Bug 270406

Summary: security/tailscale: update to 1.38.2
Product: Ports & Packages
Reporter: Denton Gentry <denny>
Component: Individual Port(s)
Assignee: Ashish SHUKLA <ashish>
Status: Closed FIXED
Severity: Affects Many People
CC: pat
Priority: ---
Flags: bugzilla: maintainer-feedback? (ashish)
Version: Latest
Hardware: Any
OS: Any

Description Denton Gentry 2023-03-22 18:36:54 UTC
Tailscale 1.38.2 addresses an egid security issue with the use of setgroups() in tailscaled on FreeBSD.

OPNsense:/usr/ports/security/tailscale # git diff
diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index 420b20c88b4..6e8948aa6c1 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=      tailscale
-PORTVERSION=   1.38.1
+PORTVERSION=   1.38.2
 DISTVERSIONPREFIX=     v
 CATEGORIES=    security net-vpn
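
Review bot: The PORTVERSION line is the only change in this hunk and nothing alongside it marks the update as a security fix, although the report describes 1.38.2 as addressing a setgroups() egid issue in tailscaled on FreeBSD. The commit message should carry a Security: trailer and the update should be merged to the quarterly branch as well as main. Also check below the five context lines shown for a PORTREVISION setting, which would have to be dropped together with the version bump.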

diff --git a/security/tailscale/distinfo b/security/tailscale/distinfo
index 8a50dfd3269..cec60f4ad72 100644
--- a/security/tailscale/distinfo
+++ b/security/tailscale/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1678860949
-SHA256 (go/security_tailscale/tailscale-v1.38.1/v1.38.1.mod) = 168dd90195ac5cb69746285d7e681e6d92142cba7254dd573291b6b83c1f2834
-SIZE (go/security_tailscale/tailscale-v1.38.1/v1.38.1.mod) = 16974
-SHA256 (go/security_tailscale/tailscale-v1.38.1/v1.38.1.zip) = 90fcbf25ad2601c625ea5db8510cdaccf9b4b758a651199b4b3502401fbfae85
-SIZE (go/security_tailscale/tailscale-v1.38.1/v1.38.1.zip) = 2147957
+TIMESTAMP = 1679507222
+SHA256 (go/security_tailscale/tailscale-v1.38.2/v1.38.2.mod) = 168dd90195ac5cb69746285d7e681e6d92142cba7254dd573291b6b83c1f2834
+SIZE (go/security_tailscale/tailscale-v1.38.2/v1.38.2.mod) = 16974
+SHA256 (go/security_tailscale/tailscale-v1.38.2/v1.38.2.zip) = 5f268883febfe650007ce2b8b05acba9440d6a60eb082b81354d969c16003e69
+SIZE (go/security_tailscale/tailscale-v1.38.2/v1.38.2.zip) = 2151847
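
Review bot: The v1.38.2.mod entry carries exactly the SHA256 and SIZE (16974) that were recorded for v1.38.1.mod, while the .zip checksum and size both change. That is plausible if go.mod did not change between the two releases, but it is also what a hand-edited distinfo would look like, so please confirm the file was regenerated with make makesum against freshly fetched distfiles rather than edited in place.
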
Comment 1 Denton Gentry 2023-03-22 23:32:23 UTC
This fixes CVE-2023-28436.

https://tailscale.com/security-bulletins/#ts-2023-003
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-03-23 13:54:30 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c8d192304d65f090cc851b79d156212fd37a4e80

commit c8d192304d65f090cc851b79d156212fd37a4e80
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2023-03-23 13:53:09 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2023-03-23 13:54:03 +0000

    security/vuxml: Document vulnerability for security/tailscale

    PR:             270406

 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Comment 3 Ashish SHUKLA freebsd_committer freebsd_triage 2023-03-23 13:56:40 UTC
Sorry, I missed this PR.

I've updated the port some time ago (in main, and quarterly branches), and now just published VuXML as well, as I came to know about the security vulnerability.

Thanks for letting me know.