Bug 247089 - devel/json-c: update quarterly to 0.14
Summary: devel/json-c: update quarterly to 0.14
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Po-Chuan Hsieh
URL:
Keywords: needs-qa, security
Depends on: 246389
Blocks:
Reported: 2020-06-08 18:46 UTC by Mike Kelly
Modified: 2020-11-20 04:38 UTC (History)

See Also:
bugzilla: maintainer-feedback? (sunpoet)
joneum: merge-quarterly+


Attachments

Description Mike Kelly 2020-06-08 18:46:59 UTC
The current release in the quarterly branch, 0.13.1_1, is marked as vulnerable by vuln.xml:

$ sudo pkg audit
json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html

Can the version containing the fix for this, 0.14, be updated in the quarterly branch?
Comment 1 Jochen Neumeister freebsd_committer freebsd_triage 2020-06-09 09:03:57 UTC
Approved for MFH, with adding a VuXML entry

Jochen
(Ports-secteam)
Comment 2 Mike Kelly 2020-07-10 18:59:58 UTC
Seems this has now been merged to the current quarterly repo, so this can probably be closed.