Bug 220797

Summary: net-mgmt/collectd5: update to 5.7.2 (Fixes security vulnerability)
Product: Ports & Packages
Reporter: luca.pizzamiglio
Component: Individual Port(s)
Assignee: Olivier Cochard <olivier>
Status: Closed FIXED
Severity: Affects Only Me
CC: koobs, olivier, ports-secteam, ports
Priority: ---
Keywords: security
Version: Latest
Flags: ports: maintainer-feedback+, koobs: merge-quarterly+
Hardware: Any
OS: Any
URL: https://collectd.org/news.shtml#news104

Attachments (Description: Flags)
The updating patch: koobs: maintainer-approval+
poudriere build on FreeBSD 11 amd64
poudriere build on FreeBSD 10.3 i386: none

Description luca.pizzamiglio 2017-07-17 12:43:41 UTC
Created attachment 184429
The updating patch

net-mgmt/collectd5: update to 5.7.2

Updating collectd5 to the latest version.
There are fixes in several plugins (https://collectd.org/news.shtml#news104)
Merge-quarterly possible and advised.

testport: OK (poudriere: 10.3,11.0 on amd64,i386)
Comment 1 luca.pizzamiglio 2017-07-17 12:53:57 UTC
Created attachment 184430
poudriere build on FreeBSD 11 amd64
Comment 2 luca.pizzamiglio 2017-07-17 12:54:26 UTC
Created attachment 184431
poudriere build on FreeBSD 10.3 i386
Comment 3 commit-hook freebsd_committer 2017-07-17 13:38:47 UTC
A commit references this bug:

Author: olivier
Date: Mon Jul 17 13:38:04 UTC 2017
New revision: 446072
URL: https://svnweb.freebsd.org/changeset/ports/446072

  Update to 5.7.2

  PR:		220797
  Submitted by:	luca.pizzamiglio@gmail.com (maintainer)

Comment 4 Olivier Cochard freebsd_committer 2017-07-17 13:52:16 UTC
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-18 12:38:33 UTC
Re-open for MFH (as requested)

5.7.2 is a bug fix release (alone warranting a merge), but additionally, fixes a security vulnerability (with CVE)...

Network plugin: A potential endless-loop has been fixed. This can be triggered remotely by sending a signed network packet to a server which is not set up to check signatures. Thanks to Marcin Kozlowski and Pavel Rochnyack. #2174, #2233, CVE-2017-7401

Further, luca doesn't appear to be (or at least match) maintainer on record (ports @ bsdserwis com)
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-18 12:38:56 UTC
Additionally, pending VuXML
Comment 7 Olivier Cochard freebsd_committer 2017-07-18 13:03:41 UTC
I mixed up the PR submitter and the port maintainer. When I realized my mistake, I sent an email to the port maintainer for his instructions (should I revert my commit or not).
Comment 8 Krzysztof 2017-07-18 19:29:52 UTC
I was a little "confused" that the bug was closed without waiting for my approval :-)))

I've installed the new version on my servers and everything works correctly, so I think that the commit should not be reverted, especially since the new version resolves security issues.

So I approved this patch once again and I think this ticket could be closed.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-19 03:43:13 UTC
Pending VuXML entry and MFH
Comment 10 commit-hook freebsd_committer 2017-07-19 10:14:47 UTC
A commit references this bug:

Author: olivier
Date: Wed Jul 19 10:13:46 UTC 2017
New revision: 446192
URL: https://svnweb.freebsd.org/changeset/ports/446192

  Document vulnerability in collectd5

  PR:		220797
  Reported by:	luca.pizzamiglio@gmail.com
  Security:	CVE-2017-7401

Comment 11 commit-hook freebsd_committer 2017-07-20 21:40:41 UTC
A commit references this bug:

Author: olivier
Date: Thu Jul 20 21:39:39 UTC 2017
New revision: 446296
URL: https://svnweb.freebsd.org/changeset/ports/446296

  MFH: r446072

  Update to 5.7.2

  PR:		220797
  Submitted by:	luca.pizzamiglio@gmail.com

  Approved by:	ports-secteam

_U  branches/2017Q3/
Comment 12 Olivier Cochard freebsd_committer 2017-07-20 21:42:31 UTC
Merged to quarterly.