From owner-svn-ports-all@freebsd.org  Wed Apr 22 19:55:09 2020
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3AA1C2BF8DE;
 Wed, 22 Apr 2020 19:55:09 +0000 (UTC) (envelope-from gjb@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2610:1c1:1:6074::16:84])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "freefall.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 496rkj0qh4z3FZZ;
 Wed, 22 Apr 2020 19:55:09 +0000 (UTC) (envelope-from gjb@freebsd.org)
Received: from FreeBSD.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by freefall.freebsd.org (Postfix) with ESMTPS id 8E1FF1C396;
 Wed, 22 Apr 2020 19:55:08 +0000 (UTC) (envelope-from gjb@freebsd.org)
Date: Wed, 22 Apr 2020 19:55:05 +0000
From: Glen Barber <gjb@freebsd.org>
To: Craig Leres <leres@freebsd.org>
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: Re: svn commit: r532463 - head/security/vuxml
Message-ID: <20200422195505.GX9584@FreeBSD.org>
References: <202004221044.03MAixGc069557@repo.freebsd.org>
 <f0bca725-9dff-be68-780a-d2da56e1d51e@freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tz827eEgdc+99pmc"
Content-Disposition: inline
In-Reply-To: <f0bca725-9dff-be68-780a-d2da56e1d51e@freebsd.org>
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 19:55:09 -0000


--tz827eEgdc+99pmc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 22, 2020 at 11:02:07AM -0700, Craig Leres wrote:
> On 2020-04-22 03:44, Glen Barber wrote:
> > Author: gjb
> > Date: Wed Apr 22 10:44:59 2020
> > New Revision: 532463
> > URL: https://svnweb.freebsd.org/changeset/ports/532463
> >=20
> > Log:
> >    Attempt number 2 to fix the vuxml build.
> >    Sponsored by:	Rubicon Communications, LLC (netgate.com)
> >=20
> > Modified:
> >    head/security/vuxml/vuln.xml
> >=20
> > Modified: head/security/vuxml/vuln.xml
> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
> > --- head/security/vuxml/vuln.xml	Wed Apr 22 10:36:57 2020	(r532462)
> > +++ head/security/vuxml/vuln.xml	Wed Apr 22 10:44:59 2020	(r532463)
> > @@ -96,7 +96,6 @@ Notes:
> >   	<name>FreeBSD</name>
> >   	<range><ge>12.1</ge><lt>12.1_4</lt></range>
> >   	<range><ge>11.3</ge><lt>11.3_8</lt></range>
> > -      </package>
> >   	<name>openssl</name>
> >   	<range><ge>1.1.1,1</ge><lt>1.1.1g,1</lt></range>
> >         </package>
>=20
> I think the right fix here would have been to change </package> to <packa=
ge>
> (instead of removing it). r532468 removes the openssl versions block
> completely.
>=20
> What I saw this morning is that my systems were briefly reporting
> openssl-1.1.1f,1 as vulnerable (1:46am PDT) and then later not vulnerable
> (4:46am).
>=20
> I believe the attached patch fixes this.
>=20
> 		Craig

> Index: security/vuxml/vuln.xml
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- security/vuxml/vuln.xml	(revision 532491)
> +++ security/vuxml/vuln.xml	(working copy)
> @@ -97,6 +97,10 @@
>  	<range><ge>12.1</ge><lt>12.1_4</lt></range>
>  	<range><ge>11.3</ge><lt>11.3_8</lt></range>
>        </package>
> +      <package>
> +	<name>openssl</name>
> +	<range><ge>1.1.1,1</ge><lt>1.1.1g,1</lt></range>
> +      </package>
>      </affects>
>      <description>
>        <body xmlns=3D"http://www.w3.org/1999/xhtml">

Please feel free to go ahead and commit your patch, assuming it does not
break the vuxml build.

Glen


--tz827eEgdc+99pmc
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjRJAPC5sqwhs9k2jAxRYpUeP4pMFAl6goRQACgkQAxRYpUeP
4pM/Nw//dACXzUlZfFtYxzs/GSg1d0rnI0jLnLTn9LbD0fuQcNHpWDXaMMVoeHwe
KcXKC2uIahrFhDlq9//8Lh5dS73IkG2xKwr2bl4uwbAghVx0HKn50Gv/L9IY15L2
i4mHNyLSB/dumX6B+9YAt01BJK5hElpbdeiv6zXyGhM1PSbNEJ1uUFHp4YDM8mTU
4aie/P5UHG1ahMHGiMftdYgmEZhQTdb9kiu7M9QCiZ7w8OHjTtZ6gtB7J8T4seP8
SiHk+pE42YXcB480Mhf6xSy2NXuRZXy18lXnTjrf/gasJL4OGM5cZW4BSmaRih3k
8H1Ny9ZKCofGWFipjemwVfcA/To+HZ2Teoxw+TQ9FNujyfiM6g0OeEG+2ojVPYDu
DYcNlCCbUb2qU/lmK60HKkAvKGboe/sqG7ESFijRY4tAk9fopzUKilnhHROg+9W+
htP4o6Qa7UiAsE7mAYLRnx8RPGnHoRICVsoA+2e/0ZDHzLqARCDpoCNmP+EqxLU6
3GFhkURAYxh8wcTDo3A28QxxKgVHfE+FDQpqP492Lg95a/ZWNoMK65UPSylMLV96
ytxR91cmYs42dWa329f+J0GPGSk0FlaaI8zpYuG918TNyCknU5F19XFMJrq5dpjQ
Fhs3hp3VXfwii3zSMK3ZeVAJMtCbYzcHR4LDVosCeqNAYvBedTU=
=6vea
-----END PGP SIGNATURE-----

--tz827eEgdc+99pmc--