Bug 245010

Summary:

mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, mail/qmail-tls and mail/qmail: Update TLS patch

Product:

Ports & Packages

Reporter:

Dirk Engling <erdgeist>

Component:

Individual Port(s)

Assignee:

Kurt Jaeger <pi>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

crest, pi

Priority:

---

Flags:

pi: merge-quarterly+

Version:

Latest

Hardware:

Any

OS:

Any

Bug Depends on:

Bug Blocks:

244969

Attachments:

Description	Flags
patch to make qmail-tls work with most recent netqmail-tls patch	erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE	erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE	erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE	erdgeist: maintainer-approval+
vuxml entries for the cve	erdgeist: maintainer-approval+
vuxml entries for the cve	none

Description Dirk Engling 2020-03-23 18:02:07 UTC

Created attachment 212650 [details]
patch to make qmail-tls work with most recent netqmail-tls patch

This incorporates upstream changes to netqmail-tls patch.

Comment 1 Kubilay Kocak freebsd_committer

2020-03-24 03:20:48 UTC

Does this resolve a build or run time fix?

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]

Comment 2 Dirk Engling 2020-03-24 03:22:42 UTC

Comment on attachment 212650 [details]
patch to make qmail-tls work with most recent netqmail-tls patch

Build and runtime fix

Comment 3 Dirk Engling 2020-04-18 09:51:31 UTC

Anything else I need to do?

Comment 4 Dirk Engling 2020-05-20 10:39:26 UTC

Created attachment 214688 [details]
Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch

Comment 5 Dirk Engling 2020-05-20 10:58:07 UTC

Created attachment 214689 [details]
Fixes three remotely exploitable CVE

Bumping PORTREVISION.

Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch

Comment 6 Dirk Engling 2020-05-20 11:11:27 UTC

Created attachment 214690 [details]
Fixes three remotely exploitable CVE

Bumping PORTREVISION of master and all slave ports.

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch

Comment 7 Kurt Jaeger freebsd_committer

2020-05-24 12:43:13 UTC

testbuilds@work

Comment 8 commit-hook freebsd_committer

2020-05-24 12:59:59 UTC

A commit references this bug:

Author: pi
Date: Sun May 24 12:59:03 UTC 2020
New revision: 536399
URL: https://svnweb.freebsd.org/changeset/ports/536399

Log:
  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  MFH:		2020Q2
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515

Changes:
  head/mail/qmail/Makefile
  head/mail/qmail/distinfo
  head/mail/qmail/files/patch-alloc.c
  head/mail/qmail/files/qmailsend.in
  head/mail/qmail-mysql/Makefile
  head/mail/qmail-tls/Makefile

Comment 9 Kurt Jaeger freebsd_committer

2020-05-24 13:01:18 UTC

(In reply to erdgeist from comment #3)
Can you provide vuxml entries for the CVEs ?

https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

https://lists.freebsd.org/pipermail/freebsd-questions/2016-August/273034.html

Comment 10 commit-hook freebsd_committer

2020-05-24 13:05:02 UTC

A commit references this bug:

Author: pi
Date: Sun May 24 13:04:06 UTC 2020
New revision: 536400
URL: https://svnweb.freebsd.org/changeset/ports/536400

Log:
  MFH: r536399

  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/mail/qmail/Makefile
  branches/2020Q2/mail/qmail/distinfo
  branches/2020Q2/mail/qmail/files/patch-alloc.c
  branches/2020Q2/mail/qmail/files/qmailsend.in
  branches/2020Q2/mail/qmail-mysql/Makefile
  branches/2020Q2/mail/qmail-tls/Makefile

Comment 11 Dirk Engling 2020-05-24 23:18:12 UTC

Created attachment 214822 [details]
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs

Comment 12 Dirk Engling 2020-05-24 23:25:39 UTC

Created attachment 214823 [details]
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs

Comment 13 commit-hook freebsd_committer

2020-05-25 18:05:02 UTC

A commit references this bug:

Author: pi
Date: Mon May 25 18:04:41 UTC 2020
New revision: 536490
URL: https://svnweb.freebsd.org/changeset/ports/536490

Log:
  security/vuxml: add three CVEs for qmail

  PR:		245010
  Submitted by:	erdgeist@erdgeist.org

Changes:
  head/security/vuxml/vuln.xml

Comment 14 Kurt Jaeger freebsd_committer

2020-05-25 18:05:06 UTC

vuxml entries committed, thanks!