Date:      Thu, 13 Aug 2015 09:24:36 -0500
From:      Mark Felder <feld@feld.me>
To:        Jan Beich <jbeich@FreeBSD.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r393962 - head/security/vuxml
Message-ID:  <1439475876.1691528.355344625.7BD76BF3@webmail.messagingengine.com>
In-Reply-To: <oaic-ny53-wny@FreeBSD.org>
References:  <201508111903.t7BJ3aD3086878@repo.freebsd.org> <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com> <oaic-ny53-wny@FreeBSD.org>



On Wed, Aug 12, 2015, at 13:46, Jan Beich wrote:
> Mark Felder <feld@feld.me> writes:
> 
> > On Tue, Aug 11, 2015, at 14:03, Jan Beich wrote:
> >> Author: jbeich
> >> Date: Tue Aug 11 19:03:36 2015
> >> New Revision: 393962
> >> URL: https://svnweb.freebsd.org/changeset/ports/393962
> >> 
> >> Log:
> >>   Move libvpx vulnerability into its own entry
> [...]
> >>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> >> +  <vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
> >> +    <topic>libvpx -- multiple buffer overflows</topic>
> >> +    <affects>
> >> +      <package>
> >> +       <name>libvpx</name>
> >> +       <range><lt>1.5.0</lt></range>
> >> +      </package>
> >> +    </affects>
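Review bot: the upper bound in `<range><lt>1.5.0</lt></range>` marks every libvpx build below 1.5.0 as affected, so a fix shipped as a PORTREVISION bump (1.4.0_1) or an upstream patch release (1.4.1) would still be reported by `pkg audit` until this entry is edited again, while a PORTEPOCH bump would sort above the bound and silently escape it. If 1.5.0 is only a guess at where the fix lands, either note that the range must be revisited when the port is updated, or bound it at the last version known to be vulnerable (for example `<le>1.4.0</le>`) and widen it later if needed.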
> >
> > This should probably be <le>1.4.0</le> as although
> 
> <le> would be deceptive. The package is vulnerable. Whether there's a
> known fix is less important. Current range is just a rough guess and can
> be updated as the affected port is fixed.
> 

I don't understand how it's deceptive; it's accurate. What happens if
your range was wrong and nobody remembers to fix the entry? Maintainer
commits 1.4.1 to ports to fix it and now users won't be able to install
the fix without ports tree/pkg screaming at them about it being a
vulnerable package. Updating the vuxml entry is going to take 24 hours
to work through most users' systems unless the user knows they can force
an update with pkg audit -F.

> On the downside maintainers may not be aware of a vulnerability. It'd be
> nice if there were periodic mails about (still) vulnerable ports similar
> to portscout. For one, multimedia/ffmpeg0 hasn't been updated yet
> despite how trivial it should be -> too few users to notice?
> 

I strongly agree here. I try to get vuxml entries in when I have time,
but don't always have time to address the port. I email maintainers when
possible, but sometimes I forget to come back around and check on
vulnerable ports whose entry I added.

> > their release process seems obvious, they could release 1.4.1 or we
> > could backport security fixes to 1.4.0_1
> 
> Depending on PORTREVISION in advance is unreliable as it can be
> bumped for an unrelated reason.
> 

No different than a PORTEPOCH bump invalidating your vuxml entries. If
you add the entry to vuxml you should try to watch it until the official
fix has landed. It definitely takes a team effort to make sure mistakes
are not made. I guess we'll just have to agree to disagree on the
approach here.

> Upstream doesn't have a good track record for patch releases. For one,
> CVE-2014-1578 was never fixed in 1.3.x and Debian still carries around
> the patch for it in their package.
> 

That's really unfortunate. :-(

> > I'll try to keep an eye on this too.
> 
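The disagreement above is about how `<lt>1.5.0</lt>` and `<le>1.4.0</le>` behave once the port is fixed by a PORTREVISION bump, a patch release, or a PORTEPOCH bump. The script below is an added example, not part of this thread or of the ports tree: it parses a constructed vuxml fragment shaped like the quoted commit (placeholder `vid`), applies vuxml's range semantics (all bounds inside one `<range>` must hold; any matching `<range>` affects the package), and evaluates candidate installed versions. Version ordering is a simplified model of pkg's (PORTEPOCH after `,` first, then dotted numeric components, then PORTREVISION after `_`); letter and pre-release suffixes are not handled.

```python
"""Evaluate vuxml <range> bounds against FreeBSD package versions.

Added example; not part of the original thread or the ports tree.
Version ordering is a simplified model of pkg(8)'s: PORTEPOCH after
',' wins first, then the dotted numeric components, then PORTREVISION
after '_'.  Letter/pre-release suffixes in real port versions are not
handled here.
"""
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"


def parse_version(v):
    """'1.4.0_1,2' -> (epoch=2, parts=(1, 4, 0), revision=1)."""
    epoch = revision = 0
    if "," in v:                      # PORTEPOCH comes last in the string
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:                      # PORTREVISION sits before the epoch
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple(int(p) for p in v.split("."))
    return epoch, parts, revision


def compare(a, b):
    """Return -1, 0 or 1 as package version a sorts before, equal to, or after b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))    # treat 1.4 and 1.4.0 as equal
    pb += (0,) * (width - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# vuxml bound elements and the comparison result each one accepts
BOUNDS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def ranges_for(vuxml_text, pkgname):
    """Collect [(op, bound), ...] per <range> for the named <package>."""
    root = ET.fromstring(vuxml_text)
    found = []
    for pkg in root.iter(VUXML_NS + "package"):
        if pkg.findtext(VUXML_NS + "name") != pkgname:
            continue
        for rng in pkg.findall(VUXML_NS + "range"):
            found.append([(b.tag[len(VUXML_NS):], b.text.strip()) for b in rng])
    return found


def is_affected(installed, ranges):
    """Affected if ALL bounds of ANY <range> hold (vuxml semantics)."""
    return any(all(BOUNDS[op](compare(installed, bound)) for op, bound in rng)
               for rng in ranges)


def make_entry(range_xml):
    """Constructed vuxml document wrapping one <range>; placeholder vid."""
    return f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>libvpx -- constructed example</topic>
    <affects><package><name>libvpx</name>{range_xml}</package></affects>
  </vuln>
</vuxml>"""


def audit(range_xml, versions):
    """Map each candidate installed version to whether it falls in the range."""
    ranges = ranges_for(make_entry(range_xml), "libvpx")
    return {v: is_affected(v, ranges) for v in versions}


if __name__ == "__main__":
    # Constructed candidates: the vulnerable release, a backported fix via
    # PORTREVISION, an upstream patch release, the next minor, and an epoch bump.
    candidates = ["1.4.0", "1.4.0_1", "1.4.1", "1.5.0", "1.4.0,1"]
    for rng in ("<range><lt>1.5.0</lt></range>", "<range><le>1.4.0</le></range>"):
        print(rng)
        for v, hit in audit(rng, candidates).items():
            print(f"  {v:10} {'VULNERABLE' if hit else 'ok'}")
```

Running it shows both sides of the argument in one table: under `<lt>1.5.0</lt>` the patched 1.4.0_1 and 1.4.1 stay flagged until the entry is edited, while `1.4.0,1` (an epoch bump) escapes either range because the epoch sorts above every un-epoched bound.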