Bug 233109 - security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
Summary: security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ports Security Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-10 12:54 UTC by Franco Fichtner
Modified: 2018-11-10 14:37 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
exclude LibreSSL smaller than 2.8 (474 bytes, patch)
2018-11-10 12:54 UTC, Franco Fichtner
brnrd: maintainer-approval-

Description Franco Fichtner 2018-11-10 12:54:51 UTC
Created attachment 199109 [details]
exclude LibreSSL smaller than 2.8

Hi,

# libressl-2.7.4 is vulnerable:
# OpenSSL -- Multiple vulnerabilities in 1.1 branch
# CVE: CVE-2018-0734
# CVE: CVE-2018-0735
# WWW: https://vuxml.FreeBSD.org/freebsd/238ae7de-dba2-11e8-b713-b499baebfeaf.html

This is incorrect.  Allegedly 2.8 is affected because it shares the same qualities as OpenSSL 1.1.x.  LibreSSL 2.7 is still a 1.0.x equivalent.

To me it is unclear why LibreSSL was pulled into this entry due to apparent hearsay.  LibreSSL has been officially silent about this issue and has not even issued / announced "2.8.3", so the entry is completely bogus.

https://www.libressl.org/releases.html

For now, just exclude versions < 2.8 and let this be figured out by ports-secteam@


Cheers,
Franco
Comment 1 commit-hook freebsd_committer freebsd_triage 2018-11-10 14:02:26 UTC
A commit references this bug:

Author: brnrd
Date: Sat Nov 10 14:02:01 UTC 2018
New revision: 484612
URL: https://svnweb.freebsd.org/changeset/ports/484612

Log:
  security/vuxml: Update latest openssl entry

   - LibreSSL prior to 2.8 not vulnerable
   - LibreSSL likely not vulnerable to CVE-2018-0735

  PR:		233109
  Submitted by:	Franco Fichtner <franco opnsense org>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Franco Fichtner 2018-11-10 14:02:58 UTC
Thank you.
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2018-11-10 14:03:29 UTC
Comment on attachment 199109 [details]
exclude LibreSSL smaller than 2.8

security/libressl in FreeBSD's ports tree is 2.8.2 and is vulnerable.
Comment 4 Franco Fichtner 2018-11-10 14:06:51 UTC
PS: I don't get the "-" maintainer approval. The commit you pushed is the same. You can use multiple names in <package/> ;)
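A worked example, added here and not part of this bug or of the ports tree: a constructed vuxml fragment in the shape of the corrected entry (one <package> carrying several <name> elements plus a <range> with a 2.8 floor) and a small Python checker that shows libressl-2.7.4 falls outside the range while 2.8.2 does not. The vid and the version bounds are illustrative placeholders, not the real entry's values, and the version comparison is a simplified approximation of pkg(8)'s.

```python
import re
import xml.etree.ElementTree as ET
# Constructed vuxml fragment shaped like the corrected entry: several <name>s in one
# <package>, plus a <range> that excludes LibreSSL before 2.8 (placeholder vid/versions).
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>OpenSSL -- Multiple vulnerabilities in 1.1 branch</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><ge>1.1.0</ge><lt>1.1.0i_1</lt></range>
      </package>
      <package>
        <name>libressl</name>
        <name>libressl-devel</name>
        <range><ge>2.8</ge><lt>2.8.3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
OPS = {"ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
       "le": lambda a, b: a <= b, "lt": lambda a, b: a < b}

def vkey(version):
    # Simplified port-version key: digits compare numerically, letters lexically,
    # so 1.1.0h < 1.1.0i < 1.1.0i_1 and 2.7.4 < 2.8 < 2.8.2. pkg(8)'s rules are richer.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def in_range(version, rng):
    # True when the version satisfies every bound element (<ge>, <lt>, ...) of one <range>.
    key = vkey(version)
    return all(OPS[b.tag.split("}")[-1]](key, vkey(b.text)) for b in rng)

def affected_topics(pkgname, version, vuxml=VUXML):
    # Topics of every <vuln> whose <affects> covers pkgname-version (what pkg audit reports).
    hits = []
    for vuln in ET.fromstring(vuxml).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkgname not in [n.text for n in pkg.findall("v:name", NS)]:
                continue
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append(vuln.findtext("v:topic", namespaces=NS))
                break
    return hits

if __name__ == "__main__":
    for pkg, ver in [("libressl", "2.7.4"), ("libressl", "2.8.2"), ("openssl", "1.1.0h")]:
        print(pkg + "-" + ver + ":", affected_topics(pkg, ver) or "not affected")
```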
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2018-11-10 14:37:53 UTC
(In reply to Franco Fichtner from comment #4)
Didn't spot that in the diff, you're right.

For the record (from IRC, 2018-10-27)

User: "is libressl affected by CVE-2018-0735? https://www.openssl.org/news/secadv/20181029.txt"
LibreSSL dev: "yes, we're going to be starting on it soon"