Bug 220797

Summary:

net-mgmt/collectd5: update to 5.7.2 (Fixes security vulnerability)

Product:

Ports & Packages

Reporter:

luca.pizzamiglio

Component:

Individual Port(s)

Assignee:

Olivier Cochard <olivier>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

koobs, olivier, ports-secteam, ports

Priority:

---

Keywords:

security

Version:

Latest

Flags:

ports: maintainer-feedback+
koobs: merge-quarterly+

Hardware:

Any

OS:

Any

URL:

https://collectd.org/news.shtml#news104

Attachments:

Description	Flags
The updating patch	koobs: maintainer-approval+
poudriere build on FreeBSD 11 amd64	none
poudriere build on FreeBSD 10.3 i386	none

Description luca.pizzamiglio 2017-07-17 12:43:41 UTC

Created attachment 184429 [details]
The updating patch

net-mgmt/collectd5: update to 5.7.2

Updating collectd5 to the last version.
There are fixes on several plugins (https://collectd.org/news.shtml#news104)
Merge-querterly possible and advised.

testport: OK (poudriere: 10.3,11.0 on amd64,i386)

Comment 1 luca.pizzamiglio 2017-07-17 12:53:57 UTC

Created attachment 184430 [details]
poudriere build on FreeBSD 11 amd64

Comment 2 luca.pizzamiglio 2017-07-17 12:54:26 UTC

Created attachment 184431 [details]
poudriere build on FreeBSD 10.3 i386

Comment 3 commit-hook freebsd_committer

2017-07-17 13:38:47 UTC

A commit references this bug:

Author: olivier
Date: Mon Jul 17 13:38:04 UTC 2017
New revision: 446072
URL: https://svnweb.freebsd.org/changeset/ports/446072

Log:
  Update to 5.7.2

  PR:		220797
  Submitted by:	luca.pizzamiglio@gmail.com (maintainer)

Changes:
  head/net-mgmt/collectd5/Makefile
  head/net-mgmt/collectd5/distinfo

Comment 4 Olivier Cochard freebsd_committer

2017-07-17 13:52:16 UTC

thanks!

Comment 5 Kubilay Kocak freebsd_committer

2017-07-18 12:38:33 UTC

Re-open for MFH (as requested)

5.7.2 is a bug fix release (alone warranting a merge), but additionally, fixes a security vulnerability (with CVE)...

Network plugin: A potential endless-loop has been fixed. This can be triggered remotely by sending a signed network packet to a server which is not set up to check signatures. Thanks to Marcin Kozlowski and Pavel Rochnyack. #2174, #2233, CVE-2017-7401

Further, luca doesn't appear to be (or at least match) maintainer on record (ports @ bsdserwis com)

Comment 6 Kubilay Kocak freebsd_committer

2017-07-18 12:38:56 UTC

Additionally, pending VuXML

Comment 7 Olivier Cochard freebsd_committer

2017-07-18 13:03:41 UTC

I've mixed up the PR submitter and the port maintainer: When I've realized my mistake I've sent an email to the port maintainer for his instruction (should I revert my commit or not).

Comment 8 Krzysztof 2017-07-18 19:29:52 UTC

I was a liitle "confused" that bug was closed without waiting for my approval :-)))

I've installed new version on my servers and everything works corrctly so I think that commit should not be reverted - especially that new version resolves security issues.

So I approved this patch once again and I think this ticket could be closed.

Comment 9 Kubilay Kocak freebsd_committer

2017-07-19 03:43:13 UTC

Pending VuXML entry and MFH

Comment 10 commit-hook freebsd_committer

2017-07-19 10:14:47 UTC

A commit references this bug:

Author: olivier
Date: Wed Jul 19 10:13:46 UTC 2017
New revision: 446192
URL: https://svnweb.freebsd.org/changeset/ports/446192

Log:
  Document vulnerability in collectd5

  PR:		220797
  Reported by:	luca.pizzamiglio@gmail.com
  Security:	CVE-2017-7401

Changes:
  head/security/vuxml/vuln.xml

Comment 11 commit-hook freebsd_committer

2017-07-20 21:40:41 UTC

A commit references this bug:

Author: olivier
Date: Thu Jul 20 21:39:39 UTC 2017
New revision: 446296
URL: https://svnweb.freebsd.org/changeset/ports/446296

Log:
  MFH: r446072

  Update to 5.7.2

  PR:		220797
  Submitted by:	luca.pizzamiglio@gmail.com

  Approved by:	ports-secteam

Changes:
_U  branches/2017Q3/
  branches/2017Q3/net-mgmt/collectd5/Makefile
  branches/2017Q3/net-mgmt/collectd5/distinfo

Comment 12 Olivier Cochard freebsd_committer

2017-07-20 21:42:31 UTC

Merged to quarterly.