
security/libressl: Update to 2.2.5
ClosedPublic

Authored by brnrd on Dec 5 2015, 10:50 AM.
Details

Summary

Proposed commit log:

security/libressl: Update to 2.2.5

 - Version 2.2.5 addresses CVE-2015-3194
 - Refactor regression-test target to TEST_TARGET
 - Add LibreSSL < 2.2.5/2.3.1_1 vuxml entry

Reviewed_by:	koobs (mentor), feld (ports-secteam), delphij (ports-secteam)
Approved by:	koobs (mentor), delphij (ports-secteam)    
Security:	215e740e-9c56-11e5-90e7-b499baebfeaf
MFH:		2015Q4
Differential_Revision:	https://reviews.freebsd.org/D4393
Test Plan
  • portlint -AC (clean)
  • make check-plist (clean)
  • make test libressl (All OK)
  • make validate vuxml (All OK)
  • poudriere testport OK

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

brnrd updated this revision to Diff 10774.
brnrd retitled this revision from to security/libressl: Fix CVE-2015-3194 vulnerability.
brnrd updated this object.
brnrd edited the test plan for this revision. (Show Details)
brnrd added reviewers: koobs, vsevolod, feld.

Add the patch...

koobs updated this object.
brnrd updated this object.

Update vuxml entry to include libressl

koobs requested changes to this revision.Dec 5 2015, 10:56 AM
koobs edited edge metadata.
koobs added a subscriber: delphij.

I believe security/vuxml (4c8d1d72-9b38-11e5-aece-d050996490d0) needs to be updated to add the libressl package, no?

Maybe a separate entry should be created, given libressl was only affected by one CVE?

If the latter, Security: id in proposed changelog will need to change.

Adding @delphij to review

security/libressl/Makefile
38–39

Switch this to do-test, and I don't think the build bit or command below will be needed

This revision now requires changes to proceed.Dec 5 2015, 10:56 AM
brnrd updated this object.
brnrd edited edge metadata.

Add vuln for 2.3 <= 2.3.1 as well

brnrd edited edge metadata.

Remove duplicate test target

koobs edited edge metadata.
This revision is now accepted and ready to land.Dec 5 2015, 12:25 PM

@brnrd Missing make validate in the TEST PLAN :)

delphij edited edge metadata.

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have strong opinion here, though).

I think the vuxml part can go independently, just make sure you bump the <modified> time.

Small nit: I wonder if the OpenBSD patch can be used directly so that we don't keep another copy of the patch? (I don't have strong opinion here, though).

We probably could. I'm expecting a new release any time now, so the patch will be removed soon. The amount of change would be a lot bigger though, changes in Makefile and distinfo that need to be reverted later on. Can't use regular patching either, requires patch -p 4 to apply to port. In that same way, running signify on the current patch should fail. Perhaps better if I remove that from the patchfile!

I think the vuxml part can go independently, just make sure you bump the <modified> time.

Since only one of the 5 CVEs applies to LibreSSL, should it be added to the existing vuxml entry or should an additional vuxml entry for LibreSSL be created?

brnrd edited edge metadata.
brnrd edited edge metadata.

Separate the vuxml entry for LibreSSL

This revision now requires review to proceed.Dec 6 2015, 8:35 PM
brnrd edited the test plan for this revision. (Show Details)
brnrd edited edge metadata.
security/vuxml/vuln.xml
66

Don't use <le> unless you have to. The problem is that a PORTREVISION bump will cause the entry to no longer match.

security/vuxml/vuln.xml
67

actually both of these are supposed to be <lt> not <le>

feld requested changes to this revision.Dec 7 2015, 4:59 PM
feld edited edge metadata.
This revision now requires changes to proceed.Dec 7 2015, 4:59 PM
brnrd edited edge metadata.

Update to 2.2.5 including fixes

brnrd retitled this revision from security/libressl: Fix CVE-2015-3194 vulnerability to security/libressl: Update to 2.2.5.Dec 8 2015, 6:30 AM
brnrd updated this object.
brnrd edited edge metadata.
brnrd marked 2 inline comments as done.Dec 8 2015, 6:34 AM
brnrd added inline comments.
security/vuxml/vuln.xml
66

Noted!

67

Noted! This is only here for PC-BSD as they have 2.3

I'd have preferred the same version + backport commit, so it could be cleanly merged to quarterly without a version update; however, that may have affected this version comparison <range><lt>2.2.5</lt></range>, as we would have to stipulate that 2.2.3_X wasn't vulnerable (the version in quarterly).

@brnrd Before I accept, have you run through QA items in your test plan again, or not?
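
The <lt> versus <le> point feld raises in the inline comments above, and koobs' concern about a fix backported as a PORTREVISION bump, illustrated with an added example. This is not code from the libressl port, from security/vuxml or from pkg(8): it is a simplified version comparator (epoch, then dotted version, then PORTREVISION; adequate for plain numeric versions such as 2.2.4_1, not for suffixes like rc1) and a VuXML-style <range> matcher, run over a constructed <vuln> entry shaped like the one under review. The entry text, its placeholder vid and the 2.3.0 lower bound are assumptions made for the illustration, not the committed entry.

```python
"""Check FreeBSD package versions against VuXML-style <range> bounds.

Added example, not code from the libressl port, security/vuxml or pkg(8).
compare_versions() is an approximation of pkg's ordering that is correct for
plain numeric versions with an optional _PORTREVISION and ,epoch suffix.
"""
import re
import xml.etree.ElementTree as ET


def parse_pkg_version(v):
    """Split 'version[_revision][,epoch]' into (epoch, parts, revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for piece in v.split("."):
        # split pieces such as '5a' into numeric and alphabetic runs
        for tok in re.findall(r"\d+|[A-Za-z]+", piece):
            parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return epoch, parts, revision


def compare_versions(a, b):
    """Return -1, 0 or 1: epoch first, then version parts, then revision."""
    ea, pa, ra = parse_pkg_version(a)
    eb, pb, rb = parse_pkg_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [(0, 0)] * (n - len(pa))   # treat 2.3 and 2.3.0 as equal
    pb = pb + [(0, 0)] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# VuXML bound element names and the comparison result they accept
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def _local(tag):
    """Strip an XML namespace (the real vuln.xml declares one)."""
    return tag.rsplit("}", 1)[-1]


def vuln_ranges(vuln_xml, pkgname):
    """Return one [(op, version), ...] list per <range> that names pkgname."""
    root = ET.fromstring(vuln_xml)
    ranges = []
    for package in (el for el in root.iter() if _local(el.tag) == "package"):
        names = {c.text.strip() for c in package if _local(c.tag) == "name"}
        if pkgname not in names:
            continue
        for rng in (c for c in package if _local(c.tag) == "range"):
            ranges.append([(_local(b.tag), b.text.strip()) for b in rng])
    return ranges


def range_matches(bounds, version):
    """All bounds inside one <range> must hold for the range to match."""
    return all(_OPS[op](compare_versions(version, bound)) for op, bound in bounds)


def is_affected(vuln_xml, pkgname, version):
    """A package is affected if any <range> for it matches."""
    return any(range_matches(b, version) for b in vuln_ranges(vuln_xml, pkgname))


# Constructed entry (placeholder vid, assumed 2.3.0 lower bound) modelled on
# the shape of the LibreSSL entry discussed in this review: < 2.2.5 and
# 2.3.x < 2.3.1_1.  Not the committed entry.
ENTRY_LT = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>LibreSSL -- constructed example entry</topic>
  <affects>
    <package>
      <name>libressl</name>
      <range><lt>2.2.5</lt></range>
      <range><ge>2.3.0</ge><lt>2.3.1_1</lt></range>
    </package>
  </affects>
</vuln>"""

# The variant feld warns against: <le> on the last vulnerable release.
ENTRY_LE = ENTRY_LT.replace("<lt>2.2.5</lt>", "<le>2.2.4</le>")


def demo():
    """Evaluate both entry shapes against realistic installed versions."""
    results = {}
    for label, entry in (("le", ENTRY_LE), ("lt", ENTRY_LT)):
        for v in ("2.2.4", "2.2.4_1", "2.2.5", "2.3.1", "2.3.1_1", "2.2.3_2"):
            results[(label, v)] = is_affected(entry, "libressl", v)
    return results


if __name__ == "__main__":
    for (label, v), hit in sorted(demo().items()):
        print(f"<{label}> entry, libressl-{v}: {'affected' if hit else 'not affected'}")
```

Two results carry the review's point. With the <le>2.2.4</le> shape, libressl-2.2.4_1 (a PORTREVISION bump of a still-vulnerable release) is reported as not affected, while <lt>2.2.5</lt> catches it. Conversely, <lt>2.2.5</lt> also flags a hypothetical 2.2.3_2, so if the fix had been shipped to quarterly as a revision bump instead of a version update, the entry would have needed an extra range to exclude it, which is koobs' reservation above.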

brnrd marked 2 inline comments as done.Dec 8 2015, 6:43 AM
In D4393#93429, @koobs wrote:

@brnrd Before I accept, have you run through QA items in your test plan again, or not?

Ran all of 'm
make check-plist test reinstall package ; portlint -AC ; cd ../vuxml ; make validate

koobs edited edge metadata.

LGTM, pending secondary approval (because prior diff requested changes)

delphij edited edge metadata.

Looks good to me, thanks!

brnrd edited edge metadata.
This revision was automatically updated to reflect the committed changes.