Bug 206808 - net/samba36: security/vuxml: ineffective vuxml entry
Summary: net/samba36: security/vuxml: ineffective vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jason Unovitch
URL: https://www.samba.org/samba/ftp/patch...
Keywords: needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2016-01-31 22:34 UTC by Marcin Gryszkalis
Modified: 2016-02-27 23:57 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback? (timur)
junovitch: merge-quarterly+


Attachments
samba-3.6.35_2.patch (24.83 KB, patch)
2016-02-04 06:37 UTC, takefu
no flags Details | Diff
samba42-4.2.8.patch (40.38 KB, patch)
2016-02-08 08:36 UTC, takefu
no flags Details | Diff
samba43-4.3.4.patch (38.88 KB, patch)
2016-02-08 08:37 UTC, takefu
no flags Details | Diff
ldb-1.1.25.patch (2.50 KB, patch)
2016-02-08 08:38 UTC, takefu
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcin Gryszkalis 2016-01-31 22:34:53 UTC
timur@freebsd added an entry in vuxml for all samba ports
http://www.freshports.org/vuxml.php?vid=ef434839-a6a4-11e5-8275-000c292e4fd8
with "le 3.6.25" but it seems that port already had PORTREVISION=1 so it seems the entry is noop.
Comment 1 takefu 2016-02-04 06:37:33 UTC
Created attachment 166536 [details]
samba-3.6.35_2.patch
Comment 2 takefu 2016-02-04 06:43:08 UTC
Corresponding to the patches have been released.
https://www.samba.org/samba/ftp/patches/security/samba-3.6.25-security-2015-12-16.patch

Fix
  strip binary
  makepatch
Comment 3 Marcin Gryszkalis 2016-02-04 21:48:55 UTC
patch applied, samba rebuilt and seems to be operational.
Comment 4 commit-hook freebsd_committer 2016-02-05 20:04:17 UTC
A commit references this bug:

Author: junovitch
Date: Fri Feb  5 20:04:06 UTC 2016
New revision: 408264
URL: https://svnweb.freebsd.org/changeset/ports/408264

Log:
  Update version of net/samba36 package to reflect it is still unpatched

  PR:		206808
  Reported by:	Marcin Gryszkalis <mg@fork.pl>
  Security:	CVE-2015-5252
  Security:	CVE-2015-5296
  Security:	CVE-2015-5299
  Security:	https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jason Unovitch freebsd_committer 2016-02-05 21:21:58 UTC
Timur,
Poudriere on the following is all good:
9.3-RELEASE-p34      amd64
9.3-RELEASE-p34      i386
10.1-RELEASE-p27     amd64
10.1-RELEASE-p27     i386
10.2-RELEASE-p10     amd64
10.2-RELEASE-p10     i386
11.0-CURRENT r294191 amd64
11.0-CURRENT r294191 i386

We've got the buildtime QA here and the runtime QA from Marcin in comment 3. I'd be glad to go ahead and commit this with your approval if you are busy.
Comment 6 Timur I. Bakeyev freebsd_committer 2016-02-06 00:33:12 UTC
(In reply to Jason Unovitch from comment #5)

I've looked into the provided patch and, while patch to Makefile looks good, the rest of the changes are excessive and only misleading. Also, I'm not certain, that stripping the binary unconditionally is a good idea in general, taking into account that this info is helpful for debugging.

To summarize that - if you willing to commit the changes ASAP, then, please only take changes to Makefile and distfile.

Otherwise I'll that next week, together with the rest of upgrades of Samba 4.2/4.3.

WBR,
Timur.
Comment 7 takefu 2016-02-08 08:36:53 UTC
Created attachment 166734 [details]
samba42-4.2.8.patch
Comment 8 takefu 2016-02-08 08:37:22 UTC
Created attachment 166735 [details]
samba43-4.3.4.patch
Comment 9 takefu 2016-02-08 08:38:59 UTC
Created attachment 166736 [details]
ldb-1.1.25.patch

Update
  samba42 4.2.8
  samba43 4.3.4
  ldb 1.1.25
Comment 10 commit-hook freebsd_committer 2016-02-27 23:51:00 UTC
A commit references this bug:

Author: junovitch
Date: Sat Feb 27 23:50:55 UTC 2016
New revision: 409703
URL: https://svnweb.freebsd.org/changeset/ports/409703

Log:
  net/samba36: add patches corresponding to 16 Dec 2015 security releases

  PR:		206808
  Reported by:	Marcin Gryszkalis <mg@fork.pl>
  Submitted by:	takefu@airport.fm (original patch)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2015-5252
  Security:	CVE-2015-5296
  Security:	CVE-2015-5299
  Security:	https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html
  MFH:		2016Q1

Changes:
  head/net/samba36/Makefile
  head/net/samba36/distinfo
Comment 11 commit-hook freebsd_committer 2016-02-27 23:54:04 UTC
A commit references this bug:

Author: junovitch
Date: Sat Feb 27 23:53:15 UTC 2016
New revision: 409704
URL: https://svnweb.freebsd.org/changeset/ports/409704

Log:
  MFH: r406862, r409126, r409127, r409703

  r406862 (net/samba36 only):
  Remove deprecated @dirrm's from pkg-plist of samba ports.
  Note that net/samba4 got it's PORTVERSION bumped as stage-qa found
  one file not included in pkg-plist.

  PR:             205950
  Submitted by:   myself
  Approved by:    maintainer timeout

  r409126:
  net/samba36: Mark DEPRECATED

  This Samba port was not yet marked deprecated. It has been EoL since 2015-03-04

  r409127:
  net/samba36: Extend expiration date

  I intended this to align with the next quarterly release.

  r409703:
  net/samba36: add patches corresponding to 16 Dec 2015 security releases

  PR:             206808
  Reported by:    Marcin Gryszkalis <mg@fork.pl>
  Submitted by:   takefu@airport.fm (original patch)
  Approved by:    ports-secteam (with hat)
  Security:       CVE-2015-5252
  Security:       CVE-2015-5296
  Security:       CVE-2015-5299
  Security:       https://vuxml.FreeBSD.org/freebsd/ef434839-a6a4-11e5-8275-000c292e4fd8.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/net/samba36/Makefile
  branches/2016Q1/net/samba36/distinfo
  branches/2016Q1/net/samba36/pkg-plist.swat
Comment 12 Jason Unovitch freebsd_committer 2016-02-27 23:57:48 UTC
Only required changes for the security update have been committed.

takefu, please open a new PR for the updates.  They are outside the scope of the "net/samba36: security/vuxml: ineffective vuxml entry" that this PR was opened for.  Also, FYI, Samba 4.3.5 is out.

Marcin, thank you for the report.

Take, close, and set merge-quarterly+