Bug 215587

Summary: www/h2o: patch CVE-2016-7835 & add security/vuxml entry
Product: Ports & Packages
Reporter: Dave Cottlehuber <dch>
Component: Individual Port(s)
Assignee: Bernard Spil <brnrd>
Status: Closed FIXED
Severity: Affects Only Me
CC: dch, junovitch, ports-secteam
Priority: ---
Flags: junovitch: maintainer-feedback+, junovitch: merge-quarterly+
Version: Latest
Hardware: Any
OS: Any
Attachments:
  v1 patch (Flags: none)

Description Dave Cottlehuber 2016-12-26 19:01:09 UTC
Created attachment 178297
v1 patch

# summary

patch www/h2o for publicly announced CVE-2016-7835

- 2.0.5 has too many changes to go into a backported security fix
- include a custom https://github.com/h2o/h2o/commit/1b2b6d7.patch

https://h2o.examp1e.net/vulnerabilities.html

# QA

- portlint OK
- builds against 11_amd64 11_i386 10_amd64 10_i386 9_amd64 9_i386
- vuxml changes pass `make validate`
Comment 1 commit-hook 2016-12-29 13:08:56 UTC
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:08:33 UTC 2016
New revision: 429906
URL: https://svnweb.freebsd.org/changeset/ports/429906

Log:
  security/vuxml: Document h2o vulnerability

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook 2016-12-29 13:24:11 UTC
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:24:01 UTC 2016
New revision: 429910
URL: https://svnweb.freebsd.org/changeset/ports/429910

Log:
  www/h2o: Fix Use-after-free vulnerability

    - Fix duplicate PORTREVISION assignment
    - Register OpenSSL dependency when LIBRESSL is OFF

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
  MFH:		2016Q4
  Security:	d0b12952-cb86-11e6-906f-0cc47a065786
  Security:	CVE-2016-7835

Changes:
  head/www/h2o/Makefile
  head/www/h2o/files/patch-lib_core_request.c
  head/www/h2o/files/patch-lib_http2_connection.c
Comment 3 Jason Unovitch 2017-01-06 03:35:39 UTC
Sorry for the delay on MFH approval. This is fixed in the currently supported 2017Q1 branch, as such considering this merge-quarterly+ and assigning it to you Bernard as the actioning committer.