
security/libressl: Update to 2.2.5
Closed, Public

Authored by brnrd on Dec 5 2015, 10:50 AM.

Details

Summary

Proposed commit log:

security/libressl: Update to 2.2.5

 - Version 2.2.5 addresses CVE-2015-2394
 - Refactor regression-test target to TEST_TARGET
 - Add LibreSSL < 2.2.5/2.3.1_1 vuxml entry

Reviewed_by:	koobs (mentor), feld (ports-secteam), delphij (ports-secteam)
Approved by:	koobs (mentor), delphij (ports-secteam)
Security:	215e740e-9c56-11e5-90e7-b499baebfeaf
MFH:		2015Q4
Differential_Revision:	https://reviews.freebsd.org/D4393
Test Plan
  • portlint -AC (clean)
  • make check-plist (clean)
  • make test libressl (All OK)
  • make validate vuxml (All OK)
  • poudriere testport OK

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brnrd retitled this revision to "security/libressl: Fix CVE-2015-3194 vulnerability". Dec 5 2015, 10:50 AM
brnrd updated this object.
brnrd edited the test plan for this revision.
brnrd added reviewers: koobs, vsevolod, feld.
brnrd updated this revision to Diff 10773.
brnrd updated this revision to Diff 10774.

Add the patch...

koobs updated this object. Dec 5 2015, 10:52 AM
koobs updated this object.
brnrd updated this object. Dec 5 2015, 10:56 AM
brnrd updated this revision to Diff 10776.

Update vuxml entry to include libressl

koobs edited edge metadata. Dec 5 2015, 10:56 AM
koobs added a subscriber: delphij.
koobs requested changes to this revision.

I believe security/vuxml (4c8d1d72-9b38-11e5-aece-d050996490d0) needs to be updated to add the libressl package, no?

Maybe a separate entry should be created, given libressl was only affected by one CVE?

If the latter, the Security: id in the proposed changelog will need to change.

Adding @delphij to review.

security/libressl/Makefile
Line 39 (on Diff #10774):

Switch this to do-test, and I don't think the build bit or command below will be needed.

This revision now requires changes to proceed. Dec 5 2015, 10:56 AM
brnrd updated this object. Dec 5 2015, 11:01 AM
brnrd updated this object.
brnrd edited edge metadata. Dec 5 2015, 11:04 AM
brnrd updated this revision to Diff 10777.

Add vuln for 2.3 <= 2.3.1 as well

brnrd edited edge metadata. Dec 5 2015, 11:05 AM
brnrd updated this revision to Diff 10778.

Remove duplicate test target

koobs edited edge metadata. Dec 5 2015, 12:25 PM
koobs accepted this revision.
This revision is now accepted and ready to land. Dec 5 2015, 12:25 PM
koobs added a comment. Dec 5 2015, 12:26 PM

@brnrd Missing make validate in the TEST PLAN :)

delphij edited edge metadata. Dec 6 2015, 4:33 AM
delphij accepted this revision.

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have a strong opinion here, though.)

I think the vuxml part can go independently, just make sure you bump the <modified> time.

brnrd added a comment. Dec 6 2015, 11:16 AM

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have a strong opinion here, though.)

We probably could. I'm expecting a new release any time now, so the patch will be removed soon. The amount of change would be a lot bigger, though: changes in Makefile and distinfo that need to be reverted later on. Can't use regular patching either; it requires patch -p 4 to apply to the port. In that same way, running signify on the current patch should fail. Perhaps better if I remove that from the patchfile!

I think the vuxml part can go independently, just make sure you bump the <modified> time.

Since only one of the 5 CVEs applies to LibreSSL, should it be added to the existing vuxml entry, or should an additional vuxml entry for LibreSSL be created?

brnrd edited the test plan for this revision. Dec 6 2015, 11:18 AM
brnrd edited edge metadata.
brnrd edited edge metadata. Dec 6 2015, 8:35 PM
brnrd updated this revision to Diff 10828.

Separate the vuxml entry for LibreSSL

This revision now requires review to proceed. Dec 6 2015, 8:35 PM
brnrd updated this object. Dec 6 2015, 8:40 PM
brnrd edited the test plan for this revision.
brnrd edited edge metadata.
feld added inline comments. Dec 7 2015, 4:40 PM
security/vuxml/vuln.xml
Line 66 (on Diff #10828):

Don't use <le> unless you have to. The problem is that a PORTREVISION bump will cause the entry to no longer match.

feld added inline comments. Dec 7 2015, 4:59 PM
security/vuxml/vuln.xml
Line 67 (on Diff #10828):

Actually, both of these are supposed to be <lt>, not <le>.

feld edited edge metadata. Dec 7 2015, 4:59 PM
feld requested changes to this revision.
This revision now requires changes to proceed. Dec 7 2015, 4:59 PM
brnrd edited edge metadata. Dec 8 2015, 6:30 AM
brnrd updated this revision to Diff 10898.

Update to 2.2.5 including fixes

brnrd retitled this revision from "security/libressl: Fix CVE-2015-3194 vulnerability" to "security/libressl: Update to 2.2.5". Dec 8 2015, 6:30 AM
brnrd updated this object.
brnrd edited edge metadata.
brnrd updated this revision to Diff 10900. Dec 8 2015, 6:33 AM

Fix version in vuxml

brnrd marked 2 inline comments as done. Dec 8 2015, 6:34 AM
brnrd added inline comments.
security/vuxml/vuln.xml
Line 66 (on Diff #10900):

Noted!

Line 67 (on Diff #10900):

Noted! This is only here for PC-BSD, as they have 2.3.

koobs added a comment. Dec 8 2015, 6:38 AM

I'd have preferred the same version + backport commit, so it could be cleanly merged to quarterly without a version update; however, that may have affected this version comparison, <range><lt>2.2.5</lt></range>, as we would have to stipulate that 2.2.3_X (the version in quarterly) wasn't vulnerable.

@brnrd Before I accept, have you run through QA items in your test plan again, or not?
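
The <le> versus <lt> point feld raised above and the <range><lt>2.2.5</lt></range> comparison koobs mentions can both be checked mechanically. The following is an added example, not code from this review or from the ports tree: it evaluates a constructed vuxml fragment (placeholder vid) with a simplified FreeBSD package version comparator (numeric dotted components, _PORTREVISION and ,EPOCH only; pkg(8)'s handling of letter suffixes and pl/rc components is not implemented, which is an assumption) and shows that <le>2.2.4</le> stops matching after a PORTREVISION bump to 2.2.4_1 while <lt>2.2.5</lt> still covers it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment (placeholder vid) modelled on the LibreSSL entry under review
VULN_XML = """<vuln vid="PLACEHOLDER-VID">
  <affects><package>
    <name>libressl</name>
    <range><lt>2.2.5</lt></range>
    <range><ge>2.3.0</ge><lt>2.3.1_1</lt></range>
  </package></affects>
</vuln>"""

def parse_version(v):
    """'VERSION[_REVISION][,EPOCH]' -> (epoch, numeric parts, revision); simplified pkg(8) rules."""
    epoch = rev = 0
    if "," in v:
        v, epoch = v.split(",", 1)
    if "_" in v:
        v, rev = v.split("_", 1)
    return int(epoch), [int(n) for n in re.findall(r"\d+", v)], int(rev)

def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b; missing components count as 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    ka = (ea, pa + [0] * (n - len(pa)), ra)
    kb = (eb, pb + [0] * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)

BOUNDS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
          "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def range_matches(rng, version):
    """A <range> matches when every bound element inside it holds for the version."""
    return all(BOUNDS[b.tag](compare(version, b.text.strip())) for b in rng)

def affected(vuln_xml, pkgname, version):
    """True if any <range> of the named <package> covers the installed version."""
    for pkg in ET.fromstring(vuln_xml).iter("package"):
        if pkg.findtext("name") == pkgname:
            return any(range_matches(r, version) for r in pkg.findall("range"))
    return False

def le_vs_lt_after_bump():
    """feld's point: <le>2.2.4</le> stops matching after a PORTREVISION bump to 2.2.4_1, <lt>2.2.5</lt> does not."""
    le = ET.fromstring("<range><le>2.2.4</le></range>")
    lt = ET.fromstring("<range><lt>2.2.5</lt></range>")
    return {v: (range_matches(le, v), range_matches(lt, v)) for v in ("2.2.4", "2.2.4_1")}
```

The second assertion-worthy case is the quarterly version koobs names: 2.2.3_1 is still covered by <lt>2.2.5</lt>, which is why the bound needed no special stipulation.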

brnrd marked 2 inline comments as done. Dec 8 2015, 6:43 AM
In D4393#93429, @koobs wrote:

@brnrd Before I accept, have you run through QA items in your test plan again, or not?

Ran all of them:
make check-plist test reinstall package ; portlint -AC ; cd ../vuxml ; make validate

koobs edited edge metadata. Dec 8 2015, 6:45 AM
koobs accepted this revision.

LGTM, pending secondary approval (because the prior diff requested changes).

delphij edited edge metadata. Dec 8 2015, 8:24 AM
delphij accepted this revision.

Looks good to me, thanks!

brnrd updated this object. Dec 8 2015, 9:48 AM
brnrd edited edge metadata.
This revision was automatically updated to reflect the committed changes.