Bug 247089 - devel/json-c: update quarterly to 0.14
Summary: devel/json-c: update quarterly to 0.14
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Sunpoet Po-Chuan Hsieh
Keywords: needs-qa, security
Depends on: 246389
  Show dependency treegraph
Reported: 2020-06-08 18:46 UTC by Mike Kelly
Modified: 2020-11-20 04:38 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (sunpoet)
joneum: merge-quarterly+


Note You need to log in before you can comment on or make changes to this bug.
Description Mike Kelly 2020-06-08 18:46:59 UTC
The current release in the quarterly branch, 0.13.1_1, is marked as vulnerable by vuln.xml:

$ sudo pkg audit
json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html

Can the version containing the fix for this, 0.14, be updated in the quarterly branch?
Comment 1 Jochen Neumeister freebsd_committer 2020-06-09 09:03:57 UTC
Approved for MFH with add a Vuxml entry

Comment 2 Mike Kelly 2020-07-10 18:59:58 UTC
Seems this has now been merged to the current quarterly repo, so this can probably be closed.