Re: git: 3d4619833226 - main - security/vuxml: Document OpenSSH CVE-2021-41617

From: Craig Leres <leres_at_freebsd.org>
Date: Wed, 13 Oct 2021 17:06:36 UTC
On 10/12/21 11:07, Bryan Drewery wrote:
> The branch main has been updated by bdrewery:
> 
> URL:https://cgit.FreeBSD.org/ports/commit/?id=3d461983322612b91c19bf5fc6455b91dec8d60b
> 
> commit 3d461983322612b91c19bf5fc6455b91dec8d60b
> Author:     Bryan Drewery<bdrewery@FreeBSD.org>
> AuthorDate: 2021-10-12 18:06:43 +0000
> Commit:     Bryan Drewery<bdrewery@FreeBSD.org>
> CommitDate: 2021-10-12 18:06:43 +0000
> 
>      security/vuxml: Document OpenSSH CVE-2021-41617
> ---
>   security/vuxml/vuln-2021.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 44 insertions(+)
> 
> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
> index 82095255b54d..ca46c8d2fcce 100644
> --- a/security/vuxml/vuln-2021.xml
> +++ b/security/vuxml/vuln-2021.xml
> @@ -1,3 +1,47 @@
> +  <vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
> +    <topic>OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand</topic>
> +    <affects>
> +      <package>
> +	<name>openssh-portable</name>
> +	<name>openssh-portable-hpn</name>
> +	<name>openssh-portable-gssapi</name>
> +	<range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
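Review bot: the upper bound in `<range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>` excludes only 8.8 and later, so a patched 8.7 port with a bumped PORTREVISION (8.7.p1_2) would still be reported by pkg audit as vulnerable; when the fix is applied to the port at 8.7 rather than by updating to 8.8, the bound should be `<lt>8.7.p1_2,1</lt>`.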

On 10/12/21 14:15, Bryan Drewery wrote:
 > diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
 > index ca46c8d2fcce..42300253f921 100644
 > --- a/security/vuxml/vuln-2021.xml
 > +++ b/security/vuxml/vuln-2021.xml
 > @@ -5,7 +5,7 @@
 >   	<name>openssh-portable</name>
 >   	<name>openssh-portable-hpn</name>
 >   	<name>openssh-portable-gssapi</name>
 > -	<range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
 > +	<range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
 >         </package>
 >       </affects>
 >       <description>

What am I doing wrong? Why don't I see the new openssh-portable vuxml db 
entry on my live systems by now? I believe pkg audit uses:

     http://vuxml.freebsd.org/freebsd/vuln.xml.xz

In the past, changes to security/vuxml have been visible there fairly
quickly.

		Craig

# pkg info | fgrep openssh
openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
# rm -v /var/db/pkg/vuln.xml
/var/db/pkg/vuln.xml
# pkg audit -F -f /var/db/pkg/vuln.xml
Fetching vuln.xml.xz: 100%  913 KiB 934.6kB/s    00:01
0 problem(s) in 0 installed package(s) found.
# fgrep 8.7.p1_2 /var/db/pkg/vuln.xml
#
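As an added example, not part of the thread, the commit or pkg itself, here is a small Python check that evaluates an installed version against the vuxml `<range>` quoted above; it uses a simplified version ordering (an assumption, not pkg's full comparison algorithm) that handles the PORTREVISION (`_N`) and PORTEPOCH (`,N`) forms on this page, and it shows why the original bound 8.8.p1,1 would have kept flagging the already-patched 8.7.p1_2,1 while the corrected bound does not.

```python
import re
from typing import List, Optional, Tuple

# Constructed samples: the <range> from the original commit and from the
# follow-up correction quoted above.
ORIGINAL_RANGE = "<range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>"
CORRECTED_RANGE = "<range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>"


def parse_pkg_version(v: str) -> Tuple[int, List[Tuple[str, int]], int]:
    """Split 'X.Y.pZ_REV,EPOCH' into a sortable (epoch, components, revision) key.
    Simplified model (assumption): epoch is compared first, then the dotted
    components, then the revision; a missing revision or epoch counts as 0."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        m = re.fullmatch(r"([a-z]*)(\d*)", part)  # "p1" -> ("p", 1), "8" -> ("", 8)
        if m is None:
            comps.append((part, 0))  # unknown token: compare as plain text
        else:
            alpha, num = m.group(1), m.group(2)
            comps.append((alpha, int(num) if num else 0))
    return epoch, comps, revision


def parse_range(xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract the <ge>/<lt> bounds from a vuxml <range> element (the only
    bound kinds used in the quoted entry)."""
    ge = re.search(r"<ge>([^<]+)</ge>", xml)
    lt = re.search(r"<lt>([^<]+)</lt>", xml)
    return (ge.group(1) if ge else None, lt.group(1) if lt else None)


def is_affected(installed: str, vuxml_range: str) -> bool:
    """True if installed satisfies ge <= installed < lt for the given range."""
    ge, lt = parse_range(vuxml_range)
    key = parse_pkg_version(installed)
    if ge is not None and key < parse_pkg_version(ge):
        return False
    if lt is not None and not key < parse_pkg_version(lt):
        return False
    return True
```

Running `is_affected("8.7.p1_2,1", ORIGINAL_RANGE)` returns True while the same version against `CORRECTED_RANGE` returns False, which is the difference the second commit fixed.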