Bug 209594

Summary: security/botan110: CVE-2016-2849
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Sevan Janiyan <venture37>
Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
Version: Latest
Hardware: Any
OS: Any
CC: junovitch, lapo, ports-secteam
Keywords: needs-qa
Flags: vlad-fbsd: maintainer-feedback+, junovitch: merge-quarterly+
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209595
Attachments:
Upgrade to 1.10.13 (flags: none)

Description Sevan Janiyan 2016-05-18 02:10:19 UTC
Version in ports is vulnerable to a side channel attack addressed in 1.10.13
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2849
Comment 1 Lapo Luchini 2016-05-18 10:59:01 UTC
The 1.10.13 port is ready (it's actually just a bump), but I'm waiting for the formal upstream release in order to have an official source of the fixed bugs:
https://botan.randombit.net/news.html
Comment 2 Sevan Janiyan 2016-05-18 11:30:34 UTC
(In reply to Lapo Luchini from comment #1)
There was an announcement on the list
https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html
Comment 3 VK 2016-06-09 14:55:46 UTC
Guys, what's the status on this? Lapo, could you perhaps do the vuxml entry patch if the port update is not ready yet?
Comment 4 Lapo Luchini 2016-06-13 15:00:17 UTC
Created attachment 171388
Upgrade to 1.10.13
Comment 5 Lapo Luchini 2016-06-13 15:01:15 UTC
The port itself has been long ready, it's the VuXML which isn't yet.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-06-14 01:49:47 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jun 14 01:49:13 UTC 2016
New revision: 416873
URL: https://svnweb.freebsd.org/changeset/ports/416873

Log:
  security/botan110: update 1.10.12 -> 1.10.13

  PR:		209594
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Submitted by:	Lapo Luchini <lapo@lapo.it> (maintainer)
  Security:	CVE-2015-7827
  Security:	CVE-2016-2849
  Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/security/botan110/Makefile
  head/security/botan110/distinfo
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2016-06-14 01:50:18 UTC
Committed. Thanks!
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-06-14 01:50:49 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jun 14 01:50:34 UTC 2016
New revision: 416874
URL: https://svnweb.freebsd.org/changeset/ports/416874

Log:
  MFH: r416873

  security/botan110: update 1.10.12 -> 1.10.13

  PR:		209594
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Submitted by:	Lapo Luchini <lapo@lapo.it> (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2015-7827
  Security:	CVE-2016-2849
  Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html

Changes:
_U  branches/2016Q2/
  branches/2016Q2/security/botan110/Makefile
  branches/2016Q2/security/botan110/distinfo