Re: Multiple vulnerabilities

From: Kevin Oberman <rkoberman_at_gmail.com>
Date: Fri, 11 Jul 2025 03:39:11 UTC
Most of these (maybe all) are fixed, often for some time.
> pkg info git\*
git-2.50.1
> pkg info perl\*
perl5-5.40.2_2
> pkg info xorg-serve\*
xorg-server-21.1.18,1


Try "pkg version -vL=" to find the ports that need updating. Use pkg
upgrade to install them. (This all assumes that you are using packages and
not building from ports.)

I should also mention that packages don't seem to be getting updated. None
for 14.2-latest since July 3. Not sure why, though I was about to ask if
this is being worked on or if I have messed up on my local systems. The
rebuilds are completed, but not distributed, as far as I can tell.

On Thu, Jul 10, 2025 at 2:56 PM Polarian <polarian@polarian.dev> wrote:

> Good evening,
>
> > There are many problems in ports, clamav for so long, but there are not
> > any updates in packages. How long is the usual time that packages take
> > to build, please, or should I build them from ports?
> > I am running FreeBSD 14.3-RELEASE and using latest packages.
>
> Some packages can take a while to be updated due to patched versions
> being incompatible and requiring extra work to port. In these cases
> sometimes the security patch is backported to the old version if it's
> been around for long enough.
>
> However, there are other cases, so I will try to help you out.
>
> > git-2.50.0 is vulnerable:
> >   git -- multiple vulnerabilities
> >   CVE: CVE-2025-48386
> >   CVE: CVE-2025-48385
> >   CVE: CVE-2025-48384
> >   CVE: CVE-2025-46835
> >   CVE: CVE-2025-27614
> >   CVE: CVE-2025-27613
> >   WWW:
> https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html
>
> The patch was pushed on 8th July [1]; however, I believe there could
> be a build issue because I can't find any builds for git, nor can
> freshports. It has been backported to 2025Q3, and it appears you are
> using quarterly, so you could give it a shot at building it yourself.
>
> > clamav-1.4.2_4,1 is vulnerable:
> >   clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
> >   CVE: CVE-2025-20260
> >   WWW:
> https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html
>
> The patch has been pushed to the repository [3]; however, it is likely
> waiting in the queue to be built and pushed to the pkg repos. I do not
> believe it has been backported to quarterly yet.
>
> > xorg-server-21.1.16,1 is vulnerable:
> >   xorg server -- Multiple vulnerabilities
> >   CVE: CVE-2025-49180
> >   CVE: CVE-2025-49179
> >   CVE: CVE-2025-49178
> >   CVE: CVE-2025-49177
> >   CVE: CVE-2025-49175
> >   WWW:
> https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html
> >
> >   xorg server -- Multiple vulnerabilities
> >   CVE: CVE-2025-49176
> >   WWW:
> https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html
>
> I was trying to tackle this one today. The patch was committed back
> on the 1st [4]; however, it is likely waiting to be built. The last
> xorg CVE took ~3-4 weeks to be built for latest, and quarterly came
> about a week later (some may have seen me complain on IRC about it :P)
>
> When I attempted to compile it, it appeared there are dependency
> conflicts between latest and quarterly which may be preventing the
> backport. (Don't hold me to that one, I am not a porter.)
>
> The solution for both clamav and xorg-server is to migrate to latest.
> Many people I know run -RELEASE base and then latest for ports, as you
> tend to get the updates much quicker; however, you also get feature
> updates much quicker, which may have breaking changes.
>
> When you move to latest, xorg-server and clamav can be built manually
> from the ports tree and *should* work.
>
> Personally I have considered such a move a few times when security
> patches have taken weeks to hit quarterly. Sometimes you can ignore the
> warning and compile a latest port for quarterly; other times it breaks
> your system (hence the warning :P). Last time I considered the move, one
> or two clients I use had substantial changes, which can be annoying to
> deal with on a regular basis (hence the reason quarterly is an option
> for some).
>
> However, I don't think anyone here will deny that quarterly can be
> slower getting security patches, and the backports can take some time,
> especially when it comes to being built for the pkg repos. It is up to
> you what you want: the stability of slower feature updates (similar to
> Debian Linux) but sometimes lagging behind on security patches, or
> having much faster updates but getting all the feature updates with the
> security patches.
>
> Edit: I have tried to compile devel/git (2025Q3 branch), and it seems
> the reason it likely isn't built is a perl incompatibility:
>
> ===>  git-2.50.1 Invalid perl5 version 5.36.
> *** Error code 1
>
> Stop.
> make: stopped in /usr/ports/devel/git
>
> Maybe compiling this on latest might work, however I don't run latest
> so I can't verify this.
>
> TL;DR: try migrating to latest and building the ports manually to clear
> your audit list. For anything which doesn't compile, check bugzilla [5];
> if there is nothing there, report the port with the build log, and maybe
> patch it yourself if you want to, otherwise hope someone else patches
> it :)
>
> Sorry if this is not what you wanted to hear; there is not much you can
> do other than hope someone else fixes it soon, or contribute.
>
> If I have made any mistakes, feel free to correct me :D
>
> Take care,
> --
> Polarian
> Jabber/XMPP: polarian@icebound.dev
>
> [1]
> https://cgit.freebsd.org/ports/commit/devel/git/Makefile?id=d3f6c42d2f36989f583ea23cbbf14e5ae8665848
> [2]
> https://cgit.freebsd.org/ports/commit/?h=2025Q3&id=42ee0f7c8a66eec10efaf5f6e9609370eeb43a19
> [3]
> https://cgit.freebsd.org/ports/commit/?id=2c88607160fe6f0bf4e828f748c393f0cc6761fb
> [4]
> https://cgit.freebsd.org/ports/commit/?id=e0120d0e14ad22c119f50502b34f8e4e38e9b93e
> [5] https://bugs.freebsd.org/bugzilla/
>
>

-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
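A small triage script, added here as an example and not part of either message, that works the check Kevin describes: it parses `pkg audit` output in the format quoted above together with `pkg version -vL=` output, and reports which vulnerable packages already have a newer package in the repository (so `pkg upgrade` clears them) and which are stuck waiting for a package build, as git, clamav and xorg-server were in this thread. Both inputs are constructed samples, and the `pkg version -v` line layout (name-version, `<`, "needs updating (remote has ...)") is assumed from pkg's usual output rather than taken from the thread.

```shell
#!/bin/sh
# Constructed sample of `pkg audit` output, in the format quoted in the thread.
AUDIT_SAMPLE='git-2.50.0 is vulnerable:
  git -- multiple vulnerabilities
  CVE: CVE-2025-48386
  CVE: CVE-2025-48385
  WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

clamav-1.4.2_4,1 is vulnerable:
  clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
  CVE: CVE-2025-20260
  WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html

2 problem(s) in 2 installed package(s) found.'

# Constructed sample of `pkg version -vL=` output (assumed layout): the repo
# offers a newer git, but nothing newer for clamav yet.
VERSION_SAMPLE='git-2.50.0                         <   needs updating (remote has 2.50.1)
perl5-5.40.2_1                     <   needs updating (remote has 5.40.2_2)'

# vulnerable_pkgs: base names (version suffix stripped) of packages that
# `pkg audit` flagged; reads the audit text on stdin.
vulnerable_pkgs() {
    awk '/ is vulnerable:$/ { sub(/-[^-]*$/, "", $1); print $1 }'
}

# upgradable_pkgs: base names for which the repository has a newer version
# ("<" in column two); reads `pkg version -v` text on stdin.
upgradable_pkgs() {
    awk '$2 == "<" { sub(/-[^-]*$/, "", $1); print $1 }'
}

# triage AUDIT_TEXT VERSION_TEXT: one line per vulnerable package saying
# whether `pkg upgrade` will fix it or it is stuck waiting for a build.
triage() {
    audit="$1"; versions="$2"
    printf '%s\n' "$audit" | vulnerable_pkgs | while read -r p; do
        if printf '%s\n' "$versions" | upgradable_pkgs | grep -qxF "$p"; then
            echo "$p: newer package in repo, pkg upgrade will fix it"
        else
            echo "$p: no newer package yet, wait for the build or build from ports"
        fi
    done
}

triage "$AUDIT_SAMPLE" "$VERSION_SAMPLE"
```

On a real system replace the two samples with `$(pkg audit)` and `$(pkg version -vL=)`; packages reported as stuck are the ones to check on freshports or bugzilla as Polarian suggests.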