From: Fernando Apesteguía <fernando.apesteguia@gmail.com>
Date: Fri, 20 May 2022 14:53:50 +0200
Subject: Re: ClamAV security update
To: Roger Marquis
Cc: Florian Smeets, Andrea Venturoli, Yasuhiro Kimura, ports FreeBSD
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On Fri., 20 May 2022 14:50, Roger Marquis <marquis@roble.com> wrote:

> Thank you Florian! If there are any policy changes that can be made to
> prevent this sort of issue (critical vulnerabilities not getting patches
> or not showing up in vuln.xml for days or weeks after a CVE and/or
> update) please do recommend them to, well, who does set ports/security
> management policies?
>

It helps if the PR contains the "security" keyword and sets "affects many people". That way it is easier for committers to notice which PRs might be critical.

> Roger Marquis
>
> > On 19.05.22 09:30, Andrea Venturoli wrote:
> >>
> >> Hello.
> >>
> >> I see Clamav 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the
> >> latter two closing "several CVE fixes".
> >>
> >> However, the port was not updated and not even portaudit entries were
> >> added.
> >>
> >> Was this overlooked?
> >> Are the FreeBSD ports somehow not affected?
> >>
> >
> > I created a patch and PR a week ago. I was waiting for the maintainer
> > timeout. After discussing with bapt I went ahead and committed the update
> > without approval of the maintainer.
> >
> > IMHO, security fixes should be specifically mentioned in the blanket section.
> >
> > Florian
> >