Date: Sat, 27 Aug 2011 17:00:06 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: urb@twe.net
Cc: mnag@FreeBSD.org, freebsd-ports@freebsd.org
Subject: Re: mail/postfix-policyd-spf relies on vulnerable mail/libspf2-10
Message-ID: <4E598506.2030507@FreeBSD.org>
In-Reply-To: <4E597167.8030403@twe.net>
References: <4E57FBC1.1020009@FreeBSD.org> <4E580082.1030202@FreeBSD.org> <4E59324E.5070602@twe.net> <4E595C14.9030503@FreeBSD.org> <4E597167.8030403@twe.net>

On 08/27/2011 15:36, Uffe R. B. Andersen wrote:
> On 27-08-2011 23:05, Doug Barton wrote:
>>> libspf2 port is currently libspf2-1.2.9_1 and according to the
>>> page you refer to, the vulnerability affects libspf2 <1.2.8.
>
>> Yes, that was my point. :) mail/libspf2-10 and mail/libspf2 are
>> different ports. mail/postfix-policyd-spf currently relies on the
>> former, it needs to be fixed to work with the latter instead.
>
> Sorry for missing that point, but as mail/libspf2-10 and mail/libspf2
> are different ports, why should vulnerabilities listed for only one of
> them apply for both?

I appreciate your responses, but I think you're missing one or more
large'ish pieces of the puzzle. Here is what I'm seeing with an up to
date portaudit db:

portaudit -a
Affected package: libspf2-1.0.4_1
Type of problem: libspf2 -- Buffer overflow.
Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html

pkg_info -qo libspf2-1.0.4_1
mail/libspf2-10

pkg_info -R libspf2-1.0.4_1
Information for libspf2-1.0.4_1:

Required by:
postfix-policyd-spf-1.0.1_3

cd /usr/ports/mail/libspf2-10/
make -V PKGNAME
libspf2-1.0.4_1

The solution here is that postfix-policyd-spf needs to be updated to not
rely on a vulnerable version of libspf2.


Doug

-- 
Nothin' ever doesn't change, but nothin' changes much.
    -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
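
The lookup chain in the message above (audit finding, then the packages that require it), as an added example that is not part of the original e-mail: it parses saved `portaudit -a` and `pkg_info -R` output and pairs each affected package with its dependents. The function names are hypothetical, the line layout of the tool output is assumed from the message, and the examplepkg/exampleapp entries are constructed.

```sh
#!/bin/sh
# Added example: function names are hypothetical; the output layout is
# assumed from the message above.

# Read `portaudit -a` output on stdin; print each affected package once.
affected_packages() {
    awk -F': *' '/^Affected package:/ { print $2 }' | sort -u
}

# Read `pkg_info -R` output on stdin; print the packages listed under
# "Required by:" in the block that belongs to package $1.
dependents_of() {
    awk -v pkg="$1" '
        /^Information for / { cur = $3; sub(/:$/, "", cur); in_req = 0; next }
        /^Required by:/     { in_req = (cur == pkg); next }
        NF == 0             { next }
        in_req              { print $1 }
    '
}

# $1 = portaudit output, $2 = pkg_info -R output.
# Prints "<vulnerable> required-by <dependent>", or "(none)" for a leaf.
report() {
    printf '%s\n' "$1" | affected_packages | while read -r pkg; do
        deps=$(printf '%s\n' "$2" | dependents_of "$pkg")
        if [ -n "$deps" ]; then
            printf '%s\n' "$deps" | awk -v p="$pkg" '{ print p " required-by " $0 }'
        else
            printf '%s required-by (none)\n' "$pkg"
        fi
    done
}

# Sample input: the libspf2 entries are the output quoted in the message;
# the examplepkg/exampleapp block is constructed.
SAMPLE_AUDIT='Affected package: libspf2-1.0.4_1
Type of problem: libspf2 -- Buffer overflow.
Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html'

SAMPLE_REQUIRED_BY='Information for libspf2-1.0.4_1:

Required by:
postfix-policyd-spf-1.0.1_3

Information for examplepkg-1.0:

Required by:
exampleapp-2.0'

report "$SAMPLE_AUDIT" "$SAMPLE_REQUIRED_BY"
```

Only packages that appear in the audit output are reported, so the unaffected examplepkg block is ignored even though it has a dependent.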