Bug 204237 - net/librsync: Security Vulnerability (CVE-2014-8242)
Summary: net/librsync: Security Vulnerability (CVE-2014-8242)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ports Security Team
URL:
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2015-11-03 01:14 UTC by Sevan Janiyan
Modified: 2016-01-08 18:32 UTC

See Also:
koobs: merge-quarterly?


Attachments

Comment 1 Mark Felder 2016-01-08 18:01:31 UTC
assigning to ports-secteam
Comment 2 commit-hook 2016-01-08 18:23:30 UTC
A commit references this bug:

Author: feld
Date: Fri Jan  8 18:23:26 UTC 2016
New revision: 405583
URL: https://svnweb.freebsd.org/changeset/ports/405583

Log:
  Document net/librsync collision vulnerability

  PR:		204237
  Security:	CVE-2014-8242

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Mark Felder 2016-01-08 18:32:21 UTC
net/librsync is the pre-1.0.0 release and is not API compatible with 1.0.0+ because they moved from MD4 to BLAKE2.

The fixed version is available in net/librsync1, but you need to port your software to it.

We should probably DEPRECATE net/librsync, but first the dependent ports need to be analyzed.

Notifying users via the vuxml entry should be good enough for now.
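An added check, written for this note and not part of the bug report or of librsync itself: it parses the header of a librsync signature file and reports whether it was produced in the pre-1.0 MD4 format (the one affected by CVE-2014-8242, i.e. by net/librsync) or the 1.0.0+ BLAKE2 format (net/librsync1), which is one way to find stored signatures that still depend on the old port. The header layout and the magic constants are assumptions taken from librsync.h as I recall it; verify them against your installed header.

```python
import struct

# Signature-file magic numbers (assumption: from librsync.h as recalled;
# check against the header shipped with your librsync version).
RS_MD4_SIG_MAGIC = 0x72730136     # pre-1.0 format: MD4 strong sums (CVE-2014-8242)
RS_BLAKE2_SIG_MAGIC = 0x72730137  # librsync 1.0.0+: BLAKE2 strong sums

MAGIC_NAMES = {RS_MD4_SIG_MAGIC: "md4", RS_BLAKE2_SIG_MAGIC: "blake2"}


def parse_signature(data: bytes) -> dict:
    """Parse a librsync signature blob.

    Layout (all big-endian 32-bit ints): magic, block_len, strong_sum_len,
    then one record per block: 4-byte weak (rolling) sum + strong_sum_len bytes.
    """
    if len(data) < 12:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = struct.unpack(">III", data[:12])
    if magic not in MAGIC_NAMES:
        raise ValueError(f"not a librsync signature (magic 0x{magic:08x})")
    if not 1 <= strong_len <= 32:  # MD4 gives 16 bytes, BLAKE2b up to 32
        raise ValueError(f"implausible strong_sum_len {strong_len}")
    rec = 4 + strong_len
    body = data[12:]
    if len(body) % rec:
        raise ValueError("trailing bytes do not form a whole block record")
    blocks = [(struct.unpack(">I", body[i:i + 4])[0], body[i + 4:i + rec])
              for i in range(0, len(body), rec)]
    return {"strong_sum": MAGIC_NAMES[magic], "block_len": block_len,
            "strong_sum_len": strong_len, "blocks": blocks}


def uses_md4(data: bytes) -> bool:
    """True when the signature is in the pre-1.0 MD4 format, i.e. it was made
    by net/librsync rather than net/librsync1 and should be regenerated."""
    return parse_signature(data)["strong_sum"] == "md4"


def make_signature(magic: int, block_len: int, strong_sums: list) -> bytes:
    """Assemble a signature blob from given strong sums. Constructed test data:
    the weak sums are dummy counters, not real rolling checksums."""
    strong_len = len(strong_sums[0])
    out = struct.pack(">III", magic, block_len, strong_len)
    for i, s in enumerate(strong_sums):
        out += struct.pack(">I", i + 1) + s
    return out
```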