Bug 206808

Summary: net/samba36: security/vuxml: ineffective vuxml entry
Product: Ports & Packages
Reporter: Marcin Gryszkalis <mg>
Component: Individual Port(s)
Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Many People
CC: junovitch, ports-secteam, takefu, timur
Priority: Normal
Keywords: needs-qa, patch, security
Version: Latest
Flags: koobs: maintainer-feedback? (timur); junovitch: merge-quarterly+
Hardware: Any
OS: Any
URL: https://www.samba.org/samba/ftp/patches/security/samba-3.6.25-security-2015-12-16.patch
Attachments:
  samba-3.6.35_2.patch (flags: none)
  samba42-4.2.8.patch (flags: none)
  samba43-4.3.4.patch (flags: none)
  ldb-1.1.25.patch (flags: none)

Description Marcin Gryszkalis 2016-01-31 22:34:53 UTC
timur@freebsd added an entry in vuxml for all samba ports
http://www.freshports.org/vuxml.php?vid=ef434839-a6a4-11e5-8275-000c292e4fd8
with "le 3.6.25", but it seems that the port already had PORTREVISION=1, so it seems the entry is a no-op.
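The mismatch described in this report, as an added example that is not code from the bug or from the FreeBSD ports tree: a small Python model of how a VuXML <range> is evaluated against an installed FreeBSD package version. The VuXML fragment is constructed in the shape vuln.xml uses and carries only the vid cited above; the version ordering is a simplified model of pkg-version(8) (epoch, then dotted numeric version, then PORTREVISION) that does not handle letter suffixes; and the corrected bound 3.6.25_1 used at the end is an assumption, since the bug does not quote the revised entry.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed VuXML fragment: only the vid comes from this bug; the package
# and range elements are written in the shape vuln.xml uses.
VULN_XML = """<vuln vid="ef434839-a6a4-11e5-8275-000c292e4fd8">
  <affects>
    <package>
      <name>samba36</name>
      <range><le>3.6.25</le></range>
    </package>
  </affects>
</vuln>"""


def parse_pkg_version(v: str) -> Tuple[int, List[int], int]:
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, version parts, revision).

    Simplified model of pkg-version(8) ordering (an assumption): dotted version
    parts are compared numerically; letter suffixes such as 'pl' or 'b2' are
    not modelled.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [int(p) for p in v.split(".")]
    return epoch, parts, revision


def compare_pkg_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, pa, ra = parse_pkg_version(a)
    eb, pb, rb = parse_pkg_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [0] * (n - len(pa))   # treat 3.6 as 3.6.0
    pb = pb + [0] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)   # epoch dominates, then version, then revision
    return (ka > kb) - (ka < kb)


def vuxml_range_matches(installed: str, rng: Dict[str, str]) -> bool:
    """Evaluate one <range> (any of lt, le, gt, ge, eq bounds) against a version.

    Every bound present must hold; a PORTREVISION-bumped version such as 3.6.25_1
    sorts after 3.6.25, so it falls outside <le>3.6.25</le>.
    """
    checks = {
        "lt": lambda c: c < 0,
        "le": lambda c: c <= 0,
        "gt": lambda c: c > 0,
        "ge": lambda c: c >= 0,
        "eq": lambda c: c == 0,
    }
    for tag, ok in checks.items():
        if tag in rng and not ok(compare_pkg_versions(installed, rng[tag])):
            return False
    return True


def affected_ranges(vuln_xml: str, pkgname: str) -> List[Dict[str, str]]:
    """Collect the <range> bounds that a <vuln> declares for pkgname."""
    root = ET.fromstring(vuln_xml)
    ranges = []
    for pkg in root.iter("package"):
        if pkgname not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            ranges.append({bound.tag: bound.text.strip() for bound in rng})
    return ranges


def is_affected(vuln_xml: str, pkgname: str, installed: str) -> bool:
    """True if any declared range for pkgname covers the installed version."""
    return any(vuxml_range_matches(installed, r)
               for r in affected_ranges(vuln_xml, pkgname))


if __name__ == "__main__":
    for ver in ("3.6.25", "3.6.25_1"):
        print(f"samba36-{ver} flagged by 'le 3.6.25': {is_affected(VULN_XML, 'samba36', ver)}")
    # Assumed corrected bound: covering the still-unpatched _1 revision.
    print(f"samba36-3.6.25_1 flagged by 'le 3.6.25_1': "
          f"{vuxml_range_matches('3.6.25_1', {'le': '3.6.25_1'})}")
```

Run stand-alone, the script shows that the entry as filed flags samba36-3.6.25 but not the samba36-3.6.25_1 package the port actually produced, which is why `pkg audit` would have stayed silent; a bound that includes the unpatched revision closes the gap, and the next PORTREVISION bump (carrying the upstream patches) then falls outside it again.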
Comment 1 takefu 2016-02-04 06:37:33 UTC
Created attachment 166536 [details]
samba-3.6.35_2.patch
Comment 2 takefu 2016-02-04 06:43:08 UTC
Corresponding to the patches that have been released:
https://www.samba.org/samba/ftp/patches/security/samba-3.6.25-security-2015-12-16.patch

Fix
  strip binary
  makepatch
Comment 3 Marcin Gryszkalis 2016-02-04 21:48:55 UTC
Patch applied, Samba rebuilt, and it seems to be operational.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-02-05 20:04:17 UTC
A commit references this bug:

Author: junovitch
Date: Fri Feb  5 20:04:06 UTC 2016
New revision: 408264
URL: https://svnweb.freebsd.org/changeset/ports/408264

Log:
  Update version of net/samba36 package to reflect it is still unpatched

  PR:		206808
  Reported by:	Marcin Gryszkalis <mg@fork.pl>
  Security:	CVE-2015-5252
  Security:	CVE-2015-5296
  Security:	CVE-2015-5299
  Security:	https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2016-02-05 21:21:58 UTC
Timur,
Poudriere on the following is all good:
9.3-RELEASE-p34      amd64
9.3-RELEASE-p34      i386
10.1-RELEASE-p27     amd64
10.1-RELEASE-p27     i386
10.2-RELEASE-p10     amd64
10.2-RELEASE-p10     i386
11.0-CURRENT r294191 amd64
11.0-CURRENT r294191 i386

We've got the buildtime QA here and the runtime QA from Marcin in comment 3. I'd be glad to go ahead and commit this with your approval if you are busy.
Comment 6 Timur I. Bakeyev freebsd_committer freebsd_triage 2016-02-06 00:33:12 UTC
(In reply to Jason Unovitch from comment #5)

I've looked into the provided patch and, while the patch to Makefile looks good, the rest of the changes are excessive and only misleading. Also, I'm not certain that stripping the binary unconditionally is a good idea in general, taking into account that this info is helpful for debugging.

To summarize that - if you are willing to commit the changes ASAP, then please only take the changes to Makefile and distfile.

Otherwise I'll do that next week, together with the rest of the upgrades of Samba 4.2/4.3.

WBR,
Timur.
Comment 7 takefu 2016-02-08 08:36:53 UTC
Created attachment 166734 [details]
samba42-4.2.8.patch
Comment 8 takefu 2016-02-08 08:37:22 UTC
Created attachment 166735 [details]
samba43-4.3.4.patch
Comment 9 takefu 2016-02-08 08:38:59 UTC
Created attachment 166736 [details]
ldb-1.1.25.patch

Update
  samba42 4.2.8
  samba43 4.3.4
  ldb 1.1.25
Comment 10 commit-hook freebsd_committer freebsd_triage 2016-02-27 23:51:00 UTC
A commit references this bug:

Author: junovitch
Date: Sat Feb 27 23:50:55 UTC 2016
New revision: 409703
URL: https://svnweb.freebsd.org/changeset/ports/409703

Log:
  net/samba36: add patches corresponding to 16 Dec 2015 security releases

  PR:		206808
  Reported by:	Marcin Gryszkalis <mg@fork.pl>
  Submitted by:	takefu@airport.fm (original patch)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2015-5252
  Security:	CVE-2015-5296
  Security:	CVE-2015-5299
  Security:	https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html
  MFH:		2016Q1

Changes:
  head/net/samba36/Makefile
  head/net/samba36/distinfo
Comment 11 commit-hook freebsd_committer freebsd_triage 2016-02-27 23:54:04 UTC
A commit references this bug:

Author: junovitch
Date: Sat Feb 27 23:53:15 UTC 2016
New revision: 409704
URL: https://svnweb.freebsd.org/changeset/ports/409704

Log:
  MFH: r406862, r409126, r409127, r409703

  r406862 (net/samba36 only):
  Remove deprecated @dirrm's from pkg-plist of samba ports.
  Note that net/samba4 got its PORTVERSION bumped as stage-qa found
  one file not included in pkg-plist.

  PR:             205950
  Submitted by:   myself
  Approved by:    maintainer timeout

  r409126:
  net/samba36: Mark DEPRECATED

  This Samba port was not yet marked deprecated. It has been EoL since 2015-03-04

  r409127:
  net/samba36: Extend expiration date

  I intended this to align with the next quarterly release.

  r409703:
  net/samba36: add patches corresponding to 16 Dec 2015 security releases

  PR:             206808
  Reported by:    Marcin Gryszkalis <mg@fork.pl>
  Submitted by:   takefu@airport.fm (original patch)
  Approved by:    ports-secteam (with hat)
  Security:       CVE-2015-5252
  Security:       CVE-2015-5296
  Security:       CVE-2015-5299
  Security:       https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/net/samba36/Makefile
  branches/2016Q1/net/samba36/distinfo
  branches/2016Q1/net/samba36/pkg-plist.swat
Comment 12 Jason Unovitch freebsd_committer freebsd_triage 2016-02-27 23:57:48 UTC
Only required changes for the security update have been committed.

takefu, please open a new PR for the updates.  They are outside the scope of the "net/samba36: security/vuxml: ineffective vuxml entry" that this PR was opened for.  Also, FYI, Samba 4.3.5 is out.

Marcin, thank you for the report.

Take, close, and set merge-quarterly+