mail/postfix-policyd-spf relies on vulnerable mail/libspf2-10

Uffe R. B. Andersen urb at twe.net
Sun Aug 28 10:36:06 UTC 2011


On 28-08-2011 02:00, Doug Barton wrote:
> I appreciate your responses, but I think you're missing one or
> more large'ish pieces of the puzzle. Here is what I'm seeing with
> an up to date portaudit db:
> 
> portaudit -a
> Affected package: libspf2-1.0.4_1
> Type of problem: libspf2 -- Buffer overflow.
> Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
>
> pkg_info -qo libspf2-1.0.4_1
> mail/libspf2-10
>
> pkg_info -R libspf2-1.0.4_1
> Information for libspf2-1.0.4_1:
>
> Required by:
> postfix-policyd-spf-1.0.1_3
>
> cd /usr/ports/mail/libspf2-10/
> make -V PKGNAME
> libspf2-1.0.4_1
> 
> 
> The solution here is that postfix-policyd-spf needs to be updated
> to not rely on a vulnerable version of libspf2.

Indeed you're right. Googling the issue reveals that
postfix-policyd-spf apparently is rather unmaintained and people
suggest using the Perl or Python versions instead. I do remember
having this issue myself some 2 years ago, and nothing seems to have
happened since then. The Google results also show that
postfix-policyd-spf doesn't compile with newer versions of libspf2.

Perhaps we should ask to have postfix-policyd-spf removed from the
ports tree altogether?

-- 
Med venlig hilsen - Sincerely
Uffe R. B. Andersen - mailto:urb at twe.net
http://blog.andersen.nu/
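
The check shown in the quoted output, as an added example that is not part of the original message or of any FreeBSD tool: this Python cross-references `portaudit -a` findings with `pkg_info -R` output to list the installed packages that depend on a flagged one. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the output quoted in the message.
PORTAUDIT_OUT = """\
Affected package: libspf2-1.0.4_1
Type of problem: libspf2 -- Buffer overflow.
Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
"""
PKG_INFO_R_OUT = """\
Information for libspf2-1.0.4_1:

Required by:
postfix-policyd-spf-1.0.1_3
"""

def parse_portaudit(text):
    """Map each affected package to its "Type of problem" and "Reference"."""
    findings, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Affected package" and value:
            current = findings.setdefault(value, {})
        elif current is not None and key in ("Type of problem", "Reference"):
            current[key] = value.strip("<>")  # tolerate a <url> reference
    return findings

def parse_required_by(text):
    """Map each package in `pkg_info -R` output to the packages requiring it."""
    deps, current, in_list = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"Information for (\S+):", line)
        if header:
            current, in_list = header.group(1), False
            deps[current] = []
        elif line == "Required by:":
            in_list = current is not None
        elif in_list and line:
            deps[current].append(line)
    return deps

def exposed_dependents(portaudit_text, pkg_info_text):
    """List, per flagged package, the installed packages that depend on it."""
    required_by = parse_required_by(pkg_info_text)
    return {p: sorted(required_by.get(p, [])) for p in parse_portaudit(portaudit_text)}

if __name__ == "__main__":
    for pkg, users in exposed_dependents(PORTAUDIT_OUT, PKG_INFO_R_OUT).items():
        print(f"{pkg}: required by {', '.join(users) or 'nothing installed'}")
```

A flagged package with an empty dependents list can be removed or upgraded on its own; one with dependents, as here, stays installed until each dependent is rebuilt against a fixed version or removed.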


