Bug 267507 - www/darkhttpd: Update to 1.14 (Fixes CVE-2020-25691)
Summary: www/darkhttpd: Update to 1.14 (Fixes CVE-2020-25691)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Fernando Apesteguía
URL: https://github.com/emikulic/darkhttpd...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2022-11-01 20:40 UTC by Henrich Hartzer
Modified: 2022-11-08 16:39 UTC
CC List: 3 users

See Also:
koobs: maintainer-feedback? (henrichhartzer)
fernape: merge-quarterly+


Attachments
Patch (1.14 KB, patch)
2022-11-01 20:40 UTC, Henrich Hartzer
Patch with maintainer fix (1.31 KB, patch)
2022-11-02 02:20 UTC, Henrich Hartzer

Description Henrich Hartzer 2022-11-01 20:40:37 UTC
Created attachment 237796
Patch

Would appreciate if this can also be backported to quarterly: CVE-2020-25691

Thanks!
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2022-11-01 20:40:37 UTC
Maintainer informed via mail
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2022-11-01 22:32:03 UTC
Thank you for the update, Henrich.

Is the MAINTAINER email address in the current port incorrect? It appears to be typo'd. Could you confirm/clarify?

^Triage: 

 - If there is a changelog or release notes URL available for this version, please add it to the URL field

 - This change needs a security/vuxml entry
Comment 3 Henrich Hartzer 2022-11-02 02:20:54 UTC
Created attachment 237799
Patch with maintainer fix
Comment 4 Henrich Hartzer 2022-11-02 02:22:38 UTC
You are right! I got my email wrong. Thank you for noticing.

What do you mean by the URL field? How would I update vuxml?

Thanks!
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2022-11-07 19:18:45 UTC
(In reply to Henrich Hartzer from comment #4)
Here: https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify-vuxml-intro
Comment 6 Fernando Apesteguía freebsd_committer freebsd_triage 2022-11-07 19:20:28 UTC
^Triage: Yes, the URL field.

Q/A: PORTREVISION should be removed. NO NEED to update a new patch for that, though.


Thanks!
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-11-08 16:35:43 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bbe3b93c5dcb484cef6ecf4fdabfeff7e64d3737

commit bbe3b93c5dcb484cef6ecf4fdabfeff7e64d3737
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2022-11-08 16:29:21 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-11-08 16:30:57 +0000

    security/vuxml: register darkhttpd DoS vulnerability

    PR:             267507
    Reported by:    Henrich Hartzer <henrichhartzer@tuta.io>
    Security:       CVE-2020-25691

 security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
Comment 8 commit-hook freebsd_committer freebsd_triage 2022-11-08 16:36:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1de880e0f6277e22d81d68cba532656dc58b207a

commit 1de880e0f6277e22d81d68cba532656dc58b207a
Author:     Henrich Hartzer <henrichhartzer@tuta.io>
AuthorDate: 2022-11-07 19:17:19 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-11-08 16:31:41 +0000

    www/darkhttpd: Update to 1.14 (Fixes CVE-2020-25691)

    ChangeLog: https://github.com/emikulic/darkhttpd/releases/tag/v1.14

     * Add support for logging with syslog.
     * Fix hung connection from consecutive keep-alive requests.
     * Fix high CPU usage when timeout is disabled.
     * Add --forward-https.
     * Make header parsing case insensitive, to work behind an HTTP2 reverse proxy.
     * Add trailing slash to links for directories.
     * Fix crash when a file has a large (year 10,000+) mtime.

    A flaw was found in darkhttpd. Invalid error handling allows remote attackers
    to cause denial-of-service by accessing a file with a large modification date.
    The highest threat from this vulnerability is to system availability.

    PR:             267507
    Reported by:    henrichhartzer@tuta.io
    MFH:            2022Q4 (security update)
    Security:       CVE-2020-25691

 www/darkhttpd/Makefile | 5 ++---
 www/darkhttpd/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)
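Added example, not darkhttpd's own code and not part of this bug report: an illustration of the failure mode the commit message describes, where an mtime in year 10000 or later makes strftime() return 0 because the five-digit year no longer fits a fixed-size HTTP-date buffer. The 30-byte DATE_LEN, the format string and the two header-building functions are assumptions; the "fragile" variant stands for a server that treats the formatting failure as fatal, the "safe" variant lets only the affected response lose its header.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed buffer size: "Thu, 01 Jan 1970 00:00:00 GMT" is 29 chars + NUL. */
#define DATE_LEN 30
/* Constructed test value: 10000-01-01T00:00:00Z, the first five-digit year. */
#define Y10000_EPOCH 253402300800LL

/* Format an HTTP-date into dest. Returns bytes written, or 0 when gmtime()
 * cannot represent the time or the result does not fit in len bytes, which
 * is exactly what strftime() does for a five-digit year in DATE_LEN bytes. */
static size_t http_date(time_t when, char *dest, size_t len) {
    struct tm *tm = gmtime(&when);
    if (tm == NULL)
        return 0;
    return strftime(dest, len, "%a, %d %b %Y %H:%M:%S GMT", tm);
}

/* Vulnerable pattern: a formatting failure for one file's mtime is treated
 * as fatal (a real server would call errx() here and exit). Returns -1 to
 * stand for "process terminated", 1 when the header was built. */
static int last_modified_fragile(time_t mtime, char *out, size_t len) {
    char date[DATE_LEN];
    if (http_date(mtime, date, sizeof date) == 0)
        return -1;                       /* stands in for errx(1, ...) */
    snprintf(out, len, "Last-Modified: %s\r\n", date);
    return 1;
}

/* Hardened pattern: the failure costs only this response its header.
 * Returns 1 when the header was built, 0 when it was omitted. */
static int last_modified_safe(time_t mtime, char *out, size_t len) {
    char date[DATE_LEN];
    if (http_date(mtime, date, sizeof date) == 0) {
        out[0] = '\0';                   /* omit the header, keep serving */
        return 0;
    }
    snprintf(out, len, "Last-Modified: %s\r\n", date);
    return 1;
}

int main(void) {
    char hdr[64];
    printf("epoch 0:     fragile=%d safe=%d\n",
           last_modified_fragile(0, hdr, sizeof hdr),
           last_modified_safe(0, hdr, sizeof hdr));
    printf("year 10000:  fragile=%d safe=%d\n",
           last_modified_fragile((time_t)Y10000_EPOCH, hdr, sizeof hdr),
           last_modified_safe((time_t)Y10000_EPOCH, hdr, sizeof hdr));
    return 0;
}
```

On a 64-bit time_t platform the first line prints `fragile=1 safe=1` and the second `fragile=-1 safe=0`: the same unusual mtime that would have taken down the fragile server only drops one header in the safe one.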
Comment 9 commit-hook freebsd_committer freebsd_triage 2022-11-08 16:38:46 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2f5b21e40a831efb7e7e276fcb3de1a50bf8fc24

commit 2f5b21e40a831efb7e7e276fcb3de1a50bf8fc24
Author:     Henrich Hartzer <henrichhartzer@tuta.io>
AuthorDate: 2022-11-07 19:17:19 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-11-08 16:34:05 +0000

    www/darkhttpd: Update to 1.14 (Fixes CVE-2020-25691)

    ChangeLog: https://github.com/emikulic/darkhttpd/releases/tag/v1.14

     * Add support for logging with syslog.
     * Fix hung connection from consecutive keep-alive requests.
     * Fix high CPU usage when timeout is disabled.
     * Add --forward-https.
     * Make header parsing case insensitive, to work behind an HTTP2 reverse proxy.
     * Add trailing slash to links for directories.
     * Fix crash when a file has a large (year 10,000+) mtime.

    A flaw was found in darkhttpd. Invalid error handling allows remote attackers
    to cause denial-of-service by accessing a file with a large modification date.
    The highest threat from this vulnerability is to system availability.

    PR:             267507
    Reported by:    henrichhartzer@tuta.io
    MFH:            2022Q4 (security update)
    Security:       CVE-2020-25691

    (cherry picked from commit 1de880e0f6277e22d81d68cba532656dc58b207a)

 www/darkhttpd/Makefile | 4 ++--
 www/darkhttpd/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 10 Fernando Apesteguía freebsd_committer freebsd_triage 2022-11-08 16:39:32 UTC
Committed, merged to 2022Q4 and vuxml entry added.

Thanks!