From nobody Mon Dec 8 18:48:31 2025
Date: Mon, 08 Dec 2025 18:48:31 +0000
From: Bacula-Web project maintainer
To: Dimitry Andric
Cc: "freebsd-security@FreeBSD.org"
Subject: Re: Guidance on how to handle FreeBSD port vulnerability
In-Reply-To: <11DA25E7-8840-4182-995A-B976439C2E04@FreeBSD.org>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Thanks for your feedback Dimitry,

I’ll create a bug asap.

Best,
Davide

-------- Original Message --------
On Sunday, 12/07/25 at 12:35 Dimitry Andric wrote:

On 7 Dec 2025, at 12:28, Bacula-Web project maintainer wrote:
>
>
> Hello there,
>
> I'd need some help to tackle a known FreeBSD port vulnerability which doesn't seem to be referenced on FreshPort.org.
>
> The affected port is https://www.freshports.org/www/bacula-web/.
>
> Also, I'd like to put some efforts to keep updated above ports as it deserves some more "love".
>
> Any hints / link to documented process would be nice.

Report a bug on https://bugs.freebsd.org/bugzilla/, the "Report an update or defect to a port" link there is the most appropriate. If you start the subject of the bug report with the string "www/bacula-web: " it will automatically get assigned to the port maintainer, which at the moment is ler@FreeBSD.org.

-Dimitry

From nobody Mon Dec 8 21:25:33 2025
Date: Mon, 8 Dec 2025 21:25:33 +0000
From: Polarian
To: freebsd-security@freebsd.org
Subject: Re: Guidance on how to handle FreeBSD port vulnerability
Message-ID: <20251208212533.48a22c85@Hydrogen>

Hey,

I assume you are referencing CVE-2025-45346?

I checked now I still do not see a bug for this.

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev

From nobody Tue Dec 9 05:15:57 2025
Date: Tue, 09 Dec 2025 05:15:57 +0000
From: Bacula-Web project maintainer
To: Polarian
Cc: freebsd-security@freebsd.org
Subject: Re: Guidance on how to handle FreeBSD port vulnerability
In-Reply-To: <20251208212533.48a22c85@Hydrogen>

Hi,

> Hey,
>
> I assume you are referencing CVE-2025-45346?

Yes, this is exactly the CVE I had in mind.

>
> I checked now I still do not see a bug for this.

I've created this one -> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291505

>
> Take care,
> --
> Polarian
> Jabber/XMPP: polarian@icebound.dev

Best regards
Davide