Vulnerable package in ports tree 29/01


Vulnerable package in ports tree 29/01

Sevan / Venture37-2

Re: Vulnerable package in ports tree 29/01

Michael McConville-3
Sevan / Venture37 wrote:
> emulators/qemu -
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1779

Do you mean in the 5.7 or 5.8 release trees? This was patched in August.


Re: Vulnerable package in ports tree 29/01

Stefan Sperling-5
In reply to this post by Sevan / Venture37-2
On Fri, Jan 29, 2016 at 06:19:53AM +0000, Sevan / Venture37 wrote:
> devel/subversion -
> http://subversion.apache.org/security/CVE-2015-5259-advisory.txt

This bug affected the 1.9 series only.

I haven't upgraded the OpenBSD port to 1.9 yet. I am still waiting
for more bugs to shake out. E.g. there are known crashes on sparc64
with a fix scheduled for the next 1.9.x release.


Re: Vulnerable package in ports tree 29/01

Landry Breuil-6
On Fri, Jan 29, 2016 at 11:32:03AM +0100, Stefan Sperling wrote:
> On Fri, Jan 29, 2016 at 06:19:53AM +0000, Sevan / Venture37 wrote:
> > devel/subversion -
> > http://subversion.apache.org/security/CVE-2015-5259-advisory.txt
>
> This bug affected the 1.9 series only.
>
> I haven't upgraded the OpenBSD port to 1.9 yet. I am still waiting
> for more bugs to shake out. E.g. there are known crashes on sparc64
> with a fix scheduled for the next 1.9.x release.

Which means.. sevan, instead of dropping a cold list of 'boooh, ports
affected by cves found on the internet' (that's how i interpret your
mails titled "Vulnerable package in ports tree"), it would be great if
you could assess the severity of the 'vulnerabilities' and check if they
actually affect the version we have in ports.

Yeah, i know, more homework, but in the end everyone wins :)

Landry


Re: Vulnerable package in ports tree 29/01

Stuart Henderson-6
In reply to this post by Sevan / Venture37-2
On 2016/01/29 06:19, Sevan / Venture37 wrote:
> emulators/qemu -
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1779
> devel/subversion -
> http://subversion.apache.org/security/CVE-2015-5259-advisory.txt
>
> Sevan / Venture37
>

Don't forget java :-)


Re: Vulnerable package in ports tree 29/01

Sevan / Venture37-2
In reply to this post by Landry Breuil-6


> On 29 January 2016 at 10:59, Landry Breuil <[hidden email]> wrote:
> Which means.. sevan, instead of dropping a cold list of 'boooh, ports
> affected by cves found on the internet' (that's how i interpret your
> mails titled "Vulnerable package in ports tree"), it would be great if
> you could assess the severity of the 'vulnerabilities' and check if they
> actually affect the version we have in ports.
>
> Yeah, i know, more homework, but in the end everyone wins :)


Apologies guys about the false alarm.
I'm not just blindly matching CVE with package name which I draft into an email.
For the qemu entry though, the patch went into the qemu tree early last year; the advisory was only published this month.
Looking in cvsweb, though the affected file does include a patch in ports, the CVE referenced is not listed (I should've looked at patches not making any assumptions).
What I'm saying is that I made a small effort, piled up on a couple of mistakes.
Subversion I took a listing elsewhere as correct (everything before 1.9.3).
Will try harder next time (earlier in the night as well).

Sevan
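One way to do the check Landry asks for and Sevan describes (compare the advisory's affected range against the port's upstream version, then see whether a port patch already cites the CVE id), written as an added example that is not from this thread or the ports tree. The subversion range is the one stated in the thread (1.9.x before 1.9.3); the port version and the patch file contents are constructed samples.

```python
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.9.2p1' -> (1, 9, 2). The pN suffix is the OpenBSD port revision,
    not part of the upstream version number an advisory refers to."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))

def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    return v + (0,) * (width - len(v))  # so that (1, 9) compares equal to (1, 9, 0)

def in_affected_range(port_version: str, first_affected: str, first_fixed: str) -> bool:
    """True if first_affected <= port_version < first_fixed (upstream numbering)."""
    vs = [parse_version(x) for x in (port_version, first_affected, first_fixed)]
    width = max(len(x) for x in vs)
    v, lo, hi = (_pad(x, width) for x in vs)
    return lo <= v < hi

def patches_mentioning(patches: Dict[str, str], cve: str) -> List[str]:
    """Names of port patch files whose text cites the CVE id (the manual
    'look in cvsweb' check). `patches` maps patch file name -> file contents."""
    return sorted(name for name, text in patches.items() if cve in text)

def triage(port_version: str, cve: str, first_affected: str, first_fixed: str,
           patches: Dict[str, str]) -> str:
    """Verdict for one (port, CVE) pair: out of range, already patched, or open."""
    if not in_affected_range(port_version, first_affected, first_fixed):
        return "not affected: port version outside the advisory's range"
    hits = patches_mentioning(patches, cve)
    if hits:
        return "already patched in ports: " + ", ".join(hits)
    return "needs attention: affected version and no patch cites " + cve

# Constructed sample data (not the real port version or a real patch file).
SAMPLE_PATCHES = {
    "patch-constructed_example_c": "Backport of the upstream fix for CVE-2015-5259\n",
}

if __name__ == "__main__":
    print(triage("1.8.15", "CVE-2015-5259", "1.9.0", "1.9.3", {}))
    print(triage("1.9.2", "CVE-2015-5259", "1.9.0", "1.9.3", SAMPLE_PATCHES))
    print(triage("1.9.2", "CVE-2015-5259", "1.9.0", "1.9.3", {}))
```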