Bug 233896 - archivers/libmspack: Update to 0.9.1 (Fixes several security vulnerabilities)
Summary: archivers/libmspack: Update to 0.9.1 (Fixes several security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Ports Security Team
URL: https://www.cabextract.org.uk/libmspa...
Keywords: needs-patch, security
Depends on:
Reported: 2018-12-09 19:44 UTC by Henry
Modified: 2020-07-24 04:14 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (fjoe)
koobs: maintainer-feedback? (ports-secteam)

0.9.1 patch (1022 bytes, patch)
2018-12-09 19:44 UTC, Henry
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Henry 2018-12-09 19:44:06 UTC
Created attachment 199990 [details]
0.9.1 patch

CVEs fixed are the top 9 from https://www.cabextract.org.uk/libmspack/#vulns
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-10 04:42:44 UTC
Pending (requires) VuXML entry
Comment 2 Max Khon freebsd_committer 2018-12-11 08:44:14 UTC
Committed, thanks!
Comment 3 commit-hook freebsd_committer 2018-12-11 08:45:02 UTC
A commit references this bug:

Author: fjoe
Date: Tue Dec 11 08:44:00 UTC 2018
New revision: 487227
URL: https://svnweb.freebsd.org/changeset/ports/487227

  Update to 0.9.1alpha

  PR:		233896
  Submitted by:	Henry David Bartholomew

Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-14 03:42:09 UTC
Re-open for VuXML entry and MFH
Comment 5 Jochen Neumeister freebsd_committer 2019-02-15 18:36:17 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-24 05:44:50 UTC
VuXML entries were not added for this  (0.9.1) or previous releases

The last libsmpack VuXML entry was <vuln vid="cc7548ef-06e1-11e5-8fda-002590263bf5"> added <entry>2015-05-31</entry> for version < 0.5

This leaves 10 CVE's (security vulnerabilities) not reported to users (per https://www.cabextract.org.uk/libmspack/#vulns)
Comment 7 Jochen Neumeister freebsd_committer 2019-05-17 12:29:18 UTC
ping @fjoe
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-23 02:49:12 UTC
Over to ports-secteam, no maintainer response since 2018-12-14

VuXML entries for latest and previous version vulnerabilities (At least 10) remains to be added
Comment 9 Jochen Neumeister freebsd_committer 2020-07-23 15:30:11 UTC
After such a long time, I see no point in creating a vuxml entry. I'm closing here.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:16:06 UTC
@Jochen I don't understand how the time it has been is related or relevant to documenting known security vulnerabilities in VuXML?

If this is a matter of limited available cycles at ports-secteam to document vulnerabilities (in this case > 10 of them), we can put a call out for others to contribute the change
Comment 11 Jochen Neumeister freebsd_committer 2020-07-24 04:14:10 UTC
@Kubilay, I made this decision as ports-secteam. If you want to add the entry, please reopen this PR. Otherwise I consider it done.