From owner-svn-ports-all@freebsd.org  Mon Jul 13 20:46:05 2015
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 622B299CB9D;
 Mon, 13 Jul 2015 20:46:05 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 462631614;
 Mon, 13 Jul 2015 20:46:05 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6DKk5hR062948;
 Mon, 13 Jul 2015 20:46:05 GMT (envelope-from feld@FreeBSD.org)
Received: (from feld@localhost)
 by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6DKk4ak062946;
 Mon, 13 Jul 2015 20:46:04 GMT (envelope-from feld@FreeBSD.org)
Message-Id: <201507132046.t6DKk4ak062946@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: feld set sender to
 feld@FreeBSD.org using -f
From: Mark Felder <feld@FreeBSD.org>
Date: Mon, 13 Jul 2015 20:46:04 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r391952 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 20:46:05 -0000

Author: feld
Date: Mon Jul 13 20:46:04 2015
New Revision: 391952
URL: https://svnweb.freebsd.org/changeset/ports/391952

Log:
  Document CVE-2015-3152 "BACKRONYM" vulnerability
  
  PHP resolved in recent releases
  MySQL has fixed in 5.7 branch and did not backport to older branches
  MariaDB resolved in 5.5.44 and 10.0.20
  Percona has not included a fix in any release (5.1, 5.5, or 5.6)
  
  Security:	CVE-2015-3152

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Jul 13 20:27:49 2015	(r391951)
+++ head/security/vuxml/vuln.xml	Mon Jul 13 20:46:04 2015	(r391952)
@@ -58,6 +58,67 @@ Notes:
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="36bd352d-299b-11e5-86ff-14dae9d210b8">
+    <topic>mysql -- SSL Downgrade</topic>
+    <affects>
+      <package>
+	<name>php56-mysql</name>
+	<name>php56-mysqli</name>
+	<range><lt>5.6.11</lt></range>
+      </package>
+      <package>
+	<name>php55-mysql</name>
+	<name>php55-mysqli</name>
+	<range><lt>5.5.27</lt></range>
+      </package>
+      <package>
+	<name>php54-mysql</name>
+	<name>php54-mysqli</name>
+	<range><lt>5.4.43</lt></range>
+      </package>
+      <package>
+	<name>mariadb-server</name>
+	<name>mysql51-server</name>
+	<name>mysql55-server</name>
+	<name>mysql56-server</name>
+	<name>percona55-server</name>
+	<name>percona56-server</name>
+	<range><ge>0</ge></range>
+      </package>
+      <package>
+	<name>mariadb55</name>
+	<range><lt>5.5.44</lt></range>
+      </package>
+      <package>
+	<name>mariadb10</name>
+	<range><lt>10.0.20</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Duo Security reports:</p>
+	<blockquote cite="INSERT URL HERE">
+	  <p>Researchers have identified a serious vulnerability in some
+	    versions of Oracle’s MySQL database product that allows an attacker to
+	    strip SSL/TLS connections of their security wrapping transparently.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://bugs.php.net/bug.php?id=69669</url>
+      <url>https://www.duosecurity.com/blog/backronym-mysql-vulnerability</url>
+      <url>http://www.ocert.org/advisories/ocert-2015-003.html</url>
+      <url>https://mariadb.atlassian.net/browse/MDEV-7937</url>
+      <url>https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/</url>
+      <url>https://mariadb.com/kb/en/mariadb/mariadb-5544-changelog/</url>
+      <cvename>CVE-2015-3152</cvename>
+    </references>
+    <dates>
+      <discovery>2015-03-20</discovery>
+      <entry>2015-07-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="81326883-2905-11e5-a4a5-002590263bf5">
     <topic>devel/ipython -- CSRF possible remote execution vulnerability</topic>
     <affects>