Re: Quarterly branch ports question

From: Pat <cli_junkie_at_protonmail.com>
Date: Sat, 20 Jul 2024 21:30:45 UTC
On Saturday, July 20th, 2024 at 19:15, Edward Sanford Sutton, III <mirror176@hotmail.com> wrote:

> 
> 
> On 7/20/24 11:43, Pat wrote:
> 
> > Hello all,
> > 
> > I maintain a FreeBSD 13 server that acts as an MTA on an
> > internal network. It runs Exim, and is configured to update
> > from the URL "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly".
> > 
> > Today pkg upgrade installed version exim-4.97.1_5. I do not
> > recall that version being available last week, so I assume this
> > is a security release?
> 
> 
> Changelog shows 4.95.1_5 was to bump to consumers of its dependency
> dns/libidn:
> https://cgit.freebsd.org/ports/commit/mail/exim?h=2024Q3&id=bae03bdd17b294e3354848e123f3ec4bd9b7592a
> . That change is a version bump just to guarantee that if rebuilding
> installed ports with tools like portupgrade/portmaster that exim will
> also get rebuilt. It does not change anything about the exim program's
> code/buildsteps. Refer to
> https://docs.freebsd.org/en/books/porters-handbook/makefiles/#makefile-portrevision
> for further clarification of the use of this variable that was modified
> in the port.
> 
> > How can I find the changes introduced since version
> > exim-4.97.1_4, which is what the server was at until the
> > upgrade?
> 
> 
> Easiest way I do it in a web browser is navigate to cgit.freebsd.org,
> click on ports, click on the branch you want (the newest quarterly
> branch), switch the view to 'tree', click the desired category (mail),
> click on the port (exim). From here you can click on log at the top for
> changes to the port as a whole or click on other links for log and
> changes to individual files.

OK, that was what I found, but I figured, since it was dated 02 May,
and I know I have updated since then, that I was missing something. But
it occurred to me that this is the Q3 quarterly branch, so that would
not have been released until 01 July at the earliest anyhow, eh?

I almost always update on Saturday mornings (US CDT), and since that
did not show up last week I figured this was a security update. But
perhaps my understanding is flawed? I see updates to that branch as
recent as a few hours ago, so does it continue to receive updates
that will be picked up when tracking quarterly?

> 
> > In particular I'm curious to know if this version addresses
> > CVE-2024-39929 (https://bugs.exim.org/show_bug.cgi?id=3099) by any
> > chance. This is just an exercise in curiosity, and a chance to learn
> > more about FreeBSD ports and packages.
> 
> 
> Skimming over that bug report, it looks like fixes on 7/1 and 7/2
> went into exim's codebase but I only see notes of fixing it on 4.98.
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4.97+security was
> last updated 6 months ago so it does not look like the exim project has
> fixed 4.97 themselves.
> If this gets fixed for 4.97, I'd expect the change to the FreeBSD
> port to either include a distinfo change about the file it downloads to
> be for a fixed archive, download the patch separately, or have the
> ./files/ updated to include the patch or have the Makefile modified to
> include the patch.
> I don't follow how security is decided too well but I presume that
> the description would apply to any platform running exim so it could be
> a candidate to maybe be a vuxml database entry.

Yeah, I was expecting the fix for the CVE that I mentioned to only show up
in 4.98, but having a lot of experience with Debian I have seen things
like that backported to the version that they maintain. I had no
reason to suspect that here but figured it can't hurt to ask.

On a side note, I did see my Poudriere jail pick up 4.98. I am in the
process of migrating everything to that, so I'll have that patched
version rolled out at some point.

Really appreciate the time you took to answer my questions.
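As an added illustration of the PORTREVISION point discussed above (example code written for this page, not from anyone in the thread), a small Python helper that splits a FreeBSD package version into its PORTVERSION, PORTREVISION and PORTEPOCH parts and tells a revision-only rebuild apart from a new upstream release; the sample version strings are the ones from the thread.

```python
"""Classify a FreeBSD package upgrade by which part of the version changed.

FreeBSD package versions have the form PORTVERSION[_PORTREVISION][,PORTEPOCH],
e.g. "4.97.1_5" or "1.2.3_1,2". A change confined to PORTREVISION means the
port was rebuilt (dependency bump, local patch, build option change), while a
PORTVERSION change means a new upstream release was packaged.
"""
from dataclasses import dataclass
import re

_VERSION_RE = re.compile(
    r"^(?P<version>[^_,]+)(?:_(?P<revision>\d+))?(?:,(?P<epoch>\d+))?$"
)


@dataclass(frozen=True)
class PkgVersion:
    version: str   # PORTVERSION, the upstream release
    revision: int  # PORTREVISION, 0 when absent
    epoch: int     # PORTEPOCH, 0 when absent


def parse_pkg_version(text: str) -> PkgVersion:
    """Parse "4.97.1_5" into its PORTVERSION, PORTREVISION and PORTEPOCH parts."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not a FreeBSD package version: {text!r}")
    return PkgVersion(
        version=m["version"],
        revision=int(m["revision"] or 0),
        epoch=int(m["epoch"] or 0),
    )


def classify_upgrade(old: str, new: str) -> str:
    """Return what changed between two versions of the same package.

    "upstream": PORTVERSION or PORTEPOCH differs, i.e. a new upstream release.
    "rebuild":  only PORTREVISION differs; the upstream tarball is unchanged,
                but the port may still carry a new local patch in files/, so
                the port's git log stays the authoritative source.
    "none":     identical versions.
    """
    o, n = parse_pkg_version(old), parse_pkg_version(new)
    if o == n:
        return "none"
    if o.version != n.version or o.epoch != n.epoch:
        return "upstream"
    return "rebuild"


if __name__ == "__main__":
    # Constructed input taken from the thread: exim-4.97.1_4 -> exim-4.97.1_5
    print(classify_upgrade("4.97.1_4", "4.97.1_5"))  # rebuild
    print(classify_upgrade("4.97.1_5", "4.98"))      # upstream
```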