From owner-cvs-all@FreeBSD.ORG  Sat Dec 12 11:02:45 2009
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 80ACB106566B;
	Sat, 12 Dec 2009 11:02:45 +0000 (UTC) (envelope-from miwi@bsdcrew.de)
Received: from bsdcrew.de (duro.unixfreunde.de [85.214.90.4])
	by mx1.freebsd.org (Postfix) with ESMTP id 049818FC13;
	Sat, 12 Dec 2009 11:02:44 +0000 (UTC)
Received: by bsdcrew.de (Postfix, from userid 1001)
	id 477ED4AF8C; Sat, 12 Dec 2009 12:02:43 +0100 (CET)
Date: Sat, 12 Dec 2009 12:02:43 +0100
From: Martin Wilke <miwi@FreeBSD.org>
To: Wen Heping <wen@FreeBSD.org>
Message-ID: <20091212110243.GB93166@bsdcrew.de>
References: <200912121058.nBCAwx7F068788@repoman.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <200912121058.nBCAwx7F068788@repoman.freebsd.org>
User-Agent: Mutt/1.5.19 (2009-01-05)
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the entire tree
	<cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 11:02:45 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This entry is wrong,

>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/miwi/dev/ports/security/vu=
xml/vuln.xml
/usr/home/miwi/dev/ports/security/vuxml/vuln.xml:51435: parser error : Prem=
ature end of data in tag vuxml line 37

^
>>> FAILED.
*** Error code 1

Please ask for review in next time.

- - Martin

On Sat, Dec 12, 2009 at 10:58:59AM +0000, Wen Heping wrote:
> wen         2009-12-12 10:58:59 UTC
>=20
>   FreeBSD ports repository
>=20
>   Modified files:
>     security/vuxml       vuln.xml=20
>   Log:
>   - Document pligg -- Cross-Site Scripting and Cross-Site Request Forgery
>  =20
>   Revision  Changes    Path
>   1.2083    +41 -1     ports/security/vuxml/vuln.xml
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=3D1.2082&=
r2=3D1.2083
> | --- ports/security/vuxml/vuln.xml	2009/12/11 15:27:17	1.2082
> | +++ ports/security/vuxml/vuln.xml	2009/12/12 10:58:58	1.2083
> | @@ -28,13 +28,53 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O
> |  OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
> |  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> | =20
> | -  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.x=
ml,v 1.2082 2009/12/11 15:27:17 miwi Exp $
> | +  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.x=
ml,v 1.2083 2009/12/12 10:58:58 wen Exp $
> | =20
> |  Note:  Please add new entries to the beginning of this file.
> | =20
> |  -->
> | =20
> |  <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">
> | +  <vuln vid=3D"bec38383-e6cb-11de-bdd4-000c2930e89b">
> | +    <topic>pligg -- Cross-Site Scripting and Cross-Site Request Forger=
y</topic>
> | +    <affects>
> | +      <package>
> | +        <name>pligg</name>
> | +        <range><lt>1.0.3b</lt></range>
> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns=3D"http://www.w3.org/1999/xhtml">
> | +        <p>secunia reports:</p>
> | +        <blockquote cite=3D"http://secunia.com/advisories/37349">
> | +          <p>Russ McRee has discovered some vulnerabilities in Pligg, =
which can
> | +            be exploited by malicious people to conduct cross-site scr=
ipting and
> | +            request forgery attacks.</p>
> | +          <p>Input passed via the "Referer" HTTP header to various scr=
ipts (e.g.
> | +            admin/admin_config.php, admin/admin_modules.php, delete.ph=
p, editlink.php,
> | +            submit.php, submit_groups.php, user_add_remove_links.php, =
and
> | +            user_settings.php) is not properly sanitised before being =
returned to
> | +            the user. This can be exploited to execute arbitrary HTML =
and script
> | +            code in a user's browser session in context of an affected=
 site.</p>
> | +          <p>The application allows users to perform certain actions v=
ia HTTP
> | +            requests without performing any validity checks to verify =
the requests.
> | +            This can be exploited to e.g. create an arbitrary user wit=
h administrative
> | +            privileges if a logged-in administrative user visits a mal=
icious web
> | +            site.</p>
> | +        </blockquote>
> | +      </body>
> | +    </description>
> | +    <references>
> | +      <url>http://secunia.com/advisories/37349/</url>
> | +      <url>http://www.pligg.com/blog/775/pligg-cms-1-0-3-release/</url>
> | +    </references>
> | +    <dates>
> | +      <discovery>2009-12-02</discovery>
> | +      <entry>2009-12-12</entry>
> | +    </dates>
> | +  </vuln>
> | +
> | +<vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">
> |    <vuln vid=3D"fcbf56dd-e667-11de-920a-00248c9b4be7">
> |      <topic>piwik -- php code execution</topic>
> |      <affects>
>=20

- --=20

+-----------------------+-------------------------------+
|  PGP    : 0xB1E6FCE9  |  Jabber : miwi(at)BSDCrew.de  |
|  Skype  : splash_111  |  Mail   : miwi(at)FreeBSD.org |
+-----------------------+-------------------------------+
|	Mess with the Best, Die like the Rest!		|
+-----------------------+-------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAksjeFIACgkQdLJIhLHm/OmenwCglMgug515F5bSMgia4Z0swuQp
Y4IAn3zIIu3xOxFMr/TLAkU5Ul7TqlXp
=3DPek7
-----END PGP SIGNATURE-----