I've just updated to 0.17 (from 0.14) and will pick this up later today.
A commit references this bug: Author: adridg Date: Tue Sep 11 10:39:06 UTC 2018 New revision: 479521 URL: https://svnweb.freebsd.org/changeset/ports/479521 Log: The 0.18 release of x11/sddm contains a fix for a security error that allows unlocking a session without a password, if the ReuseSession configuration option is set to true. The default configuration sets it to false. I'm setting the version to < 0.17.0_1 here, because I'm going to update 0.17 with backports rather than pull in 0.18 (there's a lot more work in that update, because of reorganisation upstream and none of our patches apply anymore). PR: 230029 Reported by: doctorwhoguy@gmail.com Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: adridg Date: Tue Sep 11 10:39:37 UTC 2018 New revision: 479522 URL: https://svnweb.freebsd.org/changeset/ports/479522 Log: Backport security fixes for x11/sddm The 0.18 release of x11/sddm contains a fix for a security error that probably doesn't affect us: session-reuse. In any case our default configuration is not vulnerable. This doesn't update to 0.18 because there's a bunch of other changes that would need to be chased, further delaying this update. While here, pet portlint and Tijl, who asked for a pkg-message. PR: 230029 Reported by: doctorwhoguy@gmail.com Security: f00acdec-b59f-11e8-805d-001e2a3f778d Changes: head/x11/sddm/Makefile head/x11/sddm/files/git-patch-147cec38d head/x11/sddm/files/git-patch-b02b00559 head/x11/sddm/pkg-message
Fixed by backporting fixes, rather than updating wholesale to 0.18 because the latter is a lot more work (many upstream changes).