Bug 197107 - [MAINTAINER] security/bro, security/broccoli: Update to 2.3.2 (includes two CVE fixes)
Summary: [MAINTAINER] security/bro, security/broccoli: Update to 2.3.2 (includes two C...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Kurt Jaeger
URL:
Keywords: patch, patch-ready
Depends on:
Blocks:
 
Reported: 2015-01-26 21:50 UTC by Craig Leres
Modified: 2015-02-02 22:28 UTC (History)
1 user (show)

See Also:


Attachments
Patchset for security/bro and security/broccoli (14.86 KB, text/plain)
2015-01-26 21:50 UTC, Craig Leres
leres: maintainer-approval+
Details
poudriere log for security/bro (934.78 KB, text/plain)
2015-01-26 21:51 UTC, Craig Leres
no flags Details
poudriere log for security/broccoli (92.92 KB, text/plain)
2015-01-26 21:51 UTC, Craig Leres
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Craig Leres freebsd_committer 2015-01-26 21:50:01 UTC
Created attachment 152209 [details]
Patchset for security/bro and security/broccoli

This updates bro and broccoli from 2.3 and 2.3.2, which is a security update.

Changes to the bro port:

    * Rework openssl option logic

    * Remove obsolete 

    * pkgng related changes

Changes to the broccoli port:

    * Remove unused DOCS option

    * Enable PYTHON by default

    * pkgng related changes

    * Minor portlint changes

Changes in 2.3.2:

    * DNP3: fix reachable assertion and buffer over-read/overflow.
    CVE number pending. (Travis Emmert, Jon Siwek)

    * Update binpac: Fix potential out-of-bounds memory reads in
    generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
    - Yahoo Paranoids, Jon Siwek)

    * BIT-1234: Fix build on systems that already have ntohll/htonll.
    (Jon Siwek)

    * BIT-1291: Delete prebuilt python bytecode files from git.  (Jon Siwek)

    * Adding call to new binpac::init() function. (Robin Sommer)

Changes in 2.3.1:

    * Fix a reference counting bug in ListVal ctor. (Jon Siwek)

    * Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)

    * Change EDNS parsing code to use rdlength more cautiously.  (Jon Siwek)

    * Fix null pointer dereference in OCSP verification code in
    case no certificate is sent as part as the ocsp reply. Addresses
    BIT-1212.  (Johanna Amann)

    * Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)

    * Make links in documentation templates protocol relative. (Johanna Amann)
Comment 1 Craig Leres freebsd_committer 2015-01-26 21:51:17 UTC
Created attachment 152210 [details]
poudriere log for security/bro
Comment 2 Craig Leres freebsd_committer 2015-01-26 21:51:37 UTC
Created attachment 152211 [details]
poudriere log for security/broccoli
Comment 3 Kubilay Kocak freebsd_committer 2015-01-27 09:27:22 UTC
Q: Where does bug 193231 fit into this? Does this supersede the former?

Please update this or bug 193231 accordingly.

Q: Must security/bro and security/broccoli be updated in a single commit atomically?

If not please separate the patches (per port) and indicate which one must be committed first if required.

Given you are the maintainer for both, and both seem related to the same update, individual PR's ought not be necessary this time around.

For Bonus Points:

Write a VuXML entry [1] and add CPE information [2]

[1] https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
[2] https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#uses

Otherwise a good issue report, good stuff!
Comment 4 Craig Leres freebsd_committer 2015-01-27 18:59:55 UTC
> Q: Where does bug 193231 fit into this? Does this supersede the former?
>
> Please update this or bug 193231 accordingly.

Done.

> Q: Must security/bro and security/broccoli be updated in a single commit atomically?
> 
> If not please separate the patches (per port) and indicate which one must be committed first if required.
>
> Given you are the maintainer for both, and both seem related to the same update, individual PR's ought not be necessary this time around.

In the case of a version upgrade I think it's better to insure both ports are at the same version. Certainly I test changes by upgrading both at the same time.

> For Bonus Points:
> 
> Write a VuXML entry [1] and add CPE information [2]

I sent a note to ports-secteam@freebsd.org yesterday after filing this PR.
Comment 6 commit-hook freebsd_committer 2015-02-02 22:25:39 UTC
A commit references this bug:

Author: pi
Date: Mon Feb  2 22:25:26 UTC 2015
New revision: 378333
URL: https://svnweb.freebsd.org/changeset/ports/378333

Log:
  security/bro, security/broccoli: 2.3 -> 2.3.2

  This updates bro and broccoli from 2.3 and 2.3.2, which is a security
  update.

  Changes to the bro port:
  - Rework openssl option logic
  - Remove obsolete
  - pkgng related changes

  Changes to the broccoli port:
  - Remove unused DOCS option
  - Enable PYTHON by default
  - pkgng related changes
  - Minor portlint changes

  Changes in 2.3.2:
  - DNP3: fix reachable assertion and buffer over-read/overflow.
    CVE number pending. (Travis Emmert, Jon Siwek)
  - Update binpac: Fix potential out-of-bounds memory reads in
    generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
    - Yahoo Paranoids, Jon Siwek)
  - BIT-1234: Fix build on systems that already have ntohll/htonll.
    (Jon Siwek)
  - BIT-1291: Delete prebuilt python bytecode files from git.  (Jon Siwek)
  - Adding call to new binpac::init() function. (Robin Sommer)

  Changes in 2.3.1:
  - Fix a reference counting bug in ListVal ctor. (Jon Siwek)
  - Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)
  - Change EDNS parsing code to use rdlength more cautiously.  (Jon Siwek)
  - Fix null pointer dereference in OCSP verification code in
    case no certificate is sent as part as the ocsp reply. Addresses
    BIT-1212.  (Johanna Amann)
  - Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)
  - Make links in documentation templates protocol relative. (Johanna Amann)

  PR:		197107
  Submitted by:	Craig Leres <leres@ee.lbl.gov> (maintainer)
  Reviewed by:	koobs

Changes:
  head/security/bro/Makefile
  head/security/bro/distinfo
  head/security/bro/pkg-plist
  head/security/broccoli/Makefile
  head/security/broccoli/distinfo
  head/security/broccoli/pkg-plist
Comment 7 Kurt Jaeger freebsd_committer 2015-02-02 22:28:24 UTC
Committed, thanks.