From: Mark Felder <feld@feld.me>
To: Jan Beich
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r393962 - head/security/vuxml
Date: Thu, 13 Aug 2015 09:24:36 -0500
References: <201508111903.t7BJ3aD3086878@repo.freebsd.org> <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com>
List-Id: SVN commit messages for the ports tree for head

On Wed, Aug 12, 2015, at 13:46, Jan Beich wrote:
> Mark Felder writes:
>
> > On Tue, Aug 11, 2015, at 14:03, Jan Beich wrote:
> >> Author: jbeich
> >> Date: Tue Aug 11 19:03:36 2015
> >> New Revision: 393962
> >> URL: https://svnweb.freebsd.org/changeset/ports/393962
> >>
> >> Log:
> >>   Move libvpx vulnerability into its own entry
> [...]
> >>
> >> +
> >> +    libvpx -- multiple buffer overflows
> >> +
> >> +
> >> +    libvpx
> >> +    1.5.0
> >> +
> >> +
> >
> > This should probably be 1.4.0 as although
> > would be deceptive.
>
> The package is vulnerable. Whether there's a
> known fix is less important. Current range is just a rough guess and can
> be updated as the affected port is fixed.
>

I don't understand how it's deceptive; it's accurate. What happens if your
range was wrong and nobody remembers to fix the entry? Maintainer commits
1.4.1 to ports to fix it and now users won't be able to install the fix
without ports tree/pkg screaming at them about it being a vulnerable
package. Updating the vuxml entry is going to take 24 hours to work
through most users' systems unless the user knows they can force an
update with pkg audit -F.

> On the downside maintainers may not be aware of a vulnerability. It'd be
> nice if there were periodic mails about (still) vulnerable ports similar
> to portscout. For one, multimedia/ffmpeg0 hasn't been updated yet
> despite how trivial it should be -> too few users to notice?
>

I strongly agree here. I try to get vuxml entries in when I have time,
but don't always have time to address the port. I email maintainers when
possible, but sometimes I forget to come back around and check on
vulnerable ports whose entry I added.

> > their release process seems obvious, they could release 1.4.1 or we
> > could backport security fixes to 1.4.0_1
>
> Depending on PORTREVISION in advance is unreliable as it can be
> bumped for an unrelated reason.
>

No different than a PORTEPOCH bump invalidating your vuxml entries. If
you add the entry to vuxml you should try to watch it until the official
fix has landed. It definitely takes a team effort to make sure mistakes
are not made. I guess we'll just have to agree to disagree on the
approach here.

> Upstream doesn't have a good track record for patch releases. For one,
> CVE-2014-1578 was never fixed in 1.3.x and Debian still carries around
> the patch for it in their package.
>

That's really unfortunate. :-(

> > I'll try to keep an eye on this too.
>
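The version-range mechanics the thread argues about (an upper bound of 1.5.0 that a future 1.4.1 would still fall under, a PORTREVISION bump such as 1.4.0_1, and a PORTEPOCH bump that silently takes a package out of a range) can be made concrete with a small range checker. The following is an added example, not code from this thread, the ports tree or pkg(8): it implements the documented ordering of FreeBSD package versions (PORTEPOCH after ",", then the upstream version, then PORTREVISION after "_") in a simplified form, and the entry and installed versions it checks are constructed for illustration.

```python
"""Toy version-range check for VuXML-style entries.

Added example; not from the mailing-list thread, the ports tree or pkg(8).
Assumption: a simplified version ordering is enough here. Components are
split on '.', digits compare numerically and letters lexically; pkg's
special handling of 'pl', 'a'/'b' pre-release suffixes and similar is
omitted.
"""
import re
from typing import Dict, List, Tuple

Component = Tuple[int, object]


def parse_version(version: str) -> Tuple[int, List[Component], int]:
    """Split 'upstream[_PORTREVISION][,PORTEPOCH]' into (epoch, components, revision)."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, revision_str = version.rsplit("_", 1)
        revision = int(revision_str)
    components: List[Component] = []
    for piece in version.split("."):
        for token in re.findall(r"\d+|[A-Za-z]+", piece):
            # numeric tokens sort before alphabetic ones at the same position
            components.append((0, int(token)) if token.isdigit() else (1, token))
    return epoch, components, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    epoch_a, parts_a, rev_a = parse_version(a)
    epoch_b, parts_b, rev_b = parse_version(b)
    if epoch_a != epoch_b:          # PORTEPOCH dominates everything else
        return -1 if epoch_a < epoch_b else 1
    width = max(len(parts_a), len(parts_b))
    parts_a += [(0, 0)] * (width - len(parts_a))   # '1.4' compares equal to '1.4.0'
    parts_b += [(0, 0)] * (width - len(parts_b))
    if parts_a != parts_b:
        return -1 if parts_a < parts_b else 1
    if rev_a != rev_b:              # PORTREVISION only breaks ties
        return -1 if rev_a < rev_b else 1
    return 0


# Bound elements VuXML allows inside <range>, keyed by element name.
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(installed: str, bounds: Dict[str, str]) -> bool:
    """True if every bound of the range (e.g. {'ge': '1.4', 'lt': '1.5.0'}) holds."""
    return all(_OPS[op](compare_versions(installed, bound)) for op, bound in bounds.items())


def audit(installed: Dict[str, str], entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (package, topic) pairs for installed packages matched by an entry."""
    hits = []
    for entry in entries:
        for name, version in installed.items():
            if name == entry["package"] and in_range(version, entry["range"]):
                hits.append((name, entry["topic"]))
    return hits


if __name__ == "__main__":
    # Constructed entry mirroring the shape of the one under discussion.
    entry = {"package": "libvpx",
             "topic": "libvpx -- multiple buffer overflows",
             "range": {"lt": "1.5.0"}}
    for v in ("1.4.0", "1.4.0_1", "1.4.1", "1.4.0,1", "1.5.0"):
        state = "VULNERABLE" if in_range(v, entry["range"]) else "ok"
        print(f"libvpx-{v}: {state}")
```

Run as a script, the loop shows the two failure modes the thread describes: 1.4.1 (a fixed upstream release that is still below 1.5.0) is flagged, while 1.4.0,1 (the same code after a PORTEPOCH bump) is not flagged at all because the epoch compares above every epoch-0 version.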