Bug 211613 - net-mgmt/collectd5: Update to 5.5.2 (Fixes security vulnerability: CVE-2016-6254)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Brad Davis
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-08-05 21:29 UTC by Brad Davis
Modified: 2016-08-14 17:13 UTC

See Also:
bugzilla: maintainer-feedback? (ports)
koobs: merge-quarterly+


Attachments
patch (2.75 KB, patch)
2016-08-05 21:29 UTC, Brad Davis
no flags

Description Brad Davis freebsd_committer 2016-08-05 21:29:28 UTC
This is a pretty important update because it fixes CVE-2016-6254.

I have also removed the reading of the stolen counter completely, since it is gone in 10.3 and later, but the builders run 10.1.  Most people should be moving off of 10.1 & 10.2 since they EoL later this year.
Comment 1 Brad Davis freebsd_committer 2016-08-05 21:29:54 UTC
Created attachment 173344 [details]
patch
Comment 2 Ruben Kerkhof 2016-08-06 10:15:05 UTC
Hey Brad, thanks for CC-ing me.

Any reason why you don't drop the complete patch-src_zfs__arc.c patch?
Comment 3 Brad Davis freebsd_committer 2016-08-06 13:51:52 UTC
Hi Ruben,

Because the pkg builders run 10.1, so the collectd package they build will still emit the error on >stable/10 after 10.2.  So this patch fixes the error message by unconditionally removing the counter.
Comment 4 Ruben Kerkhof 2016-08-08 10:59:10 UTC
(In reply to Brad Davis from comment #3)

Makes sense, of course. I must have been low on coffee when I wrote that, please ignore me ;) The patch can be dropped only when we release 5.6 next month.
Comment 5 Mark Felder freebsd_committer 2016-08-08 15:32:27 UTC
I approve this patch and MFH to 2016Q3 if applicable.
Comment 6 commit-hook freebsd_committer 2016-08-08 15:48:04 UTC
A commit references this bug:

Author: brd
Date: Mon Aug  8 15:47:23 UTC 2016
New revision: 419861
URL: https://svnweb.freebsd.org/changeset/ports/419861

Log:
  Document collectd security advisory.

  PR:		211613
  Security:	CVE-2016-6254

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2016-08-08 15:51:06 UTC
A commit references this bug:

Author: brd
Date: Mon Aug  8 15:50:18 UTC 2016
New revision: 419862
URL: https://svnweb.freebsd.org/changeset/ports/419862

Log:
  Update net-mgmt/collectd5 to 5.5.2

  PR:		211613
  Submitted by:	brd
  Approved by:	ports-secteam (feld)
  Security:	6da45e38-5b55-11e6-8859-000c292ee6b8

Changes:
  head/net-mgmt/collectd5/Makefile
  head/net-mgmt/collectd5/distinfo
  head/net-mgmt/collectd5/files/patch-src_zfs__arc.c
  head/net-mgmt/collectd5/files/patch-version-gen.sh
Comment 8 commit-hook freebsd_committer 2016-08-08 19:39:46 UTC
A commit references this bug:

Author: brd
Date: Mon Aug  8 19:38:45 UTC 2016
New revision: 419893
URL: https://svnweb.freebsd.org/changeset/ports/419893

Log:
  MFH: r419862 net-mgmt/collectd5: Update net-mgmt/collectd5 to 5.5.2

  PR:		211613
  Submitted by:	brd
  Approved by:	ports-secteam (feld)
  Security:	6da45e38-5b55-11e6-8859-000c292ee6b8

Changes:
_U  branches/2016Q3/
  branches/2016Q3/net-mgmt/collectd5/Makefile
  branches/2016Q3/net-mgmt/collectd5/distinfo
  branches/2016Q3/net-mgmt/collectd5/files/patch-src_zfs__arc.c
  branches/2016Q3/net-mgmt/collectd5/files/patch-version-gen.sh
Comment 9 Krzysztof 2016-08-08 20:06:00 UTC
Thank you for your work. I was on vacation and was not able to answer or discuss.
Comment 10 Krzysztof 2016-08-09 07:26:06 UTC
It seems that the latest version of collectd broke the network plugin. I've made an upgrade of collectd5 and the network plugin causes collectd to core dump.

Aug  9 08:59:25 fw collectd[18731]: network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: General error
Aug  9 08:59:25 fw collectdmon[18718]: Warning: collectd was terminated by signal 6 (core dumped)
Aug  9 08:59:25 fw kernel: pid 18731 (collectd), uid 0: exited on signal 6 (core dumped)

I've found a similar issue on Debian bugs: http://osdir.com/ml/general/2016-07/msg40034.html

So I think we should warn users about this issue. I'll check collectd bugs list if they are aware of this.
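The three syslog lines quoted in this comment are the signature an operator would want to alert on after rolling out the 5.5.2 package: a plugin error logged by the collectd pid, followed by the kernel's "exited on signal" notice for the same pid. The following Python scanner is an added example for this page, not code from the bug thread or from collectd; it parses BSD-style syslog lines, keeps the last message each pid wrote, and attaches that message to every kernel crash notice as the probable cause. The sample log is constructed after the quoted lines (with one extra line for a later restart), the regular expressions and the `Crash`/`find_crashes`/`describe` names are this example's own, and it assumes the default FreeBSD setting `kern.logsigexit=1`, which is what produces the kernel line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the three syslog lines quoted in
# comment 10 plus one line for a later restart; not taken from a real host.
SAMPLE_LOG = """\
Aug  9 08:59:25 fw collectd[18731]: network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: General error
Aug  9 08:59:25 fw collectdmon[18718]: Warning: collectd was terminated by signal 6 (core dumped)
Aug  9 08:59:25 fw kernel: pid 18731 (collectd), uid 0: exited on signal 6 (core dumped)
Aug  9 09:00:01 fw collectd[18740]: plugin_load: plugin "network" successfully loaded.
"""

# BSD syslog line: "<timestamp> <host> <prog>[<pid>]: <message>"; kernel lines have no pid.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# FreeBSD kernel notice for an abnormal exit (emitted when kern.logsigexit=1, the default).
KERN_EXIT_RE = re.compile(
    r"^pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)


@dataclass
class Crash:
    ts: str
    host: str
    prog: str
    pid: int
    uid: int
    signal: int
    core_dumped: bool
    last_message: Optional[str]  # last line the crashing pid logged itself, if any


def find_crashes(log_text: str) -> List[Crash]:
    """Return one Crash per kernel 'exited on signal' line, with the crashing
    process's own most recent log line attached as the probable cause."""
    last_by_pid: Dict[int, str] = {}
    crashes: List[Crash] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape; skip it
        if m["pid"] is not None:
            # remember the newest message from each pid for later attribution
            last_by_pid[int(m["pid"])] = m["msg"]
        if m["prog"] != "kernel":
            continue
        k = KERN_EXIT_RE.match(m["msg"])
        if not k:
            continue
        pid = int(k["pid"])
        crashes.append(Crash(
            ts=m["ts"], host=m["host"], prog=k["prog"], pid=pid,
            uid=int(k["uid"]), signal=int(k["sig"]),
            core_dumped=k["core"] is not None,
            # pop so a reused pid does not inherit a stale message
            last_message=last_by_pid.pop(pid, None),
        ))
    return crashes


def describe(crash: Crash) -> str:
    """One-line human-readable summary suitable for an alert body."""
    cause = crash.last_message or "(no earlier message from this pid)"
    dump = " core dumped," if crash.core_dumped else ""
    return (f"{crash.ts} {crash.host}: {crash.prog}[{crash.pid}] (uid {crash.uid}) "
            f"died on signal {crash.signal},{dump} last said: {cause}")


if __name__ == "__main__":
    for c in find_crashes(SAMPLE_LOG):
        print(describe(c))
```

The kernel line, not the collectdmon warning, is used as the crash record because it carries the pid and uid of the process that actually died; the collectdmon message only names the child by signal. Attribution by "last message from the same pid" is a heuristic: it points at the gcry_control failure here, but a plugin that crashes silently will simply show no earlier message.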
Comment 11 Krzysztof 2016-08-09 08:32:43 UTC
This problem with the network plugin was just reported to the collectd community:
https://github.com/collectd/collectd/issues/1870
Comment 12 Brad Davis freebsd_committer 2016-08-09 13:17:14 UTC
OK, lets work with them to resolve it.

FWIW, I am not seeing the same core dump and I use the network plugin as well.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-12 16:36:27 UTC
Correctly track merge (MFH)
Comment 14 commit-hook freebsd_committer 2016-08-14 17:13:12 UTC
A commit references this bug:

Author: junovitch
Date: Sun Aug 14 17:12:27 UTC 2016
New revision: 420194
URL: https://svnweb.freebsd.org/changeset/ports/420194

Log:
  Fix PKGNAME for collectd5

  PR:		211613

Changes:
  head/security/vuxml/vuln.xml