Hi, I just noticed that portaudit considers www/nginx >=1.2.0,1 <1.4.1,1 to be affected by CVE-2013-2028, creating noise and preventing installation:
http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html According to the announcement on the nginx mailing list, only versions of nginx >= 1.3.9 < 1.4.1,1 should be affected: http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html and the fix in nginx trac http://trac.nginx.org/nginx/changeset/5189/nginx I just checked the source of 1.2.8 (the current version in ports, www/nginx) and it doesn't even contain the affected functionality, nor the affected function implementing it (ngx_http_parse_chunked). This is in line with additional media and bugtracker coverage: https://bugzilla.redhat.com/show_bug.cgi?id=960605 http://www.openwall.com/lists/oss-security/2013/05/07/3 http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html Long story short: I would kindly ask you to correct the entry in the portaudit database to match only affected versions of nginx. Cheers, Michael -- Michael Gmelin _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
