Created attachment 178297
v1 patch

# summary

patch www/h2o for publicly announced CVE-2016-7835

- 2.0.5 has too many changes to go into a backported security fix
- include a custom https://github.com/h2o/h2o/commit/1b2b6d7.patch

https://h2o.examp1e.net/vulnerabilities.html

# QA

- portlint OK
- builds against 11_amd64 11_i386 10_amd64 10_i386 9_amd64 9_i386
- vuxml changes pass `make validate`
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:08:33 UTC 2016
New revision: 429906
URL: https://svnweb.freebsd.org/changeset/ports/429906

Log:
  security/vuxml: Document h2o vulnerability

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:24:01 UTC 2016
New revision: 429910
URL: https://svnweb.freebsd.org/changeset/ports/429910

Log:
  www/h2o: Fix Use-after-free vulnerability

  - Fix duplicate PORTREVISION assignment
  - Register OpenSSL dependency when LIBRESSL is OFF

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
  MFH:		2016Q4
  Security:	d0b12952-cb86-11e6-906f-0cc47a065786
  Security:	CVE-2016-7835

Changes:
  head/www/h2o/Makefile
  head/www/h2o/files/patch-lib_core_request.c
  head/www/h2o/files/patch-lib_http2_connection.c
Sorry for the delay on MFH approval. This is fixed in the currently supported 2017Q1 branch; as such, considering this merge-quarterly+ and assigning it to you, Bernard, as the actioning committer.