From: Simon Kershaw <simon@kershaw.org.uk>
To: freebsd-pkg@freebsd.org
Subject: expat package
Date: Thu, 10 Jun 2021 16:45:55 +0100
Message-ID: <2b0f223315b7b0e6668563bdde887544@kershaw.org.uk>
List-Archive: https://lists.freebsd.org/archives/freebsd-pkg
Hi all,

Not sure if this is the right forum for this question, apologies if not.

Since 27 May, pkg audit tells me that there is a vulnerability in expat:

expat-2.2.10 is vulnerable:
texproc/expat2 -- billion laugh attack
CVE: CVE-2013-0340
WWW: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html

But "pkg upgrade expat" does not yet do anything.

Is someone responsible for maintaining the expat package and port? expat is currently at 2.4.1, so the FreeBSD version is a bit behind. This vulnerability was fixed on 23 May.

See https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/ which says

> If you maintain Expat packaging or a bundled copy of Expat or a pinned
> version of Expat
> somewhere, please update to 2.4.1. Thank you!

As I say, apologies if this is the wrong place for this.

Thanks
simon

--
Simon Kershaw
simon@kershaw.org.uk
St Ives, Cambridgeshire
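As an added illustration (not part of Simon's post and not FreeBSD's own pkg code), the following Python parses the text that `pkg audit` prints, in the shape quoted above, and triages each finding against an upstream fix version that the operator records by hand. It generalises the single expat case to any number of findings. The sample audit text, the second (placeholder) package and the simplified version ordering are constructed assumptions; on a real FreeBSD host `pkg version -t` is the authoritative way to order two version strings.

```python
"""Parse `pkg audit` output and triage findings against known upstream fixes.

Added example, not taken from the mailing-list post or from pkg itself.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, modelled on the pkg audit output quoted in the post.
# The second entry is invented to show a package with no recorded fix.
SAMPLE_AUDIT = """\
expat-2.2.10 is vulnerable:
textproc/expat2 -- billion laugh attack
CVE: CVE-2013-0340
WWW: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html

example-lib-1.0.3_2 is vulnerable:
devel/example-lib -- placeholder issue (constructed entry)
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-VUID.html

2 problem(s) in 2 installed package(s) found.
"""


@dataclass
class Finding:
    package: str
    version: str
    origin: str = ""
    summary: str = ""
    cves: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


# "<name>-<version> is vulnerable:" -- the version is everything after the last hyphen.
HEADER_RE = re.compile(r"^(?P<pkg>.+)-(?P<ver>[^-]+) is vulnerable:$")


def parse_pkg_audit(text: str) -> List[Finding]:
    """Group the audit text into one Finding per vulnerable package."""
    findings: List[Finding] = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Finding(m["pkg"], m["ver"])
            findings.append(cur)
            continue
        if cur is None or not line.strip():
            continue  # preamble or blank separator line
        if line.startswith("CVE:"):
            cur.cves.append(line[4:].strip())
        elif line.startswith("WWW:"):
            cur.urls.append(line[4:].strip())
        elif " -- " in line and not cur.origin:
            origin, summary = line.split(" -- ", 1)
            cur.origin, cur.summary = origin.strip(), summary.strip()
        # the trailing "N problem(s) ... found." summary matches none of the above
    return findings


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified ordering for port versions (assumption: dotted numeric
    components; PORTEPOCH ",N" and PORTREVISION "_N" are ignored). The real
    comparison, `pkg version -t`, also understands letter and patch-level
    suffixes; this key is only good enough for plain x.y.z strings."""
    base = version.split(",", 1)[0].split("_", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))


def triage(findings: List[Finding], fixed_upstream: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, status) pairs: does the installed version predate the fix?"""
    result = []
    for f in findings:
        fixed = fixed_upstream.get(f.package)
        if fixed is None:
            status = "no upstream fix version recorded; read the VuXML entry"
        elif version_key(f.version) < version_key(fixed):
            status = f"upgrade needed: {f.version} -> {fixed}"
        else:
            status = f"installed {f.version} is at or past {fixed}; check whether the VuXML range is stale"
        result.append((f.package, status))
    return result


# Upstream fix versions, recorded by hand (expat's 2.4.1 comes from the post).
# This mapping is an assumption and has to be maintained by whoever runs the script.
FIXED_UPSTREAM: Dict[str, str] = {"expat": "2.4.1"}

if __name__ == "__main__":
    for pkg, status in triage(parse_pkg_audit(SAMPLE_AUDIT), FIXED_UPSTREAM):
        print(f"{pkg}: {status}")
```

The useful distinction for a defender is the third branch: when the installed version is already at or past the upstream fix but `pkg audit` still complains, the VuXML entry's affected range (not the package) is what needs attention; when it is behind, as with expat-2.2.10 here, the port itself is what needs updating.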