r439797 added security/libressl/files/patch-CVE-2017-8301 which doesn't apply cleanly to libressl 2.4.5. As a result the security/libressl build fails at the patch stage when using the 2017Q2 branch. Backporting the libressl update to 2.5.3 (r438307) solved the problem for me, therefore I haven't checked whether or not 2.4.5 is actually affected by CVE-2017-8301.
*** Bug 219005 has been marked as a duplicate of this bug. ***
(In reply to Fabian Keil from comment #0) I understand only 2.5.x is affected according to the following report: http://seclists.org/oss-sec/2017/q2/145

I manually deleted the patch file in the SVN checkout to rebuild my Poudriere repo.
A commit references this bug:

Author: brnrd
Date: Tue May 2 14:31:54 UTC 2017
New revision: 439948
URL: https://svnweb.freebsd.org/changeset/ports/439948

Log:
  security/libressl: Revert previous commit

  - Big fail on my part, required revert
  - Version 2.4.5 not vulnerable to CVE-2017-8301

  PR:           218988 219005
  Reported by:  Xavier Garcia <vi.garcia@gmail.com>
  Reported by:  Fabian Keil <fk@fabiankeil.de>
  Approved by:  ports-secteam (broken quarterly blanket)

Changes:
  branches/2017Q2/security/libressl/Makefile
  branches/2017Q2/security/libressl/files/patch-CVE-2017-8301
  branches/2017Q2/security/libressl-devel/Makefile
  branches/2017Q2/security/libressl-devel/files/patch-CVE-2017-8301
Wow, that was a stellar stupid commit of mine. Sorry for the inconvenience! Fabian: Please only mark maintainer-feedback if a patch is attached. Maintainers get automatic notifications when bugs are reported on ports they maintain (see Assignee field).
I don't remember setting the maintainer-feedback flag and suspect that it was done automatically, just like the "Assignee" change supposedly done by myself. Having said that, it's not obvious to me why you think the flag should only be set for reports that contain patches. BTW, did you intentionally revert the whole commit including the parts that affect security/libressl-devel?
Shouldn't the commit only be reverted for security/libressl, but not security/libressl-devel, to which the CVE still applies?