Bug 204237

Summary: net/librsync: Security Vulnerability (CVE-2014-8242)
Product: Ports & Packages
Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)
Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED
Severity: Affects Only Me
CC: feld, ports-secteam
Priority: ---
Keywords: needs-patch, needs-qa, security
Version: Latest
Flags: koobs: merge-quarterly?
Hardware: Any
OS: Any

Comment 1 Mark Felder freebsd_committer freebsd_triage 2016-01-08 18:01:31 UTC
assigning to ports-secteam
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-01-08 18:23:30 UTC
A commit references this bug:

Author: feld
Date: Fri Jan  8 18:23:26 UTC 2016
New revision: 405583
URL: https://svnweb.freebsd.org/changeset/ports/405583

Log:
  Document net/librsync collision vulnerability

  PR:		204237
  Security:	CVE-2014-8242

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Mark Felder freebsd_committer freebsd_triage 2016-01-08 18:32:21 UTC
net/librsync is the pre-1.0.0 release and is not API compatible with 1.0.0+ because they moved from MD4 to BLAKE2.

The fixed version is available in net/librsync1, but you need to port your software to it.

We should probably DEPRECATE net/librsync, but first the dependent ports need to be analyzed.

Notifying users via the vuxml entry should be good enough for now.
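The comment above turns on which strong-sum algorithm a signature was built with: pre-1.0.0 librsync (net/librsync) emits MD4 block sums, the ones CVE-2014-8242 concerns, while 1.0.0+ (net/librsync1) emits BLAKE2. The Python below is an added example, not code from this bug report or from librsync, that reads the header of an rdiff-style signature blob and reports which family it belongs to, so signatures still being produced by software that has not been ported can be spotted. It assumes the signature layout used by librsync (a big-endian header of magic, block length and strong-sum length, followed by fixed-size entries of a 4-byte weak sum plus one strong sum per block) and the magic values from librsync's `rs_magic_number` enum as recalled here; confirm both against the `librsync.h` you build against. The sample blobs are constructed inside the script, not captured from real files.

```python
import struct
import sys

# Magic values from librsync's rs_magic_number enum (librsync.h), quoted from
# memory of the header; verify against the installed copy before relying on them.
RS_MD4_SIG_MAGIC = 0x72730136     # pre-1.0.0 signature: MD4 strong sums
RS_BLAKE2_SIG_MAGIC = 0x72730137  # 1.0.0+ signature: BLAKE2 strong sums
RS_DELTA_MAGIC = 0x72730236       # delta stream, not a signature at all

# Assumed header layout: magic, block_len, strong_sum_len, all big-endian u32.
HEADER = struct.Struct(">III")
WEAK_SUM_LEN = 4  # rolling checksum stored in front of each strong sum


def parse_signature(data: bytes) -> dict:
    """Classify a signature blob by the strong-sum algorithm its header declares.

    Returns a dict with algorithm, block_len, strong_len, blocks and a
    'vulnerable' flag that is True for MD4 signatures (CVE-2014-8242).
    Raises ValueError for anything that is not a well-formed signature.
    """
    if len(data) < HEADER.size:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = HEADER.unpack_from(data, 0)
    if magic == RS_DELTA_MAGIC:
        raise ValueError("input is a delta file, not a signature")
    if magic == RS_MD4_SIG_MAGIC:
        algorithm = "md4"
    elif magic == RS_BLAKE2_SIG_MAGIC:
        algorithm = "blake2"
    else:
        raise ValueError(f"unknown magic 0x{magic:08x}")
    if block_len == 0 or strong_len == 0:
        raise ValueError("zero block length or strong-sum length")
    entry_len = WEAK_SUM_LEN + strong_len
    body_len = len(data) - HEADER.size
    if body_len % entry_len:
        raise ValueError("signature body is not a whole number of block entries")
    return {
        "algorithm": algorithm,
        "block_len": block_len,
        "strong_len": strong_len,
        "blocks": body_len // entry_len,
        # MD4 collisions let an attacker craft a block with the same strong sum,
        # so a delta built against such a signature can silently patch in wrong data.
        "vulnerable": algorithm == "md4",
    }


def build_sample(magic: int, block_len: int, strong_len: int, nblocks: int) -> bytes:
    """Constructed sample signature for the demo; the sums are fake placeholders."""
    out = bytearray(HEADER.pack(magic, block_len, strong_len))
    for i in range(nblocks):
        out += struct.pack(">I", i)                 # fake weak (rolling) sum
        out += bytes([i & 0xFF]) * strong_len       # fake strong sum
    return bytes(out)


# Constructed inputs standing in for a pre-1.0.0 and a 1.0.0+ signature file.
OLD_SIG = build_sample(RS_MD4_SIG_MAGIC, 2048, 8, 3)
NEW_SIG = build_sample(RS_BLAKE2_SIG_MAGIC, 2048, 32, 3)


def report(name: str, data: bytes) -> str:
    """One-line audit verdict for a signature blob."""
    try:
        info = parse_signature(data)
    except ValueError as exc:
        return f"{name}: not a usable signature ({exc})"
    verdict = "VULNERABLE (CVE-2014-8242, MD4)" if info["vulnerable"] else "ok (BLAKE2)"
    return (f"{name}: {verdict}, block_len={info['block_len']}, "
            f"strong_len={info['strong_len']}, blocks={info['blocks']}")


if __name__ == "__main__":
    # With file arguments, audit real signature files; otherwise use the samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        print(report("old.sig (constructed)", OLD_SIG))
        print(report("new.sig (constructed)", NEW_SIG))
```

When a dependent is ported to net/librsync1, the 1.0.0 signature-generation call takes an explicit magic argument (as recalled from the librsync 1.0.0 header, not stated in this bug); passing the BLAKE2 one is what moves newly written signatures into the non-vulnerable branch of this check, and the check itself is a quick way to confirm that a deployed tool has actually switched.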