From: Olli Hauer
Date: Sun, 11 Mar 2012 22:59:34 +0100
To: "Simon L. Nielsen"
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: ports/ports-mgmt/portaudit Makefile pkg-plist ports/ports-mgmt/portaudit/files portaudit-cmd.sh
Message-ID: <4F5D2046.4030309@FreeBSD.org>
In-Reply-To: <201203112132.q2BLWwTZ074498@repoman.freebsd.org>

On 2012-03-11 22:32, Simon L. Nielsen wrote:
> simon 2012-03-11 21:32:58 UTC
>
> FreeBSD ports repository
>
> Modified files:
> ports-mgmt/portaudit Makefile pkg-plist
> ports-mgmt/portaudit/files portaudit-cmd.sh
> Log:
> Portaudit 0.6.0:
>
> Fix remote code execution which can occur with a specially crafted
> audit file. The attacker would need to get the portaudit(1) to
> download the bad audit database, e.g. by performing a man in the
> middle attack.
>
> Add signature verification of the portaudit database. The public key
> for the database generated for portaudit.FreeBSD.org is included
> in the distribution.
>
> Submitted by: Michael Gmelin
> Reported by: Michael Gmelin, Joerg Scheinert
> Security: Remote code execution
> Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
> Feature safe: yes
> With hat: so
>
> Revision Changes Path
> 1.30 +2 -1 ports/ports-mgmt/portaudit/Makefile
> 1.20 +69 -10 ports/ports-mgmt/portaudit/files/portaudit-cmd.sh
> 1.6 +1 -0 ports/ports-mgmt/portaudit/pkg-plist
>
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/ports-mgmt/portaudit/Makefile.diff?&r1=1.29&r2=1.30&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/ports-mgmt/portaudit/files/portaudit-cmd.sh.diff?&r1=1.19&r2=1.20&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/ports-mgmt/portaudit/pkg-plist.diff?&r1=1.5&r2=1.6&f=h
>

Hi Simon,

Seems the public key was not committed.

And thanks for removing the annoying "Vulnerability check disabled ..." message.
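
The commit log above describes verifying a signature on the downloaded audit database against a public key shipped with the tool. The following is an added example of that pattern, not code from portaudit or from this thread: the function names, file layout, and the choice of a detached RSA/SHA-256 signature checked with `openssl dgst` are assumptions, and the key pair and database are constructed for the demo.

```shell
#!/bin/sh
# Added example: fail-closed signature check before a downloaded database is used.
# Assumptions: detached RSA/SHA-256 signature, openssl(1) available, hypothetical paths.

# verify_and_install DB SIG PUBKEY DEST
# Copies DB to DEST only if SIG is a valid signature over DB under PUBKEY.
verify_and_install() {
    db=$1 sig=$2 pubkey=$3 dest=$4

    # Missing or empty inputs are treated as a failure, never as "unsigned is fine".
    for f in "$db" "$sig" "$pubkey"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # Check the signature with the locally shipped public key. The downloaded
    # file is not unpacked, parsed or sourced before this succeeds.
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$db" >/dev/null 2>&1; then
        echo "signature verification failed; keeping existing database" >&2
        return 1
    fi

    # Write to a temporary name, then rename, so readers never see a partial file.
    tmp="$dest.tmp.$$"
    cp "$db" "$tmp" && mv "$tmp" "$dest"
}

# demo: constructed key pair and database; prints "<genuine rc> <tampered rc>".
demo() {
    work=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"
    printf 'constructed audit entry\n' > "$work/db"
    openssl dgst -sha256 -sign "$work/priv.pem" -out "$work/db.sig" "$work/db"

    verify_and_install "$work/db" "$work/db.sig" "$work/pub.pem" "$work/ok" && good=0 || good=$?

    # Simulate modification in transit: same signature, altered content.
    printf 'injected line\n' >> "$work/db"
    verify_and_install "$work/db" "$work/db.sig" "$work/pub.pem" "$work/bad" 2>/dev/null && bad=0 || bad=$?
    if [ -e "$work/bad" ]; then bad=installed; fi

    rm -rf "$work"
    echo "$good $bad"
}
```

The check only protects the database if the public key itself is present and trusted on the local system, which is why the missing-key case returns an error instead of skipping verification.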