Created attachment 175777
patch
See https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/ for a nice writeup of the CVE.
Changes: https://c-ares.haxx.se/changelog.html
Security: CVE-2016-5180
MFH: 2016Q4
Testbuilds@work
Testbuilds are OK on 12a, 11a, 10i. 9.3a is still busy with other stuff.
Node.js just released v4.6.1 to address CVE-2016-5180, but since we build the port against the version in ports, I've set the www/node4 update as being blocked by this. Hope we can land this soon :) Thanks!
It built without a hitch on 9.3a, too, btw.
This update blocks security updates for 3 node ports/packages.
Please commit this change and MFH it as Approved by: ports-secteam (feld)
Approved.
@work
A commit references this bug:
  Author: pi
  Date: Wed Oct 19 14:43:09 UTC 2016
  New revision: 424257
  URL: https://svnweb.freebsd.org/changeset/ports/424257
  Log:
    dns/c-ares: update 1.11.0 -> 1.12.0
    - see https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/ for a nice writeup of the CVE.
    PR: 213495
    Changes: https://c-ares.haxx.se/changelog.html
    Security: CVE-2016-5180
    Approved by: zi (maintainer)
    MFH: 2016Q4
  Changes:
    head/dns/c-ares/Makefile
    head/dns/c-ares/distinfo
    head/dns/c-ares/pkg-plist
A commit references this bug:
  Author: pi
  Date: Wed Oct 19 14:44:46 UTC 2016
  New revision: 424258
  URL: https://svnweb.freebsd.org/changeset/ports/424258
  Log:
    dns/c-ares: update 1.11.0 -> 1.12.0
    - see https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/ for a nice writeup of the CVE.
    PR: 213495
    MFH: r424257
    Changes: https://c-ares.haxx.se/changelog.html
    Security: CVE-2016-5180
    Approved by: zi (maintainer)
    Approved by: ports-secteam (feld)
  Changes:
    _U branches/2016Q4/
    branches/2016Q4/dns/c-ares/Makefile
    branches/2016Q4/dns/c-ares/distinfo
    branches/2016Q4/dns/c-ares/pkg-plist
Comment on attachment 175777
patch
Correctly record maintainer approval