Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 10 Feb 2018 13:43:06 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 225805] security/vuxml: Document multiple vulnerabilities in OpenJPEG
Message-ID:  <bug-225805-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D225805

            Bug ID: 225805
           Summary: security/vuxml: Document multiple vulnerabilities in
                    OpenJPEG
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://github.com/uclouvain/openjpeg/issues?q=3Dis%3Ais
                    sue+CVE-2018-5727+OR+CVE-2018-5785+OR+CVE-2018-6616
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: vlad-fbsd@acheronmedia.com
                CC: sunpoet@FreeBSD.org
          Assignee: ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 190481
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D190481&action=
=3Dedit
Document multiple vulns in OpenJPEG

Multiple vulnerabilities have been found in OpenJPEG.

* CVE-2017-17479 (V3: 9.8 critical!)
  https://nvd.nist.gov/vuln/detail/CVE-2017-17479

* CVE-2017-17480 (V3: 9.8 critical!)
  https://nvd.nist.gov/vuln/detail/CVE-2017-17480

* CVE-2018-5727
  https://nvd.nist.gov/vuln/detail/CVE-2018-5727

* CVE-2018-5785
  https://nvd.nist.gov/vuln/detail/CVE-2018-5785

* CVE-2018-6616
  https://nvd.nist.gov/vuln/detail/CVE-2018-6616

* Upstream reports:
=20
https://github.com/uclouvain/openjpeg/issues?q=3Dis%3Aissue+CVE-2018-5727+O=
R+CVE-2018-5785+OR+CVE-2018-6616

* Upstream for CVE-2017-17479 and 80:
  https://github.com/uclouvain/openjpeg/issues/1044

Note: The upstream reports state "in latest version, 2.3" and NVD/Mitre rep=
ort
"in OpenJPEG 2.3.0". I have, however, marked "up to and including" (le) 2.3=
.0.
Please correct me if that's wrong and only 2.3.0 (eq) should be listed.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-225805-13>