From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: JosC, FreeBSD Ports ML
Subject: Re: Perl upgrade - 5.20.x vulnerable
Date: Tue, 16 Aug 2016 19:07:29 +1000
Message-ID: <280f6f77-ad33-6ebb-d54a-a97129f793b3@FreeBSD.org>
In-Reply-To: <2915322d-0b1a-d36e-0725-c10bd0d32b7c@cloudzeeland.nl>

On 16/08/2016 6:55 PM, JosC wrote:
> Still get this port upgrade error:
>
> --- cut text ---
>
> ===>>> All >> perl5-5.20.3_14 (1/1)
> ===>  Cleaning for perl5-5.20.3_15
> ===>  perl5-5.20.3_15 has known vulnerabilities:
> perl5-5.20.3_15 is vulnerable:
> p5-XSLoader -- local arbitrary code execution
> CVE: CVE-2016-6185
> WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>
> 1 problem(s) in the installed packages found.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
>
> Stop.
> make[1]: stopped in /usr/ports/lang/perl5.20
> *** Error code 1
>
> Stop.
> make: stopped in /usr/ports/lang/perl5.20
>
> ===>>> make build failed for lang/perl5.20
> ===>>> Aborting update
>
> ===>>> Update for lang/perl5.20 failed
> ===>>> Aborting update
>
> ===>>> You can restart from the point of failure with this command line:
> portmaster lang/perl5.20
>
> --- cut text ---
>
> Can only solve by deinstalling the port and reinstalling with
> 'DISABLE_VULNERABILITIES=yes'
>
> Perhaps I'm missing something, but what exactly is the issue? I'm just
> trying to understand how I can solve this...
>
> Thanks,
> Jos
>
> In a message of 11-8-2016 20:45:
>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>> stable version?
>>
>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>> so:
>>
>> ===>  Cleaning for perl5-5.20.3_14
>> ===>  perl5-5.20.3_14 has known vulnerabilities:
>> perl5-5.20.3_14 is vulnerable:
>> p5-XSLoader -- local arbitrary code execution
>> CVE: CVE-2016-6185
>> WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>
>> perl5-5.20.3_14 is vulnerable:
>> perl -- local arbitrary code execution
>> CVE: CVE-2016-1238
>> WWW: https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>
>> 1 problem(s) in the installed packages found.
>> => Please update your ports tree and try again.
>> => Note: Vulnerable ports are marked as such even if there is no update
>> available.
>> => If you wish to ignore this vulnerability rebuild with 'make
>> DISABLE_VULNERABILITIES=yes'
>> *** Error code 1
>>
>> Stop.
>> make[1]: stopped in /usr/ports/lang/perl5.20
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/lang/perl5.20
>>
>> --- cut ---
>
>

Try running pkg audit -F to force updating/refreshing the latest VuXML
changes. In this case the lang/perl5.20 (port) version string that the
fix was made in [1] was only added to an existing entry in
security/vuxml as an 'update' yesterday [2].

[1] http://svnweb.freebsd.org/changeset/ports/420220
[2] http://svnweb.freebsd.org/changeset/ports/420219

In the absence of running 'pkg audit -F', only the
LOCALBASE/periodic/security/410.pkg-audit script updates the vuxml file
and audit results. Until that happens, or pkg audit -F is run, pkg will
still see an older version.

Let us know how it goes

./koobs
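The refresh-then-audit step from the reply as a small sh helper, added here as an example and not part of the thread or of pkg itself. The summarize_audit and audit_count functions parse the `pkg audit` output format quoted above and run anywhere with sh and awk on a constructed sample; refresh_and_audit assumes a FreeBSD host with pkg and is not run by the demo.

```shell
#!/bin/sh
# Constructed sample of `pkg audit` output, shaped like the quoted
# 11-8-2016 message (one package, two VuXML entries).
SAMPLE_AUDIT='perl5-5.20.3_14 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

perl5-5.20.3_14 is vulnerable:
perl -- local arbitrary code execution
CVE: CVE-2016-1238
WWW: https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.'

# summarize_audit: read pkg audit output on stdin and emit one
# "package<TAB>CVE<TAB>title" line per CVE, so a periodic job or a
# pre-upgrade check can diff results before and after a VuXML refresh.
summarize_audit() {
    awk '
        / is vulnerable:$/                 { pkg = $1; title = ""; next }
        pkg != "" && title == "" && / -- / { title = $0; next }
        pkg != "" && /^CVE: /              { print pkg "\t" $2 "\t" title; next }
        /^$/                               { pkg = ""; title = "" }
    '
}

# audit_count PREFIX TEXT: number of CVEs reported for packages whose
# name starts with PREFIX (e.g. "perl5") in the given audit output.
audit_count() {
    printf '%s\n' "$2" | summarize_audit |
        awk -F '\t' -v p="$1" 'index($1, p) == 1 { n++ } END { print n + 0 }'
}

# refresh_and_audit PKGNAME: the fix from the reply, as a function. Force
# a VuXML database refresh first (pkg audit -F), then audit only the named
# package against the freshly fetched data. Needs a FreeBSD host with pkg.
refresh_and_audit() {
    # pkg audit exits non-zero when it finds vulnerable packages, so its
    # status is deliberately not used as an error signal here.
    pkg audit -F >/dev/null 2>&1 || true
    pkg audit "$1" | summarize_audit
}

# Demo on the constructed sample (runs anywhere with sh and awk).
printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
echo "perl5 CVEs in sample: $(audit_count perl5 "$SAMPLE_AUDIT")"
```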