Hi,
On 5/23/15 09:14, Jason Unovitch wrote:
> On Sat, May 23, 2015 at 11:30 AM, Roger Marquis <marquis at roble.com> wrote:
>> If you find a vulnerability such as a new CVE or mailing list
>> announcement please send it to the port maintainer and
>> <ports-secteam at FreeBSD.org> as quickly as possible. They are
>> woefully understaffed and need our help. Though freebsd.org
>> indicates that security alerts should be sent to
>> <secteam at FreeBSD.org> this is incorrect. If the vulnerability is
>> in a port or package send an alert to ports-secteam@ and NOT
>> secteam@ as the secteam will generally not reply to your email or
>> forward the alerts to ports-secteam.
>>
>> Roger
>>
>
> I've attempted to knock out a couple of these over the past 2
> days. There's certainly a non-trivial amount of PRs stuck in
> Bugzilla that mention security or CVE that need some care and
> attention. Here's a few that are now ready for the taking.
>
> vuxml patch ready: emulators/virtualbox-ose --
> https://bugs.freebsd.org/200311
I've added the information to the main entry and discarded virtualbox
specific text from Oracle. Since Xen is also affected I have applied
the fix to xen-tools; the 2015Q2 branch version is not affected as
Dom0 support is not there so I haven't merged the change there.
> databases/cassandra -- https://bugs.freebsd.org/199091
Committed, thanks! I've assigned the PR to the maintainer for the
port update.
> databases/cassandra2 -- https://bugs.freebsd.org/200414 (refers to
> vuxml patch in PR 199091)
I've assigned the PR to the maintainer.
We should probably mark the above two ports as FORBIDDEN and/or
DEPRECATED.
> sysutils/py-salt -- https://bugs.freebsd.org/200172
This was already done by xmj@. This one seems serious, can the fix be
backported or should the port be merged to 2015Q2 branch?
> vuxml previously done and update patch ready: net/chrony --
> https://bugs.freebsd.org/199508
The vuxml entry was committed by jbeich@ and port updated by pi@. I
think the update should be merged to quarterly branch.
> both vuxml and update patch ready: mail/davmail --
> https://bugs.freebsd.org/198297
This was done by pi@. I think this fix should also go to 2015Q2 branch?
Thanks everyone working on these issues and thanks for taking time
preparing the patches.
Cheers,