Date: Sun, 14 Dec 2014 17:16:31 +0100
From: Jean-Sébastien Pédron <dumbbell@FreeBSD.org>
To: freebsd-x11@freebsd.org
Subject: Re: Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71
Message-ID: <548DB7DF.3080805@FreeBSD.org>
In-Reply-To: <20141214114244.GA2487@FreeBSD.org>
References: <201412141121.sBEBLsvP017491@svn.freebsd.org> <20141214114244.GA2487@FreeBSD.org>

On 14.12.2014 12:42, Alexey Dokuchaev wrote:
> I've marked these ports FORBIDDEN for now, but their fate is yet to be decided.
> Last update to -173 legacy branch, 173.14.39 added support for X.org xserver
> ABI 15 (xorg-server 1.15), and it was confirmed to work with upcoming v1.14
> update (PR 195781), so it would be unfortunate to lose it just because NVidia
> does not care about it anymore and won't provide a fix for CVE-2014-8298.

I agree, there's no need to remove -173 for now, as it works.

> So perhaps instead of forbidding them and subsequently removing, we can
> provide pkg-message that tells users what they are facing and how to stay
> safe (with a legal bla-bla about that FreeBSD cannot guarantee anything
> if you use this vulnerable, unmaintained upstream port)?
>
> I wonder what other people think.

If the problem is well documented and workarounds are described, I
believe it's fine. Making the user's life easier is more important to me
than this security issue; it's not like we're talking about OpenSSL
here. We have already lived with the hole for 9 months, it can stay a bit longer.

However, I have no strong opinion on that matter, I'll accept the
decision of more experienced ports/security people :)

-- 
Jean-Sébastien Pédron