From owner-svn-ports-all@freebsd.org  Thu Aug 13 14:03:16 2015
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BEA239B7B45
 for <svn-ports-all@mailman.ysv.freebsd.org>;
 Thu, 13 Aug 2015 14:03:16 +0000 (UTC)
 (envelope-from jbeich@freebsd.org)
Received: from vfemail.net (ninezero.vfemail.net [96.30.253.190])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 62D27C79
 for <svn-ports-all@freebsd.org>; Thu, 13 Aug 2015 14:03:15 +0000 (UTC)
 (envelope-from jbeich@freebsd.org)
Received: (qmail 14668 invoked by uid 89); 13 Aug 2015 14:03:03 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
 by localhost with (DHE-RSA-AES256-SHA encrypted) SMTP;
 13 Aug 2015 14:03:01 -0000
Received: (qmail 79442 invoked by uid 89); 12 Aug 2015 18:46:30 -0000
Received: by simscan 1.3.1 ppid: 79434, pid: 79438, t: 0.0043s scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
 by FreeQueue with SMTP; 12 Aug 2015 18:46:30 -0000
Received: (qmail 28290 invoked by uid 89); 12 Aug 2015 18:46:30 -0000
Received: by simscan 1.4.0 ppid: 28187, pid: 28213, t: 15.8875s scanners:none
Received: from unknown (HELO nil) (amJlaWNoQHZmZW1haWwubmV0@172.16.100.27)
 by 172.16.100.62 with ESMTPA; 12 Aug 2015 18:46:14 -0000
From: Jan Beich <jbeich@FreeBSD.org>
To: Mark Felder <feld@feld.me>
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: Re: svn commit: r393962 - head/security/vuxml
References: <201508111903.t7BJ3aD3086878@repo.freebsd.org>
 <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com>
Date: Wed, 12 Aug 2015 20:46:00 +0200
In-Reply-To: <1439388100.608633.354360737.36774BC8@webmail.messagingengine.com>
 (Mark Felder's message of "Wed, 12 Aug 2015 09:01:40 -0500")
Message-ID: <oaic-ny53-wny@FreeBSD.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 14:03:16 -0000

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Mark Felder <feld@feld.me> writes:

> On Tue, Aug 11, 2015, at 14:03, Jan Beich wrote:
>> Author: jbeich
>> Date: Tue Aug 11 19:03:36 2015
>> New Revision: 393962
>> URL: https://svnweb.freebsd.org/changeset/ports/393962
>>=20
>> Log:
>>   Move libvpx vulnerability into its own entry
[...]
>>  <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">
>> +  <vuln vid=3D"34e60332-2448-4ed6-93f0-12713749f250">
>> +    <topic>libvpx -- multiple buffer overflows</topic>
>> +    <affects>
>> +      <package>
>> +       <name>libvpx</name>
>> +       <range><lt>1.5.0</lt></range>
>> +      </package>
>> +    </affects>
>
> This should probably be <le>1.4.0</le> as although

<le> would be deceptive. The package is vulnerable. Whether there's a
known fix is less important. Current range is just a rough guess and can
be updated as the affected port is fixed.

On the downside maintainers may not be aware of a vulnerability. It'd be
nice if there were periodic mails about (still) vulnerable ports similar
to porstscout. For one, multimedia/ffmpeg0 haven't been updated yet
despite how trivial it should be -> too few users to notice?

> their release process seems obvious, they could release 1.4.1 or we
> could backport security fixes to 1.4.0_1

Depending on PORTREVISION in advance is unreliable as it can be
bumped for an unrelated reason.

Upstream doesn't have a good track record for patch releases. For one,
CVE-2014-1578 was never fixed in 1.3.x and Debian still carries around
the patch for it in their package.

> I'll try to keep an eye on this too.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D202270

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQF8BAEBCgBmBQJVy5RpXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREQjQ0MzY3NEM3RDIzNTc4NkUxNDkyQ0VF
NEM3Nzg4MzQ3OURCRERCAAoJEOTHeINHnb3blyEIAI9jeC0nQsntrcEBYxS0oOS6
LYasOpAw54M+idkfgkqFtF6YyP3Y3JfAPQux0fPpuqDAKKzU09lnPNdQV07kAh4o
DzdJHeK6HB7XgKYL5lqks+UUAV/vepBwhkmnoCwFeSuAlNLC2w2KB6hp6X2A1DsU
mguzvTKbOj+1CWJRbtP+4Fc5o78g0zXGY9oV4XIN0+qRGB854ZNL1k04ausspcR8
VPSV+iZ1rNG3APDf0mOosvbRBGuorPKgKOof3sLkFyU90VjcdxwXNStgNtufCVbM
y3tXusM+wF185khTwJvrtp3Uy4I5NVbeDmQ2cJrd9hZR85TFDxuXJbZziUgSTyE=
=sIbh
-----END PGP SIGNATURE-----
--=-=-=--