Re: Quarterly branch ports question
- Reply: Pat : "Re: Quarterly branch ports question"
- In reply to: Pat : "Quarterly branch ports question"
Date: Sat, 20 Jul 2024 19:15:03 UTC
On 7/20/24 11:43, Pat wrote:
> Hello all,
>
> I maintain a FreeBSD 13 server that acts as an MTA on an
> internal network. It runs Exim, and is configured to update
> from the URL "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly".
>
> Today pkg upgrade installed version exim-4.97.1_5. I do not
> recall that version being available last week, so I assume this
> is a security release?
Changelog shows 4.97.1_5 was a bump for consumers of its dependency
dns/libidn:
https://cgit.freebsd.org/ports/commit/mail/exim?h=2024Q3&id=bae03bdd17b294e3354848e123f3ec4bd9b7592a
That change is a version bump just to guarantee that, when rebuilding
installed ports with tools like portupgrade/portmaster, exim will
also get rebuilt. It does not change anything about the exim program's
code or build steps. Refer to
https://docs.freebsd.org/en/books/porters-handbook/makefiles/#makefile-portrevision
for further clarification of the use of this variable that was modified
in the port.
> How can I find the changes introduced since version
> exim-4.97.1_4, which is what the server was at until the
> upgrade?
Easiest way I do it in a web browser is navigate to cgit.freebsd.org,
click on ports, click on the branch you want (the newest quarterly
branch), switch the view to 'tree', click the desired category (mail),
click on the port (exim). From here you can click on log at the top for
changes to the port as a whole or click on other links for log and
changes to individual files.
> In particular I'm curious to know if this version addresses
> CVE-2024-39929 (https://bugs.exim.org/show_bug.cgi?id=3099) by any
> chance. This is just an exercise in curiosity, and a chance to learn
> more about FreeBSD ports and packages.
Skimming over that bug report, it looks like fixes on 7/1 and 7/2
went into exim's codebase, but I only see notes of fixing it in 4.98.
https://git.exim.org/exim.git/shortlog/refs/heads/exim-4.97+security was
last updated 6 months ago so it does not look like the exim project has
fixed 4.97 themselves.
If this gets fixed for 4.97, I'd expect the change to the FreeBSD
port to either include a distinfo change so the file it downloads is
a fixed archive, download the patch separately, have ./files/ updated
to include the patch, or have the Makefile modified to include the
patch.
I don't follow how security is decided too well, but I presume that
the description would apply to any platform running exim, so it could be
a candidate for a VuXML database entry.
> Thanks!
> Pat
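The reply above makes a practical point: a PORTREVISION-only bump leaves distinfo and files/ untouched, whereas a change that actually carries a fix into the built package shows up as a new distfile checksum or a new local patch. The script below is an added example, not code from the thread or from the FreeBSD project; it compares two snapshots of a port directory and names which kind of change it sees. The snapshot contents (Makefile values, the SHA256 strings, the patch file name) are constructed for the example only; the Makefile and distinfo layout follow the real ports-tree format.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): classify the change
# between two snapshots of a port directory, to tell a PORTREVISION-only rebuild
# bump apart from a change that carries new code into the built package.
# A snapshot is any directory holding a Makefile, a distinfo and optionally files/.
set -eu

# Print the value of a simple "VAR=value" assignment in a port Makefile.
mk_var() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1/Makefile" | head -n 1
}

# Checksum over all local patches (files/patch-*); an empty set is stable too.
patch_digest() {
  for f in "$1"/files/patch-*; do
    [ -f "$f" ] && cat "$f"
  done | cksum
}

# classify_port_change OLD NEW -> one of:
#   distfile-changed     distinfo differs: new upstream archive or fetched patch
#   local-patch-changed  files/patch-* differ: a patch was added, removed or edited
#   revision-only        only PORTREVISION moved: same sources, same patches
#   no-change            nothing relevant differs
classify_port_change() {
  old=$1 new=$2
  if ! cmp -s "$old/distinfo" "$new/distinfo"; then
    echo "distfile-changed"
  elif [ "$(patch_digest "$old")" != "$(patch_digest "$new")" ]; then
    echo "local-patch-changed"
  elif [ "$(mk_var "$old" PORTREVISION)" != "$(mk_var "$new" PORTREVISION)" ]; then
    echo "revision-only"
  else
    echo "no-change"
  fi
}

# Constructed sample snapshots (hypothetical contents, for this example only).
SAMPLES=$(mktemp -d)
write_snapshot() {  # DIR PORTREVISION SHA256 [PATCHNAME]
  mkdir -p "$1/files"
  printf 'PORTNAME=\texim\nDISTVERSION=\t4.97.1\nPORTREVISION=\t%s\n' "$2" > "$1/Makefile"
  printf 'SHA256 (exim-4.97.1.tar.xz) = %s\nSIZE (exim-4.97.1.tar.xz) = 1000\n' "$3" > "$1/distinfo"
  if [ -n "${4:-}" ]; then
    printf '%s\n' 'constructed placeholder patch (hypothetical)' > "$1/files/$4"
  fi
}
write_snapshot "$SAMPLES/rev4" 4 aaaa
write_snapshot "$SAMPLES/rev5" 5 aaaa                       # dependency-driven bump
write_snapshot "$SAMPLES/rev6_patched" 6 aaaa patch-hypothetical-fix
write_snapshot "$SAMPLES/new_upstream" 0 bbbb

for pair in "rev4 rev5" "rev5 rev6_patched" "rev5 new_upstream"; do
  set -- $pair
  printf '%s -> %s: %s\n' "$1" "$2" \
    "$(classify_port_change "$SAMPLES/$1" "$SAMPLES/$2")"
done
```

On a real ports checkout the two snapshots are simply the port directory at two commits (for example the tree before and after the commit linked above), and `git log -- mail/exim` gives the same history as the cgit walk described in the reply. Whether a package version has a known advisory attached is a separate question answered by `pkg audit`, which consults the VuXML database the reply mentions.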