From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Wed, 22 Aug 2012 00:08:07 -0700
To: Eygene Ryabinkin
Cc: svn-ports-head@freebsd.org, ports-security@freebsd.org, svn-ports-all@freebsd.org, Eitan Adler, ports-committers@freebsd.org
Subject: Re: svn commit: r302900 - head/security/vuxml
Message-ID: <50348557.9000100@FreeBSD.org>
In-Reply-To: <20120822042824.GE59200@gprs-internet-client-10.234.sonicduo.com>
References: <201208212056.q7LKuiwn004348@svn.freebsd.org> <20120822042824.GE59200@gprs-internet-client-10.234.sonicduo.com>

On 8/21/2012 9:28 PM, Eygene Ryabinkin wrote:
> Eitan, good day.
>
> Tue, Aug 21, 2012 at 05:54:15PM -0400, Eitan Adler wrote:
>> On 21 August 2012 16:56, Eygene Ryabinkin wrote:
>> ...
>>> Log:
>>> rssh: document arbitrary code execution, CVE-2012-3478
>> ...
>>> + http://sourceforge.net/mailarchive/message.php?msg_id=29235647
>>
>> Given this mailing list discussion, should the port be marked
>> FORBIDDEN?
>
> No: there is a patch that fixes this issue from the main developer
> (last two messages in the above cited thread; they are mangled
> at the web page, but downloading as HTML gives the patch).
>
> I intend to update rssh to 2.3.3, apply the patch and possibly
> bring the support for rsync from Debian. Once my conversion
> of the Git repository for ports from using CVS to Subversion
> will end ;))

What is your timeline on implementing that plan?

Completely aside from my conviction that ALL ports in the vuxml should
be marked FORBIDDEN until they are fixed, Eitan has a point here. This
is a serious compromise, and I would not want users to install the port
in its current form. Please remember, most of our users do not use
portaudit, so they have no idea that this thing is badly broken.

OTOH, given the author's reluctance to do further work on this tool, it
may be better just to remove it altogether.

Doug

-- 
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what I
can do.
-- Edward Everett Hale, (1822 - 1909)