Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71

Alexey Dokuchaev danfe at FreeBSD.org
Sun Dec 14 11:42:44 UTC 2014


On Sun, Dec 14, 2014 at 11:21:54AM +0000, Alexey Dokuchaev wrote:
> New Revision: 374697
> URL: https://svnweb.freebsd.org/changeset/ports/374697
> QAT: https://qat.redports.org/buildarchive/r374697/
> 
> Log:
>   Mark legacy branches -173, -96, and -71 as FORBIDDEN: they are
>   unsupported by NVidia and no security updates for them were issued
>   to fix CVE-2014-8298.
>   
>   Security:	fdf72a0e-8371-11e4-bc20-001636d274f3

I've marked these ports FORBIDDEN for now, but their fate is yet to be decided.
The last update to the -173 legacy branch, 173.14.39, added support for X.org xserver
ABI 15 (xorg-server 1.15), and it was confirmed to work with the upcoming v1.14
update (PR 195781), so it would be unfortunate to lose it just because NVidia
does not care about it anymore and won't provide a fix for CVE-2014-8298.

On the other hand, NVidia did provide mitigation techniques:

  - Configure the X server to prohibit X connections from the local area
    network (by passing the "-nolisten tcp" command line option to the X.Org
    X server) -- which we also default to, or
  - Disable GLX indirect contexts. With any of the fixed NVIDIA driver
    versions mentioned above, indirect GLX contexts can be prohibited by
    setting the "AllowIndirectGLXProtocol" X configuration option to False,
    or setting the "-iglx" X server command line option on X.Org 1.16 or
    newer.

So perhaps instead of forbidding them and subsequently removing them, we can
provide a pkg-message that tells users what they are facing and how to stay
safe (with a legal bla-bla about FreeBSD not being able to guarantee anything
if you use this vulnerable, unmaintained upstream port)?

I wonder what other people think.

./danfe
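As an added example (not part of this message or of the FreeBSD ports tree), here is a small POSIX sh check for whether either of the two NVIDIA-documented mitigations quoted above is in place, given the X server command line and the xorg.conf contents; the function name, the accepted boolean spellings and the sample inputs are assumptions, and the samples are constructed.

```shell
#!/bin/sh
# Added example: test whether an X.Org setup applies one of the two
# mitigations NVIDIA documented for CVE-2014-8298 on legacy drivers.
# Returns 0 when "-nolisten tcp" or "-iglx" is on the X command line,
# or when xorg.conf sets Option "AllowIndirectGLXProtocol" to a false
# value; returns 1 otherwise. Function name and inputs are assumptions.
cve_2014_8298_mitigated() {
    cmdline="$1"    # X server command line as a single string
    xorg_conf="$2"  # contents of xorg.conf as a single string

    case " $cmdline " in
        *" -nolisten tcp "*|*" -iglx "*) return 0 ;;
    esac

    # X.Org boolean options accept several spellings, case-insensitively.
    if printf '%s\n' "$xorg_conf" | grep -iqE \
        '^[[:space:]]*Option[[:space:]]+"AllowIndirectGLXProtocol"[[:space:]]+"(false|off|no|0)"'
    then
        return 0
    fi
    return 1
}

# Constructed sample inputs for demonstration only.
SAMPLE_CMDLINE_DEFAULT='/usr/local/bin/X :0 -nolisten tcp -auth /var/run/xauth'
SAMPLE_CMDLINE_OPEN='/usr/local/bin/X :0 -listen tcp'
SAMPLE_CONF_SAFE='Section "Screen"
    Identifier "Screen0"
    Option "AllowIndirectGLXProtocol" "False"
EndSection'
SAMPLE_CONF_UNSAFE='Section "Screen"
    Identifier "Screen0"
EndSection'

# Print a one-line verdict for a (command line, config) pair.
report() {
    if cve_2014_8298_mitigated "$1" "$2"; then
        echo "mitigated: $3"
    else
        echo "EXPOSED:   $3"
    fi
}

report "$SAMPLE_CMDLINE_DEFAULT" "$SAMPLE_CONF_UNSAFE" "FreeBSD default (-nolisten tcp)"
report "$SAMPLE_CMDLINE_OPEN" "$SAMPLE_CONF_SAFE" "TCP listener, indirect GLX disabled"
report "$SAMPLE_CMDLINE_OPEN" "$SAMPLE_CONF_UNSAFE" "TCP listener, indirect GLX allowed"
```

On a live system the two inputs would come from the running X process and /usr/local/etc/X11/xorg.conf (or its xorg.conf.d fragments), which is the kind of check a pkg-message could point users to.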
