Bug 213495

Summary: dns/c-ares: Update to 1.12.0 (CVE-2016-5180)
Product: Ports & Packages Reporter: Kurt Jaeger <pi>
Component: Individual Port(s)Assignee: Kurt Jaeger <pi>
Status: Closed FIXED    
Severity: Affects Many People CC: feld, junovitch, pi, ports-secteam
Priority: Normal Keywords: patch, security
Version: LatestFlags: zi: maintainer-feedback+
pi: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
Bug Depends on:    
Bug Blocks: 213603    
Attachments:
Description Flags
patch koobs: maintainer-approval+

Description Kurt Jaeger freebsd_committer freebsd_triage 2016-10-15 05:43:42 UTC 
Created attachment 175777 [details]
patch

See 

https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/

for a nice writeup of the CVE.

Changes: https://c-ares.haxx.se/changelog.html
Security: CVE-2016-5180
MFH: 2016Q4

Testbuilds@work
Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2016-10-15 05:46:55 UTC 
testbuilds are ok on 12a, 11a, 10i. 9.3a is still busy with other stuff.
Comment 2 Bradley T. Hughes freebsd_committer freebsd_triage 2016-10-19 07:07:49 UTC 
Node.js just released v4.6.1 to address CVE-2016-5180, but since we build the port against the version in ports, I've set the www/node4 update as being blocked by this. Hope we can land this soon :)

Thanks!
Comment 3 Kurt Jaeger freebsd_committer freebsd_triage 2016-10-19 09:09:17 UTC 
It built without a hick on 9.3a, too, btw..
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-19 09:40:37 UTC 
This update blocks security updates for 3 node ports/packages.
Comment 5 Mark Felder freebsd_committer freebsd_triage 2016-10-19 14:32:41 UTC 
Please commit this change and MFH it as Approved by: ports-secteam (feld)
Comment 6 Ryan Steinmetz freebsd_committer freebsd_triage 2016-10-19 14:37:25 UTC 
Approved.
Comment 7 Kurt Jaeger freebsd_committer freebsd_triage 2016-10-19 14:40:53 UTC 
@work
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-10-19 14:43:31 UTC 
A commit references this bug:

Author: pi
Date: Wed Oct 19 14:43:09 UTC 2016
New revision: 424257
URL: https://svnweb.freebsd.org/changeset/ports/424257

Log:
  dns/c-ares: update 1.11.0 -> 1.12.0

  - see
    https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
    for a nice writeup of the CVE.

  PR:		213495
  Changes:	https://c-ares.haxx.se/changelog.html
  Security:	CVE-2016-5180
  Approved by:	zi (maintainer)
  MFH:		2016Q4

Changes:
  head/dns/c-ares/Makefile
  head/dns/c-ares/distinfo
  head/dns/c-ares/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2016-10-19 14:45:33 UTC 
A commit references this bug:

Author: pi
Date: Wed Oct 19 14:44:46 UTC 2016
New revision: 424258
URL: https://svnweb.freebsd.org/changeset/ports/424258

Log:
  dns/c-ares: update 1.11.0 -> 1.12.0

  - see
    https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
    for a nice writeup of the CVE.

  PR:		213495
  MFH:		r424257
  Changes:	https://c-ares.haxx.se/changelog.html
  Security:	CVE-2016-5180
  Approved by:	zi (maintainer)
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/dns/c-ares/Makefile
  branches/2016Q4/dns/c-ares/distinfo
  branches/2016Q4/dns/c-ares/pkg-plist
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-20 00:03:19 UTC 
Comment on attachment 175777 [details]
patch

Correctly record maintainer approval