From: Pat
Date: Sat, 20 Jul 2024 21:30:45 +0000
To: questions@freebsd.org
Subject: Re: Quarterly branch ports question
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Saturday, July 20th, 2024 at 19:15, Edward Sanford Sutton, III wrote:

> On 7/20/24 11:43, Pat wrote:
>
> > Hello all,
> >
> > I maintain a FreeBSD 13 server that acts as an MTA on an
> > internal network. It runs Exim, and is configured to update
> > from the URL "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly".
> >
> > Today pkg upgrade installed version exim-4.97.1_5. I do not
> > recall that version being available last week, so I assume this
> > is a security release?
>
> Changelog shows 4.95.1_5 was to bump to consumers of its dependency
> dns/libidn:
> https://cgit.freebsd.org/ports/commit/mail/exim?h=2024Q3&id=bae03bdd17b294e3354848e123f3ec4bd9b7592a
> . That change is a version bump just to guarantee that if rebuilding
> installed ports with tools like portupgrade/portmaster that exim will
> also get rebuilt. It does not change anything about the exim program's
> code/buildsteps. Refer to
> https://docs.freebsd.org/en/books/porters-handbook/makefiles/#makefile-portrevision
> for further clarification of the use of this variable that was modified
> in the port.
>
> > How can I find the changes introduced since version
> > exim-4.97.1_4, which is what the server was at until the
> > upgrade?
>
> Easiest way I do it in a web browser is navigate to cgit.freebsd.org,
> click on ports, click on the branch you want (the newest quarterly
> branch), switch the view to 'tree', click the desired category (mail),
> click on the port (exim). From here you can click on log at the top for
> changes to the port as a whole or click on other links for log and
> changes to individual files.

OK, that was what I found, but I figured, since it was dated 02 May, and I know I have updated since then, that I was missing something. But it occurred to me that this is the Q3 quarterly branch, so that would not have been released until 01 July at the earliest anyhow, eh?

I almost always update on Saturday mornings (US CDT), and since that did not show up last week I figured this was a security update. But perhaps my understanding is flawed? I see updates to that branch as recent as a few hours ago, so does it continue to receive updates that will be picked up when tracking quarterly?

> > In particular I'm curious to know if this version addresses
> > CVE-2024-39929 (https://bugs.exim.org/show_bug.cgi?id=3099) by any
> > chance. This is just an exercise in curiosity, and a chance to learn
> > more about FreeBSD ports and packages.
>
> Skimming over that bug report, it looks like fixes on 7/1 and 7/2
> went into exim's codebase but I only see notes of fixing it on 4.98.
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4.97+security was
> last updated 6 months ago so it does not look like the exim project has
> fixed 4.97 themselves.
> If this gets fixed for 4.97, I'd expect the change to the FreeBSD
> port to either include a distinfo change about the file it downloads to
> be for a fixed archive, download the patch separately, or have the
> ./files/ updated to include the patch or have the Makefile modified to
> include the patch.
> I don't follow how security is decided too well but I presume that
> the description would apply to any platform running exim so it could be
> a candidate to maybe be a vuxml database entry.

Yeah, I was expecting the fix for the CVE that I mentioned to only show up in 4.98, but having a lot of experience with Debian I have seen things like that backported to the version that they maintain. I had no reason to suspect that here but figured it can't hurt to ask.

On a side note, I did see my Poudriere jail pick up 4.98. I am in the process of migrating everything to that, so I'll have that patched version rolled out at some point.

Really appreciate the time you took to answer my questions.
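The thread turns on reading a FreeBSD package version string correctly: exim-4.97.1_4 to exim-4.97.1_5 is a PORTREVISION bump (the port was rebuilt, upstream source unchanged), while a change in the upstream part of the version is what would carry a fix like the one discussed for CVE-2024-39929. The following POSIX sh script is an added example, not code from the thread or from the FreeBSD project. It splits name-VERSION[_PORTREVISION][,PORTEPOCH] strings, classifies an old/new pair so an administrator knows whether to read the port's commit log or the upstream changelog, and builds the cgit log URL for the port on a quarterly branch (the /log/<path>?h=<branch> URL shape is cgit's general convention, assumed here from the commit URL quoted in the thread). The sample version strings at the bottom are constructed from the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: classify a FreeBSD package upgrade from its version strings.
# Package version format: name-VERSION[_PORTREVISION][,PORTEPOCH]
# e.g. exim-4.97.1_5  ->  name=exim version=4.97.1 portrevision=5 epoch=0

# pkg_split NAME-VERSION
# Prints four space-separated fields: name upstream_version portrevision epoch.
pkg_split() {
    pkg=$1
    name=${pkg%-*}      # everything before the last '-'
    ver=${pkg##*-}      # everything after the last '-'
    epoch=0
    case $ver in
        *,*) epoch=${ver##*,}; ver=${ver%,*} ;;   # strip ",PORTEPOCH"
    esac
    rev=0
    case $ver in
        *_*) rev=${ver##*_}; ver=${ver%_*} ;;     # strip "_PORTREVISION"
    esac
    printf '%s %s %s %s\n' "$name" "$ver" "$rev" "$epoch"
}

# classify_upgrade OLD NEW
# Prints one of: unchanged | portrevision-bump | upstream-change | different-package
classify_upgrade() {
    # Positional params: $1..$4 = old fields, $5..$8 = new fields
    set -- $(pkg_split "$1") $(pkg_split "$2")
    if [ "$1" != "$5" ]; then
        echo "different-package"
    elif [ "$2" = "$6" ] && [ "$4" = "$8" ]; then
        if [ "$3" = "$7" ]; then
            echo "unchanged"
        else
            echo "portrevision-bump"
        fi
    else
        echo "upstream-change"
    fi
}

# explain CLASS
# What each classification means for someone deciding where to look next.
explain() {
    case $1 in
        portrevision-bump)
            echo "Only PORTREVISION changed: the port was rebuilt (typically a dependency bump)."
            echo "Upstream source is the same; read the port's commit log for the reason." ;;
        upstream-change)
            echo "Upstream version or epoch changed: read the upstream changelog and advisories,"
            echo "and run 'pkg audit -F' to refresh and check the vuxml database." ;;
        unchanged)
            echo "Same package version; nothing to review." ;;
        different-package)
            echo "Names differ; not a like-for-like upgrade." ;;
    esac
}

# cgit_log_url CATEGORY/PORT BRANCH
# Assumed cgit URL shape for the port's commit log on a quarterly branch.
cgit_log_url() {
    printf 'https://cgit.freebsd.org/ports/log/%s?h=%s\n' "$1" "$2"
}

# Constructed sample input, taken from the versions mentioned in the thread.
old_pkg="exim-4.97.1_4"
new_pkg="exim-4.97.1_5"
class=$(classify_upgrade "$old_pkg" "$new_pkg")
echo "$old_pkg -> $new_pkg: $class"
explain "$class"
echo "Port log: $(cgit_log_url mail/exim 2024Q3)"
```

Run it as-is to see the classification for the thread's own case; in practice the two version strings would come from `pkg info` before and after the upgrade.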