From: Enji Cooper
Message-Id: <85B3FB4C-84E3-4F08-AAA0-FCF144FC733D@gmail.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Subject: Re: Software in contrib we probably want to update before 14.2-RELEASE
Date: Wed, 25 Dec 2024 14:34:38 -0800
To: Daniel Engberg
Cc: "current@freebsd.org"

> On Oct 23, 2024, at 12:26 PM, Daniel Engberg <diizzy@FreeBSD.org> wrote:
>
> Hi,
>
> I just had a quick look at contrib and found the following:
>
> OpenSSL should probably be updated due to https://openssl-library.org/news/secadv/20241016.txt
>
> Not imported as far as I can tell
>
> expat(2) should probably be updated due to https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes
>
> Committed in main as of ffd294a1f4c23863c3e515d16dce31d5509bcb01

Hi Daniel,

I see that you posted this over 2 months ago, but I wanted to get back to you since no one did...

- Xin Li took care of the 2.6.4 update / MFC of my changes.
- CVE-2024-9143 is a low severity OpenSSL CVE (the CVE sounds like it’s not likely to trigger in the wild due to a combination of reasons). If I was re@, I’d personally like to see it rolled into an actual OpenSSL release first before taking the change in to a FreeBSD release so close to the actual FreeBSD release, or have it be rolled in to main and get some wall time first.

I’ll see if I can do something about the CVE, since my group already tried addressing it [upstream].

Cheers,
-Enji
