[Bug 233123] security/openssh-portable vuxml incorrect reporting of vulnerabilities

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Nov 11 07:38:00 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233123

            Bug ID: 233123
           Summary: security/openssh-portable vuxml incorrect reporting of
                    vulnerabilities
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: bdrewery at FreeBSD.org
          Reporter: dewayne at heuristicsystems.com.au
             Flags: maintainer-feedback?(bdrewery at FreeBSD.org)

I don't think that this "belongs" with openssh-portable but...

Doing
make -C /usr/ports/security/openssh-portable extract; # messages are generated
...
openssh-portable-7.9.p1 is vulnerable:
FreeBSD -- OpenSSH multiple vulnerabilities
CVE: CVE-2016-10010
CVE: CVE-2016-10009
WWW:
https://vuxml.FreeBSD.org/freebsd/2c948527-d823-11e6-9171-14dae9d210b8.html

Please note: I have built openssh-portable-7.9p1 on FreeBSD 11.2-STABLE with
openssl-1.1.1 by removing the following patch files:
 patch-341727df910e12e26ef161508ed76d91c40a61eb
 patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
 patch-868afa68469de50d8a43e5daf867d7c624a34d20
 patch-auth2.c
 patch-b81b2d120e9c8a83489e241620843687758925ad
 patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
 patch-misc.c
 patch-session.c
and commenting out from the Makefile:
#EXTRA_PATCHES+=              ${FILESDIR}/extra-patch-hpn-compat
#EXTRA_PATCHES+=              ${FILESDIR}/extra-patch-version-addendum

This is all purely experimental; the issue is the incorrect vulnerability
reporting.
