Bug 209594 - security/botan110: CVE-2016-2849
Summary: security/botan110: CVE-2016-2849
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jason Unovitch
URL:
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2016-05-18 02:10 UTC by Sevan Janiyan
Modified: 2016-06-14 01:50 UTC (History)
3 users (show)

See Also:
vlad-fbsd: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
Upgrade to 1.10.13 (1.60 KB, patch)
2016-06-13 15:00 UTC, Lapo Luchini
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2016-05-18 02:10:19 UTC
Version in ports is vulnerable to a side channel attack addressed in 1.10.13
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2849
Comment 1 Lapo Luchini 2016-05-18 10:59:01 UTC
The 1.10.13 port is ready (it's actually just a bump), but I'm waiting for the formal upstream release in order to have an official source of the fixed bugs:
https://botan.randombit.net/news.html
Comment 2 Sevan Janiyan 2016-05-18 11:30:34 UTC
(In reply to Lapo Luchini from comment #1)
There was a announcement on the list
https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html
Comment 3 VK freebsd_triage 2016-06-09 14:55:46 UTC
Guys, what's the status on this? Lapo, could you perhaps do the vuxml entry patch if the port update is not ready yet?
Comment 4 Lapo Luchini 2016-06-13 15:00:17 UTC
Created attachment 171388 [details]
Upgrade to 1.10.13
Comment 5 Lapo Luchini 2016-06-13 15:01:15 UTC
The port itself has been long ready, it's the VuXML which isn't yet.
Comment 6 commit-hook freebsd_committer 2016-06-14 01:49:47 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jun 14 01:49:13 UTC 2016
New revision: 416873
URL: https://svnweb.freebsd.org/changeset/ports/416873

Log:
  security/botan110: update 1.10.12 -> 1.10.13

  PR:		209594
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Submitted by:	Lapo Luchini <lapo@lapo.it> (maintainer)
  Security:	CVE-2015-7827
  Security:	CVE-2016-2849
  Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/security/botan110/Makefile
  head/security/botan110/distinfo
Comment 7 Jason Unovitch freebsd_committer 2016-06-14 01:50:18 UTC
Committed. Thanks!
Comment 8 commit-hook freebsd_committer 2016-06-14 01:50:49 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jun 14 01:50:34 UTC 2016
New revision: 416874
URL: https://svnweb.freebsd.org/changeset/ports/416874

Log:
  MFH: r416873

  security/botan110: update 1.10.12 -> 1.10.13

  PR:		209594
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Submitted by:	Lapo Luchini <lapo@lapo.it> (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2015-7827
  Security:	CVE-2016-2849
  Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html

Changes:
_U  branches/2016Q2/
  branches/2016Q2/security/botan110/Makefile
  branches/2016Q2/security/botan110/distinfo