Bug 204044 - [MAINTAINER] net-mgmt/lldpd: Update to 0.7.19, Fixes security vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Mathieu Arnold
URL:
Keywords: needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2015-10-26 19:38 UTC by Mathieu Simon
Modified: 2015-12-02 12:57 UTC

See Also:
koobs: merge-quarterly?


Attachments
Updates lldpd to 0.7.19 (801 bytes, patch)
2015-10-26 19:38 UTC, Mathieu Simon
koobs: maintainer-approval+
Update vuln.xml (1.15 KB, patch)
2015-10-26 19:38 UTC, Mathieu Simon
no flags

Description Mathieu Simon 2015-10-26 19:38:15 UTC
Created attachment 162481
Updates lldpd to 0.7.19

Dear port committers

Here are 2 patches, one updating the port net-mgmt/lldpd to 0.7.19 which closed a buffer overflow that was introduced with version 0.5.6 but only if hardening was explicitly disabled.

Hardening was explicitly enabled when I bumped the port to 0.7.16 thus even the current port as of writing shouldn't be vulnerable.

The second patch is an attempt after some RTFM to update vuln.xml, I'm not sure if that fits, though at least xmllint says it's valid XML. I hope this follows the process for vuxml.

The changes have passed a poudriere testport in 9.2 and 10.2 amd64 jail as well as a quick runtime check.

-- Mathieu
Comment 1 Mathieu Simon 2015-10-26 19:38:49 UTC
Created attachment 162482
Update vuln.xml
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-10-27 13:45:00 UTC
A commit references this bug:

Author: mat
Date: Tue Oct 27 13:44:08 UTC 2015
New revision: 400236
URL: https://svnweb.freebsd.org/changeset/ports/400236

Log:
  Document lldpd security vulnerability.

  PR:		204044
  Submitted by:	maintainer
  Sponsored by:	Absolight

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-10-27 13:45:02 UTC
A commit references this bug:

Author: mat
Date: Tue Oct 27 13:44:13 UTC 2015
New revision: 400237
URL: https://svnweb.freebsd.org/changeset/ports/400237

Log:
  Update to 0.7.19.

  Fixes a buffer overflow allowing arbitrary code execution.

  PR:		204044
  Submitted by:	maintainer
  MFH:		2015Q4
  Security:	2a4a112a-7c1b-11e5-bd77-0800275369e2
  Sponsored by:	Absolight

Changes:
  head/net-mgmt/lldpd/Makefile
  head/net-mgmt/lldpd/distinfo
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-10-27 13:58:13 UTC
A commit references this bug:

Author: mat
Date: Tue Oct 27 13:57:40 UTC 2015
New revision: 400244
URL: https://svnweb.freebsd.org/changeset/ports/400244

Log:
  MFH: r398954 r398994 r400237

  net-mgmt/lldpd: update 0.7.16 -> 0.7.19

  - Add additional information to README on -I interface flag usage
  - Change formatting of pkg-message
  - net-mgmt/lldpd: Add maintainer's mirror to MASTER_SITES

  Fixes a buffer overflow allowing arbitrary code execution.

  PR:		203621 204044
  Submitted by:	maintainer
  Security:	2a4a112a-7c1b-11e5-bd77-0800275369e2
  Sponsored by:	Absolight

Changes:
_U  branches/2015Q4/
  branches/2015Q4/net-mgmt/lldpd/Makefile
  branches/2015Q4/net-mgmt/lldpd/distinfo
  branches/2015Q4/net-mgmt/lldpd/files/README.bsd
  branches/2015Q4/net-mgmt/lldpd/pkg-message
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-11-10 03:19:48 UTC
A commit references this bug:

Author: junovitch
Date: Tue Nov 10 03:18:50 UTC 2015
New revision: 401184
URL: https://svnweb.freebsd.org/changeset/ports/401184

Log:
  Revise lldpd entry to cover denial of service CVE and add references.

  PR:		204044
  Security:	CVE-2015-8012
  Security:	CVE-2015-8011
  Security:	https://vuxml.FreeBSD.org/freebsd/2a4a112a-7c1b-11e5-bd77-0800275369e2.html

Changes:
  head/security/vuxml/vuln.xml