Re: Multiple vulnerabilities
- Reply: Kevin Oberman : "Re: Multiple vulnerabilities"
- Reply: Andrea Venturoli : "Re: Multiple vulnerabilities"
- Reply: LuMiWa : "Re: Multiple vulnerabilities"
- In reply to: LuMiWa : "Multiple vulnerabilities"
Date: Thu, 10 Jul 2025 21:54:34 UTC
Good evening,

> There are many problems in ports, clamav so long but there are not any
> updates in packages. How long is usually the time that packages are
> built, please, or should I build them from ports?
> I am running FreeBSD 14.3-RELEASE and using latest packages.

Some packages can take a while to be updated due to patched versions being incompatible and requiring extra work to port. In these cases sometimes the security patch is backported to the old version if it's been around for long enough. However there are other cases, so I will try to help you out.

> git-2.50.0 is vulnerable:
> git -- multiple vulnerabilities
> CVE: CVE-2025-48386
> CVE: CVE-2025-48385
> CVE: CVE-2025-48384
> CVE: CVE-2025-46835
> CVE: CVE-2025-27614
> CVE: CVE-2025-27613
> WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

The patch has been pushed on 8th July [1], however I believe there could be a build issue because I can't find any builds for git, nor can freshports. It has been backported to 2025Q3, and it appears you are using the quarterly, so you could give it a shot at building it yourself.

> clamav-1.4.2_4,1 is vulnerable:
> clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
> CVE: CVE-2025-20260
> WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html

The patch has been pushed to the repository [3], however it is likely waiting in queue to be built and pushed to the pkg repos. I do not believe it has been backported to quarterly yet.

> xorg-server-21.1.16,1 is vulnerable:
> xorg server -- Multiple vulnerabilities
> CVE: CVE-2025-49180
> CVE: CVE-2025-49179
> CVE: CVE-2025-49178
> CVE: CVE-2025-49177
> CVE: CVE-2025-49175
> WWW: https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html
>
> xorg server -- Multiple vulnerabilities
> CVE: CVE-2025-49176
> WWW: https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html

I was trying to tackle this one today. The patch has been committed back on the 1st [4], however it is likely waiting to be built; the last xorg CVE took ~3-4 weeks to be built for latest, and quarterly came about a week later (some may have seen me complain on IRC about it :P). When I attempted to compile it, it appeared there are dependency conflicts between latest and quarterly which may be preventing the backport (don't hold me on that one, I am not a porter).

The solution for both clamav and xorg-server is to migrate to latest. Many people I know run -RELEASE base and then latest for ports, as you tend to get the updates much quicker; however you also get feature updates much quicker, which may have breaking changes. When you move to latest, xorg-server and clamav can be built manually from the ports tree and *should* work.

Personally I have considered such a move a few times when security patches have taken weeks to hit quarterly. Sometimes you can ignore the warning and compile a latest port for quarterly, other times it breaks your system (hence the warning :P). Last time I considered the move, one or two clients I use had substantial changes, which can be annoying to deal with on a regular basis (hence the reason quarterly is an option for some). However, I don't think anyone here will deny that quarterly can be slower getting security patches, and the backports can take some time, especially when it comes to being built for the pkg repos.

It is up to you what you want: the stability of slower feature updates (similar to Debian Linux) but sometimes lagging behind on security patches, or having much faster updates but getting all the feature updates with the security patches.

Edit: I have tried to compile devel/git (2025Q3 branch), and it seems the reason it likely isn't built looks like perl incompatibility:

===> git-2.50.1 Invalid perl5 version 5.36.
*** Error code 1

Stop.
make: stopped in /usr/ports/devel/git

Maybe compiling this on latest might work, however I don't run latest so I can't verify this.

TL;DR try migrating to latest, and building the ports manually to clear your audit list. Anything which doesn't compile, check bugzilla [5]; if there is nothing there, report the port with the build log, and maybe patch it yourself if you want to, otherwise hope someone else patches it :)

Sorry if this is not what you wanted to hear, there is not much you can do other than hope someone else fixes it soon, or contribute. If I have made any mistakes, feel free to correct me :D

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev

[1] https://cgit.freebsd.org/ports/commit/devel/git/Makefile?id=d3f6c42d2f36989f583ea23cbbf14e5ae8665848
[2] https://cgit.freebsd.org/ports/commit/?h=2025Q3&id=42ee0f7c8a66eec10efaf5f6e9609370eeb43a19
[3] https://cgit.freebsd.org/ports/commit/?id=2c88607160fe6f0bf4e828f748c393f0cc6761fb
[4] https://cgit.freebsd.org/ports/commit/?id=e0120d0e14ad22c119f50502b34f8e4e38e9b93e
[5] https://bugs.freebsd.org/bugzilla/
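The "migrate to latest, then build what pkg audit still flags" procedure from the reply above, as an added example script that is not part of the thread. It assumes the stock pkg repo override location (/usr/local/etc/pkg/repos/FreeBSD.conf) and the pkg.FreeBSD.org URL layout; the sample audit output is constructed from the entries quoted in the thread, and the live pkg calls only run with --apply.

```shell
#!/bin/sh
# Added example (not from the original post). PKG_REPOS_DIR is overridable for dry runs.
set -eu

PKG_REPOS_DIR="${PKG_REPOS_DIR:-/usr/local/etc/pkg/repos}"

# Write the override that moves this host from quarterly to the "latest" package set.
# Prints the path of the file written.
use_latest_repo() {
    mkdir -p "$PKG_REPOS_DIR"
    cat > "$PKG_REPOS_DIR/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
    echo "$PKG_REPOS_DIR/FreeBSD.conf"
}

# From `pkg audit -F` output on stdin, print one package name per line with the version stripped.
vulnerable_pkg_names() {
    sed -n 's/^\([^[:space:]]*\) is vulnerable:$/\1/p' | sed 's/-[^-]*$//'
}

# Count the distinct CVE ids in audit output on stdin.
cve_count() {
    sed -n 's/^[[:space:]]*CVE: \(CVE-[0-9]*-[0-9]*\)$/\1/p' | sort -u | wc -l | tr -d ' '
}

# Resolve package names to port origins (what you would build under /usr/ports); needs pkg.
port_origins() {
    for p in "$@"; do pkg info -o "$p"; done
}

# Constructed sample, taken from the audit entries quoted in the thread.
SAMPLE_AUDIT='git-2.50.0 is vulnerable:
  git -- multiple vulnerabilities
  CVE: CVE-2025-48386
  CVE: CVE-2025-48385
clamav-1.4.2_4,1 is vulnerable:
  clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
  CVE: CVE-2025-20260
xorg-server-21.1.16,1 is vulnerable:
  xorg server -- Multiple vulnerabilities
  CVE: CVE-2025-49176'

# Dry run on the sample; with --apply on a live system, switch repos and list origins to build.
printf '%s\n' "$SAMPLE_AUDIT" | vulnerable_pkg_names
printf 'distinct CVEs: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | cve_count)"
if [ "${1:-}" = "--apply" ]; then
    use_latest_repo
    port_origins $(pkg audit -F | vulnerable_pkg_names)
fi
```

After `pkg update -f` against the new repo, each origin printed by port_origins is a `make install clean` candidate, and anything that fails to build is what the reply suggests taking to bugzilla with the build log.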