From owner-svn-ports-head@freebsd.org  Thu Sep 22 12:57:24 2016
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 24451BE54EE;
 Thu, 22 Sep 2016 12:57:24 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com
 [66.111.4.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id F3967F3C;
 Thu, 22 Sep 2016 12:57:23 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
 by mailout.nyi.internal (Postfix) with ESMTP id BCF3820851;
 Thu, 22 Sep 2016 08:57:16 -0400 (EDT)
Received: from web3 ([10.202.2.213])
 by compute7.internal (MEProxy); Thu, 22 Sep 2016 08:57:16 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=1supy2ImWiozy0q
 fbUNtJtxG5Uo=; b=jtoywxkDVihZ8EESjsj02gSKG/e+Rl/z4cbawmIrZDUtRy+
 lHNmi66NbwZSDDuJn2qjc6HmCDaKgNoZcjx/vZ0CMAMqAvDqLMPZy2z4Do407QO1
 0GVdoscpuugXjIlpzbpwrDgo628d0mEzUCmC6RKJxp0ju6XxlrRe+o7HWZ/s=
Received: by mailuser.nyi.internal (Postfix, from userid 99)
 id 916D62E184; Thu, 22 Sep 2016 08:57:16 -0400 (EDT)
Message-Id: <1474549036.1431804.733733225.0A2B9B36@webmail.messagingengine.com>
X-Sasl-Enc: f5IK5H/EJvbFo5xp74Pf0B/HYkaQExkcj8rQq/8mTomQ 1474549036
From: Mark Felder <feld@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, ports-committers@freebsd.org,
 svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: MessagingEngine.com Webmail Interface - ajax-3ce3fca2
Subject: Re: svn commit: r422582 - head/security/vuxml
Date: Thu, 22 Sep 2016 07:57:16 -0500
In-Reply-To: <c6f6f1b7-3bdb-0d32-5581-6b7a19321825@FreeBSD.org>
References: <201609212059.u8LKxqfr042194@repo.freebsd.org>
 <c6f6f1b7-3bdb-0d32-5581-6b7a19321825@FreeBSD.org>
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2016 12:57:24 -0000



On Wed, Sep 21, 2016, at 17:00, Bryan Drewery wrote:
> On 9/21/16 1:59 PM, Mark Felder wrote:
> > Author: feld
> > Date: Wed Sep 21 20:59:52 2016
> > New Revision: 422582
> > URL: https://svnweb.freebsd.org/changeset/ports/422582
> > 
> > Log:
> >   Document irssi vulnerabilities
> >   
> >   PR:		212888
> >   Security:	CVE-2016-7044
> >   Security:	CVE-2016-7045
> > 
> > Modified:
> >   head/security/vuxml/vuln.xml
> > 
> > Modified: head/security/vuxml/vuln.xml
> > ==============================================================================
> > --- head/security/vuxml/vuln.xml	Wed Sep 21 20:59:25 2016	(r422581)
> > +++ head/security/vuxml/vuln.xml	Wed Sep 21 20:59:52 2016	(r422582)
> > @@ -58,6 +58,34 @@ Notes:
> >    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> >  -->
> >  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > +  <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
> > +    <topic>irssi -- heap corruption and missing boundary checks</topic>
> > +    <affects>
> > +      <package>
> > +	<name>irssi</name>
> > +	<range><lt>0.8.20</lt></range>
> > +      </package>
> 
> Only 0.8.17+ are affected.  See
> https://irssi.org/security/irssi_sa_2016.txt "Affected versions".  The
> irssi-devel port likely had vulnerable revisions too.
> 

Fixed the range. I'm having a hard time figuring out the old irssi-devel
port's relationship with actual releases. Those snapshots aren't
available anymore for inspection :(


-- 
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org