Date: Fri, 11 Jul 2025 06:31:01 -0400
From: LuMiWa <lumiwa@dismail.de>
To: questions@freebsd.org
Subject: Re: Multiple vulnerabilities
Message-ID: <20250711063101.0e2e1979@dismail.de>
In-Reply-To: <20250710225434.36739f77@Hydrogen>
References: <20250710152947.53f8ed37@dismail.de> <20250710225434.36739f77@Hydrogen>
X-Mailer: Claws Mail 3.21.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Thu, 10 Jul 2025 22:54:34 +0100
Polarian wrote:

> Good evening,
> 
> > There are many problems in ports, clamav for so long, but there are
> > not any updates in packages. How long is usually the time that
> > packages are built, please, or should I build them from ports?
> > I am running FreeBSD 14.3-RELEASE and using latest packages.
> 
> Some packages can take a while to be updated due to patched versions
> being incompatible and requiring extra work to port. In these cases
> sometimes the security patch is backported to the old version if it's
> been around for long enough.
> 
> However there are other cases, so I will try to help you out.
> 
> > git-2.50.0 is vulnerable:
> > git -- multiple vulnerabilities
> > CVE: CVE-2025-48386
> > CVE: CVE-2025-48385
> > CVE: CVE-2025-48384
> > CVE: CVE-2025-46835
> > CVE: CVE-2025-27614
> > CVE: CVE-2025-27613
> > WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html
> 
> The patch has been pushed on 8th July [1], however I believe there
> could be a build issue because I can't find any builds for git, nor
> can freshports. It has been backported to 2025Q3, and it appears you
> are using the quarterly; you could give it a shot at building it
> yourself.
> 
> > clamav-1.4.2_4,1 is vulnerable:
> > clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
> > CVE: CVE-2025-20260
> > WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html
> 
> The patch has been pushed to the repository [3], however it is likely
> waiting in queue to be built and pushed to the pkg repos. I do not
> believe it has been backported to quarterly yet.
> 
> > xorg-server-21.1.16,1 is vulnerable:
> > xorg server -- Multiple vulnerabilities
> > CVE: CVE-2025-49180
> > CVE: CVE-2025-49179
> > CVE: CVE-2025-49178
> > CVE: CVE-2025-49177
> > CVE: CVE-2025-49175
> > WWW: https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html
> > 
> > xorg server -- Multiple vulnerabilities
> > CVE: CVE-2025-49176
> > WWW: https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html
> 
> I was trying to tackle this one today. The patch has been committed
> back on the 1st [4], however it is likely waiting to be built; the
> last xorg CVE took ~3-4 weeks to be built for latest, and quarterly
> came about a week later (some may have seen me complain on IRC about
> it :P)
> 
> Where I attempted to compile it, it appeared there are dependency
> conflicts between latest and quarterly which may be preventing the
> backport. (Don't hold me on that one, I am not a porter.)
> 
> The solution for both clamav and xorg-server is to migrate to latest.
> Many people I know run -RELEASE base and then latest for ports, as you
> tend to get the updates much quicker; however you also get feature
> updates much quicker, which may have breaking changes.
> 
> When you move to latest, xorg-server and clamav can be built manually
> from the ports tree and *should* work.
> 
> Personally I have considered such a move a few times when security
> patches have taken weeks to hit quarterly. Sometimes you can ignore
> the warning and compile a latest port for quarterly; other times it
> breaks your system (hence the warning :P). Last time I considered the
> move, one or two clients I use had substantial changes, which can be
> annoying to deal with on a regular basis (hence the reason quarterly
> is an option for some).
> 
> However, I don't think anyone here will deny that quarterly can be
> slower getting security patches, and the backports can take some time,
> especially when it comes to being built for the pkg repos. It is up to
> you what you want: the stability of slower feature updates (similar to
> Debian Linux) but sometimes lagging behind on security patches, or
> having much faster updates but getting all the feature updates with
> the security patches.
> 
> Edit: I have tried to compile devel/git (2025Q3 branch), and it seems
> the reason it likely isn't built looks like perl incompatibility:
> 
> ===> git-2.50.1 Invalid perl5 version 5.36.
> *** Error code 1
> 
> Stop.
> make: stopped in /usr/ports/devel/git
> 
> Maybe compiling this on latest might work, however I don't run latest
> so I can't verify this.
> 
> TL;DR try migrating to latest, and building the ports manually to
> clear your audit list. Anything which doesn't compile, check bugzilla
> [5]; if there is nothing there, report the port with the build log,
> and maybe patch it yourself if you want to, otherwise hope someone
> else patches it :)
> 
> Sorry if this is not what you wanted to hear, there is not much you
> can do other than hope someone else fixes it soon, or contribute.
> 
> If I have made any mistakes, feel free to correct me :D
> 
> Take care,

Thank you very much to everyone.

-- 
“I’ve entered the world of wine without any professional training, but a definite appetite for good bottles.” ― Sidonie-Gabrielle Colette
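As an added example, not code from this thread or from the FreeBSD project: a POSIX shell script that pulls the package names (and per-package CVE counts) out of `pkg audit -F` output of the kind quoted above, and writes the pkg repository override that moves a host from the quarterly branch to latest, as the reply suggests. The audit sample is constructed from the quoted lines; the override location /usr/local/etc/pkg/repos/FreeBSD.conf is the standard one documented in pkg.conf(5).

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD project.
# vulnerable_pkgs / cve_count parse `pkg audit -F` output (sample below is
# constructed from the lines quoted in the thread); write_latest_override
# writes the repo override that moves pkg from quarterly to latest, as the
# reply suggests, using the standard override directory from pkg.conf(5).

SAMPLE_AUDIT='git-2.50.0 is vulnerable:
git -- multiple vulnerabilities
CVE: CVE-2025-48384
WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

clamav-1.4.2_4,1 is vulnerable:
clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
CVE: CVE-2025-20260

xorg-server-21.1.16,1 is vulnerable:
xorg server -- Multiple vulnerabilities
CVE: CVE-2025-49180
CVE: CVE-2025-49176'

# One package name per "<pkg>-<version> is vulnerable:" line, version
# suffix (the last "-" component) stripped, de-duplicated and sorted.
vulnerable_pkgs() {
    printf '%s\n' "$1" | sed -n 's/^\([^ ][^ ]*\) is vulnerable:$/\1/p' \
        | sed 's/-[^-]*$//' | sort -u
}

# Number of CVE lines reported for the package named in $2.
cve_count() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        /^[^ ]+ is vulnerable:$/ { cur = $1; sub(/-[^-]*$/, "", cur) }
        cur == pkg && /^CVE: / { n++ }
        END { print n + 0 }'
}

# Write $1/FreeBSD.conf (default /usr/local/etc/pkg/repos) so pkg tracks
# latest instead of the quarterly URL set in /etc/pkg/FreeBSD.conf.
# Afterwards run: pkg update -f && pkg upgrade
write_latest_override() {
    dir=${1:-/usr/local/etc/pkg/repos}
    mkdir -p "$dir" || return 1
    cat > "$dir/FreeBSD.conf" <<'EOF'
# Default: url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly"
FreeBSD: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest" }
EOF
}
```

Feed `vulnerable_pkgs "$(pkg audit -F)"` on a live host to get the list of ports to rebuild from the tree once the repo override is in place.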