Date: Thu, 14 Oct 2021 16:52:23 -0700
Subject: Re: git: 3d4619833226 - main - security/vuxml: Document OpenSSH CVE-2021-41617
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Message-ID: <61fe3d1f-bea3-b247-f549-ac7422e5d753@freebsd.org>
From: Craig Leres <leres@freebsd.org>
To: Bryan Drewery, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
References: <202110121807.19CI72HS040075@gitrepo.freebsd.org>

On 10/13/21 10:06, Craig Leres wrote:
> On 10/12/21 11:07, Bryan Drewery wrote:
>> The branch main has been updated by bdrewery:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=3d461983322612b91c19bf5fc6455b91dec8d60b
>>
>> commit 3d461983322612b91c19bf5fc6455b91dec8d60b
>> Author:     Bryan Drewery
>> AuthorDate: 2021-10-12 18:06:43 +0000
>> Commit:     Bryan Drewery
>> CommitDate: 2021-10-12 18:06:43 +0000
>>
>>      security/vuxml: Document OpenSSH CVE-2021-41617
>> ---
>>   security/vuxml/vuln-2021.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 44 insertions(+)
>>
>> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>> index 82095255b54d..ca46c8d2fcce 100644
>> --- a/security/vuxml/vuln-2021.xml
>> +++ b/security/vuxml/vuln-2021.xml
>> @@ -1,3 +1,47 @@
>> +
>> +    OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly
>> initialise supplemental groups when executing an AuthorizedKeysCommand
>> or AuthorizedPrincipalsCommand
>> +
>> +
>> +    openssh-portable
>> +    openssh-portable-hpn
>> +    openssh-portable-gssapi
>> +    6.2.p1,18.8.p1,1
>
> On 10/12/21 14:15, Bryan Drewery wrote:
> > diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
> > index ca46c8d2fcce..42300253f921 100644
> > --- a/security/vuxml/vuln-2021.xml
> > +++ b/security/vuxml/vuln-2021.xml
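Review bot: the range line `+    6.2.p1,18.8.p1,1` in the first hunk puts the upper bound at the next upstream release (8.8.p1,1) rather than at the port revision that carries the fix, so a system already updated to the patched 8.7.p1_2 build would still be reported by pkg audit as vulnerable; the bound should be the fixed port version, `8.7.p1_2,1`, which is exactly what the follow-up commit quoted next changes (`-    6.2.p1,18.8.p1,1` / `+    6.2.p1,18.7.p1_2,1`). Note also that the extraction of this hunk has stripped the XML tags, so the lower and upper bounds appear fused on one line.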
> > @@ -5,7 +5,7 @@
> >       openssh-portable
> >       openssh-portable-hpn
> >       openssh-portable-gssapi
> > -    6.2.p1,18.8.p1,1
> > +    6.2.p1,18.7.p1_2,1
> >
> >
> >
>
> What am I doing wrong? Why don't I see the new openssh-portable vuxml db
> entry on my live systems by now? I believe pkg audit uses:
>
>     http://vuxml.freebsd.org/freebsd/vuln.xml.xz
>
> In the past changes to the security/vuxml have been visible there fairly
> quickly.
>
>         Craig
>
> # pkg info | fgrep openssh
> openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
> # rm -v /var/db/pkg/vuln.xml
> /var/db/pkg/vuln.xml
> # pkg audit -F -f /var/db/pkg/vuln.xml
> Fetching vuln.xml.xz: 100%  913 KiB 934.6kB/s    00:01
> 0 problem(s) in 0 installed package(s) found.
> # fgrep 8.7.p1_2 /var/db/pkg/vuln.xml
> #

About an hour after posting this the publicly visible vuln.xml picked up the new openssh-portable entry. But I suspect this was a coincidence since I never saw any email explaining the delay.

This afternoon I see a commit that has a for Node.js (~18:31 UTC) but I don't see it in the public vuln.xml yet. Did something change or is my expectation that a commit to security/vuxml becomes publicly visible within minutes/hours flawed?

		Craig
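The two quoted commits differ only in the upper bound of the version range, and that bound decides whether the patched 8.7.p1_2 build is reported or not. As an added example (not code from the thread or from the ports tree), the following Python matcher parses a constructed VuXML-style entry and checks an installed package version against its range, roughly what pkg audit does for one package, under a deliberately simplified model of pkg(8) version ordering. The package names and bounds come from the thread; the vid, the namespace-less structure and the comparison rules are assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment (simplified: no namespace, description or dates).
# Package names and the corrected range are from the thread; vid/structure are assumed.
VUXML_SAMPLE = """<vuxml>
  <vuln vid="example-vid-placeholder">
    <topic>OpenSSH -- CVE-2021-41617 (supplemental groups not initialised)</topic>
    <affects><package>
      <name>openssh-portable</name>
      <name>openssh-portable-hpn</name>
      <name>openssh-portable-gssapi</name>
      <range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def parse_pkg_version(v):
    """Simplified pkg(8) ordering: PORTEPOCH after ',', PORTREVISION after '_',
    dotted components split into digit/letter runs (pkg's 'pl'/'a'/'b' rules omitted)."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = [(1, int(t)) if t.isdigit() else (0, t)
             for p in v.split(".") for t in re.findall(r"\d+|[A-Za-z]+", p)]
    return (epoch, comps, revision)

def version_in_range(installed, ge, lt):
    """True when ge <= installed < lt under the ordering above."""
    return parse_pkg_version(ge) <= parse_pkg_version(installed) < parse_pkg_version(lt)

def audit(vuxml_text, pkg_name, pkg_version):
    """Topics of entries matching one installed package, roughly what pkg audit reports."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg_name not in [n.text for n in pkg.findall("name")]:
                continue
            for rng in pkg.findall("range"):
                ge, lt = rng.findtext("ge"), rng.findtext("lt")
                if ge and lt and version_in_range(pkg_version, ge, lt):
                    hits.append(vuln.findtext("topic"))
    return hits

if __name__ == "__main__":
    for ver in ("8.7.p1_1,1", "8.7.p1_2,1"):  # revision installed in the thread, and the fixed one
        print(ver, version_in_range(ver, "6.2.p1,1", "8.8.p1,1"), audit(VUXML_SAMPLE, "openssh-portable", ver))
```

Under the original bound 8.8.p1,1 both revisions are flagged, including the patched 8.7.p1_2; under the corrected entry only 8.7.p1_1 is.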