The version of minio in ports appears to be vulnerable to three issues: I attempted to report this privately via the ports security team email address for inclusion in VuXML, however it was not responded to - apologies if that email address, or if reporting the issues here is not the correct process to follow. The highest severity has a CVSS2 score of 8.8.

Advisory: https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg
CVE: CVE-2022-35919
Introduced: RELEASE.2020-07-24T22-43-05Z
Fixed: RELEASE.2022-07-29T19-40-48Z

Advisory: https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636
CVE: CVE-2022-31028
Introduced: RELEASE.2019-09-25T18-25-51Z
Fixed: RELEASE.2022-06-02T02-11-04Z

Advisory: https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q
CVE: CVE-2022-24842
Introduced: RELEASE.2021-12-09T06-19-41Z
Fixed: RELEASE.2022-04-12T06-55-35Z
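The three affected ranges above, turned into a check that a port user can run against an installed build. This is an added example written for this page, not code from the bug report, from MinIO or from the ports tree; it assumes only the two version spellings that appear in this thread (upstream RELEASE.YYYY-MM-DDTHH-MM-SSZ tags and the ports PORTVERSION form such as 2023.03.22.06.36.24).

```python
# Added example: map an installed MinIO build onto the three advisories
# listed in the report.  Not code from MinIO or the FreeBSD ports tree.
from datetime import datetime
from typing import List, NamedTuple


class Advisory(NamedTuple):
    cve: str
    introduced: str  # first affected release (inclusive)
    fixed: str       # first release carrying the fix (exclusive)


# Ranges exactly as stated in the report.
ADVISORIES = [
    Advisory("CVE-2022-35919",
             "RELEASE.2020-07-24T22-43-05Z", "RELEASE.2022-07-29T19-40-48Z"),
    Advisory("CVE-2022-31028",
             "RELEASE.2019-09-25T18-25-51Z", "RELEASE.2022-06-02T02-11-04Z"),
    Advisory("CVE-2022-24842",
             "RELEASE.2021-12-09T06-19-41Z", "RELEASE.2022-04-12T06-55-35Z"),
]


def parse_version(version: str) -> datetime:
    """MinIO releases are build timestamps, so ordering them is a datetime
    comparison.  Accepts the upstream tag form RELEASE.YYYY-MM-DDTHH-MM-SSZ
    and the ports PORTVERSION form YYYY.MM.DD.HH.MM.SS (assumed equivalent);
    anything else raises ValueError instead of silently reading as unaffected."""
    if version.startswith("RELEASE."):
        return datetime.strptime(version, "RELEASE.%Y-%m-%dT%H-%M-%SZ")
    return datetime.strptime(version, "%Y.%m.%d.%H.%M.%S")


def affecting_cves(installed: str) -> List[str]:
    """Return the CVEs from the report whose range contains the installed build.
    A build equal to 'introduced' is affected; one equal to 'fixed' is not."""
    build = parse_version(installed)
    return [
        a.cve for a in ADVISORIES
        if parse_version(a.introduced) <= build < parse_version(a.fixed)
    ]


if __name__ == "__main__":
    # Constructed inputs: a pre-fix snapshot and the version the port later moved to.
    for v in ("RELEASE.2022-03-01T00-00-00Z", "2023.03.22.06.36.24"):
        print(v, "->", affecting_cves(v) or "not affected by these advisories")
```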
Adam, thank you for mentioning this. I have opened a VuXML pull request for the most severe vulnerability at https://github.com/freebsd/freebsd-ports/pull/158. I note that this port's maintainer, swills@, has not made any commits since 2022-03-13 so I suspect someone else will need to update the port.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b16091e19db403fa19c514ec5ac4c15045e402ef

commit b16091e19db403fa19c514ec5ac4c15045e402ef
Author: Tom Hukins <tom@eborcom.com>
AuthorDate: 2023-02-18 17:33:09 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-02-18 17:33:09 +0000

    security/vuxml: Add www/minio vulnerability

    CVE-2022-24842: unprivileged users can create service accounts for admin users.

    PR:            268656
    Reported by:   adam@omega.org.uk
    Obtained from: https://github.com/freebsd/freebsd-ports/pull/158

 security/vuxml/vuln/2023.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
On it.
Created attachment 241097
www/minio: update to 2023.03.22.06.36.24

www/minio: update to 2023.03.22.06.36.24

- convert from GH_TUPLE to letting Go fetch dependencies for us

Changelog: https://github.com/minio/minio/releases
Security:  8e20430d-a72b-11ed-a04f-40b03445555
PR:        268656
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c8d15ebdbcbffbccd95fc92b4d596850f1ff896

commit 9c8d15ebdbcbffbccd95fc92b4d596850f1ff896
Author: Robert Clausecker <fuz@FreeBSD.org>
AuthorDate: 2023-03-25 00:27:30 +0000
Commit: Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-03-27 13:52:37 +0000

    www/minio: update to 2023.03.22.06.36.24

    This update fixes a number of open CVEs.
    Remove now obsolete patch.

    Changelog:   https://github.com/minio/minio/releases
    Approved by: swills (implicit)
    Security:    8e20430d-a72b-11ed-a04f-40b03445555
    PR:          268656
    MFH:         2023Q1

 www/minio/Makefile                                 | 243 +----------
 www/minio/distinfo                                 | 448 +--------------------
 ...b.com_minio_mc_pkg_disk_stat__freebsd.go (gone) |  20 -
 3 files changed, 9 insertions(+), 702 deletions(-)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=62106cfcae99171e45d077f283a5cabb3249fe7e

commit 62106cfcae99171e45d077f283a5cabb3249fe7e
Author: Robert Clausecker <fuz@FreeBSD.org>
AuthorDate: 2023-03-25 00:27:30 +0000
Commit: Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-03-27 13:53:44 +0000

    www/minio: update to 2023.03.22.06.36.24

    This update fixes a number of open CVEs.
    Remove now obsolete patch.

    Changelog:   https://github.com/minio/minio/releases
    Approved by: swills (implicit)
    Security:    8e20430d-a72b-11ed-a04f-40b03445555
    PR:          268656
    MFH:         2023Q1

    (cherry picked from commit 9c8d15ebdbcbffbccd95fc92b4d596850f1ff896)

 www/minio/Makefile                                 | 243 +----------
 www/minio/distinfo                                 | 448 +--------------------
 ...b.com_minio_mc_pkg_disk_stat__freebsd.go (gone) |  20 -
 3 files changed, 9 insertions(+), 702 deletions(-)