Missing CVEs in quirks


Missing CVEs in quirks

Rafael Sadowski
The diff contains some forgotten CVE entries in quirks. I went through
all the January commits and looked for CVE in the commit msg.

I also ran sort over the list.

OK, opinions?

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.834
diff -u -p -u -p -r1.834 Makefile
--- Makefile 31 Jan 2020 04:18:03 -0000 1.834
+++ Makefile 31 Jan 2020 05:20:09 -0000
@@ -5,7 +5,7 @@ CATEGORIES = devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME = quirks-3.225
+PKGNAME = quirks-3.226
 PKG_ARCH = *
 MAINTAINER = Marc Espie <[hidden email]>
 
Index: files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.851
diff -u -p -u -p -r1.851 Quirks.pm
--- files/Quirks.pm 31 Jan 2020 04:18:03 -0000 1.851
+++ files/Quirks.pm 31 Jan 2020 05:20:09 -0000
@@ -1476,11 +1476,11 @@ my $cve = {
  'archivers/libmspack' => 'libmspack-<0.8alpha',
  'archivers/p5-Archive-Zip' => 'p5-Archive-Zip-<1.64',
  'audio/flac' => 'flac-<1.3.0p1',
- 'databases/sqlite3' => 'sqlite3-<3.25.3',
- 'databases/mariadb,-main' => 'mariadb-client-<10.3.15',
+ 'databases/mariadb,-main' => 'mariadb-client-<10.3.22',
  'databases/mariadb,-server' => 'mariadb-server-<10.3.15',
  'databases/postgresql,-main' => 'postgresql-client-<10.6',
  'databases/postgresql,-server' => 'postgresql-server-<10.6',
+ 'databases/sqlite3' => 'sqlite3-<3.25.3',
  'devel/git,-main' => 'git-<2.19.1',
  'devel/git,-svn' => 'git-svn-<2.19.1',
  'devel/git,-x11' => 'git-x11-<2.19.1',
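Review bot: the mariadb pair becomes inconsistent in this hunk: 'databases/mariadb,-main' is raised to 'mariadb-client-<10.3.22' while the next context line still carries 'databases/mariadb,-server' => 'mariadb-server-<10.3.15'. Both subpackages come out of the same port at the same version, so if the January commit fixed CVEs in 10.3.22 the -server entry should move to 'mariadb-server-<10.3.22' as well; if the fixes really only touch the client library, saying so in the commit message would spare the next person re-checking. The sqlite3 move is purely the sort order and is fine.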
@@ -1504,7 +1504,7 @@ my $cve = {
  'lang/ruby/2.6,-main' => 'ruby->2.6,<2.6.2',
  'mail/dovecot,-main' => 'dovecot-<2.3.6',
  'mail/exim' => 'exim-<4.83',
- 'mail/p5-Mail-SpamAssassin' => 'p5-Mail-SpamAssassin-<3.4.2',
+ 'mail/p5-Mail-SpamAssassin' => 'p5-Mail-SpamAssassin-<3.4.4',
  'mail/roundcubemail' => 'roundcubemail-<1.3.8',
  'math/hdf5' => 'hdf5-<1.8.21',
  'multimedia/libquicktime' => 'libquicktime-<1.2.4p13',
@@ -1522,7 +1522,8 @@ my $cve = {
  'net/powerdns,-main' => 'powerdns-<4.1.5',
  'net/powerdns,-mysql' => 'powerdns-mysql-<4.1.5',
  'net/powerdns,-pgsql' => 'powerdns-pgsql-<4.1.5',
- 'net/samba,-main' => 'samba-<4.8.4',
+ 'net/rsync' => 'rsync-<3.1.3p0',
+ 'net/samba,-main' => 'samba-<4.9.18',
  'net/tinc' => 'tinc-<1.0.35v0',
  'net/transmission,-gtk' => 'transmission-gtk-<2.84',
  'net/transmission,-main' => 'transmission-<2.84',
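Review bot: 'net/rsync' => 'rsync-<3.1.3p0' flags rsync-3.1.3 but not rsync-3.1.3p0, so the threshold only does its job if p0 is the package revision that actually carries the fix; if the port was bumped past p0 when the patches landed, this bound is too low. The samba threshold moving from 4.8.4 to 4.9.18 replaces the old bound rather than adding a second entry, which is the right shape since the newer bound subsumes the older one.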
@@ -1535,6 +1536,7 @@ my $cve = {
  'print/cups,-main' => 'cups-<1.7.4',
  'security/clamav' => 'clamav-<0.100.2',
  'security/polarssl' => 'mbedtls-<2.16.4',
+ 'security/sudo' => 'sudo-<1.8.31',
  'shells/bash' => 'bash-<4.3.27',
  'sysutils/ansible,-main' => 'ansible-<2.7.1',
  'sysutils/mcollective' => 'mcollective-<2.5.3',

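The entries above all have the same shape: a port path mapping to a package-name spec such as 'sqlite3-<3.25.3', or a comma-separated list of constraints as in 'ruby->2.6,<2.6.2'. To make the checking concrete, here is an added Python example (mine, not code from this thread or from the quirks port) that parses such a fragment, decides whether a given installed package name falls inside a spec, and reports keys that are out of sort order, which is what running sort over the list enforces. The fragment is assembled from entries in the diff, the installed-package list is constructed, and the version ordering (epoch `vN` first, then dotted parts with alpha/beta/pre/rc sorting below the bare number, then patch level `pN`) is my simplified approximation of OpenBSD's package version rules, not the real OpenBSD::PackageName implementation.

```python
import re

# Constructed fragment in the shape of the quirks $cve hash; the entries are
# copied from the diff in this thread, the selection is mine.
CVE_FRAGMENT = """
 'archivers/libmspack' => 'libmspack-<0.8alpha',
 'databases/mariadb,-main' => 'mariadb-client-<10.3.22',
 'databases/sqlite3' => 'sqlite3-<3.25.3',
 'lang/ruby/2.6,-main' => 'ruby->2.6,<2.6.2',
 'mail/p5-Mail-SpamAssassin' => 'p5-Mail-SpamAssassin-<3.4.4',
 'net/rsync' => 'rsync-<3.1.3p0',
 'net/samba,-main' => 'samba-<4.9.18',
 'security/sudo' => 'sudo-<1.8.31',
"""

ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*'([^']+)'")
SPEC_RE = re.compile(r"(.+?)-([<>=].*)")        # name-<constraint>[,<constraint>...]
CONSTRAINT_RE = re.compile(r"(<=|>=|<|>|=)(.+)")
COMPONENT_RE = re.compile(r"(\d+)(alpha|beta|pre|rc)?(\d*)")
INSTALLED_RE = re.compile(r"(.+)-(\d.*)")         # stem-version, last '-' before a digit

# Pre-release labels sort below the bare number, so 0.8alpha < 0.8 (assumed rule).
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3}
RELEASE_RANK = 99

def parse_version(text):
    """Simplified OpenBSD-style version: epoch (vN) wins, then dotted parts,
    then patch level (pN). A version without pN sorts below the same one with p0."""
    epoch, patch = -1, -1
    m = re.search(r"v(\d+)$", text)
    if m:
        epoch, text = int(m.group(1)), text[:m.start()]
    m = re.search(r"p(\d+)$", text)
    if m:
        patch, text = int(m.group(1)), text[:m.start()]
    parts = []
    for comp in text.split("."):
        cm = COMPONENT_RE.fullmatch(comp)
        if cm is None:
            raise ValueError(f"unsupported version component {comp!r} in {text!r}")
        rank = PRERELEASE_RANK.get(cm.group(2), RELEASE_RANK)
        parts.append((int(cm.group(1)), rank, int(cm.group(3) or 0)))
    return (epoch, tuple(parts), patch)

OPERATORS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def parse_spec(spec):
    """'ruby->2.6,<2.6.2' -> ('ruby', [('>', <2.6>), ('<', <2.6.2>)])"""
    m = SPEC_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"not a version spec: {spec!r}")
    constraints = []
    for c in m.group(2).split(","):
        cm = CONSTRAINT_RE.fullmatch(c)
        if cm is None:
            raise ValueError(f"bad constraint {c!r} in {spec!r}")
        constraints.append((cm.group(1), parse_version(cm.group(2))))
    return m.group(1), constraints

def parse_cve_fragment(text):
    """Return the hash fragment as an ordered list of (port path, spec) pairs."""
    return ENTRY_RE.findall(text)

def out_of_order(text):
    """Port paths that sort before their predecessor, i.e. what `sort` would move."""
    paths = [p for p, _ in parse_cve_fragment(text)]
    return [p for prev, p in zip(paths, paths[1:]) if p < prev]

def matches(spec, pkgname):
    """True when an installed package name like 'sqlite3-3.25.2' falls inside spec."""
    name, constraints = parse_spec(spec)
    m = INSTALLED_RE.fullmatch(pkgname)
    if m is None or m.group(1) != name:
        return False
    version = parse_version(m.group(2))
    return all(OPERATORS[op](version, bound) for op, bound in constraints)

def vulnerable_packages(cve_text, installed):
    """(pkgname, port path, spec) for every installed package hit by an entry."""
    hits = []
    for path, spec in parse_cve_fragment(cve_text):
        for pkg in installed:
            if matches(spec, pkg):
                hits.append((pkg, path, spec))
    return hits

# Constructed package list standing in for what a host has installed.
INSTALLED = [
    "sqlite3-3.25.2",          # below 3.25.3                 -> flagged
    "samba-4.9.18",            # exactly at the threshold     -> clean
    "rsync-3.1.3",             # no patch level, below p0     -> flagged
    "ruby-2.6.1",              # inside (2.6, 2.6.2)          -> flagged
    "ruby-2.5.7",              # other branch, not > 2.6      -> clean
    "libmspack-0.8",           # 0.8 sorts above 0.8alpha     -> clean
    "sudo-1.8.29",             # below 1.8.31                 -> flagged
    "mariadb-server-10.3.15",  # only the -main spec is in the fragment -> clean
]

if __name__ == "__main__":
    for pkg, path, spec in vulnerable_packages(CVE_FRAGMENT, INSTALLED):
        print(f"{pkg}: known CVE via {path} ({spec})")
    print("out of order:", out_of_order(CVE_FRAGMENT))
```

The rsync case is the one Marc's remark below is about: with the bound at 3.1.3p0, a plain 3.1.3 package is flagged and 3.1.3p0 is not, so the patch level in the spec has to match the revision that carried the fix.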
Re: Missing CVEs in quirks

Björn Ketelaars
On Fri 31/01/2020 06:27, Rafael Sadowski wrote:
> The diff contains some forgotten CVE entries in quirks. I went through
> all the January commits and looked for CVE in the commit msg.
>
> I also ran sort over the list.
>
> OK, opinions?

My opinion is that we either maintain CVE entries in quirks, or remove
them completely. I prefer the first option.

Diff looks good.

OK bket@

Re: Missing CVEs in quirks

Rafael Sadowski
On Fri Jan 31, 2020 at 06:57:02AM +0100, Björn Ketelaars wrote:

> On Fri 31/01/2020 06:27, Rafael Sadowski wrote:
> > The diff contains some forgotten CVE entries in quirks. I went through
> > all the January commits and looked for CVE in the commit msg.
> >
> > I also ran sort over the list.
> >
> > OK, opinions?
>
> My opinion is that we either maintain CVE entries in quirks, or remove
> it completely. I prefer the first option.

+1, I also prefer the first one! I think more committers need to pay
attention here. I can keep an eye on it.

>
> Diff looks good.
>
> OK bket@
>

Re: Missing CVEs in quirks

Antoine Jacoutot-7
On Fri, Jan 31, 2020 at 06:57:02AM +0100, Björn Ketelaars wrote:

> On Fri 31/01/2020 06:27, Rafael Sadowski wrote:
> > The diff contains some forgotten CVE entries in quirks. I went through
> > all the January commits and looked for CVE in the commit msg.
> >
> > I also ran sort over the list.
> >
> > OK, opinions?
>
> My opinion is that we either maintain CVE entries in quirks, or remove
> it completely. I prefer the first option.

Agreed.
Although I prefer the second.

--
Antoine

Re: Missing CVEs in quirks

Marc Espie-2
On Fri, Jan 31, 2020 at 06:27:46AM +0100, Rafael Sadowski wrote:
> The diff contains some forgotten CVE entries in quirks. I went through
> all the January commits and looked for CVE in the commit msg.
>
> I also ran sort over the list.
>
> OK, opinions?
> + 'net/rsync' => 'rsync-<3.1.3p0',

Speaking more specifically about that one, the commit message for rsync
does explain that the CVE status is very much dubious for the fixes.

So adding it to quirks so that later we don't get into problems is good,
but it's definitely NOT an emergency.

It's getting to the point that you actually have to read CVEs to figure
out whether they are vulnerabilities or not. There's a huge difference
between Qualys's analysis and some undefined behavior that behaves the
same way in every architecture we have!

It's not really a problem to add things to the $cve list to be certain
we don't miss anything, but it's more of a question of whether or not
that stuff needs to hit stable.

Quirks is reasonably cheap.  Backporting fixes can be more costly, as we've
seen with firefox recently...

It's a bit annoying that you can no longer really trust CVE to really be that,
but I guess it was bound to happen.

Re: Missing CVEs in quirks

Todd C. Miller-3
On Fri, 31 Jan 2020 06:27:46 +0100, Rafael Sadowski wrote:

> The diff contains some forgotten CVE entries in quirks. I went through
> all the January commits and looked for CVE in the commit msg.

No objection from me.

 - todd

Re: Missing CVEs in quirks

Jeremie Courreges-Anglas-5
On Fri, Jan 31 2020, Rafael Sadowski <[hidden email]> wrote:
> The diff contains some forgotten CVE entries in quirks. I went through
> all the January commits and looked for CVE in the commit msg.
>
> I also ran sort over the list.
>
> OK, opinions?

ok for the samba entry, thanks for caring!

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE