Diffstat (limited to 'security')
40 files changed, 419 insertions, 48 deletions
diff --git a/security/Makefile b/security/Makefile index 34fc30166872..205c732e5678 100644 --- a/security/Makefile +++ b/security/Makefile @@ -197,6 +197,7 @@ SUBDIR += gosec SUBDIR += gost-engine SUBDIR += gostsum + SUBDIR += govulncheck SUBDIR += gpa SUBDIR += gpg-gui SUBDIR += gpg-tui diff --git a/security/R-cran-openssl/Makefile b/security/R-cran-openssl/Makefile index ee4683304723..31882d609237 100644 --- a/security/R-cran-openssl/Makefile +++ b/security/R-cran-openssl/Makefile @@ -1,11 +1,11 @@ PORTNAME= openssl -DISTVERSION= 2.3.2 +DISTVERSION= 2.3.3 CATEGORIES= security DISTNAME= ${PORTNAME}_${DISTVERSION} MAINTAINER= eduardo@FreeBSD.org COMMENT= Toolkit for Encryption, Signatures and Certificates Based on OpenSSL -WWW= https://cran.r-project.org/web/packages/openssl/ +WWW= https://cran.r-project.org/package=openssl LICENSE= MIT diff --git a/security/R-cran-openssl/distinfo b/security/R-cran-openssl/distinfo index ae69dfff9a27..c28d46c50229 100644 --- a/security/R-cran-openssl/distinfo +++ b/security/R-cran-openssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1738686768 -SHA256 (openssl_2.3.2.tar.gz) = 9925ca6abc3c55809322e12458a15c49cccc01b85f9cac9475a64e9d1e6584db -SIZE (openssl_2.3.2.tar.gz) = 1204775 +TIMESTAMP = 1748336768 +SHA256 (openssl_2.3.3.tar.gz) = b6b709a98dc3de47ec59adc234d8f0864c4f5b31c5e65478ec5e49c80ba7bf59 +SIZE (openssl_2.3.3.tar.gz) = 1206720 diff --git a/security/agave/Makefile b/security/agave/Makefile index c23f02587c7c..b6fc26a9c13a 100644 --- a/security/agave/Makefile +++ b/security/agave/Makefile @@ -1,6 +1,6 @@ PORTNAME= agave DISTVERSIONPREFIX= v -DISTVERSION= 2.2.10 +DISTVERSION= 2.2.14 CATEGORIES= security PKGNAMESUFFIX= -blockchain @@ -653,7 +653,7 @@ CARGO_CRATES= Inflector-0.11.4 \ solana-reserved-account-keys-2.2.1 \ solana-reward-info-2.2.1 \ solana-sanitize-2.2.1 \ - solana-sbpf-0.10.0 \ + solana-sbpf-0.10.1 \ solana-sdk-2.2.2 \ solana-sdk-ids-2.2.1 \ solana-sdk-macro-2.2.1 \ 
diff --git a/security/agave/distinfo b/security/agave/distinfo index 3efe7f5d17ae..1d57ba0c8a39 100644 --- a/security/agave/distinfo +++ b/security/agave/distinfo @@ -1,4 +1,4 @@ -TIMESTAMP = 1744998301 +TIMESTAMP = 1747742789 SHA256 (rust/crates/Inflector-0.11.4.crate) = fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3 SIZE (rust/crates/Inflector-0.11.4.crate) = 17438 SHA256 (rust/crates/addr2line-0.20.0.crate) = f4fa78e18c64fce05e902adecd7a5eed15a5e0a3439f7b0e169f0252214865e3 @@ -1253,8 +1253,8 @@ SHA256 (rust/crates/solana-reward-info-2.2.1.crate) = 18205b69139b1ae0ab8f6e11cd SIZE (rust/crates/solana-reward-info-2.2.1.crate) = 4139 SHA256 (rust/crates/solana-sanitize-2.2.1.crate) = 61f1bc1357b8188d9c4a3af3fc55276e56987265eb7ad073ae6f8180ee54cecf SIZE (rust/crates/solana-sanitize-2.2.1.crate) = 1565 -SHA256 (rust/crates/solana-sbpf-0.10.0.crate) = 66a3ce7a0f4d6830124ceb2c263c36d1ee39444ec70146eb49b939e557e72b96 -SIZE (rust/crates/solana-sbpf-0.10.0.crate) = 167288 +SHA256 (rust/crates/solana-sbpf-0.10.1.crate) = 8e6aed9fa0b4791538896be288fb5ccb2ab9f558ca0fe1ff28dfd3046fbdb5c5 +SIZE (rust/crates/solana-sbpf-0.10.1.crate) = 167277 SHA256 (rust/crates/solana-sdk-2.2.2.crate) = e8af90d2ce445440e0548fa4a5f96fe8b265c22041a68c942012ffadd029667d SIZE (rust/crates/solana-sdk-2.2.2.crate) = 28048 SHA256 (rust/crates/solana-sdk-ids-2.2.1.crate) = 5c5d8b9cc68d5c88b062a33e23a6466722467dde0035152d8fb1afbcdf350a5f 
@@ -1727,5 +1727,5 @@ SHA256 (rust/crates/zstd-sys-2.0.13+zstd.1.5.6.crate) = 38ff0f21cfee8f97d94cef41 SIZE (rust/crates/zstd-sys-2.0.13+zstd.1.5.6.crate) = 749090 SHA256 (anza-xyz-crossbeam-fd279d707025f0e60951e429bf778b4813d1b6bf_GH0.tar.gz) = c997bc77438ef12fbddf0a4e3fe1d8665dbd479980bab65cda3bfe2dbfda32ea SIZE (anza-xyz-crossbeam-fd279d707025f0e60951e429bf778b4813d1b6bf_GH0.tar.gz) = 254980 -SHA256 (anza-xyz-agave-v2.2.10_GH0.tar.gz) = b4dd7d82f93959b9c055dac85436928cf3aa47d24c8f3cd55c0b9253f5feec80 -SIZE (anza-xyz-agave-v2.2.10_GH0.tar.gz) = 18448115 +SHA256 (anza-xyz-agave-v2.2.14_GH0.tar.gz) = 210e181762c217e3c16b3747c32526d61bda70a0c1a97ebb2ec72941df82e7d9 +SIZE (anza-xyz-agave-v2.2.14_GH0.tar.gz) = 49456937 diff --git a/security/agave/files/patch-rust-1.87.0 b/security/agave/files/patch-rust-1.87.0 new file mode 100644 index 000000000000..cc2162774154 --- /dev/null +++ b/security/agave/files/patch-rust-1.87.0 
@@ -0,0 +1,42 @@ +https://github.com/anza-xyz/agave/pull/5323 + +https://github.com/anza-xyz/agave/pull/5323/commits/b8444343075a96f7472dd3b18490233cd0aeb9a2 +https://github.com/anza-xyz/agave/pull/5323/commits/28ec738e2282958f5b85bf6fd515ac31b099f95e + +--- unified-scheduler-pool/src/lib.rs.orig 2025-05-20 14:31:43.222181000 +0200 ++++ unified-scheduler-pool/src/lib.rs 2025-05-20 14:31:51.894607000 +0200 +@@ -12,6 +12,8 @@ + //! Refer to [`PooledScheduler`] doc comment for general overview of scheduler state transitions + //! regarding to pooling and the actual use. + ++use std::ops::DerefMut; ++ + #[cfg(feature = "dev-context-only-utils")] + use qualifier_attr::qualifiers; + use { +@@ -326,10 +328,10 @@ where + // + // Note that this critical section could block the latency-sensitive replay + // code-path via ::take_scheduler(). +- #[allow(unstable_name_collisions)] +- idle_inners.extend(scheduler_inners.extract_if(|(_inner, pooled_at)| { +- now.duration_since(*pooled_at) > max_pooling_duration +- })); ++ idle_inners.extend(MakeExtractIf::extract_if( ++ scheduler_inners.deref_mut(), ++ |(_inner, pooled_at)| now.duration_since(*pooled_at) > max_pooling_duration, ++ )); + drop(scheduler_inners); + + let idle_inner_count = idle_inners.len(); +@@ -357,8 +359,8 @@ where + let Ok(mut timeout_listeners) = scheduler_pool.timeout_listeners.lock() else { + break; + }; +- #[allow(unstable_name_collisions)] +- expired_listeners.extend(timeout_listeners.extract_if( ++ expired_listeners.extend(MakeExtractIf::extract_if( ++ timeout_listeners.deref_mut(), + |(_callback, registered_at)| { + now.duration_since(*registered_at) > timeout_duration + }, diff --git a/security/fizz/Makefile b/security/fizz/Makefile index 58cb52d68aeb..696aa320c8f8 100644 --- a/security/fizz/Makefile +++ b/security/fizz/Makefile @@ -1,6 +1,6 @@ PORTNAME= fizz DISTVERSIONPREFIX= v -DISTVERSION= 2025.05.19.00 +DISTVERSION= 2025.05.26.00 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org 
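Review bot: The header of files/patch-rust-1.87.0 lists only the upstream pull-request URLs and never says why the two call sites change, so a later maintainer cannot tell when the patch can be dropped. Judging from the removed `#[allow(unstable_name_collisions)]` lines, the method-call form `scheduler_inners.extract_if(...)` presumably collides with a standard-library method of the same name on newer compilers, and the fully qualified `MakeExtractIf::extract_if(scheduler_inners.deref_mut(), ...)` pins the trait implementation; please confirm and state that in the header. A line such as `Call MakeExtractIf::extract_if explicitly to avoid the name collision on Rust 1.87; drop once the upstream PR is in a release.` would be enough. Both rewritten call sites sit in functions that begin and end outside the embedded hunks.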
diff --git a/security/fizz/distinfo b/security/fizz/distinfo index 74e44fafe591..8f7d8fec9996 100644 --- a/security/fizz/distinfo +++ b/security/fizz/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1747730518 -SHA256 (facebookincubator-fizz-v2025.05.19.00_GH0.tar.gz) = 83ce2e22c993cad1c5cbc5f3ee1aff4c44af99eeeb3dd3d539f1017a7af18647 -SIZE (facebookincubator-fizz-v2025.05.19.00_GH0.tar.gz) = 754906 +TIMESTAMP = 1748334332 +SHA256 (facebookincubator-fizz-v2025.05.26.00_GH0.tar.gz) = 3a4bdd1b61c44c12047136796c70ee4d9b78076358855367d976acf99c22bf1d +SIZE (facebookincubator-fizz-v2025.05.26.00_GH0.tar.gz) = 755400 diff --git a/security/gnupg-pkcs11-scd/Makefile b/security/gnupg-pkcs11-scd/Makefile index 0a75d8a76601..759009670932 100644 --- a/security/gnupg-pkcs11-scd/Makefile +++ b/security/gnupg-pkcs11-scd/Makefile @@ -3,7 +3,7 @@ DISTVERSION= 0.11.0 CATEGORIES= security MASTER_SITES= https://github.com/alonbl/${PORTNAME}/releases/download/${DISTNAME}/ -MAINTAINER= mat@FreeBSD.org +MAINTAINER= ports@FreeBSD.org COMMENT= PKCS\#11 enabled gnupg scd WWW= https://github.com/alonbl/gnupg-pkcs11-scd diff --git a/security/govulncheck/Makefile b/security/govulncheck/Makefile new file mode 100644 index 000000000000..421e87f037bf --- /dev/null +++ b/security/govulncheck/Makefile 
@@ -0,0 +1,37 @@ +PORTNAME= govulncheck +DISTVERSIONPREFIX= v +DISTVERSION= 1.1.4 +CATEGORIES= security + +MAINTAINER= einar@isnic.is +COMMENT= Database client and tools for the Go vulnerability database +WWW= https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck + +LICENSE= BSD3CLAUSE +LICENSE_FILE= ${WRKSRC}/LICENSE + +USES= go:modules,run + +GO_MODULE= golang.org/x/vuln +GO_TARGET= ./cmd/govulncheck + +PLIST_FILES= bin/govulncheck + +post-patch: + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/scan/util.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/all_test.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/scan/run.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/test/packages.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/test/testenv.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/testenv/testenv.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/vulncheck/packages.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/telemetry/internal/configstore/download.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/telemetry/internal/telemetry/dir.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/go/packages/packagestest/export.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/gcimporter/exportdata.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/gocommand/invoke.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/goroot/importcfg.go + @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/testenv/testenv.go + +.include 
<bsd.port.mk> diff --git a/security/govulncheck/distinfo b/security/govulncheck/distinfo new file mode 100644 index 000000000000..ab0dd596680a --- /dev/null +++ b/security/govulncheck/distinfo @@ -0,0 +1,5 @@ +TIMESTAMP = 1742556049 +SHA256 (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.mod) = 40e5fa329adbfd7dad2476465ba340d2531b4d33640b82c81c34ac90f36cbd2a +SIZE (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.mod) = 387 +SHA256 (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.zip) = 115ff76fba8f73b27106eb2e59e3f30696f4f7faaeed55471b5b65c3994b503d +SIZE (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.zip) = 853384 diff --git a/security/govulncheck/files/patch-all__test.go b/security/govulncheck/files/patch-all__test.go new file mode 100644 index 000000000000..e6186df4baba --- /dev/null +++ b/security/govulncheck/files/patch-all__test.go @@ -0,0 +1,11 @@ +--- all_test.go.orig 2025-05-08 09:17:55 UTC ++++ all_test.go +@@ -84,7 +84,7 @@ func rungo(t *testing.T, args ...string) { + t.Helper() + testenv.NeedsGoBuild(t) + +- cmd := exec.Command("go", args...) ++ cmd := exec.Command("%%GO_CMD%%", args...) + if output, err := cmd.CombinedOutput(); err != nil { + if ee := (*exec.ExitError)(nil); errors.As(err, &ee) && len(ee.Stderr) > 0 { + t.Fatalf("%v: %v\n%s", cmd, err, ee.Stderr) diff --git a/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go b/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go new file mode 100644 index 000000000000..8de5b3027e68 --- /dev/null +++ b/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go 
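Review bot: The post-patch target substitutes `%%GO_CMD%%` in fifteen files, but `internal/buildinfo/additions_scan_test.go` is not among them even though files/patch-internal_buildinfo_additions__scan__test.go writes the placeholder into that file. As written, that test would try to execute a literal `%%GO_CMD%%`. Add `@${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/buildinfo/additions_scan_test.go` to the target. Passing all paths to a single `${REINPLACE_CMD}` invocation would also make the list easier to compare against the contents of files/.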
@@ -0,0 +1,11 @@ +--- internal/buildinfo/additions_scan_test.go.orig 2025-05-08 09:20:20 UTC ++++ internal/buildinfo/additions_scan_test.go +@@ -145,7 +145,7 @@ func Vuln() { + }) + defer e.Cleanup() + +- cmd := exec.Command("go", "build", "-o", "entry") ++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", "entry") + cmd.Dir = e.Config.Dir + cmd.Env = e.Config.Env + out, err := cmd.CombinedOutput() diff --git a/security/govulncheck/files/patch-internal_scan_run.go b/security/govulncheck/files/patch-internal_scan_run.go new file mode 100644 index 000000000000..4af9d3301b41 --- /dev/null +++ b/security/govulncheck/files/patch-internal_scan_run.go @@ -0,0 +1,11 @@ +--- internal/scan/run.go.orig 2025-05-08 09:21:10 UTC ++++ internal/scan/run.go +@@ -87,7 +87,7 @@ func prepareConfig(ctx context.Context, cfg *config, c + } + } + if cfg.GoVersion == "" { +- if out, err := exec.Command("go", "env", "GOVERSION").Output(); err == nil { ++ if out, err := exec.Command("%%GO_CMD%%", "env", "GOVERSION").Output(); err == nil { + cfg.GoVersion = strings.TrimSpace(string(out)) + } + } diff --git a/security/govulncheck/files/patch-internal_scan_util.go b/security/govulncheck/files/patch-internal_scan_util.go new file mode 100644 index 000000000000..607c11164eed --- /dev/null +++ b/security/govulncheck/files/patch-internal_scan_util.go @@ -0,0 +1,11 @@ +--- internal/scan/util.go.orig 1979-11-30 00:00:00 UTC ++++ internal/scan/util.go +@@ -50,7 +50,7 @@ func gomodExists(dir string) bool { + } + + func gomodExists(dir string) bool { +- cmd := exec.Command("go", "env", "GOMOD") ++ cmd := exec.Command("%%GO_CMD%%", "env", "GOMOD") + cmd.Dir = dir + out, err := cmd.Output() + output := strings.TrimSpace(string(out)) diff --git a/security/govulncheck/files/patch-internal_test_packages.go b/security/govulncheck/files/patch-internal_test_packages.go new file mode 100644 index 000000000000..3cc85bdd22a6 --- /dev/null +++ b/security/govulncheck/files/patch-internal_test_packages.go 
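Review bot: In the internal/scan/run.go hunk, `cfg.GoVersion` is now taken from `%%GO_CMD%% env GOVERSION`, which after substitution is the Go toolchain the port depends on rather than the `go` the user has on PATH. Pinning the binary removes a PATH lookup, but the standard-library findings then reflect the ports toolchain version, which may differ from the toolchain that actually builds the scanned project. pkg-descr in this same commit still states that the configuration comes from `the "go" command found on the PATH`, so the description and the behaviour disagree. Either adjust pkg-descr or add a comment above the call, for example `// FreeBSD: GOVERSION is read from the ports Go toolchain, not from PATH`. prepareConfig begins and ends outside the hunk.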
@@ -0,0 +1,11 @@ +--- internal/test/packages.go.orig 2025-05-08 09:19:24 UTC ++++ internal/test/packages.go +@@ -13,7 +13,7 @@ func VerifyImports(t *testing.T, allowed ...string) { + ) + + func VerifyImports(t *testing.T, allowed ...string) { +- if _, err := exec.LookPath("go"); err != nil { ++ if _, err := exec.LookPath("%%GO_CMD%%"); err != nil { + t.Skipf("skipping: %v", err) + } + cfg := &packages.Config{Mode: packages.NeedImports | packages.NeedDeps} diff --git a/security/govulncheck/files/patch-internal_test_testenv.go b/security/govulncheck/files/patch-internal_test_testenv.go new file mode 100644 index 000000000000..f28ee2f16524 --- /dev/null +++ b/security/govulncheck/files/patch-internal_test_testenv.go @@ -0,0 +1,11 @@ +--- internal/test/testenv.go.orig 2025-05-08 09:18:33 UTC ++++ internal/test/testenv.go +@@ -14,7 +14,7 @@ func NeedsGoEnv(t testing.TB) { + func NeedsGoEnv(t testing.TB) { + t.Helper() + +- if _, err := exec.LookPath("go"); err != nil { ++ if _, err := exec.LookPath("%%GO_CMD%%"); err != nil { + t.Skip("skipping test: can't run go env") + } + } diff --git a/security/govulncheck/files/patch-internal_testenv_testenv.go b/security/govulncheck/files/patch-internal_testenv_testenv.go new file mode 100644 index 000000000000..634a4a23fe50 --- /dev/null +++ b/security/govulncheck/files/patch-internal_testenv_testenv.go @@ -0,0 +1,11 @@ +--- internal/testenv/testenv.go.orig 2025-05-08 09:21:55 UTC ++++ internal/testenv/testenv.go +@@ -100,7 +100,7 @@ func NeedsGoBuild(t testing.TB) { + if err := os.WriteFile(mainGo, []byte("package main\nfunc main() {}\n"), 0644); err != nil { + t.Fatal(err) + } +- cmd := exec.Command("go", "build", "-o", os.DevNull, mainGo) ++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", os.DevNull, mainGo) + cmd.Dir = dir + if err := cmd.Run(); err != nil { + goBuildErr = fmt.Errorf("%v: %v", cmd, err) 
diff --git a/security/govulncheck/files/patch-internal_vulncheck_packages.go b/security/govulncheck/files/patch-internal_vulncheck_packages.go new file mode 100644 index 000000000000..d9e7038ebc9c --- /dev/null +++ b/security/govulncheck/files/patch-internal_vulncheck_packages.go @@ -0,0 +1,11 @@ +--- internal/vulncheck/packages.go.orig 2025-05-08 09:26:39 UTC ++++ internal/vulncheck/packages.go +@@ -34,7 +34,7 @@ func NewPackageGraph(goVersion string) *PackageGraph { + } + + goRoot := "" +- if out, err := exec.Command("go", "env", "GOROOT").Output(); err == nil { ++ if out, err := exec.Command("%%GO_CMD%%", "env", "GOROOT").Output(); err == nil { + goRoot = strings.TrimSpace(string(out)) + } + stdlibModule := &packages.Module{ diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go new file mode 100644 index 000000000000..19f5c34ba0cc --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go @@ -0,0 +1,11 @@ +--- vendor/golang.org/x/telemetry/internal/configstore/download.go.orig 2025-05-08 09:35:28 UTC ++++ vendor/golang.org/x/telemetry/internal/configstore/download.go +@@ -36,7 +36,7 @@ func Download(version string, envOverlay []string) (*t + } + modVer := ModulePath + "@" + version + var stdout, stderr bytes.Buffer +- cmd := exec.Command("go", "mod", "download", "-json", modVer) ++ cmd := exec.Command("%%GO_CMD%%", "mod", "download", "-json", modVer) + cmd.Env = append(os.Environ(), envOverlay...) + cmd.Stdout = &stdout + cmd.Stderr = &stderr diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go new file mode 100644 index 000000000000..b8ea9e633a94 --- /dev/null 
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go @@ -0,0 +1,11 @@ +--- vendor/golang.org/x/telemetry/internal/telemetry/dir.go.orig 2025-05-08 09:35:02 UTC ++++ vendor/golang.org/x/telemetry/internal/telemetry/dir.go +@@ -52,7 +52,7 @@ func init() { + if err != nil { + return + } +- Default = NewDir(filepath.Join(cfgDir, "go", "telemetry")) ++ Default = NewDir(filepath.Join(cfgDir, "%%GO_CMD%%", "telemetry")) + } + + func (d Dir) Dir() string { diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go new file mode 100644 index 000000000000..4dcb9c703a59 --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go @@ -0,0 +1,11 @@ +--- vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go.orig 2025-05-08 09:27:42 UTC ++++ vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go +@@ -87,7 +87,7 @@ func Find(importPath, srcDir string) (filename, path s + // Deprecated: Use the higher-level API in golang.org/x/tools/go/packages, + // which is more efficient. + func Find(importPath, srcDir string) (filename, path string) { +- cmd := exec.Command("go", "list", "-json", "-export", "--", importPath) ++ cmd := exec.Command("%%GO_CMD%%", "list", "-json", "-export", "--", importPath) + cmd.Dir = srcDir + out, err := cmd.Output() + if err != nil { diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go new file mode 100644 index 000000000000..86b3c18a17ed --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go 
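Review bot: In vendor/golang.org/x/telemetry/internal/telemetry/dir.go the replaced `"go"` is a directory name, not a command. After substitution, `filepath.Join(cfgDir, "%%GO_CMD%%", "telemetry")` places the telemetry directory under whatever `${GO_CMD}` expands to (presumably a path to the go binary) inside the user's config directory. The gcimporter/exportdata.go patch later in this commit has the same problem: `filepath.Join(build.Default.GOROOT, "bin", "%%GO_CMD%%")` would no longer name a file under GOROOT/bin. I would drop the dir.go patch so the line stays `Default = NewDir(filepath.Join(cfgDir, "go", "telemetry"))`, and in exportdata.go either keep the upstream line or pass `"%%GO_CMD%%"` to `exec.Command` directly without the join. Both enclosing functions extend beyond their hunks.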
@@ -0,0 +1,11 @@ +--- vendor/golang.org/x/tools/go/packages/packagestest/export.go.orig 2025-05-08 09:28:42 UTC ++++ vendor/golang.org/x/tools/go/packages/packagestest/export.go +@@ -37,7 +37,7 @@ the 'go list' command on the specified modules: + }) + defer e.Cleanup() + +- cmd := exec.Command("go", "list", "gopher.example/...") ++ cmd := exec.Command("%%GO_CMD%%", "list", "gopher.example/...") + cmd.Dir = e.Config.Dir + cmd.Env = e.Config.Env + out, err := cmd.Output() diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go new file mode 100644 index 000000000000..64a057ceea2d --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go @@ -0,0 +1,11 @@ +--- vendor/golang.org/x/tools/internal/gcimporter/exportdata.go.orig 2025-05-08 09:32:45 UTC ++++ vendor/golang.org/x/tools/internal/gcimporter/exportdata.go +@@ -392,7 +392,7 @@ func lookupGorootExport(pkgDir string) (string, error) + ) + f, _ = exportMap.LoadOrStore(pkgDir, func() (string, error) { + listOnce.Do(func() { +- cmd := exec.Command(filepath.Join(build.Default.GOROOT, "bin", "go"), "list", "-export", "-f", "{{.Export}}", pkgDir) ++ cmd := exec.Command(filepath.Join(build.Default.GOROOT, "bin", "%%GO_CMD%%"), "list", "-export", "-f", "{{.Export}}", pkgDir) + cmd.Dir = build.Default.GOROOT + cmd.Env = append(os.Environ(), "PWD="+cmd.Dir, "GOROOT="+build.Default.GOROOT) + var output []byte diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go new file mode 100644 index 000000000000..447c512d1811 --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go 
@@ -0,0 +1,11 @@ +--- vendor/golang.org/x/tools/internal/gocommand/invoke.go.orig 2025-05-08 09:34:03 UTC ++++ vendor/golang.org/x/tools/internal/gocommand/invoke.go +@@ -245,7 +245,7 @@ func (i *Invocation) run(ctx context.Context, stdout, + appendOverlayFlag() + goArgs = append(goArgs, i.Args...) + } +- cmd := exec.Command("go", goArgs...) ++ cmd := exec.Command("%%GO_CMD%%", goArgs...) + cmd.Stdout = stdout + cmd.Stderr = stderr + diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go new file mode 100644 index 000000000000..92a3260e8b51 --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go @@ -0,0 +1,11 @@ +--- vendor/golang.org/x/tools/internal/goroot/importcfg.go.orig 2025-05-08 09:33:18 UTC ++++ vendor/golang.org/x/tools/internal/goroot/importcfg.go +@@ -47,7 +47,7 @@ func PkgfileMap() (map[string]string, error) { + func PkgfileMap() (map[string]string, error) { + once.Do(func() { + m := make(map[string]string) +- output, err := exec.Command("go", "list", "-export", "-e", "-f", "{{.ImportPath}} {{.Export}}", "std", "cmd").Output() ++ output, err := exec.Command("%%GO_CMD%%", "list", "-export", "-e", "-f", "{{.ImportPath}} {{.Export}}", "std", "cmd").Output() + if err != nil { + stdlibPkgfileErr = err + } diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go new file mode 100644 index 000000000000..3c8c09262b38 --- /dev/null +++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go 
@@ -0,0 +1,38 @@ +--- vendor/golang.org/x/tools/internal/testenv/testenv.go.orig 2025-05-08 09:30:00 UTC ++++ vendor/golang.org/x/tools/internal/testenv/testenv.go +@@ -115,7 +115,7 @@ func HasTool(tool string) error { + checkGoBuild.err = err + return + } +- cmd := exec.Command("go", "build", "-o", os.DevNull, mainGo) ++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", os.DevNull, mainGo) + cmd.Dir = dir + if out, err := cmd.CombinedOutput(); err != nil { + if len(out) > 0 { +@@ -145,7 +145,7 @@ func cgoEnabled(bypassEnvironment bool) (bool, error) + } + + func cgoEnabled(bypassEnvironment bool) (bool, error) { +- cmd := exec.Command("go", "env", "CGO_ENABLED") ++ cmd := exec.Command("%%GO_CMD%%", "env", "CGO_ENABLED") + if bypassEnvironment { + cmd.Env = append(append([]string(nil), os.Environ()...), "CGO_ENABLED=") + } +@@ -444,7 +444,7 @@ func findGOROOT() (string, error) { + return + } + +- cmd := exec.Command("go", "env", "GOROOT") ++ cmd := exec.Command("%%GO_CMD%%", "env", "GOROOT") + out, err := cmd.Output() + if err != nil { + gorootErr = fmt.Errorf("%v: %v", cmd, err) +@@ -480,7 +480,7 @@ func NeedsLocalXTools(t testing.TB) { + + NeedsTool(t, "go") + +- cmd := Command(t, "go", "list", "-f", "{{with .Replace}}{{.Dir}}{{end}}", "-m", "golang.org/x/tools") ++ cmd := Command(t, "%%GO_CMD%%", "list", "-f", "{{with .Replace}}{{.Dir}}{{end}}", "-m", "golang.org/x/tools") + out, err := cmd.Output() + if err != nil { + if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 { diff --git a/security/govulncheck/pkg-descr b/security/govulncheck/pkg-descr new file mode 100644 index 000000000000..5759881efc1c --- /dev/null +++ b/security/govulncheck/pkg-descr 
@@ -0,0 +1,19 @@ +Govulncheck reports known vulnerabilities that affect Go code. +It uses static analysis of source code or a binary's symbol table +to narrow down reports to only those that could affect the +application. + +By default, govulncheck makes requests to the Go vulnerability +database at https://vuln.go.dev. Requests to the vulnerability +database contain only module paths with vulnerabilities already +known to the database, not code or other properties of your +program. See https://vuln.go.dev/privacy.html for more. +Use the -db flag to specify a different database, which must +implement the specification at https://go.dev/security/vuln/database. + +Govulncheck looks for vulnerabilities in Go programs using a specific +build configuration. For analyzing source code, that configuration is +the Go version specified by the "go" command found on the PATH. For +binaries, the build configuration is the one used to build the binary. +Note that different build configurations may have different known +vulnerabilities. diff --git a/security/node-sqlcipher/Makefile b/security/node-sqlcipher/Makefile index 5ade2847365e..28c25c052618 100644 --- a/security/node-sqlcipher/Makefile +++ b/security/node-sqlcipher/Makefile @@ -1,5 +1,5 @@ PORTNAME= node-sqlcipher -DISTVERSION= 2.0.0 +DISTVERSION= 2.0.1 CATEGORIES= security MASTER_SITES= https://github.com/signalapp/node-sqlcipher/archive/refs/tags/v${DISTVERSION}/:sqlcipher \ https://registry.npmjs.org/@esbuild/freebsd-arm64/-/:esbuildarm64 \ @@ -26,7 +26,7 @@ USES= nodejs:20,build PLIST_FILES= lib/node_sqlcipher.node -ESBUILD_VERS= 0.25.3 +ESBUILD_VERS= 0.25.4 ESBUILD_ARCH= ${ARCH:S/aarch64/arm64/:S/amd64/x64/} MAKE_ENV+= ESBUILD_BINARY_PATH=${WRKDIR}/esbuild-freebsd-64/package/bin/esbuild diff --git a/security/node-sqlcipher/distinfo b/security/node-sqlcipher/distinfo index 0e85aa5b51c8..851591c935a6 100644 --- a/security/node-sqlcipher/distinfo +++ b/security/node-sqlcipher/distinfo 
@@ -1,9 +1,9 @@ -TIMESTAMP = 1745482082 -SHA256 (freebsd-arm64-0.25.3.tgz) = 66cd941c96ed8b27d2e319c442eea96becbb99374d830795508279b68ce02124 -SIZE (freebsd-arm64-0.25.3.tgz) = 4001403 -SHA256 (freebsd-x64-0.25.3.tgz) = e895510cb1cd3c194792ab1bc6976e5f4f3b1899c790aaa8deff2c801fb07760 -SIZE (freebsd-x64-0.25.3.tgz) = 4351370 -SHA256 (node-sqlcipher-2.0.0.tar.gz) = fa5ebc0ae37cc40800305b117f3f5008036309043d85cdfb6dcfeb3adea2d56b -SIZE (node-sqlcipher-2.0.0.tar.gz) = 2711493 -SHA256 (node-sqlcipher-2.0.0-npm-cache.tar.gz) = bc2d77eeb74dbed95327ef46be2309e2a6a102628172800b196a1d11022a398a -SIZE (node-sqlcipher-2.0.0-npm-cache.tar.gz) = 66671541 +TIMESTAMP = 1747319143 +SHA256 (freebsd-arm64-0.25.4.tgz) = 0072915465631a1bc954ec539e0f2bb0dbdfcf6cea1073d7d1d6deb7b5008156 +SIZE (freebsd-arm64-0.25.4.tgz) = 4002815 +SHA256 (freebsd-x64-0.25.4.tgz) = 56e4cd53e81c443d2ad85812f8582fe5628fcf1eebc1d7b5b541b4c81862df9e +SIZE (freebsd-x64-0.25.4.tgz) = 4354424 +SHA256 (node-sqlcipher-2.0.1.tar.gz) = 33822ea0eff715acb00d2bcc27d1ea9470e1312aa4f5ddbdbd79b195d20b1a81 +SIZE (node-sqlcipher-2.0.1.tar.gz) = 2711520 +SHA256 (node-sqlcipher-2.0.1-npm-cache.tar.gz) = 3d9021adbf6853d9726577862c6cf471cb6edefb5aff4a1d1fdc74a506e26d36 +SIZE (node-sqlcipher-2.0.1-npm-cache.tar.gz) = 68950580 diff --git a/security/nss/Makefile b/security/nss/Makefile index 95cf763e709b..cd09fec5a081 100644 --- a/security/nss/Makefile +++ b/security/nss/Makefile @@ -1,5 +1,5 @@ PORTNAME= nss -PORTVERSION= 3.111 +PORTVERSION= 3.112 CATEGORIES= security MASTER_SITES= MOZILLA/security/${PORTNAME}/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src diff --git a/security/nss/distinfo b/security/nss/distinfo index 62ed0eddbcaa..4363042d1944 100644 --- a/security/nss/distinfo +++ b/security/nss/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1746465088 -SHA256 (nss-3.111.tar.gz) = 5a4d5a44e91ef03cdc0c4897cf616e3c92f4e590ea835d3e0ccad8b005bd73c6 -SIZE (nss-3.111.tar.gz) = 76617947 +TIMESTAMP = 1748343929 +SHA256 (nss-3.112.tar.gz) = 33ae72d43b275957252adc8639e84229d3ae692a57b6191b059d9456b8568a68 +SIZE (nss-3.112.tar.gz) = 76620428 diff --git a/security/p5-CSP/Makefile b/security/p5-CSP/Makefile index 168133d07658..350902446199 100644 --- a/security/p5-CSP/Makefile +++ b/security/p5-CSP/Makefile @@ -6,7 +6,7 @@ MASTER_SITES= ftp://ftp.it.su.se/pub/users/leifj/ \ http://redundancy.redundancy.org/mirror/ PKGNAMEPREFIX= p5- -MAINTAINER= ports@FreeBSD.org +MAINTAINER= perl@FreeBSD.org COMMENT= Perl tool for managing Certificate Authorities WWW= http://devel.it.su.se/projects/CSP/ diff --git a/security/p5-dicewaregen/Makefile b/security/p5-dicewaregen/Makefile index 7041b806298a..0c495d9a2760 100644 --- a/security/p5-dicewaregen/Makefile +++ b/security/p5-dicewaregen/Makefile @@ -3,7 +3,7 @@ PORTVERSION= 1.4 CATEGORIES= security PKGNAMEPREFIX= p5- -MAINTAINER= ports@FreeBSD.org +MAINTAINER= perl@FreeBSD.org COMMENT= Perl script to generate Diceware dictionaries for passwords WWW= https://github.com/graudeejs/dicewaregen.pl diff --git a/security/py-passhole/Makefile b/security/py-passhole/Makefile index d5e96346f923..98d49592b793 100644 --- a/security/py-passhole/Makefile +++ b/security/py-passhole/Makefile @@ -1,6 +1,5 @@ PORTNAME= passhole -DISTVERSION= 1.10.0 -PORTREVISION= 1 +DISTVERSION= 1.10.1 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-passhole/distinfo b/security/py-passhole/distinfo index b1651305de2e..8f23f10ef29a 100644 --- a/security/py-passhole/distinfo +++ b/security/py-passhole/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1710386646 -SHA256 (passhole-1.10.0.tar.gz) = de937186a9a4c3cb4ed30541b999ee6bae0726b129c9e35200a88032c338a156 -SIZE (passhole-1.10.0.tar.gz) = 57522 +TIMESTAMP = 1748278992 +SHA256 (passhole-1.10.1.tar.gz) = e71f110391f40f100023475e2d78544b2faae6f1a2c4258753877d1585d171d1 +SIZE (passhole-1.10.1.tar.gz) = 65435 diff --git a/security/signify/Makefile b/security/signify/Makefile index 2abfda5cad9f..a2998eca08b3 100644 --- a/security/signify/Makefile +++ b/security/signify/Makefile @@ -1,6 +1,6 @@ PORTNAME= signify DISTVERSIONPREFIX= v -DISTVERSION= 0.13 +DISTVERSION= 0.14 PORTEPOCH= 1 CATEGORIES= security diff --git a/security/signify/distinfo b/security/signify/distinfo index 7ecea46f0457..0626f7ec7175 100644 --- a/security/signify/distinfo +++ b/security/signify/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1698320458 -SHA256 (leahneukirchen-outils-v0.13_GH0.tar.gz) = 49d46211fe84a5b96cf55d689696d190b7aba7d3e043c8c8dc9f5ff9af8f927a -SIZE (leahneukirchen-outils-v0.13_GH0.tar.gz) = 281834 +TIMESTAMP = 1748271343 +SHA256 (leahneukirchen-outils-v0.14_GH0.tar.gz) = e4dcbd92b25bbb371216b0fad5aa80cdff19f466f7ec8b5e145111fb348c91eb +SIZE (leahneukirchen-outils-v0.14_GH0.tar.gz) = 281863 diff --git a/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go b/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go new file mode 100644 index 000000000000..a249bd5099ae --- /dev/null +++ b/security/vuls/files/patch-vendor_gorm.io_gorm_internal_stmt_store_stmt_store.go 
@@ -0,0 +1,29 @@ +commit 8c4e8e2d2a63ef019048bd988a2016948605920b +Author: iTanken <23544702+iTanken@users.noreply.github.com> +Date: Sun Apr 27 14:05:16 2025 +0800 + + fix: int type variable defaultMaxSize overflows in 32-bit environment (#7439) + + Refs: #7435 + +diff --git a/internal/stmt_store/stmt_store.go b/internal/stmt_store/stmt_store.go +index 7068419..a82b2cf 100644 +--- vendor/gorm.io/gorm/internal/stmt_store/stmt_store.go ++++ vendor/gorm.io/gorm/internal/stmt_store/stmt_store.go +@@ -3,6 +3,7 @@ package stmt_store + import ( + "context" + "database/sql" ++ "math" + "sync" + "time" + +@@ -73,7 +74,7 @@ type Store interface { + // the cache can theoretically store as many elements as possible. + // (1 << 63) - 1 is the maximum value that an int64 type can represent. + const ( +- defaultMaxSize = (1 << 63) - 1 ++ defaultMaxSize = math.MaxInt + // defaultTTL defines the default time-to-live (TTL) for each cache entry. + // When the TTL for cache entries is not specified, each cache entry will expire after 24 hours. + defaultTTL = time.Hour * 24 diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 0c4d3ccee4af..14393c4e4738 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml 
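Review bot: The comment kept as context above `defaultMaxSize` still says `(1 << 63) - 1 is the maximum value that an int64 type can represent`, which no longer describes the constant once it is `math.MaxInt` and therefore platform-sized. Because this is a verbatim backport of the upstream commit, leaving the patch unchanged is defensible, but the stale sentence will mislead anyone reading the vendored file on a 32-bit target. If the patch is touched again, replace that sentence with `// math.MaxInt is the largest value an int can hold on the target platform.` The const block continues past the end of the hunk.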
@@ -1,21 +1,57 @@ + <vuln vid="45eb98d6-3b13-11f0-97f7-b42e991fc52e"> + <topic>grafana -- XSS vulnerability</topic> + <affects> + <package> + <name>grafana</name> + <range><lt>12.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@grafana.com reports:</p> + <blockquote cite="https://grafana.com/security/security-advisories/cve-2025-4123/"> + <p>A cross-site scripting (XSS) vulnerability exists in Grafana caused + by combining a client path traversal and open redirect. This allows + attackers to redirect users to a website that hosts a frontend + plugin that will execute arbitrary JavaScript. This vulnerability + does not require editor permissions and if anonymous access is + enabled, the XSS will work. If the Grafana Image Renderer plugin + is installed, it is possible to exploit the open redirect to achieve + a full read SSRF. + + The default Content-Security-Policy (CSP) in Grafana will block the + XSS though the `connect-src` directive.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4123</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4123</url> + </references> + <dates> + <discovery>2025-05-22</discovery> + <entry>2025-05-27</entry> + </dates> + </vuln> + <vuln vid="e587b52d-38ac-11f0-b7b6-dcfe074bd614"> <topic>cpython -- Use-after-free in "unicode_escape" decoder with error handler</topic> <affects> <package> <name>python39</name> - <range><lt>3.9.22</lt></range> + <range><lt>3.9.22_1</lt></range> </package> <package> <name>python310</name> - <range><lt>3.10.17</lt></range> + <range><lt>3.10.17_1</lt></range> </package> <package> <name>python311</name> - <range><lt>3.11.12</lt></range> + <range><lt>3.11.12_1</lt></range> </package> <package> <name>python312</name> - <range><lt>3.12.10</lt></range> + <range><lt>3.12.10_1</lt></range> </package> </affects> <description> 
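Review bot: The four `<range>` edits to the existing cpython entry (vid e587b52d-38ac-11f0-b7b6-dcfe074bd614) change which installed packages are reported as vulnerable, but that entry's `<dates>` block lies outside the hunk, so it is not visible whether the change is recorded there. The same applies to the asterisk18 range correction in the second hunk (`18.26.20` to `18.26.2`), which narrows the set of versions flagged. If neither entry carries one yet, add a `<modified>YYYY-MM-DD</modified>` line (placeholder date) to each `<dates>` block so consumers of the feed can tell the ranges were revised after the original `<entry>` date.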
@@ -5576,7 +5612,7 @@ <affects> <package> <name>asterisk18</name> - <range><lt>18.26.20</lt></range> + <range><lt>18.26.2</lt></range> </package> <package> <name>asterisk20</name> |