Created attachment 239724: port patch

Update the port
From the release notes:

> [KAFKA-14320] - Upgrade Jackson for CVE fix

<https://issues.apache.org/jira/browse/KAFKA-14320> refers to <https://nvd.nist.gov/vuln/detail/CVE-2020-36518>.

A broader list of vulnerabilities: <https://kafka.apache.org/cve-list>

Re: <https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify> we should have VuXML entries.

Thanks
(In reply to Graham Perrin from comment #1)

Hello Graham,

I can do the vuxml entry. Is the following info correct?

---
- Affected packages: kafka < 3.3.2
- Apache Kafka reports: "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects."
---
(In reply to Nuno Teixeira from comment #2) Yes, thanks
Committed and merged to 2023Q1. Entry to VuXML added. Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=37508462426c3674c0b32cc7e8cb38dbafc2ecd5

commit 37508462426c3674c0b32cc7e8cb38dbafc2ecd5
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-02-04 19:24:09 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-02-04 19:27:58 +0000

    security/vuxml: Register net/kafka stack overflow vulnerability

    CVE-2020-36518

    PR: 269170

 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Sorry, the commit is https://cgit.freebsd.org/ports/commit/?id=dbde71f335327288f1342260fba1d34f224fcdc8
If I understand correctly, links out from <https://issues.apache.org/jira/browse/KAFKA-14320> show:

a) 3.3.2 as a fixed version, where 3.3.1 was vulnerable
b) 3.4.0 as both affected and fixed, which puzzles me.

(In reply to commit-hook from comment #5)

<https://www.freshports.org/net/kafka/> shows 3.3.2 as vulnerable. Given (a) above, is this correct?

Also puzzling: CVE-2020-36518 is not listed at <https://kafka.apache.org/cve-list>.
(In reply to Graham Perrin from comment #7)

From https://issues.apache.org/jira/browse/KAFKA-14320:

Affects Version/s: 3.2.0
Fix Version/s: 3.4.0, 3.3.2

vuxml should be fixed to:

Affected packages: kafka < 3.3.2

The 3.4.0 version is confusing me too.
(In reply to Nuno Teixeira from comment #8) (...) also, 3.4.0 may be related to a different branch (3.4.x) and it's not present in ports tree, so affected versions should be < 3.3.2
Yes, 3.4.x is a different branch. This problem affected several branches.

VuXML changed to 3.3.2.

Graham, do not set Open to already closed PRs. That should be In Progress. Please read https://wiki.freebsd.org/Bugzilla/TriageTraining under "Basics".
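The version-range confusion above (3.3.2 showing as vulnerable although it is the fixed release) comes down to which bound the VuXML `<range>` uses. The script below is an added example, not the entry committed to `security/vuxml/vuln/2023.xml`: it evaluates a constructed VuXML fragment with the corrected `<lt>3.3.2</lt>` bound beside a too-wide `<le>` variant, using a simplified dotted-integer version compare rather than pkg(8)'s full algorithm (the `vid` is a placeholder).

```python
"""Added example: check port versions against a VuXML <affects> range.
Not the FreeBSD ports tree's own code; version comparison is a simplified
dotted-integer compare, not pkg(8)'s algorithm."""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the kafka entry discussed in this PR.
# The vid is a placeholder, not the UUID of the real 2023.xml entry.
VUXML_FIXED = """<vuln vid="PLACEHOLDER-VID">
  <topic>kafka -- stack overflow vulnerability</topic>
  <affects>
    <package>
      <name>kafka</name>
      <range><lt>3.3.2</lt></range>
    </package>
  </affects>
  <references><cvename>CVE-2020-36518</cvename></references>
</vuln>"""

# Same entry with a too-wide bound: it also flags the fixed 3.3.2 release.
VUXML_TOO_WIDE = VUXML_FIXED.replace("<lt>3.3.2</lt>", "<le>3.3.2</le>")

# VuXML bound elements and the comparison each one expresses.
OPS = {"lt": lambda v, b: v < b, "le": lambda v, b: v <= b,
       "gt": lambda v, b: v > b, "ge": lambda v, b: v >= b,
       "eq": lambda v, b: v == b}

def parse_version(text):
    """Simplification: dotted integers only, "3.3.2" -> (3, 3, 2)."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(vuxml, pkgname, version):
    """True if any <range> under <package>pkgname</package> matches.
    A <range> holding several bounds (e.g. <ge> plus <lt>) needs all of them."""
    root = ET.fromstring(vuxml)
    v = parse_version(version)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            if all(OPS[bound.tag](v, parse_version(bound.text)) for bound in rng):
                return True
    return False

if __name__ == "__main__":
    for ver in ("3.3.1", "3.3.2"):
        print(ver, "corrected entry:", is_affected(VUXML_FIXED, "kafka", ver),
              "too-wide entry:", is_affected(VUXML_TOO_WIDE, "kafka", ver))
```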
(In reply to Fernando Apesteguía from comment #10) That was a slip of the finger on a trackball wheel after using the menu, sorry. Do we need VuXML entries for any of the other vulnerabilities?
(In reply to Graham Perrin from comment #11) Ideally we would. For instance for https://nvd.nist.gov/vuln/detail/CVE-2022-34917 The thing is that we are always behind in adding vulnerabilities to VuXML.