Date:      Wed, 12 Aug 2015 20:46:00 +0200
From:      Jan Beich <jbeich@FreeBSD.org>
To:        Mark Felder <feld@feld.me>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r393962 - head/security/vuxml
Message-ID:  <oaic-ny53-wny@FreeBSD.org>
In-Reply-To: <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com> (Mark Felder's message of "Wed, 12 Aug 2015 09:01:40 -0500")
References:  <201508111903.t7BJ3aD3086878@repo.freebsd.org> <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com>

Mark Felder <feld@feld.me> writes:

> On Tue, Aug 11, 2015, at 14:03, Jan Beich wrote:
>> Author: jbeich
>> Date: Tue Aug 11 19:03:36 2015
>> New Revision: 393962
>> URL: https://svnweb.freebsd.org/changeset/ports/393962
>>
>> Log:
>>   Move libvpx vulnerability into its own entry
[...]
>>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>> +  <vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
>> +    <topic>libvpx -- multiple buffer overflows</topic>
>> +    <affects>
>> +      <package>
>> +       <name>libvpx</name>
>> +       <range><lt>1.5.0</lt></range>
>> +      </package>
>> +    </affects>
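Review bot: the range `<range><lt>1.5.0</lt></range>` has no lower bound and its upper bound names a release that does not exist yet, so every libvpx version built so far, including the current 1.4.0 and any 1.4.0_N that carries a backported fix, will keep matching this entry until it is edited by hand; a bound on a future PORTREVISION cannot be written in advance either, since a bump may be unrelated. Consider stating in the entry that no fixed upstream release is known and that the range is to be tightened once the port is patched, so readers of the advisory see why the bound is provisional.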
>
> This should probably be <le>1.4.0</le> as although

<le> would be deceptive. The package is vulnerable. Whether there's a
known fix is less important. Current range is just a rough guess and can
be updated as the affected port is fixed.

On the downside maintainers may not be aware of a vulnerability. It'd be
nice if there were periodic mails about (still) vulnerable ports similar
to portscout. For one, multimedia/ffmpeg0 hasn't been updated yet
despite how trivial it should be -> too few users to notice?

> their release process seems obvious, they could release 1.4.1 or we
> could backport security fixes to 1.4.0_1

Depending on PORTREVISION in advance is unreliable as it can be
bumped for an unrelated reason.

Upstream doesn't have a good track record for patch releases. For one,
CVE-2014-1578 was never fixed in 1.3.x and Debian still carries around
the patch for it in their package.

> I'll try to keep an eye on this too.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202270

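The disagreement in the thread is about what a VuXML range actually matches. The script below is an added example written for this page, not code from the commit or from the FreeBSD ports tree: it parses a constructed VuXML fragment whose first entry mirrors the quoted libvpx entry and whose second entry is a hypothetical variant (placeholder vid) using `<le>1.4.0</le>`, then asks which entries flag a given package version. The version comparison is a deliberately simplified re-implementation (an assumption, not pkg's own code) that handles dotted numeric/alphabetic components, `_PORTREVISION` and `,EPOCH`; `pkg version -t` remains the authoritative comparison. The run shows the point made above: `<lt>1.5.0</lt>` flags 1.4.0 and 1.4.0_1 alike, while `<le>1.4.0</le>` silently stops matching at 1.4.0_1 whether or not that PORTREVISION bump carried a fix.

```python
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample: the first <vuln> mirrors the entry quoted in the thread;
# the second is a hypothetical variant (placeholder vid) bounded with <le>.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
    <topic>libvpx -- multiple buffer overflows</topic>
    <affects>
      <package>
        <name>libvpx</name>
        <range><lt>1.5.0</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="HYPOTHETICAL-le-variant">
    <topic>libvpx -- hypothetical entry using le</topic>
    <affects>
      <package>
        <name>libvpx</name>
        <range><le>1.4.0</le></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def version_key(version):
    """Comparable key for a FreeBSD package version: version[_rev][,epoch].

    Simplified on purpose (assumption, not pkg's algorithm): epoch is
    compared first, then dotted components split into numeric and alphabetic
    runs, then PORTREVISION. Use 'pkg version -t' for the real comparison."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    parts = []
    for component in version.split("."):
        for token in re.findall(r"\d+|[A-Za-z]+", component):
            # numeric runs compare numerically and sort after alphabetic runs
            parts.append((1, int(token)) if token.isdigit() else (0, token))
    return (epoch, tuple(parts), revision)


# VuXML bound tags; every bound inside one <range> must hold (conjunction)
BOUNDS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_elem):
    """True if the version satisfies every bound of one <range> element."""
    key = version_key(version)
    for bound in range_elem:
        tag = bound.tag[len(VUXML_NS):]
        if not BOUNDS[tag](key, version_key(bound.text.strip())):
            return False
    return True


def affected_entries(vuxml_text, pkgname, version):
    """Return the vids of every <vuln> whose <affects> matches pkgname/version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        for pkg in vuln.iter(VUXML_NS + "package"):
            if pkg.findtext(VUXML_NS + "name") != pkgname:
                continue
            # several <range> elements under one <package> are alternatives
            if any(in_range(version, r) for r in pkg.findall(VUXML_NS + "range")):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    for v in ["1.3.1", "1.4.0", "1.4.0_1", "1.5.0", "1.4.0,1"]:
        print(f"libvpx-{v:<8} -> {affected_entries(SAMPLE_VUXML, 'libvpx', v)}")
```

Note that an epoch-bumped `1.4.0,1` is flagged by neither entry, since the epoch is compared before anything else; that is the same reason a range written against a guessed future PORTREVISION or epoch is brittle.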