On 27/11/2019 12:53 am, Wall, Stephen wrote:
> Attempting to build dns/libidn2 in 2019Q4 results in this error:
>
>
> libidn2-2.2.0 is vulnerable:
> libidn2 -- roundtrip check vulnerability
> CVE: CVE-2019-12290
> WWW:
> https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html
>
>
> The cited link says "libidn2 before 2.2.0", as does the CVE. Is
> 2.2.0 actually vulnerable? Either the vulnerability database needs to be fixed,
> or version 2.3.0 should be ported from head.
>
> Thanks.
>
The vuxml entry for libidn2, added in ports r517921 [1], currently declares:
libidn2 < 2.3.0
If 2.2.0 fixed the vulnerability (and is not vulnerable), this should
have been 'lt 2.2.0' instead. This appears to be the case.
Note however, that the 2.2.0 update [2], which fixed the vulnerability
was *not* marked for MFH (merging to the quarterly branch).
The 2.3.0 update [3], which doesn't fix a vulnerability, just announces
the CVE ID for the 2.2.0 fix, *has* been marked for MFH.
I agree that this is confusing.
What I would do is:
- Fix the vuxml entry (lt 2.2.0)
- Merge the 2.2.0 update (ports r502513)
- Also merge the 2.3.0 update (ports r517883) as it's a bugfix release
libidn2 maintainer (sunpoet) is CC'd.
[1] https://svnweb.freebsd.org/changeset/ports/517921
[2] http://svnweb.freebsd.org/changeset/ports/502513
[3] http://svnweb.freebsd.org/changeset/ports/517883
[4] https://gitlab.com/libidn/libidn2/blob/master/NEWS
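To make the boundary question in the thread concrete: below is an added example (not code from the thread, the ports tree, or pkg(8)) that evaluates a VuXML-style `<range>` against a package version. The XML fragment is constructed, modelled on the VuXML layout and using only the vid, topic and CVE visible above; the version comparison is a simplified reimplementation of the `base[_revision][,epoch]` ordering and assumes numeric base components, so it is not pkg(8)'s real comparator. It shows why `<lt>2.3.0</lt>` flags libidn2-2.2.0 while `<lt>2.2.0</lt>` does not.

```python
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
NS = {"v": VUXML_NS}


def make_entry(bound: str) -> str:
    """Constructed VuXML fragment for the libidn2 entry. The <lt> bound is a
    parameter so the committed value (2.3.0) and the proposed one (2.2.0)
    can be evaluated side by side. Not the real entry text."""
    return f'''<vuxml xmlns="{VUXML_NS}">
  <vuln vid="f04f840d-0840-11ea-8d66-75d3253ef913">
    <topic>libidn2 -- roundtrip check vulnerability</topic>
    <affects>
      <package>
        <name>libidn2</name>
        <range><lt>{bound}</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2019-12290</cvename>
    </references>
  </vuln>
</vuxml>'''


def parse_version(s: str):
    """Split a ports version 'base[_rev][,epoch]' into (epoch, base, rev),
    ordered the way pkg(8) orders them: epoch first, then base, then
    PORTREVISION. Simplified assumption: base components are integers."""
    epoch = 0
    if "," in s:
        s, e = s.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in s:
        s, r = s.split("_", 1)
        rev = int(r)
    base = tuple(int(p) for p in s.split("."))
    return (epoch, base, rev)


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


# VuXML bound elements and the comparison each one requires to hold.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(rng, version: str) -> bool:
    """Every bound inside one <range> must hold for the range to match."""
    for bound in rng:
        tag = bound.tag.split("}", 1)[-1]  # strip the namespace prefix
        if tag not in OPS:
            raise ValueError(f"unknown bound element <{tag}>")
        if not OPS[tag](version_cmp(version, bound.text.strip())):
            return False
    return True


def vulnerabilities_for(xml_text: str, pkgname: str, version: str):
    """Return the vid of every <vuln> whose <affects> covers pkgname-version.
    A package is affected if any one of its <range> elements matches."""
    root = ET.fromstring(xml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            if any(range_matches(r, version) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    for bound in ("2.3.0", "2.2.0"):
        entry = make_entry(bound)
        for ver in ("2.1.1", "2.2.0", "2.2.0_1", "2.3.0"):
            hits = vulnerabilities_for(entry, "libidn2", ver)
            status = "VULNERABLE" if hits else "ok"
            print(f"<lt>{bound}</lt>  libidn2-{ver}: {status}")
```

Note that a PORTREVISION bump such as libidn2-2.2.0_1 sorts above 2.2.0, so it is also outside `<lt>2.2.0</lt>`; the bound only needs to name the first fixed upstream version.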