Bug 235186

Summary:	security/keybase: Needs PORTREVISON bump and rebuild (CVE-2019-6486)
Product:	Ports & Packages	Reporter:	Dmitri Goutnik <dmgk>
Component:	Individual Port(s)	Assignee:	Po-Chuan Hsieh <sunpoet>
Status:	Closed FIXED
Severity:	Affects Many People	CC:	jlaffaye, ports-secteam
Priority:	---	Keywords:	needs-qa, security
Version:	Latest	Flags:	bugzilla: maintainer-feedback? (sunpoet)
Hardware:	Any
OS:	Any

Description Dmitri Goutnik freebsd_committer

2019-01-25 02:36:24 UTC

Needs PORTREVISON bump and rebuild with Go 1.11.5 [1] to fix CVE-2019-6486 [2]  which affects software relying on 'crypto/elliptic' [3]

[1] https://golang.org/doc/devel/release.html#go1.11
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-6486
[3] https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved

Comment 1 Kubilay Kocak freebsd_committer

2019-01-25 02:44:21 UTC

lang/go updated to 1.11.5 in ports r491092 by jlaffaye, but can't see it was marked for MFH, nor a VuXML entry

If this port needs a PORTREVISION bump after lang/go CVE update, what other ports need PORTREVISION bumps too?

Comment 2 Dmitri Goutnik freebsd_committer

2019-01-25 14:50:34 UTC

As a security fix release lang/go 1.11.5 probably needs VuXML and should be MFH. 

I don't have an exhaustive list of port that are affected by CVE-2019-6486 and need rebuilding. I guess it's up to maintainers to check go list -deps ./... | grep "crypto\/elliptic" and decide if PORTREVISION bump would be warranted.

Comment 3 commit-hook freebsd_committer

2019-01-28 18:58:49 UTC

A commit references this bug:

Author: sunpoet
Date: Mon Jan 28 18:58:30 UTC 2019
New revision: 491509
URL: https://svnweb.freebsd.org/changeset/ports/491509

Log:
  Bump PORTREVISION to force rebuild after golang 1.11.5 security update

  PR:		235186
  Reported by:	Dmitri Goutnik <dg@syrec.org>

Changes:
  head/security/keybase/Makefile

Comment 4 Po-Chuan Hsieh freebsd_committer

2019-01-28 18:59:04 UTC

Committed. Thanks!