From owner-freebsd-security@freebsd.org Tue Nov 26 13:53:48 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8D3B91B7133 for ; Tue, 26 Nov 2019 13:53:48 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from smtp1.redcom.com (smtp1.redcom.com [192.86.3.143]) by mx1.freebsd.org (Postfix) with ESMTP id 47Mlk35JRhz3MRl for ; Tue, 26 Nov 2019 13:53:47 +0000 (UTC) (envelope-from stephen.wall@redcom.com) Received: from localhost (localhost [127.0.0.1]) by smtp1.redcom.com (Postfix) with ESMTP id B0EA2A0F4 for ; Tue, 26 Nov 2019 08:53:46 -0500 (EST) X-Virus-Scanned: amavisd-new at redcom.com Received: from smtp1.redcom.com ([127.0.0.1]) by localhost (smtp1.redcom.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XIV7anXHf2NF for ; Tue, 26 Nov 2019 08:53:44 -0500 (EST) Received: from pie.redcom.com (pie [192.168.33.15]) by smtp1.redcom.com (Postfix) with ESMTP id 77BACA0F3 for ; Tue, 26 Nov 2019 08:53:44 -0500 (EST) Received: from exch-03.redcom.com (exch-03.redcom.com [192.168.32.32]) by pie.redcom.com (8.11.7p1+Sun/8.10.2) with ESMTP id xAQDriL14101 for ; Tue, 26 Nov 2019 08:53:44 -0500 (EST) Received: from exch-03.redcom.com (fd00::8549:68c0:3d5f:ee62) by exch-03.redcom.com (fd00::8549:68c0:3d5f:ee62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.330.5; Tue, 26 Nov 2019 08:53:44 -0500 Received: from exch-03.redcom.com ([fe80::a442:ce34:c9c8:268f]) by exch-03.redcom.com ([fe80::a442:ce34:c9c8:268f%3]) with mapi id 15.02.0330.010; Tue, 26 Nov 2019 08:53:44 -0500 From: "Wall, Stephen" To: "freebsd-security@freebsd.org" Subject: libidn2 vulnerability Thread-Topic: libidn2 vulnerability Thread-Index: AdWkX9Uan8UQDBTETa2kLMXbpeJuZw== Date: Tue, 26 Nov 2019 13:53:44 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.168.84.20] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Rspamd-Queue-Id: 47Mlk35JRhz3MRl X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of stephen.wall@redcom.com designates 192.86.3.143 as permitted sender) smtp.mailfrom=stephen.wall@redcom.com X-Spamd-Result: default: False [-3.19 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; HAS_XOIP(0.00)[]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.86.3.143/32]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[redcom.com]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; IP_SCORE(-0.99)[ip: (-2.59), ipnet: 192.86.3.0/24(-1.29), asn: 46679(-1.03), country: US(-0.05)]; RCVD_IN_DNSWL_NONE(0.00)[143.3.86.192.list.dnswl.org : 127.0.10.0]; TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:46679, ipnet:192.86.3.0/24, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_SEVEN(0.00)[7] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Nov 2019 13:53:48 -0000 Attempting to build dns/libidn2 in 2019Q4 results in this error: libidn2-2.2.0 is vulnerable: libidn2 -- roundtrip check vulnerability CVE: CVE-2019-12290 WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913= .html The cited link says "libidn2 before 2.2.0", as does the CVE. Is 2.2.0 actu= ally vulnerable? Either the vulnerability database needs to be fixed, or v= ersion 2.3.0 should be ported from head. Thanks. --=20 Stephen Wall Senior Staff Software Engineer 585.924.7550 REDCOM Laboratories, Inc. One Redcom Center Victor, NY 14564-0995 www.redcom.com DUNS 09-166-5919 | CAGE 1U548 Woman Owned Small Business