Bug 213495 - dns/c-ares: Update to 1.12.0 (CVE-2016-5180)
Summary: dns/c-ares: Update to 1.12.0 (CVE-2016-5180)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Kurt Jaeger
URL: https://daniel.haxx.se/blog/2016/10/1...
Keywords: patch, security
Depends on:
Blocks: 213603
  Show dependency treegraph
 
Reported: 2016-10-15 05:43 UTC by Kurt Jaeger
Modified: 2016-10-20 00:03 UTC (History)
4 users (show)

See Also:
zi: maintainer-feedback+
pi: merge-quarterly+


Attachments
patch (1.38 KB, patch)
2016-10-15 05:43 UTC, Kurt Jaeger
koobs: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kurt Jaeger freebsd_committer 2016-10-15 05:43:42 UTC
Created attachment 175777 [details]
patch

See 

https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/

for a nice writeup of the CVE.

Changes: https://c-ares.haxx.se/changelog.html
Security: CVE-2016-5180
MFH: 2016Q4

Testbuilds@work
Comment 1 Kurt Jaeger freebsd_committer 2016-10-15 05:46:55 UTC
testbuilds are ok on 12a, 11a, 10i. 9.3a is still busy with other stuff.
Comment 2 Bradley T. Hughes freebsd_committer 2016-10-19 07:07:49 UTC
Node.js just released v4.6.1 to address CVE-2016-5180, but since we build the port against the version in ports, I've set the www/node4 update as being blocked by this. Hope we can land this soon :)

Thanks!
Comment 3 Kurt Jaeger freebsd_committer 2016-10-19 09:09:17 UTC
It built without a hick on 9.3a, too, btw..
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-19 09:40:37 UTC
This update blocks security updates for 3 node ports/packages.
Comment 5 Mark Felder freebsd_committer 2016-10-19 14:32:41 UTC
Please commit this change and MFH it as Approved by: ports-secteam (feld)
Comment 6 Ryan Steinmetz freebsd_committer freebsd_triage 2016-10-19 14:37:25 UTC
Approved.
Comment 7 Kurt Jaeger freebsd_committer 2016-10-19 14:40:53 UTC
@work
Comment 8 commit-hook freebsd_committer 2016-10-19 14:43:31 UTC
A commit references this bug:

Author: pi
Date: Wed Oct 19 14:43:09 UTC 2016
New revision: 424257
URL: https://svnweb.freebsd.org/changeset/ports/424257

Log:
  dns/c-ares: update 1.11.0 -> 1.12.0

  - see
    https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
    for a nice writeup of the CVE.

  PR:		213495
  Changes:	https://c-ares.haxx.se/changelog.html
  Security:	CVE-2016-5180
  Approved by:	zi (maintainer)
  MFH:		2016Q4

Changes:
  head/dns/c-ares/Makefile
  head/dns/c-ares/distinfo
  head/dns/c-ares/pkg-plist
Comment 9 commit-hook freebsd_committer 2016-10-19 14:45:33 UTC
A commit references this bug:

Author: pi
Date: Wed Oct 19 14:44:46 UTC 2016
New revision: 424258
URL: https://svnweb.freebsd.org/changeset/ports/424258

Log:
  dns/c-ares: update 1.11.0 -> 1.12.0

  - see
    https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
    for a nice writeup of the CVE.

  PR:		213495
  MFH:		r424257
  Changes:	https://c-ares.haxx.se/changelog.html
  Security:	CVE-2016-5180
  Approved by:	zi (maintainer)
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/dns/c-ares/Makefile
  branches/2016Q4/dns/c-ares/distinfo
  branches/2016Q4/dns/c-ares/pkg-plist
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-20 00:03:19 UTC
Comment on attachment 175777 [details]
patch

Correctly record maintainer approval