Incoherence in libidn2 vulnerability
# pkg audit
libidn2-2.2.0 is vulnerable:
libidn2 -- roundtrip check vulnerability
CVE: CVE-2019-12290
WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html

Opening the link, I find: "GNU libidn2 *before* 2.2.0 fails..."

Which is right? Is 2.2.0 affected or not?

bye & Thanks
av.

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: [Bug 233475] www/gitea: Update to 1.6.0 (Fixes security vulnerability)
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233475
>
> Bernhard Froehlich changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|New                         |Closed
>          Resolution|---                         |FIXED
>
> --- Comment #4 from Bernhard Froehlich ---
> The mentioned security issues do not have any CVE numbers assigned so we
> normally do not document those in our vuxml. Since there was no patch for the
> port itself to bring it to 1.6.0 I did the update myself and did some light
> runtime testing which seemed fine.

Thanks! I must have accidentally replaced the gate patch with the vuxml patch.

And regarding vuxml: other committers feel quite strongly about adding entries
for project-reported vulnerabilities/fixes. I'm happy to do it either way, but
it would be great if there was consensus on what should be documented that way
and what shouldn't.

Cheers,
Stefan

--
Stefan Bethke   Fon +49 151 14070811
Re: net-p2p/transmission-daemon vulnerability
Please excuse the earlier blank mail; Android Gmail being moronic again :(

Hello all,

I've just been alerted to an issue with transmission, but only the daemon.

Basically, you can fool it into believing that a remote host is localhost, and
can therefore break into it.

This is an issue if all of the following are true:

- Port 9091 is accessible from the Internet (or you don't trust your LAN)
- You have no password set
- You rely on host authentication for security

Unless I'm misunderstanding the issue, you can resolve it by setting a password.

There is a patch at [1] that fixes this, but annoyingly they have messed with
whitespace since 2.92, and the patch doesn't apply. I expect a release very soon
incorporating this fix anyway. It also appears to break on all but Mac OS.

tl;dr set a password for transmission-daemon

Chris

[1] https://github.com/transmission/transmission/pull/468

On 11 January 2018 21:15:26 GMT+00:00, "Janky Jay, III" wrote:
> Uhh... Chris? :)
>
> On 01/11/2018 02:08 PM, Chris Rees wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
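The three conditions Chris lists can be checked mechanically against a daemon's settings.json. The script below is an added example, not transmission's code and not from the thread; the key names (rpc-enabled, rpc-port, rpc-bind-address, rpc-authentication-required, rpc-username, rpc-password, rpc-whitelist-enabled, rpc-whitelist) are assumed from transmission's documented settings.json keys, and both configuration fragments are constructed for illustration.

```python
"""Audit a transmission-daemon settings.json for the three conditions in the thread.

Added example; not transmission's code and not from the mailing list. The
setting names are assumed from transmission's documented settings.json keys;
both fragments below are constructed.
"""
import json

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: the exposed configuration the thread warns about: RPC on all
# interfaces, no password, access controlled only by the IP whitelist.
WEAK_SETTINGS = json.dumps({
    "rpc-enabled": True,
    "rpc-port": 9091,
    "rpc-bind-address": "0.0.0.0",
    "rpc-authentication-required": False,
    "rpc-whitelist-enabled": True,
    "rpc-whitelist": "127.0.0.1",
})

# Constructed: the same daemon after the thread's advice (set a password),
# plus binding the RPC port to loopback. The password is a placeholder.
HARDENED_SETTINGS = json.dumps({
    "rpc-enabled": True,
    "rpc-port": 9091,
    "rpc-bind-address": "127.0.0.1",
    "rpc-authentication-required": True,
    "rpc-username": "transmission",
    "rpc-password": "CHANGE-ME-placeholder",
    "rpc-whitelist-enabled": True,
    "rpc-whitelist": "127.0.0.1",
})


def audit_rpc_settings(settings_text):
    """Return the list of risk conditions from the thread that hold here."""
    s = json.loads(settings_text)
    findings = []
    if not s.get("rpc-enabled", False):
        return findings  # RPC disabled: nothing is listening on 9091
    bind = s.get("rpc-bind-address", "0.0.0.0")
    auth = s.get("rpc-authentication-required", False)
    whitelist_on = s.get("rpc-whitelist-enabled", True)
    if bind not in LOOPBACK:
        findings.append("rpc-bind-address %s: port %d reachable from beyond this host"
                        % (bind, s.get("rpc-port", 9091)))
    if not auth:
        findings.append("rpc-authentication-required is false: no password set")
    if whitelist_on and not auth:
        findings.append("rpc-whitelist is the only access control (host-based authentication)")
    return findings


def matches_thread_conditions(settings_text):
    """True when all three of the thread's conditions hold at once."""
    return len(audit_rpc_settings(settings_text)) == 3


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, "->", audit_rpc_settings(text) or "no findings")
```

Run it against a copy of the daemon's settings.json (read the file into `audit_rpc_settings`); an empty result means none of the three conditions holds, which is what "set a password" achieves even when the port stays reachable.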
net-p2p/transmission-daemon vulnerability
Re: Vulnerability
On 30-6-2017 at 18:23, Carlos Jacobo Puga Medina wrote:
> I have submitted a patch to update libgcrypt to 1.7.8 (still pending for an
> exp-run)
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382
>
> You can grab the patch, apply and build the port.

Thanks Carlos, appreciate your support.

./Jos
Re: Vulnerability
Hi,

> Sent: Friday, 30 June 2017 at 18:04
> From: "Jos Chrispijn" <bsdpo...@cloudzeeland.nl>
> To: "FreeBSD Ports ML" <freebsd-ports@freebsd.org>, c...@freebsd.org
> Subject: Vulnerability
>
> Dear port maintainer,
>
> Just to let you know that I ran into the following vulnerability report:
>
> libgcrypt-1.7.7 is vulnerable:
> libgcrypt -- side-channel attack on RSA secret keys
> CVE: CVE-2017-7526
> WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html
>
> Could you send out a port update? Thanks in advance!

I have submitted a patch to update libgcrypt to 1.7.8 (still pending for an
exp-run)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382

You can grab the patch, apply and build the port.

> Keep up the good work,
> Jos Chrispijn
>
> Kind regards,

--
Carlos Jacobo Puga Medina <c...@gmx.es>
Re: Vulnerability
> On 30 Jun, 2017, at 10:04, Jos Chrispijn wrote:
>
> Dear port maintainer,
>
> Just to let you know that I ran into the following vulnerability report:
>
> libgcrypt-1.7.7 is vulnerable:
> libgcrypt -- side-channel attack on RSA secret keys
> CVE: CVE-2017-7526
> WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html
>
> Could you send out a port update? Thanks in advance!
>
> Keep up the good work,
> Jos Chrispijn

Hi Jos,

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220382

It's in the exp-run queue.

# Adam

--
Adam Weinberger
ad...@adamw.org
https://www.adamw.org
Vulnerability
Dear port maintainer,

Just to let you know that I ran into the following vulnerability report:

libgcrypt-1.7.7 is vulnerable:
libgcrypt -- side-channel attack on RSA secret keys
CVE: CVE-2017-7526
WWW: https://vuxml.FreeBSD.org/freebsd/ed3bf433-5d92-11e7-aa14-e8e0b747a45a.html

Could you send out a port update? Thanks in advance!

Keep up the good work,
Jos Chrispijn
Re: mariadb101-server vulnerability?
On 2016-08-08 12:02, Bernard Spil wrote:
> The CVEs mention MariaDB where applicable.
>
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows
> the MySQL release numbering and has also received updates so I added version
> checks there as well.
>
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
>
> Cheers, Bernard.

I'd like to thank everyone involved in getting this issue solved.

Thanks and regards,
Michael
Re: mariadb101-server vulnerability?
> On Aug 8, 2016, at 05:02, Bernard Spil <br...@freebsd.org> wrote:
>
>> On 2016-08-06 23:17, Mark Felder wrote:
>>> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> > Hi —
>>> >
>>> > Kubilay Kocak <ko...@freebsd.org> wrote:
>>> >
>>> >> Unfortunately you are yet one more example of a user that's been left in
>>> >> the lurch without information or recourse wondering (rightfully) how
>>> >> they can resolve or mitigate this vulnerability. Our apologies.
>>> >
>>> > While we are on that topic, I am wondering about that 14 days old warning,
>>> > as well:
>>> >
>>> > mariadb101-server-10.1.16 is vulnerable:
>>> > MySQL -- Multiple vulnerabilities
>>> > CVE: CVE-2016-3452
>>> > [long list of CVEs snipped]
>>> > CVE: CVE-2016-3477
>>> >
>>> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>> >
>>> > I really do not know how serious this report is. Every feedback is highly
>>> > appreciated.
>>>
>>> Hi Michael:
>>>
>>> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>>
>>> Your comment on that issue would be appreciated.
>>>
>>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>>> multiple vulnerable ports is:
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>>
>> From what I can see MariaDB hasn't released an update to address these
>> issues yet. I believe Oracle does not coordinate release of security
>> issues with third parties / forks. This has probably caught MariaDB off
>> guard and they're likely waiting for access to the relevant commits to
>> import the fixes.
>
> Hi Mark,
>
> The CVEs mention MariaDB where applicable.
>
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows
> the MySQL release numbering and has also received updates so I added version
> checks there as well.
>
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Thanks for keeping an eye on this!
Re: mariadb101-server vulnerability?
On 2016-08-06 23:17, Mark Felder wrote:
> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> Hi —
>>>
>>> Kubilay Kocak <ko...@freebsd.org> wrote:
>>>
>>>> Unfortunately you are yet one more example of a user that's been left in
>>>> the lurch without information or recourse wondering (rightfully) how
>>>> they can resolve or mitigate this vulnerability. Our apologies.
>>>
>>> While we are on that topic, I am wondering about that 14 days old warning,
>>> as well:
>>>
>>> mariadb101-server-10.1.16 is vulnerable:
>>> MySQL -- Multiple vulnerabilities
>>> CVE: CVE-2016-3452
>>> [long list of CVEs snipped]
>>> CVE: CVE-2016-3477
>>>
>>> https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>>
>>> I really do not know how serious this report is. Every feedback is highly
>>> appreciated.
>>
>> Hi Michael:
>>
>> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>
>> Your comment on that issue would be appreciated.
>>
>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>> multiple vulnerable ports is:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>
> From what I can see MariaDB hasn't released an update to address these
> issues yet. I believe Oracle does not coordinate release of security
> issues with third parties / forks. This has probably caught MariaDB off
> guard and they're likely waiting for access to the relevant commits to
> import the fixes.

Hi Mark,

The CVEs mention MariaDB where applicable.

Added versions where these vulns were fixed for MariaDB. PerconaDB follows
the MySQL release numbering and has also received updates so I added version
checks there as well.

See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Cheers, Bernard.
Re: mariadb101-server vulnerability?
On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
> On 6/08/2016 7:23 AM, Michael Grimm wrote:
> > Hi —
> >
> > Kubilay Kocak <ko...@freebsd.org> wrote:
> >
> >> Unfortunately you are yet one more example of a user that's been left in
> >> the lurch without information or recourse wondering (rightfully) how
> >> they can resolve or mitigate this vulnerability. Our apologies.
> >
> > While we are on that topic, I am wondering about that 14 days old warning,
> > as well:
> >
> > mariadb101-server-10.1.16 is vulnerable:
> > MySQL -- Multiple vulnerabilities
> > CVE: CVE-2016-3452
> > [long list of CVEs snipped]
> > CVE: CVE-2016-3477
> >
> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
> >
> > I really do not know how serious this report is. Every feedback is highly
> > appreciated.
>
> Hi Michael:
>
> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>
> Your comment on that issue would be appreciated.
>
> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
> multiple vulnerable ports is:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>

From what I can see MariaDB hasn't released an update to address these issues
yet. I believe Oracle does not coordinate release of security issues with third
parties / forks. This has probably caught MariaDB off guard and they're likely
waiting for access to the relevant commits to import the fixes.

--
Mark Felder
f...@feld.me
Re: mariadb101-server vulnerability?
On 6/08/2016 7:23 AM, Michael Grimm wrote:
> Hi —
>
> Kubilay Kocak <ko...@freebsd.org> wrote:
>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>
> While we are on that topic, I am wondering about that 14 days old warning,
> as well:
>
> mariadb101-server-10.1.16 is vulnerable:
> MySQL -- Multiple vulnerabilities
> CVE: CVE-2016-3452
> [long list of CVEs snipped]
> CVE: CVE-2016-3477
>
> https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>
> I really do not know how serious this report is. Every feedback is highly
> appreciated.

Hi Michael:

Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274

Your comment on that issue would be appreciated.

The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
multiple vulnerable ports is:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248

> Thanks and with kind regards,
> Michael
Re: tiff vulnerability in ports?
On 06/08/2016 04:39, alphachi wrote:
> Any update doesn't still land on ports tree, but now "pkg audit -F" won't
> report graphics/tiff is vulnerable.

There has been a revised judgement about the gif2tiff program, in that while it
can be made to crash by a specially crafted gif file, that does not in itself
constitute a security problem. This is not just the opinion of ports secteam,
but concurs with, for example, the Debian security team.

I don't know what the current thinking is about removing gif2tiff from the
libtiff package, but libtiff is one of those packages which very many other
packages depend upon, and portmgr consequently requires experimental package
build runs and in general much more stringent levels of testing before allowing
any such change.

Cheers,

Matthew
Re: tiff vulnerability in ports?
On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkober...@gmail.com> wrote:
> On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <ko...@freebsd.org> wrote:
>
>> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
>> > On 2016/08/05 13:55, alphachi wrote:
>> >> Please see this link to get more information:
>> >>
>> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>> >>
>> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>> >>
>> >>> This is perhaps a question for the tiff devs more than anything, but I
>> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> >>> for some time now.
>> >>>
>> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> >>> apparently that version hasn't been released yet (according to
>> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> >>> 4.0.6).
>> >>>
>> >>> Anyone know what's going on? Is there a release upcoming to fix this?
>> >
>> > Yeah -- this vulnerability:
>> >
>> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>> >
>> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> > release from upstream yet.
>> >
>> > Given their approach to fixing the buffer overflow was to delete the
>> > offending gif2tiff application from the package, perhaps we could simply
>> > do the same until 4.0.7 comes out.
>> >
>> > Cheers,
>> >
>> > Matthew
>>
>> Hi Aleksandr :)
>>
>> Also:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>>
>> Please add a comment to that bug to request resolution of the issue.
>>
>> Alternatively you (and anyone else) can just delete gif2tiff
>>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>
> This one is really annoying in that it is so easily fixed. Just modify the
> port to not build or even not install gif2tiff. It's not going to be fixed
> upstream. At least the last message in the bugzilla indicates that the
> program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> should get out front and just delete it now.
>
> A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> should add it to the ticket.

Never mind. Mark Felder submitted it a week ago. If someone could look at it
and commit? I'd also suggest a note to UPDATING that gif2tiff is gone.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: tiff vulnerability in ports?
On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <ko...@freebsd.org> wrote:
> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> > On 2016/08/05 13:55, alphachi wrote:
> >> Please see this link to get more information:
> >>
> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> >>
> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
> >>
> >>> This is perhaps a question for the tiff devs more than anything, but I
> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
> >>> for some time now.
> >>>
> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> >>> apparently that version hasn't been released yet (according to
> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
> >>> 4.0.6).
> >>>
> >>> Anyone know what's going on? Is there a release upcoming to fix this?
> >
> > Yeah -- this vulnerability:
> >
> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> >
> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> > release from upstream yet.
> >
> > Given their approach to fixing the buffer overflow was to delete the
> > offending gif2tiff application from the package, perhaps we could simply
> > do the same until 4.0.7 comes out.
> >
> > Cheers,
> >
> > Matthew
>
> Hi Aleksandr :)
>
> Also:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>
> Please add a comment to that bug to request resolution of the issue.
>
> Alternatively you (and anyone else) can just delete gif2tiff
>
> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.
>

This one is really annoying in that it is so easily fixed. Just modify the port
to not build or even not install gif2tiff. It's not going to be fixed upstream.
At least the last message in the bugzilla indicates that the program will simply
be removed from 4.0.7 whenever it comes out. FreeBSD should get out front and
just delete it now.

A fix is trivial, but touches 20 files and, of course, the plist. Guess I should
add it to the ticket.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
mariadb101-server vulnerability? (was: tiff vulnerability in ports?)
Hi —

Kubilay Kocak <ko...@freebsd.org> wrote:

> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.

While we are on that topic, I am wondering about that 14 days old warning, as
well:

mariadb101-server-10.1.16 is vulnerable:
MySQL -- Multiple vulnerabilities
CVE: CVE-2016-3452
[long list of CVEs snipped]
CVE: CVE-2016-3477

https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html

I really do not know how serious this report is. Every feedback is highly
appreciated.

Thanks and with kind regards,
Michael
Re: tiff vulnerability in ports?
On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> On 2016/08/05 13:55, alphachi wrote:
>> Please see this link to get more information:
>>
>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>>
>> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>>
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>>
>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>>
>>> Anyone know what's going on? Is there a release upcoming to fix this?
>
> Yeah -- this vulnerability:
>
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>
> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> release from upstream yet.
>
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
>
> Cheers,
>
> Matthew
>

Hi Aleksandr :)

Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively you (and anyone else) can just delete gif2tiff

Unfortunately you are yet one more example of a user that's been left in the
lurch without information or recourse wondering (rightfully) how they can
resolve or mitigate this vulnerability. Our apologies.

Hope that helps.
Re: tiff vulnerability in ports?
On 2016/08/05 13:55, alphachi wrote:
> Please see this link to get more information:
>
> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>
> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>>
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>>
>> Anyone know what's going on? Is there a release upcoming to fix this?

Yeah -- this vulnerability:

https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7 release
from upstream yet.

Given their approach to fixing the buffer overflow was to delete the offending
gif2tiff application from the package, perhaps we could simply do the same until
4.0.7 comes out.

Cheers,

Matthew
Re: graphics/ImageMagick vulnerability status?
Really doesn't help that they keep revising the fix, 3 releases in 6 days, the
latest version actually being 6.9.4-1 :(

On 10/05/2016 15:09, Stefan Bethke wrote:
> Hey,
>
> according to
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588, a
> release 6.9.4-0 should be out that improves the situation significantly. It
> appears that graphics/ImageMagick is at 6.9.3.
>
> It would be nice if people who follow ImageMagick more closely than me could
> speak to the security status of the current port, updates planned, and/or
> additional mitigation recommended. Heise News is reporting that exploits have
> been posted and are seen in the wild.
>
> Thanks,
> Stefan
graphics/ImageMagick vulnerability status?
Hey,

according to https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588,
a release 6.9.4-0 should be out that improves the situation significantly. It
appears that graphics/ImageMagick is at 6.9.3.

It would be nice if people who follow ImageMagick more closely than me could
speak to the security status of the current port, updates planned, and/or
additional mitigation recommended. Heise News is reporting that exploits have
been posted and are seen in the wild.

Thanks,
Stefan

--
Stefan Bethke   Fon +49 151 14070811
Re: openoffice vulnerability?
On 05/15/15 07:11, George Mitchell wrote:
> Nightly security report sez:
>
> Checking for packages with security vulnerabilities:
> Database fetched: Thu May 14 03:10:05 EDT 2015
> apache-openoffice-4.1.1_9
> [...]

And now Don Lewis has removed this erroneous entry from the database of
vulnerabilities. Thank you, Don!

-- George
openoffice vulnerability?
Nightly security report sez:

Checking for packages with security vulnerabilities:
Database fetched: Thu May 14 03:10:05 EDT 2015
apache-openoffice-4.1.1_9

I first got this last week for version 4.1.1_7 and consequently updated my ports
tree and rebuilt, specifically including changeset 385792:

Add a patch to fix the HWP filter vulnerability documented in CVE-2015-1774 and
http://www.openoffice.org/security/cves/CVE-2015-1774.html

Approved by:            mat (mentor)
MFH:                    2015Q2
Security:               b13af778-f4fc-11e4-a95d-ac9e174be3af
Differential Revision:  https://reviews.freebsd.org/D2478

So is it still broken, or did another vulnerability already crop up?

-- George
Vulnerability on Tomcat 6.x (6.0.42) and 7.x (7.0.55) and 8.x (8.0.9)
Hi,

CVE-2014-0227 [1] was released yesterday about possible DoS attacks on Apache
Tomcat. Updates are available on the website [2].

Cheers,
- rodrigo

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0227
[2] http://tomcat.apache.org/security-7.html
Re: Vulnerability on Tomcat 6.x (6.0.42) and 7.x (7.0.55) and 8.x (8.0.9)
Hi!

> CVE-2014-0227 was released yesterday about possible DoS attacks on Apache
> Tomcat. Updates are available on the website [2].

ale@ updated the ports.

--
p...@opsec.eu   +49 171 3101372   5 years to go !
Re: portaudit: Wrong vulnerability information for devel/dbus
On 2013-06-14 06:19, RyōTa SimaMoto wrote:
> Hi,
>
> portaudit rejects the latest version (1.6.12) of devel/dbus because the
> acceptable version is set too high (1.16.12) for it.
>
> http://portaudit.FreeBSD.org/4e9e410b-d462-11e2-8d57-080027019be0.html

Yup, happens for me too

--
Frank BRONIEWSKI

METRICO s.à r.l.
surveyors
geographic information technologies
rue des Romains 36
L-5433 NIEDERDONVEN
tel.: +352 26 74 94 - 28
fax: +352 26 74 94 99
http://www.metrico.lu
portaudit: Wrong vulnerability information for devel/dbus
Hi,

portaudit rejects the latest version (1.6.12) of devel/dbus because the
acceptable version is set too high (1.16.12) for it.

http://portaudit.FreeBSD.org/4e9e410b-d462-11e2-8d57-080027019be0.html
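Both the libidn2 question at the top of the page ("before 2.2.0", yet pkg audit flags 2.2.0) and this dbus report come down to how a VuXML `<range>` is evaluated against an installed package version. The script below is an added example, not pkg(8)'s code and not from either thread: it evaluates VuXML-style `<lt>`/`<le>`/`<gt>`/`<ge>`/`<eq>` bounds with a simplified FreeBSD-style version comparison (`version[_revision][,epoch]`, dot-separated components compared numerically). The VuXML fragment is constructed for illustration, its `vid` values are placeholders, and the dbus entry deliberately carries the mistyped `1.16.12` bound the thread describes; the real entries linked on the page are not reproduced.

```python
"""VuXML range evaluation with FreeBSD-style package versions.

Added example (not from the mailing list and not pkg(8)'s own code).
The VuXML fragment is constructed for illustration: the vids are
placeholders and the dbus entry mimics the mistyped upper bound
described in the thread (1.16.12 where 1.6.12 was meant).
"""
import xml.etree.ElementTree as ET

VUXML_SAMPLE = """<vuxml>
  <vuln vid="EXAMPLE-0001">
    <topic>libidn2 -- roundtrip check vulnerability</topic>
    <affects>
      <package>
        <name>libidn2</name>
        <range><lt>2.2.0</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="EXAMPLE-0002">
    <topic>dbus -- entry with a mistyped upper bound</topic>
    <affects>
      <package>
        <name>dbus</name>
        <range><lt>1.16.12</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_version(pkgver):
    """Split 'version[_revision][,epoch]' into comparable parts.

    Simplified relative to pkg(8): dot-separated components compare as
    integers when numeric and as strings otherwise; epoch wins over
    everything, then the version components, then the port revision.
    """
    epoch = 0
    if "," in pkgver:
        pkgver, e = pkgver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in pkgver:
        pkgver, r = pkgver.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in pkgver.split(".")]
    return (epoch, parts, revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


_BOUND_OK = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def version_in_range(version, range_elem):
    """A <range> matches only when every bound inside it holds (they are ANDed)."""
    for bound in range_elem:
        check = _BOUND_OK.get(bound.tag)
        if check is None:
            raise ValueError("unknown range bound <%s>" % bound.tag)
        if not check(compare_versions(version, bound.text.strip())):
            return False
    return True


def check_range_text(version, range_xml):
    """Evaluate a single <range>...</range> given as a string."""
    return version_in_range(version, ET.fromstring(range_xml))


def matching_entries(vuxml_text, pkgname, pkgver):
    """Return (vid, topic) for every entry whose ranges cover pkgname-pkgver."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("vuln"):
        for pkg in vuln.findall("affects/package"):
            if pkg.findtext("name") != pkgname:
                continue
            if any(version_in_range(pkgver, r) for r in pkg.findall("range")):
                hits.append((vuln.get("vid"), vuln.findtext("topic")))
                break
    return hits


def is_vulnerable(vuxml_text, pkgname, pkgver):
    return bool(matching_entries(vuxml_text, pkgname, pkgver))


if __name__ == "__main__":
    for name, ver in [("libidn2", "2.1.1"), ("libidn2", "2.2.0"),
                      ("libidn2", "2.2.0_1"), ("dbus", "1.6.12")]:
        print("%s-%s: %s" % (name, ver, matching_entries(VUXML_SAMPLE, name, ver) or "clean"))
```

Two things the run makes concrete: an `<lt>2.2.0</lt>` bound does not match 2.2.0 (or 2.2.0_1), so if pkg audit flags libidn2-2.2.0 the bound in the actual entry must be something else, and reading that entry's `<range>` settles the question in the first thread; and 1.6.12 is older than 1.16.12 under numeric comparison, which is exactly why a mistyped `1.16.12` bound rejects the correct 1.6.12 package in the dbus thread.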
Re: Opera vulnerability, marked forbidden instead of update?
About updating the opera port, it's a matter of updating the plist to make sure
that opera cleans up after deinstall properly. Opera has a habit of silently
adding new files between versions, so it must be checked.

Speaking from a user perspective, you don't even need to bump the version in the
Makefile; nobody stops you from downloading from opera.com directly and using
their installer as well as their uninstaller (they provide both). It works, and
should always work, as long as FreeBSD is a supported platform. Just when
something is in ports, it must be integrated into the infrastructure fully.
Re: Opera vulnerability, marked forbidden instead of update?
On Fri, 23 Nov 2012 09:00:59 +0000 Matthew Seaman <matt...@freebsd.org> wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
>> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
>> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>>
>> The Opera Software company advisory indeed marks this bug as high severity,
>> and mentions that there is an update to fix it.
>>
>> I am not familiar with the security process in ports, but wouldn't it be
>> better to update the version? Marking it FORBIDDEN does not do much for the
>> userbase that already has it installed.
>>
>> I've bumped the versions in the Makefile
>>
>> OPERA_VER?=	12.11
>> OPERA_BUILD?=	1661
>>
>> and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time-consuming testing of the port and so forth.
> It's an interim measure taken to ensure that users do not unwittingly install
> software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal response, but
> that may not be possible to do straight away. You've sketched out the first
> couple of steps a port maintainer would take, but that 'there was no apparent
> problem' statement would need to be backed up by some more rigorous testing
> before a maintainer would feel confident in committing the update.

Just a comment that, for any USERS who would like to take a chance with updating
their Opera (rather than taking a chance running the vulnerable version), just
modifying the Makefile as described above works to provide the update.

I've updated www/opera and www/opera-linuxplugins, and my new Opera is running
fine:

About Opera
Version information
Version   12.11
Build     1661
Platform  FreeBSD
System    amd64, 8.3-STABLE

--
greg byshenk - gbysh...@byshenk.net - Leiden, NL - Portland, OR USA
Opera vulnerability, marked forbidden instead of update?
Hello,

I've noticed that www/opera was marked FORBIDDEN because of a security hole:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head

The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it. I am not familiar with the security process in ports, but wouldn't it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.

I've bumped the versions in the Makefile:

    OPERA_VER?=   12.11
    OPERA_BUILD?= 1661

and made a `make makesum reinstall`; there was no apparent problem.

Regards,
--
Matthieu Volat <ma...@alkumuna.eu>
Re: Opera vulnerability, marked forbidden instead of update?
On 23/11/2012 08:26, Matthieu Volat wrote:
> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>
> The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it. I am not familiar with the security process in ports, but wouldn't it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
>
> I've bumped the versions in the Makefile:
>
>     OPERA_VER?=   12.11
>     OPERA_BUILD?= 1661
>
> and made a `make makesum reinstall`; there was no apparent problem.

Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities. Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away.

You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.

Cheers,
Matthew
Re: Opera vulnerability, marked forbidden instead of update?
On Friday 23 November 2012 03:00:59 Matthew Seaman wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
>> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
>> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>>
>> The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it. I am not familiar with the security process in ports, but wouldn't it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
>>
>> I've bumped the versions in the Makefile:
>>
>>     OPERA_VER?=   12.11
>>     OPERA_BUILD?= 1661
>>
>> and made a `make makesum reinstall`; there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities. Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away.
>
> You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.
>
> Cheers,
> Matthew

I did the same and I don't have problems...

Mitja
http://www.redbubble.com/people/lumiwa
Re: Opera vulnerability, marked forbidden instead of update?
On Fri, 23 Nov 2012 09:00:59 +0000, Matthew Seaman <matt...@freebsd.org> wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
>> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
>> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>>
>> The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it. I am not familiar with the security process in ports, but wouldn't it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
>>
>> I've bumped the versions in the Makefile:
>>
>>     OPERA_VER?=   12.11
>>     OPERA_BUILD?= 1661
>>
>> and made a `make makesum reinstall`; there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities. Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away.
>
> You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.
>
> Cheers,
> Matthew

Hello and thanks for the explanation,

Cheers,
--
Matthieu Volat <ma...@alkumuna.eu>
Re: Python upgrade to address vulnerability?
Doug Barton wrote on 15.02.2012 02:20:
> So apparently we have a python vulnerability according to
> http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
> but I'm not seeing an upgrade to address it yet. Any idea when that will happen?
>
> Thanks,
> Doug

Patch is here: http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt

Patch for 3.2 is taken directly from here: http://bugs.python.org/file24522/xmlrpc_loop-1.diff
Patch for 2.5, 2.6, 2.7, 3.1 is adapted from this patch: http://bugs.python.org/file24513/xmlrpc_loop.diff

SimpleXMLRPCServer.py in 2.4 is too different and it is going to die anyway, so I didn't mess with it.

If no one objects, I can commit it. Please tell me what I should do.

--
Regards,
Ruslan

Tinderboxing kills... the drives.
Re: Python upgrade to address vulnerability?
2012/2/15 Ruslan Mahmatkhanov <cvs-...@yandex.ru>
> Doug Barton wrote on 15.02.2012 02:20:
>> So apparently we have a python vulnerability according to
>> http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
>> but I'm not seeing an upgrade to address it yet. Any idea when that will happen?
>>
>> Thanks,
>> Doug
>
> Patch is here: http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt

Had this patch been committed upstream? When I found it, it was in review state. And CVE-2012-0845 too.

wen

> Patch for 3.2 is taken directly from here: http://bugs.python.org/file24522/xmlrpc_loop-1.diff
> Patch for 2.5, 2.6, 2.7, 3.1 is adapted from this patch: http://bugs.python.org/file24513/xmlrpc_loop.diff
>
> SimpleXMLRPCServer.py in 2.4 is too different and it is going to die anyway, so I didn't mess with it.
>
> If no one objects, I can commit it. Please tell me what I should do.
>
> --
> Regards,
> Ruslan
>
> Tinderboxing kills... the drives.
Re: Python upgrade to address vulnerability?
wen heping wrote on 15.02.2012 14:16:
> 2012/2/15 Ruslan Mahmatkhanov <cvs-...@yandex.ru>
>> Doug Barton wrote on 15.02.2012 02:20:
>>> So apparently we have a python vulnerability according to
>>> http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
>>> but I'm not seeing an upgrade to address it yet. Any idea when that will happen?
>>>
>>> Thanks,
>>> Doug
>>
>> Patch is here: http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt
>
> Had this patch been committed upstream? When I found it, it was in review state. And CVE-2012-0845 too.
>
> wen

Yes, it is not yet committed, but the comments look promising :). And I can't reproduce this bug after patching, using the procedure described in the bug report.

--
Regards,
Ruslan

Tinderboxing kills... the drives.
Re: Python upgrade to address vulnerability?
2012/2/15 Ruslan Mahmatkhanov <cvs-...@yandex.ru>
> wen heping wrote on 15.02.2012 14:16:
>> 2012/2/15 Ruslan Mahmatkhanov <cvs-...@yandex.ru>
>>> Doug Barton wrote on 15.02.2012 02:20:
>>>> So apparently we have a python vulnerability according to
>>>> http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
>>>> but I'm not seeing an upgrade to address it yet. Any idea when that will happen?
>>>>
>>>> Thanks,
>>>> Doug
>>>
>>> Patch is here: http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt
>>
>> Had this patch been committed upstream? When I found it, it was in review state. And CVE-2012-0845 too.
>>
>> wen
>
> Yes, it is not yet committed, but the comments look promising :). And I can't reproduce this bug after patching, using the procedure described in the bug report.

Me too :)

I trust this patch too but I would like to wait some time.

wen

> --
> Regards,
> Ruslan
>
> Tinderboxing kills... the drives.
Python upgrade to address vulnerability?
So apparently we have a python vulnerability according to http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html, but I'm not seeing an upgrade to address it yet. Any idea when that will happen?

Thanks,

Doug

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
[joernc...@phenoelit.de: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability]
Please update this port.

----- Forwarded message from joernchen of Phenoelit <joernc...@phenoelit.de> -----

Date: Mon, 30 Jan 2012 14:56:26 +0100
From: joernchen of Phenoelit <joernc...@phenoelit.de>
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111224 Thunderbird/9.0.1

Hi,

FYI, see attached.

cheers,

joernchen

--
joernchen ~ Phenoelit
joernc...@phenoelit.de ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC

Phenoelit Advisory wir-haben-auch-mal-was-gefunden #0815

[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
2012-01-24 Send vulnerability details to sudo maintainer
2012-01-24 Maintainer is embarrassed
2012-01-27 Asking maintainer how the fixing goes
2012-01-27 Maintainer responds with a patch and a release date of 2012-01-30 for the patched sudo and advisory
2012-01-30 Release of this advisory

[ Description ]
Observe src/sudo.c:

    void
    sudo_debug(int level, const char *fmt, ...)
    {
        va_list ap;
        char *fmt2;

        if (level > debug_level)
            return;

        /* Bracket fmt with program name and a newline to make it a single write */
        easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
        va_start(ap, fmt);
        vfprintf(stderr, fmt2, ap);
        va_end(ap);
        efree(fmt2);
    }

Here getprogname() is argv[0] and by this user controlled. So argv[0] goes to fmt2, which then gets vfprintf()ed to stderr. The result is a Format String vulnerability.

[ Example ]

    /tmp $ ln -s /usr/bin/sudo %n
    /tmp $ ./%n -D9
    *** %n in writable segment detected ***
    Aborted
    /tmp $

A note regarding exploitability: The above example shows the result of FORTIFY_SOURCE, which makes exploitation painful but not impossible (see [0]). Without FORTIFY_SOURCE the exploit is straightforward:

1. Use formatstring to overwrite the setuid() call with setgid()
2. Trigger with formatstring -D9
3. Make use of SUDO_ASKPASS and have shellcode in askpass script
4. As askpass will be called after the formatstring has overwritten setuid(), the askpass script will run with uid 0
5. Enjoy the rootshell

[ Solution ]
Update to version 1.8.3.p2

[ References ]
[0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]

----- End forwarded message -----

--
;s =;
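The advisory's sudo_debug() shape next to its fix, as an added example that is not part of the advisory or of sudo's own code: the output sink is a caller-supplied buffer instead of stderr, set_progname() stands in for argv[0]/getprogname(), and the "%%" probe name and "alice" input are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for getprogname(): in the advisory this is argv[0],
 * which whoever runs the binary chooses. A plain global keeps the two shapes
 * below deterministic and testable. */
static const char *g_progname = "sudo";

void set_progname(const char *name)
{
    g_progname = name;
}

/* Vulnerable shape, mirroring the advisory's sudo_debug(): the program name is
 * spliced into the format string *before* the varargs printf runs, so any '%'
 * directive in the name is interpreted as a conversion. */
int debug_vulnerable(char *out, size_t outsz, const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int n;

    /* The bug: untrusted text becomes part of the format string. */
    snprintf(fmt2, sizeof fmt2, "%s: %s\n", g_progname, fmt);

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt2, ap);
    va_end(ap);
    return n;
}

/* Hardened shape: the program name is only ever a %s *argument*, and the
 * caller's own fmt is the only format string that reaches vsnprintf.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int debug_fixed(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outsz, "%s: ", g_progname);
    if (n < 0 || (size_t)n >= outsz)
        return -1;

    va_start(ap, fmt);
    m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outsz - (size_t)n)
        return -1;
    n += m;

    /* Append the newline the original folded into the composed format. */
    if ((size_t)n + 1 >= outsz)
        return -1;
    out[n++] = '\n';
    out[n] = '\0';
    return n;
}

/* Defensive check a wrapper or audit tool might apply: a name that is about
 * to be used as format text should never contain a '%' directive at all. */
int name_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    char buf[128];

    /* "%%" is the one directive that printf can interpret without undefined
     * behaviour (it collapses to a single '%'), so it shows the difference
     * between the two shapes safely; the advisory's "%n" is the harmful case. */
    set_progname("%%");

    debug_vulnerable(buf, sizeof buf, "user %s", "alice");
    printf("vulnerable: %s", buf);   /* "%: user alice"  -- directive consumed */

    debug_fixed(buf, sizeof buf, "user %s", "alice");
    printf("fixed:      %s", buf);   /* "%%: user alice" -- name left verbatim */

    printf("suspicious argv[0]? %d\n", name_has_format_directive(g_progname));
    return 0;
}
```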
Re: ports/155355: mail/mailman: XXS vulnerability affecting Mailman 2.1.14 and prior
I'm going to be traveling from 3/8 through 3/9. If anyone can get to this before I return please feel free to commit as necessary.
Re: PHP52 vulnerability
I question the vulnerability. I don't think it applies.

The alert is from 2006, and there isn't a POC I have tested against php52-5.2.17 with nulls in it that seems to trigger anything but 404 errors.

(Please don't try on ours... this is not a challenge. But if you have a POC, let me know and _I_ will try it.)

So, php 5.3? Big differences! BIG. Look at /usr/ports/UPDATING to see. php_ini needs changes also.

On 3/3/11 3:09 PM, Andrea Venturoli wrote:
> Is there any news on the horizon?
> Will a new version be released and/or the port updated?
> Any possible patch?

--
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: PHP52 vulnerability
Hi,

On Thu, Mar 3, 2011 at 12:09 PM, Andrea Venturoli <m...@netfence.it> wrote:
> Hello.
> As you probably know, it looks like php52 is vulnerable:
>
> Affected package: php52-5.2.17
> Type of problem: php -- NULL byte poisoning.
> Reference: http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html
>
> Is there any news on the horizon?

I think PHP developers haven't got that patched for 5.2.x (yet), as the branch is considered to be obsolete. We may have to patch the port ourselves.

Note that the FreeBSD PHP port comes with Suhosin by default, which _could_ have mitigated the attack (disclaimer: I'm not very confident that this solves all problems, though, as it requires a more thorough code review).

Cheers,
--
Xin LI <delp...@delphij.net> http://www.delphij.net
Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
Quoting Jan Henrik Sylvester <m...@janh.de> (from Mon, 14 Feb 2011 10:35:05 +0100):

> There is one more problem to solve:
> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>
> That mail went unanswered (at least as far as the mailing list archive goes). Probably, the procedure above would have to be put into a shell script for a willing committer to repeat. Every time this vulnerability comes up at ports@ or emulation@, some committer asks for a (trusted) rpm to fix it. Thus, there might be one.

There was another person doing something similar too. I got a little step-by-step guide how he did it. Currently (after two months without time to have a look at it) I am downloading an F10 install image which I want to feed to virtualbox to compile a fixed pango version. If nothing urgent interferes, you can expect a commit in the not so distant future (maybe not today, maybe not tomorrow, but maybe next week).

> For me, the real question is: Considering the age of Fedora 10 and the time it has not been supported anymore, it is likely that there are more vulnerabilities in our Linux-f10 framework that are not documented in our vulnerability database. Does fixing the pango vulnerability really make the Linux emulation safe? (Is it worth it?)

Good question. Feel free to have a look at the RPMs from linux_base-f10 and find out if there are unfixed vulnerabilities.

Bye,
Alexander.

--
Make it right before you make it faster.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
Jan Henrik Sylvester wrote:
> The easiest way would probably be:
> - Take the src-rpm of the pango version in RHEL 5.
> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
> - Apply the RHEL 5 patch with --ignore-whitespace.
> - Diff for creating a patch that applies without --ignore-whitespace.
> - Bump version number and repackage a src-rpm for Fedora 10 with the new patch.
> - Build it on a clean Fedora 10 system.
>
> There is one more problem to solve:
> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>
> That mail went unanswered (at least as far as the mailing list archive goes). Probably, the procedure above would have to be put into a shell script for a willing committer to repeat. Every time this vulnerability comes up at ports@ or emulation@, some committer asks for a (trusted) rpm to fix it. Thus, there might be one.

Peter Littmann's RPMs probably won't work for me since I'm looking for 9-current amd64. Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or the pango project tarball) and the RHEL 5 patch solve this? I may not have a Reputation, but I've been around since 4.1BSD and a search of the tree and the PRs will turn up a few bugfixes that I've submitted.

tom
Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
On Mon, Feb 14, 2011 at 8:45 AM, Tom Uffner <t...@uffner.com> wrote:
> Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or the pango project tarball) and the RHEL 5 patch solve this? I may not have a Reputation, but I've been around since 4.1BSD and a search of the tree and the PRs will turn up a few bugfixes that I've submitted.

It was said in the past that there is a Fedora 11 RPM (not from the cd, but an update) that has the patch and works as a drop in replacement.

--
Rob Farmer
Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
On Mon, Feb 14, 2011 at 18:45, Tom Uffner <t...@uffner.com> wrote:
> Jan Henrik Sylvester wrote:
>> The easiest way would probably be:
>> - Take the src-rpm of the pango version in RHEL 5.
>> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
>> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
>> - Apply the RHEL 5 patch with --ignore-whitespace.
>> - Diff for creating a patch that applies without --ignore-whitespace.
>> - Bump version number and repackage a src-rpm for Fedora 10 with the new patch.
>> - Build it on a clean Fedora 10 system.
>>
>> There is one more problem to solve:
>> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>>
>> That mail went unanswered (at least as far as the mailing list archive goes). Probably, the procedure above would have to be put into a shell script for a willing committer to repeat. Every time this vulnerability comes up at ports@ or emulation@, some committer asks for a (trusted) rpm to fix it. Thus, there might be one.
>
> Peter Littmann's RPMs probably won't work for me since I'm looking for 9-current amd64. Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or the pango project tarball) and the RHEL 5 patch solve this? I may not have a Reputation, but I've been around since 4.1BSD and a search of the tree and the PRs will turn up a few bugfixes that I've submitted.
>
> tom

Most likely you've already noticed my efforts in this matter, but let me still mention them:

http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008285.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008295.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008296.html

Sadly, I'm still struggling to find enough time to prepare for and apply for ports committer (I'm afraid that while I might be known around the academic security community and projects like the European GÉANT, that's not the case with FreeBSD), but that's irrelevant now, anyway.

Of course, anyone who feels not particularly security concerned could still use the patches for the ports tree provided in the first mail (I do keep the relevant distfiles online). The step-by-step description in the second set of mails could hopefully be helpful for someone whom the community would trust to build an RPM. I do realize it's way too detailed and long, so I was indeed thinking about preparing a shorter version these days, especially now that the Flash update brings the issue with linux-pango again.

Please let me know if I could be of help somehow.

Cheers,
Luchesar
fixing the vulnerability in linux-f10-pango-1.22.3_1
Is there any point in trying to update linux-f10-pango to address this vulnerability?

    Affected package: linux-f10-pango-1.22.3_1
    Type of problem: pango -- integer overflow.
    Reference: http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html

I realize that I can install it w/ DISABLE_VULNERABILITIES, but I hate having known exploits on my system; not installing it breaks flashplugin and acroread (among others).

I've never tried to create or modify a linux emulation port before, so I'm wondering just how annoying/tedious it's going to be? It looks like there are no Fedora 10 RPMs of pango 1.24, so it would probably involve finding an F10 box and building one from source. But would updating just Pango be possible? Or would it start the RPM Hell avalanche and require me to re-roll all of my linux ports?

Is it time for a complete upgrade of our Linux ports to Fedora 14? Or some other distro that is easier to track/update?

tom
Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
On 13.02.2011 22:53, Tom Uffner wrote:
> Is there any point in trying to update linux-f10-pango to address this vulnerability?
>
>     Affected package: linux-f10-pango-1.22.3_1
>     Type of problem: pango -- integer overflow.
>     Reference: http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html
>
> I realize that I can install it w/ DISABLE_VULNERABILITIES, but I hate having known exploits on my system; not installing it breaks flashplugin and acroread (among others).
>
> I've never tried to create or modify a linux emulation port before, so I'm wondering just how annoying/tedious it's going to be? It looks like there are no Fedora 10 RPMs of pango 1.24, so it would probably involve finding an F10 box and building one from source.

Fedora 10 hasn't been supported for over a year now (EOL mid-December 2009); chances are, however, that newer versions of the system can build an RPM that would fit F10. There are online build services (for instance by/for openSUSE, starting with Fedora 12 however); if you find a release that is close enough in other shared library versions, that might help.

Backporting just a security fix, if a reliable and reasonable patch exists, might be an easier option because you can take F10's 1.22.3 *source* RPM, add the security patch, and rebuild (see below).

> But would updating just Pango be possible? Or would it start the RPM Hell avalanche and require me to re-roll all of my linux ports?

If you build an updated port of a compatible pango version on F10, that would likely be painless *unless* the new pango version has changed requirements; building on a newer Fedora release might warrant checking dependencies though, with "rpm -qp --requires" or similar, and paying attention to library versions. Sometimes, it's possible to (un)define C preprocessor macros to avoid newer features; I used to build bogofilter RPMs for older glibc releases that way a couple of years ago, but there's no guarantee this works, and it's a tedious "read the source, Tom" task.

> Is it time for a complete upgrade of our Linux ports to Fedora 14? Or some other distro that is easier to track/update?

It would be time, but new distros always raise the question "is the kernel part of the linuxulator up to the job?" If [e]glibc or other libraries require newer Linux kernel features not provided by the FreeBSD linuxulator, that is a hard dependency to be fixed before.

Personally I'd prefer "some other distro that is easier to track/update", particularly something with long-term support by the respective vendor, so candidates are CentOS (closer to Fedora, also RPM-based, lags a bit behind but is more or less a free spin of Red Hat Enterprise Linux), Ubuntu LTS (3 years for desktop stuff), or possibly Debian. The latter two use .dpkg as the packaging format, which is apparently ar based.

I don't have the time to get involved here though, beyond answering an occasional Linux question.

HTH
--
Matthias Andree
apr vulnerability
On one of the servers I manage, portaudit claims:

    portaudit
    Affected package: apr-0.9.19.0.9.19
    Type of problem: apr -- multiple vulnerabilities.
    Reference: http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html

Following the above links, I find that apr1.3.5.1.3.7 is involved.

I see on Freshports that apr was updated on 2010/10/20 to address a security risk; the link is:
http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
There, however, it says apr00.9.19.0.9.19 is involved.

So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have) vulnerable or not?

bye & Thanks
av.
Re: apr vulnerability
On 10/28/10 07:29, Andrea Venturoli wrote:
> On one of the servers I manage, portaudit claims:
>
>     portaudit
>     Affected package: apr-0.9.19.0.9.19
>     Type of problem: apr -- multiple vulnerabilities.
>     Reference: http://portaudit.FreeBSD.org/eb9212f7-526b-11de-bbf2-001b77d09812.html
>
> Following the above links, I find that apr1.3.5.1.3.7 is involved.
>
> I see on Freshports that apr was updated on 2010/10/20 to address a security risk; the link is:
> http://www.vuxml.org/freebsd/dd943fbb-d0fe-11df-95a8-00219b0fc4d8.html
> There, however, it says apr00.9.19.0.9.19 is involved.
>
> So, I'm confused: is apr-0.9.19.0.9.19 (which is the one I have) vulnerable or not?

apr has 3 tracks:

    devel/apr0 - apr0: legacy: apr/0.9.19, apr-util/0.9.19
    devel/apr1 - apr1: ga:     apr/1.3.5,  apr-util/1.3.7
    devel/apr2 - apr2: devel   not released yet

Neither devel/apr0 nor devel/apr1 is vulnerable. devel/apr2 needs to be updated to a newer snapshot.

To fix your error, the PKGNAME for devel/apr0 needs to be updated to match the security/vuxml entry. I should be able to get to that Friday during $work time.

--
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.

Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
Re: linux-f10-pango security vulnerability
On 2010-Feb-08 18:05:43 -0800, Paul Pathiakis <pathia...@yahoo.com> wrote:
> /usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and means that no one can build the linux port to install linux-f10-flashplugin. Not good. Please fix asap.

FreeBSD is maintained by volunteers. That sort of attitude will just annoy people. Feel free to fix it yourself.

--
Peter Jeremy

PS: Politely asking the port maintainer might get you somewhere.
Re: linux-f10-pango security vulnerability
Sorry if there seemed to be any attitude. There wasn't. It was just that it seemed like something had slipped through the cracks. Also, I've watched BSD and derivatives since 1984; I'm fully aware of FreeBSD's volunteer support. Also, notice it was posted with a "please" and "asap", not "ASAP".

If I had the time, I would fix it myself. Heck, if I could work on FreeBSD and support a decent lifestyle, I'd work on getting it to where its interface could be much better, so a junior or intermediate system administrator would better understand it, and there would probably be a larger following than the haphazard junk that is the Linux kernel. The Linux kernel is larger than the entire FreeBSD OS with kernel and userland. Bloat much?

Personally, FreeBSD is a vastly superior OS to many commercial and all free OSes. (I'm still holding back on my decision about MacOSX and OpenSolaris, which is making huge strides in tech again.) Also, the information flow between SUN/Solaris and BSD is better than it's been in years (since the times of NFS/NIS and RPCs) with the advent of ZFS and DTrace and VirtualBox. Also, Apple and DarwinOS make me cheer for the desktop invasion of BSD. I still look back at all the doom and gloom about FreeBSD's death 5 years ago and now it's stronger than ever. It's like the bionic OS: "Gentlemen, we have the technology... we can make it better... stronger... faster... smaller in footprint." (OK, so the 1984 reference and the 6 million dollar man reference shows my age. :-) )

Take no offense, FreeBSD people. I'm a 2.1 to 8.x user. I have all my subscription CDs in my home server room. I'm closing on my 25th year as a System Administrator/Consultant/Contractor/Architect... UNIX and networking with a Comp. Sci. degree. I worked with BSD 4.2, 4.3, 4.3-Tahoe, 4.3-Reno, etc. Awaiting HAST at this point. Already have ZFS (gpt with zfsboot, no ufs) and FreeBSD 8.0 at home.

BTW, someone should port OpenNMS to FreeBSD. It is, by far, vastly superior to all of the other monitoring tools: Nagios, Ganglia, mrtg, etc. It is enterprise class.

Ending my rant.

Paul

From: Peter Jeremy peterjer...@acm.org
To: Paul Pathiakis pathia...@yahoo.com
Cc: po...@freebsd.org
Sent: Tue, February 9, 2010 2:56:33 PM
Subject: Re: linux-f10-pango security vulnerability

> On 2010-Feb-08 18:05:43 -0800, Paul Pathiakis pathia...@yahoo.com wrote:
>> /usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and means that no one can build the linux port to install linux-f10-flashplugin. Not good. Please fix asap.
>
> FreeBSD is maintained by volunteers. That sort of attitude will just annoy people. Feel free to fix it yourself.
>
> -- 
> Peter Jeremy
>
> PS: Politely asking the port maintainer might get you somewhere.
linux-f10-pango security vulnerability
Hi,

/usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and means that no one can build the linux port to install linux-f10-flashplugin. Not good. Please fix asap.

Thank you!

Paul Pathiakis
Re: linux-f10-pango security vulnerability
On Mon, 8 Feb 2010 21:05, pathiaki2@ wrote:
> Hi,
>
> /usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and means that no one can build the linux port to install linux-f10-flashplugin. Not good. Please fix asap.
>
> Thank you!
>
> Paul Pathiakis

make -DDISABLE_VULNERABILITIES=yes install clean

or add DISABLE_VULNERABILITIES=yes to your make.conf and comment it out when you're finished.

This has been known for a long time.

-- 
jhell
Re: linux-f10-pango security vulnerability
On Tue, 9 Feb 2010 01:00, jhell@ wrote:
> On Mon, 8 Feb 2010 21:05, pathiaki2@ wrote:
>> Hi,
>>
>> /usr/ports/x11-toolkits/linux-f10-pango still has a security vulnerability and means that no one can build the linux port to install linux-f10-flashplugin. Not good. Please fix asap.
>>
>> Thank you!
>>
>> Paul Pathiakis
>
> make -DDISABLE_VULNERABILITIES=yes install clean
>
> or add DISABLE_VULNERABILITIES=yes to your make.conf and comment it out when you're finished.
>
> This has been known for a long time.
>
> -- 
> jhell

I should have mentioned that this also only takes effect when ports-mgmt/portaudit is installed. If it is not installed then no port being installed will stop and warn of security implications.

Make sure to include the Maintainer in the CC.

Best regards.

-- 
jhell
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Synopsis: lang/php5: PHP session.save_path vulnerability

Responsible-Changed-From-To: freebsd-ports->ale
Responsible-Changed-By: miwi
Responsible-Changed-When: Sat Sep 19 18:35:31 UTC 2009
Responsible-Changed-Why:
over to php maintainer

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Maciej Andziński andzi...@volt.iem.pw.edu.pl
To: Miroslav Lachman 000.f...@quip.cz
Cc: bug-follo...@freebsd.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Sun, 13 Sep 2009 18:38:44 +0200

I am a Linux user, so maybe you could recommend a better location in FreeBSD than /var/lib/php5? I am also thinking where to add the mkdir command; is there any special place in the makefile? What do you think?
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Old Synopsis: PHP session.save_path vulnerability
New Synopsis: lang/php5: PHP session.save_path vulnerability

Responsible-Changed-From-To: freebsd-www->freebsd-ports
Responsible-Changed-By: remko
Responsible-Changed-When: Thu Sep 10 10:24:18 UTC 2009
Responsible-Changed-Why:
reassign to ports team; this has nothing to do with the webmasters queue

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman 000.f...@quip.cz
To: bug-follo...@freebsd.org, andzi...@volt.iem.pw.edu.pl
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200

I don't know what you are trying to solve. If PHP runs under user www (Apache), it can still read the content of the directory. If you want to disallow access to sessions of different domains (VirtualHosts), you can do it by using a different session.save_path for each domain.

In context of VirtualHost for www.domain1.tld:
php_admin_value session.save_path /web/www.domain1.tld/tmp

In context of VirtualHost for www.domain2.tld:
php_admin_value session.save_path /web/www.domain2.tld/tmp
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Maciej Andzinski andzi...@volt.iem.pw.edu.pl
To: Miroslav Lachman 000.f...@quip.cz
Cc: bug-follo...@freebsd.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:58:42 +0200 (CEST)

The problem is in permissions and that is what I suggest to fix. But you are right, I've made a mistake: the owner of /var/lib/php5 should be root, not www. I suggest changing permissions to 01733 (rwx-wx-wt); it can prevent session numbers leaking. Is it clear now?
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman 000.f...@quip.cz
To: bug-follo...@freebsd.org, andzi...@volt.iem.pw.edu.pl
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

Yes, it is clear now and with owner root, it works.

I propose to make this optional, as somebody has /tmp optimized for better speed (another disk device, flash device, RAM disk etc.) but not /var/lib/php5. And FreeBSD doesn't have /var/lib by default. /var/lib/* is mostly used by some Linux distributions. I am not sure if it is the right place to put these files, according to man hier(7).

Next thing to think about is that /tmp is (or easily can be) cleared at system startup, but /var/*/* is not.

If we do some change in the default php.ini, it affects more than just the files being moved to another place, so things need to be done carefully. Maybe leave the default as is and put these hardening steps in comments in php.ini, then anybody can make their own decision.
Re: ports/138698: lang/php5: PHP session.save_path vulnerability
On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote:
> The following reply was made to PR ports/138698; it has been noted by GNATS.
>
> From: Miroslav Lachman 000.f...@quip.cz
> To: bug-follo...@freebsd.org, andzi...@volt.iem.pw.edu.pl
> Cc:
> Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
> Date: Thu, 10 Sep 2009 20:49:14 +0200
>
> Yes, it is clear now and with owner root, it works.
>
> I propose to make this optional, as somebody has /tmp optimized for better speed (another disk device, flash device, RAM disk etc.) but not /var/lib/php5. And FreeBSD doesn't have /var/lib by default. /var/lib/* is mostly used by some Linux distributions. I am not sure if it is the right place to put these files, according to man hier(7).
>
> Next thing to think about is that /tmp is (or easily can be) cleared at system startup, but /var/*/* is not.
>
> If we do some change in the default php.ini, it affects more than just the files being moved to another place, so things need to be done carefully. Maybe leave the default as is and put these hardening steps in comments in php.ini, then anybody can make their own decision.

An UPDATING msg would be in place, too, IMO.

-- 
Piotr Smyrak
piotr.smy...@heron.pl
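The hardening argued out in this PR (a dedicated session directory owned by root with mode 01733, so other users can create session files but cannot list the directory, and therefore cannot harvest the sess_<id> file names that PHP's files handler uses) can be checked mechanically. The script below is an added example, not code from the PR or from the php5 port. It builds two constructed directories under a temp dir, a /tmp-style 01777 one and a 01733 one, and audits both; `web_uid` is a parameter standing in for the www uid, because the example cannot assume it runs as root or that a www user exists, and chown to root is left to the operator for the same reason.

```python
import os
import stat
import tempfile

# Added example, not code from the PR. PHP's files session handler names each
# session file sess_<session id>, so a save_path directory that other users
# can *list* leaks live session IDs even when the files themselves are 0600.
SESSION_PREFIX = "sess_"


def session_ids_visible(path):
    """Session IDs harvestable by simply listing the directory.

    Returns [] when the directory cannot be listed at all, which is what
    mode 01733 gives every uid except the owner (and root).
    """
    try:
        names = os.listdir(path)
    except PermissionError:
        return []
    return sorted(n[len(SESSION_PREFIX):] for n in names if n.startswith(SESSION_PREFIX))


def audit_session_dir(path, web_uid):
    """Return a list of findings; [] means the directory matches the PR's proposal.

    web_uid is the uid PHP runs as (www under Apache); passed in rather than
    looked up so the example runs unprivileged on a box without that user.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-listable: any local user can enumerate sess_* names")
    if mode & stat.S_IRGRP:
        findings.append("group-listable: group members can enumerate sess_* names")
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit missing: users can remove or rename each other's session files")
    if st.st_uid == web_uid:
        # The owner class gets rwx under 01733 and can chmod the directory
        # anyway, which is why the PR settled on owner root rather than www.
        findings.append("owned by the web-server uid: PHP can list (and re-chmod) the directory")
    return findings


def harden_session_dir(path):
    """Create path with the proposed 01733 mode and return the resulting mode bits."""
    os.makedirs(path, exist_ok=True)
    # chmod explicitly rather than relying on the mkdir mode, so umask cannot weaken it
    os.chmod(path, 0o1733)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Audit a constructed /tmp-style directory and a constructed hardened one.

    Results are returned as a dict so they can be checked rather than printed.
    """
    base = tempfile.mkdtemp()
    weak = os.path.join(base, "tmp")
    os.mkdir(weak)
    os.chmod(weak, 0o1777)  # the default /tmp permissions the PR objects to
    with open(os.path.join(weak, SESSION_PREFIX + "0123456789abcdef"), "w"):
        pass  # constructed session file; a real one would hold serialized $_SESSION
    hardened = os.path.join(base, "php5")
    hardened_mode = harden_session_dir(hardened)
    me = os.getuid()
    other = me + 1  # stands in for a www uid that differs from the directory owner
    return {
        "weak_ids": session_ids_visible(weak),
        "weak_findings": audit_session_dir(weak, web_uid=other),
        "hardened_findings": audit_session_dir(hardened, web_uid=other),
        "hardened_owned_by_web": audit_session_dir(hardened, web_uid=me),
        "hardened_mode": hardened_mode,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as an unprivileged user: the 01777 directory reports the session ID by file name and two listability findings, the 01733 directory reports nothing when owned by a uid other than the web server's, and the same directory owned by the web-server uid is flagged, which is the mistake corrected in the thread. The per-VirtualHost `php_admin_value session.save_path` split suggested earlier in the PR is complementary: it separates sites from each other, while the mode fixes what other local users can see.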
ffmpeg vulnerability
(Resending, I did not see it posted earlier)

ffmpeg has 3 announced vulnerabilities in this past month. Here is the latest...

09.6.23 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg libavformat/4xm.c Remote Code Execution
Description: FFmpeg is an application used to record, convert, and stream audio and video. The application is exposed to a remote code execution issue because it fails to adequately validate user-supplied input. This issue occurs in the libavformat/4xm.c source file, and occurs because of a NULL pointer dereference error. FFmpeg trunk revision versions prior to 16846 are vulnerable.
Ref: http://www.trapkit.de/advisories/TKADV2009-004.txt

Normally I would submit a vuxml entry, but I am not sure how to indicate the proper fixed version since the port uses 2008.07.07_7 while the fixed version is revision 16846.

-- 
Realization #2031: That the meaning of life is now just another Google search.
Mark D. Foster m...@foster.cc http://mark.foster.cc/ | http://conshell.net/
Critical vulnerability patch need in BINDx ports
Hello, Doug. I hope, you've already seen patch for BINDx, that close critical vulnerability. Could you register it in your FreeBSD-port(s)? http://www.isc.org/index.pl?/sw/bind/index.php === Index: inet_network.c diff -u inet_network.c:1.5 inet_network.c:1.6 --- inet_network.c:1.5 Wed Apr 27 04:56:21 2005 +++ inet_network.c Tue Jan 15 04:02:01 2008 @@ -84,9 +84,9 @@ } if (!digit) return (INADDR_NONE); + if (pp = parts + 4 || val 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp = parts + 4 || val 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; } === --- With best regards, sysadmin of Ozerki.Net Dennis Yusupoff ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to [EMAIL PROTECTED]
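Review bot: moving the bounds check ahead of the `*cp == '.'` test is the right fix, because in the old placement it was only reached for a component followed by a dot, so the final, undotted component was never checked against `parts + 4` or `0xffU` before the code after the loop used it. As quoted in this mail, though, the relational operators have dropped out of both the added and the removed lines (`if (pp = parts + 4 || val 0xffU)`), which would make the first term an assignment and the second a syntax error; anyone applying this should take it from the ISC tree linked above rather than from this mail. The intended condition is presumably `pp >= parts + 4 || val > 0xffU`.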
Re: Critical vulnerability patch need in BINDx ports
Dennis Yusupoff wrote:
> Hello, Doug.
>
> I hope you've already seen the patch for BINDx that closes a critical vulnerability.
> Could you register it in your FreeBSD port(s)?

That change is included in the versions of BIND already in the ports.

Doug

-- 
This .signature sanitized for your protection
Re: Critical vulnerability patch need in BINDx ports
Xin LI wrote:
> This is for BIND8...

Yeah, that too. :)

No one should be running BIND 8 BTW, just in case that news has escaped your notice.

Doug

-- 
This .signature sanitized for your protection
Re: Critical vulnerability patch need in BINDx ports
Doug Barton wrote:
| Dennis Yusupoff wrote:
| Hello, Doug.
|
| I hope you've already seen the patch for BINDx that closes a critical
| vulnerability.
| Could you register it in your FreeBSD port(s)?
|
| That change is included in the versions of BIND already in the ports.

Any plan to update them to the corresponding -P1 versions? :)

Cheers,
-- 
Xin LI [EMAIL PROTECTED] http://www.delphij.net/
FreeBSD - The Power to Serve!
Re[2]: Critical vulnerability patch need in BINDx ports
Good day, Doug!

DB> Dennis Yusupoff wrote:
DB>> Hello, Doug.
DB>>
DB>> I hope you've already seen the patch for BINDx that closes a critical
DB>> vulnerability.
DB>> Could you register it in your FreeBSD port(s)?
DB>
DB> That change is included in the versions of BIND already in the ports.
DB> This is for BIND8...

Oh... I'm sorry. I'm feeling like an idiot. %-)

I meant this one:
http://www.isc.org/sw/bind/forgery-resilience.php

What will you say?

Best regards,
D. R. Yusupov

-- 
TheBat! 4.0.24
Written 09.07.2008 at 22:52 in reply to a message of 09.07.2008 22:25
Re: Critical vulnerability patch need in BINDx ports
Xin LI wrote:
> Doug Barton wrote:
> | Dennis Yusupoff wrote:
> | Hello, Doug.
> |
> | I hope you've already seen the patch for BINDx that closes a critical
> | vulnerability.
> | Could you register it in your FreeBSD port(s)?
> |
> | That change is included in the versions of BIND already in the ports.
>
> Any plan to update them to the corresponding -P1 versions? :)

No, I really don't care about security vulnerabilities. Running secure systems is highly overrated.

Doug

-- 
This .signature sanitized for your protection
Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
On Wed, 2 Aug 2006 13:46:04 +0330 Babak Farrokhi [EMAIL PROTECTED] wrote:
> Hi,
>
> Awstats-devel (which has solved this security issue) is in GNATS waiting for submission (PR ports/100162).

If nothing bad happens once again, I plan to dedicate all the upcoming weekend to committing the PRs I am responsible for.

Sorry for the long time :(

-- 
IOnut - Un^d^dregistered ;) FreeBSD "user"

"Intellectual Property is nowhere near as valuable as Intellect"

Ferengi Rule of Acquisition #3: Never pay more for an acquisition than you have to.
-- ST:DS9, The Maquis, Part II
awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
mail# pwd
/usr/ports/www/awstats
mail# make fetch
===> awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
*** Error code 1

Stop in /usr/ports/www/awstats.

please fix !! thank you !

-- 
Regards.
Chevy
RE: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
Hi,

Awstats-devel (which has solved this security issue) is in GNATS waiting for submission (PR ports/100162).

-- 
Babak Farrokhi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of Stanislav Sedov
Sent: Wednesday, August 02, 2006 12:57 PM
To: freebsd-ports@freebsd.org
Subject: Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.

> On Wed, 2 Aug 2006 17:17:16 +0800 chevy [EMAIL PROTECTED] mentioned:
>> mail# pwd
>> /usr/ports/www/awstats
>> mail# make fetch
>> ===> awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
>> *** Error code 1
>>
>> Stop in /usr/ports/www/awstats.
>>
>> please fix !! thank you !
>
> You should wait for the vendor's fix or contact the port maintainer; the fix might be already here. Alternately you can comment out the FORBIDDEN line in the port's Makefile and install the port anyway if you understand what you are doing.
>
> -- 
> Stanislav Sedov
> MBSD labs, Inc.
> [EMAIL PROTECTED]
> Russia, Moscow
> http://mbsd.msk.ru
>
> If the facts don't fit the theory, change the facts. -- A. Einstein
>
> PGP fingerprint: F21E D6CC 5626 9609 6CE2 A385 2BF5 5993 EB26 9581
Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
Thank you very much, and thanks to Stanislav.

On 8/2/06, Babak Farrokhi [EMAIL PROTECTED] wrote:
> Hi,
>
> Awstats-devel (which has solved this security issue) is in GNATS waiting for submission (PR ports/100162).
>
> -- 
> Babak Farrokhi
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of Stanislav Sedov
> Sent: Wednesday, August 02, 2006 12:57 PM
> To: freebsd-ports@freebsd.org
> Subject: Re: awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
>
>> On Wed, 2 Aug 2006 17:17:16 +0800 chevy [EMAIL PROTECTED] mentioned:
>>> mail# pwd
>>> /usr/ports/www/awstats
>>> mail# make fetch
>>> ===> awstats-6.5_1,1 is forbidden: Command Injection Vulnerability.
>>> *** Error code 1
>>>
>>> Stop in /usr/ports/www/awstats.
>>>
>>> please fix !! thank you !
>>
>> You should wait for the vendor's fix or contact the port maintainer; the fix might be already here. Alternately you can comment out the FORBIDDEN line in the port's Makefile and install the port anyway if you understand what you are doing.
>>
>> -- 
>> Stanislav Sedov
>> MBSD labs, Inc.
>> [EMAIL PROTECTED]
>> Russia, Moscow
>> http://mbsd.msk.ru
>>
>> If the facts don't fit the theory, change the facts. -- A. Einstein
>>
>> PGP fingerprint: F21E D6CC 5626 9609 6CE2 A385 2BF5 5993 EB26 9581

-- 
Regards.
Chevy
Re: Ruby vulnerability?
Sergey Matveychuk wrote:
> Good. There are three patches there. I'll test if they fix the vulnerabilities.

FYI: the fixes were committed.

-- 
Dixi.
Sem.
Re: Ruby vulnerability?
Sergey Matveychuk wrote:
> Sergey Matveychuk wrote:
>> Good. There are three patches there. I'll test if they fix the vulnerabilities.
>
> FYI: the fixes were committed.

Thanks a lot for the work Sergey!

-- 
Kind regards,
Remko Lodder ** [EMAIL PROTECTED]
FreeBSD ** [EMAIL PROTECTED]
/* Quis custodiet ipsos custodes */
Re: Ruby vulnerability?
On Sun, 30 Jul 2006 17:47:33 +0200 Frank Steinborn [EMAIL PROTECTED] wrote:
> Shaun Amott wrote:
>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So far it doesn't appear in the VuXML, but am I correct in presuming it will soon?
>>
>> I've added it; thanks for the report.
>
> Hmm, I saw the flaw with portaudit -Fda yesterday; however, today my ruby isn't shown as vulnerable anymore. Why?

I show it as a vulnerability here. It could be that you may have gotten your last update from a server that hasn't caught up yet. Try running it again and see if that helps.

Randy
-- 
Re: Ruby vulnerability?
On 2006.07.30 17:47:33 +0200, Frank Steinborn wrote:
> Shaun Amott wrote:
>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So far it doesn't appear in the VuXML, but am I correct in presuming it will soon?
>>
>> I've added it; thanks for the report.
>
> Hmm, I saw the flaw with portaudit -Fda yesterday; however, today my ruby isn't shown as vulnerable anymore. Why?

The database was broken for a bit due to an invalid entry; try again now.

-- 
Simon L. Nielsen
Re: Ruby vulnerability?
Dear Sirs,

The CVE report is very unpleasant: "Multiple unspecified vulnerabilities." Secunia has a more professional report. RedHat is the only vendor who has released updates, but they are binary. So there is no known fix now.

The following information may help you:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (the Ruby creator) has not mentioned this yet. And he has said that he has no will to release a patch for the vulnerabilities.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows. At present, a patch for these vulnerabilities is not ready because the problems occur only with $SAFE=4. So the vulnerabilities will be serious only when all the following conditions are satisfied:

* You use the $SAFE=4 sandbox
* You run untrusted code

I hope the ruby team will release 1.8.5 ASAP. On 18th July, ruby 1.8.5 preview2 was released, and the release date of 1.8.5 will be near the middle of August if they work on schedule.

Best regards.
- UEDA Hiroyuki [EMAIL PROTECTED]