r439797 added security/libressl/files/patch-CVE-2017-8301 which doesn't apply cleanly to libressl 2.4.5.
As a result the security/libressl build build fails at the patch stage when using the 2017Q2 branch.
Backporting the libressl update to 2.5.3 (r438307) solved the problem for me,
therefore I haven't checked whether or not 2.4.5 is acutally affected by
*** Bug 219005 has been marked as a duplicate of this bug. ***
(In reply to Fabian Keil from comment #0)
I understand only 2.5.x is affected according to the following report:
I manually deleted the patch file in the SVN checkout to rebuild my Poudriere repo.
A commit references this bug:
Date: Tue May 2 14:31:54 UTC 2017
New revision: 439948
security/libressl: Revert previous commit
- Big fail on my part, required revert
- Version 2.4.5 not vulnerable to CVE-2017-8301
PR: 218988 219005
Reported by: Xavier Garcia <firstname.lastname@example.org>
Reported by: Fabian Keil <email@example.com>
Approved by: ports-secteam (broken quarterly blanket)
Wow, that was a stellar stupid commit of mine.
Sorry for the inconvenience!
Fabian: Please only mark maintainer-feedback if a patch is attached. Maintainers get automatic notifications when bugs are reported on ports they maintain (see Assignee field).
I don't remember setting the maintainer-feedback flag and suspect that it was
done automatically, just like the "Assignee" change supposedly done by myself.
Having said that, it's not obvious to me why you think the flag should only be
set for reports that contain patches.
BTW, did you intentionally revert the whole commit including the parts
that affect security/libressl-devel?
Shouldn't the commit only be reverted for security/libressl, but not security/libressl-devel, to which the CVE still applies?