* Request for help to address known security issues
From: Holger Hans Peter Freyther @ 2010-03-15 5:05 UTC
To: openembedded-devel
Hi all,
the following OE packages seem to be vulnerable to known security issues and I
would like to get some help in updating these....
wget 1.9.1: http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
perl 5.8.8: http://www.FreeBSD.org/ports/portaudit/4a99d61c-f23a-11dd-9f55-0030843d3802.html
perl-native 5.8.8: Same as above
squid 2.6: probably deserves an update...
squid-native too..
faad2 2.0: http://www.FreeBSD.org/ports/portaudit/445ed958-b0d9-11dd-a55e-00163e000016.html
cyrus-sasl 2.1.19:
http://www.FreeBSD.org/ports/portaudit/14ab174c-40ef-11de-9fd5-001bd3385381.html
cscope 15.5: http://www.FreeBSD.org/ports/portaudit/c14aa48c-5ab7-11de-bc9b-0030843d3802.html
freeciv 2.0.8: http://www.FreeBSD.org/ports/portaudit/2d9ad236-4d26-11db-b48d-00508d6a62df.html
php-native and php should probably use the same versions...
lighttpd 1.4.18:
http://www.FreeBSD.org/ports/portaudit/1ac77649-0908-11dd-974d-000fea2763ce.html,
http://www.FreeBSD.org/ports/portaudit/fb911e31-8ceb-11dd-bb29-000c6e274733.html,
http://www.FreeBSD.org/ports/portaudit/1a3bd81f-1b25-11df-bd1a-002170daae37.html
ipsec-tools 0.6.7: http://www.FreeBSD.org/ports/portaudit/abcacb5a-e7f1-11dd-afcd-00e0815b8da8.html
cyrus-imapd 2.2.12:
http://www.FreeBSD.org/ports/portaudit/012b495c-9d51-11de-8d20-001bd3385381.html,
gallery 1.5.5: http://www.FreeBSD.org/ports/portaudit/fc9e73b2-8685-11dd-bb64-0030843d3802.html
thunderbird 1.0.7... I don't list all....
vnc 3.3.7: http://www.FreeBSD.org/ports/portaudit/4645b98c-e46e-11da-9ae7-00123fcc6e5c.html
findutils 4.2.29:
http://www.FreeBSD.org/ports/portaudit/7ca2a709-103b-11dc-8e82-00001cd613f9.html
streamripper 1.61.10: http://www.FreeBSD.org/ports/portaudit/4d4caee0-b939-11dd-a578-0030843d3802.html
libvorbis 1.2.3: Maybe we need an extra patch
http://www.FreeBSD.org/ports/portaudit/94edff42-d93d-11de-a434-0211d880e350.html
gftp 2.0.18: Maybe we need an extra patch
http://www.FreeBSD.org/ports/portaudit/f8b0f83c-8bb3-11dc-bffa-0016179b2dd5.html
gnupg 1.4.2.2: numerous issues...
http://www.FreeBSD.org/ports/portaudit/f900bda8-0472-11db-bbf7-000c6ec775d9.html,
http://www.FreeBSD.org/ports/portaudit/ed529baa-21c6-11db-b625-02e081235dab.html,
http://www.FreeBSD.org/ports/portaudit/34c93ae8-7e6f-11db-bf00-02e081235dab.html,
http://www.FreeBSD.org/ports/portaudit/4db1669c-8589-11db-ac4f-02e081235dab.html,
http://www.FreeBSD.org/ports/portaudit/30394651-13e1-11dd-bab7-0016179b2dd5.html
wv 1.2.0: http://www.FreeBSD.org/ports/portaudit/d29dc506-8aa6-11db-bd0d-00123ffe8333.html
imlib 1.9.15: Maybe we need a patch
http://www.FreeBSD.org/ports/portaudit/2001103a-6bbd-11d9-851d-000a95bc6fae.html
bogofilter 0.96.0:
http://www.FreeBSD.org/ports/portaudit/b747b2a9-7be0-11da-8ec4-0002b3b60e4c.html
cdrtools-native 2.01: http://www.FreeBSD.org/ports/portaudit/fdbbed57-f933-11d8-a776-00e081220a76.html
ez-ipupdate 3.0.10: http://www.FreeBSD.org/ports/portaudit/e69ba632-326f-11d9-b5b7-000854d03344.html
gzip 1.3.5: http://www.FreeBSD.org/ports/portaudit/11a84092-8f9f-11db-ab33-000e0c2e438a.html
apr 1.3.5: http://www.FreeBSD.org/ports/portaudit/eb9212f7-526b-11de-bbf2-001b77d09812.html
grip 3.2.0: http://www.FreeBSD.org/ports/portaudit/bcf27002-94c3-11d9-a9e0-0001020eed82.html
socat 1.3.2.1: http://www.FreeBSD.org/ports/portaudit/f3017ce1-32a4-11d9-a9e7-0001020eed82.html
unrar 3.4.3: http://www.FreeBSD.org/ports/portaudit/94234e00-be8a-11db-b2ec-000c6ec775d9.html
unrar-native: same thing..
dnsmasq 2.47: http://www.FreeBSD.org/ports/portaudit/80aa98e0-97b4-11de-b946-0030843d3802.html
bitlbee 1.0.4:
http://www.FreeBSD.org/ports/portaudit/24ec781b-8c11-11dd-9923-0016d325a0ed.html
postgresql: http://www.FreeBSD.org/ports/portaudit/51436b4c-1250-11dd-bab7-0016179b2dd5.html
ctorrent 3.3.1: http://www.FreeBSD.org/ports/portaudit/83d7d149-b965-11de-a515-0022156e8794.html
nsd 2.0.0: http://www.FreeBSD.org/ports/portaudit/37a8603d-4494-11de-bea7-000c29a67389.html
curl-sdk: It should match curl-native and curl... currently
http://www.FreeBSD.org/ports/portaudit/5d433534-f41c-402e-ade5-e0a2259a7cb6.html
gnome-screensaver: 2.28.0
http://www.FreeBSD.org/ports/portaudit/0a82ac0c-1886-11df-b0d1-0015f2db7bde.html
if everybody would randomly grab two/three recipes we could have all of this
fixed in a day...
* Re: Request for help to address known security issues
From: Koen Kooi @ 2010-03-15 9:50 UTC
To: openembedded-devel
On 15-03-10 06:05, Holger Hans Peter Freyther wrote:
> Hi all,
>
> the following OE packages seem to be vulnerable to known security issues and I
> would like to get some help in updating these....
> gnome-screensaver: 2.28.0
> http://www.FreeBSD.org/ports/portaudit/0a82ac0c-1886-11df-b0d1-0015f2db7bde.html
Done, upgraded to 2.28.3. Took me longer than expected due to all the
autoconf 2.64 breakage that went in this morning :(
regards,
Koen
* Re: Request for help to address known security issues
From: Koen Kooi @ 2010-03-15 10:41 UTC
To: openembedded-devel
On 15-03-10 06:05, Holger Hans Peter Freyther wrote:
> Hi all,
>
> the following OE packages seem to be vulnerable to known security issues and I
> would like to get some help in updating these....
>
> wget 1.9.1: http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
Wget 1.11.x is in OE already, should we schedule 1.9.x for deletion?
> faad2 2.0: http://www.FreeBSD.org/ports/portaudit/445ed958-b0d9-11dd-a55e-00163e000016.html
Faad2 moved to http://www.audiocoding.com/ and is at 2.7 now. I'll try
to have a look at faad2 later today.
regards,
Koen
* Re: Request for help to address known security issues
From: Roman Khimov @ 2010-03-15 10:53 UTC
To: openembedded-devel
On Monday 15 March 2010 08:05:02 Holger Hans Peter Freyther wrote:
> perl 5.8.8: http://www.FreeBSD.org/ports/portaudit/4a99d61c-f23a-11dd-9f55-0030843d3802.html
>
> perl-native 5.8.8: Same as above
Using 5.10.0 internally and preparing 5.10.1 to push (along with other perl
thingies)
> squid 2.6: probably deserves an update...
> squid-native too..
Using 2.7.STABLE6 internally, will try to bring in latest.
> ipsec-tools 0.6.7:
> http://www.FreeBSD.org/ports/portaudit/abcacb5a-e7f1-11dd-afcd-00e0815b8da8.html
Using 0.7.2, will try to prepare a patch.
* Re: Request for help to address known security issues
From: Holger Hans Peter Freyther @ 2010-03-15 11:00 UTC
To: openembedded-devel
On Monday 15 March 2010 11:41:20 Koen Kooi wrote:
> On 15-03-10 06:05, Holger Hans Peter Freyther wrote:
> > Hi all,
> >
> > the following OE packages seem to be vulnerable to known security issues
> > and I would like to get some help in updating these....
> >
> > wget 1.9.1: http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
>
> Wget 1.11.x is in OE already, should we schedule 1.9.x for deletion?
yes, but we default to 1.9.x. If you could make angstrom use 1.11 or remove
the default preference of -1 from the wget recipe that would be awesome.
* Re: Request for help to address known security issues
From: Holger Hans Peter Freyther @ 2010-03-15 11:13 UTC
To: openembedded-devel
On Monday 15 March 2010 11:53:26 Roman Khimov wrote:
> Using 5.10.0 internally and preparing 5.10.1 to push (along with other perl
> thingies)
> Using 2.7.STABLE6 internally, will try to bring in latest.
> Using 0.7.2, will try to prepare a patch.
awesome!
* Re: Request for help to address known security issues
From: Koen Kooi @ 2010-03-15 11:48 UTC
To: openembedded-devel
On 15-03-10 12:00, Holger Hans Peter Freyther wrote:
> On Monday 15 March 2010 11:41:20 Koen Kooi wrote:
>> On 15-03-10 06:05, Holger Hans Peter Freyther wrote:
>>> Hi all,
>>>
>>> the following OE packages seem to be vulnerable to known security issues
>>> and I would like to get some help in updating these....
>>>
>>> wget 1.9.1: http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
>>
>> Wget 1.11.x is in OE already, should we schedule 1.9.x for deletion?
>
> yes, but we default to 1.9.x. If you could make angstrom use 1.11 or remove
> the default preference of -1 from the wget recipe that would be awesome.
angstrom is now using 1.11.4
regards,
Koen
* Re: Request for help to address known security issues
From: Michael Lippautz @ 2010-03-15 12:44 UTC
To: openembedded-devel
2010/3/15 Holger Hans Peter Freyther <holger+oe@freyther.de>:
> unrar 3.4.3: http://www.FreeBSD.org/ports/portaudit/94234e00-be8a-11db-b2ec-000c6ec775d9.html
>
> unrar-native: same thing..
Done. Fixed by bumping (... rewriting) to 3.9.9.
Regards,
Michael
* Re: Request for help to address known security issues
From: Holger Hans Peter Freyther @ 2010-03-15 13:17 UTC
To: openembedded-devel
On Monday 15 March 2010 13:44:59 Michael Lippautz wrote:
> 2010/3/15 Holger Hans Peter Freyther <holger+oe@freyther.de>:
> > unrar 3.4.3: http://www.FreeBSD.org/ports/portaudit/94234e00-be8a-11db-b2ec-000c6ec775d9.html
> >
> > unrar-native: same thing..
>
> Done. Fixed by bumping (... rewriting) to 3.9.9.
Thanks!
* Re: Request for help to address known security issues
From: Martin Jansa @ 2010-03-16 8:13 UTC
To: openembedded-devel
> findutils 4.2.29:
> http://www.FreeBSD.org/ports/portaudit/7ca2a709-103b-11dc-8e82-00001cd613f9.html
I'll send 4.5.5 after a bit of cleanup and moving to BBCLASSEXTEND.
Regards,
--
uin:136542059 jid:Martin.Jansa@gmail.com
Jansa Martin sip:jamasip@voip.wengo.fr
JaMa
* Re: Request for help to address known security issues
From: Michael Lippautz @ 2010-03-16 8:38 UTC
To: openembedded-devel
Should get to fix lighttpd today or tomorrow.
Regards,
Michael