Ports and security issues

I see that ungoogled-chromium is flagged with two security issues and with a bunch of CVEs. Currently the binary (insecure) release is 126 whilst the ports website shows that there is the 127 already available. So my question is: is there a "rule" for a case like this? Can a user expect a binary release for cases like this?
 
It's been updated in main aka latest only. Security issues should be committed to the quarterly branch but this is left up to the maintainer. You could switch your packages to the latest branch.
 
I'll answer by myself: the listed maintainer in the port is actually a list on which I cannot post as I'm not subscribed. I guess I will wait...
 
You could submit a PR for it. Security issues should get committed to quarterly too in my opinion. But there might be other reasons why the newer version can't be committed to quarterly (dependency issues for example).
 
Iridium is currently based on Chromium 127.0.6533.88.

Neither www/linux-chrome nor www/iridium has a record of past or present vulnerability.

More generally

If Bugzilla is used, then triage should ensure that appropriate merges are not omitted. From the wiki:

Bugzilla allows private reports for base but not for ports.
 
… Security issues should be committed to the quarterly branch but this is left up to the maintainer. …

ports-secteam should be informed; severity should be Affects Many People; priority should be raised to Normal (the highest); keyword security.

Bug 264426, for example.
 
Call me confused but I'm not sure about what I should do (if I should do anything ...)

In case it's useful to anyone:

Code:
[06:00][fmc000@tu45b-freebsd][~]
 ⤷ $ sudo pkg audit -F
vulnxml file up-to-date
ungoogled-chromium-126.0.6478.126_1 is vulnerable:
  chromium -- multiple security fixes
  CVE: CVE-2024-7256
  CVE: CVE-2024-7255
  CVE: CVE-2024-6990
  WWW: https://vuxml.FreeBSD.org/freebsd/15d398ea-4f73-11ef-8a0f-a8a1599412c6.html

  chromium -- multiple security fixes
  CVE: CVE-2024-7005
  CVE: CVE-2024-7004
  CVE: CVE-2024-7003
  CVE: CVE-2024-7001
  CVE: CVE-2024-7000
  CVE: CVE-2024-6999
  CVE: CVE-2024-6998
  CVE: CVE-2024-6997
  CVE: CVE-2024-6996
  CVE: CVE-2024-6995
  CVE: CVE-2024-6994
  CVE: CVE-2024-6991
  CVE: CVE-2024-6989
  CVE: CVE-2024-6988
  WWW: https://vuxml.FreeBSD.org/freebsd/fb0b5574-4e64-11ef-8a0f-a8a1599412c6.html

2 problem(s) in 1 installed package(s) found.
[06:05][fmc000@tu45b-freebsd][~]
 ⤷ $
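For anyone who wants to watch quarterly for the same gap the audit above shows, here is an added example (not from the thread) that summarises `pkg audit -F` output per package with one awk pass. The sample input is constructed inline from the advisory format shown above plus a second, clearly fake package so the script runs without `pkg` present; on a real host replace it with the live audit output.

```sh
#!/bin/sh
# Added example: summarise `pkg audit -F` into "<package> <advisories> <cves>".
# SAMPLE_AUDIT is a constructed stand-in for the live command output.
# The second package, its CVE id and its advisory URL are placeholders.
SAMPLE_AUDIT='vulnxml file up-to-date
ungoogled-chromium-126.0.6478.126_1 is vulnerable:
  chromium -- multiple security fixes
  CVE: CVE-2024-7256
  CVE: CVE-2024-7255
  WWW: https://vuxml.FreeBSD.org/freebsd/15d398ea-4f73-11ef-8a0f-a8a1599412c6.html

  chromium -- multiple security fixes
  CVE: CVE-2024-7005
  WWW: https://vuxml.FreeBSD.org/freebsd/fb0b5574-4e64-11ef-8a0f-a8a1599412c6.html

vlc-3.0.21 is vulnerable:
  vlc -- constructed example advisory
  CVE: CVE-0000-0000
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

2 problem(s) in 2 installed package(s) found.'

# Read audit text on stdin; print one sorted line per vulnerable package:
# package name, number of advisories (WWW lines), number of CVE lines.
summarize_audit() {
    awk '
        /^[^ ].* is vulnerable:$/ { pkg = $1; adv[pkg] += 0; cve[pkg] += 0; next }
        /^  CVE: /               { cve[pkg]++; next }
        /^  WWW: /               { adv[pkg]++; next }
        END { for (p in adv) printf "%s %d %d\n", p, adv[p], cve[p] }
    ' | sort
}

# Number of vulnerable packages on stdin; 0 means the audit is clean,
# so a cron job can alert whenever this is non-zero.
count_vulnerable() {
    summarize_audit | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a host use: pkg audit -F | summarize_audit
printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
```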
 
Switch to latest packages if you really want the new version now.

Switching is simple, create a /usr/local/etc/pkg/repos/FreeBSD.conf:
Code:
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest"
}
 
Dear sirdice:
I have a FreeBSD 14.1 production machine for daily work. Do I need to change quarterly repos to latest? Thanks.
 
Switch to latest packages if you really want the new version now.
Yes, I know how to do it, thank you. I was using latest but I preferred to switch back to quarterly and I'm good with it. I thought that security updates would be ported to quarterly too but it looks like it's not (always) the case.
 
I have a FreeBSD 14.1 production machine for daily work. Do I need to change quarterly repos to latest? Thanks.

I have used latest ports for years (with FreeBSD-CURRENT) for my daily work, production use.

If you'll refrain from using latest – and if you want quarterly to gain fixes for the security vulnerabilities, one of which is critical (issue access denied), in www/ungoogled-chromium and www/ungoogled-chromium – you should address either:
  • the maintainer of those ports (the list)
  • the person who committed to latest (Robert Nagy).
 
Yeah, I "surrendered" to latest because of this in the end.
 
...aaaand now pkg wants to uninstall vlc and obs-studio because of the new version of abseil. I knew it was a mistake to move to latest :(
 