List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Message-Id: <9c707b4a-f8ee-4206-a935-5bc87409dfe9@app.fastmail.com>
In-Reply-To: <202310112223.39BMNY2Y092294@gitrepo.freebsd.org>
References: <202310112223.39BMNY2Y092294@gitrepo.freebsd.org>
Date: Thu, 12 Oct 2023 22:44:14 -0400
From: "Dan Langille"
To: "Sunpoet Po-Chuan Hsieh", ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: c06e206dffd4 - main - security/vuxml: Fix bca498407bf9e529936ebb68e9ca257bdd1428de

On Wed, Oct 11, 2023, at 6:23 PM, Po-Chuan Hsieh wrote:
> The branch main has been updated by sunpoet:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=c06e206dffd44ca562f86fbf55c06e361881bf47
>
> commit c06e206dffd44ca562f86fbf55c06e361881bf47
> Author: Po-Chuan Hsieh
> AuthorDate: 2023-10-11 22:22:51 +0000
> Commit: Po-Chuan Hsieh
> CommitDate: 2023-10-11 22:22:51 +0000
>
> security/vuxml: Fix bca498407bf9e529936ebb68e9ca257bdd1428de
>
> The pkg audit result before the fix:
> curl-8.4.0 is vulnerable:
> curl -- SOCKS5 heap buffer overflow
> CVE: CVE-2023-38545
> WWW:
> https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html
>
> 1 problem(s) in 1 installed package(s) found.
> --- > security/vuxml/vuln/2023.xml | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml > index d2b1be12644f..db04c1b9498f 100644 > --- a/security/vuxml/vuln/2023.xml > +++ b/security/vuxml/vuln/2023.xml > @@ -3,8 +3,7 @@ > > > curl > - 7.69.0 > - 8.4.0 > + 7.69.08.4.0 FreshPorts agrees with this change in that it no longer lists 8.4.0 as vuln However, my hosts are still getting: [2:42 dns1 dan ~] % sudo pkg audit -F vulnxml file up-to-date curl-8.4.0 is vulnerable: curl -- SOCKS5 heap buffer overflow CVE: CVE-2023-38545 WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html 1 problem(s) in 1 installed package(s) found. What do I need to do in order to propagate that fix? Thank you. > > > > @@ -35,6 +34,7 @@ > > 2023-09-30 > 2023-10-11 > + 2023-10-11 > > -- Dan Langille dan@langille.org
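
Review bot: the commit message identifies the defect only by the hash of the earlier commit and the "before" pkg audit output, so a reader of the first hunk (@@ -3,8 +3,7 @@) has to infer why replacing the two removed lines for 7.69.0 and 8.4.0 with a single added line stops curl-8.4.0 from matching. Suggest stating in the message what was wrong with the version bounds in the earlier entry, and including the pkg audit result after the fix so the change can be checked against the same package version. The reply in this thread reports pkg audit -F still flagging curl-8.4.0 after the commit, so a sentence on when the corrected entry reaches hosts would also help.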