From: "Uffe R. B. Andersen" <urb@twe.net>
Organization: Andersen|nu
Date: Sun, 28 Aug 2011 12:35:32 +0200
To: freebsd-ports@freebsd.org
Message-ID: <4E5A19F4.1050406@twe.net>
In-Reply-To: <4E598506.2030507@FreeBSD.org>
Subject: Re: mail/postfix-policyd-spf relies on vulnerable mail/libspf2-10

On 28-08-2011 02:00, Doug Barton wrote:
> I appreciate your responses, but I think you're missing one or
> more large'ish pieces of the puzzle. Here is what I'm seeing with
> an up to date portaudit db:
>
> portaudit -a
> Affected package: libspf2-1.0.4_1
> Type of problem: libspf2 -- Buffer overflow.
> Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
>
> pkg_info -qo libspf2-1.0.4_1
> mail/libspf2-10
>
> pkg_info -R libspf2-1.0.4_1
> Information for libspf2-1.0.4_1:
>
> Required by:
> postfix-policyd-spf-1.0.1_3
>
> cd /usr/ports/mail/libspf2-10/
> make -V PKGNAME
> libspf2-1.0.4_1
>
>
> The solution here is that postfix-policyd-spf needs to be updated
> to not rely on a vulnerable version of libspf2.

Indeed you're right. Googling the issue reveals that postfix-policyd-spf apparently is rather unmaintained and people suggest using the Perl or Python versions instead. I do remember having this issue myself, some 2 years ago, and nothing seems to have happened since then.
The Google results also show that postfix-policyd-spf doesn't compile with newer versions of libspf2. Perhaps we should ask to have postfix-policyd-spf removed from the ports tree altogether?

-- 
Kind regards - Sincerely
Uffe R. B. Andersen - mailto:urb@twe.net
http://blog.andersen.nu/
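A small script, added here as an example and not part of the thread, that automates the check Doug walks through above: it takes every package portaudit flags, looks up its port origin with pkg_info -qo and lists the installed packages that require it with pkg_info -R, so the dependents that keep a vulnerable library installed (here postfix-policyd-spf on libspf2) are visible at once. It assumes the pkg_tools-era portaudit(1) and pkg_info(1) commands; the PORTAUDIT and PKG_INFO override variables and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): for each package that portaudit
# flags, print its port origin and every installed package that requires it.
# PORTAUDIT and PKG_INFO default to the real tools and can be pointed at
# wrappers for testing (example-specific, not a portaudit/pkg_info feature).
PORTAUDIT=${PORTAUDIT:-portaudit}
PKG_INFO=${PKG_INFO:-pkg_info}

# Read portaudit -a output on stdin and emit the names from its
# "Affected package: NAME" lines, one per line, de-duplicated (a package
# with several advisories is listed once).
affected_packages() {
    sed -n 's/^Affected package: *//p' | sort -u
}

# Read pkg_info -R output on stdin and emit the package names that follow
# the "Required by:" header (blank lines skipped).
required_by() {
    awk 'seen && NF { print } /^Required by:/ { seen = 1 }'
}

# Print, for every affected package:
#   <pkg> (<origin>) is required by:
#     <dependent>...          or   (nothing)
report() {
    "$PORTAUDIT" -a | affected_packages | while read -r pkg; do
        origin=$("$PKG_INFO" -qo "$pkg")
        printf '%s (%s) is required by:\n' "$pkg" "$origin"
        deps=$("$PKG_INFO" -R "$pkg" | required_by)
        if [ -n "$deps" ]; then
            printf '%s\n' "$deps" | sed 's/^/  /'
        else
            echo '  (nothing)'
        fi
    done
}
```

Run `report` on a host with an up-to-date portaudit database; an entry listed under a vulnerable package is a port that must be updated or replaced before the library can be removed.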