Date: Sun, 24 May 2015 00:53:44 -0700
From: Xin Li <delphij@delphij.net>
To: Jason Unovitch <jason.unovitch@gmail.com>, ports-secteam@FreeBSD.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Cc: Roger Marquis <marquis@roble.com>, xmj@FreeBSD.org, pi@FreeBSD.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <55618388.7000504@delphij.net>
In-Reply-To: <CABW2x9oPxhzrNmRd8qmVkw13F9zwqQpMGV-UqxJ0TJgiZF6Zyw@mail.gmail.com>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153031.A1A07357@hub.freebsd.org> <CABW2x9oPxhzrNmRd8qmVkw13F9zwqQpMGV-UqxJ0TJgiZF6Zyw@mail.gmail.com>
Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
> On Sat, May 23, 2015 at 11:30 AM, Roger Marquis <marquis@roble.com> wrote:
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> <ports-secteam@FreeBSD.org> as quickly as possible. They are
>> woefully understaffed and need our help. Though freebsd.org
>> indicates that security alerts should be sent to
>> <secteam@FreeBSD.org> this is incorrect. If the vulnerability is
>> in a port or package send an alert to ports-secteam@ and NOT
>> secteam@ as the secteam will generally not reply to your email or
>> forward the alerts to ports-secteam.
>>
>> Roger
>>
>
> I've attempted to knock out a couple of these over the past 2
> days. There's certainly a non-trivial amount of PRs stuck in
> Bugzilla that mention security or CVE that need some care and
> attention. Here's a few that are now ready for the taking.
>
> vuxml patch ready:
> emulators/virtualbox-ose -- https://bugs.freebsd.org/200311

I've added the information to the main entry and discarded the
VirtualBox-specific text from Oracle. Since Xen is also affected I have
applied the fix to xen-tools; the 2015Q2 branch version is not affected
as Dom0 support is not there, so I haven't merged the change there.

> databases/cassandra -- https://bugs.freebsd.org/199091

Committed, thanks! I've assigned the PR to the maintainer for the port
update.

> databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
> vuxml patch in PR 199091)

I've assigned the PR to the maintainer. We should probably mark the
above two ports as FORBIDDEN and/or DEPRECATED.

> sysutils/py-salt -- https://bugs.freebsd.org/200172

This was already done by xmj@. This one seems serious; can the fix be
backported, or should the port be merged to the 2015Q2 branch?
> vuxml previously done and update patch ready:
> net/chrony -- https://bugs.freebsd.org/199508

The vuxml entry was committed by jbeich@ and the port updated by pi@. I
think the update should be merged to the quarterly branch.

> both vuxml and update patch ready:
> mail/davmail -- https://bugs.freebsd.org/198297

This was done by pi@. I think this fix should also go to the 2015Q2
branch?

Thanks to everyone working on these issues, and thanks for taking the
time to prepare the patches.

Cheers,