notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
Want a good monitor light? See my photosAll times are UTC
This referral link gives you 10% off a account and gives me a discount on my Fastmail account.

Get notified when packages are built

A new feature has been added. FreshPorts already tracks package built by the FreeBSD project. This information is displayed on each port page. You can now get an email when FreshPorts notices a new package is available for something on one of your watch lists. However, you must opt into that. Click on Report Subscriptions on the right, and New Package Notification box, and click on Update.

Finally, under Watch Lists, click on ABI Package Subscriptions to select your ABI (e.g. FreeBSD:14:amd64) & package set (latest/quarterly) combination for a given watch list. This is what FreshPorts will look for.

non port: security/bro/distinfo

Number of commits found: 25

Tuesday, 17 Sep 2019
23:13 leres search for other commits by this committer
security/bro: Update to 2.6.4 and address a potential Denial of
Service vulnerability:

 - The NTLM analyzer did not properly handle AV Pair sequences that
   were either empty or unterminated, resulting in invalid memory
   access or heap buffer over-read.  The NTLM analyzer is enabled
   by default and used in the analysis of SMB, DCE/RPC, and GSSAPI

Approved by:	ler (mentor, implicit)
MFH:		2019Q3
Security:	55571619-454e-4769-b1e5-28354659e152
Original commitRevision:512245 
Friday, 9 Aug 2019
16:59 leres search for other commits by this committer
security/bro: Update to 2.6.3 and address potential denial of service

 - Null pointer dereference in the RPC analysis code. RPC analyzers
   (e.g. MOUNT or NFS) are not enabled in the default configuration.

 - Signed integer overflow in BinPAC-generated parser code.  The
   result of this is Undefined Behavior with respect to the array
   bounds checking conditions that BinPAC generates, so it's
   unpredictable what an optimizing compiler may actually do under
   the assumption that signed integer overlows should never happen.
   The specific symptom which lead to finding this issue was with
   the PE analyzer causing out-of-memory crashes due to large
   allocations that were otherwise prevented when the array bounds
   checking logic was changed to prevent any possible signed integer

Approved by:	matthew (mentor, implicit)
MFH:		2019Q3
Security:	f56669f5-d799-4ff5-9174-64a6d571c451
Original commitRevision:508458 
Friday, 31 May 2019
19:23 leres search for other commits by this committer
security/bro: Update to 2.6.2 and address several denial of service

 - Integer type mismatches in BinPAC-generated parser code and Bro
   analyzer code may allow for crafted packet data to cause
   unintentional code paths in the analysis logic to be taken due
   to unsafe integer conversions causing the parser and analysis
   logic to each expect different fields to have been parsed.  One
   such example, reported by Maksim Shudrak, causes the Kerberos
   analyzer to dereference a null pointer.  CVE-2019-12175 was
   assigned for this issue.

 - The Kerberos parser allows for several fields to be left
   uninitialized, but they were not marked with an &optional attribute
   and several usages lacked existence checks.  Crafted packet data
   could potentially cause an attempt to access such uninitialized
   fields, generate a runtime error/exception, and leak memory.
   Existence checks and &optional attributes have been added to the
   relevent Kerberos fields.

 - BinPAC-generated protocol parsers commonly contain fields whose
   length is derived from other packet input, and for those that
   allow for incremental parsing, BinPAC did not impose a limit on
   how large such a field could grow, allowing for remotely-controlled
   packet data to cause growth of BinPAC's flowbuffer bounded only
   by the numeric limit of an unsigned 64-bit integer, leading to
   memory exhaustion.  There is now a generalized limit for how
   large flowbuffers are allowed to grow, tunable by setting

Approved by:	ler (mentor, implicit)
MFH:		2019Q2
Security:	177fa455-48fc-4ded-ba1b-9975caa7f62a
Original commitRevision:503191 
Thursday, 20 Dec 2018
01:25 leres search for other commits by this committer
Update to 2.6.1:

 - Update the embedded SQLite library from 3.18.0 to 3.26.0 to
   address a remote code execution vulnerability ("Magellan").

 - Uses a bundled version of the actor-framework (caf) library so
   we can remove the port-local build for caf.

Replace absolute symlink with a relative one.

Approved by:	ler (mentor, implicit)
MFH:		2018Q4
Security:	b80f039d-579e-4b82-95ad-b534a709f220
Original commitRevision:487823 
Thursday, 30 Aug 2018
00:13 leres search for other commits by this committer
Update to 2.5.5 which addresses security issues:

    - Fix array bounds checking in BinPAC: for arrays that are
      fields within a record, the bounds check was based on a pointer
      to the start of the record rather than the start of the array
      field, potentially resulting in a buffer over-read.

    - Fix SMTP command string comparisons: the number of bytes
      compared was based on the user-supplied string length and can
      lead to incorrect matches. e.g. giving a command of "X"
      incorrectly matched "X-ANONYMOUSTLS" (and an empty commands
      match anything).

    - Weird" events are now generally suppressed/sampled by default
      according to some tunable parameters.

    - Improved handling of empty lines in several text protocol
      analyzers that can cause performance issues when seen in long

    - Add `smtp_excessive_pending_cmds' weird which serves as a
      notification for when the "pending command" queue has reached
      an upper limit and been cleared to prevent one from attempting
      to slowly exhaust memory.

Approved by: ler (mentor, implicit)
MFH: 2018Q3
Security: d0be41fe-2a20-4633-b057-4e8b25c41780
Original commitRevision:478427 
Friday, 8 Jun 2018
16:40 leres search for other commits by this committer
Update to 2.5.4 which fixes multiple memory allocation issues:

 - Multiple fixes and improvements to BinPAC generated code
   related to array parsing, with potential impact to all Bro's
   BinPAC-generated analyzers in the form of buffer over-reads
   or other invalid memory accesses depending on whether a
   particular analyzer incorrectly assumed that the
   evaulated-array-length expression is actually the number of
   elements that were parsed out from the input.

 - The NCP analyzer (not enabled by default and also updated
   to actually work with newer Bro APIs in the release) performed
   a memory allocation based directly on a field in the input
   packet and using signed integer storage. This could result
   in a signed integer overflow and memory allocations of
   negative or very large size, leading to a crash or memory
   exhaustion. The new NCP::max_frame_size tuning option now
   limits the maximum amount of memory that can be allocated.

Other fixes:

 - A memory leak in the SMBv1 analyzer.

 - The MySQL analyzer was generally not working as intended,
   for example, it now is able to parse responses that contain
   multiple results/rows.

Add gettext-runtime to USES to address a poudriere testport

Reviewed by:	matthew (mentor)
Approved by:	matthew (mentor)
MFH:		2018Q2
Security:	2f4fd3aa-32f8-4116-92f2-68f05398348e
Differential Revision:
Original commitRevision:472014 
Tuesday, 20 Feb 2018
22:29 leres search for other commits by this committer
Update to 2.5.3 which fixes an integer overflow:

Note that a CVE has not been assigned yet.

Reviewed by:	matthew (mentor)
Approved by:	matthew (mentor)
MFH:		2018Q1
Differential Revision:
Original commitRevision:462460 
Monday, 19 Feb 2018
22:04 leres search for other commits by this committer
Add a NETMAP option to build and install the bro netmap plugin.

PR: 224918
Reported by: Shane Peters
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision:
Original commitRevision:462351 
Sunday, 22 Oct 2017
00:00 leres search for other commits by this committer
Update to 2.5.2. Changes since 2.5.1:

 - Patch OOB write in content-line analyzer:

     A combination of packets can trigger an out of bound write of
     '0' byte in the content-line analyzer.

Reviewed by:	ler (mentor)
Approved by:	ler (mentor)
Differential Revision:
Original commitRevision:452618 
Monday, 21 Aug 2017
02:12 swills search for other commits by this committer
security/bro: Update to 2.5.1

Also, unbreak build with BROKER, add rc.d script

PR:		217656
Submitted by: (maintainer)
Original commitRevision:448446 
Friday, 23 Oct 2015
19:04 riggs search for other commits by this committer
Update to upstream version 2.4.1, add BROKER OPTION

PR:		203849
Submitted by: (maintainer)
Original commitRevision:400050 
Monday, 2 Feb 2015
22:25 pi search for other commits by this committer
security/bro, security/broccoli: 2.3 -> 2.3.2

This updates bro and broccoli from 2.3 and 2.3.2, which is a security

Changes to the bro port:
- Rework openssl option logic
- Remove obsolete
- pkgng related changes

Changes to the broccoli port:
- Remove unused DOCS option
- Enable PYTHON by default
- pkgng related changes
- Minor portlint changes

Changes in 2.3.2:
- DNP3: fix reachable assertion and buffer over-read/overflow.
  CVE number pending. (Travis Emmert, Jon Siwek)
- Update binpac: Fix potential out-of-bounds memory reads in
  generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
  - Yahoo Paranoids, Jon Siwek)
- BIT-1234: Fix build on systems that already have ntohll/htonll.
  (Jon Siwek)
- BIT-1291: Delete prebuilt python bytecode files from git.  (Jon Siwek)
- Adding call to new binpac::init() function. (Robin Sommer)

Changes in 2.3.1:
- Fix a reference counting bug in ListVal ctor. (Jon Siwek)
- Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)
- Change EDNS parsing code to use rdlength more cautiously.  (Jon Siwek)
- Fix null pointer dereference in OCSP verification code in
  case no certificate is sent as part as the ocsp reply. Addresses
  BIT-1212.  (Johanna Amann)
- Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)
- Make links in documentation templates protocol relative. (Johanna Amann)

PR:		197107
Submitted by:	Craig Leres <> (maintainer)
Reviewed by:	koobs
Original commitRevision:378333 
Sunday, 10 Aug 2014
21:51 cs search for other commits by this committer
Update to 2.3

PR:		192105
Submitted by: (maintainer)
Original commitRevision:364576 
Friday, 22 Nov 2013
15:02 jadawin search for other commits by this committer
- Update to 2.2
- Support STAGE

PR:		ports/183940
Submitted by:	maintainer
Original commitRevision:334597 
Monday, 3 Dec 2012
05:20 kevlo search for other commits by this committer
Update to 2.1.

Feature safe:	yes

PR:	ports/174016
Submitted by:	Paul Schmehl <pauls at utdallas dot edu>
Original commitRevision:308122 
Wednesday, 12 Sep 2012
08:09 kevlo search for other commits by this committer
Update to 2.0; with some help from rm@

PR:	ports/169690
Submitted by:	Paul Dokas <paul at dokas dot name>
Original commitRevision:304137 
Saturday, 11 Feb 2012
22:27 pgollucci search for other commits by this committer
- Update to 1.5.3
- Remove < 7.0

PR:             ports/160897
Submitted by:   Dikshie <>
Approved by:    maintainer timeout (kevlo ; 141 days)
Original commit
Sunday, 3 Jul 2011
14:03 ohauer search for other commits by this committer
-remove MD5
Original commit
Friday, 15 Oct 2010
06:42 kevlo search for other commits by this committer
Update to 1.5.1

PR:     ports/150987
Submitted by:   dikshie <dikshie at sfc dot wide dot ad dot jp>
Original commit
Thursday, 18 Dec 2008
06:43 kevlo search for other commits by this committer
- Update to 1.4
- Take maintainership

PR: ports/129715
Submitted by: kevlo
Original commit
Monday, 10 Sep 2007
13:28 edwin search for other commits by this committer
security/bro, port upgrade to version 1.2.1, take over maintainership

        This is an upgrade of the security/bro port to the current
        stable version.  The port is very complex, so it needs to
        be tested carefully to make sure that I'm not screwing
        anything up or using wrong conventions. Also, I'm willing
        to take over maintainership of the port if it's accepted
        into the tree.

        Please note, there are several files that need to be removed
        from the port and quite a few that need to be added. All
        these files are in FILESDIR.  I have provided blank patches
        for the files that need to be removed, so the patches will
        create blank files.

Added IS_INTERACTIVE to the port
Left original freebsd header comments in it.
Next time please use one big patch-file instead of lots of little ones :-)

PR:             ports/114999
Submitted by:   Paul Schmehl <>
Original commit
Friday, 25 Nov 2005
18:01 pav search for other commits by this committer
- Add SHA256
Original commit
Thursday, 29 Jan 2004
16:13 trevor search for other commits by this committer
Original commit
Tuesday, 4 Nov 2003
16:00 osa search for other commits by this committer
Fix broken (checksum mismatch) by change suffix of distro
from "-current" to "a37".

No changes for MD5.
Original commit
Tuesday, 14 Oct 2003
14:50 osa search for other commits by this committer
Update to 0.8, fix RESTRICTED.
Original commit

Number of commits found: 25