From nobody Thu Oct 14 23:52:23 2021
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5E56918068B9;
	Thu, 14 Oct 2021 23:52:25 +0000 (UTC)
	(envelope-from leres@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HVmRF1pKwz3w3j;
	Thu, 14 Oct 2021 23:52:25 +0000 (UTC)
	(envelope-from leres@freebsd.org)
Received: from [IPV6:2620:83:8000:102::cb] (hot.ee.lbl.gov [IPv6:2620:83:8000:102::cb])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate)
	(Authenticated sender: leres)
	by smtp.freebsd.org (Postfix) with ESMTPSA id BB1F38312;
	Thu, 14 Oct 2021 23:52:24 +0000 (UTC)
	(envelope-from leres@freebsd.org)
Message-ID: <61fe3d1f-bea3-b247-f549-ac7422e5d753@freebsd.org>
Date: Thu, 14 Oct 2021 16:52:23 -0700
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101
 Thunderbird/91.2.0
Subject: Re: git: 3d4619833226 - main - security/vuxml: Document OpenSSH
 CVE-2021-41617
Content-Language: en-US
From: Craig Leres <leres@freebsd.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, ports-committers@FreeBSD.org,
 dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
References: <202110121807.19CI72HS040075@gitrepo.freebsd.org>
 <ec1f0830-502b-e245-292d-aeb8038c6b67@freebsd.org>
In-Reply-To: <ec1f0830-502b-e245-292d-aeb8038c6b67@freebsd.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-ThisMailContainsUnwantedMimeParts: N

On 10/13/21 10:06, Craig Leres wrote:
> On 10/12/21 11:07, Bryan Drewery wrote:
>> The branch main has been updated by bdrewery:
>>
>> URL:https://cgit.FreeBSD.org/ports/commit/?id=3d461983322612b91c19bf5fc6455b91dec8d60b 
>>
>>
>> commit 3d461983322612b91c19bf5fc6455b91dec8d60b
>> Author:     Bryan Drewery<bdrewery@FreeBSD.org>
>> AuthorDate: 2021-10-12 18:06:43 +0000
>> Commit:     Bryan Drewery<bdrewery@FreeBSD.org>
>> CommitDate: 2021-10-12 18:06:43 +0000
>>
>>      security/vuxml: Document OpenSSH CVE-2021-41617
>> ---
>>   security/vuxml/vuln-2021.xml | 44 
>> ++++++++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 44 insertions(+)
>>
>> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>> index 82095255b54d..ca46c8d2fcce 100644
>> --- a/security/vuxml/vuln-2021.xml
>> +++ b/security/vuxml/vuln-2021.xml
>> @@ -1,3 +1,47 @@
>> +  <vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
>> +    <topic>OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly 
>> initialise supplemental groups when executing an AuthorizedKeysCommand 
>> or AuthorizedPrincipalsCommand</topic>
>> +    <affects>
>> +      <package>
>> +    <name>openssh-portable</name>
>> +    <name>openssh-portable-hpn</name>
>> +    <name>openssh-portable-gssapi</name>
>> +    <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
> 
> On 10/12/21 14:15, Bryan Drewery wrote:
>  > diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>  > index ca46c8d2fcce..42300253f921 100644
>  > --- a/security/vuxml/vuln-2021.xml
>  > +++ b/security/vuxml/vuln-2021.xml
>  > @@ -5,7 +5,7 @@
>  >       <name>openssh-portable</name>
>  >       <name>openssh-portable-hpn</name>
>  >       <name>openssh-portable-gssapi</name>
>  > -    <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
>  > +    <range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
>  >         </package>
>  >       </affects>
>  >       <description>
> 
> What am I doing wrong? Why don't I see the new openssh-portable vuxml db 
> entry on my live systems by now? I believe pkg audit uses:
> 
>      http://vuxml.freebsd.org/freebsd/vuln.xml.xz
> 
> in the past changes to the security/vuxml have been visible there fairly 
> quickly.
> 
>          Craig
> 
> # pkg info | fgrep openssh
> openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
> # rm -v /var/db/pkg/vuln.xml
> /var/db/pkg/vuln.xml
> # pkg audit -F -f /var/db/pkg/vuln.xml
> Fetching vuln.xml.xz: 100%  913 KiB 934.6kB/s    00:01
> 0 problem(s) in 0 installed package(s) found.
> # fgrep 8.7.p1_2 /var/db/pkg/vuln.xml
> #

About an hour after posting this the publicly visible vuln.xml picked up 
the new openssh-portable entry. But I suspect this was a coincidence 
since I never saw any email explaining the delay.

This afternoon I see a commit that has a <vuln> for Node.js (~18:31 UTC) 
but I don't see it in the public vuln.xml yet. Did something change or 
is my expectation that a commit to security/vuxml becomes publicly 
visible within minute/hours flawed?

		Craig