From owner-freebsd-ports@FreeBSD.ORG Sun May 24 07:53:51 2015
Message-ID: <55618388.7000504@delphij.net>
Date: Sun, 24 May 2015 00:53:44 -0700
From: Xin Li
To: Jason Unovitch, ports-secteam@FreeBSD.org, freebsd-security@freebsd.org, freebsd-ports@freebsd.org
CC: Roger Marquis, xmj@FreeBSD.org, pi@FreeBSD.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
References: <20150523153031.A1A07357@hub.freebsd.org>
In-Reply-To:
Content-Type: text/plain; charset=windows-1252
List-Id: Porting software to FreeBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

On 5/23/15 09:14, Jason Unovitch wrote:
> On Sat, May 23, 2015 at 11:30 AM, Roger Marquis wrote:
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> as quickly as possible. They are
>> woefully understaffed and need our help. Though freebsd.org
>> indicates that security alerts should be sent to
>> this is incorrect. If the vulnerability is
>> in a port or package send an alert to ports-secteam@ and NOT
>> secteam@ as the secteam will generally not reply to your email or
>> forward the alerts to ports-secteam.
>>
>> Roger
>>
>
> I've attempted to knock out a couple of these over the past 2
> days. There's certainly a non-trivial number of PRs stuck in
> Bugzilla that mention security or CVE that need some care and
> attention. Here are a few that are now ready for the taking.
>
> vuxml patch ready: emulators/virtualbox-ose --
> https://bugs.freebsd.org/200311

I've added the information to the main entry and discarded virtualbox
specific text from Oracle. Since Xen is also affected I have applied the
fix to xen-tools; the 2015Q2 branch version is not affected as Dom0
support is not there, so I haven't merged the change there.

> databases/cassandra -- https://bugs.freebsd.org/199091

Committed, thanks! I've assigned the PR to the maintainer for the port
update.

> databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
> vuxml patch in PR 199091)

I've assigned the PR to the maintainer. We should probably mark the
above two ports as FORBIDDEN and/or DEPRECATED.

> sysutils/py-salt -- https://bugs.freebsd.org/200172

This was already done by xmj@. This one seems serious; can the fix be
backported, or should the port be merged to the 2015Q2 branch?

> vuxml previously done and update patch ready: net/chrony --
> https://bugs.freebsd.org/199508

The vuxml entry was committed by jbeich@ and the port updated by pi@. I
think the update should be merged to the quarterly branch.

> both vuxml and update patch ready: mail/davmail --
> https://bugs.freebsd.org/198297

This was done by pi@. I think this fix should also go to the 2015Q2
branch?

Thanks to everyone working on these issues and thanks for taking the time
to prepare the patches.

Cheers,
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVYYOGAAoJEJW2GBstM+nsmeoP+wVfw1Uw7YYGqhLXMEsFgQ/E
CtWD9LfDgia9ffQIANXi61nUKJ8ex0QZHEFborUMoUMGxPMic5fILFIsKY/FeaLq
Rq6jkVfHlelvHgi4XXf4v9u9JWFISu0jnYqafQiiOc4CK5a3d/JiouC9DJX74fau
jaDZ2snv4VjVnbZHwO35hWTQiN5iCJFt9bkdMV5iQkd/jU1waSDTVuzv9zstaVcQ
jJadqLCNX8ENhNwTZt0SbBBsRNL9mwRMEKbdYcCtxLJoKyQ+GYjbd5UEERajGSLv
H8TaO/wYIrMdeOMFjBe1ppNp+2mX8pn1AnxZx//N9am8dKhTiI+itV2FGonRluzs
aJJmzOHFYUSxwmSkyrcEm/XC0+BEAsTq24fxggJWNKFpD8brCd5ENt8oiA/uOkPR
fkCr1wG8dCW3OV2TYeiFW1XWGmA41J57wP/9WRRLmYTbBqUGTmLsNtnFT0KcdJwQ
G7tbd86xiHQjeF+Al1XAwL/9WgzIsrwjjQ7NO4737yNqvlAMyME30qtmCTwv1beX
3VQWqxJQ82FzI2x7OZgX5NAwyp0InaEI3j+cgTuJY5a6uMd49IMj+Wj+u3E52G/U
wTtp4D3FzaxH4ZCs9pxLM8glvmoCmH6E11+G/WPESFxOXbxw/mkjD+wus5HyCsa7
M7b0T5Y6hN425BmaPaeA
=tvL9
-----END PGP SIGNATURE-----
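The thread above is about getting vuxml entries committed so that `pkg audit` flags the affected ports. As an added example (not part of this thread, not code from the FreeBSD ports tree and not pkg(8)'s own implementation), the following script shows what an audit does with such an entry: it parses VuXML `<vuln>` records, reads each `<package>`'s `<range>` bounds (`lt`, `le`, `eq`, `ge`, `gt`) and reports installed packages whose version falls inside any range. The two entries, the package names, the versions and the all-zero `vid` values are constructed for the example; the version comparison is a simplified approximation of pkg's rules (PORTEPOCH after the comma wins first, then dotted components, then PORTREVISION after the underscore), so treat it as illustrative rather than as a drop-in replacement for `pkg version -t`.

```python
"""Evaluate constructed VuXML entries against installed package versions,
in the spirit of what `pkg audit` does with vuln.xml.

Added example for illustration; not code from the FreeBSD ports tree or
from pkg(8). Entries, package names, versions and vid values are
constructed, and the version comparison is a simplified approximation
of pkg's rules (epoch, then dotted components, then PORTREVISION)."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample document: one entry with only an upper bound and one
# with a bounded window. The vids are placeholders, not real identifiers.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example-port -- constructed entry: versions before 2.0.1</topic>
    <affects>
      <package>
        <name>example-port</name>
        <range><lt>2.0.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml"><p>Constructed description.</p></body>
    </description>
    <references><url>https://example.invalid/advisory-1</url></references>
    <dates><discovery>2015-05-01</discovery><entry>2015-05-02</entry></dates>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>other-port -- constructed entry: 3.0 up to but not including 3.2_2</topic>
    <affects>
      <package>
        <name>other-port</name>
        <range><ge>3.0</ge><lt>3.2_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml"><p>Constructed description.</p></body>
    </description>
    <references><url>https://example.invalid/advisory-2</url></references>
    <dates><discovery>2015-05-10</discovery><entry>2015-05-11</entry></dates>
  </vuln>
</vuxml>
"""


def parse_version(v):
    """Split 'VERSION_REVISION,EPOCH' into a sortable key (simplified pkg rules)."""
    epoch = 0
    if "," in v:                      # PORTEPOCH: a higher epoch always wins
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # PORTREVISION: compared last
        v, r = v.rsplit("_", 1)
        revision = int(r)
    # Numeric components sort numerically; alphabetic components sort after
    # numerics (simplification of pkg's handling of letters and suffixes).
    components = tuple(
        (0, int(c)) if c.isdigit() else (1, c)
        for c in re.findall(r"\d+|[A-Za-z]+", v)
    )
    return (epoch, components, revision)


def vercmp(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def range_matches(range_el, version):
    """Every bound inside one <range> must hold; an empty <range> matches nothing here."""
    bounds = [(child.tag.split("}")[-1], child.text.strip()) for child in range_el]
    return bool(bounds) and all(_OPS[op](vercmp(version, bound)) for op, bound in bounds)


def audit(vuxml_text, installed):
    """Return [(pkgname, version, vid, topic)] for every installed package
    whose version falls inside any <range> of any <vuln> naming it."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", VUXML_NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=VUXML_NS)
        for pkg in vuln.findall("v:affects/v:package", VUXML_NS):
            name = pkg.findtext("v:name", default="", namespaces=VUXML_NS)
            if name not in installed:
                continue
            version = installed[name]
            if any(range_matches(r, version) for r in pkg.findall("v:range", VUXML_NS)):
                hits.append((name, version, vid, topic))
    return hits


if __name__ == "__main__":
    # Constructed set of installed packages (name -> version).
    installed = {"example-port": "2.0.0_3", "other-port": "3.2_1", "third-port": "1.0"}
    for name, version, vid, topic in audit(SAMPLE_VUXML, installed):
        print(f"{name}-{version} is vulnerable: {topic} ({vid})")
```

Two details matter when writing or reviewing a vuxml entry and are visible in the checker: bounds inside a single `<range>` are ANDed (so `<ge>3.0</ge><lt>3.2_2</lt>` is a window, and a fix that only bumps PORTREVISION still needs the `_N` suffix in the `<lt>` bound), and an installed version carrying a PORTEPOCH such as `1.0,1` compares higher than any epoch-less version, which is why an entry written only with `<lt>2.0.1</lt>` will not match it.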