Re: Software in contrib we probably want to update before 14.2-RELEASE
- In reply to: Daniel Engberg : "Software in contrib we probably want to update before 14.2-RELEASE"
Date: Wed, 25 Dec 2024 22:34:38 UTC
> On Oct 23, 2024, at 12:26 PM, Daniel Engberg <diizzy@FreeBSD.org> wrote:
>
> Hi,
>
> I just had a quick look at contrib and found the following:
>
> OpenSSL should probably be updated due to https://openssl-library.org/news/secadv/20241016.txt
>
> Not imported as far as I can tell
>
> expat(2) should probably be updated due to https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes
>
> Committed in main as of ffd294a1f4c23863c3e515d16dce31d5509bcb01

Hi Daniel,

I see that you posted this over 2 months ago, but I wanted to get back to you since no one did...

- Xin Li took care of the 2.6.4 update / MFC of my changes.
- CVE-2024-9143 is a low severity OpenSSL CVE (the CVE sounds like it’s not likely to trigger in the wild due to a combination of reasons). If I were re@, I’d personally like to see it rolled into an actual OpenSSL release first before taking the change into a FreeBSD release so close to the actual FreeBSD release, or have it be rolled into main and get some wall time first.

I’ll see if I can do something about the CVE, since my group already tried addressing it [upstream].

Cheers,
-Enji