Bug 196640

Summary: devel/libevent2: update to 2.0.22 (to fix CVE-2014-6272)
Product: Ports & Packages Reporter: Jan Beich <jbeich>
Component: Individual Port(s) Assignee: Martin Matuska <mm>
Status: Closed FIXED    
Severity: Affects Only Me Keywords: security
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Jan Beich freebsd_committer freebsd_triage 2015-01-12 18:25:22 UTC
<vuln vid="8a78bd4b-1e88-43bd-9bfa-5aa29cb979c2">
    <topic>libevent -- integer overflow in evbuffers</topic>
    <affects>
      <package>
    <name>libevent</name>
    <range><lt>1.4.15</lt></range>
      </package>
      <package>
    <name>libevent2</name>
    <range><lt>2.0.22</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A defect in the Libevent evbuffer API leaves some programs
      that pass insanely large inputs to evbuffers open to a
      possible heap overflow or infinite loop.
    </p>
      </body>
    </description>
    <references>
      <url>http://archives.seul.org/libevent/users/Jan-2015/msg00010.html</url>
      <cvename>CVE-2014-6272</cvename>
    </references>
    <dates>
      <discovery>2015-01-05</discovery>
      <entry>2015-01-09</entry>
    </dates>
  </vuln>
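To show how a VuXML entry like the one above is actually consumed, here is an added example (not part of the bug report and not FreeBSD's `pkg audit` code) that parses the entry and decides whether a given installed package version falls inside an `<affects>` range. The entry text is a constructed copy of comment 0; `parse_version` is a simplified stand-in for pkg's version ordering (it splits on dots, underscores and digit/letter boundaries), which is enough for the versions in this entry but is an assumption for anything more exotic.

```python
"""Evaluate a VuXML <vuln> entry against installed package versions."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the VuXML entry quoted in the bug report above.
VUXML_ENTRY = """
<vuln vid="8a78bd4b-1e88-43bd-9bfa-5aa29cb979c2">
  <topic>libevent -- integer overflow in evbuffers</topic>
  <affects>
    <package><name>libevent</name><range><lt>1.4.15</lt></range></package>
    <package><name>libevent2</name><range><lt>2.0.22</lt></range></package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>A defect in the Libevent evbuffer API leaves some programs
        that pass insanely large inputs to evbuffers open to a
        possible heap overflow or infinite loop.</p>
    </body>
  </description>
  <references>
    <url>http://archives.seul.org/libevent/users/Jan-2015/msg00010.html</url>
    <cvename>CVE-2014-6272</cvename>
  </references>
  <dates><discovery>2015-01-05</discovery><entry>2015-01-09</entry></dates>
</vuln>
"""

# Range operators VuXML allows inside a <range>; conditions in one <range>
# are ANDed, separate <range> elements are ORed.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(version):
    """Simplified port-version ordering (assumption, not pkg's algorithm):
    numeric runs compare as integers, letter runs as strings, so
    1.4.14b < 1.4.15 and 2.0.22_1 > 2.0.22."""
    parts = []
    for run in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(run)) if run.isdigit() else (1, run))
    return tuple(parts)


def parse_vuxml(text):
    """Return a dict with vid, topic, CVEs, description and affected ranges."""
    root = ET.fromstring(text.strip())
    desc = " ".join("".join(root.find("description").itertext()).split())
    entry = {
        "vid": root.get("vid"),
        "topic": root.findtext("topic"),
        "cves": [c.text for c in root.iter("cvename")],
        "description": desc,
        "packages": [],
    }
    for pkg in root.find("affects").findall("package"):
        names = [n.text for n in pkg.findall("name")]
        ranges = [[(cond.tag, cond.text) for cond in rng] for rng in pkg.findall("range")]
        entry["packages"].append((names, ranges))
    return entry


def is_affected(entry, name, version):
    """True if (name, version) matches any <range> of a matching <package>."""
    v = parse_version(version)
    for names, ranges in entry["packages"]:
        if name not in names:
            continue
        for conditions in ranges:
            if all(OPS[op](v, parse_version(bound)) for op, bound in conditions):
                return True
    return False


if __name__ == "__main__":
    entry = parse_vuxml(VUXML_ENTRY)
    for pkg, ver in [("libevent2", "2.0.21"), ("libevent2", "2.0.22"), ("libevent", "1.4.14b")]:
        print(pkg, ver, "affected" if is_affected(entry, pkg, ver) else "ok")
```

The same check run over the output of `pkg query '%n %v'` is what a port auditor does by hand; the point of the 2.0.22 update in this PR is precisely to move `libevent2` out of the `<lt>2.0.22</lt>` range.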
Comment 1 Gavin Atkinson freebsd_committer freebsd_triage 2015-01-12 18:48:49 UTC
Hi,

Due to an issue with the backend FreeBSD Bugzilla database, your original PR and any updates to it since have been lost.  I've recreated the original PR as best as I can, however any attachments and updates you submitted to the PR have been lost.  Please could you resubmit them?

Thanks, and apologies.
Comment 2 Jan Beich freebsd_committer freebsd_triage 2015-01-12 19:41:57 UTC
The (vanished) patch landed together with bug 196639 as ports r376665.
VuXML entry in comment 0 added as ports r376799.