Re: git: 307e28238343 - main - sysutils/screen49: Fix fetch

From: Alexey Dokuchaev <danfe_at_freebsd.org>
Date: Tue, 13 May 2025 15:43:09 UTC
On Tue, May 13, 2025 at 07:54:17AM -0700, Cy Schubert wrote:
> In message <aCNYd_lIrbSJVRzC@FreeBSD.org>, Alexey Dokuchaev writes:
> > On Mon, May 12, 2025 at 03:48:27PM -0700, Cy Schubert wrote:
> > > In message <cb102568-0820-487d-9afe-f9d47cb28849@FreeBSD.org>, Daniel Engberg writes:
> > > > ...
> > > >
> > > > Please undo this hack as upstream provides a tarball since 2023-08-17
> > > 
> > > Their tarball doesn't include security patches. Security patches are
> > > included in their 4.9.1 branch but not in the tarball.
> > > 
> > > Do you still want me to undo and mark the port FORBIDDEN?
> >
> > Please don't, it's okay.  I use this port and have no intention to move
> > to 5.x branch.  Thanks!
> 
> It suffers multiple CVEs. I don't see upstream releasing or tagging 4.9.2. Are
> we willing to have a virtually unmaintained (by upstream) screen in ports?

With the recent CVE-2025-23395 and unsafe strncpy() being introduced in 5.x
branch only, I'd rather stay with 4.9 at least until the dust settles with
that new code.  I'll try to reach out to devs about releasing 4.9.2.

./danfe