On Wed, Aug 29, 2012 at 09:34:22PM +0200, Patrick Lamaiziere wrote:
> Le Wed, 29 Aug 2012 09:59:46 +0200,
> Sebastien Marie <[email protected]> wrote:
Hello,
>
> > I currently follow STABLE branch for openbsd (and so, for ports too),
> > which is OPENBSD_5_1.
> >
> > But, I saw that the last security updates for ports go to OPENBSD_5_2
> > and not to OPENBSD_5_1.
>
> Any examples? The problem may not be present in 5.1.
>
databases/postgresql
version 9.1.4 (in OPENBSD_5_1) is vulnerable to CVE-2012-3488 and
CVE-2012-3489
CVE-2012-3488 : insecure use of xslt (xslt is in contrib, so it needs
activation)
CVE-2012-3489 : insecure use of libxml2 (XXE possible)
OPENBSD_5_2 has upgraded from 9.1.4 to 9.1.5

editors/emacs23
same version in OPENBSD_5_1 (emacs-23.4) and OPENBSD_5_2 (emacs-23.4p2)
vulnerable to CVE-2012-3479 (GNU Emacs "enable-local-variables" Variable
Processing Vulnerability)

games/openttd
same version in OPENBSD_5_1 (openttd-1.1.5) and OPENBSD_5_2 (openttd-1.1.5p1)
vulnerable to CVE-2012-3436 (Denial of service (server) using ships on half
tiles and landscaping)

net/tor
same version in OPENBSD_5_1 (tor-0.2.2.37) and OPENBSD_5_2_BASE
OPENBSD_5_2 upgraded to tor-0.2.2.38
Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
fixes a remotely triggerable crash bug; and fixes a timing attack that
could in theory leak path information.

www/py-django
OPENBSD_5_1 has version 1.3p3
NIST reports versions before 1.3.2 are vulnerable (for CVE-2012-3442 at least)
CVE-2012-3442 CVE-2012-3443 CVE-2012-3444

Other ports that would need more investigation to determine whether they are
vulnerable or not in OPENBSD_5_1:
graphics/GraphicsMagick CVE-2012-3438
graphics/ImageMagick CVE-2012-3437
mail/roundcubemail CVE-2012-3508

I do not use all of the previous ports, and some are used in a "safe" way
(like using the postgresql ports, but not the server). It is just a question
of knowing what to follow, in order to keep updated...
Thanks.
--
Sebastien Marie
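The comparisons above (9.1.4 vs 9.1.5, 1.3p3 vs "before 1.3.2", 23.4 vs 23.4p2) depend on reading OpenBSD package names correctly: the "pN" suffix is the port revision, not an upstream release. The following is an added example, not code from this thread or from the OpenBSD project, that parses package names of the form stem-version[vN][pN][-flavor] and compares only the upstream part against an advisory's fixed version; the package names and fixed versions used are taken from the mail above.

```python
import re
from typing import Tuple

# OpenBSD package name: stem-version[vN][pN][-flavor]
#   vN = epoch, pN = port revision (local patch level), flavor = build variant
PKG_RE = re.compile(
    r"^(?P<stem>.+?)-(?P<upstream>[0-9][0-9.]*)"
    r"(?:v(?P<epoch>[0-9]+))?(?:p(?P<rev>[0-9]+))?(?:-(?P<flavor>.+))?$"
)


def parse_pkgname(pkgname: str) -> Tuple[str, str, int]:
    """Return (stem, upstream_version, port_revision) for an OpenBSD package name."""
    m = PKG_RE.match(pkgname)
    if not m:
        raise ValueError(f"not an OpenBSD package name: {pkgname!r}")
    rev = int(m.group("rev")) if m.group("rev") else 0
    return m.group("stem"), m.group("upstream"), rev


def version_tuple(version: str) -> Tuple[int, ...]:
    """Dotted upstream version -> comparable tuple, e.g. '9.1.4' -> (9, 1, 4)."""
    return tuple(int(part) for part in version.split("."))


def upstream_at_least(pkgname: str, fixed_version: str) -> bool:
    """True if the *upstream* version of pkgname is >= the advisory's fixed version.

    Only upstream is compared: a pN bump never raises the upstream version.
    False means the port is at an affected upstream release; whether a pN
    revision carries a backported fix has to be checked in the port's patches.
    """
    _, upstream, _ = parse_pkgname(pkgname)
    return version_tuple(upstream) >= version_tuple(fixed_version)


def same_upstream(pkg_a: str, pkg_b: str) -> bool:
    """True if two package names differ at most in port revision or flavor."""
    return parse_pkgname(pkg_a)[1] == parse_pkgname(pkg_b)[1]


if __name__ == "__main__":
    # Constructed sample, using the versions reported in the thread
    checks = [("postgresql-server-9.1.4", "9.1.5"), ("py-django-1.3p3", "1.3.2")]
    for pkg, fixed in checks:
        status = "fixed upstream" if upstream_at_least(pkg, fixed) else "affected"
        print(f"{pkg}: {status} (fix is in {fixed})")
    print("emacs 5.1 vs 5.2 same upstream:", same_upstream("emacs-23.4", "emacs-23.4p2"))
```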