Security vulnerabilities in "quarterly" pkg repository

[TS]

I run a FreeBSD 11.2-RELEASE machine using binary packages only. It defaults to the "quarterly" repository because I prefer a stable setup, without too many headaches at inconvenient times.

However, I noticed that not all security fixes seem to appear in the quarterly branch in time. So does the "quarterly" branch currently have python27-2.7.15 from Feb-07, 2019, whereas "latest" has python27-2.7.16 March-12, 2019. It is now almost 3 weeks that a critical vulnerabilty in Python is still present in the default repository.

Is there a mechanism in place to report such issues that seem to have fallen between the cracks?

 

[SirDice]

Please check again, Q2 should have branched off now.

 

[TS]

This is all well and fine, but does not fix the underlying problem.

From what I have read, "quarterly" is now the default repository for packages-based installations. Despite being updated only 4 times a year, it should also receive all security fixes in time. I find it rather disturbing that this did not happen in the mentioned case.

 

[SirDice]

From what I have read, "quarterly" is now the default repository for packages-based installations.

To be exact, quarterly is the default repository on -RELEASE versions, on -STABLE latest is the default. Though it's the default you can easily change it to whichever one you want/need.

Despite being updated only 4 times a year, it should also receive all security fixes in time.

Yes, correct.

I find it rather disturbing that this did not happen in the mentioned case.

Python 2.7.16 was a bugfix release, not a security update. At least according to their own release notes. As such it didn't get updated in quarterly.

Python Release Python 2.7.16

The official home of the Python Programming Language

www.python.org

 

[SirDice]

Dug around some more, I assume you're talking about this one?

VuXML: Python -- NULL pointer dereference vulnerability

www.vuxml.org

I'm totally confused by that one now. The original mentions 2.7.11 as being vulnerable. I can imagine a patch taking some time to create but we're talking about 4 or 5 point releases here. I've been clicking around and come to this issue: https://github.com/python/cpython/pull/11574
But from that I can't really tell at what version it got merged in.

Judging by the confused state I'm in now I can very much imagine ports management sharing that same confused state. And perhaps that's the reason why it hasn't been applied to quarterly.

 

[TS]

Yes, this is it. It is listed as a recent vulnerability by freshports.org
My daily security run gave me the following warning since at least the 28th of March:

Checking for packages with security vulnerabilities:
Database fetched: Wed Apr 3 03:57:53 UTC 2019
python27-2.7.15
-- End of security output --

I understand that it may be difficult for the maintainer to keep track. However, your system database is correctly flagging the vulnerability, so there should be a way to feed this info back into the build process. And even if there is no easy way, I would gladly report it manually, if you tell me the correct channel.

 

[SirDice]

However, your system database is correctly flagging the vulnerability

I'm not so sure about that. As there's no mention in any of the advisories from Python which version has the fix. And if 2.7.16 would have included a fix for a known CVE I would have expected to see that in the release notes and/or changelog. But there's no mention of it anywhere.

And even if there is no easy way, I would gladly report it manually, if you tell me the correct channel.

Look at the top: https://www.vuxml.org/freebsd/

Please report security issues to the FreeBSD Security Team at <ports-secteam@FreeBSD.org>. Full contact details, including information handling policies and PGP key, can be found on the FreeBSD Security page.

I've contacted them in the past to report issues, they usually respond quite quickly.