Bug 255102

Summary: net/libzmq4: Update to 4.3.4 (Fixes security vulnerabilities)
Product: Ports & Packages
Reporter: Thomas Petig <thomas>
Component: Individual Port(s)
Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED
Severity: Affects Many People
CC: dbaio, diizzy, koobs, ports-secteam
Priority: Normal
Keywords: security
Version: Latest
Flags: dbaio: maintainer-feedback+, dbaio: merge-quarterly+
Hardware: Any
OS: Any

Attachments:
- patch for the update (flags: none)
- patch with incremented portrevision (flags: none)

Description Thomas Petig 2021-04-15 23:04:01 UTC
Created attachment 224144
patch for the update

libzmq4 in version 4.3.1 is outdated; 4.3.2 and 4.3.3 include fixes for several vulnerabilities.

Tried my best to provide a patch. The old patches to the source tree do not seem to be necessary anymore, but apparently I need to fix some includes to get it to compile.

I would be glad to hear some feedback on my patch. For instance, where do the patch numbers come from? I just filled in 1111 for now.
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2021-05-23 06:53:02 UTC
Hi Thomas!

Looks good overall however PORTREVISION needs to go when bumping version :-)
Did you try this on any OS and/or in Poudriere?

Best regards,
Daniel
Comment 2 Thomas Petig 2021-05-25 18:42:17 UTC
Created attachment 225258
patch with incremented portrevision

The same as before but PORTREVISION is incremented
Comment 3 Thomas Petig 2021-05-25 19:54:01 UTC
(In reply to Daniel Engberg from comment #1)

Hi Daniel,
Thanks for your input, I adjusted the patch to have an incremented PORTREVISION.

I have tested it on a FreeBSD 13 machine. With this version, all my unit tests (of some library we develop that uses zmq) pass.

Best regards,
Thomas
Comment 4 Danilo G. Baio freebsd_committer freebsd_triage 2021-05-25 23:02:46 UTC
(In reply to Thomas Petig from comment #3)

And reverse dependents are building fine.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-26 00:37:45 UTC
Thank you Danilo <3
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-05-26 00:41:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b48ef2625f60a360d0c7618d1650a7dd9155b89b

commit b48ef2625f60a360d0c7618d1650a7dd9155b89b
Author:     Danilo G. Baio <dbaio@FreeBSD.org>
AuthorDate: 2021-05-25 23:05:22 +0000
Commit:     Danilo G. Baio <dbaio@FreeBSD.org>
CommitDate: 2021-05-26 00:33:57 +0000

    security/vuxml: Document net/libzmq4 issues

    PR:             255102
    Reported by:    Thomas Petig <thomas@petig.eu>
    Security:       CVE-2019-13132
    Security:       CVE-2020-15166

 security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-05-26 00:41:45 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f3f486e42206887b05bcca9675087b976b8eb27c

commit f3f486e42206887b05bcca9675087b976b8eb27c
Author:     Thomas Petig <thomas@petig.eu>
AuthorDate: 2021-05-25 23:16:19 +0000
Commit:     Danilo G. Baio <dbaio@FreeBSD.org>
CommitDate: 2021-05-26 00:34:15 +0000

    net/libzmq4: Update to 4.3.4, Fix security issues

    - Patches removed were incorporated upstream.

    Changelog:  https://github.com/zeromq/libzmq/releases/tag/v4.3.2
          https://github.com/zeromq/libzmq/releases/tag/v4.3.3
          https://github.com/zeromq/libzmq/releases/tag/v4.3.4

    PR:             255102
    Approved by:    koobs (maintainer, implicit)
    MFH:            2021Q2
    Security:       21ec4428-bdaa-11eb-a04e-641c67a117d8
    Security:       6954a2b0-bda8-11eb-a04e-641c67a117d8

    Co-authored-by: Danilo G. Baio <dbaio@FreeBSD.org>

 net/libzmq4/Makefile                             |   4 +-
 net/libzmq4/distinfo                             |   6 +-
 net/libzmq4/files/patch-PR3358 (gone)            | 179 -----------------------
 net/libzmq4/files/patch-PR3359 (gone)            |  45 ------
 net/libzmq4/files/patch-tests_testutil.hpp (new) |  11 ++
 net/libzmq4/pkg-plist                            |   5 +-
 6 files changed, 19 insertions(+), 231 deletions(-)
Comment 8 Danilo G. Baio freebsd_committer freebsd_triage 2021-05-26 00:51:34 UTC
(In reply to Thomas Petig from comment #0)

Hi Thomas.

Thanks for your patch, I just made some small changes in the pkg-plist, PORTREVISION and the patch name.

More details here:
https://docs.freebsd.org/en/books/porters-handbook/makefiles/#makefile-portrevision
https://docs.freebsd.org/en/books/porters-handbook/slow-porting/#slow-patch

And about the security vulnerabilities, we also include that information in VuXML.
https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify


For now I'll trigger a build test in the quarterly branch 2021Q2, if it's ok, we will merge ports f3f486e42206887b05bcca9675087b976b8eb27c into it.

Regards.
Comment 9 commit-hook freebsd_committer freebsd_triage 2021-05-26 23:24:36 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2c7f2928f3eeebf2c17a168c5182137faea9b837

commit 2c7f2928f3eeebf2c17a168c5182137faea9b837
Author:     Thomas Petig <thomas@petig.eu>
AuthorDate: 2021-05-25 23:16:19 +0000
Commit:     Danilo G. Baio <dbaio@FreeBSD.org>
CommitDate: 2021-05-26 00:54:29 +0000

    net/libzmq4: Update to 4.3.4, Fix security issues

    - Patches removed were incorporated upstream.

    Changelog:  https://github.com/zeromq/libzmq/releases/tag/v4.3.2
          https://github.com/zeromq/libzmq/releases/tag/v4.3.3
          https://github.com/zeromq/libzmq/releases/tag/v4.3.4

    PR:             255102
    Approved by:    koobs (maintainer, implicit)
    Security:       21ec4428-bdaa-11eb-a04e-641c67a117d8
    Security:       6954a2b0-bda8-11eb-a04e-641c67a117d8

    Co-authored-by: Danilo G. Baio <dbaio@FreeBSD.org>
    (cherry picked from commit f3f486e42206887b05bcca9675087b976b8eb27c)

 net/libzmq4/Makefile                             |   4 +-
 net/libzmq4/distinfo                             |   6 +-
 net/libzmq4/files/patch-PR3358 (gone)            | 179 -----------------------
 net/libzmq4/files/patch-PR3359 (gone)            |  45 ------
 net/libzmq4/files/patch-tests_testutil.hpp (new) |  11 ++
 net/libzmq4/pkg-plist                            |   5 +-
 6 files changed, 19 insertions(+), 231 deletions(-)
Comment 10 Danilo G. Baio freebsd_committer freebsd_triage 2021-05-26 23:26:43 UTC
Committed on both branches, thanks!