Bug 236578

Summary: x11/libXdmcp: Update to 1.1.3
Product: Ports & Packages
Reporter: pete
Component: Individual Port(s)
Assignee: freebsd-x11 (Nobody) <x11>
Status: Closed FIXED
Severity: Affects Some People
CC: zeising
Priority: ---
Flags: zeising: maintainer-feedback+, zeising: merge-quarterly+
Version: Latest
Hardware: Any
OS: Any
Attachments: patch to bump version to 1.1.3 (flags: none)

Description pete 2019-03-16 17:56:24 UTC
Upstream release to address CVE-2017-2625:
https://lists.freedesktop.org/archives/xorg/2019-March/059690.html

libXdmcp is the X Display Manager Control Protocol library, used by both
X servers and display managers to handle both ends of the XDMCP connection.

This release provides a fix for CVE-2017-2625 for platforms which don't have
arc4random_buf() in their default libraries but do have getentropy(), such
as Linux platforms with a kernel version of 3.17 or newer and a glibc version
of 2.25 or newer.   (libXdmcp 1.1.2 already ensured that arc4random_buf()
is used on platforms that have it to provide sufficient entropy in XDMCP
key generation, but left other platforms with the weaker methods.  Linux
platforms could also have linked against libbsd to use arc4random_buf()
with libXdmcp 1.1.2 for stronger keys.)
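
Added example, not part of the original report or of libXdmcp: a shell check for which of the two entropy sources named in the release note a given libXdmcp build imports. It assumes the library is a dynamically linked shared object readable by `nm -D`; the function name and the sample symbol lines in the tests are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from libXdmcp).
# Reports which of the two entropy sources named in the release note a
# libXdmcp shared object imports, based on `nm -D` output read from stdin.

classify_entropy_source() {
    # Keep only undefined (imported) symbols; strip any @VERSION suffix
    # such as the one glibc or libbsd adds.
    ces_syms=$(awk 'NF >= 2 && $(NF-1) == "U" { sub(/@.*/, "", $NF); print $NF }')

    if printf '%s\n' "$ces_syms" | grep -qx 'arc4random_buf'; then
        echo 'arc4random_buf'
    elif printf '%s\n' "$ces_syms" | grep -qx 'getentropy'; then
        echo 'getentropy'
    else
        # Neither source is imported: per the release note this build is
        # left with "the weaker methods" for XDMCP key generation.
        echo 'none'
        return 1
    fi
}

# Usage: sh check.sh /path/to/libXdmcp.so   (path is supplied by the caller)
if [ "$#" -eq 1 ]; then
    nm -D "$1" | classify_entropy_source
fi
```

A result of `none` only means neither symbol is imported dynamically; a statically linked build has to be checked against its build configuration instead.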
Comment 1 pete 2019-03-16 17:59:07 UTC
Created attachment 202918
patch to bump version to 1.1.3
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-03-21 02:13:16 UTC
A commit references this bug:

Author: zeising
Date: Thu Mar 21 02:12:38 UTC 2019
New revision: 496408
URL: https://svnweb.freebsd.org/changeset/ports/496408

Log:
  x11/libXdmcp: Update to 1.1.3

  Update x11/libXdmcp to 1.1.3.  This is a security update, fixing an issue
  where there might be insufficient entropy generating session keys.  It is
  unknown if this issue affects FreeBSD.

  PR:		236578
  Submitted by:	pete@nomadlogic.org
  MFH:		2019Q1 (implicit approval, security fix)
  Security:	1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335
  		CVE-2017-2625

Changes:
  head/x11/libXdmcp/Makefile
  head/x11/libXdmcp/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-03-21 02:15:20 UTC
A commit references this bug:

Author: zeising
Date: Thu Mar 21 02:15:05 UTC 2019
New revision: 496409
URL: https://svnweb.freebsd.org/changeset/ports/496409

Log:
  MFH: r496408

  x11/libXdmcp: Update to 1.1.3

  Update x11/libXdmcp to 1.1.3.  This is a security update, fixing an issue
  where there might be insufficient entropy generating session keys.  It is
  unknown if this issue affects FreeBSD.

  PR:		236578
  Submitted by:	pete@nomadlogic.org
  Security:	1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335
  		CVE-2017-2625

  Approved by:	ports-secteam (implicit, security fix)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/x11/libXdmcp/Makefile
  branches/2019Q1/x11/libXdmcp/distinfo
Comment 4 Niclas Zeising freebsd_committer freebsd_triage 2019-03-21 02:15:58 UTC
Committed and MFH.  Thanks for the patch!