mail/postfix-policyd-spf relies on vulnerable mail/libspf2-10

Chris Rees crees at freebsd.org
Sun Aug 28 10:44:50 UTC 2011


On 28 August 2011 11:35, Uffe R. B. Andersen <urb at twe.net> wrote:
>
> On 28-08-2011 02:00, Doug Barton wrote:
>> I appreciate your responses, but I think you're missing one or
>> more large'ish pieces of the puzzle. Here is what I'm seeing with
>> an up to date portaudit db:
>>
>> portaudit -a
>> Affected package: libspf2-1.0.4_1
>> Type of problem: libspf2 -- Buffer overflow.
>> Reference: http://portaudit.FreeBSD.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
>>
>> pkg_info -qo libspf2-1.0.4_1
>> mail/libspf2-10
>>
>> pkg_info -R libspf2-1.0.4_1
>> Information for libspf2-1.0.4_1:
>>
>> Required by:
>> postfix-policyd-spf-1.0.1_3
>>
>> cd /usr/ports/mail/libspf2-10/
>> make -V PKGNAME
>> libspf2-1.0.4_1
>>
>>
>> The solution here is that postfix-policyd-spf needs to be updated
>> to not rely on a vulnerable version of libspf2.
>
> Indeed you're right. Googling the issue reveals that
> postfix-policyd-spf apparently is rather unmaintained and people
> suggest using the perl or python versions instead. I do remember
> having this issue myself some 2 years ago, and nothing seems to have
> happened since then. The Google results also show that
> postfix-policyd-spf doesn't compile with newer versions of libspf2.
>
> Perhaps we should ask to have postfix-policyd-spf removed from the
> ports tree altogether?

Hm, perhaps:

FORBIDDEN= depends on forbidden software (libspf2)
DEPRECATED= dead upstream, depends on forbidden software (libspf2)
EXPIRATION_DATE= 2011-10-28

Maintainer added back to the CC list.

Chris

