Bug 245010 - mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, mail/qmail-tls and mail/qmail: Update TLS patch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kurt Jaeger
Blocks: 244969
Reported: 2020-03-23 18:02 UTC by erdgeist
Modified: 2020-05-26 13:50 UTC

pi: merge-quarterly+


Attachments
patch to make qmail-tls work with most recent netqmail-tls patch (2.11 KB, patch)
2020-03-23 18:02 UTC, erdgeist
erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE (3.53 KB, patch)
2020-05-20 10:39 UTC, erdgeist
erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE (3.88 KB, patch)
2020-05-20 10:58 UTC, erdgeist
erdgeist: maintainer-approval+
Fixes three remotely exploitable CVE (4.24 KB, patch)
2020-05-20 11:11 UTC, erdgeist
erdgeist: maintainer-approval+
vuxml entries for the cve (4.94 KB, application/xml)
2020-05-24 23:18 UTC, erdgeist
erdgeist: maintainer-approval+
vuxml entries for the cve (4.94 KB, text/plain)
2020-05-24 23:25 UTC, erdgeist
no flags

Description erdgeist 2020-03-23 18:02:07 UTC
Created attachment 212650
patch to make qmail-tls work with most recent netqmail-tls patch

This incorporates upstream changes to netqmail-tls patch.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-24 03:20:48 UTC
Does this resolve a build or run time fix?

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]
Comment 2 erdgeist 2020-03-24 03:22:42 UTC
Comment on attachment 212650
patch to make qmail-tls work with most recent netqmail-tls patch

Build and runtime fix
Comment 3 erdgeist 2020-04-18 09:51:31 UTC
Anything else I need to do?
Comment 4 erdgeist 2020-05-20 10:39:26 UTC
Created attachment 214688
Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 5 erdgeist 2020-05-20 10:58:07 UTC
Created attachment 214689
Fixes three remotely exploitable CVE

Bumping PORTREVISION.

Fixes three remotely exploitable CVE

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 6 erdgeist 2020-05-20 11:11:27 UTC
Created attachment 214690
Fixes three remotely exploitable CVE

Bumping PORTREVISION of master and all slave ports.

Fixes qmail-cve-2005-151[3,4,5] as outlined in

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

Also includes:
former patch to make qmail-tls work with most recent netqmail-tls patch
Comment 7 Kurt Jaeger freebsd_committer 2020-05-24 12:43:13 UTC
testbuilds@work
Comment 8 commit-hook freebsd_committer 2020-05-24 12:59:59 UTC
A commit references this bug:

Author: pi
Date: Sun May 24 12:59:03 UTC 2020
New revision: 536399
URL: https://svnweb.freebsd.org/changeset/ports/536399

Log:
  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  MFH:		2020Q2
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515

Changes:
  head/mail/qmail/Makefile
  head/mail/qmail/distinfo
  head/mail/qmail/files/patch-alloc.c
  head/mail/qmail/files/qmailsend.in
  head/mail/qmail-mysql/Makefile
  head/mail/qmail-tls/Makefile
Comment 9 Kurt Jaeger freebsd_committer 2020-05-24 13:01:18 UTC
(In reply to erdgeist from comment #3)
Can you provide vuxml entries for the CVEs?

https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

https://lists.freebsd.org/pipermail/freebsd-questions/2016-August/273034.html
Comment 10 commit-hook freebsd_committer 2020-05-24 13:05:02 UTC
A commit references this bug:

Author: pi
Date: Sun May 24 13:04:06 UTC 2020
New revision: 536400
URL: https://svnweb.freebsd.org/changeset/ports/536400

Log:
  MFH: r536399

  mail/qmail: Fixes CVE-2005-1513 to CVE-2005-1513, update TLS patch
  mail/qmail-tls: Update TLS patch

  See
  https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
  for details about the CVEs

  - now builds with openssl 1.1.1e from the ports

  PR:		244969, 245010
  Submitted by:	erdgeist@erdgeist.org (maintainer)
  Reported by:	klokanek@eldar.cz
  Security:	CVE-2005-1513, CVE-2005-1514, CVE-2005-1515
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/mail/qmail/Makefile
  branches/2020Q2/mail/qmail/distinfo
  branches/2020Q2/mail/qmail/files/patch-alloc.c
  branches/2020Q2/mail/qmail/files/qmailsend.in
  branches/2020Q2/mail/qmail-mysql/Makefile
  branches/2020Q2/mail/qmail-tls/Makefile
Comment 11 erdgeist 2020-05-24 23:18:12 UTC
Created attachment 214822
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs
Comment 12 erdgeist 2020-05-24 23:25:39 UTC
Created attachment 214823
vuxml entries for the cve

This xml hopefully contains vuxml record for the CVEs
Comment 13 commit-hook freebsd_committer 2020-05-25 18:05:02 UTC
A commit references this bug:

Author: pi
Date: Mon May 25 18:04:41 UTC 2020
New revision: 536490
URL: https://svnweb.freebsd.org/changeset/ports/536490

Log:
  security/vuxml: add three CVEs for qmail

  PR:		245010
  Submitted by:	erdgeist@erdgeist.org

Changes:
  head/security/vuxml/vuln.xml
Comment 14 Kurt Jaeger freebsd_committer 2020-05-25 18:05:06 UTC
vuxml entries committed, thanks!