Bug 215587 - www/h2o: patch CVE-2016-7835 & add security/vuxml entry
Summary: www/h2o: patch CVE-2016-7835 & add security/vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Bernard Spil
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-26 19:01 UTC by Dave Cottlehuber
Modified: 2017-01-06 03:35 UTC (History)
3 users (show)

See Also:
junovitch: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
v1 patch (10.55 KB, text/plain)
2016-12-26 19:01 UTC, Dave Cottlehuber
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Dave Cottlehuber freebsd_committer 2016-12-26 19:01:09 UTC
Created attachment 178297 [details]
v1 patch

# summary

patch www/h2o for publically announced CVE-2016-7835

- 2.0.5 has too many changes to go into a backported security fix
- include a custom https://github.com/h2o/h2o/commit/1b2b6d7.patch

https://h2o.examp1e.net/vulnerabilities.html

# QA

- portlint OK
- builds against 11_amd64 11_i386 10_amd64 10_i386 9_amd64 9_i386
- vuxml changes passes `make validate`
Comment 1 commit-hook freebsd_committer 2016-12-29 13:08:56 UTC
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:08:33 UTC 2016
New revision: 429906
URL: https://svnweb.freebsd.org/changeset/ports/429906

Log:
  security/vuxml: Document h2o vulnerability

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer 2016-12-29 13:24:11 UTC
A commit references this bug:

Author: brnrd
Date: Thu Dec 29 13:24:01 UTC 2016
New revision: 429910
URL: https://svnweb.freebsd.org/changeset/ports/429910

Log:
  www/h2o: Fix Use-after-free vulnerability

    - Fix duplicate PORTREVISION assignment
    - Register OpenSSL dependency when LIBRESSL is OFF

  PR:		215587
  Submitted by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)
  MFH:		2016Q4
  Security:	d0b12952-cb86-11e6-906f-0cc47a065786
  Security:	CVE-2016-7835

Changes:
  head/www/h2o/Makefile
  head/www/h2o/files/patch-lib_core_request.c
  head/www/h2o/files/patch-lib_http2_connection.c
Comment 3 Jason Unovitch freebsd_committer 2017-01-06 03:35:39 UTC
Sorry for the delay on MFH approval. This is fixed in the currently supported 2017Q1 branch, as such considering this merge-quarterly+ and assigning it to you Bernard as the actioning committer.