svn commit: r393962 - head/security/vuxml
Jan Beich
jbeich at FreeBSD.org
Thu Aug 13 14:03:16 UTC 2015
Mark Felder <feld at feld.me> writes:
> On Tue, Aug 11, 2015, at 14:03, Jan Beich wrote:
>> Author: jbeich
>> Date: Tue Aug 11 19:03:36 2015
>> New Revision: 393962
>> URL: https://svnweb.freebsd.org/changeset/ports/393962
>>
>> Log:
>> Move libvpx vulnerability into its own entry
[...]
>> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>> + <vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
>> + <topic>libvpx -- multiple buffer overflows</topic>
>> + <affects>
>> + <package>
>> + <name>libvpx</name>
>> + <range><lt>1.5.0</lt></range>
>> + </package>
>> + </affects>
>
> This should probably be <le>1.4.0</le> as although
<le> would be deceptive. The package is vulnerable. Whether there's a
known fix is less important. Current range is just a rough guess and can
be updated as the affected port is fixed.
On the downside maintainers may not be aware of a vulnerability. It'd be
nice if there were periodic mails about (still) vulnerable ports similar
to porstscout. For one, multimedia/ffmpeg0 haven't been updated yet
despite how trivial it should be -> too few users to notice?
> their release process seems obvious, they could release 1.4.1 or we
> could backport security fixes to 1.4.0_1
Depending on PORTREVISION in advance is unreliable as it can be
bumped for an unrelated reason.
Upstream doesn't have a good track record for patch releases. For one,
CVE-2014-1578 was never fixed in 1.3.x and Debian still carries around
the patch for it in their package.
> I'll try to keep an eye on this too.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202270
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 602 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-ports-all/attachments/20150812/317fdd39/attachment.bin>
More information about the svn-ports-all
mailing list