From luke at foolishgames.com Sat Mar 30 10:15:12 2024
From: luke at foolishgames.com (Lucas Holt)
Date: Sat, 30 Mar 2024 10:15:12 -0400
Subject: [Midnightbsd-users] xz vulnerabilities
Message-ID: <1592b5c2-7081-46d4-82cd-46a72152f4c8@foolishgames.com>

There is an xz vulnerability in 5.6.0 and 5.6.1 that was caused by a malicious payload added via a commit.

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

At this time, I am unaware of anything in libarchive that is considered dangerous as mentioned on that website.

MidnightBSD does not use the affected versions of xz in base. We have 5.2.9 right now.

--
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)

From luke at foolishgames.com Sat Mar 30 10:16:27 2024
From: luke at foolishgames.com (Lucas Holt)
Date: Sat, 30 Mar 2024 10:16:27 -0400
Subject: [Midnightbsd-users] unbound CVEs
Message-ID: <1e5d3a53-1294-4162-a2df-72a19f971033@foolishgames.com>

There are two security vulnerabilities in the base system unbound. We've updated unbound to 1.19.1 in 3.2 CURRENT and 1.19.3 in mports.

We have not patched the 3.1 stable branch yet. That is running 1.17.x unbound and it's recommended not to use that version in base at all and stick to mports versions for now.

--
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)

From luke at foolishgames.com Sat Mar 30 16:03:46 2024
From: luke at foolishgames.com (Lucas Holt)
Date: Sat, 30 Mar 2024 16:03:46 -0400
Subject: [Midnightbsd-users] mport 2.6.2
Message-ID: <56acbd71-1d82-4365-9c0f-7aeb280847ac@foolishgames.com>

We just released mport 2.6.2; it fixes two bugs with mport list and mport list updates that would cause no output to display.

This has been imported into current and stable/3.1 branches.

--
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)

From luke at foolishgames.com Sun Mar 31 17:53:54 2024
From: luke at foolishgames.com (Lucas Holt)
Date: Sun, 31 Mar 2024 17:53:54 -0400
Subject: [Midnightbsd-users] xz update / unbound
Message-ID: <35d89181-8369-4efe-ae35-fc17db169753@foolishgames.com>

I've just updated lzma / xz to 2.4.5. It's much newer than 2.2.9 that we used previously, but below the recent vulnerable versions in 3.2 current.

I've also updated unbound to 1.19.3 in current. (from 1.19.1)

--
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)