Date: Tue, 1 Mar 2005 23:20:36 +0100
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: daniel quinn <freebsd@danielquinn.org>
Cc: ports@freebsd.org
Subject: Re: curl -- authentication buffer overflow vulnerability.
Message-ID: <20050301222035.GA822@zaphod.nitro.dk>
In-Reply-To: <200503011646.22680.freebsd@danielquinn.org>
References: <200503011646.22680.freebsd@danielquinn.org>
On 2005.03.01 16:46:22 -0500, daniel quinn wrote:

> Affected package: curl-7.12.3_2
> Type of problem: curl -- authentication buffer overflow vulnerability.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/96df5fd0-8900-11d9-aa18-0001020eed82.html>

[...]

> # portupgrade curl
>
> and nothing happened. i went looking around and found that the port hasn't
> been updated:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/ftp/curl/
>
> so my question is: "is this normal"? i'm new to freebsd (formerly gentoo

Yes, that's quite normal.

> linux) and i'm not used to security warnings that can't be fixed right away.

The reason this happens is that security issues for the FreeBSD Ports Collection are often documented before the fix for the port is committed. This is done since, when an issue is documented, it is already public information, so we prefer to warn users sooner rather than later. This makes it possible for users themselves to evaluate if they are affected by the particular problem and, if needed, take whatever measures they find appropriate (e.g. uninstall the program). The description and references you find for each documented security vulnerability (which can be found on the web page in the portaudit output) are there to help users judge how and if they are impacted.

Whenever a security issue is documented the maintainer for the particular port is informed, so it's up to the maintainer of the port to fix the port. In some cases, generally if the issue is very serious, the Security Team might fix the issue without waiting for an OK from the port maintainer, but that's the exception.

BTW, note that issues with the base system are handled differently, as described on the "FreeBSD Security Information" [1] page.

> curl's website tells me that version 7.13.1 is available, so i'm thinking
> this is isolated to freebsd.

The issue is present on all operating systems which ship curl, not just FreeBSD. The latest version I can find is 7.13.0, which does not have the issues fixed yet.

> should i be emailing the maintainer? isn't that rude? what are my
> options here?

In general (unless the normal procedure failed) the maintainer will already know of a documented security issue, so the best you can do is check if the issue is a problem for you (using the above reference) and wait for the fix. In most cases the issues are fixed rather quickly.

I hope this answers your questions.

[1] http://www.FreeBSD.org/security/

-- 
Simon L. Nielsen
FreeBSD Security Team