Summary: | [exp-run] texproc/expat2: update to 2.4.1 (fixes CVE-2013-0340/CWE-776) | ||||||
---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | Tobias C. Berner <tcberner> | ||||
Component: | Individual Port(s) | Assignee: | Tobias C. Berner <tcberner> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Only Me | CC: | bdrewery, desktop | ||||
Priority: | --- | Flags: | tcberner: merge-quarterly+, antoine: exp-run+ | ||||
Version: | Latest | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: | |
Description
Tobias C. Berner
2021-05-24 14:42:55 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4ff544422ffe21f039595fc312b2e4bff39a705c

commit 4ff544422ffe21f039595fc312b2e4bff39a705c
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 15:02:45 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-24 15:02:45 +0000

    security/vuxml: document vulnerability in texptroc/expat2

    Security:   CVE-2013-0340
    PR:         256121

 security/vuxml/vuln.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

---

Exp-run looks fine

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1454ab40206b85f94edb6390e0d96c9716a07399

commit 1454ab40206b85f94edb6390e0d96c9716a07399
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 14:38:28 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-27 08:56:26 +0000

    textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776

    See [1] for details:

        Expat 2.4.0 and follow-up release 2.4.1 have both been released
        earlier today (21-05-23). Release 2.4.0 fixes long known security
        issue CVE-2013-0340 by adding protection against so-called Billion
        Laughs Attacks, a form of denial of service against applications
        accepting XML input, in all known variations, including recent
        flavor Parameter Laughs.

    [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0

    PR:         256121
    Exp-run by: antoine

 textproc/expat2/Makefile  |  4 +++-
 textproc/expat2/distinfo  |  6 +++---
 textproc/expat2/pkg-plist | 10 +++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)

---

Committed - thanks for the exp-run.

---

Any reason this shouldn't go into quarterly?

---

(In reply to Bryan Drewery from comment #5)

Moin moin

It's a bigger step from 2.2.10 (instead of 2.3.0) to 2.4.1 there -- so I did not really want to risk breakage. But given the CVE that is probably a risk worth taking.

I guess I will risk it :)

mfg Tobias

---

A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7735cbdd131003bbbb0c9238f1468db734b89bc4

commit 7735cbdd131003bbbb0c9238f1468db734b89bc4
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 14:38:28 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-14 15:50:41 +0000

    textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776

    See [1] for details:

        Expat 2.4.0 and follow-up release 2.4.1 have both been released
        earlier today (21-05-23). Release 2.4.0 fixes long known security
        issue CVE-2013-0340 by adding protection against so-called Billion
        Laughs Attacks, a form of denial of service against applications
        accepting XML input, in all known variations, including recent
        flavor Parameter Laughs.

    [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0

    PR:         256121
    Exp-run by: antoine

    (cherry picked from commit 1454ab40206b85f94edb6390e0d96c9716a07399)

 textproc/expat2/Makefile  | 13 +++++++++----
 textproc/expat2/distinfo  |  6 +++---
 textproc/expat2/pkg-plist |  8 ++++++--
 3 files changed, 18 insertions(+), 9 deletions(-)
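The commit message above describes the protection Expat 2.4.0 added for CVE-2013-0340 only in one sentence. The following is an added example, not code from this PR, from the Expat project or from the FreeBSD ports tree: a stand-alone Python re-implementation of the idea behind Expat's defence, which computes how large a document becomes once its entities are expanded without ever materialising the expansion, and rejects it when the amplification factor is too high. It is written in Python rather than C so that it runs without a libexpat installation; the two limits (a 100x maximum amplification, enforced only once the combined direct and expanded input exceeds 8 MiB) are assumptions taken from Expat's documented 2.4.0 defaults, the entity and DOCTYPE regexes are a deliberate simplification of real XML parsing, and the sample documents are constructed here. Parameter entity references inside entity literals are followed the same way as general ones, which is what the Parameter Laughs variant relies on.

```python
"""Static entity-amplification check modelled on the Billion Laughs protection
that Expat 2.4.0 introduced. Added illustration; not Expat's code.
The two limits below are assumptions taken from Expat's documented defaults."""
import re

MAX_AMPLIFICATION = 100.0               # assumed: Expat's default maximum factor
ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # assumed: Expat's default 8 MiB threshold

ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%]+)\s+'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\')\s*>')
GENERAL_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
PARAM_REF = re.compile(r'%([A-Za-z_][\w.-]*);')


class AmplificationLimitBreach(ValueError):
    """Same outcome as Expat's XML_ERROR_AMPLIFICATION_LIMIT_BREACH."""


def split_dtd(doc):
    """Return (internal DTD subset, document body) for a doc with an inline DOCTYPE."""
    m = re.search(r'<!DOCTYPE\s+[^\[>]*\[(?P<subset>.*?)\]\s*>', doc, re.S)
    return ("", doc) if not m else (m.group("subset"), doc[m.end():])


def declared_entities(subset):
    """Collect general and parameter entity literals declared in a DTD subset."""
    general, param = {}, {}
    for m in ENTITY_DECL.finditer(subset):
        value = m.group("dq") if m.group("dq") is not None else m.group("sq")
        (param if m.group("param") else general)[m.group("name")] = value
    return general, param


def expanded_size(name, is_param, general, param, memo, stack=()):
    """Size of the fully expanded entity, computed without materialising it.

    Nested general (&x;) and parameter (%x;) references are followed, so the
    classic Billion Laughs chain and the parameter-entity variant are both
    accounted for. Each entity is sized once (memo), so a 10^9 expansion
    costs ten recursive calls, not ten billion. Recursive declarations are
    rejected outright."""
    key = (is_param, name)
    if key in memo:
        return memo[key]
    if key in stack:
        raise AmplificationLimitBreach(f"recursive entity {name!r}")
    table = param if is_param else general
    if name not in table:            # predefined (&lt;) or undeclared: no growth
        return memo.setdefault(key, len(name) + 2)
    size = len(table[name])
    for ref_re, ref_is_param in ((GENERAL_REF, False), (PARAM_REF, True)):
        for m in ref_re.finditer(table[name]):
            size += expanded_size(m.group(1), ref_is_param, general, param,
                                  memo, stack + (key,)) - len(m.group(0))
    memo[key] = size
    return size


def check_amplification(doc, max_amplification=MAX_AMPLIFICATION,
                        threshold=ACTIVATION_THRESHOLD):
    """Return (direct_bytes, indirect_bytes, amplification) or raise.

    amplification = (direct + indirect) / direct. The limit is only enforced
    once direct + indirect exceeds `threshold`, so a small document with a
    high factor still parses (Expat's activation threshold)."""
    subset, body = split_dtd(doc)
    general, param = declared_entities(subset)
    memo = {}
    direct = len(doc.encode("utf-8"))
    indirect = sum(expanded_size(n, False, general, param, memo)
                   for n in GENERAL_REF.findall(body) if n in general)
    # parameter references between declarations (the only place they are legal
    # in an internal subset); references inside literals are sized above
    indirect += sum(expanded_size(n, True, general, param, memo)
                    for n in PARAM_REF.findall(ENTITY_DECL.sub("", subset))
                    if n in param)
    amplification = (direct + indirect) / direct
    if direct + indirect > threshold and amplification > max_amplification:
        raise AmplificationLimitBreach(
            f"amplification {amplification:.1f}x exceeds {max_amplification}x")
    return direct, indirect, amplification


def billion_laughs(depth=9, fanout=10):
    """Constructed sample of the classic attack: lol{n} references lol{n-1} `fanout` times."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        refs = f"&{'lol' if i == 1 else f'lol{i - 1}'};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')


if __name__ == "__main__":
    print(check_amplification('<!DOCTYPE a [<!ENTITY x "hello">]><a>&x;&x;</a>'))
    print(check_amplification(billion_laughs(5)))   # 650x, but below 8 MiB: allowed
    try:
        check_amplification(billion_laughs(9))      # 3 GB of output: rejected
    except AmplificationLimitBreach as e:
        print("rejected:", e)
```

The depth-5 case is the edge worth noticing: it expands to roughly 300 KB from a 462-byte document, a factor of about 650, yet passes because the total stays under the activation threshold. That is the same trade-off Expat makes so that legitimate small documents with a handful of entities are never rejected, and it is why an application that feeds untrusted XML to Expat 2.4.x may still want to lower the threshold, or disable DTD entity expansion altogether, rather than rely on the defaults alone.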