Bug 247089

Summary: devel/json-c: update quarterly to 0.14
Product: Ports & Packages
Reporter: Mike Kelly <pioto>
Component: Individual Port(s)
Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED
Severity: Affects Many People
CC: hvtamcntt, ports-secteam
Priority: Normal
Keywords: needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (sunpoet); joneum: merge-quarterly+
Hardware: Any
OS: Any
Bug Depends on: 246389
Bug Blocks:

Description Mike Kelly 2020-06-08 18:46:59 UTC
The current release in the quarterly branch, 0.13.1_1, is marked as vulnerable by vuln.xml:

$ sudo pkg audit
json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html

Can the version containing the fix for this, 0.14, be updated in the quarterly branch?
Comment 1 Jochen Neumeister (freebsd_committer, freebsd_triage) 2020-06-09 09:03:57 UTC
Approved for MFH, along with adding a VuXML entry.

Jochen
(Ports-secteam)
Comment 2 Mike Kelly 2020-07-10 18:59:58 UTC
Seems this has now been merged to the current quarterly repo, so this can probably be closed.