prior

2011-03-07 Thread Wesley Shields
I'm going to be traveling from 3/8 through 3/9. If anyone can get to
this before I return please feel free to commit as necessary.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: PHP52 vulnerability

2011-03-03 Thread Michael Scheidell
I question the vulnerability.  I don't think it applies.  The alert is 
from 2006, and there isn't a POC I have tested against php52-5.2.17 
with nulls in it that seems to trigger anything but 404 errors.
(please don't try on ours...  this is not a challenge. But if you have a 
POC, let me know and _I_ will try it)



so, php 5.3? big differences!  BIG.  look at /usr/ports/UPDATING to 
see.  php_ini needs changes also.


On 3/3/11 3:09 PM, Andrea Venturoli wrote:

Is there any news on the horizon?
Will a new version be released and/or the port updated?
Any possible patch?


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
*| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security,2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008

__
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
__  
___

freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: PHP52 vulnerability

2011-03-03 Thread Xin LI
Hi,

On Thu, Mar 3, 2011 at 12:09 PM, Andrea Venturoli m...@netfence.it wrote:
 Hello.

 As you probably know, it looks like php52 is vulnerable:

 Affected package: php52-5.2.17
 Type of problem: php -- NULL byte poisoning.
 Reference:
 http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html

 Is there any news on the horizon?

I think PHP developers haven't got that patched for 5.2.x (yet), as
the branch is considered to be obsolete.  We may have to patch the
port ourselves.

Note that the FreeBSD PHP port comes with Suhosin by default, which
_could_ have mitigated the attack (disclaimer: I'm not very confident
that this solves all problems, though, as it requires a more thorough
code review).

Cheers,
-- 
Xin LI delp...@delphij.net http://www.delphij.net
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-18 Thread Alexander Leidinger
Quoting Jan Henrik Sylvester m...@janh.de (from Mon, 14 Feb 2011  
10:35:05 +0100):


There is one more problem to solve:  
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html


That mail went unanswered (at least as far as the mailing list archive  
goes). Probably, the procedure above would have to be put into a  
shell script for a willing committer to repeat. Every time this  
vulnerability comes up at ports@ or emulation@, some committer asks  
for a (trusted) rpm to fix it. Thus, there might be one.


There was another person doing something similar too. I got a little  
step-by-step guide how he did it. Currently (after two months without  
time to have a look at it) I am downloading an F10 install image which  
I want to feed to virtualbox to compile a fixed pango version. If  
nothing urgent interferes, you can expect a commit in the not so  
distant future (maybe not today, maybe not tomorrow, but maybe next  
week).


For me, the real question is: Considering the age of Fedora 10 and  
the time it has not been supported anymore, it is likely that there  
are more vulnerabilities in our Linux-f10 framework that are not  
documented in our vulnerability database. Does fixing the pango  
vulnerability really make the Linux emulation safe? (Is it worth  
it?)


Good question. Feel free to have a look at the RPMs from  
linux_base-f10 and find out if there are unfixed vulnerabilities.


Bye,
Alexander.

--
Make it right before you make it faster.

http://www.Leidinger.netAlexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org   netchild @ FreeBSD.org  : PGP ID = 72077137
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-14 Thread Tom Uffner

Jan Henrik Sylvester wrote:


The easiest way would probably be:

- Take the src-rpm of the pango version in RHEL 5.
- Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
- Extract the src-rpm of pango-1.22.3 from Fedora 10.
- Apply the RHEL 5 patch with --ignore-whitespace.
- Diff for creating a patch that applies without --ignore-whitespace.
- Bump version number and repackage a src-rpm for Fedora 10 with the new
patch.
- Build it on a clean Fedora 10 system.

There is one more problem to solve:
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html

That mail went unanswered (at least as far as the mailing list archive
goes). Probably, the procedure above would have to be put into a shell
script for a willing committer to repeat. Every time this vulnerability
comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
to fix it. Thus, there might be one.


Peter Littmann's RPMs probably won't work for me since I'm looking for
9-current amd64.

would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
the pango project tarball) and the RHEL 5 patch solve this? I may not
have a Reputation, but I've been around since 4.1BSD and a search
of the tree and the PRs will turn up a few bugfixes that I've submitted.

tom
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-14 Thread Rob Farmer
On Mon, Feb 14, 2011 at 8:45 AM, Tom Uffner t...@uffner.com wrote:
 would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
 the pango project tarball) and the RHEL 5 patch solve this? I may not
 have a Reputation, but I've been around since 4.1BSD and a search
 of the tree and the PRs will turn up a few bugfixes that I've submitted.


It was said in the past that there is a Fedora 11 RPM (not from the
cd, but an update) that has the patch and works as a drop in
replacement.

-- 
Rob Farmer
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-14 Thread Luchesar V. ILIEV
On Mon, Feb 14, 2011 at 18:45, Tom Uffner t...@uffner.com wrote:
 Jan Henrik Sylvester wrote:

 The easiest way would probably be:

 - Take the src-rpm of the pango version in RHEL 5.
 - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
 - Extract the src-rpm of pango-1.22.3 from Fedora 10.
 - Apply the RHEL 5 patch with --ignore-whitespace.
 - Diff for creating a patch that applies without --ignore-whitespace.
 - Bump version number and repackage a src-rpm for Fedora 10 with the new
 patch.
 - Build it on a clean Fedora 10 system.

 There is one more problem to solve:

 http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html

 That mail went unanswered (at least as far as the mailing list archive
 goes). Probably, the procedure above would have to be put into a shell
 script for a willing committer to repeat. Every time this vulnerability
 comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
 to fix it. Thus, there might be one.

 Peter Littmann's RPMs probably won't work for me since i'm looking for
 9-current amd64.

 would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
 the pango project tarball) and the RHEL 5 patch solve this? I may not
 have a Reputation, but I've been around since 4.1BSD and a search
 of the tree and the PRs will turn up a few bugfixes that I've submitted.

 tom

Most likely you've already noticed my efforts in this matter, but let
me still mention them:

http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008285.html

http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008295.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008296.html

Sadly, I'm still struggling to find enough time to prepare for and
apply for ports committer (I'm afraid that while I might be known
around the academic security community and projects like the European
GÉANT, that's not the case with FreeBSD), but that's irrelevant now,
anyway. Of course, anyone who feels not particularly security
concerned could still use the patches for the ports tree provided in
the first mail (I do keep the relevant distfiles online).

The step-by-step description in the second set of mails could
hopefully be helpful for someone whom the community would trust to
build an RPM. I do realize it's way too detailed and long, so I was
indeed thinking about preparing a shorter version these days --
especially now that the Flash update brings the issue with linux-pango
again. Please let me know if I could be of help somehow.

Cheers,
Luchesar
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-13 Thread Tom Uffner

is there any point in trying to update linux-f10-pango to address this
vulnerability?

Affected package: linux-f10-pango-1.22.3_1
Type of problem: pango -- integer overflow.
Reference: 
http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html


I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
having known exploits on my system & not installing it breaks flashplugin
and acroread (among others).

I've never tried to create or modify a linux emulation port before; so I'm
wondering just how annoying & tedious it's going to be?

it looks like there are no Fedora 10 RPMs of pango  1.24 so it would
probably involve finding an F10 box and building one from source.

But would updating just Pango be possible? Or would it start the RPM Hell
avalanche and require me to re-roll all of my linux ports?

Is it time for a complete upgrade of our Linux ports to Fedora 14? or some
other distro that is easier to track & update?

tom
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: fixing the vulnerability in linux-f10-pango-1.22.3_1

2011-02-13 Thread Matthias Andree
Am 13.02.2011 22:53, schrieb Tom Uffner:
 is there any point in trying to update linux-f10-pango to address this
 vulnerability?
 
 Affected package: linux-f10-pango-1.22.3_1
 Type of problem: pango -- integer overflow.
 Reference:
 http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html
 
 I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
 having known exploits on my system & not installing it breaks flashplugin
 and acroread (among others).
 
 I've never tried to create or modify a linux emulation port before; so I'm
 wondering just how annoying & tedious it's going to be?
 
 it looks like there are no Fedora 10 RPMs of pango  1.24 so it would
 probably involve finding an F10 box and building one from source.

Fedora 10 hasn't been supported for over a year now (EOL Mid December
2009), chances are, however, that newer versions of the system can build
an RPM that would fit F10.

There are online build services (for instance by/for openSUSE, starts
with Fedora 12 however), if you find a release that is close enough in
other shared library versions, that might help.

Backporting just a security fix, if a reliable and reasonable patch
exists, might be an easier option because you can take F10's 1.22.3
*source* RPM, add the security patch, and rebuild (see below).

 But would updating just Pango be possible? Or would it start the RPM Hell
 avalanche and require me to re-roll all of my linux ports?

If you build an updated port of a compatible pango version on F10, that
would likely be painless *unless* the new pango version has changed
requirements; building on a newer Fedora release might warrant checking
dependencies though, with rpm -qp --requires or similar, and paying
attention to library versions.  Sometimes, it's possible to (un)define C
preprocessor macros to avoid newer features; I used to build bogofilter
RPMs for older glibc releases that way a couple of years ago, but
there's no guarantee this works, and it's a tedious read the source
Tom task.

 Is it time for a complete upgrade of our Linux ports to Fedora 14? or some
 other distro that is easier to track & update?

It would be time, but new distros always raise the question is the
kernel part of the linuxulator up to the job?  If [e]glibc or other
libraries require newer Linux kernel features not provided by the
FreeBSD linuxulator, that is a hard dependency to be fixed before.

Personally I'd prefer some other distro that is easier to track &
update, particularly something with long-term support by the respective
vendor, so candidates are CentOS (closer to Fedora, also RPM-based, lags
a bit behind but is more or less a free spin of Red Hat Enterprise
Linux), Ubuntu LTS (3 years for desktop stuff), or possibly Debian. The
latter two use .dpkg as the packaging format, which is apparently ar based.

I don't have the time to get involved here though, beyond answering an
occasional Linux question.

HTH

-- 
Matthias Andree
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


apr vulnerability

2010-10-28 Thread Andrea Venturoli

On one of the servers I manage, portaudit claims:
portaudit
Affected package: apr-0.9.19.0.9.19
Type of problem: apr -- multiple vulnerabilities.
Reference: 
http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html


Following the above links, I find that apr1.3.5.1.3.7 is involved.



I see on Freshports that apr was updated on 2010/10/20 to address a 
security risk: the link is:

http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html

There, however, it says apr00.9.19.0.9.19 is involved.



So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have) 
vulnerable or not?




 bye  Thanks
av.


Re: apr vulnerability

2010-10-28 Thread Philip M. Gollucci

On 10/28/10 07:29, Andrea Venturoli wrote:
 On one of the servers I manage, portaudit claims:
 portaudit
 Affected package: apr-0.9.19.0.9.19
 Type of problem: apr -- multiple vulnerabilities.
 Reference:
 http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html
 
 Following the above links, I find that apr1.3.5.1.3.7 is involved.
 
 
 
 I see on Freshports that apr was updated on 2010/10/20 to address a
 security risk: the link is:
 http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
 
 There, however, it says apr00.9.19.0.9.19 is involved.
 
 
 
 So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have)
 vulnerable or not?
apr has 3 tracks:

devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
devel/apr1 - apr1: ga: apr/1.3.5,  apr-util/1.3.7
devel/apr2 - apr2: devel   not released yet

neither devel/apr0 nor devel/apr1 is vulnerable.
devel/apr2 needs to be updated to a newer snapshot.

To fix your error, the PKGNAME for devel/apr0 needs to be updated to
match the security/vuxml entry.

I should be able to get to that Friday during $work time.







-- 
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer,FreeBSD Foundation
Consultant,   P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
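The mismatch Philip describes, as an added illustration rather than portaudit's or vuxml's own code: matching is by package name first, so the legacy devel/apr0 port, which packages itself under the name "apr", is compared against the range written for the apr1 track, and renaming its PKGNAME to apr0 ends the match. The two version ranges are constructed stand-ins for the real vuxml entries, and versions are compared as dotted integers, a simplification of pkg_version(1) that is exact for the versions used here.

```python
"""Added illustration (not portaudit's or vuxml's own code) of why
portaudit flagged apr-0.9.19.0.9.19 against an entry written for apr1.

Assumptions: the two ranges below are constructed stand-ins for the real
vuxml entries; versions are compared as dotted integers, a simplification
of pkg_version(1) that is exact for the versions used here.
"""


def split_pkgname(pkgname: str) -> tuple[str, str]:
    """Split 'apr-0.9.19.0.9.19' into ('apr', '0.9.19.0.9.19').

    The version is everything after the last '-', as in the ports tree,
    so a name such as 'apr0' or 'apr-util' is kept intact.
    """
    name, sep, version = pkgname.rpartition("-")
    if not sep or not name or not version:
        raise ValueError(f"not a PKGNAME: {pkgname!r}")
    return name, version


def version_key(version: str) -> tuple[int, ...]:
    """Comparable key for a dotted version; drops ',epoch' and '_revision'."""
    core = version.split(",")[0].split("_")[0]
    return tuple(int(part) for part in core.split("."))


def matches_entry(pkgname: str, entry: dict) -> bool:
    """True when the installed package lies in the entry's affected range.

    entry = {"name": <package name>, "lt": <first fixed version>,
             optional "ge": <first affected version>}.
    """
    name, version = split_pkgname(pkgname)
    if name != entry["name"]:
        return False            # apr0 vs apr: a different entry applies
    key = version_key(version)
    if "ge" in entry and key < version_key(entry["ge"]):
        return False
    if "lt" in entry and not key < version_key(entry["lt"]):
        return False
    return True


# Constructed stand-ins for the two vuxml entries the thread refers to.
APR1_ENTRY = {"name": "apr", "lt": "1.3.5.1.3.7"}     # apr1 track entry
APR0_ENTRY = {"name": "apr0", "lt": "0.9.19.0.9.19"}  # apr0 track entry
ENTRIES = [APR1_ENTRY, APR0_ENTRY]


def audit(installed: list[str], entries: list[dict] = ENTRIES) -> dict[str, list[str]]:
    """portaudit-style report: PKGNAME -> names of the entries it matches."""
    report: dict[str, list[str]] = {}
    for pkg in installed:
        hits = [e["name"] for e in entries if matches_entry(pkg, e)]
        if hits:
            report[pkg] = hits
    return report


if __name__ == "__main__":
    # The legacy package named "apr" is flagged by the apr1 entry; the same
    # version under the apr0 name is not, since it already meets the apr0 fix.
    print(audit(["apr-0.9.19.0.9.19", "apr0-0.9.19.0.9.19", "apr-1.3.5.1.3.7"]))
```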


Re: linux-f10-pango security vulnerability

2010-02-09 Thread Peter Jeremy
On 2010-Feb-08 18:05:43 -0800, Paul Pathiakis pathia...@yahoo.com wrote:
/usr/ports/x11-toolkits/linux-f10-pango still has a security
vulnerability and means that no one can build the linux port to
install linux-f10-flashplugin.  Not good.  Please fix asap.

FreeBSD is maintained by volunteers.  That sort of attitude will just
annoy people.  Feel free to fix it yourself.

-- 
Peter Jeremy

PS: Politely asking the port maintainer might get you somewhere.




Re: linux-f10-pango security vulnerability

2010-02-09 Thread Paul Pathiakis
Sorry if there seemed to be any attitude.  There wasn't.  It was just that it 
seemed like something had slipped through the cracks.  Also, I've watched BSD 
and derivatives since 1984; I'm fully aware of FreeBSD's volunteer support.  
Also, notice it was posted with a please and asap, not ASAP.  If I had the 
time, I would fix it myself.  Heck, if I could work on FreeBSD and support a 
decent lifestyle, I'd work on getting it to where its interface could be much 
better, so that a junior or intermediate system administrator would better 
understand it, and there would probably be a larger following than for the 
haphazard junk that is the Linux kernel. The Linux kernel is larger than the 
entire FreeBSD OS with kernel and userland.  Bloat much?

Personally, FreeBSD is a vastly superior OS to many commercial and all free 
OSes.  (I'm still holding back on my decision about MacOSX and OpenSolaris 
-- making huge strides in tech again.)  Also, the information flow between 
SUN/Solaris and BSD is better than it's been in years (since the times of 
NFS/NIS and RPCs) with the advent of ZFS and DTrace and VirtualBox.  Also, 
Apple and DarwinOS make me cheer for the desktop invasion of BSD.  I still look 
back at all the doom and gloom about FreeBSD's death 5 years ago, and now it's 
stronger than ever.  It's like the bionic OS: "Gentlemen, we have the 
technology... we can make it better... stronger... faster... smaller in 
footprint."  (OK, so the 1984 reference and the 6 million dollar man reference 
show my age. :-) )

Take no offense, FreeBSD people.  I'm a 2.1 to 8.x user.  I have all my 
subscription CDs in my home server room.  I'm closing on my 25th year as a 
System Administrator/Consultant/Contractor/Architect... UNIX and networking 
with a Comp. Sci degree.  I worked with BSD 4.2, 4.3, 4.3-Tahoe, 4.3-Reno, etc.

Awaiting HAST at this point.  Already have ZFS (gpt with zfsboot - no ufs) and 
FreeBSD 8.0 at home.

BTW, someone should port OpenNMS to FreeBSD.  It is, by far, vastly superior to 
all of the other monitoring tools:  Nagios, Ganglia, mrtg, etc.  It is 
enterprise class.

Ending my rant

Paul





From: Peter Jeremy peterjer...@acm.org
To: Paul Pathiakis pathia...@yahoo.com
Cc: po...@freebsd.org
Sent: Tue, February 9, 2010 2:56:33 PM
Subject: Re: linux-f10-pango security vulnerability

On 2010-Feb-08 18:05:43 -0800, Paul Pathiakis pathia...@yahoo.com wrote:
/usr/ports/x11-toolkits/linux-f10-pango still has a security
vulnerability and means that no one can build the linux port to
install linux-f10-flashplugin.  Not good.  Please fix asap.

FreeBSD is maintained by volunteers.  That sort of attitude will just
annoy people.  Feel free to fix it yourself.

-- 
Peter Jeremy

PS: Politely asking the port maintainer might get you somewhere.



  


linux-f10-pango security vulnerability

2010-02-08 Thread Paul Pathiakis
Hi,

/usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and 
means that no one can build the linux port to install linux-f10-flashplugin.  
Not good.  Please fix asap.

Thank you!

Paul Pathiakis



  


Re: linux-f10-pango security vulnerability

2010-02-08 Thread jhell




On Mon, 8 Feb 2010 21:05, pathiaki2@ wrote:

Hi,

/usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and 
means that no one can build the linux port to install linux-f10-flashplugin.  
Not good.  Please fix asap.

Thank you!

Paul Pathiakis



make -DDISABLE_VULNERABILITIES=yes install clean

or add DISABLE_VULNERABILITIES=yes to your make.conf and comment it out 
when you're finished. This has been known for a long time.


-- 


 jhell



Re: linux-f10-pango security vulnerability

2010-02-08 Thread jhell


On Tue, 9 Feb 2010 01:00, jhell@ wrote:


On Mon, 8 Feb 2010 21:05, pathiaki2@ wrote:

Hi,

/usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability 
and means that no one can build the linux port to install 
linux-f10-flashplugin.  Not good.  Please fix asap.


Thank you!

Paul Pathiakis



make -DDISABLE_VULNERABILITIES=yes install clean

or add DISABLE_VULNERABILITIES=yes to your make.conf and comment it out
when you're finished. This has been known for a long time.

--

jhell



I should have mentioned that this also only takes effect when 
ports-mgmt/portaudit is installed. If it is not installed then no port 
being installed will stop and warn of security implications.


Make sure to include Maintainer in the CC.

Best regards.

--

 jhell



Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-19 Thread miwi
Synopsis: lang/php5: PHP session.save_path vulnerability

Responsible-Changed-From-To: freebsd-ports-ale
Responsible-Changed-By: miwi
Responsible-Changed-When: Sat Sep 19 18:35:31 UTC 2009
Responsible-Changed-Why: 
over to php maintainer

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-13 Thread Maciej Andziński
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Maciej =?ISO-8859-2?Q?Andzi=F1ski?= andzi...@volt.iem.pw.edu.pl
To: Miroslav Lachman 000.f...@quip.cz
Cc: bug-follo...@freebsd.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Sun, 13 Sep 2009 18:38:44 +0200

 I am a Linux user, so maybe you could recommend a better location in FreeBSD than 
/var/lib/php5? I am also thinking about where to add the mkdir command; is there any 
special place in the makefile? What do you think?


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-10 Thread remko
Old Synopsis: PHP session.save_path vulnerability
New Synopsis: lang/php5: PHP session.save_path vulnerability

Responsible-Changed-From-To: freebsd-www-freebsd-ports
Responsible-Changed-By: remko
Responsible-Changed-When: Thu Sep 10 10:24:18 UTC 2009
Responsible-Changed-Why: 
reassign to ports team; this has nothing to do with the webmasters queue

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-10 Thread Miroslav Lachman
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman 000.f...@quip.cz
To: bug-follo...@freebsd.org,  andzi...@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200

 I don't know what you are trying to solve.
 
 If PHP runs under user www (Apache), it can still read the content of 
 the directory.
 If you want to disallow access to sessions of different domains 
 (VirtualHosts), you can do it by using different session.save_path for 
 each domain.
 
 In context of VirtualHost for www.domain1.tld:
  php_admin_value session.save_path /web/www.domain1.tld/tmp
 
 
 In context of VirtualHost for www.domain2.tld:
  php_admin_value session.save_path /web/www.domain2.tld/tmp


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-10 Thread Maciej Andzinski
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Maciej Andzinski andzi...@volt.iem.pw.edu.pl
To: Miroslav Lachman 000.f...@quip.cz
Cc: bug-follo...@freebsd.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:58:42 +0200 (CEST)

 The problem is in permissions and that is what I suggest to fix. But you 
 are right, I've made a mistake - the owner of /var/lib/php5 should be 
 root, not www.
 
 I suggest changing permissions to 01733 (rwx-wx-wt), it can prevent 
 session numbers leaking.
 
 Is it clear now?
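The hardening proposed in this thread (root-owned session directory, mode 01733), as an added audit example that is not from the PR or the lang/php5 port: PHP names each session file after the session ID, so any local user or another VirtualHost's script that can list the directory learns live IDs; 01733 gives the PHP user write and search (create files) but no read (no listing), and the sticky bit stops other users unlinking or renaming files they do not own. It assumes the PHP user (www) is not in the directory's group, so only the owner and "other" bits are considered.

```python
"""Added example (not from PR ports/138698 or the lang/php5 port): audit a
shared PHP session directory against the hardening proposed in the thread.

Assumption: the PHP user is not in the directory's group, so only the
owner and "other" permission bits are considered.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DirState:
    path: str
    mode: int              # permission bits including sticky, e.g. 0o1733
    owner: str
    php_user: str = "www"  # user Apache/PHP runs as on FreeBSD


def symbolic(mode: int) -> str:
    """Render permission bits the way the PR does: 0o1733 -> 'rwx-wx-wt'."""
    return stat.filemode(stat.S_IFDIR | stat.S_IMODE(mode))[1:]


def php_access(d: DirState) -> tuple[bool, bool, bool]:
    """(read, write, search) the PHP user gets on the directory."""
    perm = stat.S_IMODE(d.mode)
    if d.owner == d.php_user:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    r, w, x = (bool(perm & b) for b in bits)
    return r, w, x


def session_dir_findings(d: DirState) -> list[str]:
    """Return hardening problems; an empty list means the layout is as proposed."""
    perm = stat.S_IMODE(d.mode)
    findings: list[str] = []
    # Listing the directory reveals session IDs (sess_<id> file names).
    if perm & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{d.path} is listable by non-owners ({symbolic(perm)}): "
                        "session IDs leak through file names")
    # PHP must still be able to create files: write + search on the directory.
    _, can_write, can_search = php_access(d)
    if not (can_write and can_search):
        findings.append(f"{d.php_user} cannot create session files in {d.path}")
    # Sticky bit: only a file's owner (or root) may unlink or rename it.
    if not perm & stat.S_ISVTX:
        findings.append(f"{d.path} lacks the sticky bit: other users can unlink "
                        "or rename session files they do not own")
    # The PR's corrected owner is root; if www owns it, a compromised PHP
    # script can simply chmod the directory readable again.
    if d.owner == d.php_user:
        findings.append(f"{d.path} is owned by {d.php_user}: a compromised script "
                        "can chmod it and make it listable again")
    return findings


if __name__ == "__main__":
    for state in (DirState("/var/lib/php5", 0o1733, "root"),   # as proposed
                  DirState("/var/lib/php5", 0o1733, "www"),    # first draft of the PR
                  DirState("/tmp", 0o1777, "root")):           # PHP's default save_path
        print(state.path, symbolic(state.mode), session_dir_findings(state) or "ok")
```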


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-10 Thread Miroslav Lachman
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman 000.f...@quip.cz
To: bug-follo...@freebsd.org,  andzi...@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

 Yes, it is clear now and with owner root, it works.
 
 I propose to make this optional, as somebody has /tmp optimized for 
 better speed (another disk device, flash device, RAM disk etc.) but not 
 /var/lib/php5.
 And FreeBSD doesn't have /var/lib by default. /var/lib/* is mostly used 
 by some Linux distributions. I am not sure if it is the right place to 
 put these files, according to hier(7).
 The next thing to think about is that /tmp is (or easily can be) cleared at 
 system startup, but /var/*/* is not.
 If we make a change in the default php.ini, it affects more than just 
 moving files to another place, so things need to be done carefully.
 
 Maybe leave the default as is and put these hardening steps in comments 
 in php.ini; then anybody can make their own decision.


Re: ports/138698: lang/php5: PHP session.save_path vulnerability

2009-09-10 Thread piotr . smyrak
On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote
 The following reply was made to PR ports/138698; it has 
 been noted by GNATS.
 
 From: Miroslav Lachman 000.f...@quip.cz
 To: bug-follo...@freebsd.org,  andzi...@volt.iem.pw.edu.pl
 Cc:  
 Subject: Re: ports/138698: lang/php5: PHP 
 session.save_path vulnerability
 Date: Thu, 10 Sep 2009 20:49:14 +0200
 
  Yes, it is clear now and with owner root, it works.
 
   I propose to make this optional, as somebody has /tmp 
  optimized for  better speed (another disk device, flash 
  device, RAM disk etc.) but not  /var/lib/php5. And FreeBSD 
  doesn't have /var/lib by default. /var/lib/* is mostly 
  used  by some Linux distributions. I am not sure if it is 
  the right place to  put these files, according to 
  hier(7). The next thing to think about is that /tmp is (or 
  easily can be) cleared at  system startup, but /var/*/* 
  is not. If we make a change in the default php.ini, it affects 
  more than just  moving files to another place, so 
  things need to be done carefully.
  
   Maybe leave the default as is and put these hardening 
  steps in comments  in php.ini; then anybody can make their own decision.

UPDATING msg would be in place, too IMO.

-- 
 Piotr Smyrak
 piotr.smy...@heron.pl



ffmpeg vulnerability

2009-02-12 Thread Mark Foster

(Resending, I did not see it posted earlier)
ffmpeg has 3 announced vulnerabilities in this past month.
Here is the latest...
09.6.23 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg libavformat/4xm.c Remote Code Execution
Description: FFmpeg is an application used to record, convert, and
stream audio and video. The application is exposed to a remote code
execution issue because it fails to adequately validate user-supplied
input. This issue occurs in the libavformat/4xm.c source file, and
occurs because of a NULL pointer dereference error. FFmpeg trunk
revision versions prior to 16846 are vulnerable.
Ref: http://www.trapkit.de/advisories/TKADV2009-004.txt 


Normally I would submit a vuxml entry, but I am not sure how to indicate the 
proper fixed version since the port uses 2008.07.07_7 while the fixed 
version is revision 16846.


--
Realization #2031: That the meaning of life is now just another Google search.
Mark D. Foster m...@foster.cc  
http://mark.foster.cc/ | http://conshell.net/




Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Dennis Yusupoff
Hello, Doug.

I hope you've already seen the patch for BINDx that closes a critical
vulnerability.
Could you register it in your FreeBSD-port(s)?

http://www.isc.org/index.pl?/sw/bind/index.php
===
Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5  Wed Apr 27 04:56:21 2005
+++ inet_network.c  Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
}
if (!digit)
return (INADDR_NONE);
+   if (pp = parts + 4 || val  0xffU)
+   return (INADDR_NONE);
if (*cp == '.') {
-   if (pp = parts + 4 || val  0xffU)
-   return (INADDR_NONE);
*pp++ = val, cp++;
goto again;
}
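Review bot: the condition in the added lines reads `if (pp = parts + 4 || val  0xffU)` in this copy, which assigns to pp instead of comparing it and has no operator at all before 0xffU; the removed lines show the same damage, so the relational operators were lost in transit (mail or HTML extraction) and the hunk as pasted cannot compile, let alone apply. Re-paste it from ISC's original before anyone tries to carry it into the port. On the substance the hunk does show: hoisting the bounds check out of the `if (*cp == '.')` branch means the final component (the one not followed by a '.') is now range-checked too, where previously only components followed by another '.' were.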
===

---
With best regards,
sysadmin of Ozerki.Net
Dennis Yusupoff



Re: Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Doug Barton

Dennis Yusupoff wrote:

Hello, Doug.

I hope you've already seen the patch for BINDx that closes a critical
vulnerability.
Could you register it in your FreeBSD-port(s)?


That change is included in the versions of BIND already in the ports.

Doug


--

This .signature sanitized for your protection



Re: Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Doug Barton

Xin LI wrote:


This is for BIND8...


Yeah, that too. :) No one should be running BIND 8 BTW, just in case 
that news has escaped your notice.


Doug

--

This .signature sanitized for your protection



Re: Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Xin LI


Doug Barton wrote:
| Dennis Yusupoff wrote:
| Hello, Doug.
|
| I hope you've already seen the patch for BINDx that closes a critical
| vulnerability.
| Could you register it in your FreeBSD-port(s)?
|
| That change is included in the versions of BIND already in the ports.

Any plan to update them to corresponding -P1 versions? :)

Cheers,
--
Xin LI [EMAIL PROTECTED]http://www.delphij.net/
FreeBSD - The Power to Serve!


Re[2]: Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Dennis Yusupoff
Good day, Doug!

DB Dennis Yusupoff wrote:
 Hello, Doug.
 
 I hope you've already seen the patch for BINDx that closes a critical
 vulnerability.
 Could you register it in your FreeBSD-port(s)?

DB That change is included in the versions of BIND already in the ports.

DB This is for BIND8...

Oh...
I'm sorry.
I'm feeling like an idiot. %-)
I mean this one: http://www.isc.org/sw/bind/forgery-resilience.php
What will you say?

  
Best regards, 
   D. R. Yusupov  
-- TheBat! 4.0.24 
Written 09.07.2008 at 22:52 in reply to the message of 09.07.2008 22:25



Re: Critical vulnerability patch need in BINDx ports

2008-07-09 Thread Doug Barton

Xin LI wrote:

Doug Barton wrote:
| Dennis Yusupoff wrote:
| Hello, Doug.
|
| I hope you've already seen the patch for BINDx that closes a critical
| vulnerability.
| Could you register it in your FreeBSD-port(s)?
|
| That change is included in the versions of BIND already in the ports.

Any plan to update them to corresponding -P1 versions? :)


No, I really don't care about security vulnerabilities. Running secure 
systems is highly overrated.


Doug

--

This .signature sanitized for your protection



Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.

2006-08-04 Thread IOnut
On Wed, 2 Aug 2006 13:46:04 +0330
Babak Farrokhi [EMAIL PROTECTED] wrote:

 Hi,
 
 Awstats-devel (which has solved this security issue) is in GNATS
 waiting for submission (PR ports/100162).

If nothing bad happens once again, I plan to dedicate all the upcoming
weekend to committing the PRs I am responsible for.


Sorry for the long time :(

-- 
IOnut - Un^d^dregistered ;) FreeBSD user
  Intellectual Property is   nowhere near as valuable   as Intellect

Ferengi Rule of Acquisition #3:
 Never pay more for an acquisition than you have to.
-- ST:DS9, The Maquis, Part II






awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.

2006-08-02 Thread chevy

mail# pwd
/usr/ports/www/awstats
mail# make fetch
===  awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
*** Error code 1

Stop in /usr/ports/www/awstats.
please fix !! thank you !

--
Regards.

Chevy


RE: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.

2006-08-02 Thread Babak Farrokhi
Hi,

Awstats-devel (which has solved this security issue) is in GNATS waiting for
submission (PR ports/100162).

-- Babak Farrokhi

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Stanislav Sedov
 Sent: Wednesday, August 02, 2006 12:57 PM
 To: freebsd-ports@freebsd.org
 Subject: Re: awstats-6.5_1,1 is forbidden: Command Injection
 Vulnerability.
 
 On Wed, 2 Aug 2006 17:17:16 +0800
 chevy [EMAIL PROTECTED] mentioned:
 
  mail# pwd
  /usr/ports/www/awstats
  mail# make fetch
  ===  awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
  *** Error code 1
 
  Stop in /usr/ports/www/awstats.
  please fix !! thank you !
 
 
 You should wait for the vendor's fix or contact the port maintainer - the fix might
 already be here.
 
 Alternately you can comment out the FORBIDDEN line in the port's Makefile
 and install the port anyway if you understand what you are doing.
 
 --
 Stanislav Sedov MBSD labs, Inc. [EMAIL PROTECTED]
 Russia, Moscow http://mbsd.msk.ru
 
 
 If the facts don't fit the theory, change the facts.  -- A. Einstein
 
 PGP fingerprint:  F21E D6CC 5626 9609 6CE2  A385 2BF5 5993 EB26 9581



Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.

2006-08-02 Thread chevy

Thank you very much,

thanks for Stanislav.


On 8/2/06, Babak Farrokhi [EMAIL PROTECTED] wrote:


Hi,

Awstats-devel (which has solved this security issue) is in GNATS waiting
for
submission (PR ports/100162).

-- Babak Farrokhi

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Stanislav Sedov
 Sent: Wednesday, August 02, 2006 12:57 PM
 To: freebsd-ports@freebsd.org
 Subject: Re: awstats-6.5_1,1 is forbidden: Command Injection
 Vulnerability.

 On Wed, 2 Aug 2006 17:17:16 +0800
 chevy [EMAIL PROTECTED] mentioned:

  mail# pwd
  /usr/ports/www/awstats
  mail# make fetch
  ===  awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
  *** Error code 1
 
  Stop in /usr/ports/www/awstats.
  please fix !! thank you !
 

 You should wait for the vendor's fix or contact the port maintainer - the fix might
 already be here.

 Alternately you can comment out the FORBIDDEN line in the port's Makefile
 and install the port anyway if you understand what you are doing.

 --
 Stanislav Sedov MBSD labs, Inc. [EMAIL PROTECTED]
 Russia, Moscow http://mbsd.msk.ru

 
 If the facts don't fit the theory, change the facts.  -- A. Einstein
 
 PGP fingerprint:  F21E D6CC 5626 9609 6CE2  A385 2BF5 5993 EB26 9581






--
Regards.

Chevy

Re: Ruby vulnerability?

2006-07-30 Thread Sergey Matveychuk
Sergey Matveychuk wrote:
 Good. There are three patches there.
 I'll test if they fix the vulnerabilities.
 

FYI: the fixes were committed.

-- 
Dixi.
Sem.


Re: Ruby vulnerability?

2006-07-30 Thread Remko Lodder

Sergey Matveychuk wrote:

Sergey Matveychuk wrote:

Good. There are three patches there.
I'll test if they fix the vulnerabilities.



FYI: the fixes were committed.



Thanks a lot for the work Sergey!

--
Kind regards,

 Remko Lodder   ** [EMAIL PROTECTED]
 FreeBSD** [EMAIL PROTECTED]

 /* Quis custodiet ipsos custodes */


Re: Ruby vulnerability?

2006-07-30 Thread Randy Pratt
On Sun, 30 Jul 2006 17:47:33 +0200
Frank Steinborn [EMAIL PROTECTED] wrote:

 Shaun Amott wrote:
  On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
   
   FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
   far it doesn't appear in the VuXML, but am I correct in presuming it will
   soon?
   
  
  I've added it; thanks for the report.
 
 Hmm, I saw the flaw with portaudit -Fda yesterday; however, today
 my ruby isn't shown as vulnerable anymore. Why?

I show it as a vulnerability here.  It could be that you may have
gotten your last update from a server that hasn't caught up yet.

Try running it again and see if that helps.

Randy

-- 


Re: Ruby vulnerability?

2006-07-30 Thread Simon L. Nielsen
On 2006.07.30 17:47:33 +0200, Frank Steinborn wrote:
 Shaun Amott wrote:
  On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
   
   FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
   far it doesn't appear in the VuXML, but am I correct in presuming it will
   soon?
   
  
  I've added it; thanks for the report.
 
 Hmm, I saw the flaw with portaudit -Fda yesterday; however, today
 my ruby isn't shown as vulnerable anymore. Why?

The database was broken for a bit due to an invalid entry, try again
now.

-- 
Simon L. Nielsen


Re: Ruby vulnerability?

2006-07-29 Thread 植田 裕之
Dear Sirs,


 CVE report is very unpleasant: Multiple unspecified vulnerabilities.
 Secunia has more professional report.
 
 RedHat is only vendor who released updates, but they are binary. So,
 there is no known fix now.

The following information may help you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (Ruby's creator) has not mentioned this yet. And he has said
that he does not intend to release a patch for the vulnerabilities.

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows.

At present, a patch for these vulnerabilities is not ready
because the problems occur only with $SAFE=4. So the
vulnerabilities will be serious only when all the following
conditions are satisfied.

* You use a $SAFE=4 sandbox
* You run untrusted code


 I hope ruby team will release 1.8.5 ASAP.

On 18th July, Ruby 1.8.5 preview2 was released, and the release date of 1.8.5
will be near the middle of August if they stay on schedule.


Best regards.

-
UEDA Hiroyuki [EMAIL PROTECTED]
