Comment 1 Kubilay Kocak 2014-08-11 00:42:40 UTC

Thanks for the report Christian.

Could you please add:

- Your FreeBSD version (`uname -a` output)
- The bull build log (including failure) as an attachment

Please also confirm that you are running the latest revision of the ports tree, either via portsnap or svn.

OS Version:

FreeBSD delta_web 10.0-RELEASE-p7 FreeBSD 10.0-RELEASE-p7 #0: Tue Jul  8 06:37:44 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Build Log:

root@machine:[/usr/ports/www/nginx]: make


*** Error code 1

Stop.
make[1]: stopped in /basejail/usr/ports/www/nginx
*** Error code 1

Stop.
make: stopped in /basejail/usr/ports/www/nginx


I use ezjail and ran `ezjail-admin update -P` just before `make`.

I can confirm on a similar machine:

FreeBSD positron.dckd.nl 10.0-RELEASE-p7 FreeBSD 10.0-RELEASE-p7 #0: Tue Jul  8 06:37:44 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


sudo make

*** Error code 1

Stop.
make[1]: stopped in /usr/ports/www/nginx
*** Error code 1

Stop.
make: stopped in /usr/ports/www/nginx

This is also problematic because of a security issue that exists with previous versions of nginx:


A bug in nginx SMTP proxy was found, which allows an attacker in a
privileged network position to inject commands into SSL sessions started
with the STARTTLS command, potentially making it possible to steal
sensitive information sent by clients (CVE-2014-3556).

The problem affects nginx 1.5.6 - 1.7.3.

The problem is fixed in nginx 1.7.4, 1.6.1.

http://vuxml.freebsd.org/freebsd/ad747a01-1fee-11e4-8ff1-f0def16c5c1b.html
http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html

The vulnerability also seems to be the root of the problem:

sudo make -d e

*** Failed target:  check-vulnerable
*** Failed command: if [ -f "/var/db/pkg/vuln.xml" ]; then if [ -n "YES" ]; then if [ -x "/usr/local/sbin/pkg-static" ]; then vlist=`/usr/local/sbin/pkg-static audit "nginx-1.6.1,2"`; if [ "${vlist}" = "0 problem(s) in the installed packages found." ]; then vlist=""; fi; elif [ "nginx" = "pkg" ]; then vlist=""; fi; elif [ -x "/usr/local/sbin/portaudit" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; if [ -n "$vlist" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; fi ; else echo "===> portaudit database exists, however, portaudit is not installed!"; fi; if [ -n "$vlist" ]; then echo "===> nginx-1.6.1,2 has known vulnerabilities:"; echo "$vlist"; echo "=> Please update your ports tree and try again."; echo "=> Note: Vulnerable ports are marked as such even if there is no update available."; echo "=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'"; exit 1; fi; fi
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/www/nginx

*** Failed target:  stage
*** Failed command: cd /usr/ports/www/nginx && make CONFIG_DONE_NGINX=1 /usr/ports/www/nginx/work/.stage_done.nginx._usr_local
*** Error code 1

Stop.
make: stopped in /usr/ports/www/nginx


jeroen:nginx/ $ /usr/local/sbin/pkg-static audit "nginx-1.6.1,2"
nginx-1.6.1,2
 is vulnerable:
nginx -- inject commands into SSL session vulnerability
CVE: CVE-2014-3556
WWW: http://portaudit.FreeBSD.org/ad747a01-1fee-11e4-8ff1-f0def16c5c1b.html

1 problem(s) in the installed packages found.

There are two problems here:
1) Something seems to go wrong with the vulnerability checking, finding a vulnerability and not giving proper feedback
2) According to the vuxml page above the version nginx-1.6.1,2 should actually not be vulnerable anymore.

With the new version of nginx (1.6.1-1) now at least builds again.

If the audit check is not fixed this will pop up again with a new vulnerability of nginx though.

So when will we see an updated port?

There has been an update to the ports file in the meantime which seems to have already solved the problem. So the bug can be closed.

Comment 9 Sergey A. Osokin 2015-04-27 22:13:20 UTC

Done.