
security/libressl: Update to 2.2.5
Closed, Public

Authored by brnrd on Dec 5 2015, 10:50 AM.

Details

Summary

Proposed commit log:

security/libressl: Update to 2.2.5

 - Version 2.2.5 addresses CVE-2015-2394
 - Refactor regression-test target to TEST_TARGET
 - Add LibreSSL < 2.2.5/2.3.1_1 vuxml entry

Reviewed_by:	koobs (mentor), feld (ports-secteam), delphij (ports-secteam)
Approved by:	koobs (mentor), delphij (ports-secteam)    
Security:	215e740e-9c56-11e5-90e7-b499baebfeaf
MFH:		2015Q4
Differential_Revision:	https://reviews.freebsd.org/D4393
Test Plan
  • portlint -AC (clean)
  • make check-plist (clean)
  • make test libressl (All OK)
  • make validate vuxml (All OK)
  • poudriere testport OK

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brnrd updated this revision to Diff 10773. Dec 5 2015, 10:50 AM
brnrd updated this revision to Diff 10774.
brnrd retitled this revision from to security/libressl: Fix CVE-2015-3194 vulnerability.
brnrd updated this object.
brnrd edited the test plan for this revision. (Show Details)
brnrd added reviewers: koobs, vsevolod, feld.

Add the patch...

koobs updated this object. Dec 5 2015, 10:52 AM
koobs updated this object.
brnrd updated this revision to Diff 10776. Dec 5 2015, 10:56 AM
brnrd updated this object.

Update vuxml entry to include libressl

koobs requested changes to this revision. Dec 5 2015, 10:56 AM
koobs edited edge metadata.
koobs added a subscriber: delphij.

I believe security/vuxml (4c8d1d72-9b38-11e5-aece-d050996490d0) needs to be updated to add the libressl package, no?

Maybe a separate entry be created given libressl was only affected by one CVE?

If the latter, Security: id in proposed changelog will need to change.

Adding @delphij to review

security/libressl/Makefile, line 39 (on Diff #10774)

Switch this to do-test, and I don't think the build bit or command below will be needed.

This revision now requires changes to proceed. Dec 5 2015, 10:56 AM
brnrd updated this object. Dec 5 2015, 11:01 AM
brnrd updated this object.
brnrd updated this revision to Diff 10777. Dec 5 2015, 11:04 AM
brnrd edited edge metadata.

Add vuln for 2.3 <= 2.3.1 as well

brnrd updated this revision to Diff 10778. Dec 5 2015, 11:05 AM
brnrd edited edge metadata.

Remove duplicate test target

koobs accepted this revision. Dec 5 2015, 12:25 PM
koobs edited edge metadata.
This revision is now accepted and ready to land. Dec 5 2015, 12:25 PM
koobs added a comment. Dec 5 2015, 12:26 PM

@brnrd Missing make validate in the TEST PLAN :)

delphij accepted this revision. Dec 6 2015, 4:33 AM
delphij edited edge metadata.

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have strong opinion here, though).

I think the vuxml part can go independently, just make sure you bump the <modified> time.

brnrd added a comment. Dec 6 2015, 11:16 AM

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have strong opinion here, though).

We probably could. I'm expecting a new release any time now, so the patch will be removed soon. The amount of change would be a lot bigger though, changes in Makefile and distinfo that need to be reverted later on. Can't use regular patching either, requires patch -p 4 to apply to port. In that same way, running signify on the current patch should fail. Perhaps better if I remove that from the patchfile!

I think the vuxml part can go independently, just make sure you bump the <modified> time.

Since only one of the 5 CVEs applies to LibreSSL, should it be added to the existing vuxml entry or should an additional vuxml entry for LibreSSL be created?

brnrd edited the test plan for this revision. (Show Details) Dec 6 2015, 11:18 AM
brnrd edited edge metadata.
brnrd updated this revision to Diff 10828. Dec 6 2015, 8:35 PM
brnrd edited edge metadata.

Separate the vuxml entry for LibreSSL

This revision now requires review to proceed. Dec 6 2015, 8:35 PM
brnrd updated this object. Dec 6 2015, 8:40 PM
brnrd edited the test plan for this revision. (Show Details)
brnrd edited edge metadata.
feld added inline comments. Dec 7 2015, 4:40 PM
security/vuxml/vuln.xml, line 66 (on Diff #10828)

Don't use <le> unless you have to. The problem is that a PORTREVISION bump will cause the entry to no longer match.

feld added inline comments. Dec 7 2015, 4:59 PM
security/vuxml/vuln.xml, line 67 (on Diff #10828)

Actually, both of these are supposed to be <lt>, not <le>.

feld requested changes to this revision. Dec 7 2015, 4:59 PM
feld edited edge metadata.
This revision now requires changes to proceed. Dec 7 2015, 4:59 PM
brnrd updated this revision to Diff 10898. Dec 8 2015, 6:30 AM
brnrd edited edge metadata.

Update to 2.2.5 including fixes

brnrd retitled this revision from security/libressl: Fix CVE-2015-3194 vulnerability to security/libressl: Update to 2.2.5. Dec 8 2015, 6:30 AM
brnrd updated this object.
brnrd edited edge metadata.
brnrd updated this revision to Diff 10900. Dec 8 2015, 6:33 AM

Fix version in vuxml

brnrd marked 2 inline comments as done. Dec 8 2015, 6:34 AM
brnrd added inline comments.
security/vuxml/vuln.xml, line 66 (on Diff #10900)

Noted!

security/vuxml/vuln.xml, line 67 (on Diff #10900)

Noted! This is only here for PC-BSD as they have 2.3

koobs added a comment. Dec 8 2015, 6:38 AM

I'd have preferred the same version + backport commit, so it could be cleanly merged to quarterly without a version update, however that may have affected this version comparison <range><lt>2.2.5</lt></range> as we would have to stipulate that 2.2.3_X wasn't vulnerable (the version in quarterly)

@brnrd Before I accept, have you run through QA items in your test plan again, or not?
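
The <lt> versus <le> point raised on the vuxml entry, and the <lt>2.2.5</lt> comparison in the comment above, both come down to how pkg(8) orders a version carrying a PORTREVISION suffix. The following is an added example, not code from this review or from the ports tree; it assumes a deliberately simplified comparator (dotted integers, an optional _revision and an optional ,epoch), which is enough for the LibreSSL 2.2.x/2.3.x versions discussed here.

```python
"""Simplified model of matching an installed package version against a
vuxml <range>.  Assumption (not the real pkg(8) code): versions are dotted
integers with optional _PORTREVISION and ,EPOCH suffixes; the real
comparator also understands letters and pre-release tags."""
import re
from typing import Tuple

Parsed = Tuple[int, Tuple[int, ...], int]   # (epoch, version parts, revision)


def parse_version(v: str) -> Parsed:
    """'2.2.4_1,0' -> (0, (2, 2, 4), 1).  Tuple ordering then compares the
    epoch first, the dotted version next and PORTREVISION last."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version syntax in this model: {v!r}")
    return epoch, tuple(int(p) for p in v.split(".")), revision


def matches(installed: str, op: str, bound: str) -> bool:
    """Evaluate one vuxml bound; op is one of lt, le, gt, ge, eq."""
    a, b = parse_version(installed), parse_version(bound)
    return {"lt": a < b, "le": a <= b, "gt": a > b, "ge": a >= b, "eq": a == b}[op]


def in_range(installed: str, *bounds: Tuple[str, str]) -> bool:
    """A <range> applies only when every bound inside it holds."""
    return all(matches(installed, op, bound) for op, bound in bounds)


if __name__ == "__main__":
    # A PORTREVISION bump for an unrelated reason makes <le>2.2.4</le> miss
    # the still-vulnerable package, while <lt>2.2.5</lt> keeps matching it.
    print("le 2.2.4 vs 2.2.4_1:", in_range("2.2.4_1", ("le", "2.2.4")))  # False
    print("lt 2.2.5 vs 2.2.4_1:", in_range("2.2.4_1", ("lt", "2.2.5")))  # True
    # The 2.3 branch entry from the commit log: 2.3 <= version < 2.3.1_1.
    print("2.3.1  :", in_range("2.3.1", ("ge", "2.3"), ("lt", "2.3.1_1")))    # True
    print("2.3.1_1:", in_range("2.3.1_1", ("ge", "2.3"), ("lt", "2.3.1_1")))  # False
```

The same model shows the quarterly concern: a backport shipped as 2.2.3_X would still satisfy <lt>2.2.5</lt> and be reported as vulnerable.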

brnrd marked 2 inline comments as done. Dec 8 2015, 6:43 AM
In D4393#93429, @koobs wrote:

@brnrd Before I accept, have you run through QA items in your test plan again, or not?

Ran all of 'm
make check-plist test reinstall package ; portlint -AC ; cd ../vuxml ; make validate

koobs accepted this revision. Dec 8 2015, 6:45 AM
koobs edited edge metadata.

LGTM, pending secondary approval (because prior diff requested changes)

delphij accepted this revision. Dec 8 2015, 8:24 AM
delphij edited edge metadata.

Looks good to me, thanks!

brnrd updated this object. Dec 8 2015, 9:48 AM
brnrd edited edge metadata.
This revision was automatically updated to reflect the committed changes.