Re: Quarterly branch ports question
- In reply to: Edward Sanford Sutton, III: "Re: Quarterly branch ports question"
Date: Sat, 20 Jul 2024 21:30:45 UTC
On Saturday, July 20th, 2024 at 19:15, Edward Sanford Sutton, III <mirror176@hotmail.com> wrote:

> On 7/20/24 11:43, Pat wrote:
> > Hello all,
> >
> > I maintain a FreeBSD 13 server that acts as an MTA on an
> > internal network. It runs Exim, and is configured to update
> > from the URL "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly".
> >
> > Today pkg upgrade installed version exim-4.97.1_5. I do not
> > recall that version being available last week, so I assume this
> > is a security release?
>
> Changelog shows 4.95.1_5 was to bump to consumers of its dependency
> dns/libidn:
> https://cgit.freebsd.org/ports/commit/mail/exim?h=2024Q3&id=bae03bdd17b294e3354848e123f3ec4bd9b7592a
> . That change is a version bump just to guarantee that if rebuilding
> installed ports with tools like portupgrade/portmaster that exim will
> also get rebuilt. It does not change anything about the exim program's
> code/buildsteps. Refer to
> https://docs.freebsd.org/en/books/porters-handbook/makefiles/#makefile-portrevision
> for further clarification of the use of this variable that was modified
> in the port.
>
> > How can I find the changes introduced since version
> > exim-4.97.1_4, which is what the server was at until the
> > upgrade?
>
> Easiest way I do it in a web browser is navigate to cgit.freebsd.org,
> click on ports, click on the branch you want (the newest quarterly
> branch), switch the view to 'tree', click the desired category (mail),
> click on the port (exim). From here you can click on log at the top for
> changes to the port as a whole or click on other links for log and
> changes to individual files.

OK, that was what I found, but I figured, since it was dated 02 May, and I know I have updated since then, that I was missing something. But it occurred to me that this is the Q3 quarterly branch, so that would not have been released until 01 July at the earliest anyhow, eh?

I almost always update on Saturday mornings (US CDT), and since that did not show up last week I figured this was a security update. But perhaps my understanding is flawed? I see updates to that branch as recent as a few hours ago, so does it continue to receive updates that will be picked up when tracking quarterly?

> > In particular I'm curious to know if this version addresses
> > CVE-2024-39929 (https://bugs.exim.org/show_bug.cgi?id=3099) by any
> > chance. This is just an exercise in curiosity, and a chance to learn
> > more about FreeBSD ports and packages.
>
> Skimming over that bug report, it looks like fixes on 7/1 and 7/2
> went into exim's codebase but I only see notes of fixing it on 4.98.
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4.97+security was
> last updated 6 months ago so it does not look like the exim project has
> fixed 4.97 themselves.
> If this gets fixed for 4.97, I'd expect the change to the FreeBSD
> port to either include a distinfo change about the file it downloads to
> be for a fixed archive, download the patch separately, or have the
> ./files/ updated to include the patch or have the Makefile modified to
> include the patch.
> I don't follow how security is decided too well but I presume that
> the description would apply to any platform running exim so it could be
> a candidate to maybe be a vuxml database entry.

Yeah, I was expecting the fix for the CVE that I mentioned to only show up in 4.98, but having a lot of experience with Debian I have seen things like that backported to the version that they maintain. I had no reason to suspect that here but figured it can't hurt to ask.

On a side note, I did see my Poudriere jail pick up 4.98. I am in the process of migrating everything to that, so I'll have that patched version rolled out at some point.

Really appreciate the time you took to answer my questions.
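To make the PORTREVISION and VuXML points in the thread concrete, here is an added example (not code from this thread, from FreeBSD's pkg, or from the exim project) that does what pkg audit does in miniature: it matches an installed package version against a VuXML-style entry. The entry, its placeholder vid and the affected range are constructed for illustration, and the version ordering is a simplified stand-in for pkg's that only understands dotted numbers, a trailing _N PORTREVISION and a ,E PORTEPOCH.

```python
import xml.etree.ElementTree as ET
# Constructed VuXML-style entry for illustration only: the vid is a placeholder
# and the range is invented; it is not a real advisory for exim.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2004/vuxml">
<vuln vid="00000000-0000-0000-0000-000000000000"><topic>exim -- constructed example entry</topic>
<affects><package><name>exim</name><range><lt>4.98</lt></range></package></affects>
</vuln></vuxml>"""
NS = {"v": "http://www.vuxml.org/2004/vuxml"}

def parse_version(v):
    """Split a FreeBSD package version into (epoch, dotted parts, PORTREVISION).
    Simplified ordering (assumption): only 'X.Y.Z', a trailing '_N' and ',E' are handled."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), revision)

def same_upstream(a, b):
    """True when two versions differ only in PORTREVISION, i.e. a rebuild bump."""
    return parse_version(a)[:2] == parse_version(b)[:2]

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def in_range(version, rng):
    """A <range> matches when every bound inside it (lt/le/eq/gt/ge) holds."""
    key = parse_version(version)
    for bound in rng:
        op = bound.tag.split("}")[-1]
        if not OPS[op](key, parse_version(bound.text.strip())):
            return False
    return True

def audit(pkgname, version, vuxml_text):
    """Return the topics of entries whose ranges cover pkgname-version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.find("v:name", NS).text != pkgname:
                continue
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.find("v:topic", NS).text)
    return hits
```

Because 4.97.1_4 and 4.97.1_5 share the same upstream version, a range written as lt 4.98 covers both: the rebuild bump alone would not take a host out of such an entry, which is the same reasoning Edward gives for why the _5 bump is not itself a fix.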