Bug 276879

Comment 1 Yasuhiro Kimura 2024-02-08 07:49:33 UTC

Created attachment 248252 [details]
Patch file

Patch to add entry of the vulnerability to VuXML database.

Comment 2 Daniel Engberg 2024-02-09 00:54:10 UTC

Hi,

I have a mini-exp running, it'll likely take somewhere between 12 to 24h to complete.

Best regards,
Daniel

Comment 3 Daniel Engberg 2024-02-09 22:05:38 UTC

Looks fine, it would be nice if we could upstream our local patches...

Comment 4 Daniel Engberg 2024-02-21 18:50:23 UTC

Hi,

Since this will likely pass maintainer timeout and given it covers a CVE please consider requesting an exp-run.

Best regards,
Daniel

Comment 5 Yasuhiro Kimura 2024-02-22 05:29:42 UTC

Request exp-run by suggestion of diizzy@.

Comment 6 Antoine Brodin 2024-02-22 08:38:49 UTC

The patch fails to apply

Comment 7 Yasuhiro Kimura 2024-02-22 08:51:24 UTC

Created attachment 248678 [details]
Updated patch file

Chase update of ports tree.

Comment 8 Yasuhiro Kimura 2024-02-22 08:54:16 UTC

(In reply to Antoine Brodin from comment #6)

Patch is updated. Please try with it.

Regards.

Comment 9 Po-Chuan Hsieh 2024-02-23 01:59:37 UTC

(In reply to Yasuhiro Kimura from comment #7)

I'm OK with the updated patch. Thanks.

Comment 10 Antoine Brodin 2024-02-27 08:06:05 UTC

Exp-run looks fine

Comment 11 commit-hook 2024-02-28 00:54:03 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ed937bd9ad8fab202fbbc82fff0964eb7e715086

commit ed937bd9ad8fab202fbbc82fff0964eb7e715086
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2024-02-08 00:24:41 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2024-02-28 00:50:40 +0000

    ftp/curl: Update to 8.6.0

    ChangeLog:      https://curl.se/changes.html#8_6_0
    PR:             276879
    Approved by:    maintainer
    Exp-run bye:    antoine
    MFH:            2024Q1
    Security:       02e33cd1-c655-11ee-8613-08002784c58d

 ftp/curl/Makefile                |  6 ++++--
 ftp/curl/distinfo                |  8 +++++---
 ftp/curl/files/patch-Makefile.in | 11 -----------
 ftp/curl/files/patch-configure   | 41 ++++++++++++++++------------------------
 ftp/curl/pkg-plist               | 11 +++++++++++
 5 files changed, 36 insertions(+), 41 deletions(-)

Comment 12 commit-hook 2024-02-28 00:54:05 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=16f370e33f0cdd303de5a28f598d67b40091e307

commit 16f370e33f0cdd303de5a28f598d67b40091e307
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2024-02-08 07:45:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2024-02-28 00:50:29 +0000

    security/vuxml: Document OCSP verification bypass vulnerability in curl

    PR:             276879

 security/vuxml/vuln/2024.xml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

Comment 13 commit-hook 2024-02-28 01:10:08 UTC

A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=85ae1dbb1a6e4bdfae53d745dbdba5af8db5e11a

commit 85ae1dbb1a6e4bdfae53d745dbdba5af8db5e11a
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2024-02-08 00:24:41 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2024-02-28 01:07:37 +0000

    ftp/curl: Update to 8.6.0

    ChangeLog:      https://curl.se/changes.html#8_6_0
    PR:             276879
    Approved by:    maintainer
    Exp-run bye:    antoine
    MFH:            2024Q1
    Security:       02e33cd1-c655-11ee-8613-08002784c58d

    (cherry picked from commit ed937bd9ad8fab202fbbc82fff0964eb7e715086)

 ftp/curl/Makefile                |  5 ++++-
 ftp/curl/distinfo                |  8 +++++---
 ftp/curl/files/patch-Makefile.in | 11 -----------
 ftp/curl/files/patch-configure   | 41 ++++++++++++++++------------------------
 ftp/curl/pkg-plist               | 11 +++++++++++
 5 files changed, 36 insertions(+), 40 deletions(-)