Date: Sat, 26 Jan 2019 09:49:39 +0000 (UTC)
From: Kubilay Kocak <koobs@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r491255 - head/security/vuxml
Message-ID: <201901260949.x0Q9ndQu025301@repo.freebsd.org>
Author: koobs Date: Sat Jan 26 09:49:38 2019 New Revision: 491255 URL: https://svnweb.freebsd.org/changeset/ports/491255 Log: security/vuxml: Add libzmq4 -- Remote Code Execution Vulnerability PR: 230575 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Jan 26 09:22:53 2019 (r491254) +++ head/security/vuxml/vuln.xml Sat Jan 26 09:49:38 2019 (r491255) 
@@ -58,6 +58,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="8e48365a-214d-11e9-9f8a-0050562a4d7b"> + <topic>libzmq4 -- Remote Code Execution Vulnerability</topic> + <affects> + <package> + <name>libzmq4</name> + <range><ge>4.2.0</ge><lt>4.3.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.1"> + <p>A vulnerability has been found that would allow attackers to direct a peer to + jump to and execute from an address indicated by the attacker. + This issue has been present since v4.2.0. Older releases are not affected. + + NOTE: The attacker needs to know in advance valid addresses in the peer's + memory to jump to, so measures like ASLR are effective mitigations. + + NOTE: this attack can only take place after authentication, so peers behind + CURVE/GSSAPI are not vulnerable to unauthenticated attackers.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-6250</cvename> + <url>https://github.com/zeromq/libzmq/issues/3351</url> + <url>https://github.com/zeromq/libzmq/pull/3353</url> + <url>https://nvd.nist.gov/vuln/detail/CVE-2019-6250</url> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250</url> + </references> + <dates> + <discovery>2019-01-08</discovery> + <entry>2019-01-26</entry> + </dates> + </vuln> + <vuln vid="eb888ce5-1f19-11e9-be05-4c72b94353b5"> <topic>Apache -- vulnerability</topic> <affects>
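Review bot: the `<affects>` block names only `libzmq4`, while the comment in the context just above this entry says not to forget port variants; please confirm that no other port or variant packages libzmq in the 4.2.0 up to (not including) 4.3.1 range, and add a `<package>` entry for any that does, so the entry matches every affected install. Separately, the quoted advisory text sits in a single `<p>` with the two NOTE paragraphs set off only by blank lines, which XHTML rendering collapses into one run of text; splitting it into three `<p>` elements inside the `<blockquote>` would keep the ASLR and CURVE/GSSAPI notes readable as distinct mitigations.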