Date: Fri, 20 May 2022 05:49:47 -0700 (PDT)
From: Roger Marquis
To: Florian Smeets
cc: Andrea Venturoli, yasu@FreeBSD.org, ports@freebsd.org
Subject: Re: ClamAV security update
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

Thank you Florian!

If there are any policy changes that can be made to prevent this sort of issue (critical vulnerabilities not getting patches, or not showing up in vuln.xml for days or weeks after a CVE and/or update), please do recommend them to, well, who does set ports/security management policies?

Roger Marquis

> On 19.05.22 09:30, Andrea Venturoli wrote:
>>
>> Hello.
>>
>> I see ClamAV 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the
>> latter two closing "several CVE fixes".
>>
>> However, the port was not updated and not even portaudit entries were
>> added.
>>
>> Was this overlooked?
>> Are the FreeBSD ports somehow not affected?
>>
>
> I created a patch and PR a week ago. I was waiting for the maintainer
> timeout. After discussing with bapt I went ahead and committed the update
> without approval of the maintainer.
>
> IMHO, security fixes should be specifically mentioned in the blanket section.
>
> Florian
>