Bug 209219 - devel/jansson: denial of service vulnerability (CVE-2016-4425)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Vanilla I. Shu
URL: http://www.openwall.com/lists/oss-sec...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2016-05-03 00:22 UTC by Jason Unovitch
Modified: 2016-05-20 01:40 UTC

See Also:
vanilla: maintainer-feedback+
junovitch: merge-quarterly+


Description Jason Unovitch freebsd_committer 2016-05-03 00:22:48 UTC
Maintainer of devel/jansson,
There is a report of a denial of service issue (CVE-2016-4425) in the library reported on oss-security (http://www.openwall.com/lists/oss-security/2016/05/02/1). The report indicates this impacts jansson < 2.5 and the fix is still pending at https://github.com/akheron/jansson/issues/282. When there is a resolution, this will need to filter down into the port and get a VuXML entry.
Comment 1 Jason Unovitch freebsd_committer 2016-05-03 13:50:19 UTC
It looks like the fix was applied upstream:
https://github.com/akheron/jansson/pull/284
Comment 2 commit-hook freebsd_committer 2016-05-04 06:25:48 UTC
A commit references this bug:

Author: vanilla
Date: Wed May  4 06:25:13 UTC 2016
New revision: 414586
URL: https://svnweb.freebsd.org/changeset/ports/414586

Log:
  Fix CVE-2016-4425.

  PR:		209219
  Submitted by:	junovitch@

Changes:
  head/devel/jansson/Makefile
  head/devel/jansson/files/patch-CVE-2016-4425
Comment 3 commit-hook freebsd_committer 2016-05-04 06:26:49 UTC
A commit references this bug:

Author: vanilla
Date: Wed May  4 06:25:53 UTC 2016
New revision: 414587
URL: https://svnweb.freebsd.org/changeset/ports/414587

Log:
  Add entry of devel/jansson

  PR:		209219
  Submitted by:	junovitch@

Changes:
  head/security/vuxml/vuln.xml