Date: Tue, 17 Sep 2019 22:50:11 +0000 (UTC) From: Craig Leres <leres@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r512243 - head/security/vuxml Message-ID: <201909172250.x8HMoBH0099782@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: leres Date: Tue Sep 17 22:50:11 2019 New Revision: 512243 URL: https://svnweb.freebsd.org/changeset/ports/512243 Log: security/vuxml: Mark bro < 2.6.4 as vulnerable as per: https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS The issue is inproper data handling of data that is either either empty or unterminated, resulting in invalid memory access or heap buffer over-read. Approved by: matthew (mentor, implicit) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 17 22:06:29 2019 (r512242) +++ head/security/vuxml/vuln.xml Tue Sep 17 22:50:11 2019 (r512243) @@ -58,6 +58,40 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="55571619-454e-4769-b1e5-28354659e152"> + <topic>bro -- invalid memory access or heap buffer over-read</topic> + <affects> + <package> + <name>bro</name> + <range><lt>2.6.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Jon Siwek of Corelight reports:</p> + <blockquote cite="https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS">; + <p>This is a security patch release to address a potential + Denial of Service vulnerability:</p> + <ul> + <li> + The NTLM analyzer did not properly handle AV Pair sequences + that were either empty or unterminated, resulting in + invalid memory access or heap buffer over-read. The NTLM + analyzer is enabled by default and used in the analysis + of SMB, DCE/RPC, and GSSAPI protocols.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS</url>; + </references> + <dates> + <discovery>2019-08-28</discovery> + <entry>2019-09-17</entry> + </dates> + </vuln> + <vuln vid="c5bd8a25-99a6-11e9-a598-f079596b62f9"> <topic>expat2 -- Fix extraction of namespace prefixes from XML names</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201909172250.x8HMoBH0099782>