diff options
Diffstat (limited to 'security')
31 files changed, 311 insertions, 80 deletions
diff --git a/security/Makefile b/security/Makefile index e7e0723847d3..b0d61213a16f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -1113,6 +1113,7 @@ SUBDIR += qt-sudo SUBDIR += qtkeychain SUBDIR += quantis-kmod + SUBDIR += radamsa SUBDIR += rage-encryption SUBDIR += ratify SUBDIR += ratproxy diff --git a/security/fizz/Makefile b/security/fizz/Makefile index f87aff9814e8..394c49c4e445 100644 --- a/security/fizz/Makefile +++ b/security/fizz/Makefile @@ -1,6 +1,6 @@ PORTNAME= fizz DISTVERSIONPREFIX= v -DISTVERSION= 2025.11.10.00 +DISTVERSION= 2025.11.17.00 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/fizz/distinfo b/security/fizz/distinfo index cd7c2111385f..180810ffbb81 100644 --- a/security/fizz/distinfo +++ b/security/fizz/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1762937305 -SHA256 (facebookincubator-fizz-v2025.11.10.00_GH0.tar.gz) = ddfb59a15aac9b1091c5d7dfaaeba5690ae91d3e126194bc72d3bf7c5d7c27f7 -SIZE (facebookincubator-fizz-v2025.11.10.00_GH0.tar.gz) = 762135 +TIMESTAMP = 1763425426 +SHA256 (facebookincubator-fizz-v2025.11.17.00_GH0.tar.gz) = 5bbdb7131ffc6e0143964fda92bd5a5c86a6a07cfbd81672d8b1f69e70390b31 +SIZE (facebookincubator-fizz-v2025.11.17.00_GH0.tar.gz) = 764101 diff --git a/security/go-cve-dictionary/Makefile b/security/go-cve-dictionary/Makefile index dfc761802635..f8887295b62d 100644 --- a/security/go-cve-dictionary/Makefile +++ b/security/go-cve-dictionary/Makefile @@ -1,7 +1,6 @@ PORTNAME= go-cve-dictionary DISTVERSIONPREFIX=v -DISTVERSION= 0.11.0 -PORTREVISION= 10 +DISTVERSION= 0.14.0 CATEGORIES= security MAINTAINER= girgen@FreeBSD.org diff --git a/security/go-cve-dictionary/distinfo b/security/go-cve-dictionary/distinfo index 6418b261feb3..7955170c767e 100644 --- a/security/go-cve-dictionary/distinfo +++ b/security/go-cve-dictionary/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1727944145 -SHA256 (go/security_go-cve-dictionary/go-cve-dictionary-v0.11.0/v0.11.0.mod) = 219004d5befcf4c8021851d9f4ee96b6bd18be36fe899acd57637bff92cf49c0 -SIZE (go/security_go-cve-dictionary/go-cve-dictionary-v0.11.0/v0.11.0.mod) = 3436 -SHA256 (go/security_go-cve-dictionary/go-cve-dictionary-v0.11.0/v0.11.0.zip) = 46f1a8f6ebbbc5cec3e1e6bcc754ad657090bc3f0272b1f5e172268776d8f48f -SIZE (go/security_go-cve-dictionary/go-cve-dictionary-v0.11.0/v0.11.0.zip) = 369685 +TIMESTAMP = 1763314761 +SHA256 (go/security_go-cve-dictionary/go-cve-dictionary-v0.14.0/v0.14.0.mod) = ae2226a98d88dbf73d8ed137d9718097994394dc61037ec133658d8d4886c2e3 +SIZE (go/security_go-cve-dictionary/go-cve-dictionary-v0.14.0/v0.14.0.mod) = 3435 +SHA256 (go/security_go-cve-dictionary/go-cve-dictionary-v0.14.0/v0.14.0.zip) = 6b07e2c656dc71cc2907d99ca61cd666cf3b97db09cbb7c6bbc5f162c74f7ccd +SIZE (go/security_go-cve-dictionary/go-cve-dictionary-v0.14.0/v0.14.0.zip) = 131671 diff --git a/security/krb5-devel/Makefile b/security/krb5-devel/Makefile index 062309b55e51..9da27a0c8b3e 100644 --- a/security/krb5-devel/Makefile +++ b/security/krb5-devel/Makefile @@ -8,8 +8,8 @@ PKGNAME_X= -${FLAVOR:S/default//} .endif PKGNAMESUFFIX= ${PKGNAME_X:S/--/-/:C/-$//} -HASH= 3466589de -MIT_COMMIT_DATE= 2025.09.19 +HASH= 04816024a +MIT_COMMIT_DATE= 2025.11.11 PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 diff --git a/security/krb5-devel/distinfo b/security/krb5-devel/distinfo index 3dda3c4a799c..1a4048571649 100644 --- a/security/krb5-devel/distinfo +++ b/security/krb5-devel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1758739087 -SHA256 (krb5-krb5-1.22.2025.09.19-3466589de_GH0.tar.gz) = 5e8f38dad09f3f9e0e486a28f55048634f95dbc4e967e15eb7d6eda222572df9 -SIZE (krb5-krb5-1.22.2025.09.19-3466589de_GH0.tar.gz) = 4679007 +TIMESTAMP = 1763397234 +SHA256 (krb5-krb5-1.22.2025.11.11-04816024a_GH0.tar.gz) = d144d4d447399ab033c36ea3b3ec761196684370069b9e1592a121371bd82170 +SIZE (krb5-krb5-1.22.2025.11.11-04816024a_GH0.tar.gz) = 4679824 diff --git a/security/nmap-devel/Makefile b/security/nmap-devel/Makefile index 42a289f1eac8..7cc72de61ad3 100644 --- a/security/nmap-devel/Makefile +++ b/security/nmap-devel/Makefile @@ -27,8 +27,8 @@ EXTRACT_AFTER_ARGS= --exclude ${GH_PROJECT_DEFAULT}-${GH_TAGNAME_EXTRACT}/mswin3 --no-same-owner --no-same-permissions USE_GITHUB= yes -GH_TAGNAME= 20e25e960 -NMAP_COMMIT_DATE= 20250520 +GH_TAGNAME= a74125aef +NMAP_COMMIT_DATE= 20251101 GNU_CONFIGURE= yes CONFIGURE_ARGS=--without-localdirs \ diff --git a/security/nmap-devel/distinfo b/security/nmap-devel/distinfo index 507e5b1a0aeb..d6c6415becfa 100644 --- a/security/nmap-devel/distinfo +++ b/security/nmap-devel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1747801593 -SHA256 (nmap-nmap-7.95.20250520-20e25e960_GH0.tar.gz) = e4d4e971778a7238ae84a458ddb47cbd2402df36d8168e1b402352cd65c631cf -SIZE (nmap-nmap-7.95.20250520-20e25e960_GH0.tar.gz) = 16102182 +TIMESTAMP = 1763397793 +SHA256 (nmap-nmap-7.95.20251101-a74125aef_GH0.tar.gz) = a5bbdb5cadbb316012aa76672c6bab5c44f4585a66bf499be0c109a62a7c6391 +SIZE (nmap-nmap-7.95.20251101-a74125aef_GH0.tar.gz) = 15920785 diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile index 3f24ec986421..1fa17d217cc5 100644 --- a/security/openvpn-devel/Makefile +++ b/security/openvpn-devel/Makefile @@ -1,5 +1,5 @@ PORTNAME= openvpn -DISTVERSION= g20251031 +DISTVERSION= g20251117 PORTREVISION= 0 # leave in even if 0 to avoid accidental PORTEPOCH bumps PORTEPOCH= 1 CATEGORIES= security net net-vpn @@ -21,7 +21,7 @@ LIB_DEPENDS+= liblzo2.so:archivers/lzo2 USES= autoreconf cpe libtool pkgconfig python:build shebangfix tar:xz IGNORE_SSL= libressl libressl-devel USE_GITLAB= yes -GL_TAGNAME= 4281449ba4db2de57375aa7087ef5920aeba10de +GL_TAGNAME= d6ee27b4ff31e4469d699f3bfd7b9998ab167230 USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ diff --git a/security/openvpn-devel/distinfo b/security/openvpn-devel/distinfo index d9cc4a7e963d..6d2c15323da2 100644 --- a/security/openvpn-devel/distinfo +++ b/security/openvpn-devel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1761983634 -SHA256 (openvpn-openvpn-4281449ba4db2de57375aa7087ef5920aeba10de_GL0.tar.gz) = 2e50b77994c1e589f86d772bd5f4a5d2e2f999b614e268b73c4672153e3028ae -SIZE (openvpn-openvpn-4281449ba4db2de57375aa7087ef5920aeba10de_GL0.tar.gz) = 1343555 +TIMESTAMP = 1763394774 +SHA256 (openvpn-openvpn-d6ee27b4ff31e4469d699f3bfd7b9998ab167230_GL0.tar.gz) = 8f57323446853027ed6140521b8485aff100d5858877083059dfaed64ff92edb +SIZE (openvpn-openvpn-d6ee27b4ff31e4469d699f3bfd7b9998ab167230_GL0.tar.gz) = 1347484 diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 4a04c1934186..f9c5ec8bcb81 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,5 +1,5 @@ PORTNAME= openvpn -DISTVERSION= 2.6.15 +DISTVERSION= 2.6.16 PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index 514208b4bb7b..c4a4b27d919d 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1758657418 -SHA256 (openvpn-2.6.15.tar.gz) = e35513ee15995e3c71adfd8891b9f33522896c70b3baa2ed9a23c7a42c4d7bde -SIZE (openvpn-2.6.15.tar.gz) = 1917742 +TIMESTAMP = 1763303120 +SHA256 (openvpn-2.6.16.tar.gz) = 05cb5fdf1ea33fcba719580b31a97feaa019c4a3050563e88bc3b34675e6fed4 +SIZE (openvpn-2.6.16.tar.gz) = 1933428 diff --git a/security/opkssh/files/pkg-message.in b/security/opkssh/files/pkg-message.in index 4d0922d78ef0..49cc063a10ae 100644 --- a/security/opkssh/files/pkg-message.in +++ b/security/opkssh/files/pkg-message.in @@ -15,6 +15,8 @@ following permissions: chmod 640 %%PREFIX%%/etc/opk/auth_id chown root:%%GROUP%% %%PREFIX%%/etc/opk/providers chmod 640 %%PREFIX%%/etc/opk/providers + +Users attempting to use opkssh from jails, please add "allow.mlock" or it will not run. EOM } ] diff --git a/security/radamsa/Makefile b/security/radamsa/Makefile new file mode 100644 index 000000000000..ddbd52cfc379 --- /dev/null +++ b/security/radamsa/Makefile @@ -0,0 +1,33 @@ +PORTNAME= radamsa +PORTVERSION= 0.7 +DISTVERSIONPREFIX= v +CATEGORIES= security + +MAINTAINER= arrowd@FreeBSD.org +COMMENT= General purpose fuzzer + +LICENSE= MIT +LICENSE_FILE= ${WRKSRC}/LICENCE + +BUILD_DEPENDS= ol:lang/owl-lisp + +USE_GITLAB= yes +GL_ACCOUNT= akihe +GL_TUPLE= owl-lisp:hex:e95ebd38e4f7ef8e3d4e653f432e43ce0a804ca6:hex_dep/lib/hex + +ALL_TARGET= everything + +PLIST_FILES= bin/radamsa \ + share/man/man1/radamsa.1.gz + +post-extract: + ${MKDIR} ${WRKSRC}/bin + ${LN} -s ${LOCALBASE}/bin/ol ${WRKSRC}/bin/ol + +post-patch: + ${REINPLACE_CMD} -e 's|PREFIX=/usr|PREFIX=${PREFIX}|' ${WRKSRC}/Makefile + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/radamsa + +.include <bsd.port.mk> diff --git a/security/radamsa/distinfo b/security/radamsa/distinfo new file mode 100644 index 000000000000..f14d295b8eaf --- /dev/null +++ b/security/radamsa/distinfo @@ -0,0 +1,5 @@ +TIMESTAMP = 1763390628 +SHA256 (radamsa-v0.7.tar.bz2) = 6ead9c50c5e1da83d9f3b18e39a4a30adc0ec43c1061e178cd2e6d885cd71703 +SIZE (radamsa-v0.7.tar.bz2) = 49194 +SHA256 (owl-lisp-hex-e95ebd38e4f7ef8e3d4e653f432e43ce0a804ca6_GL0.tar.gz) = ee349b23a3426f46037174e78dd0dd3eb7f334da7f196f3a0d3279f9cba5879d +SIZE (owl-lisp-hex-e95ebd38e4f7ef8e3d4e653f432e43ce0a804ca6_GL0.tar.gz) = 1597 diff --git a/security/radamsa/pkg-descr b/security/radamsa/pkg-descr new file mode 100644 index 000000000000..03250b49855a --- /dev/null +++ b/security/radamsa/pkg-descr @@ -0,0 +1,4 @@ +Radamsa is a generic test case generator for robustness testing, aka a fuzzer. +It can be used to test how well a program can stand malformed and potentially +malicious inputs. It operates on given sample inputs and thus requires minimal +effort to set up. diff --git a/security/rkhunter/Makefile b/security/rkhunter/Makefile index cae399d7984a..cd7da12f552a 100644 --- a/security/rkhunter/Makefile +++ b/security/rkhunter/Makefile @@ -4,13 +4,16 @@ PORTREVISION= 3 CATEGORIES= security MASTER_SITES= SF -MAINTAINER= lukasz@wasikowski.net +MAINTAINER= ports@FreeBSD.org COMMENT= Rootkit detection tool WWW= https://rkhunter.sourceforge.net LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/files/LICENSE +DEPRECATED= Project abandoned in 2009 +EXPIRATION_DATE= 2025-12-31 + OPTIONS_DEFINE= LSOF NMAP DOCS OPTIONS_DEFAULT=LSOF diff --git a/security/rubygem-safety_net_attestation/Makefile b/security/rubygem-safety_net_attestation/Makefile index 72fca26ac950..1d817ba8c241 100644 --- a/security/rubygem-safety_net_attestation/Makefile +++ b/security/rubygem-safety_net_attestation/Makefile @@ -1,6 +1,5 @@ PORTNAME= safety_net_attestation -PORTVERSION= 0.4.0 -PORTREVISION= 1 +PORTVERSION= 0.5.0 CATEGORIES= security rubygems MASTER_SITES= RG @@ -10,7 +9,7 @@ WWW= https://github.com/bdewater/safety_net_attestation LICENSE= MIT -RUN_DEPENDS= rubygem-jwt2>=2.0<3:www/rubygem-jwt2 +RUN_DEPENDS= rubygem-jwt2>=2.0<4:www/rubygem-jwt2 USES= gem diff --git a/security/rubygem-safety_net_attestation/distinfo b/security/rubygem-safety_net_attestation/distinfo index 631b04aa5742..827b1f6a957f 100644 --- a/security/rubygem-safety_net_attestation/distinfo +++ b/security/rubygem-safety_net_attestation/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1600790365 -SHA256 (rubygem/safety_net_attestation-0.4.0.gem) = 96be2d74e7ed26453a51894913449bea0e072f44490021545ac2d1c38b0718ce -SIZE (rubygem/safety_net_attestation-0.4.0.gem) = 16896 +TIMESTAMP = 1763444971 +SHA256 (rubygem/safety_net_attestation-0.5.0.gem) = c8cd01dd550dbe8553862918af6355a04672db11d218ec96104ce3955293f2aa +SIZE (rubygem/safety_net_attestation-0.5.0.gem) = 17920 diff --git a/security/rubygem-webauthn/Makefile b/security/rubygem-webauthn/Makefile index b7801ff527e6..19c904016dee 100644 --- a/security/rubygem-webauthn/Makefile +++ b/security/rubygem-webauthn/Makefile @@ -1,5 +1,5 @@ PORTNAME= webauthn -PORTVERSION= 3.4.1 +PORTVERSION= 3.4.3 CATEGORIES= security rubygems MASTER_SITES= RG @@ -15,7 +15,7 @@ RUN_DEPENDS= rubygem-android_key_attestation>=0.3.0<0.4:security/rubygem-android rubygem-cbor>=0.5.9<0.6:devel/rubygem-cbor \ rubygem-cose>=1.1<2:security/rubygem-cose \ rubygem-openssl>=2.2:security/rubygem-openssl \ - rubygem-safety_net_attestation>=0.4.0<0.5:security/rubygem-safety_net_attestation \ + rubygem-safety_net_attestation>=0.5.0<0.6:security/rubygem-safety_net_attestation \ rubygem-tpm-key_attestation>=0.14.0<0.15:security/rubygem-tpm-key_attestation USES= gem diff --git a/security/rubygem-webauthn/distinfo b/security/rubygem-webauthn/distinfo index 418a36abaebf..2af5a754fbda 100644 --- a/security/rubygem-webauthn/distinfo +++ b/security/rubygem-webauthn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1752212088 -SHA256 (rubygem/webauthn-3.4.1.gem) = f7c6f69178dd35dcc90313bc0d9b6558002336451d0c19d641ef1280624ac3ea -SIZE (rubygem/webauthn-3.4.1.gem) = 42496 +TIMESTAMP = 1763444979 +SHA256 (rubygem/webauthn-3.4.3.gem) = 9be6f5f838f3405b0226e560aa40b67cc8c15ec9154509b997caa7ec9a05e1fc +SIZE (rubygem/webauthn-3.4.3.gem) = 44032 diff --git a/security/sudo-rs/Makefile b/security/sudo-rs/Makefile index b3434a3a4f1f..94aacf9f499e 100644 --- a/security/sudo-rs/Makefile +++ b/security/sudo-rs/Makefile @@ -1,7 +1,6 @@ PORTNAME= sudo-rs DISTVERSIONPREFIX= v -DISTVERSION= 0.2.8 -PORTREVISION= 3 +DISTVERSION= 0.2.10 CATEGORIES= security MAINTAINER= marc@trifectatech.org diff --git a/security/sudo-rs/Makefile.crates b/security/sudo-rs/Makefile.crates index 7f1984c2311d..c52921cef59a 100644 --- a/security/sudo-rs/Makefile.crates +++ b/security/sudo-rs/Makefile.crates @@ -1,6 +1,6 @@ CARGO_CRATES= diff-0.1.13 \ - glob-0.3.2 \ - libc-0.2.174 \ - log-0.4.27 \ + glob-0.3.3 \ + libc-0.2.177 \ + log-0.4.28 \ pretty_assertions-1.4.1 \ yansi-1.0.1 diff --git a/security/sudo-rs/distinfo b/security/sudo-rs/distinfo index 639594b21790..3da488e01e77 100644 --- a/security/sudo-rs/distinfo +++ b/security/sudo-rs/distinfo @@ -1,15 +1,15 @@ -TIMESTAMP = 1754301726 +TIMESTAMP = 1762849173 SHA256 (rust/crates/diff-0.1.13.crate) = 56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8 SIZE (rust/crates/diff-0.1.13.crate) = 46216 -SHA256 (rust/crates/glob-0.3.2.crate) = a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2 -SIZE (rust/crates/glob-0.3.2.crate) = 22359 -SHA256 (rust/crates/libc-0.2.174.crate) = 1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776 -SIZE (rust/crates/libc-0.2.174.crate) = 779933 -SHA256 (rust/crates/log-0.4.27.crate) = 13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94 -SIZE (rust/crates/log-0.4.27.crate) = 48120 +SHA256 (rust/crates/glob-0.3.3.crate) = 0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280 +SIZE (rust/crates/glob-0.3.3.crate) = 22861 +SHA256 (rust/crates/libc-0.2.177.crate) = 2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976 +SIZE (rust/crates/libc-0.2.177.crate) = 792045 +SHA256 (rust/crates/log-0.4.28.crate) = 34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432 +SIZE (rust/crates/log-0.4.28.crate) = 51131 SHA256 (rust/crates/pretty_assertions-1.4.1.crate) = 3ae130e2f271fbc2ac3a40fb1d07180839cdbbe443c7a27e1e3c13c5cac0116d SIZE (rust/crates/pretty_assertions-1.4.1.crate) = 78952 SHA256 (rust/crates/yansi-1.0.1.crate) = cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049 SIZE (rust/crates/yansi-1.0.1.crate) = 75497 -SHA256 (trifectatechfoundation-sudo-rs-v0.2.8_GH0.tar.gz) = 5b3823cc60abc5d90dbf0ae3a37d92445215e2697e6997c56148f5d0ac371ece -SIZE (trifectatechfoundation-sudo-rs-v0.2.8_GH0.tar.gz) = 751775 +SHA256 (trifectatechfoundation-sudo-rs-v0.2.10_GH0.tar.gz) = c0f65665145da9aebc664013c426bff4eb55a1eb893ed0416e65de312b4a71e9 +SIZE (trifectatechfoundation-sudo-rs-v0.2.10_GH0.tar.gz) = 1173064 diff --git a/security/trufflehog/Makefile b/security/trufflehog/Makefile index 304cb6cbddc1..3305fb4a1019 100644 --- a/security/trufflehog/Makefile +++ b/security/trufflehog/Makefile @@ -1,7 +1,6 @@ PORTNAME= trufflehog DISTVERSIONPREFIX= v -DISTVERSION= 3.90.13 -PORTREVISION= 1 +DISTVERSION= 3.91.0 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/trufflehog/distinfo b/security/trufflehog/distinfo index aef3ef0819ef..c038dfeac0f0 100644 --- a/security/trufflehog/distinfo +++ b/security/trufflehog/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1762415653 -SHA256 (go/security_trufflehog/trufflehog-v3.90.13/v3.90.13.mod) = 220571e195c158ac29505c7f7d296539660859f95ca9fb02f65f7144e5027434 -SIZE (go/security_trufflehog/trufflehog-v3.90.13/v3.90.13.mod) = 16174 -SHA256 (go/security_trufflehog/trufflehog-v3.90.13/v3.90.13.zip) = 5b3611c69b124fd1905ad540797496c255412a64bbb6398c69276aaac0dce9d4 -SIZE (go/security_trufflehog/trufflehog-v3.90.13/v3.90.13.zip) = 7448829 +TIMESTAMP = 1763258051 +SHA256 (go/security_trufflehog/trufflehog-v3.91.0/v3.91.0.mod) = 220571e195c158ac29505c7f7d296539660859f95ca9fb02f65f7144e5027434 +SIZE (go/security_trufflehog/trufflehog-v3.91.0/v3.91.0.mod) = 16174 +SHA256 (go/security_trufflehog/trufflehog-v3.91.0/v3.91.0.zip) = b40092109aa25663bb2ad2c6570c10748b21e992a73dfa4b40507c511afa5d51 +SIZE (go/security_trufflehog/trufflehog-v3.91.0/v3.91.0.zip) = 7461161 diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index bc7d08dd1172..08b7d8e93540 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,190 @@ + <vuln vid="1a46e84d-c406-11f0-b513-0da7be77c170"> + <topic>pkcs11-helper -- deserialize buffer overflow</topic> + <affects> + <package> + <name>pkcs11-helper</name> + <range><lt>1.31.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alon Bar-Lev reports:</p> + <blockquote cite="https://github.com/OpenSC/pkcs11-helper/releases/tag/pkcs11-helper-1.31.0"> + <p>util: fix deserialize buffer overflow. thanks to Aarnav Bos.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/OpenSC/pkcs11-helper/releases/tag/pkcs11-helper-1.31.0</url> + </references> + <dates> + <discovery>2025-11-10</discovery> + <entry>2025-11-17</entry> + </dates> + </vuln> + + <vuln vid="50a0c266-c3ff-11f0-b513-0da7be77c170"> + <topic>OpenVPN -- avoid buffer overread parsing routes or endpoints</topic> + <affects> + <package> + <name>openvpn-devel</name> + <range><lt>g20251117,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mikhail Khachaiants reports:</p> + <blockquote cite="https://github.com/OpenVPN/openvpn/commit/f1b851dae60eb1e277315dfe6265e3a58660b16a"> + <p>socket: reject mismatched address family in get_addr_generic.</p> + <p>Add a family check to prevent copying address data of the wrong type, + which could cause buffer over-read when parsing routes or endpoints.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12106</cvename> + <url>https://github.com/OpenVPN/openvpn/commit/f1b851dae60eb1e277315dfe6265e3a58660b16a</url> + </references> + <dates> + <discovery>2025-10-18</discovery> + <entry>2025-11-17</entry> + </dates> + </vuln> + + <vuln vid="17a40d76-c3fd-11f0-b513-0da7be77c170"> + <topic>OpenVPN -- HMAC verification on source IP address ineffective</topic> + <affects> + <package> + <name>openvpn</name> + <range><lt>2.6.16</lt></range> + </package> + <package> + <name>openvpn-devel</name> + <range><lt>g20251117,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Arne Schwabe reports:</p> + <blockquote cite="https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83"> + <p>Fix memcmp check for the hmac verification in the 3way handshake being inverted + This is a stupid mistake but causes all hmac cookies to be accepted, + thus breaking source IP address validation. As a consequence, TLS + sessions can be openend and state can be consumed in the server from + IP addresses that did not initiate an initial connection.</p> + <p>While at it, fix check to only allow [t-2;t] timeslots, disallowing + HMACs coming in from a future timeslot.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-13086</cvename> + <url>https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83</url> + </references> + <dates> + <discovery>2025-10-27</discovery> + <entry>2025-11-17</entry> + </dates> + </vuln> + + <vuln vid="fa433f05-c217-11f0-82ac-901b0edee044"> + <topic>py-pdfminer.six -- Arbitrary Code Execution in pdfminer.six via Crafted PDF Input</topic> + <affects> + <package> + <name>py310-pdfminer.six</name> + <name>py311-pdfminer.six</name> + <name>py312-pdfminer.six</name> + <name>py313-pdfminer.six</name> + <name>py313t-pdfminer.six</name> + <name>py314-pdfminer.six</name> + <range><lt>20251107</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Pieter Marsman reports:</p> + <blockquote cite="https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"> + <p>pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The CMapDB._load_data() function in pdfminer.six uses pickle.loads() to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the cmap/ directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in .pickle.gz. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-64512</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-64512</url> + </references> + <dates> + <discovery>2025-11-07</discovery> + <entry>2025-11-17</entry> + </dates> + </vuln> + + <vuln vid="bf6c9252-c2ec-11f0-8372-98b78501ef2a"> + <topic>sudo-rs -- Authenticating user not recorded properly in timestamp</topic> + <affects> + <package> + <name>sudo-rs</name> + <range><ge>0.2.5</ge><lt>0.2.10</lt></range> + </package> + <package> + <name>sudo-rs-coexist</name> + <range><ge>0.2.5</ge><lt>0.2.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Trifecta Tech Foundation reports:</p> + <blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q"> + <p>With Defaults targetpw (or Defaults rootpw) enabled, the password of the + target account (or root account) instead of the invoking user is used for authentication. + sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the + authenticated-as user's UID in the authentication timestamp. Any later sudo invocation + on the same terminal while the timestamp was still valid would use that timestamp, + potentially bypassing new authentication even if the policy would have required it.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-64517</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-64517</url> + </references> + <dates> + <discovery>2025-11-12</discovery> + <entry>2025-11-16</entry> + </dates> + </vuln> + + <vuln vid="c1ceaaea-c2e7-11f0-8372-98b78501ef2a"> + <topic>sudo-rs -- Partial password reveal when password timeout occurs</topic> + <affects> + <package> + <name>sudo-rs</name> + <range><ge>0.2.7</ge><lt>0.2.10</lt></range> + </package> + <package> + <name>sudo-rs-coexist</name> + <range><ge>0.2.7</ge><lt>0.2.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Trifecta Tech Foundation reports:</p> + <blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"> + <p>When typing partial passwords but not pressing return for a long time, + a password timeout can occur. When this happens, the keys pressed are + replayed onto the console.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-64170</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-64170</url> + </references> + <dates> + <discovery>2025-11-12</discovery> + <entry>2025-11-16</entry> + </dates> + </vuln> + <vuln vid="364e5fa4-c178-11f0-b614-b42e991fc52e"> <topic>PostgreSQL -- Multiple vulnerabilities</topic> <affects> diff --git a/security/wpa_supplicant-devel/Makefile b/security/wpa_supplicant-devel/Makefile index 537f5acf92a5..2d0be8a65644 100644 --- a/security/wpa_supplicant-devel/Makefile +++ b/security/wpa_supplicant-devel/Makefile @@ -1,6 +1,6 @@ PORTNAME= wpa_supplicant PORTVERSION= ${COMMIT_DATE} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net PKGNAMESUFFIX= -devel @@ -11,8 +11,8 @@ WWW= https://w1.fi/wpa_supplicant/ USE_GITHUB= yes GH_ACCOUNT= cschuber GH_PROJECT= hostap -GH_TAGNAME= 525bbfca3 -COMMIT_DATE= 2025.09.24 +GH_TAGNAME= 8990591d07 +COMMIT_DATE= 2025.11.07 LICENSE= BSD3CLAUSE LICENSE_FILE= ${WRKSRC}/README diff --git a/security/wpa_supplicant-devel/distinfo b/security/wpa_supplicant-devel/distinfo index 30838381c251..bd34d699411f 100644 --- a/security/wpa_supplicant-devel/distinfo +++ b/security/wpa_supplicant-devel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1758740542 -SHA256 (cschuber-hostap-2025.09.24-525bbfca3_GH0.tar.gz) = 143cd4ca7e0328b52f2bb6e220f73155b57d4633cf2042d8ca95e01b217cecc7 -SIZE (cschuber-hostap-2025.09.24-525bbfca3_GH0.tar.gz) = 5335084 +TIMESTAMP = 1763398774 +SHA256 (cschuber-hostap-2025.11.07-8990591d07_GH0.tar.gz) = 41e3b309f1ac69aa97ac51d868d5ae750c9b40309e89146a1b74e013197abfe6 +SIZE (cschuber-hostap-2025.11.07-8990591d07_GH0.tar.gz) = 5369906 diff --git a/security/wpa_supplicant-devel/files/patch-wpa__supplicant_main.c b/security/wpa_supplicant-devel/files/patch-wpa__supplicant_main.c index 3042768f44d9..7d4545ce9657 100644 --- a/security/wpa_supplicant-devel/files/patch-wpa__supplicant_main.c +++ b/security/wpa_supplicant-devel/files/patch-wpa__supplicant_main.c @@ -1,6 +1,6 @@ ---- wpa_supplicant/main.c.orig 2016-11-05 20:56:30 UTC -+++ wpa_supplicant/main.c -@@ -66,7 +66,7 @@ static void usage(void) +--- wpa_supplicant/main.c.orig 2025-11-07 07:33:18.000000000 -0800 ++++ wpa_supplicant/main.c 2025-11-17 09:07:02.682216000 -0800 +@@ -67,7 +67,7 @@ " -c = Configuration file\n" " -C = ctrl_interface parameter (only used if -c is not)\n" " -d = increase debugging verbosity (-dd even more)\n" @@ -9,17 +9,17 @@ " -e = entropy file\n" #ifdef CONFIG_DEBUG_FILE " -f = log output to debug file instead of stdout\n" -@@ -105,8 +105,7 @@ static void usage(void) - " -W = wait for a control interface monitor before starting\n"); +@@ -107,8 +107,7 @@ + " -y = show configuration parsing details in debug log\n"); printf("example:\n" - " wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n", - wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211"); -+ " wpa_supplicant -Dbsd -iwlan0 -c/etc/wpa_supplicant.conf\n"); - #endif /* CONFIG_NO_STDOUT_DEBUG */ - } - -@@ -199,6 +198,11 @@ int main(int argc, char *argv[]) ++ " wpa_supplicant -Dbsd -iwlan0 -c/etc/wpa_supplicant.conf\n"); + printf("\nIf run without specifying a network interface or control interface, the a\n" + "configuration file is parsed without starting any operation.\n" + "This can be used to check whether a configuration file has valid contents.\n"); +@@ -204,6 +203,11 @@ wpa_supplicant_fd_workaround(1); @@ -30,4 +30,4 @@ + for (;;) { c = getopt(argc, argv, - "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW"); + "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvWy"); |