From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 259127] net/libyang: Update to 2.0.97 and multiple CVE fixes
Date: Wed, 13 Oct 2021 06:22:30 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259127

Bug ID: 259127
Summary: net/libyang: Update to 2.0.97 and multiple CVE fixes
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://github.com/CESNET/libyang/releases/tag/v2.0.97
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: olivier@freebsd.org
Reporter: diizzy@FreeBSD.org
Flags: maintainer-feedback?(olivier@freebsd.org)

Created attachment 228647
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228647&action=edit
Patch for libyang

Fixes multiple CVEs, however there's no support in FRR v7.x for libyang 2.x
Connect unit testing to port
1.x branch is also deprecated by upstream as of 1.0.240, there's a tagged 1.0.255 release in repo but it's not listed as a release on upstream's website

CVE-2021-28902
CVE-2021-28903
CVE-2021-28904
CVE-2021-28905
CVE-2021-28906

References:
https://git.alpinelinux.org/aports/commit/community/libyang/APKBUILD?id=db25b534f847200f11649c31a3a0140775061704
https://github.com/CESNET/libyang/releases/tag/v1.0.240
https://github.com/CESNET/libyang/releases/tag/v1.0.225