Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71

Jean-Sébastien Pédron dumbbell at FreeBSD.org
Sun Dec 14 16:16:38 UTC 2014


On 14.12.2014 12:42, Alexey Dokuchaev wrote:
> I've marked these ports FORBIDDEN for now, but their fate is yet to be decided.
> The last update to the -173 legacy branch, 173.14.39, added support for X.org
> xserver ABI 15 (xorg-server 1.15), and it was confirmed to work with upcoming v1.14
> update (PR 195781), so it would be unfortunate to lose it just because NVidia
> does not care about it anymore and won't provide a fix for CVE-2014-8298.

I agree, there's no need to remove -173 for now, as it works.

> So perhaps instead of forbidding them and subsequently removing, we can
> provide a pkg-message that tells users what they are facing and how to stay
> safe (with a legal bla-bla that FreeBSD cannot guarantee anything
> if you use this vulnerable, unmaintained upstream port)?
> 
> I wonder what other people think.

If the problem is well documented and workarounds are described, I
believe it's fine. Making the user's life easier is more important to me
than this security issue; it's not like we're talking about OpenSSL
here. We have already lived with the hole for 9 months; it can stay a bit
longer. However, I have no strong opinion on that matter, I'll accept
the decision of more experienced ports/security people :)

-- 
Jean-Sébastien Pédron
