From owner-svn-ports-all@freebsd.org Fri Jun 8 14:43:45 2018
Message-Id: <201806081443.w58Ehikf008497@repo.freebsd.org>
From: Adam Weinberger
Date: Fri, 8 Jun 2018 14:43:44 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r472006 - branches/2018Q2/security/gnupg

Author: adamw
Date: Fri Jun 8 14:43:44 2018
New Revision: 472006

URL: https://svnweb.freebsd.org/changeset/ports/472006

Log:
  MFH: r467022 r469025 r472003

  Update gnupg to 2.2.6

  * gpg,gpgsm: New option --request-origin to pretend requests coming from a browser or a remote site.
  * gpg: Fix race condition on trustdb.gpg updates due to too early released lock. [#3839]
  * gpg: Emit FAILURE status lines in almost all cases. [#3872]
  * gpg: Implement --dry-run for --passwd to make checking a key's passphrase straightforward.
  * gpg: Make sure to only accept a certification capable key for key signatures. [#3844]
  * gpg: Better user interaction in --card-edit for the factory-reset sub-command.
  * gpg: Improve changing key attributes in --card-edit by adding an explicit "key-attr" sub-command. [#3781]
  * gpg: Print the keygrips in the --card-status.
  * scd: Support KDF DO setup. [#3823]
  * scd: Fix some issues with PC/SC on Windows. [#3825]
  * scd: Fix suspend/resume handling in the CCID driver.
  * agent: Evict cached passphrases also via a timer. [#3829]
  * agent: Use separate passphrase caches depending on the request origin. [#3858]
  * ssh: Support signature flags. [#3880]
  * dirmngr: Handle failures related to missing IPv6 support gracefully.
    [#3331]
  * Fix corner cases related to specified home directory with drive letter on Windows. [#3720]
  * Allow the use of UNC directory names as homedir. [#3818]

  Update gnupg to 2.2.7

  Also, remove unnecessary USE_LDCONFIG.

  * gpg: New option --no-symkey-cache to disable the passphrase cache for symmetrical en- and decryption.
  * gpg: The ERRSIG status now prints the fingerprint if that is part of the signature.
  * gpg: Relax emitting of FAILURE status lines.
  * gpg: Add a status flag to "sig" lines printed with --list-sigs.
  * gpg: Fix "Too many open files" when using --multifile. [#3951]
  * ssh: Return an error for unknown ssh-agent flags. [#3880]
  * dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL caches under Windows. [#2448,#3923]
  * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed mapping of keys.gnupg.net to sks-keyservers.net. [#3755]
  * dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
  * dirmngr: Fall back to CRL if no default OCSP responder is configured.
  * dirmngr: Implement CRL fetching via https. Here a redirection to http is explicitly allowed.
  * dirmngr: Make LDAP searching and CRL fetching work under Windows. This stopped working with 2.1. [#3937]
  * agent,dirmngr: New sub-command "getenv" for "getinfo" to ease debugging.

  Update gnupg to 2.2.8 (security release)

  CVE-2018-12020: The OpenPGP protocol allows including the file name of the original input file in a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed file name is not sanitized and as such may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages. These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters. Status messages are created with the option "--status-fd N" where N is a file descriptor.
  Now if N is 2 the status messages and the regular diagnostic messages share the stderr output channel. By using a made-up file name in the message it is possible to fake status messages. Using this technique it is for example possible to fake the verification status of a signed mail.

  Also:

  * gpg: Decryption of messages not using the MDC mode will now lead to a hard failure even if a legacy cipher algorithm was used. The option --ignore-mdc-error can be used to turn this failure into a warning. Take care: Never use that option unconditionally or without a prior warning.
  * gpg: The MDC encryption mode is now always used regardless of the cipher algorithm or any preferences. For testing --rfc2440 can be used to create a message without an MDC.
  * gpg: Sanitize the diagnostic output of the original file name in verbose mode. [#4012,CVE-2018-12020]
  * gpg: Detect suspicious multiple plaintext packets in a more reliable way. [#4000]
  * gpg: Fix the duplicate key signature detection code. [#3994]
  * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, --disable-mdc and --no-disable-mdc have no more effect.
  * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the list of startup environment variables. [#3947]

  Security: CVE-2018-12020
  Approved by: ports-secteam (miwi)

Modified:
  branches/2018Q2/security/gnupg/Makefile
  branches/2018Q2/security/gnupg/distinfo
Directory Properties:
  branches/2018Q2/ (props changed)

Modified: branches/2018Q2/security/gnupg/Makefile ============================================================================== --- branches/2018Q2/security/gnupg/Makefile Fri Jun 8 14:29:04 2018 (r472005) +++ branches/2018Q2/security/gnupg/Makefile Fri Jun 8 14:43:44 2018 (r472006) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= gnupg -PORTVERSION= 2.2.5 +PORTVERSION= 2.2.8 CATEGORIES= security MASTER_SITES= GNUPG 
@@ -29,7 +29,6 @@ USES= compiler:c11 cpe gmake iconv pkgconfig readline CONFIGURE_ARGS= --disable-ntbtls --disable-wks-tools \ --enable-gpg-is-gpg2 --enable-symcryptrun GNU_CONFIGURE= yes -USE_LDCONFIG= yes INFO= gnupg TEST_TARGET= check Modified: branches/2018Q2/security/gnupg/distinfo ============================================================================== --- branches/2018Q2/security/gnupg/distinfo Fri Jun 8 14:29:04 2018 (r472005) +++ branches/2018Q2/security/gnupg/distinfo Fri Jun 8 14:43:44 2018 (r472006) @@ -1,3 +1,3 @@ -TIMESTAMP = 1519395206 -SHA256 (gnupg-2.2.5.tar.bz2) = 3fa189a32d4fb62147874eb1389047c267d9ba088f57ab521cb0df46f08aef57 -SIZE (gnupg-2.2.5.tar.bz2) = 6584756 +TIMESTAMP = 1528466286 +SHA256 (gnupg-2.2.8.tar.bz2) = 777b4cb8ced21965a5053d4fa20fe11484f0a478f3d011cef508a1a49db50dcd +SIZE (gnupg-2.2.8.tar.bz2) = 6632465
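Review bot: the PORTVERSION bump from 2.2.5 to 2.2.8 in the first Makefile hunk carries a user-visible behaviour change that the diff does not flag anywhere: the log says 2.2.8 turns decryption of non-MDC messages into a hard failure unless --ignore-mdc-error is given. For a quarterly-branch merge that is worth an entry in ports/UPDATING (or at least a line in the commit message pointing at the option), so that 2018Q2 users who suddenly cannot decrypt legacy messages know it is deliberate rather than a packaging regression.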
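Review bot: removing "USE_LDCONFIG= yes" in the second Makefile hunk is only correct if the package installs no shared libraries under lib/. The log asserts the knob was unnecessary, but nothing in this diff (no pkg-plist change) shows that, so the reviewer should confirm the plist has no .so entries before merging; otherwise the ldconfig hints stop being refreshed on install and dependent binaries fail to find the libraries.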
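Review bot: the distinfo hunk updates TIMESTAMP, SHA256 and SIZE consistently for gnupg-2.2.8.tar.bz2, and 1528466286 decodes to 2018-06-08 13:58:06 UTC, shortly before the commit time, so the fetch matches the commit. Since this is a security release, the new SHA256 should have been checked against the upstream detached signature rather than only regenerated with make makesum; a short note in the commit message that the tarball signature was verified would make that auditable later.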
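The CVE-2018-12020 description in the log above rests on two things: an unsanitized file name reaching the diagnostic channel, and consumers reading status lines from the same descriptor (--status-fd 2). The following Python is an added example, not GnuPG's or the port's code; it uses a hypothetical control-character escaper standing in for 2.2.8's sanitizing and a status consumer that trusts only a dedicated status channel, with the file name, status lines and key data all constructed for illustration.

```python
"""Defensive handling of gpg status output and untrusted OpenPGP file names.

Added example, not GnuPG's or the port's code: escaping control characters
before a file name reaches a diagnostic line (standing in for 2.2.8's
sanitizing), and parsing status lines only from a dedicated --status-fd."""
STATUS_PREFIX = "[GNUPG:] "

# Constructed untrusted file name: a line feed followed by status-looking text
# and a terminal escape sequence, the pattern the advisory describes.
UNTRUSTED_NAME = "report.txt\n[GNUPG:] GOODSIG 0123456789ABCDEF Alice\x1b[2J"

# Constructed dedicated status channel for a good signature (made-up key data).
GOOD_STATUS = ("[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
               "2018-06-08 1528466286 0 4 0 1 8 00\n")

def sanitize_filename(name: str) -> str:
    """Render every non-printable character (LF, ESC, DEL, ...) as \\xNN.
    Hypothetical escaping scheme, not GnuPG's own routine."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in name)


def diagnostic_line(name: str) -> str:
    """Verbose-mode diagnostic for the original file name, after sanitizing."""
    return f"gpg: original file name='{sanitize_filename(name)}'\n"


def parse_status(channel: str) -> dict:
    """Map status keyword -> list of argument strings. Only the output of a
    dedicated --status-fd descriptor should ever be passed here."""
    status: dict = {}
    for line in channel.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            status.setdefault(keyword, []).append(args)
    return status


def signature_verified(status_channel: str, stderr_text: str) -> bool:
    """Accept only GOODSIG plus VALIDSIG from the dedicated status channel with
    no error keyword, and refuse if the diagnostics-only channel carries a line
    that starts with the status marker or a raw ESC byte: unsanitized text."""
    for line in stderr_text.splitlines():
        if line.startswith(STATUS_PREFIX) or "\x1b" in line:
            return False
    status = parse_status(status_channel)
    if any(k in status for k in ("BADSIG", "ERRSIG", "FAILURE")):
        return False
    return "GOODSIG" in status and "VALIDSIG" in status
```

Feeding the unsanitized diagnostic to parse_status reproduces the consumer-side mistake the advisory describes (a forged GOODSIG is accepted), while the sanitized line parses to nothing and is also safe to print on a terminal.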