Bug #64746

Security update: pango 1.42.0 should be updated to newest (or at least 1.42.4)

Added by Sean McBride almost 2 years ago. Updated almost 2 years ago.

Status: Done
Priority: No priority
Assignee: Alexander Motin
Category: OS
Seen in:
Severity: Low
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

With the current nightly build, pkg audit -F reports:

pango-1.42.0 is vulnerable:
pango -- remote DoS vulnerability
CVE: CVE-2018-15120
WWW: https://vuxml.FreeBSD.org/freebsd/5a757a31-f98e-4bd4-8a85-f1c0f3409769.html

Would be nice to have security updates backported to 11.2 also...

Associated revisions

Revision 452be805 (diff)
Added by Alexander Motin almost 2 years ago

Update pango to 1.42.4_1. This is a part of much bigger FreeBSD commit. Ticket: #64746

History

#1 Updated by Dru Lavigne almost 2 years ago

  • Assignee changed from Release Council to Alexander Motin

#6 Updated by Alexander Motin almost 2 years ago

  • Status changed from Unscreened to Screened
  • Seen in changed from Master - FreeNAS Nightlies to 11.2-RELEASE
  • Severity changed from New to Low

It was updated in the master (11.3) branch yesterday together with other ports. We do not believe it is exploitable on 11.2, but we'll take a look at updating it just to calm people. ;)

#7 Updated by Bug Clerk almost 2 years ago

  • Status changed from Screened to In Progress

#8 Updated by Alexander Motin almost 2 years ago

#9 Updated by Bug Clerk almost 2 years ago

  • Status changed from In Progress to Ready for Testing

#10 Updated by Bug Clerk almost 2 years ago

  • Target version changed from Backlog to 11.2-U2

#11 Updated by Alexander Motin almost 2 years ago

  • Status changed from Ready for Testing to Closed
  • Target version changed from 11.2-U2 to N/A
  • Reason for Closing set to Not to be fixed
  • Needs QA changed from Yes to No
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

A closer look showed that pango in FreeBSD was updated as part of a large GNOME update. I don't want to merge too much, while a single port update does not build. I don't see a reason to spend more time on digging into this deeper.

#12 Updated by Sean McBride almost 2 years ago

So fixed in 11.3, but won't be in 11.2.x, do I understand right?

#13 Updated by Alexander Motin almost 2 years ago

  • Status changed from Closed to Done
  • Target version changed from N/A to Master - FreeNAS Nightlies
  • Reason for Closing deleted (Not to be fixed)

Right. Status updated.
