Summary: ftp/curl: Update to 7.47.0 (Fixes CVE-2016-0755)

| Field | Value |
|---|---|
| Product: | Ports & Packages |
| Component: | Individual Port(s) |
| Reporter: | Niclas Zeising <zeising> |
| Assignee: | Niclas Zeising <zeising> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| Priority: | --- |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| CC: | holger, junovitch, lists, me, mi, miwi, pi, portmgr, ports-secteam, zeising |
| Keywords: | patch, patch-ready, security |
| Flags: | bugzilla: maintainer-feedback? (sunpoet); zeising: merge-quarterly+ |
| Attachments: | 166296 (Update ftp/curl to 7.47.0), 166297 (Build log from poudriere), 166301 (Patch to fix CVE-2016-0755), 166303 (patch-curl-wrong-versions) |
Created attachment 166297 [details]: Build log from poudriere
Build log for ftp/curl from poudriere.
Set merge-quarterly to + once committed in the branch.

Hi, I pass it over to portmgr for an exp-run. This is a security update, but 111 changes in the code are not considered a minor update. @portmgr, can you please prioritize this exp-run? Thanks.

Created attachment 166301 [details]: Patch to fix CVE-2016-0755
Attached patch fixes only the CVE. Might be more suitable to merge to the quarterly branch, for instance.
*** Bug 206759 has been marked as a duplicate of this bug. ***

Created attachment 166303 [details]: patch-curl-wrong-versions

Comment on attachment 166303 [details] (patch-curl-wrong-versions):
A similar fix to this for vuln.xml was committed in r407535.
(In reply to Martin Wilke from comment #3)
Thank you, miwi.

Exp-run is required for safety. :)

Exp-run results: 0 new failures on 93i386 and 102amd64 with this update.

(In reply to Sunpoet Po-Chuan Hsieh from comment #8)
> Exp-run is required for safety. :)

Actually, no it is not. The proposed upgrade is very minor and, even if completely botched, would not have caused any new breakage because everything depending on curl is _already_ broken by the vuxml. Our clumsy way of handling these advisories means even people who turn off the NTLM option are affected, and the only way to sidestep the problem is the scary "DISABLE_VULNERABILITIES". Raising the requirement to performing an exp-run so often simply slows us down needlessly. While I may be accused of being too cavalier and erring on the dangerous side too often, there really is no additional danger in this particular case...

A commit references this bug:

Author: zeising
Date: Mon Feb 1 17:04:14 UTC 2016
New revision: 407725
URL: https://svnweb.freebsd.org/changeset/ports/407725

Log:
  Update to 7.47.0

  PR:           206756
  Submitted by: zeising
  Approved by:  ports-secteam (miwi)
  MFH:          2016Q1
  Security:     CVE-2016-0755

Changes:
  head/ftp/curl/Makefile
  head/ftp/curl/distinfo
  head/ftp/curl/files/patch-docs_examples_getredirect.c

A commit references this bug:

Author: zeising
Date: Tue Feb 2 20:00:16 UTC 2016
New revision: 407840
URL: https://svnweb.freebsd.org/changeset/ports/407840

Log:
  MFH: r405919 r407725

  - Simplify Makefile:
    - Use USES=localbase unconditionally
    - Use *_CONFIGURE_{ENABLE,WITH}
  - Bump PORTREVISION for package change

  Differential Revision: https://reviews.FreeBSD.org/D4757
  PR:           205804
  Exp-run by:   antoine
  Accepted by:  bapt (portmgr)

  Update to 7.47.0

  PR:           206756
  Submitted by: zeising
  Approved by:  ports-secteam (miwi)
  Security:     CVE-2016-0755

  Approved by:  portmgr (erwin)
  Approved by:  ports-secteam (feld)

Changes:
  _U  branches/2016Q1/
  branches/2016Q1/ftp/curl/Makefile
  branches/2016Q1/ftp/curl/distinfo
  branches/2016Q1/ftp/curl/files/patch-docs_examples_getredirect.c

Assign to Committer that is resolving.

Created attachment 166296 [details]: Update ftp/curl to 7.47.0
Attached patch updates ftp/curl to 7.47.0, which is the latest version. The patch fixes CVE-2016-0755, which affects curl 7.46.0. This needs to be merged to the quarterly branch.