Bug 245010 - mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, mail/qmail-tls and mail/qmail: Update TLS patch
Summary: mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, mail/qmail-tls and mail/qma...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kurt Jaeger
URL:
Keywords:
Depends on:
Blocks: 244969
  Show dependency treegraph
 
Reported: 2020-03-23 18:02 UTC by erdgeist
Modified: 2020-05-26 13:50 UTC (History)
2 users (show)

See Also:
pi: merge-quarterly+

Attachments
patch to make qmail-tls work with most recent netqmail-tls patch (2.11 KB, patch)
2020-03-23 18:02 UTC, erdgeist 		erdgeist: maintainer-approval+
Details | Diff
Fixes three remotely exploitable CVE (3.53 KB, patch)
2020-05-20 10:39 UTC, erdgeist 		erdgeist: maintainer-approval+
Details | Diff
Fixes three remotely exploitable CVE (3.88 KB, patch)
2020-05-20 10:58 UTC, erdgeist 		erdgeist: maintainer-approval+
Details | Diff
Fixes three remotely exploitable CVE (4.24 KB, patch)
2020-05-20 11:11 UTC, erdgeist 		erdgeist: maintainer-approval+
Details | Diff
vuxml entries for the cve (4.94 KB, application/xml)
2020-05-24 23:18 UTC, erdgeist 		erdgeist: maintainer-approval+
Details
vuxml entries for the cve (4.94 KB, text/plain)
2020-05-24 23:25 UTC, erdgeist 		no flags Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description erdgeist 2020-03-23 18:02:07 UTC 
Created attachment 212650 [details]
patch to make qmail-tls work with most recent netqmail-tls patch

This incorporates upstream changes to netqmail-tls patch.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-24 03:20:48 UTC 
Does this resolve a build or run time fix?

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]
Comment 2 erdgeist 2020-03-24 03:22:42 UTC 
Comment on attachment 212650 [details]
patch to make qmail-tls work with most recent netqmail-tls patch

Build and runtime fix
Comment 3 erdgeist 2020-04-18 09:51:31 UTC 
Anything else I need to do?
Comment 4 erdgeist 2020-05-20 10:39:26 UTC 
Created attachment 214688 [details]
Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 5 erdgeist 2020-05-20 10:58:07 UTC 
Created attachment 214689 [details]
Fixes three remotely exploitable CVE

Bumping PORTREVISION.

Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 6 erdgeist 2020-05-20 11:11:27 UTC 
Created attachment 214690 [details]
Fixes three remotely exploitable CVE

Bumping PORTREVISION of master and all slave ports.

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 7 Kurt Jaeger freebsd_committer freebsd_triage 2020-05-24 12:43:13 UTC 
testbuilds@work
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-05-24 12:59:59 UTC 
A commit references this bug:

Author: pi
Date: Sun May 24 12:59:03 UTC 2020
New revision: 536399
URL: https://svnweb.freebsd.org/changeset/ports/536399

Log:
  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  MFH:		2020Q2
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515

Changes:
  head/mail/qmail/Makefile
  head/mail/qmail/distinfo
  head/mail/qmail/files/patch-alloc.c
  head/mail/qmail/files/qmailsend.in
  head/mail/qmail-mysql/Makefile
  head/mail/qmail-tls/Makefile
Comment 9 Kurt Jaeger freebsd_committer freebsd_triage 2020-05-24 13:01:18 UTC 
(In reply to erdgeist from comment #3)
Can you provide vuxml entries for the CVEs ?

https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

https://lists.freebsd.org/pipermail/freebsd-questions/2016-August/273034.html
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-05-24 13:05:02 UTC 
A commit references this bug:

Author: pi
Date: Sun May 24 13:04:06 UTC 2020
New revision: 536400
URL: https://svnweb.freebsd.org/changeset/ports/536400

Log:
  MFH: r536399

  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/mail/qmail/Makefile
  branches/2020Q2/mail/qmail/distinfo
  branches/2020Q2/mail/qmail/files/patch-alloc.c
  branches/2020Q2/mail/qmail/files/qmailsend.in
  branches/2020Q2/mail/qmail-mysql/Makefile
  branches/2020Q2/mail/qmail-tls/Makefile
Comment 11 erdgeist 2020-05-24 23:18:12 UTC 
Created attachment 214822 [details]
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs
Comment 12 erdgeist 2020-05-24 23:25:39 UTC 
Created attachment 214823 [details]
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs
Comment 13 commit-hook freebsd_committer freebsd_triage 2020-05-25 18:05:02 UTC 
A commit references this bug:

Author: pi
Date: Mon May 25 18:04:41 UTC 2020
New revision: 536490
URL: https://svnweb.freebsd.org/changeset/ports/536490

Log:
  security/vuxml: add three CVEs for qmail

  PR:		245010
  Submitted by:	erdgeist@erdgeist.org

Changes:
  head/security/vuxml/vuln.xml
Comment 14 Kurt Jaeger freebsd_committer freebsd_triage 2020-05-25 18:05:06 UTC 
vuxml entries committed, thanks!