Date: Sun, 14 Dec 2014 11:42:44 +0000 From: Alexey Dokuchaev <danfe@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Cc: x11@FreeBSD.org Subject: Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71 Message-ID: <20141214114244.GA2487@FreeBSD.org> In-Reply-To: <201412141121.sBEBLsvP017491@svn.freebsd.org> References: <201412141121.sBEBLsvP017491@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 14, 2014 at 11:21:54AM +0000, Alexey Dokuchaev wrote: > New Revision: 374697 > URL: https://svnweb.freebsd.org/changeset/ports/374697 > QAT: https://qat.redports.org/buildarchive/r374697/ > > Log: > Mark legacy branches -173, -96, and -71 as FORBIDDEN: they are > unsupported by NVidia and no security updates for them were issued > to fix CVE-2014-8298. > > Security: fdf72a0e-8371-11e4-bc20-001636d274f3 I've marked these ports FORBIDDEN for now, but their fate yet to be decided. Last update to -173 legacy branch, 173.14.39 added support for X.org xserver ABI 15 (xorg-server 1.15), and it was confirmed to work with upcoming v1.14 update (PR 195781), so it would be unfortunate to lose it just because NVidia does not care about it anymore and won't provide a fix CVE-2014-8298. On the other hand, NVidia did provide mitigation techniques: - Configure the X server to prohibit X connections from the local area network (by passing the "-nolisten tcp" command line option to the X.Org X server) -- which we also default to, or - Disable GLX indirect contexts. With any of the fixed NVIDIA driver versions mentioned above, indirect GLX contexts can be prohibited by setting the "AllowIndirectGLXProtocol" X configuration option to False, or setting the "-iglx" X server command line option on X.Org 1.16 or newer. So perhaps instead of forbidding them and subsequently removing, we can provide pkg-message that tells users what are they facing and how to stay safe (with an legal bla-bla about that FreeBSD cannot guarantee anything if you use this vulnerable, unmaintained upstream port)? I wonder what other people think. ./danfe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141214114244.GA2487>