Date:      Wed, 22 Aug 2012 00:08:07 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Eygene Ryabinkin <rea@freebsd.org>
Cc:        svn-ports-head@freebsd.org, ports-security@freebsd.org, svn-ports-all@freebsd.org, Eitan Adler <eadler@freebsd.org>, ports-committers@freebsd.org
Subject:   Re: svn commit: r302900 - head/security/vuxml
Message-ID:  <50348557.9000100@FreeBSD.org>
In-Reply-To: <20120822042824.GE59200@gprs-internet-client-10.234.sonicduo.com>
References:  <201208212056.q7LKuiwn004348@svn.freebsd.org> <CAF6rxg=FJWHxT1ffpPcFsa4ADwAsVQSQR8Tm9p42LQW8hFxJsA@mail.gmail.com> <20120822042824.GE59200@gprs-internet-client-10.234.sonicduo.com>

On 8/21/2012 9:28 PM, Eygene Ryabinkin wrote:
> Eitan, good day.
> 
> Tue, Aug 21, 2012 at 05:54:15PM -0400, Eitan Adler wrote:
>> On 21 August 2012 16:56, Eygene Ryabinkin <rea@freebsd.org> wrote:
>> ...
>>> Log:
>>>   rssh: document arbitrary code execution, CVE-2012-3478
>> ...
>>> +      <url>http://sourceforge.net/mailarchive/message.php?msg_id=29235647</url>;
>>
>> Given this mailing list discussion, should the port be marked
>> FORBIDDEN?
> 
> No: there is a patch that fixes this issue from the main developer
> (last two messages in the above cited thread; they are mangled
> at the web page, but downloading as HTML gives the patch).
> 
> I intend to update rssh to 2.3.3, apply the patch and possibly
> bring the support for rsync from Debian.  Once my conversion
> of the Git repository for ports from using CVS to Subversion
> ends ;))

What is your timeline on implementing that plan?

Completely aside from my conviction that ALL ports in the vuxml should
be marked FORBIDDEN until they are fixed, Eitan has a point here. This
is a serious compromise, and I would not want users to install the port
in its current form.

Please remember, most of our users do not use portaudit, so they have no
idea that this thing is badly broken.

OTOH, given the author's reluctance to do further work on this tool, it
may be better just to remove it altogether.

Doug

-- 

    I am only one, but I am one.  I cannot do everything, but I can do
    something.  And I will not let what I cannot do interfere with what
    I can do.
        -- Edward Everett Hale (1822 - 1909)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50348557.9000100>