svn commit: r417842 - head/security/vuxml

Mark Felder feld at FreeBSD.org
Thu Jun 30 21:29:00 UTC 2016



On Thu, Jun 30, 2016, at 16:16, Cy Schubert wrote:
> Cy Schubert writes:
> > In message <201606302052.u5UKqdNR025451 at repo.freebsd.org>, Mark Felder 
> > writes:
> > > Author: feld
> > > Date: Thu Jun 30 20:52:39 2016
> > > New Revision: 417842
> > > URL: https://svnweb.freebsd.org/changeset/ports/417842
> > > 
> > > Log:
> > >   Document openssl vulnerability
> > >   
> > >   PR:		210550
> > >   Security:	CVE-2016-2177
> > > 
> > > Modified:
> > >   head/security/vuxml/vuln.xml
> > > 
> > > Modified: head/security/vuxml/vuln.xml
> > > ===========================================================================
> > ==
> > > =
> > > --- head/security/vuxml/vuln.xml	Thu Jun 30 20:38:36 2016	(r41784
> > > 1)
> > > +++ head/security/vuxml/vuln.xml	Thu Jun 30 20:52:39 2016	(r41784
> > > 2)
> > > @@ -58,6 +58,38 @@ Notes:
> > >    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> > >  -->
> > >  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > > +  <vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8">
> > > +    <topic>openssl -- denial of service</topic>
> > > +    <affects>
> > > +      <package>
> > > +	<name>openssl</name>
> > > +	<range><lt>1.0.2_14</lt></range>
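Review bot: the `<range><lt>1.0.2_14</lt></range>` bound treats 1.0.2_14 itself as not affected, so the entry's prose should name the same boundary; the description line quoted further down ("OpenSSL through 1.0.2h") reads as including the last upstream release, while the range says the fixed port is 1.0.2_14 with a backported patch, so either state the fix as that port revision or use wording that excludes it. The quoted hunk stops at the `<range>`, so the rest of the `<vuln>` entry (description, references, dates) cannot be checked here.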
> > 
> > Shouldn't this be <le>1.0.2_14</le> ?
> 
> My mistake. The wording in the following is incorrect:
> 
> > +	  <p>OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
> 
> The word "through" includes 1.0.2h, which it shouldn't. "To" excludes 
> 1.0.2h. Or, simply replace 1.0.2h with 1.0.2g.
> 

Yeah, I believe OpenSSL has not cut the 1.0.2g release so this is a
backported patch from their git.

So their official stance is correct, but it's confusing in the context
of how we triaged this in the ports tree.


-- 
  Mark Felder
  ports-secteam member
  feld at FreeBSD.org
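As an added example (not code from the commit or the thread), the script below shows what the `<lt>` versus `<le>` distinction discussed above means when a vuxml `<range>` is evaluated against an installed port version; the version ordering is a simplified approximation of pkg's comparison, an assumption here, and the `<le>` variant is constructed only for comparison.

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample reproducing the <affects> block of the quoted entry.
SAMPLE_LT = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8">
    <topic>openssl -- denial of service</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>1.0.2_14</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""
# The <le> variant raised in the thread, constructed here for comparison.
SAMPLE_LE = SAMPLE_LT.replace("<lt>1.0.2_14</lt>", "<le>1.0.2_14</le>")

def version_key(version):
    """Sort key approximating pkg's ordering (an assumption, not pkg's code):
    PORTVERSION compared token-wise (numbers numerically, letters lexically,
    so 1.0.2h > 1.0.2g), then _PORTREVISION numerically. Epochs are ignored."""
    main, _, rev = version.partition("_")
    tokens = [(0, int(t)) if t.isdigit() else (1, t)
              for t in re.findall(r"\d+|[A-Za-z]+", main)]
    return (tokens, int(rev) if rev else 0)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def is_affected(vuxml_text, package, version):
    """True if any <range> of the named package matches the installed version.
    A range with several bounds (e.g. <ge>..<lt>) requires all of them to hold."""
    root = ET.fromstring(vuxml_text)
    installed = version_key(version)
    for pkg in root.iterfind(".//v:package", NS):
        if pkg.findtext("v:name", namespaces=NS) != package:
            continue
        for rng in pkg.iterfind("v:range", NS):
            bounds = [(b.tag.rsplit("}", 1)[-1], b.text.strip()) for b in rng]
            if bounds and all(OPS[op](installed, version_key(v)) for op, v in bounds):
                return True
    return False
```

With the `<lt>` bound, `is_affected(SAMPLE_LT, "openssl", "1.0.2_14")` is False (the fixed revision), whereas the `<le>` variant reports it as affected.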

