git: da7e737639a0 - main - security/vuxml: Document OpenSSL vulnerability
Date: Wed, 22 Jun 2022 09:01:05 UTC
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=da7e737639a077e954426e5400c3ce15754f54da commit da7e737639a077e954426e5400c3ce15754f54da Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2022-06-22 08:29:39 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2022-06-22 08:29:39 +0000 security/vuxml: Document OpenSSL vulnerability * Pet `make validate` * Fix spacing for 482456fb-e9af-11ec-93b6-318d1419ea39 * Add discovery date for 482456fb-e9af-11ec-93b6-318d1419ea39 using tor wiki page update date. --- .../files/patch-Configurations_10-main.conf | 16 --------- security/openssl/files/patch-config | 20 ----------- security/vuxml/vuln-2022.xml | 40 ++++++++++++++++++++-- 3 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/security/openssl/files/patch-Configurations_10-main.conf b/security/openssl/files/patch-Configurations_10-main.conf
deleted file mode 100644
index 03be5801b885..000000000000
--- a/security/openssl/files/patch-Configurations_10-main.conf
+++ /dev/null
@@ -1,16 +0,0 @@
---- Configurations/10-main.conf.orig 2021-12-14 15:45:01 UTC
-+++ Configurations/10-main.conf
-@@ -988,6 +988,13 @@ my %targets = (
- perlasm_scheme => "elf",
- },
-
-+ "BSD-aarch64" => {
-+ inherit_from => [ "BSD-generic64", asm("aarch64_asm") ],
-+ lib_cppflags => add("-DL_ENDIAN"),
-+ bn_ops => "SIXTY_FOUR_BIT_LONG",
-+ perlasm_scheme => "linux64",
-+ },
-+
- "bsdi-elf-gcc" => {
- inherit_from => [ "BASE_unix", asm("x86_elf_asm") ],
- CC => "gcc",
diff --git a/security/openssl/files/patch-config b/security/openssl/files/patch-config
deleted file mode 100644
index d83edae81ff7..000000000000
--- a/security/openssl/files/patch-config
+++ /dev/null
@@ -1,20 +0,0 @@
---- config.orig 2021-08-24 13:38:47 UTC
-+++ config
-@@ -708,14 +708,9 @@ case "$GUESSOS" in
- ia64-*-*bsd*) OUT="BSD-ia64" ;;
- x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
- amd64-*-*bsd*) OUT="BSD-x86_64" ;;
-- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
-- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
-- libc=/usr/lib/libc.so
-- else # OpenBSD
-- # ld searches for highest libc.so.* and so do we
-- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
-- fi
-- case "`(file -L $libc) 2>/dev/null`" in
-+ arm64-*-*bsd*) OUT="BSD-aarch64" ;;
-+ *86*-*-*bsd*)
-+ case "`(file -L /bin/sh) 2>/dev/null`" in
- *ELF*) OUT="BSD-x86-elf" ;;
- *) OUT="BSD-x86"; options="$options no-sse2" ;;
- esac ;;
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 93de1ddaa75c..eb6d8c7f454d 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,39 @@
+ <vuln vid="4eeb93bf-f204-11ec-8fbd-d4c9ef517024">
+ <topic>OpenSSL -- Command injection vulnerability</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.1.1p,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>3.0.4</lt></range>
+ </package>
+ <package>
+ <name>openssl-quictls</name>
+ <range><lt>3.0.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20220621.txt">
+ <p>Circumstances where the c_rehash script does not properly
+ sanitise shell metacharacters to prevent command injection were
+ found by code review.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-2068</cvename>
+ <url>https://www.openssl.org/news/secadv/20220621.txt</url>
+ </references>
+ <dates>
+ <discovery>2022-06-21</discovery>
+ <entry>2022-06-22</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="b2a4c5f1-f1fe-11ec-bcd2-3065ec8fd3ec">
 <topic>chromium -- multiple vulnerabilities</topic>
 <affects>
@@ -44,7 +80,7 @@
 </vuln>

 <vuln vid="482456fb-e9af-11ec-93b6-318d1419ea39">
- <topic> Security Vulnerability found in ExifTool leading to RCE </topic>
+ <topic>Security Vulnerability found in ExifTool leading to RCE</topic>
 <affects>
 <package>
 <name>p5-Image-ExifTool</name>
@@ -129,7 +165,7 @@
 <url>https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE</url>
 </references>
 <dates>
- <discovery>TBD</discovery>
+ <discovery>2022-06-14</discovery>
 <entry>2022-06-17</entry>
 </dates>
 </vuln>
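Review bot: The new `<description>` for vid 4eeb93bf-f204-11ec-8fbd-d4c9ef517024 (first hunk) says that c_rehash mishandles shell metacharacters but gives the reader neither the impact nor the remedy. I would add one `<p>` inside the blockquote, worded from the cited advisory, stating that injected commands run with the privileges of whoever invokes c_rehash and that `openssl rehash` replaces the script; an admin reading `pkg audit` output can then check whether any cron job or trust-store hook still runs c_rehash over files they do not control. The quoted text also opens with a capitalised "Circumstances" that reads like the tail of a longer sentence, so it was probably trimmed; text under `<blockquote cite=...>` should be verbatim or carry an ellipsis. Separately, the diffstat shows this commit also deleting two patches under security/openssl/files that the commit message does not mention; if that is intended, it deserves a line in the description.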