Bug 235186 - security/keybase: Needs PORTREVISION bump and rebuild (CVE-2019-6486)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Po-Chuan Hsieh
Keywords: needs-qa, security
Reported: 2019-01-25 02:36 UTC by Dmitri Goutnik
Modified: 2019-01-28 18:59 UTC
bugzilla: maintainer-feedback? (sunpoet)

Description Dmitri Goutnik freebsd_committer freebsd_triage 2019-01-25 02:36:24 UTC
Needs PORTREVISION bump and rebuild with Go 1.11.5 [1] to fix CVE-2019-6486 [2] which affects software relying on 'crypto/elliptic' [3]

[1] https://golang.org/doc/devel/release.html#go1.11
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-6486
[3] https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-01-25 02:44:21 UTC
lang/go updated to 1.11.5 in ports r491092 by jlaffaye, but can't see it was marked for MFH, nor a VuXML entry

If this port needs a PORTREVISION bump after lang/go CVE update, what other ports need PORTREVISION bumps too?
Comment 2 Dmitri Goutnik freebsd_committer freebsd_triage 2019-01-25 14:50:34 UTC
As a security fix release lang/go 1.11.5 probably needs VuXML and should be MFH. 

I don't have an exhaustive list of ports that are affected by CVE-2019-6486 and need rebuilding. I guess it's up to maintainers to check go list -deps ./... | grep "crypto\/elliptic" and decide if a PORTREVISION bump would be warranted.
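
The check suggested in Comment 2, run over several source trees at once, as an added example that is not part of the bug thread or the ports tree. It matches crypto/elliptic as an exact import path, so a look-alike third-party path does not count. The function names, the deps.txt files, the alpha/beta/gamma directories and the example.org paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which Go source trees depend on crypto/elliptic.

# list_deps DIR: print the import paths that DIR's packages depend on.
# A saved listing DIR/deps.txt is used when present (the constructed
# samples below); otherwise the command from Comment 2 is run inside DIR.
list_deps() {
    if [ -f "$1/deps.txt" ]; then
        cat "$1/deps.txt"
    else
        (cd "$1" && go list -deps ./...)
    fi
}

# links_pkg PKG: succeed if stdin has PKG as a whole line.
# -x and -F make this an exact, literal match, unlike a substring grep.
links_pkg() {
    grep -qxF -- "$1"
}

# affected_ports PKG DIR...: print each DIR whose dependencies include PKG.
affected_ports() {
    pkg=$1
    shift
    for dir in "$@"; do
        if list_deps "$dir" | links_pkg "$pkg"; then
            printf '%s\n' "$dir"
        fi
    done
}

# demo: build three constructed dependency listings and triage them.
# alpha depends on crypto/elliptic, beta does not, and gamma only has
# a third-party path that ends in the same words.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/alpha" "$tmp/beta" "$tmp/gamma"
    printf '%s\n' errors crypto/ecdsa crypto/elliptic example.org/alpha \
        > "$tmp/alpha/deps.txt"
    printf '%s\n' fmt os example.org/beta > "$tmp/beta/deps.txt"
    printf '%s\n' fmt example.org/gamma/crypto/elliptic \
        > "$tmp/gamma/deps.txt"
    (cd "$tmp" && affected_ports crypto/elliptic alpha beta gamma)
    rm -rf "$tmp"
}

demo
```

Only the directories printed are candidates for a PORTREVISION bump; a tree without deps.txt needs the Go toolchain installed, since the listing is then produced by go list itself.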
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-01-28 18:58:49 UTC
A commit references this bug:

Author: sunpoet
Date: Mon Jan 28 18:58:30 UTC 2019
New revision: 491509
URL: https://svnweb.freebsd.org/changeset/ports/491509

Log:
  Bump PORTREVISION to force rebuild after golang 1.11.5 security update

  PR:		235186
  Reported by:	Dmitri Goutnik <dg@syrec.org>

Changes:
  head/security/keybase/Makefile
Comment 4 Po-Chuan Hsieh freebsd_committer freebsd_triage 2019-01-28 18:59:04 UTC
Committed. Thanks!