Summary: | devel/git - CVE-2016-2315 & CVE-2016-2324 | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Sevan Janiyan <venture37> |
Component: | Individual Port(s) | Assignee: | Renato Botelho <garga> |
Status: | Closed FIXED | ||
Severity: | Affects Many People | CC: | feld, junovitch, ports-secteam |
Priority: | --- | Keywords: | needs-patch, needs-qa, security |
Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(garga) garga: merge-quarterly? |
Hardware: | Any | ||
OS: | Any |
Description
Sevan Janiyan
2016-03-16 22:36:30 UTC
A commit references this bug: Author: junovitch Date: Thu Mar 17 02:45:35 UTC 2016 New revision: 411251 URL: https://svnweb.freebsd.org/changeset/ports/411251 Log: Document possible code execution and integer overflow issue in git PR: 208074 Reported by: Sevan Janiyan <venture37@geeklan.co.uk> (via PR) Reported by: Tony Tung <tonytung@merly.org> (via email) Security: CVE-2016-2315 Security: CVE-2016-2324 Security: https://vuxml.FreeBSD.org/freebsd/93ee802e-ebde-11e5-92ce-002590263bf5.html Security: https://vuxml.FreeBSD.org/freebsd/d2a84feb-ebe0-11e5-92ce-002590263bf5.html Changes: head/security/vuxml/vuln.xml A commit references this bug: Author: junovitch Date: Thu Mar 17 02:45:54 UTC 2016 New revision: 411252 URL: https://svnweb.freebsd.org/changeset/ports/411252 Log: MFH: r405346, r408063, r409422, r409430 r405346: Update devel/git to 2.7.0 r408063: Lighten up the Perl dependencies. git uses Perl for two things: Perl hooks into git, and the git-send-email(1) script. The Perl hooks only use p5-Error. The other modules dependencies, p5-Authen-SASL and p5-Net-SMTP-SSL (which bring in a number of other perl module dependencies) are only required for git-send-email(1). This commit adds a SEND_EMAIL option, defaulted to on, that auto-enables the PERL option and installs the git-send-email(1) script with the extra perl modules. With the PERL option on and SEND_EMAIL off, only the p5-Error module is required. No PORTREVISION bump as the default dependencies and plist haven't changed. PR: 206901 Approved by: garga (maintainer) Differential Revision: https://reviews.freebsd.org/D5179 r409422: Update devel/git to 2.7.2 r409430: Fix plist with NLS on after r409422. PR: 208074 Reported by: Sevan Janiyan <venture37@geeklan.co.uk> (via PR) Reported by: Tony Tung <tonytung@merly.org> (via email) Security: CVE-2016-2315 Security: https://vuxml.FreeBSD.org/freebsd/93ee802e-ebde-11e5-92ce-002590263bf5.html Approved by: ports-secteam (with hat) Changes: _U branches/2016Q1/ branches/2016Q1/devel/git/Makefile branches/2016Q1/devel/git/distinfo branches/2016Q1/devel/git/pkg-plist It looks like for CVE-2016-2324 they just merged a variant of the referenced commit to the maint branch (https://github.com/git/git/commit/d79db92483f78f0a750b6093432374fa1069b2ba). I'm thinking that means we'll see a 2.7.4 soon with that resolved. Let's get that into ports when it happens. In the meantime the current devel/git work has all been merged over to quarterly to at least resolve CVE-2016-2315 and both issues have been documented. I've updated package information on vuxml and updated git to 2.7.4. Just waiting the approval to get it merged into quarterly. (In reply to Renato Botelho from comment #4) I have not yet seen the request for the git MFH to quarterly, but I approve it. 2.7.4 is updated on quarterly now. Thanks! |