From owner-svn-ports-all@freebsd.org Thu Jun 30 21:29:00 2016
Message-Id: <1467322138.3172610.653592441.61683319@webmail.messagingengine.com>
From: Mark Felder
To: Cy Schubert, Cy Schubert
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
In-Reply-To: <201606302116.u5ULGObZ089496@slippy.cwsent.com>
References: <201606302116.u5ULGObZ089496@slippy.cwsent.com>
Subject: Re: svn commit: r417842 - head/security/vuxml
Date: Thu, 30 Jun 2016 16:28:58 -0500
List-Id: SVN commit messages for the ports tree

On Thu, Jun 30, 2016, at 16:16, Cy Schubert wrote:
> Cy Schubert writes:
> > In message <201606302052.u5UKqdNR025451@repo.freebsd.org>, Mark Felder
> > writes:
> > > Author: feld
> > > Date: Thu Jun 30 20:52:39 2016
> > > New Revision: 417842
> > > URL: https://svnweb.freebsd.org/changeset/ports/417842
> > >
> > > Log:
> > > Document openssl vulnerability
> > >
> > > PR: 210550
> > > Security: CVE-2016-2177
> > >
> > > Modified:
> > > head/security/vuxml/vuln.xml
> > >
> > > Modified: head/security/vuxml/vuln.xml > > > =========================================================================== > > == > > > = > > > --- head/security/vuxml/vuln.xml Thu Jun 30 20:38:36 2016 (r41784 > > > 1) > > > +++ head/security/vuxml/vuln.xml Thu Jun 30 20:52:39 2016 (r41784 > > > 2) > > > @@ -58,6 +58,38 @@ Notes: > > > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > > > --> > > > > > > + > > > + openssl -- denial of service > > > + > > > + > > > + openssl > > > + 1.0.2_14 > > Shouldn't this be 1.0.2_14 ? > > My mistake. The wording in the following is incorrect: > > > +

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
>
> The word "through" includes 1.0.2h, which it shouldn't. "To" excludes
> 1.0.2h. Or, simply replace 1.0.2h with 1.0.2g.
>

Yeah, I believe OpenSSL has not cut the 1.0.2g release so this is a backported patch from their git. So their official stance is correct, but it's confusing in the context of how we triaged this in the ports tree.

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
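
Review bot: The description line "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic" names an upstream release as the bound, while the affected range for the openssl package is given as the port revision 1.0.2_14, so the entry alone does not tell a reader how the two relate. Suggest adding a sentence to the description stating that the port carries a backported fix, and double-checking that the comparison on 1.0.2_14 leaves the first fixed port revision outside the affected range.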