Summary: x11/sddm Please upgrade from 0.14.0 to 0.18.0 (address CVE-2018-14345)
Product: Ports & Packages
Reporter: Patrick McMunn <doctorwhoguy>
Severity: Affects Only Me
CC: adridg, me
Description Patrick McMunn 2018-07-25 05:04:07 UTC
Comment 1 Adriaan de Groot 2018-09-08 10:33:52 UTC
I've just updated to 0.17 (from 0.14) and will pick this up later today.
Comment 2 commit-hook 2018-09-11 10:39:53 UTC
A commit references this bug:
Author: adridg
Date: Tue Sep 11 10:39:06 UTC 2018
New revision: 479521
URL: https://svnweb.freebsd.org/changeset/ports/479521
Log:
The 0.18 release of x11/sddm contains a fix for a security error that allows unlocking a session without a password, if the ReuseSession configuration option is set to true. The default configuration sets it to false.

I'm setting the version to < 0.17.0_1 here, because I'm going to update 0.17 with backports rather than pull in 0.18 (there's a lot more work in that update, because of reorganisation upstream and none of our patches apply anymore).

PR: 230029
Reported by: firstname.lastname@example.org
Changes:
head/security/vuxml/vuln.xml
Comment 3 commit-hook 2018-09-11 10:39:55 UTC
A commit references this bug:
Author: adridg
Date: Tue Sep 11 10:39:37 UTC 2018
New revision: 479522
URL: https://svnweb.freebsd.org/changeset/ports/479522
Log:
Backport security fixes for x11/sddm

The 0.18 release of x11/sddm contains a fix for a security error that probably doesn't affect us: session-reuse. In any case our default configuration is not vulnerable. This doesn't update to 0.18 because there's a bunch of other changes that would need to be chased, further delaying this update.

While here, pet portlint and Tijl, who asked for a pkg-message.

PR: 230029
Reported by: email@example.com
Security: f00acdec-b59f-11e8-805d-001e2a3f778d
Changes:
head/x11/sddm/Makefile
head/x11/sddm/files/git-patch-147cec38d
head/x11/sddm/files/git-patch-b02b00559
head/x11/sddm/pkg-message
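Both commit messages above hinge on one setting: the session-reuse path is only reachable when ReuseSession is true, and the default is false. The audit below is an added example, not code from this bug report, the FreeBSD port or the sddm project; it reads sddm's configuration in override order and reports whether ReuseSession is effectively enabled and which file set it. The FreeBSD paths, the conf.d drop-in lookup and the [Users] section name are assumptions, and the boolean parsing is deliberately conservative for an audit.

```python
"""Audit the sddm option behind CVE-2018-14345: ReuseSession under [Users]."""
import configparser
import glob
import os
import tempfile

# Assumed FreeBSD port locations (hypothetical; adjust for other installs).
BASE_CONF = "/usr/local/etc/sddm.conf"
CONF_DIR = "/usr/local/etc/sddm.conf.d"


def config_files(base_conf=BASE_CONF, conf_dir=CONF_DIR):
    """Files in the order sddm reads them: base file, then conf.d/*.conf by name."""
    files = [base_conf] if os.path.isfile(base_conf) else []
    return files + sorted(glob.glob(os.path.join(conf_dir, "*.conf")))


def parse_bool(raw):
    """Conservative reading for an audit: only 'false', '0' or empty disable it;
    anything else (true, yes, 1, a typo) counts as enabled."""
    return raw.strip().lower() not in ("", "0", "false")


def reuse_session_status(files):
    """Return (enabled, file_that_set_it). Upstream defaults ReuseSession to
    false, so an absent key means the session-reuse path is off."""
    enabled, source = False, None
    for path in files:  # later files override earlier ones
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        if cp.has_option("Users", "ReuseSession"):
            enabled = parse_bool(cp.get("Users", "ReuseSession"))
            source = path
    return enabled, source


def demo():
    """Constructed sample: the base file keeps the default, a drop-in enables it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "sddm.conf")
        cdir = os.path.join(tmp, "sddm.conf.d")
        os.mkdir(cdir)
        with open(base, "w") as f:
            f.write("[Users]\nReuseSession=false\n")
        with open(os.path.join(cdir, "10-local.conf"), "w") as f:
            f.write("# constructed drop-in\n[Users]\nReuseSession=true\n")
        enabled, source = reuse_session_status(config_files(base, cdir))
        return enabled, os.path.basename(source) if source else None
```

Run `reuse_session_status(config_files())` on a real host to get the effective value; a result of `(True, path)` on a version below 0.17.0_1 is the condition the vuxml entry describes.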
Comment 4 Adriaan de Groot 2018-09-11 10:44:50 UTC
Fixed by backporting fixes, rather than updating wholesale to 0.18 because the latter is a lot more work (many upstream changes).