Date:      Wed, 1 Jun 2016 22:54:14 +0000 (UTC)
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r416262 - branches/2016Q2/security/vuxml
Message-ID:  <201606012254.u51MsEat075363@repo.freebsd.org>

Author: zi
Date: Wed Jun  1 22:54:14 2016
New Revision: 416262
URL: https://svnweb.freebsd.org/changeset/ports/416262

Log:
  MFH: r416260
  
  - Get vuln.xml in sync with head
  
  Approved by:	ports-secteam (me)

Modified:
  branches/2016Q2/security/vuxml/vuln.xml
Directory Properties:
  branches/2016Q2/   (props changed)

Modified: branches/2016Q2/security/vuxml/vuln.xml
==============================================================================
--- branches/2016Q2/security/vuxml/vuln.xml	Wed Jun  1 22:50:28 2016	(r416261)
+++ branches/2016Q2/security/vuxml/vuln.xml	Wed Jun  1 22:54:14 2016	(r416262)
@@ -58,6 +58,2391 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5">
+    <topic>h2o -- use after free on premature connection close</topic>
+    <affects>
+      <package>
+	<name>h2o</name>
+	<range><lt>1.7.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Tim Newsha reports:</p>
+	<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">;
+	  <p>When H2O tries to disconnect a premature HTTP/2 connection, it
+	    calls free(3) to release memory allocated for the connection and
+	    immediately after then touches the memory. No malloc-related
+	    operation is performed by the same thread between the time it calls
+	    free and the time the memory is touched. Fixed by Frederik
+	    Deweerdt.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://h2o.examp1e.net/vulnerabilities.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-17</discovery>
+      <entry>2016-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b">
+    <topic>nginx -- a specially crafted request might result in worker process crash</topic>
+    <affects>
+      <package>
+	<name>nginx</name>
+	<range><ge>1.4.0</ge><lt>1.10.1</lt></range>
+      </package>
+      <package>
+	<name>nginx-devel</name>
+	<range><ge>1.3.9</ge><lt>1.11.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Maxim Dounin reports:</p>
+	<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html">;
+	  <p>A problem was identified in nginx code responsible for saving
+	    client request body to a temporary file.  A specially crafted
+	    request might result in worker process crash due to a NULL
+	    pointer dereference while writing client request body to a
+	    temporary file.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url>;
+      <cvename>CVE-2016-4450</cvename>
+    </references>
+    <dates>
+      <discovery>2016-05-31</discovery>
+      <entry>2016-05-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6167b341-250c-11e6-a6fb-003048f2e514">
+    <topic>cacti -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>cacti</name>
+	<range><lt>0.8.8h</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The Cacti Group, Inc. reports:</p>
+	<blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php">;
+	  <p>Changelog</p>
+	  <ul>
+	    <li>bug:0002667: Cacti SQL Injection Vulnerability</li>
+	    <li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection
+	     Vulnerability</li>
+	    <li>bug:0002656: Authentication using web authentication as a user
+	     not in the cacti database allows complete access (regression)</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3659</cvename>
+      <url>http://www.cacti.net/release_notes_0_8_8h.php</url>;
+      <url>http://bugs.cacti.net/view.php?id=2673</url>;
+      <url>http://seclists.org/fulldisclosure/2016/Apr/4</url>;
+      <url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-04-04</discovery>
+      <entry>2016-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d">
+    <topic>openvswitch -- MPLS buffer overflow</topic>
+    <affects>
+      <package>
+	<name>openvswitch</name>
+	<range><le>2.3.2_1</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Open vSwitch reports:</p>
+	<blockquote cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html">;
+	  <p>Multiple versions of Open vSwitch are vulnerable to remote buffer
+	    overflow attacks, in which crafted MPLS packets could overflow the
+	    buffer reserved for MPLS labels in an OVS internal data structure.
+	    The MPLS packets that trigger the vulnerability and the potential for
+	    exploitation vary depending on version:</p>
+	<p>Open vSwitch 2.1.x and earlier are not vulnerable.</p>
+	<p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
+	  exploited for arbitrary remote code execution.</p>
+	<p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead
+	  to a remote code execution exploit, but testing shows that it can allow a
+	  remote denial of service.  See the mitigation section for details.</p>
+	<p>Open vSwitch 2.5.x is not vulnerable.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2074</cvename>
+    </references>
+    <dates>
+      <discovery>2016-03-28</discovery>
+      <entry>2016-05-29</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec">
+    <topic>chromium -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<name>chromium-npapi</name>
+	<name>chromium-pulse</name>
+	<range><lt>51.0.2704.63</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Google Chrome Releases reports:</p>
+	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html">;
+	  <p>42 security fixes in this release, including:</p>
+	  <ul>
+	    <li>[590118] High CVE-2016-1672: Cross-origin bypass in extension
+	      bindings. Credit to Mariusz Mlynski.</li>
+	    <li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink.
+	      Credit to Mariusz Mlynski.</li>
+	    <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.i
+	      Credit to Mariusz Mlynski.</li>
+	    <li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink.
+	      Credit to Mariusz Mlynski.</li>
+	    <li>[604901] High CVE-2016-1676: Cross-origin bypass in extension
+	      bindings. Credit to Rob Wu.</li>
+	    <li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to
+	      Guang Gong of Qihoo 360.</li>
+	    <li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to
+	      Christian Holler.</li>
+	    <li>[606390] High CVE-2016-1679: Heap use-after-free in V8
+	      bindings. Credit to Rob Wu.</li>
+	    <li>[589848] High CVE-2016-1680: Heap use-after-free in Skia.
+	      Credit to Atte Kettunen of OUSPG.</li>
+	    <li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to
+	      Aleksandar Nikolic of Cisco Talos.</li>
+	    <li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker.
+	      Credit to KingstonTime.</li>
+	    <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt.
+	      Credit to Nicolas Gregoire.</li>
+	    <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt.
+	      Credit to Nicolas Gregoire.</li>
+	    <li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium.
+	      Credit to Ke Liu of Tencent's Xuanwu LAB.</li>
+	    <li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium.
+	      Credit to Ke Liu of Tencent's Xuanwu LAB.</li>
+	    <li>[603748] Medium CVE-2016-1687: Information leak in extensions.
+	      Credit to Rob Wu.</li>
+	    <li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8.
+	      Credit to Max Korenko.</li>
+	    <li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media.
+	      Credit to Atte Kettunen of OUSPG.</li>
+	    <li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill.
+	      Credit to Rob Wu.</li>
+	    <li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia.
+	      Credit to Atte Kettunen of OUSPG.</li>
+	    <li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in
+	      ServiceWorker. Credit to Til Jasper Ullrich.</li>
+	    <li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal
+	      Tool. Credit to Khalil Zhani.</li>
+	    <li>[603682] Low CVE-2016-1694: HPKP pins removed on cache
+	      clearance. Credit to Ryan Lester and Bryant Zadegan.</li>
+	    <li>[614767] CVE-2016-1695: Various fixes from internal audits,
+	      fuzzing and other initiatives.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-1672</cvename>
+      <cvename>CVE-2016-1673</cvename>
+      <cvename>CVE-2016-1674</cvename>
+      <cvename>CVE-2016-1675</cvename>
+      <cvename>CVE-2016-1672</cvename>
+      <cvename>CVE-2016-1677</cvename>
+      <cvename>CVE-2016-1678</cvename>
+      <cvename>CVE-2016-1679</cvename>
+      <cvename>CVE-2016-1680</cvename>
+      <cvename>CVE-2016-1681</cvename>
+      <cvename>CVE-2016-1682</cvename>
+      <cvename>CVE-2016-1683</cvename>
+      <cvename>CVE-2016-1684</cvename>
+      <cvename>CVE-2016-1685</cvename>
+      <cvename>CVE-2016-1686</cvename>
+      <cvename>CVE-2016-1687</cvename>
+      <cvename>CVE-2016-1688</cvename>
+      <cvename>CVE-2016-1689</cvename>
+      <cvename>CVE-2016-1690</cvename>
+      <cvename>CVE-2016-1691</cvename>
+      <cvename>CVE-2016-1692</cvename>
+      <cvename>CVE-2016-1693</cvename>
+      <cvename>CVE-2016-1694</cvename>
+      <cvename>CVE-2016-1695</cvename>
+      <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-25</discovery>
+      <entry>2016-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec">
+    <topic>chromium -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<name>chromium-npapi</name>
+	<name>chromium-pulse</name>
+	<range><lt>50.0.2661.102</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Google Chrome Releases reports:</p>
+	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html">;
+	  <p>5 security fixes in this release, including:</p>
+	  <ul>
+	    <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit
+	      to Mariusz Mlynski.</li>
+	    <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8
+	      bindings. Credit to Mariusz Mlynski.</li>
+	    <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to
+	      Choongwoo Han.</li>
+	    <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit
+	      to anonymous.</li>
+	    <li>[586657] Medium CVE-2016-1671: Directory traversal using the
+	      file scheme on Android. Credit to Jann Horn.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-1667</cvename>
+      <cvename>CVE-2016-1668</cvename>
+      <cvename>CVE-2016-1669</cvename>
+      <cvename>CVE-2016-1670</cvename>
+      <cvename>CVE-2016-1671</cvename>
+      <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-11</discovery>
+      <entry>2016-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec">
+    <topic>chromium -- multiple vulnerablities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<name>chromium-npapi</name>
+	<name>chromium-pulse</name>
+	<range><lt>50.0.2661.94</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Google Chrome Releases reports:</p>
+	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html">;
+	  <p>9 security fixes in this release, including:</p>
+	  <ul>
+	    <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink.
+	     Credit to Atte Kettunen of OUSPG.</li>
+	    <li>[601629] High CVE-2016-1661: Memory corruption in cross-process
+	     frames. Credit to Wadih Matar.</li>
+	    <li>[603732] High CVE-2016-1662: Use-after-free in extensions.
+	     Credit to Rob Wu.</li>
+	    <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8
+	     bindings. Credit to anonymous.</li>
+	    <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to
+	     Wadih Matar.</li>
+	    <li>[606181] Medium CVE-2016-1665: Information leak in V8. Credit
+	     to HyungSeok Han.</li>
+	    <li>[607652] CVE-2016-1666: Various fixes from internal audits,
+	     fuzzing and other initiatives.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-1660</cvename>
+      <cvename>CVE-2016-1661</cvename>
+      <cvename>CVE-2016-1662</cvename>
+      <cvename>CVE-2016-1663</cvename>
+      <cvename>CVE-2016-1664</cvename>
+      <cvename>CVE-2016-1665</cvename>
+      <cvename>CVE-2016-1666</cvename>
+      <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-04-28</discovery>
+      <entry>2016-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5">
+    <topic>php -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>php70-gd</name>
+	<name>php70-intl</name>
+	<range><lt>7.0.7</lt></range>
+      </package>
+      <package>
+	<name>php56</name>
+	<name>php56-gd</name>
+	<range><lt>5.6.22</lt></range>
+      </package>
+      <package>
+	<name>php55</name>
+	<name>php55-gd</name>
+	<name>php55-phar</name>
+	<range><lt>5.5.36</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The PHP Group reports:</p>
+	<blockquote cite="http://php.net/ChangeLog-5.php#5.5.36">;
+	  <ul><li>Core:
+	  <ul>
+	    <li>Fixed bug #72114 (Integer underflow / arbitrary null write in
+	      fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li>
+	    <li>Fixed bug #72135 (Integer Overflow in php_html_entities).
+	      (CVE-2016-5094) (PHP 5.5/5.6 only)</li>
+	  </ul></li>
+	  <li>GD:
+	  <ul>
+	    <li>Fixed bug #72227 (imagescale out-of-bounds read).
+	      (CVE-2013-7456)</li>
+	  </ul></li>
+	  <li>Intl:
+	  <ul>
+	    <li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
+	      (CVE-2016-5093)</li>
+	  </ul></li>
+	  <li>Phar:
+	  <ul>
+	    <li>Fixed bug #71331 (Uninitialized pointer in
+	      phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)</li>
+	  </ul></li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-5096</cvename>
+      <cvename>CVE-2016-5094</cvename>
+      <cvename>CVE-2013-7456</cvename>
+      <cvename>CVE-2016-5093</cvename>
+      <cvename>CVE-2016-4343</cvename>
+      <freebsdpr>ports/209779</freebsdpr>
+      <url>http://php.net/ChangeLog-7.php#7.0.7</url>;
+      <url>http://php.net/ChangeLog-5.php#5.6.22</url>;
+      <url>http://php.net/ChangeLog-5.php#5.5.36</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-26</discovery>
+      <entry>2016-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42">
+    <topic>phpmyadmin -- XSS and sensitive data leakage</topic>
+    <affects>
+      <package>
+	<name>phpmyadmin</name>
+	<range><ge>4.6.0</ge><lt>4.6.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The phpmyadmin development team reports:</p>
+	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/">;
+	  <h2>Description</h2>
+	  <p>Because user SQL queries are part of the URL, sensitive
+	    information made as part of a user query can be exposed by
+	    clicking on external links to attackers monitoring user GET
+	    query parameters or included in the webserver logs.</p>
+	  <h2>Severity</h2>
+	  <p>We consider this to be non-critical.</p>
+	</blockquote>
+	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/">;
+	  <h2>Description</h2>
+	  <p>A specially crafted attack could allow for special HTML
+	    characters to be passed as URL encoded values and displayed
+	    back as special characters in the page.</p>
+	  <h2>Severity</h2>
+	  <p>We consider this to be non-critical.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url>;
+      <url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url>;
+      <cvename>CVE-2016-5097</cvename>
+      <cvename>CVE-2016-5099</cvename>
+    </references>
+    <dates>
+      <discovery>2016-05-25</discovery>
+      <entry>2016-05-25</entry>
+      <modified>2016-05-26</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5">
+    <topic>mediawiki -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>mediawiki123</name>
+	<range><lt>1.23.14</lt></range>
+      </package>
+      <package>
+	<name>mediawiki124</name>
+	<range><le>1.24.6</le></range>
+      </package>
+      <package>
+	<name>mediawiki125</name>
+	<range><lt>1.25.6</lt></range>
+      </package>
+      <package>
+	<name>mediawiki126</name>
+	<range><lt>1.26.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mediawiki reports:</p>
+	<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html">;
+	  <p>Security fixes:</p>
+	    <p>T122056: Old tokens are remaining valid within a new session</p>
+	    <p>T127114: Login throttle can be tricked using non-canonicalized
+	      usernames</p>
+	    <p>T123653: Cross-domain policy regexp is too narrow</p>
+	    <p>T123071: Incorrectly identifying http link in a's href
+	      attributes, due to m modifier in regex</p>
+	    <p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p>
+	    <p>T125283: Users occasionally logged in as different users after
+	      SessionManager deployment</p>
+	    <p>T103239: Patrol allows click catching and patrolling of any
+	      page</p>
+	    <p>T122807: [tracking] Check php crypto primatives</p>
+	    <p>T98313: Graphs can leak tokens, leading to CSRF</p>
+	    <p>T130947: Diff generation should use PoolCounter</p>
+	    <p>T133507: Careless use of $wgExternalLinkTarget is insecure</p>
+	    <p>T132874: API action=move is not rate limited</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-20</discovery>
+      <entry>2016-05-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5">
+    <topic>wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written</topic>
+    <affects>
+      <package>
+	<name>wpa_supplicant</name>
+	<range><lt>2.5_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Jouni Malinen reports:</p>
+	<blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt">;
+	  <p>psk configuration parameter update allowing arbitrary data to be
+	    written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4476</cvename>
+      <cvename>CVE-2016-4477</cvename>
+      <freebsdpr>/ports/209564</freebsdpr>
+      <url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-02</discovery>
+      <entry>2016-05-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5">
+    <topic>expat -- denial of service vulnerability on malformed input</topic>
+    <affects>
+      <package>
+	<name>expat</name>
+	<range><lt>2.1.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Gustavo Grieco reports:</p>
+	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12">;
+	  <p>The Expat XML parser mishandles certain kinds of malformed input
+	    documents, resulting in buffer overflows during processing and error
+	    reporting. The overflows can manifest as a segmentation fault or as
+	    memory corruption during a parse operation. The bugs allow for a
+	    denial of service attack in many applications by an unauthenticated
+	    attacker, and could conceivably result in remote code execution.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-0718</cvename>
+      <freebsdpr>ports/209360</freebsdpr>
+      <url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-17</discovery>
+      <entry>2016-05-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d">
+    <topic>Bugzilla security issues</topic>
+    <affects>
+      <package>
+	<name>bugzilla44</name>
+	<range><lt>4.4.12</lt></range>
+      </package>
+      <package>
+	<name>bugzilla50</name>
+	<range><lt>5.0.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Bugzilla Security Advisory</p>
+	<blockquote cite="https://www.bugzilla.org/security/4.4.11/">;
+	  <p>A specially crafted bug summary could trigger XSS in dependency graphs.
+	  Due to an incorrect parsing of the image map generated by the dot script,
+	    a specially crafted bug summary could trigger XSS in dependency graphs.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2803</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url>;
+    </references>
+    <dates>
+      <discovery>2016-03-03</discovery>
+      <entry>2016-05-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec">
+    <topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic>
+    <affects>
+      <package>
+	<name>openvpn</name>
+	<range><lt>2.3.11</lt></range>
+      </package>
+      <package>
+	<name>openvpn-polarssl</name>
+	<range><lt>2.3.11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Samuli Seppänen reports:</p>
+	<blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/">;
+	  <p>OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug
+	    with DoS potential and a buffer overflow by user supplied data when
+	    using pam authentication.[...]</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url>;
+      <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url>;
+    </references>
+    <dates>
+      <discovery>2016-03-03</discovery>
+      <entry>2016-05-14</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="82b702e0-1907-11e6-857b-00221503d280">
+    <topic>imagemagick -- buffer overflow</topic>
+    <affects>
+      <package>
+	<name>ImageMagick</name>
+	<name>ImageMagick-nox11</name>
+	<range><lt>6.9.4.1,1</lt></range>
+      </package>
+      <package>
+	<name>ImageMagick7</name>
+	<name>ImageMagick7-nox11</name>
+	<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>ImageMagick reports:</p>
+	<blockquote cite="http://legacy.imagemagick.org/script/changelog.php">;
+	  <p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://legacy.imagemagick.org/script/changelog.php</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-09</discovery>
+      <entry>2016-05-13</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e387834a-17ef-11e6-9947-7054d2909b71">
+    <topic>jenkins -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>jenkins</name>
+	<range><le>2.2</le></range>
+      </package>
+      <package>
+	<name>jenkins2</name>
+	<range><le>2.2</le></range>
+      </package>
+      <package>
+	<name>jenkins-lts</name>
+	<range><le>1.651.1</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Jenkins Security Advisory:</p>
+	<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11">;
+	  <h1>Description</h1>
+	  <h5>SECURITY-170 / CVE-2016-3721</h5>
+	  <p>Arbitrary build parameters are passed to build scripts as environment variables</p>
+	  <h5>SECURITY-243 / CVE-2016-3722</h5>
+	  <p>Malicious users with multiple user accounts can prevent other users from logging in</p>
+	  <h5>SECURITY-250 / CVE-2016-3723</h5>
+	  <p>Information on installed plugins exposed via API</p>
+	  <h5>SECURITY-266 / CVE-2016-3724</h5>
+	  <p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p>
+	  <h5>SECURITY-273 / CVE-2016-3725</h5>
+	  <p>Regular users can trigger download of update site metadata</p>
+	  <h5>SECURITY-276 / CVE-2016-3726</h5>
+	  <p>Open redirect to scheme-relative URLs</p>
+	  <h5>SECURITY-281 / CVE-2016-3727</h5>
+	  <p>Granting the permission to read node configurations allows access to overall system configuration</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3721</cvename>
+      <cvename>CVE-2016-3722</cvename>
+      <cvename>CVE-2016-3723</cvename>
+      <cvename>CVE-2016-3724</cvename>
+      <cvename>CVE-2016-3725</cvename>
+      <cvename>CVE-2016-3726</cvename>
+      <cvename>CVE-2016-3727</cvename>
+      <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-11</discovery>
+      <entry>2016-05-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d9f99491-1656-11e6-94fa-002590263bf5">
+    <topic>perl5 -- taint mechanism bypass vulnerability</topic>
+    <affects>
+      <package>
+	<name>perl5</name>
+	<range><lt>5.18.4_21</lt></range>
+	<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
+	<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
+      </package>
+      <package>
+	<name>perl5.18</name>
+	<range><ge>5.18.0</ge><lt>5.18.4_21</lt></range>
+      </package>
+      <package>
+	<name>perl5.20</name>
+	<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
+      </package>
+      <package>
+	<name>perl5.22</name>
+	<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>MITRE reports:</p>
+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381">;
+	  <p>Perl might allow context-dependent attackers to bypass the taint
+	    protection mechanism in a child process via duplicate environment
+	    variables in envp.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2381</cvename>
+      <freebsdpr>ports/208879</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2016-04-08</discovery>
+      <entry>2016-05-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3686917b-164d-11e6-94fa-002590263bf5">
+    <topic>wordpress -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>wordpress</name>
+	<range><lt>4.5.2,1</lt></range>
+      </package>
+      <package>
+	<name>de-wordpress</name>
+	<name>ja-wordpress</name>
+	<name>ru-wordpress</name>
+	<name>zh-wordpress-zh_CN</name>
+	<name>zh-wordpress-zh_TW</name>
+	<range><lt>4.5.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Helen Hou-Sandi reports:</p>
+	<blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/">;
+	  <p>WordPress 4.5.2 is now available. This is a security release for
+	    all previous versions and we strongly encourage you to update your
+	    sites immediately.</p>
+	  <p>WordPress versions 4.5.1 and earlier are affected by a SOME
+	    vulnerability through Plupload, the third-party library WordPress
+	    uses for uploading files. WordPress versions 4.2 through 4.5.1 are
+	    vulnerable to reflected XSS using specially crafted URIs through
+	    MediaElement.js, the third-party library used for media players.
+	    MediaElement.js and Plupload have also released updates fixing
+	    these issues.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4566</cvename>
+      <cvename>CVE-2016-4567</cvename>
+      <url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url>;
+      <url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-06</discovery>
+      <entry>2016-05-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf">
+    <topic>libarchive -- RCE vulnerability</topic>
+    <affects>
+      <package>
+	<name>libarchive</name>
+	<range><lt>3.2.0,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The libarchive project reports:</p>
+	<blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7">;
+	  <p>Heap-based buffer overflow in the zip_read_mac_metadata function
+	    in archive_read_support_format_zip.c in libarchive before 3.2.0
+	    allows remote attackers to execute arbitrary code via crafted
+	    entry-size values in a ZIP archive.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-1541</cvename>
+      <url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-01</discovery>
+      <entry>2016-05-09</entry>
+      <modified>2016-05-10</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42">
+    <topic>squid -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>squid</name>
+	<range><ge>3.0.0</ge><lt>3.5.18</lt></range>
+      </package>
+      <package>
+	<name>squid-devel</name>
+	<range><ge>4.0.0</ge><lt>4.0.10</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The squid development team reports:</p>
+	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_7.txt">;
+	  <dl>
+	    <dt>Problem Description:</dt>
+	    <dd>Due to incorrect data validation of intercepted HTTP
+	      Request messages Squid is vulnerable to clients bypassing
+	      the protection against CVE-2009-0801 related issues. This
+	      leads to cache poisoning.</dd>
+	    <dt>Severity:</dt>
+	    <dd>This problem is serious because it allows any client,
+	      including browser scripts, to bypass local security and
+	      poison the proxy cache and any downstream caches with
+	      content from an arbitrary source.</dd>
+	  </dl>
+	</blockquote>
+	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_8.txt">;
+	  <dl>
+	    <dt>Problem Description:</dt>
+	    <dd>Due to incorrect input validation Squid is vulnerable
+	      to a header smuggling attack leading to cache poisoning
+	      and to bypass of same-origin security policy in Squid and
+	      some client browsers.</dd>
+	    <dt>Severity:</dt>
+	    <dd>This problem allows a client to smuggle Host header
+	      value past same-origin security protections to cause Squid
+	      operating as interception or reverse-proxy to contact the
+	      wrong origin server. Also poisoning any downstream cache
+	      which stores the response.</dd>
+	    <dd>However, the cache poisoning is only possible if the
+	      caching agent (browser or explicit/forward proxy) is not
+	      following RFC 7230 processing guidelines and lets the
+	      smuggled value through.</dd>
+	  </dl>
+	</blockquote>
+	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_9.txt">;
+	  <dl>
+	    <dt>Problem Description:</dt>
+	    <dd>Due to incorrect pointer handling and reference
+	      counting Squid is vulnerable to a denial of service attack
+	      when processing ESI responses.</dd>
+	    <dt>Severity:</dt>
+	    <dd>These problems allow a remote server delivering
+	      certain ESI response syntax to trigger a denial of service
+	      for all clients accessing the Squid service.</dd>
+	    <dd>Due to unrelated changes Squid-3.5 has become
+	      vulnerable to some regular ESI server responses also
+	      triggering one or more of these issues.</dd>
+	  </dl>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4553</cvename>
+      <cvename>CVE-2016-4554</cvename>
+      <cvename>CVE-2016-4555</cvename>
+      <cvename>CVE-2016-4556</cvename>
+      <url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url>;
+      <url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url>;
+      <url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-06</discovery>
+      <entry>2016-05-07</entry>
+      <modified>2016-05-09</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec">
+    <topic>ImageMagick -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>ImageMagick</name>
+	<name>ImageMagick-nox11</name>
+	<range><lt>6.9.3.9_1,1</lt></range>
+      </package>
+      <package>
+	<name>ImageMagick7</name>
+	<name>ImageMagick7-nox11</name>
+	<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Openwall reports:</p>
+	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/03/18">;
+	  <p>Insufficient filtering for filename passed to delegate's command
+	    allows remote code execution during conversion of several file
+	    formats. Any service which uses ImageMagick to process user
+	    supplied images and uses default delegates.xml / policy.xml,
+	    may be vulnerable to this issue.</p>
+	  <p>It is possible to make ImageMagick perform a HTTP GET or FTP
+	    request</p>
+	  <p>It is possible to delete files by using ImageMagick's 'ephemeral'
+	    pseudo protocol which deletes files after reading.</p>
+	  <p>It is possible to move image files to file with any extension
+	    in any folder by using ImageMagick's 'msl' pseudo protocol.
+	    msl.txt and image.gif should exist in known location - /tmp/
+	    for PoC (in real life it may be web service written in PHP,
+	    which allows to upload raw txt files and process images with
+	    ImageMagick).</p>
+	  <p>It is possible to get content of the files from the server
+	    by using ImageMagick's 'label' pseudo protocol.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3714</cvename>
+      <cvename>CVE-2016-3715</cvename>
+      <cvename>CVE-2016-3716</cvename>
+      <cvename>CVE-2016-3717</cvename>
+      <cvename>CVE-2016-3718</cvename>
+      <url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url>;
+      <url>https://imagetragick.com/</url>;
+    </references>
+    <dates>
+      <discovery>2016-05-03</discovery>
+      <entry>2016-05-06</entry>
+      <modified>2016-05-07</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c">
+    <topic>jansson -- local denial of service vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>jansson</name>
+	<range><lt>2.7_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>QuickFuzz reports:</p>
+	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5">;
+	  <p>A crash caused by stack exhaustion parsing a JSON was found.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url>;
+      <url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url>;
+      <cvename>CVE-2016-4425</cvename>
+    </references>
+    <dates>
+      <discovery>2016-05-01</discovery>
+      <entry>2016-05-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf">
+    <topic>OpenSSL -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>openssl</name>
+	<range><lt>1.0.2_11</lt></range>
+      </package>
+      <package>
+	<name>linux-c6-openssl</name>
+	<range><lt>1.0.1e_8</lt></range>
+      </package>

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


