pkgsrcCon 2018 - Berlin, CFP
Hi everyone,

It's almost time again for another pkgsrcCon. This year the conference will be held at C-Base, Berlin, Germany on the 7th & 8th of July, with a social event on the Friday night before (6th).

I wanted to give a heads up here to ask if any folks wanted to join us there in July. Talks about ports and packaging software for OpenBSD would be most welcome.

Send your talk submission to pkgsrcCon2018 AT NetBSD org

There are more details at https://pkgsrc.org/pkgsrcCon/2018/

Regards,
Sevan
pkgsrcCon 2017 London, registration open
Hello,

Registration for pkgsrcCon, London is now open[1]. A pre-event social will be held at the end of the month (details will be posted on the website[2]). On Saturday the 1st of July we will hold a day of talks at The BCS, followed by another social event, and on Sunday the 2nd of July we'll have a hack day at the London Hack Space.

The events are open to all; there are no tickets on sale. However, registration is required for The BCS on Saturday. The registration website closes on the 29th of June.

You are likely to hear the following talks on Saturday, and others (waiting for replies). In no particular order:

Giovanni Bechis - Pledge in OpenBSD
Pierre Pronchery - pkg-query
Thomas Merkel - Testing your pkgsrc development on multiple platforms with vagrant and virtualbox
Sevan Janiyan - A mix of two halves
Bennie Siegert - Bulk builds in the cloud
Alistair Crooks - pkgsrc - foundations & abstractions, building from source on 23 platforms
Alistair Crooks - Running a third of the internet on BSD
David Spencer - Slackbuilds
Charles Forsyth - Something regarding portability (details TBA)

If you would like to give a talk on Saturday, we still have slots open. Let me know :)

Sevan

[1] https://events.bcs.org/book/2610/
[2] http://pkgsrc.org/pkgsrcCon/2017/
pkgsrcCon 2017 CFT
Hello,

This year's annual pkgsrcCon is being held in London on July 1st & 2nd, with an evening social event on the 30th of June. While the primary focus is on pkgsrc, the event is about building open source software in general and the challenges we all face.

Last year the event was held in Kraków, Poland with representatives from a wide range of communities giving talks about their respective projects, including OpenBSD, thanks to Adam Wolk & Frederic Cambus :). I'd very much like to continue the same theme with this year's event.

If you would like to give a talk about OpenBSD on July the 1st (preferably on ports, but other areas are fine) it would be cool; please send the title, slot duration (minimum of 15 minutes) and a brief description (for the web site) to me, off-list.

Stuart? Ed? Adam? Frederic?

Sevan
security/py-crypto - CVE-2013-7459
Hello, security/py-crypto in ports is vulnerable to CVE-2013-7459, the attached patches apply the changes from the following commit to v2.6.1. https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Sevan --- lib/Crypto/SelfTest/Cipher/common.py.orig 2017-03-07 16:48:08.0 + +++ lib/Crypto/SelfTest/Cipher/common.py 
@@ -239,19 +239,33 @@ class RoundtripTest(unittest.TestCase): return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,) def runTest(self): -for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP): +## ECB mode + mode = self.module.MODE_ECB + encryption_cipher = self.module.new(a2b_hex(self.key), mode) + ciphertext = encryption_cipher.encrypt(self.plaintext) + decryption_cipher = self.module.new(a2b_hex(self.key), mode) + decrypted_plaintext = decryption_cipher.decrypt(ciphertext) + self.assertEqual(self.plaintext, decrypted_plaintext) + + ## OPENPGP mode + mode = self.module.MODE_OPENPGP + encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) + eiv_ciphertext = encryption_cipher.encrypt(self.plaintext) + eiv = eiv_ciphertext[:self.module.block_size+2] + ciphertext = eiv_ciphertext[self.module.block_size+2:] + decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) + decrypted_plaintext = decryption_cipher.decrypt(ciphertext) + self.assertEqual(self.plaintext, decrypted_plaintext) + + ## All other non-AEAD modes (but CTR) + for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB): encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) ciphertext = encryption_cipher.encrypt(self.plaintext) - -if mode != self.module.MODE_OPENPGP: -decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) -else: -eiv = ciphertext[:self.module.block_size+2] -ciphertext = ciphertext[self.module.block_size+2:] -decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) + decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) decrypted_plaintext = decryption_cipher.decrypt(ciphertext) self.assertEqual(self.plaintext, decrypted_plaintext) + class PGPTest(unittest.TestCase): def __init__(self, module, params): unittest.TestCase.__init__(self) --- src/block_template.c.orig 2017-03-07 16:58:09.0 
+ +++ src/block_template.c @@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, P "Key cannot be the null string"); return NULL; } + if (IVlen != 0 && mode == MODE_ECB) + { + PyErr_Format(PyExc_ValueError, "ECB mode does not use IV"); + return NULL; + } + if (IVlen != 0 && mode == MODE_CTR) + { + PyErr_Format(PyExc_ValueError, + "CTR mode needs counter parameter, not IV"); + return NULL; + } if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR) { PyErr_Format(PyExc_ValueError,
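Review bot: the rewritten runTest in the common.py hunk leaves CTR mode without any round-trip case: the loop comment reads "All other non-AEAD modes (but CTR)" and the loop only covers MODE_CBC, MODE_CFB and MODE_OFB, while ECB and OPENPGP were split out above it. Since the companion block_template.c change starts rejecting an IV for MODE_CTR ("CTR mode needs counter parameter, not IV"), a CTR case constructed with a counter parameter instead of self.iv would document the intended calling convention in the test suite. Note also that the new ECB case calls self.module.new(a2b_hex(self.key), mode) with no IV, whereas the removed loop passed self.iv to MODE_ECB; this test change therefore has to land together with the C patch, or the old ECB round trip would raise ValueError against the patched module.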
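Review bot: the two new IV checks in ALGnew are correctly placed ahead of the existing `if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)` test, which exempted ECB and CTR from any IV length validation; with this hunk a non-empty IV for either mode is rejected with ValueError before that length check is reached. Style point: both new error paths call PyErr_Format with a constant message and no format arguments; PyErr_SetString(PyExc_ValueError, "ECB mode does not use IV") is the conventional call for a fixed string and avoids the message being treated as a format string should it ever gain a '%'.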
Re: Vulnerable packages in ports 30/11/16
On 30/11/2016 02:48, Josh Grosse wrote:
> archivers/p7zip fix already committed

Thanks.

A better link for math/hdf5 is http://blog.talosintel.com/2016/11/hdf5-vulns.html which covers more advisories.

Sevan
Vulnerable packages in ports 30/11/16
Hello,

www/moinmoin
CVE-2016-7146
CVE-2016-7148

science/hdf5-18
http://www.talosintelligence.com/reports/TALOS-2016-0176/

archivers/p7zip
CVE-2016-9296
patch: https://sourceforge.net/p/p7zip/bugs/185/

libxml
CVE-2016-9318
patch: https://bugzilla.gnome.org/show_bug.cgi?id=772726

Sevan
mail/mailman - csrf vulnerability
Hello,

The version in ports is vulnerable to CVE-2016-6893.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6893

Sevan
Vulnerable packages in ports 4/08/16
Hello,

devel/kf5/karchive - CVE-2016-6232

graphics/gd - possibly not vulnerable to http://seclists.org/bugtraq/2016/Aug/35

Sevan
Vulnerable packages in ports 26/07/2016
textproc/xerces-c - http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt

databases/sqlite3 - https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

Sevan
security/botan - multiple vulnerabilities
Hello,

security/botan in ports is vulnerable to the following advisories:

CVE-2016-2194
CVE-2016-2195
CVE-2016-2849
CVE-2015-7827

http://botan.randombit.net/security.html

On security.html, 1.10.13 is not mentioned as containing a fix for CVE-2016-2849 and CVE-2015-7824, but it is mentioned in the release announcement:
https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html

Regards
Sevan
security/wpa_supplicant - multiple vulnerabilities
Hello,

The version of security/wpa_supplicant in ports is vulnerable to the following CVEs:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4476
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4477

Sevan
net/openafs - multiple vulnerabilities
Hello,

The version of net/openafs in ports is vulnerable to the following CVEs:

CVE-2016-4536 - http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
CVE-2016-2860 - http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
CVE-2015-8312 - https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16

Others as listed on http://www.openafs.org/pages/security/

Sevan
Re: telephony/kamailio - CVE-2016-2385
On 24/04/2016 19:29, Stuart Henderson wrote:
> Hmm, is patches/patch-modules_seas_encode_msg_c not enough then?

Sorry Stuart, I slipped up. The package hadn't received a bump for the patch, and I didn't delve into the patches directory. History on openports is not up to date either: http://openports.se/telephony/kamailio

Sevan
telephony/kamailio - CVE-2016-2385
Hello,

telephony/kamailio in ports is vulnerable to the advisory outlined in https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/

Regards
Sevan
devel/jenkins - multiple vulnerabilities
Hello,

Both the devel & stable releases of Jenkins in ports are vulnerable to CVE-2016-0788 through to 0792.

Sevan
Re: pcre CVE-2016-3191
On 22/03/2016 19:52, Jeremie Courreges-Anglas wrote:
>> devel/pcre - CVE-2016-3191
>
> Blindly copy/pasted from upstream's repo.

Seems to be a patch adopted elsewhere as well. While we're here, pcre also appears to be missing a patch for CVE-2016-1283:
http://vcs.pcre.org/pcre?view=revision=1636

Sevan
Re: Vulnerable packages in ports 20/03/2016
On 21/03/2016 02:46, Michael McConville wrote:
> Looks like PCRE 8.39 isn't being mirrored yet. Should we patch manually?
> That looks like a pretty serious vulnerability:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191

Hi Michael,

Ideally, it'll probably bring a revision bump for a plethora of packages as they pull in pcre as well.

Sevan
Vulnerable packages in ports 20/03/2016
net/quagga - CVE-2016-2342
devel/pcre - CVE-2016-3191

Sevan
devel/git CVE-2016-2324
Hi,

Git is currently vulnerable to a buffer overflow attack which is only fixed in the upcoming 3.8.0 release.

https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
http://seclists.org/oss-sec/2016/q1/645
https://security-tracker.debian.org/tracker/CVE-2016-2324

Regards,
Sevan
libgcrypt - CVE-2015-7511
The version of security/libgcrypt is vulnerable to CVE-2015-7511.
https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

Sevan