Date: Thu, 14 Oct 2021 16:52:23 -0700
From: Craig Leres <leres@freebsd.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: 3d4619833226 - main - security/vuxml: Document OpenSSH CVE-2021-41617
Message-ID: <61fe3d1f-bea3-b247-f549-ac7422e5d753@freebsd.org>
In-Reply-To: <ec1f0830-502b-e245-292d-aeb8038c6b67@freebsd.org>
References: <202110121807.19CI72HS040075@gitrepo.freebsd.org> <ec1f0830-502b-e245-292d-aeb8038c6b67@freebsd.org>
On 10/13/21 10:06, Craig Leres wrote:
> On 10/12/21 11:07, Bryan Drewery wrote:
>> The branch main has been updated by bdrewery:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=3d461983322612b91c19bf5fc6455b91dec8d60b
>>
>> commit 3d461983322612b91c19bf5fc6455b91dec8d60b
>> Author:     Bryan Drewery <bdrewery@FreeBSD.org>
>> AuthorDate: 2021-10-12 18:06:43 +0000
>> Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
>> CommitDate: 2021-10-12 18:06:43 +0000
>>
>>     security/vuxml: Document OpenSSH CVE-2021-41617
>> ---
>>  security/vuxml/vuln-2021.xml | 44
>> ++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 44 insertions(+)
>>
>> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>> index 82095255b54d..ca46c8d2fcce 100644
>> --- a/security/vuxml/vuln-2021.xml
>> +++ b/security/vuxml/vuln-2021.xml
>> @@ -1,3 +1,47 @@
>> + <vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
>> + <topic>OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly
>> initialise supplemental groups when executing an AuthorizedKeysCommand
>> or AuthorizedPrincipalsCommand</topic>
>> + <affects>
>> + <package>
>> + <name>openssh-portable</name>
>> + <name>openssh-portable-hpn</name>
>> + <name>openssh-portable-gssapi</name>
>> + <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
>
> On 10/12/21 14:15, Bryan Drewery wrote:
> > diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
> > index ca46c8d2fcce..42300253f921 100644
> > --- a/security/vuxml/vuln-2021.xml
> > +++ b/security/vuxml/vuln-2021.xml
> > @@ -5,7 +5,7 @@
> > <name>openssh-portable</name>
> > <name>openssh-portable-hpn</name>
> > <name>openssh-portable-gssapi</name>
> > - <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
> > + <range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
> > </package>
> > </affects>
> > <description>
>
> What am I doing wrong? Why don't I see the new openssh-portable vuxml db entry on my live systems by now? I believe pkg audit uses:
>
> http://vuxml.freebsd.org/freebsd/vuln.xml.xz
>
> In the past, changes to security/vuxml have been visible there fairly quickly.
>
> Craig
>
> # pkg info | fgrep openssh
> openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
> # rm -v /var/db/pkg/vuln.xml
> /var/db/pkg/vuln.xml
> # pkg audit -F -f /var/db/pkg/vuln.xml
> Fetching vuln.xml.xz: 100%  913 KiB 934.6kB/s    00:01
> 0 problem(s) in 0 installed package(s) found.
> # fgrep 8.7.p1_2 /var/db/pkg/vuln.xml
> #

About an hour after posting this the publicly visible vuln.xml picked up the new openssh-portable entry. But I suspect this was a coincidence since I never saw any email explaining the delay.

This afternoon I see a commit that has a <vuln> for Node.js (~18:31 UTC) but I don't see it in the public vuln.xml yet.

Did something change or is my expectation that a commit to security/vuxml becomes publicly visible within minutes/hours flawed?

		Craig
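Review bot: in the `@@ -1,3 +1,47 @@` hunk the upper bound of `<range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>` counts every 8.7.p1 port revision as affected, including whichever revision ships the fix, so a patched installation would keep being reported by pkg audit; the bound should be the first fixed port version, which is what the follow-up diff (index ca46c8d2fcce..42300253f921) changes it to with `<lt>8.7.p1_2,1</lt>`. Only the first dozen of the 44 added lines are quoted in this thread, so the `<description>` and references of the entry cannot be checked from here.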
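Review bot: the `@@ -5,7 +5,7 @@` hunk's new bound `<lt>8.7.p1_2,1</lt>` places the `openssh-portable-8.7.p1_1,1` from the quoted `pkg info` output inside the affected range, so the `0 problem(s)` result from `pkg audit -F` together with `fgrep 8.7.p1_2` finding nothing in the freshly fetched file points at the published vuln.xml.xz not yet carrying this commit rather than at the range itself; a short commit message stating why 8.7.p1_2 is the first fixed port version would let readers of the entry confirm the bound without chasing the ports history.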
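The two ranges in the quoted diffs differ only in their `<lt>` bound, and that bound decides whether a patched port revision keeps showing up in `pkg audit`. The following is an added example, not code from pkg(8), FreeBSD or anyone in this thread: it parses a VuXML fragment constructed from the entry quoted above and evaluates the `<range>` against installed package versions with a simplified version comparison (epoch after `,`, port revision after `_`, then dotted components, with a lettered component such as `p1` sorting after a bare number). That ordering is an assumption that covers the version shapes on this page; pkg's full rules (for example its handling of alpha/beta/rc suffixes) are not reproduced.

```python
"""Evaluate VuXML <range> bounds against installed package versions.

Added example, not pkg(8)'s or FreeBSD's implementation. The version
ordering is a simplification that matches pkg for the shapes used in
the thread (N.N.pN[_rev][,epoch]) but not for alpha/beta/rc suffixes.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the vuln entry quoted in the thread, carrying the
# narrowed upper bound from the follow-up commit.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
    <topic>OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand</topic>
    <affects>
      <package>
        <name>openssh-portable</name>
        <name>openssh-portable-hpn</name>
        <name>openssh-portable-gssapi</name>
        <range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_version(ver):
    """Split 'VERSION[_REVISION][,EPOCH]' into a comparable tuple.

    Ordering: epoch first, then the dotted version components, then the
    port revision. Each component becomes (number, letters, number) so
    that '8.7' < '8.7.p1' and '7' < '8' compare as plain tuples.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    comps = []
    for c in ver.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)(\d*)", c)
        if m is None:  # unexpected shape: order it by its text only
            comps.append((0, c.lower(), 0))
            continue
        n1, alpha, n2 = m.groups()
        comps.append((int(n1) if n1 else 0, alpha.lower(), int(n2) if n2 else 0))
    return (epoch, comps, revision)


_OPS = {
    "ge": lambda v, b: v >= b,
    "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b,
    "lt": lambda v, b: v < b,
}


def version_in_range(installed, bounds):
    """True when every bound in e.g. {'ge': '6.2.p1,1', 'lt': '8.7.p1_2,1'} holds."""
    v = parse_version(installed)
    for op, bound in bounds.items():
        if op not in _OPS:
            raise ValueError("unknown VuXML bound: %s" % op)
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def load_vulns(xml_text):
    """Return [{'vid': ..., 'packages': [(names, [bounds, ...]), ...]}, ...]."""
    root = ET.fromstring(xml_text)
    vulns = []
    for vuln in root.iter():
        if _local(vuln.tag) != "vuln":
            continue
        packages = []
        for pkg in vuln.iter():
            if _local(pkg.tag) != "package":
                continue
            names = [e.text.strip() for e in pkg if _local(e.tag) == "name"]
            ranges = [{_local(b.tag): b.text.strip() for b in rng}
                      for rng in pkg if _local(rng.tag) == "range"]
            packages.append((names, ranges))
        vulns.append({"vid": vuln.get("vid"), "packages": packages})
    return vulns


def audit(xml_text, installed):
    """Return (package, vid) pairs for installed packages inside an affected range."""
    hits = []
    for entry in load_vulns(xml_text):
        for names, ranges in entry["packages"]:
            for pkg in installed:
                name, ver = pkg.rsplit("-", 1)
                if name in names and any(version_in_range(ver, r) for r in ranges):
                    hits.append((pkg, entry["vid"]))
    return hits


if __name__ == "__main__":
    # The revision from the thread's pkg info output is flagged; the fixed
    # revision 8.7.p1_2 is not, which the original <lt>8.8.p1,1</lt> bound
    # would have got wrong.
    for hit in audit(VUXML_SAMPLE, ["openssh-portable-8.7.p1_1,1",
                                    "openssh-portable-8.7.p1_2,1"]):
        print("%s is vulnerable: %s" % hit)
```

Run it directly to see the audit result for both port revisions; swapping the `<lt>` value in `VUXML_SAMPLE` back to `8.8.p1,1` shows the fixed revision being reported as well, which is exactly what the second commit corrected.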