mail/spamassassin: Update 3.4.4 --> 3.4.5, fixing CVE-2020-1946
According to https://s.apache.org/ng9u9, 3.4.5 fixes CVE-2020-1946.
The announce text:
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue
of security note where malicious rule configuration (.cf) files can be
configured to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in a number
of scenarios. In addition to upgrading to SA 3.4.5, users should only use
update channels or 3rd party .cf files from trusted places.
Apache SpamAssassin would like to thank Damian Lukowski at credativ for
ethically reporting this issue.
This issue has been assigned CVE id CVE-2020-1946 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
PR: 254526
Submitted by: cy
Reported by: cy
Approved by: maintainer (zeising)
Security: https://s.apache.org/ng9u9https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
- Update to version 4.4 and unforbid
- Add LZ4 and ZSTD compression support
- Improve or drop option descriptions
- Convert to option helpers while here
PR: ports/254316
Security: 317487c6-85ca-11eb-80fa-14dae938ec40
security/wpa_supplicant: fix for P2P provision vulnerability
Latest version available from: https://w1.fi/security/2021-1/
Vulnerability
A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.
Vulnerable versions/configurations
wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled
An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.
Note: The P2P option is not default.
Security: https://w1.fi/security/2021-1/\
wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
security/libressl: Bugfix update to 3.2.4
* See errata 013 from OpenBSD 6.8
* Various interoperability issues and memory leaks were discovered in
libcrypto and libssl
security/libressl: Security fix for potential use-after-free
Security: eeca52dc-866c-11eb-b8d6-d4c9ef517024
Approved by: ports-secteam (blanket)
databases/postgresql-mysql_fdw: Upgrade from 2.5.4 to 2.5.5
Fix various bugs, compilation warnings, and server crashes.
Souce: https://github.com/EnterpriseDB/mysql_fdw/releases/tag/REL-2_5_5
Also make minimum PostgreSQL version 9.6. The last version 2.5.4 already
dropped the PostgreSQL 9.5 support. Also imcrease max supported PostgreSQL
version from 11 to 13. This was also introduced in the last version 2.5.4.
Take maintainership
Sponsored by: Bounce Experts
M postgresql-mysql_fdw/Makefile
M postgresql-mysql_fdw/distinfo
mail/dovecot-fts-xapian: Update to 1.4.8
- Update to 1.4.8
Reviewed by: osa (mentor)
Approved by: osa (mentor)
Differential Revision: https://reviews.freebsd.org/D29251
