diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/boringssl/Makefile | 4 | ||||
| -rw-r--r-- | security/boringssl/distinfo | 6 | ||||
| -rw-r--r-- | security/libp11/Makefile | 6 | ||||
| -rw-r--r-- | security/libp11/distinfo | 6 | ||||
| -rw-r--r-- | security/libp11/files/patch-configure.ac | 4 | ||||
| -rw-r--r-- | security/libp11/files/patch-src_Makefile.am | 13 | ||||
| -rw-r--r-- | security/libp11/pkg-plist | 7 | ||||
| -rw-r--r-- | security/py-netbox-secrets/Makefile | 7 | ||||
| -rw-r--r-- | security/py-netbox-secrets/distinfo | 6 | ||||
| -rw-r--r-- | security/tpm2-tss/Makefile | 2 | ||||
| -rw-r--r-- | security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c | 11 | ||||
| -rw-r--r-- | security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c | 12 | ||||
| -rw-r--r-- | security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c | 16 | ||||
| -rw-r--r-- | security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c | 11 | ||||
| -rw-r--r-- | security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c | 14 | ||||
| -rw-r--r-- | security/vuxml/vuln/2025.xml | 169 |
16 files changed, 274 insertions, 20 deletions
diff --git a/security/boringssl/Makefile b/security/boringssl/Makefile index b427ea2ca43b..6605e0b5f37c 100644 --- a/security/boringssl/Makefile +++ b/security/boringssl/Makefile @@ -1,5 +1,5 @@ PORTNAME= boringssl -PORTVERSION= 0.0.0.0.2025.05.07.01 +PORTVERSION= 0.0.0.0.2025.05.13.01 CATEGORIES= security EXTRACT_ONLY= ${GH_ACCOUNT}-${PORTNAME}-${PORTVERSION}-${GH_TAGNAME}_GH0.tar.gz @@ -19,7 +19,7 @@ CPE_VENDOR= google USE_GITHUB= yes GH_ACCOUNT= google -GH_TAGNAME= 864a235 +GH_TAGNAME= 8997380 CMAKE_ARGS+= -DBUILD_SHARED_LIBS=1 CFLAGS_i386= -msse2 diff --git a/security/boringssl/distinfo b/security/boringssl/distinfo index 6e865c3421a2..170d821b0d5f 100644 --- a/security/boringssl/distinfo +++ b/security/boringssl/distinfo @@ -1,4 +1,4 @@ -TIMESTAMP = 1746707749 +TIMESTAMP = 1747212570 SHA256 (filippo.io/edwards25519/@v/v1.1.0.zip) = 9ac43a686d06fdebd719f7af3866c87eb069302272dfb131007adf471c308b65 SIZE (filippo.io/edwards25519/@v/v1.1.0.zip) = 55809 SHA256 (filippo.io/edwards25519/@v/v1.1.0.mod) = 099556fc4d7e6f5cb135efdd8b6bb4c0932e38ea058c53fc5fa5ce285572fb61 @@ -11,5 +11,5 @@ SHA256 (golang.org/x/sys/@v/v0.32.0.zip) = 85d47075d21fd7ef35d9a47fc73f2356fb3cd SIZE (golang.org/x/sys/@v/v0.32.0.zip) = 1991164 SHA256 (golang.org/x/sys/@v/v0.32.0.mod) = f67e3e18f4c08e60a7e80726ab36b691fdcea5b81ae1c696ff64caf518bcfe3d SIZE (golang.org/x/sys/@v/v0.32.0.mod) = 35 -SHA256 (google-boringssl-0.0.0.0.2025.05.07.01-864a235_GH0.tar.gz) = 5d35ccedd5ce74a11523ad4f08c1edb589697d22b11b644edae65f3592351f98 -SIZE (google-boringssl-0.0.0.0.2025.05.07.01-864a235_GH0.tar.gz) = 46144754 +SHA256 (google-boringssl-0.0.0.0.2025.05.13.01-8997380_GH0.tar.gz) = c385bc4309ecc58e04cf701d2e95a3dbc9c74e12cb3e5b9417b3df6cb2de790f +SIZE (google-boringssl-0.0.0.0.2025.05.13.01-8997380_GH0.tar.gz) = 46142079 diff --git a/security/libp11/Makefile b/security/libp11/Makefile index 1ac2909bf055..7575e9c2ed49 100644 --- a/security/libp11/Makefile +++ b/security/libp11/Makefile @@ -1,5 +1,5 @@ PORTNAME= libp11 -PORTVERSION= 0.4.13 +PORTVERSION= 0.4.14 DISTVERSIONPREFIX= ${PORTNAME}- CATEGORIES= security devel @@ -35,7 +35,9 @@ CONFIGURE_ENV= LTLIB_CFLAGS="-I${LOCALBASE}/include" \ OPENSSL_CFLAGS="-I${OPENSSLINC}" \ OPENSSL_LIBS="-L${OPENSSLLIB} -lssl -lcrypto" -CONFIGURE_ARGS= --with-enginesdir=${PREFIX}/lib/engines +CONFIGURE_ARGS= --with-enginesdir=${PREFIX}/lib/engines \ + --with-modulesdir=${PREFIX}/lib/ossl-modules \ + --enable-static-engine INSTALL_TARGET= install-strip diff --git a/security/libp11/distinfo b/security/libp11/distinfo index def41ebc82a5..15ac552b5724 100644 --- a/security/libp11/distinfo +++ b/security/libp11/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1734366816 -SHA256 (OpenSC-libp11-libp11-0.4.13_GH0.tar.gz) = 5e8e258c6a8e33155c3a2bd2bd7d12a758f82b7bda1f92e8b77075d16edc9889 -SIZE (OpenSC-libp11-libp11-0.4.13_GH0.tar.gz) = 148443 +TIMESTAMP = 1747212917 +SHA256 (OpenSC-libp11-libp11-0.4.14_GH0.tar.gz) = 99405d1b46bf48a990892676b7bc5597692adc53fc50f7bb19e83d03bd394b94 +SIZE (OpenSC-libp11-libp11-0.4.14_GH0.tar.gz) = 172631 diff --git a/security/libp11/files/patch-configure.ac b/security/libp11/files/patch-configure.ac index 42b316830aa1..d427d911cbc4 100644 --- a/security/libp11/files/patch-configure.ac +++ b/security/libp11/files/patch-configure.ac @@ -1,6 +1,6 @@ ---- configure.ac.orig 2024-12-13 18:13:57 UTC +--- configure.ac.orig 2025-05-13 21:17:57 UTC +++ configure.ac -@@ -208,7 +208,7 @@ fi +@@ -246,7 +246,7 @@ fi [Default PKCS#11 module.]) fi diff --git a/security/libp11/files/patch-src_Makefile.am b/security/libp11/files/patch-src_Makefile.am new file mode 100644 index 000000000000..f8e9be42f65a --- /dev/null +++ b/security/libp11/files/patch-src_Makefile.am @@ -0,0 +1,13 @@ +--- src/Makefile.am.orig 2025-05-14 13:58:16 UTC ++++ src/Makefile.am +@@ -4,8 +4,8 @@ EXTRA_DIST = Makefile.mak libp11.rc.in pkcs11.rc.in + CLEANFILES = libp11.pc + EXTRA_DIST = Makefile.mak libp11.rc.in pkcs11.rc.in + +-noinst_HEADERS= libp11-int.h pkcs11.h p11_pthread.h +-include_HEADERS= libp11.h p11_err.h util.h ++noinst_HEADERS= libp11-int.h pkcs11.h p11_pthread.h util.h ++include_HEADERS= libp11.h p11_err.h + if ENABLE_STATIC_ENGINE + lib_LTLIBRARIES = libp11.la libpkcs11.la + else diff --git a/security/libp11/pkg-plist b/security/libp11/pkg-plist index 73bea38f97d3..79526fa0f30a 100644 --- a/security/libp11/pkg-plist +++ b/security/libp11/pkg-plist @@ -2,10 +2,12 @@ include/libp11.h include/p11_err.h lib/engines/libpkcs11.so lib/engines/pkcs11.so +lib/ossl-modules/libpkcs11.so +lib/ossl-modules/pkcs11prov.so lib/libp11.a lib/libp11.so lib/libp11.so.3 -lib/libp11.so.3.6.0 +lib/libp11.so.3.7.0 lib/libpkcs11.a lib/libpkcs11.so lib/libpkcs11.so.0 @@ -15,6 +17,9 @@ libdata/pkgconfig/libp11.pc %%PORTEXAMPLES%%%%EXAMPLESDIR%%/README %%PORTEXAMPLES%%%%EXAMPLESDIR%%/auth.c %%PORTEXAMPLES%%%%EXAMPLESDIR%%/decrypt.c +%%PORTEXAMPLES%%%%EXAMPLESDIR%%/eckeygen.c %%PORTEXAMPLES%%%%EXAMPLESDIR%%/getrandom.c %%PORTEXAMPLES%%%%EXAMPLESDIR%%/listkeys.c %%PORTEXAMPLES%%%%EXAMPLESDIR%%/listkeys_ext.c +%%PORTEXAMPLES%%%%EXAMPLESDIR%%/rsakeygen.c +%%PORTEXAMPLES%%%%EXAMPLESDIR%%/storecert.c diff --git a/security/py-netbox-secrets/Makefile b/security/py-netbox-secrets/Makefile index 72e83b741b37..79466b639c92 100644 --- a/security/py-netbox-secrets/Makefile +++ b/security/py-netbox-secrets/Makefile @@ -1,6 +1,5 @@ PORTNAME= netbox-secrets -DISTVERSION= 2.2.0 -PORTREVISION= 1 +DISTVERSION= 2.2.1 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -13,10 +12,12 @@ WWW= https://github.com/Onemind-Services-LLC/netbox-secrets LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE.md +BUILD_DEPENDS= ${PY_SETUPTOOLS} \ + ${PYTHON_PKGNAMEPREFIX}wheel>0:devel/py-wheel@${PY_FLAVOR} RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pycryptodome>0:security/py-pycryptodome@${PY_FLAVOR} USES= python -USE_PYTHON= autoplist distutils +USE_PYTHON= autoplist pep517 NO_ARCH= yes diff --git a/security/py-netbox-secrets/distinfo b/security/py-netbox-secrets/distinfo index 2a6f2505f573..25c5b104549d 100644 --- a/security/py-netbox-secrets/distinfo +++ b/security/py-netbox-secrets/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1738929151 -SHA256 (netbox_secrets-2.2.0.tar.gz) = 6140dd46981c65a96bc174ac07905ae7355bdbdc3d144fc281a0cde0f6e096c8 -SIZE (netbox_secrets-2.2.0.tar.gz) = 57503 +TIMESTAMP = 1747310577 +SHA256 (netbox_secrets-2.2.1.tar.gz) = 26f817f9a9c03dcd34aaaa89d4744b2d15408d0e38f584aa6f2cb73bdd48958f +SIZE (netbox_secrets-2.2.1.tar.gz) = 57852 diff --git a/security/tpm2-tss/Makefile b/security/tpm2-tss/Makefile index f02c6c5417b2..8d60a2b418bc 100644 --- a/security/tpm2-tss/Makefile +++ b/security/tpm2-tss/Makefile @@ -1,6 +1,6 @@ PORTNAME= tpm2-tss DISTVERSION= 4.0.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= https://github.com/tpm2-software/tpm2-tss/releases/download/${DISTVERSION}/ diff --git a/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c b/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c new file mode 100644 index 000000000000..d613ac6e7e64 --- /dev/null +++ b/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c @@ -0,0 +1,11 @@ +--- src/tss2-esys/esys_context.c.orig 2025-02-22 22:43:21 UTC ++++ src/tss2-esys/esys_context.c +@@ -26,7 +26,7 @@ + * If not specified, load a TCTI in this order: + * Library libtss2-tcti-default.so (link to the preferred TCTI) + * Library libtss2-tcti-tabrmd.so (tabrmd) +- * Device /dev/tpmrm0 (kernel resident resource manager) ++ * Device /dev/tpmrm0 (kernel resident resource manager, SKIPPED on FreeBSD) + * Device /dev/tpm0 (hardware TPM) + * TCP socket localhost:2321 (TPM simulator) + * @param esys_context [out] The ESYS_CONTEXT. diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c new file mode 100644 index 000000000000..52a165e2a191 --- /dev/null +++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c @@ -0,0 +1,12 @@ +--- src/tss2-tcti/tcti-device.c.orig 2023-01-23 18:36:16.000000000 +0000 ++++ src/tss2-tcti/tcti-device.c 2025-05-08 08:40:29.255475000 +0000 +@@ -61,7 +61,9 @@ + #ifdef __VXWORKS__ + "/tpm0" + #else ++#ifndef __FreeBSD__ + "/dev/tpmrm0", ++#endif /* __FreeBSD__ */ + "/dev/tpm0", + #endif /* __VX_WORKS__ */ + }; diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c new file mode 100644 index 000000000000..9353fa36c133 --- /dev/null +++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c @@ -0,0 +1,16 @@ +--- src/tss2-tcti/tctildr-dl.c.orig 2025-02-22 22:43:21 UTC ++++ src/tss2-tcti/tctildr-dl.c +@@ -37,11 +37,13 @@ struct { + .file = "libtss2-tcti-tabrmd.so.0", + .description = "Access libtss2-tcti-tabrmd.so", + }, ++#if !defined(__FreeBSD__) + { + .file = "libtss2-tcti-device.so.0", + .conf = "/dev/tpmrm0", + .description = "Access libtss2-tcti-device.so.0 with /dev/tpmrm0", + }, ++#endif + { + .file = "libtss2-tcti-device.so.0", + .conf = "/dev/tpm0", diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c new file mode 100644 index 000000000000..219dee0c0639 --- /dev/null +++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c @@ -0,0 +1,11 @@ +--- src/tss2-tcti/tctildr-nodl.c.orig 2025-02-22 22:43:21 UTC ++++ src/tss2-tcti/tctildr-nodl.c +@@ -67,7 +67,7 @@ struct { + .init = Tss2_Tcti_Tbs_Init, + .description = "Access to TBS", + }, +-#elif defined (__VXWORKS__) ++#elif defined (__VXWORKS__) || defined(__FreeBSD__) + { + .names = { + "libtss2-tcti-device.so.0", diff --git a/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c b/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c new file mode 100644 index 000000000000..99090001bd2b --- /dev/null +++ b/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c @@ -0,0 +1,14 @@ +--- test/unit/tctildr-nodl.c.orig 2025-02-22 22:43:21 UTC ++++ test/unit/tctildr-nodl.c +@@ -65,9 +65,11 @@ test_tctildr_get_default_all_fail (void **state) + /* device:/dev/tpm0 */ + will_return (__wrap_tcti_from_init, tcti_ctx); + will_return (__wrap_tcti_from_init, TEST_RC); ++#if !defined (__FreeBSD__) + /* device:/dev/tpmrm0 */ + will_return (__wrap_tcti_from_init, tcti_ctx); + will_return (__wrap_tcti_from_init, TEST_RC); ++#endif + /* swtpm */ + will_return (__wrap_tcti_from_init, tcti_ctx); + will_return (__wrap_tcti_from_init, TEST_RC); diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 8bcfd16d2c2e..57231ad368f3 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,172 @@ + <vuln vid="79400d31-3166-11f0-8cb5-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>136.0.7103.113</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>136.0.7103.113</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html"> + <p>This update includes 4 security fixes:</p> + <ul> + <li>[415810136] High CVE-2025-4664: Insufficient policy enforcement in Loader. Source: X post from @slonser_ on 2025-05-05</li> + <li>[412578726] High CVE-2025-4609: Incorrect handle provided in unspecified circumstances in Mojo. Reported by Micky on 2025-04-22</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4664</cvename> + <cvename>CVE-2025-4609</cvename> + <url>https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html</url> + </references> + <dates> + <discovery>2025-05-14</discovery> + <entry>2025-05-15</entry> + </dates> + </vuln> + + <vuln vid="52efdd56-30bd-11f0-81be-b42e991fc52e"> + <topic>Mozilla -- memory safety bugs</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>138.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>128.10</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>138.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"> + <p>Memory safety bugs present in Firefox 137, Thunderbird 137, + Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs + showed evidence of memory corruption and we presume that + with enough effort some of these could have been exploited + to run arbitrary code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4091</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4091</url> + </references> + <dates> + <discovery>2025-04-29</discovery> + <entry>2025-05-14</entry> + </dates> + </vuln> + + <vuln vid="4f17db64-30bd-11f0-81be-b42e991fc52e"> + <topic>Mozilla -- memory corruption</topic> + <affects> + <package> + <name>firefox-esr</name> + <range><lt>128.10</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>128.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1894100"> + <p>Memory safety bug present in Firefox ESR 128.9, and + Thunderbird 128.9. This bug showed evidence of memory + corruption and we presume that with enough effort this could + have been exploited to run arbitrary code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4093</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4093</url> + </references> + <dates> + <discovery>2025-04-29</discovery> + <entry>2025-05-14</entry> + </dates> + </vuln> + + <vuln vid="6f10b49d-07b1-4be4-8abf-edf880b16ad2"> + <topic>vscode -- security feature bypass vulnerability</topic> + <affects> + <package> + <name>vscode</name> + <range><lt>1.100.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>VSCode developers report:</p> + <blockquote cite="https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm"> + <p>A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL but when fetched, the user would have no moment to confirm the flighting of the request.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-21264</cvename> + <url>https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm</url> + <url>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21264</url> + </references> + <dates> + <discovery>2025-05-13</discovery> + <entry>2025-05-14</entry> + </dates> + </vuln> + + <vuln vid="a96cd659-303e-11f0-94b5-54ee755069b5"> + <topic>libxslt -- multiple vulnerabilities</topic> + <affects> + <package> + <name>libxslt</name> + <range><lt>1.1.43</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>[CVE-2024-55549] Fix UAF related to excluded namespaces</h1> + <blockquote cite="https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"> + <p>xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.</p> + </blockquote> + <h1>[CVE-2025-24855] Fix use-after-free of XPath context node</h1> + <blockquote cite="https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"> + <p>numbers.c in libxslt before 1.1.43 has a use-after-free because + , in nested XPath evaluations, an XPath context node can be + modified but never restored. This is related to + xsltNumberFormatGetValue, xsltEvalXPathPredicate, + xsltEvalXPathStringNs, and xsltComputeSortResultInternal.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-55549</cvename> + <cvename>CVE-2025-24855</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-55549</url> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-24855</url> + </references> + <dates> + <discovery>2025-03-13</discovery> + <entry>2025-05-13</entry> + </dates> + </vuln> + <vuln vid="89c668d5-2f80-11f0-9632-641c67a117d8"> <topic>www/varnish7 -- Request Smuggling Attack</topic> <affects> |