Date: Wed, 22 Jun 2022 09:01:05 GMT
Message-Id: <202206220901.25M915KB003823@gitrepo.freebsd.org>
From: Bernard Spil
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: da7e737639a0 - main - security/vuxml: Document OpenSSL vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

The branch main has been updated by brnrd:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=da7e737639a077e954426e5400c3ce15754f54da commit da7e737639a077e954426e5400c3ce15754f54da Author: Bernard Spil AuthorDate: 2022-06-22 08:29:39 +0000 Commit: Bernard Spil CommitDate: 2022-06-22 08:29:39 +0000 security/vuxml: Document OpenSSL vulnerability * Pet `make validate` * Fix spacing for 482456fb-e9af-11ec-93b6-318d1419ea39 * Add discovery date for 482456fb-e9af-11ec-93b6-318d1419ea39 using tor wiki page update date. --- .../files/patch-Configurations_10-main.conf | 16 --------- security/openssl/files/patch-config | 20 ----------- security/vuxml/vuln-2022.xml | 40 ++++++++++++++++++++-- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/security/openssl/files/patch-Configurations_10-main.conf b/security/openssl/files/patch-Configurations_10-main.conf deleted file mode 100644 index 03be5801b885..000000000000 --- a/security/openssl/files/patch-Configurations_10-main.conf +++ /dev/null @@ -1,16 +0,0 @@ ---- Configurations/10-main.conf.orig 2021-12-14 15:45:01 UTC -+++ Configurations/10-main.conf -@@ -988,6 +988,13 @@ my %targets = ( - perlasm_scheme => "elf", - }, - -+ "BSD-aarch64" => { -+ inherit_from => [ "BSD-generic64", asm("aarch64_asm") ], -+ lib_cppflags => add("-DL_ENDIAN"), -+ bn_ops => "SIXTY_FOUR_BIT_LONG", -+ perlasm_scheme => "linux64", -+ }, -+ - "bsdi-elf-gcc" => { - inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], - CC => "gcc", diff --git a/security/openssl/files/patch-config b/security/openssl/files/patch-config deleted file mode 100644 index d83edae81ff7..000000000000 --- a/security/openssl/files/patch-config +++ /dev/null 
@@ -1,20 +0,0 @@ ---- config.orig 2021-08-24 13:38:47 UTC -+++ config -@@ -708,14 +708,9 @@ case "$GUESSOS" in - ia64-*-*bsd*) OUT="BSD-ia64" ;; - x86_64-*-dragonfly*) OUT="BSD-x86_64" ;; - amd64-*-*bsd*) OUT="BSD-x86_64" ;; -- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc... -- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD -- libc=/usr/lib/libc.so -- else # OpenBSD -- # ld searches for highest libc.so.* and so do we -- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null` -- fi -- case "`(file -L $libc) 2>/dev/null`" in -+ arm64-*-*bsd*) OUT="BSD-aarch64" ;; -+ *86*-*-*bsd*) -+ case "`(file -L /bin/sh) 2>/dev/null`" in - *ELF*) OUT="BSD-x86-elf" ;; - *) OUT="BSD-x86"; options="$options no-sse2" ;; - esac ;; diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 93de1ddaa75c..eb6d8c7f454d 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,39 @@ + + OpenSSL -- Command injection vulnerability + + + openssl + 1.1.1p,1 + + + openssl-devel + 3.0.4 + + + openssl-quictls + 3.0.4 + + + + +

The OpenSSL project reports:

+
+

Circumstances where the c_rehash script does not properly + sanitise shell metacharacters to prevent command injection were + found by code review.

+
+ +
+ + CVE-2022-2068 + https://www.openssl.org/news/secadv/20220621.txt + + + 2022-06-21 + 2022-06-22 + +
+ chromium -- multiple vulnerabilities @@ -44,7 +80,7 @@ - Security Vulnerability found in ExifTool leading to RCE + Security Vulnerability found in ExifTool leading to RCE p5-Image-ExifTool @@ -129,7 +165,7 @@ https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE - TBD + 2022-06-14 2022-06-17
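Review bot: The two deleted files under security/openssl/files (patch-Configurations_10-main.conf and patch-config) are not covered by the commit message, which lists only security/vuxml changes. If dropping the local BSD-aarch64 target and the `arm64-*-*bsd*` / `file -L /bin/sh` detection is intended, it belongs in its own security/openssl commit with a rationale; if the deletions were staged by accident, remove them from this change so the vuxml entry can be reviewed on its own.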
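Review bot: In the new OpenSSL entry added by the @@ -1,3 +1,39 @@ hunk of vuln-2022.xml, the openssl bound carries a PORTEPOCH (1.1.1p,1) while openssl-devel and openssl-quictls use a bare 3.0.4. Please confirm that neither of those two ports has an epoch, because a bound with the wrong epoch compares incorrectly and `pkg audit` would then mis-report which installs are affected. Consider also naming c_rehash in the topic, so the affected component is visible in audit output without opening the description.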
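Review bot: The ExifTool topic line in the @@ -44,7 +80,7 @@ hunk differs only in whitespace as far as the visible text shows, and it still does not follow the "name -- description" form used by the neighbouring topics ("OpenSSL -- Command injection vulnerability", "chromium -- multiple vulnerabilities"). Since the line is being touched anyway, consider rewording it to start with the port name, p5-Image-ExifTool.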
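Review bot: In the @@ -129,7 +165,7 @@ hunk the discovery date changes from TBD to 2022-06-14, which per the commit message is the update date of the Tor wiki page rather than a date stated by the project. A short XML comment next to the date recording that source would keep a later editor from treating it as authoritative.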