From: Chris Rees
Date: Sun, 28 Aug 2011 11:44:18 +0100
To: urb@twe.net, mnag@freebsd.org
Cc: freebsd-ports@freebsd.org
Subject: Re: mail/postfix-policyd-spf relies on vulnerable mail/libspf2-10

On 28 August 2011 11:35, Uffe R. B. Andersen wrote:
> On 28-08-2011 02:00, Doug Barton wrote:
>> I appreciate your responses, but I think you're missing one or
>> more large'ish pieces of the puzzle. Here is what I'm seeing with
>> an up to date portaudit db:
>>
>> portaudit -a
>> Affected package: libspf2-1.0.4_1
>> Type of problem: libspf2 -- Buffer overflow.
>> Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
>>
>> pkg_info -qo libspf2-1.0.4_1
>> mail/libspf2-10
>>
>> pkg_info -R libspf2-1.0.4_1
>> Information for libspf2-1.0.4_1:
>>
>> Required by:
>> postfix-policyd-spf-1.0.1_3
>>
>> cd /usr/ports/mail/libspf2-10/
>> make -V PKGNAME
>> libspf2-1.0.4_1
>>
>>
>> The solution here is that postfix-policyd-spf needs to be updated
>> to not rely on a vulnerable version of libspf2.
>
> Indeed you're right. Googling the issue reveals that
> postfix-policyd-spf apparently is rather unmaintained and people
> suggest using the perl or python versions instead. I do remember
> having this issue myself, some 2 years ago and nothing seems to have
> happened since then. The Google results also show that
> postfix-policyd-spf doesn't compile with newer versions of libspf2.
>
> Perhaps we should ask to have postfix-policyd-spf removed from the
> ports tree altogether?

Hm, perhaps:

FORBIDDEN= depends on forbidden software (libspf2)
DEPRECATED= dead upstream, depends on forbidden software (libspf2)
EXPIRATION_DATE= 2011-10-28

Maintainer added back to the CC list.

Chris
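The manual check quoted in this thread (portaudit -a, then pkg_info -R on each flagged package) can be scripted; the following is an added example, not part of the original message or of the ports tree. The function names and the sample text are constructed for illustration, and the output layouts are assumed to match the session quoted above.

```shell
#!/bin/sh
# Added example: for every package portaudit flags, list the installed
# packages that depend on it. Parsers read stdin so they can run offline.

# Package names from the "Affected package:" lines of `portaudit -a` output.
affected_packages() {
    sed -n 's/^Affected package:[[:space:]]*//p' | sort -u
}

# Names listed under "Required by:" in `pkg_info -R` output.
required_by() {
    awk '
        /^Required by:/    { in_list = 1; seen = 0; next }
        in_list && NF == 0 { if (seen) in_list = 0; next }
        in_list            { print $1; seen = 1 }
    '
}

# Print "vulnerable <- dependent" pairs. $1 names a function that prints
# `pkg_info -R`-style output for the package given as its argument.
report_dependents() {
    lookup=$1
    affected_packages | while read -r pkg; do
        deps=$("$lookup" "$pkg" </dev/null | required_by)
        if [ -z "$deps" ]; then
            echo "$pkg <- (no installed dependents)"
        else
            for d in $deps; do echo "$pkg <- $d"; done
        fi
    done
}

pkg_info_lookup() { pkg_info -R "$1"; }   # real lookup on a FreeBSD host

# Constructed sample input, modelled on the session quoted in the thread.
SAMPLE_AUDIT='Affected package: libspf2-1.0.4_1
Type of problem: libspf2 -- Buffer overflow.
Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html'
SAMPLE_REQUIRED='Information for libspf2-1.0.4_1:

Required by:
postfix-policyd-spf-1.0.1_3
'
sample_lookup() { printf '%s\n' "$SAMPLE_REQUIRED"; }   # offline stand-in

if command -v portaudit >/dev/null 2>&1 && command -v pkg_info >/dev/null 2>&1; then
    portaudit -a | report_dependents pkg_info_lookup
else
    printf '%s\n' "$SAMPLE_AUDIT" | report_dependents sample_lookup
fi
```

On a host without portaudit and pkg_info the script falls back to the constructed sample, which yields the single pair libspf2-1.0.4_1 <- postfix-policyd-spf-1.0.1_3.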