From: Fernando Apesteguía
Date: Sat, 18 Feb 2023 18:43:13 +0100
Subject: Re: Security issues with www/minio
To: freebsd-ports@freebsd.org
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On Sat, Feb 18, 2023 at 5:02 PM Tom Hukins wrote:

> Hi,
>
> The www/minio port provides an outdated, insecure version of MinIO.
>
> This issue was raised on 2022-12-30 in
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268656 and five days
> ago I provided a VuXML patch at
> https://github.com/freebsd/freebsd-ports/pull/158 which I have updated
> several times as security/vuxml/vuln/2023.xml has changed.
>

Thanks for the vuxml entry. It landed in
https://cgit.freebsd.org/ports/commit/?id=b16091e19db403fa19c514ec5ac4c15045e402ef

About the port itself, I'm quite unfamiliar with it but I see it is more
than a year behind upstream in terms of releases.

> I note that the www/minio maintainer, swills@, has not committed to the
> ports tree since 2022-03-13 so someone else might need to update the
> port. However, it would help to apply the VuXML patch soon so that the
> port's users know of its security problems.
>
> Tom

