From owner-freebsd-ports@FreeBSD.ORG  Sat Mar 24 19:41:34 2012
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5EF18106566C
	for <ports@freebsd.org>; Sat, 24 Mar 2012 19:41:34 +0000 (UTC)
	(envelope-from bogorodskiy@gmail.com)
Received: from mail-bk0-f54.google.com (mail-bk0-f54.google.com
	[209.85.214.54])
	by mx1.freebsd.org (Postfix) with ESMTP id D2E7F8FC1F
	for <ports@freebsd.org>; Sat, 24 Mar 2012 19:41:33 +0000 (UTC)
Received: by bkcjc3 with SMTP id jc3so4410361bkc.13
	for <ports@freebsd.org>; Sat, 24 Mar 2012 12:41:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:date:from:to:cc:subject:message-id:references:mime-version
	:content-type:content-disposition:in-reply-to:user-agent;
	bh=EZ1PDvEaeEhwcsIJ4eX4PPQGU/bHX4+uMOO2NPv/o04=;
	b=u946NbHlHSc80MeIWIdZr4DPo+IClwR0Y9fj0olFKUo2DCyTmDOg70rIfhvDdB6y0G
	isdd4B5ghwnJD4Kntb3TZPpNykQOUlHhgDVQxTIyPCbLZIa3Nh1HNc1KTemMNQ1UsWC8
	56aZb/907TSjQfm+AAuUQExgfG4FjcybrbXzbGjkpN9UUp/cT85Qjz0K9e84lrqle9zr
	bx+FF63VN72v5GRtaBAtrWx0LgWwa3oZ2GBHMw/QxLozRUgzJ3QNBY7jzvKv/2NqZA09
	Xqf/AeNjtZsJDOsevvOU5R/6O7QuBE+284ZGMhWDev1mDX11cUcurCbEMwOSK6JIDtZG
	7kxA==
Received: by 10.205.135.132 with SMTP id ig4mr6555085bkc.20.1332618092639;
	Sat, 24 Mar 2012 12:41:32 -0700 (PDT)
Received: from kloomba ([95.104.138.75]) by mx.google.com with ESMTPS id
	zx16sm22838838bkb.13.2012.03.24.12.41.29
	(version=TLSv1/SSLv3 cipher=OTHER);
	Sat, 24 Mar 2012 12:41:30 -0700 (PDT)
Sender: Roman Bogorodskiy <bogorodskiy@gmail.com>
Date: Sat, 24 Mar 2012 23:41:27 +0400
From: Roman Bogorodskiy <novel@FreeBSD.org>
To: Kevin Oberman <kob6558@gmail.com>
Message-ID: <20120324194126.GA1296@kloomba>
References: <20120324172937.GA43822@DataIX.net>
	<CAN6yY1sZRYYB0ZGCp7J6yJUMyXtmjsNKnNPYn9O2_XorMRi3cQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6"
Content-Disposition: inline
In-Reply-To: <CAN6yY1sZRYYB0ZGCp7J6yJUMyXtmjsNKnNPYn9O2_XorMRi3cQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: ports@freebsd.org
Subject: Re: security/gnutls update when...
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2012 19:41:34 -0000


--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

  Kevin Oberman wrote:

> On Sat, Mar 24, 2012 at 10:29 AM, Jason Hellenthal
> <jhellenthal@dataix.net> wrote:
> >
> > Apparently this port has fell two versions behind. Is there anything
> > that is going to happen to update it to the current stable version ?
> >
> >
> > These advisories have been out for a week now. And the current version
> > is 2.12.18.
> >
> >
> > Database created: Sat Mar 24 13:15:03 EDT 2012
> > Affected package: gnutls-2.12.16
> > Type of problem: libtasn1 -- ASN.1 length decoding vulnerability.
> > Reference:
> > http://portaudit.FreeBSD.org/2e7e9072-73a0-11e1-a883-001cc0a36e12.html
> >
> > Affected package: gnutls-2.12.16
> > Type of problem: gnutls -- possible overflow/Denial of service
> > vulnerabilities.
> > Reference:
> > http://portaudit.FreeBSD.org/aecee357-739e-11e1-a883-001cc0a36e12.html
> >
> > 2 problem(s) in your installed packages found.
> >
> >
> >
> > --
> > ;s =3D;
>=20
> Note that one of these problems is with libtasn1 and is not a gnutls
> problems at all. So updating libtasn1actually fixes this one, although
> the other does require an update to a version of gnutls that has yet
> to be ported.

There's a vulnerability in gnutls also:

http://www.gnu.org/software/gnutls/security.html

Mu Dynamics released an advisory for both libtasn1 and gnutls:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959

gnutls one is tagged MU-201202-01 and libtasn1 on is MU-201202-02.

Roman Bogorodskiy

--IJpNTDwzlM2Ie8A6
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iQEcBAEBAgAGBQJPbiNmAAoJEMltX/4IwiJqcSoIAKkVuwXfNOjO78wTACw4lbXb
Cu0aLKwVu1dE+7PDH+1beGnCZSHn7vBbxXh7hZBi7AVXSm59Jf7CscUaAx11/sKS
LijusGXyLTz/GeMq32ncf/JoCw6EBqnwoet1W044jc49A+GEKYg0W+0p4ui+Xkco
pAKyC2psiYPBL7N4EZPGfty4JXalhPmfDzEf+EPvJk5WcsllodU7wBrqIOU9EcQe
xIKzS/yfx88tffU9Q2OFKyTBnJTFNQ9wdKy0WyhQwfeWqxEnAKi8LUWp4VW3BEdB
iF+I27tFLbzx3wzxlz8qSSWqqyyRQSYbkhXTlxcCMAkc1onWp9WtzgjtlZwATcE=
=IpEM
-----END PGP SIGNATURE-----

--IJpNTDwzlM2Ie8A6--