Re: Multiple vulnerabilities

From: LuMiWa <lumiwa_at_dismail.de>
Date: Fri, 11 Jul 2025 10:31:01 UTC
On Thu, 10 Jul 2025 22:54:34 +0100
Polarian <polarian@polarian.dev> wrote:

> Good evening,
> 
> > There are many problems in ports, clamav for so long, but there are
> > no updates in packages. How long does it usually take for packages
> > to be built, please, or should I build them from ports?
> > I am running FreeBSD 14.3-RELEASE and using the latest packages.
> 
> Some packages can take a while to be updated due to patched versions
> being incompatible and requiring extra work to port. In these cases
> sometimes the security patch is backported to the old version if it's
> been around for long enough.
> 
> However there are other cases, so I will try to help you out.
> 
> > git-2.50.0 is vulnerable:
> >   git -- multiple vulnerabilities
> >   CVE: CVE-2025-48386
> >   CVE: CVE-2025-48385
> >   CVE: CVE-2025-48384
> >   CVE: CVE-2025-46835
> >   CVE: CVE-2025-27614
> >   CVE: CVE-2025-27613
> >   WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html
> 
> The patch was pushed on 8th July [1]; however, I believe there
> could be a build issue because I can't find any builds for git, nor
> can freshports. It has been backported to 2025Q3, and it appears you
> are using quarterly, so you could give it a shot at building it
> yourself.
> 
> > clamav-1.4.2_4,1 is vulnerable:
> >   clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
> >   CVE: CVE-2025-20260
> >   WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html
> 
> The patch has been pushed to the repository [3], however it is likely
> waiting in queue to be built and pushed to the pkg repos. I do not
> believe it has been backported to quarterly yet.
> 
> > xorg-server-21.1.16,1 is vulnerable:
> >   xorg server -- Multiple vulnerabilities
> >   CVE: CVE-2025-49180
> >   CVE: CVE-2025-49179
> >   CVE: CVE-2025-49178
> >   CVE: CVE-2025-49177
> >   CVE: CVE-2025-49175
> >   WWW: https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html
> > 
> >   xorg server -- Multiple vulnerabilities
> >   CVE: CVE-2025-49176
> >   WWW: https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html
> 
> I was trying to tackle this one today. The patch was committed
> back on the 1st [4]; however, it is likely waiting to be built. The
> last xorg CVE took ~3-4 weeks to be built for latest, and quarterly
> came about a week later (some may have seen me complain on IRC about
> it :P)
> 
> When I attempted to compile it, it appeared there are dependency
> conflicts between latest and quarterly which may be preventing the
> backport. (don't hold me to that one, I am not a porter)
> 
> The solution for both clamav and xorg-server is to migrate to latest.
> Many people I know run -RELEASE base and then latest for ports, as you
> tend to get the updates much quicker; however, you also get feature
> updates much quicker, which may have breaking changes.
> 
> When you move to latest, xorg-server and clamav can be built manually
> from the ports tree and *should* work.
> 
> Personally I have considered such a move a few times when security
> patches have taken weeks to hit quarterly, sometimes you can ignore
> the warning and compile a latest port for quarterly, other times it
> breaks your system (hence the warning :P). Last time I considered the
> move one or two clients I use had substantial changes, which can be
> annoying to deal with on a regular basis (hence the reason quarterly
> is an option for some).
> 
> However, I don't think anyone here will deny that quarterly can be
> slower getting security patches, and the backports can take some time,
> especially when it comes to being built for the pkg repos. It is up to
> you what you want: the stability of slower feature updates (similar to
> Debian Linux) but sometimes lagging behind on security patches, or
> having much faster updates but getting all the feature updates along
> with the security patches.
> 
> Edit: I have tried to compile devel/git (2025Q3 branch), and it seems
> the reason it likely isn't built is a perl incompatibility:
> 
> ===>  git-2.50.1 Invalid perl5 version 5.36.
> *** Error code 1
> 
> Stop.
> make: stopped in /usr/ports/devel/git
> 
> Maybe compiling this on latest might work, however I don't run latest
> so I can't verify this.
> 
> TL;DR try migrating to latest, and building the ports manually to
> clear your audit list, anything which doesn't compile, check bugzilla
> [5], if there is nothing there report the port with the build log,
> and maybe patch it yourself if you want to, otherwise hope someone
> else patches it :)
> 
> Sorry if this is not what you wanted to hear, there is not much you
> can do other than hope someone else fixes it soon, or contribute.
> 
> If I have made any mistakes, feel free to correct me :D
> 
> Take care,

Thank you very much to everyone.


-- 
“I’ve entered the world of wine without any professional training,
 but a definite appetite for good bottles.”

― Sidonie-Gabrielle Colette
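
The two practical steps the reply above recommends, pointing pkg(8) at the latest repository instead of quarterly and then working through the pkg audit list port by port, as an added shell example that is not part of the original thread or of FreeBSD's own tooling. It assumes the repo override layout documented in pkg.conf(5) and the audit text layout quoted in the thread; PREFIX is a hypothetical knob so the override can be written to a scratch directory (on a real host, run as root with PREFIX=/usr/local). The sample audit text is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers the reply describes:
# point pkg(8) at the "latest" branch instead of "quarterly", and turn
# `pkg audit -F` text into a greppable list of package/CVE/VuXML triples so
# the audit list can be cleared item by item.
#
# Assumptions (not from the original page): PREFIX is a hypothetical knob so
# the override lands in a scratch directory by default; on a real host run
# as root with PREFIX=/usr/local. The repo file follows pkg.conf(5).
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"

# The base system's /etc/pkg/FreeBSD.conf selects quarterly. A file with the
# same repository name under ${PREFIX}/etc/pkg/repos/ overrides it; only the
# branch component of the URL changes. Prints the path of the file written.
write_latest_override() {
    repo_dir="$PREFIX/etc/pkg/repos"
    mkdir -p "$repo_dir"
    cat > "$repo_dir/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
    echo "$repo_dir/FreeBSD.conf"
}

# Parse `pkg audit -F` output from stdin. For each "<pkg> is vulnerable:"
# block, emit "<pkg> <CVE> <VuXML URL>", one row per CVE. A package with
# several advisories (xorg-server in the thread) has one WWW line per
# advisory, so the CVE buffer is flushed and reset at every WWW line.
audit_to_rows() {
    awk '
        / is vulnerable:$/   { pkg = $1; n = 0 }
        /^[[:space:]]*CVE: / { cve[n++] = $2 }
        /^[[:space:]]*WWW: / {
            for (i = 0; i < n; i++) print pkg, cve[i], $2
            n = 0
        }
    '
}

# Unique vulnerable package names, i.e. what to hand to `pkg query %o <pkg>`
# to find the port origins to rebuild from /usr/ports after the switch.
vulnerable_pkgs() {
    audit_to_rows | awk '{ print $1 }' | sort -u
}

# Constructed sample input, mirroring the audit output quoted in the thread.
SAMPLE='git-2.50.0 is vulnerable:
  git -- multiple vulnerabilities
  CVE: CVE-2025-48386
  CVE: CVE-2025-48385
  WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

clamav-1.4.2_4,1 is vulnerable:
  clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
  CVE: CVE-2025-20260
  WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html

xorg-server-21.1.16,1 is vulnerable:
  xorg server -- Multiple vulnerabilities
  CVE: CVE-2025-49180
  CVE: CVE-2025-49179
  WWW: https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html

  xorg server -- Multiple vulnerabilities
  CVE: CVE-2025-49176
  WWW: https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html'

# Demo against the sample. On a host: pkg audit -F | audit_to_rows
printf '%s\n' "$SAMPLE" | audit_to_rows
printf '%s\n' "$SAMPLE" | vulnerable_pkgs
write_latest_override
```

Writing the override only changes which repository pkg(8) reads; `pkg update -f` followed by `pkg upgrade` is still needed to pull the latest-branch binaries, and a ports tree used for manual builds should be on the main branch rather than a 2025Qx branch, since latest packages are built from main. Mixing a latest binary set with a quarterly ports tree is exactly the dependency mismatch the reply ran into.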