Re: git: 3d4619833226 - main - security/vuxml: Document OpenSSH CVE-2021-41617

From: Craig Leres <leres_at_freebsd.org>
Date: Thu, 14 Oct 2021 23:52:23 UTC
On 10/13/21 10:06, Craig Leres wrote:
> On 10/12/21 11:07, Bryan Drewery wrote:
>> The branch main has been updated by bdrewery:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=3d461983322612b91c19bf5fc6455b91dec8d60b
>>
>>
>> commit 3d461983322612b91c19bf5fc6455b91dec8d60b
>> Author:     Bryan Drewery <bdrewery@FreeBSD.org>
>> AuthorDate: 2021-10-12 18:06:43 +0000
>> Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
>> CommitDate: 2021-10-12 18:06:43 +0000
>>
>>      security/vuxml: Document OpenSSH CVE-2021-41617
>> ---
>>   security/vuxml/vuln-2021.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 44 insertions(+)
>>
>> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>> index 82095255b54d..ca46c8d2fcce 100644
>> --- a/security/vuxml/vuln-2021.xml
>> +++ b/security/vuxml/vuln-2021.xml
>> @@ -1,3 +1,47 @@
>> +  <vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
>> +    <topic>OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly 
>> initialise supplemental groups when executing an AuthorizedKeysCommand 
>> or AuthorizedPrincipalsCommand</topic>
>> +    <affects>
>> +      <package>
>> +    <name>openssh-portable</name>
>> +    <name>openssh-portable-hpn</name>
>> +    <name>openssh-portable-gssapi</name>
>> +    <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
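Review bot: the `<lt>` bound in the `<range>` on the last line of this hunk should be the first port version that carries the fix, not the next upstream release; with `<lt>8.8.p1,1</lt>` the patched 8.7.p1_2,1 port is still flagged as vulnerable, and the unpatched 8.7.p1_1,1 is flagged only because it happens to fall below the same bound. The follow-up commit quoted later in this thread tightens it to `<lt>8.7.p1_2,1</lt>`, which is the value this entry should have had from the start. The `<topic>` is also unusually long for a vuxml entry; a short "OpenSSH -- supplemental groups not initialised for AuthorizedKeysCommand/AuthorizedPrincipalsCommand" would carry the same information and leave the detail to `<description>`.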
> 
> On 10/12/21 14:15, Bryan Drewery wrote:
>  > diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>  > index ca46c8d2fcce..42300253f921 100644
>  > --- a/security/vuxml/vuln-2021.xml
>  > +++ b/security/vuxml/vuln-2021.xml
>  > @@ -5,7 +5,7 @@
>  >       <name>openssh-portable</name>
>  >       <name>openssh-portable-hpn</name>
>  >       <name>openssh-portable-gssapi</name>
>  > -    <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
>  > +    <range><ge>6.2.p1,1</ge><lt>8.7.p1_2,1</lt></range>
>  >         </package>
>  >       </affects>
>  >       <description>
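Review bot: tightening the upper bound to `<lt>8.7.p1_2,1</lt>` is the right fix, since a vuxml range has to end at the first port revision that ships the patch rather than at the next upstream release; with this bound the installed openssh-portable-8.7.p1_1,1 shown later in the thread is flagged and the patched _2 revision is not. Worth confirming before committing a range like this that the PORTREVISION bump to _2 in the port actually carries the backported fix (the hunk itself cannot show that), and that the `<ge>6.2.p1,1</ge>` lower bound is left unchanged, which matches the "6.2 through 8.7" wording of the `<topic>`.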
> 
> What am I doing wrong? Why don't I see the new openssh-portable vuxml db 
> entry on my live systems by now? I believe pkg audit uses:
> 
>      http://vuxml.freebsd.org/freebsd/vuln.xml.xz
> 
> In the past, changes to security/vuxml have been visible there fairly 
> quickly.
> 
>          Craig
> 
> # pkg info | fgrep openssh
> openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
> # rm -v /var/db/pkg/vuln.xml
> /var/db/pkg/vuln.xml
> # pkg audit -F -f /var/db/pkg/vuln.xml
> Fetching vuln.xml.xz: 100%  913 KiB 934.6kB/s    00:01
> 0 problem(s) in 0 installed package(s) found.
> # fgrep 8.7.p1_2 /var/db/pkg/vuln.xml
> #

About an hour after posting this the publicly visible vuln.xml picked up 
the new openssh-portable entry. But I suspect this was a coincidence 
since I never saw any email explaining the delay.

This afternoon I see a commit that has a <vuln> for Node.js (~18:31 UTC) 
but I don't see it in the public vuln.xml yet. Did something change or 
is my expectation that a commit to security/vuxml becomes publicly 
visible within minutes/hours flawed?

		Craig
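As an added worked example (not code from this thread, from the vuxml tooling or from pkg itself), the script below parses a `<vuln>` entry shaped like the one in the quoted hunks and checks `pkg info` style lines against its `<range>`, which shows why the upper bound matters: under the original `<lt>8.8.p1,1</lt>` the patched 8.7.p1_2 port is still flagged, under the corrected `<lt>8.7.p1_2,1</lt>` only 8.7.p1_1 is. The version comparison is a simplified restatement of FreeBSD's epoch / version / PORTREVISION ordering written for this example; it orders the versions that appear in this thread correctly but is not pkg's full comparator (pre-release stages such as rc are not modelled). The `<vuln>` text is trimmed to the elements the check needs, and the `pkg info` lines other than the one quoted in the thread are constructed.

```python
"""Check installed FreeBSD package versions against a vuxml <range>."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <vuln> from the thread, trimmed to the elements the
# check needs, once with the original bound and once with the corrected one.
VULN_ORIGINAL = """<vuln vid="2a1b931f-2b86-11ec-8acd-c80aa9043978">
  <affects><package>
    <name>openssh-portable</name>
    <name>openssh-portable-hpn</name>
    <name>openssh-portable-gssapi</name>
    <range><ge>6.2.p1,1</ge><lt>8.8.p1,1</lt></range>
  </package></affects>
</vuln>"""
VULN_CORRECTED = VULN_ORIGINAL.replace("8.8.p1,1", "8.7.p1_2,1")

# Constructed `pkg info` output; only the first line is the one quoted in the thread.
PKG_INFO = """openssh-portable-8.7.p1_1,1    The portable version of OpenBSD's OpenSSH
openssh-portable-8.7.p1_2,1    The portable version of OpenBSD's OpenSSH
openssh-portable-8.8.p1,1      The portable version of OpenBSD's OpenSSH
"""


def split_version(v):
    """Split 'version_revision,epoch' into (epoch, version, revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, v, revision


def version_key(v):
    """Simplified FreeBSD ordering: epoch first, then dotted components
    (digit runs compare numerically, letter runs after a number), then
    PORTREVISION. Sufficient for the versions in this thread; not pkg's
    full algorithm (pre-release stages such as rc are not handled)."""
    epoch, version, revision = split_version(v)
    parts = []
    for comp in version.split("."):
        for m in re.finditer(r"(\d+)|([A-Za-z]+)", comp):
            if m.group(1):
                parts.append((0, int(m.group(1)), ""))
            else:
                parts.append((1, -1, m.group(2).lower()))
    return (epoch, tuple(parts), revision)


# The five bound elements vuxml allows inside a <range>.
RANGE_OPS = {
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}


def parse_vuln(xml_text):
    """Return (vid, [(names, [[(op, version), ...], ...]), ...]) for one <vuln>."""
    root = ET.fromstring(xml_text)
    packages = []
    for pkg in root.iter("package"):
        names = [n.text for n in pkg.findall("name")]
        ranges = [[(b.tag, b.text) for b in rng] for rng in pkg.findall("range")]
        packages.append((names, ranges))
    return root.get("vid"), packages


def is_affected(xml_text, pkg_name, pkg_version):
    """True when pkg_name/pkg_version falls inside any <range> of the entry."""
    _, packages = parse_vuln(xml_text)
    key = version_key(pkg_version)
    for names, ranges in packages:
        if pkg_name not in names:
            continue
        for bounds in ranges:
            # A <range> matches only when every bound inside it holds.
            if all(RANGE_OPS[op](key, version_key(v)) for op, v in bounds):
                return True
    return False


def audit(xml_text, pkg_info_output):
    """Run the check over `pkg info` lines; return the flagged name-version strings."""
    flagged = []
    for line in pkg_info_output.splitlines():
        if not line.strip():
            continue
        pkgname = line.split()[0]
        name, version = pkgname.rsplit("-", 1)  # versions never contain '-'
        if is_affected(xml_text, name, version):
            flagged.append(pkgname)
    return flagged


if __name__ == "__main__":
    print("original bound  :", audit(VULN_ORIGINAL, PKG_INFO))
    print("corrected bound :", audit(VULN_CORRECTED, PKG_INFO))
```

Run as a script it prints two flagged packages for the original entry (the patched 8.7.p1_2 among them) and only openssh-portable-8.7.p1_1,1 for the corrected one, which is the outcome the second commit in the thread was after.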