Diffstat (limited to 'security')
-rw-r--r-- | security/arti/files/patch-powerpc64le | 20 | ||||
-rw-r--r-- | security/liboqs/Makefile | 3 | ||||
-rw-r--r-- | security/nuclei/Makefile | 2 | ||||
-rw-r--r-- | security/nuclei/distinfo | 10 | ||||
-rw-r--r-- | security/py-pwntools/Makefile | 11 | ||||
-rw-r--r-- | security/rustls-ffi/files/patch-powerpc64le | 38 | ||||
-rw-r--r-- | security/snort3/Makefile | 2 | ||||
-rw-r--r-- | security/snort3/distinfo | 6 | ||||
-rw-r--r-- | security/snort3/pkg-plist | 1 | ||||
-rw-r--r-- | security/vuxml/vuln/2025.xml | 143 |
10 files changed, 222 insertions, 14 deletions
diff --git a/security/arti/files/patch-powerpc64le b/security/arti/files/patch-powerpc64le new file mode 100644 index 000000000000..c70aea7304f9 --- /dev/null +++ b/security/arti/files/patch-powerpc64le @@ -0,0 +1,20 @@ +Obtained from: https://cgit.FreeBSD.org/ports/commit/?id=f08b67611f0b19c0ee8d9053ee4d22e09b03f2b1 + +--- cargo-crates/aws-lc-sys-0.29.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c.orig 2024-07-03 21:50:24 UTC ++++ cargo-crates/aws-lc-sys-0.29.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c +@@ -69,10 +69,15 @@ void OPENSSL_cpuid_setup(void) { + + void OPENSSL_cpuid_setup(void) { + #if defined(AT_HWCAP2) ++#if defined(__linux__) + OPENSSL_ppc64le_hwcap2 = getauxval(AT_HWCAP2); ++#elif defined(__FreeBSD__) ++ elf_aux_info(AT_HWCAP2, &OPENSSL_ppc64le_hwcap2, sizeof(OPENSSL_ppc64le_hwcap2)); ++#endif + #else + OPENSSL_ppc64le_hwcap2 = 0; + #endif ++ + OPENSSL_cpucap_initialized = 1; + + // OPENSSL_ppccap is a 64-bit hex string which may start with "0x". diff --git a/security/liboqs/Makefile b/security/liboqs/Makefile index dd3ff28871c0..2a53bfa1bb1b 100644 --- a/security/liboqs/Makefile +++ b/security/liboqs/Makefile @@ -1,5 +1,6 @@ PORTNAME= liboqs DISTVERSION= 0.13.0 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org @@ -31,7 +32,7 @@ BINARY_ALIAS= python3=${PYTHON_CMD} .include <bsd.port.options.mk> -.if ${ARCH} == amd64 || ${ARCH} == aarch64 || ${ARCH} == risc64 +.if ${ARCH} == amd64 || ${ARCH} == aarch64 || ${ARCH} == risc64 || ${ARCH} == powerpc64le PLIST_SUB+= KEM_BIKE="" # BIKE algorithm is limited by architecture in .CMake/alg_support.cmake .else PLIST_SUB+= KEM_BIKE="@comment " diff --git a/security/nuclei/Makefile b/security/nuclei/Makefile index bf4fd87882ba..ff4ce951c803 100644 --- a/security/nuclei/Makefile +++ b/security/nuclei/Makefile @@ -1,6 +1,6 @@ PORTNAME= nuclei DISTVERSIONPREFIX= v -DISTVERSION= 3.4.5 +DISTVERSION= 3.4.6 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org 
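Review bot: The FreeBSD branch added in security/arti/files/patch-powerpc64le discards the return value of `elf_aux_info()`, and the inner `#if`/`#elif` has no `#else`, so after a failed lookup, or on any other OS that defines `AT_HWCAP2`, `OPENSSL_ppc64le_hwcap2` keeps whatever value it had before (its declaration is outside the hunk). This word presumably decides which CPU-specific crypto paths are enabled, so the fallback should be explicit: `if (elf_aux_info(AT_HWCAP2, &OPENSSL_ppc64le_hwcap2, sizeof(OPENSSL_ppc64le_hwcap2)) != 0) OPENSSL_ppc64le_hwcap2 = 0;`, plus an inner `#else` that assigns 0. The hunk does not show `<sys/auxv.h>` being included on FreeBSD, which should be confirmed in the part of the file that is not visible. The same applies to both copies of this hunk in security/rustls-ffi/files/patch-powerpc64le; the body of OPENSSL_cpuid_setup continues past the hunk.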
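Review bot: The rewritten `.if` line in security/liboqs/Makefile still compares against `risc64`, which looks like a misspelling of FreeBSD's `riscv64` ARCH value, so that alternative would never match and the BIKE plist entries would stay commented out on that architecture; `${ARCH} == riscv64` is probably what was meant. The architecture list is a hand-kept mirror of upstream's .CMake/alg_support.cmake, so the existing comment could also name the liboqs version it was last checked against. The rest of the Makefile is outside the hunk.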
diff --git a/security/nuclei/distinfo b/security/nuclei/distinfo index e4cf46444ae0..fb33bee95717 100644 --- a/security/nuclei/distinfo +++ b/security/nuclei/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1750899492 -SHA256 (go/security_nuclei/nuclei-v3.4.5/v3.4.5.mod) = 5afbb1c8d97f83b0d2b11bd9bf677f5b88043b95241def65c6cdf11d290bbdbe -SIZE (go/security_nuclei/nuclei-v3.4.5/v3.4.5.mod) = 17916 -SHA256 (go/security_nuclei/nuclei-v3.4.5/v3.4.5.zip) = d88771513264794e0f2acb6c03682492363addc36b92c80330fb25ff747462ac -SIZE (go/security_nuclei/nuclei-v3.4.5/v3.4.5.zip) = 12383461 +TIMESTAMP = 1751730063 +SHA256 (go/security_nuclei/nuclei-v3.4.6/v3.4.6.mod) = 95c7844c02f7c9c24a53544e7bcdfd252a11c8fb61a80f555fbffd6dfaf402a6 +SIZE (go/security_nuclei/nuclei-v3.4.6/v3.4.6.mod) = 18995 +SHA256 (go/security_nuclei/nuclei-v3.4.6/v3.4.6.zip) = 6ea753633305e332bcfd8af6b0e6f7042ebf6a1751bc27c3536f535c4b4c3c40 +SIZE (go/security_nuclei/nuclei-v3.4.6/v3.4.6.zip) = 12374607 diff --git a/security/py-pwntools/Makefile b/security/py-pwntools/Makefile index 6451f8ce529e..187252876f64 100644 --- a/security/py-pwntools/Makefile +++ b/security/py-pwntools/Makefile @@ -1,5 +1,6 @@ PORTNAME= pwntools -PORTVERSION= 4.14.1 +DISTVERSION= 4.14.1 +PORTREVISION= 2 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -13,7 +14,6 @@ LICENSE_COMB= multi RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}capstone>=3.0.5rc2:devel/py-capstone@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}colored-traceback>0:devel/py-colored-traceback@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}python-dateutil>0:devel/py-python-dateutil@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}intervaltree>=3.0:devel/py-intervaltree@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}mako>=1.0.0:textproc/py-mako@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}packaging>=0:devel/py-packaging@${PY_FLAVOR} \ 
@@ -24,6 +24,7 @@ RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}capstone>=3.0.5rc2:devel/py-capstone@${PY_FL ${PYTHON_PKGNAMEPREFIX}pygments>=2.9:textproc/py-pygments@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}pyserial>=2.7:comms/py-pyserial@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}pysocks>0:net/py-pysocks@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}python-dateutil>0:devel/py-python-dateutil@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}requests>=2.0:www/py-requests@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}ropgadget>0:security/py-ropgadget@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}rpyc>0:devel/py-RPyC@${PY_FLAVOR} \ @@ -35,4 +36,8 @@ USES= cpe python CPE_VENDOR= pwntools_project USE_PYTHON= autoplist concurrent distutils -.include <bsd.port.mk> +.include <bsd.port.pre.mk> + +PYDISTUTILS_INSTALLARGS+= --only-use-pwn-command + +.include <bsd.port.post.mk> diff --git a/security/rustls-ffi/files/patch-powerpc64le b/security/rustls-ffi/files/patch-powerpc64le new file mode 100644 index 000000000000..213395b8e26c --- /dev/null +++ b/security/rustls-ffi/files/patch-powerpc64le 
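Review bot: The new `PYDISTUTILS_INSTALLARGS+= --only-use-pwn-command` line in the last py-pwntools hunk has no comment, although it changes which commands the package places on PATH and is the reason for the switch to `bsd.port.pre.mk`/`bsd.port.post.mk`. A one-line comment above it would do, for example `# Install only the pwn wrapper command, not the individual tool scripts`, with the wording checked against this version's setup.py.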
@@ -0,0 +1,38 @@ +Obtained from: https://cgit.FreeBSD.org/ports/commit/?id=f08b67611f0b19c0ee8d9053ee4d22e09b03f2b1 + +--- cargo-crates/aws-lc-fips-sys-0.13.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c.orig 2024-07-03 21:50:24 UTC ++++ cargo-crates/aws-lc-fips-sys-0.13.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c +@@ -69,10 +69,15 @@ void OPENSSL_cpuid_setup(void) { + + void OPENSSL_cpuid_setup(void) { + #if defined(AT_HWCAP2) ++#if defined(__linux__) + OPENSSL_ppc64le_hwcap2 = getauxval(AT_HWCAP2); ++#elif defined(__FreeBSD__) ++ elf_aux_info(AT_HWCAP2, &OPENSSL_ppc64le_hwcap2, sizeof(OPENSSL_ppc64le_hwcap2)); ++#endif + #else + OPENSSL_ppc64le_hwcap2 = 0; + #endif ++ + OPENSSL_cpucap_initialized = 1; + + // OPENSSL_ppccap is a 64-bit hex string which may start with "0x". +--- cargo-crates/aws-lc-sys-0.24.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c.orig 2024-07-03 21:50:24 UTC ++++ cargo-crates/aws-lc-sys-0.24.0/aws-lc/crypto/fipsmodule/cpucap/cpu_ppc64le.c +@@ -69,10 +69,15 @@ void OPENSSL_cpuid_setup(void) { + + void OPENSSL_cpuid_setup(void) { + #if defined(AT_HWCAP2) ++#if defined(__linux__) + OPENSSL_ppc64le_hwcap2 = getauxval(AT_HWCAP2); ++#elif defined(__FreeBSD__) ++ elf_aux_info(AT_HWCAP2, &OPENSSL_ppc64le_hwcap2, sizeof(OPENSSL_ppc64le_hwcap2)); ++#endif + #else + OPENSSL_ppc64le_hwcap2 = 0; + #endif ++ + OPENSSL_cpucap_initialized = 1; + + // OPENSSL_ppccap is a 64-bit hex string which may start with "0x". diff --git a/security/snort3/Makefile b/security/snort3/Makefile index 833bdf00cb11..59912933c61c 100644 --- a/security/snort3/Makefile +++ b/security/snort3/Makefile @@ -1,5 +1,5 @@ PORTNAME= snort -DISTVERSION= 3.9.0.0 +DISTVERSION= 3.9.1.0 PORTEPOCH= 1 CATEGORIES= security PKGNAMESUFFIX= 3 diff --git a/security/snort3/distinfo b/security/snort3/distinfo index 043da5daa3cb..948c3a03b335 100644 --- a/security/snort3/distinfo +++ b/security/snort3/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1751444666 -SHA256 (snort3-snort3-3.9.0.0_GH0.tar.gz) = a294be2921440ec39a265e770c15dc52ab011918c6fd288d99e442ceb12f961d -SIZE (snort3-snort3-3.9.0.0_GH0.tar.gz) = 3484705 +TIMESTAMP = 1751623929 +SHA256 (snort3-snort3-3.9.1.0_GH0.tar.gz) = fc19f20cd34192eb78f28d7f128c79c5d0096733277f2b630a8cf892b10f33ce +SIZE (snort3-snort3-3.9.1.0_GH0.tar.gz) = 3501016 diff --git a/security/snort3/pkg-plist b/security/snort3/pkg-plist index 67291c403269..ac9338536bea 100644 --- a/security/snort3/pkg-plist +++ b/security/snort3/pkg-plist @@ -86,6 +86,7 @@ include/snort/helpers/infractions.h include/snort/helpers/json_stream.h include/snort/helpers/literal_search.h include/snort/helpers/memcap_allocator.h +include/snort/helpers/ring2.h include/snort/helpers/scratch_allocator.h include/snort/helpers/sigsafe.h include/snort/helpers/utf.h diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 6bc7dd3de85f..32a7a8a7559a 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml 
@@ -1,3 +1,146 @@ + <vuln vid="a55d2120-58cf-11f0-b4ad-b42e991fc52e"> + <topic>firefox -- multiple vulnerabilities</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>140.0,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1941377%2C1960948%2C1966187%2C1966505%2C1970764"> + <p>An attacker was able to bypass the `connect-src` + directive of a Content Security Policy by manipulating + subdocuments. This would have also hidden the connections + from the Network tab in Devtools.</p> + <p>When Multi-Account Containers was enabled, DNS requests + could have bypassed a SOCKS proxy when the domain name was + invalid or the SOCKS proxy was not responding.</p> + <p>If a user visited a webpage with an invalid TLS + certificate, and granted an exception, the webpage was able to + provide a WebAuthn challenge that the user would be prompted + to complete. This is in violation of the WebAuthN spec which + requires "a secure transport established without + errors".</p> + <p>The exception page for the HTTPS-Only feature, displayed + when a website is opened via HTTP, lacked an anti-clickjacking + delay, potentially allowing an attacker to trick a user into + granting an exception and loading a webpage over HTTP.</p> + <p>If a user saved a response from the Network tab in Devtools + using the Save As context menu option, that file may not have + been saved with the `.download` file extension. + This could have led to the user inadvertently running a + malicious executable.</p> + <p>Memory safety bugs present in Firefox 139 and Thunderbird + 139. 
Some of these bugs showed evidence of memory corruption + and we presume that with enough effort some of these could + have been exploited to run arbitrary code.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-6427</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6427</url> + <cvename>CVE-2025-6432</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6432</url> + <cvename>CVE-2025-6433</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6433</url> + <cvename>CVE-2025-6434</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6434</url> + <cvename>CVE-2025-6435</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6435</url> + <cvename>CVE-2025-6436</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6436</url> + </references> + <dates> + <discovery>2025-06-24</discovery> + <entry>2025-07-04</entry> + </dates> + </vuln> + + <vuln vid="9bad6f79-58cf-11f0-b4ad-b42e991fc52e"> + <topic>firefox -- multiple vulnerabilities</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>128.12.0,2</lt></range> + <range><lt>140.0,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1971140"> + <p>Firefox could have incorrectly parsed a URL and rewritten + it to the youtube.com domain when parsing the URL specified + in an `embed` tag. 
This could have bypassed website security + checks that restricted which domains users were allowed to + embed.</p> + <p>When a file download is specified via the + `Content-Disposition` header, that directive would be ignored + if the file was included via a `&lt;embed&gt;` or + `&lt;object&gt;` tag, potentially making a website + vulnerable to a cross-site scripting attack.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-6429</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6429</url> + <cvename>CVE-2025-6430</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6430</url> + </references> + <dates> + <discovery>2025-06-24</discovery> + <entry>2025-07-04</entry> + </dates> + </vuln> + + <vuln vid="9320590b-58cf-11f0-b4ad-b42e991fc52e"> + <topic>Mozilla -- persistent UUID that identifies browser</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>140.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>115.25.0</lt></range> + <range><lt>128.12</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>128.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@mozilla.org reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1717672"> + <p>An attacker who enumerated resources from the WebCompat extension + could have obtained a persistent UUID that identified the browser, + and persisted between containers and normal/private browsing mode, + but not profiles. 
This vulnerability affects Firefox < 140, + Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < + 140, and Thunderbird < 128.12.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-6425</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-6425</url> + </references> + <dates> + <discovery>2025-06-24</discovery> + <entry>2025-07-04</entry> + </dates> + </vuln> + <vuln vid="d607b12c-5821-11f0-ab92-f02f7497ecda"> <topic>php -- Multiple vulnerabilities</topic> <affects> |
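Review bot: Several `<package>` blocks in the new entries list two bare `<lt>` ranges for the same name (firefox `128.12.0,2` and `140.0,2` in the second entry; firefox-esr `115.25.0` and `128.12`, and thunderbird `140.0` and `128.12`, in the third), and since ranges are alternatives the smaller bound is swallowed by the larger one. As written, an already fixed thunderbird 128.12 or firefox-esr 115.25 would still be reported as vulnerable. The newer branch needs a lower bound, e.g. `<range><ge>LOWER_BOUND</ge><lt>140.0</lt></range>` (placeholder, to be set by the maintainer), and the `128.12.0,2` range in the second entry looks as if it belongs under `firefox-esr` rather than `firefox`. Separately, the third entry's description shows bare `<` characters ("Firefox < 140") while the second entry escapes them as `&lt;`; if the file really contains them unescaped it is not well-formed XML, so this should be checked with the port's validation target.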