Date: Wed, 25 Dec 2024 14:34:38 -0800
From: Enji Cooper <yaneurabeya@gmail.com>
To: Daniel Engberg <diizzy@FreeBSD.org>
Cc: "current@freebsd.org" <current@FreeBSD.org>
Subject: Re: Software in contrib we probably want to update before 14.2-RELEASE
Message-ID: <85B3FB4C-84E3-4F08-AAA0-FCF144FC733D@gmail.com>
In-Reply-To: <cd0e64d7-238d-40fc-a3b5-92892392cd53@FreeBSD.org>
References: <cd0e64d7-238d-40fc-a3b5-92892392cd53@FreeBSD.org>
> On Oct 23, 2024, at 12:26 PM, Daniel Engberg <diizzy@FreeBSD.org> wrote:
>
> Hi,
>
> I just had a quick look at contrib and found the following:
>
> OpenSSL should probably be updated due to https://openssl-library.org/news/secadv/20241016.txt
>
> Not imported as far as I can tell
>
> expat(2) should probably be updated due to https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes
>
> Committed in main as of ffd294a1f4c23863c3e515d16dce31d5509bcb01

Hi Daniel,
	I see that you posted this over 2 months ago, but I wanted to get back to you since no one did...
	- Xin Li took care of the 2.6.4 update / MFC of my changes.
	- CVE-2024-9143 is a low severity OpenSSL CVE (the CVE sounds like it’s not likely to trigger in the wild due to a combination of reasons). If I was re@, I’d personally like to see it rolled into an actual OpenSSL release first before taking the change in to a FreeBSD release so close to the actual FreeBSD release, or have it be rolled in to main and get some wall time first.
	I’ll see if I can do something about the CVE, since my group already tried addressing it [upstream].
Cheers,
-Enji