| Summary | deskutils/owncloudclient: Missing VUXML entry for CVE-2015-7298 |
|---|---|
| Product | Ports & Packages |
| Reporter | Sevan Janiyan <venture37> |
| Component | Individual Port(s) |
| Assignee | Guido Falsi <madpilot> |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| CC | madpilot, ports-secteam, yonas |
| Priority | --- |
| Keywords | security |
| Version | Latest |
| Flags | bugzilla: maintainer-feedback? (yonas) |
| Hardware | Any |
| OS | Any |
Description
Sevan Janiyan
2015-11-09 20:18:36 UTC
@Kubilay What needs to happen here? In general, how do we handle security issues? Is this supposed to be publicly viewable, or is it ok since the CVE is already published?

Vulnerabilities not under embargo (public) are fine as public issues, and perhaps better as public issues for transparency/accountability.

Security issues require:

* An entry in security/vuxml
* A changeset (needs-patch) to address the vulnerability in HEAD and the quarterly branch if the version in ports is/remains vulnerable

The issue summary at the moment only states a missing vuxml entry, but comment 0 alludes to there still being a vulnerability vector in the port. @Sevan please clarify.

Created attachment 162999 [details]
Update owncloudclient from 2.0.1 to 2.0.2

I've attached a patch that will update this port from 2.0.1 to 2.0.2.

Created attachment 163000 [details]
Update owncloudclient from 2.0.1 to 2.0.2

A commit references this bug:

Author: madpilot
Date: Wed Nov 11 11:19:18 UTC 2015
New revision: 401235
URL: https://svnweb.freebsd.org/changeset/ports/401235

Log:
Document owncloudclient vulnerability

PR: 204407
Submitted by: Sevan Janiyan <venture37 at geeklan.co.uk>
Security: CVE-2015-7298

Changes:
head/security/vuxml/vuln.xml

(In reply to Kubilay Kocak from comment #2)
The reported entry in the CVE database and the vendor report state the vulnerability was against 2.0.0, so the port at 2.0.1 is not vulnerable. I'm now testing the update anyway.

(In reply to Kubilay Kocak from comment #2)
I was just clarifying in what scenario/component the issue is. While the version in ports may not be vulnerable, a vuxml entry is needed to indicate to users of previous versions that there is an issue and they need to upgrade. Otherwise, the issue may go undetected unless the user actively monitors the project and realises there is either an update in ports or realises from upstream or another source.

(In reply to Guido Falsi from comment #6)
Does the update (2.0.2) work for you?

(In reply to Yonas Yanfa from comment #8)
It's going through poudriere with other ports I'm testing; since it's got to rebuild many dependencies for all of them, it still requires a little longer to finish for the various FreeBSD versions. It looks good though. I plan to commit it tomorrow if everything goes right.

A few details about your patch: please keep the plist sorted, and PORTREVISION needs to be reset (removed in most cases) when updating the version. Following these guidelines helps speed up patch management. Thanks for your work!

Vuln entry added and update committed. Thanks all!

A commit references this bug:

Author: madpilot
Date: Thu Nov 12 20:02:56 UTC 2015
New revision: 401393
URL: https://svnweb.freebsd.org/changeset/ports/401393

Log:
Update to 2.0.2

PR: 204407
Submitted by: Sevan Janiyan <venture37 at geeklan.co.uk>
Patch by: Yonas Yanfa <yonas at fizk.net> (maintainer)

Changes:
head/deskutils/owncloudclient/Makefile
head/deskutils/owncloudclient/distinfo
head/deskutils/owncloudclient/pkg-plist

(In reply to Guido Falsi from comment #10)
Awesome, and thanks for the tips.