From owner-svn-ports-all@FreeBSD.ORG Mon Aug 11 20:07:25 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7BD2B89A for ; Mon, 11 Aug 2014 20:07:25 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 686FF2C99 for ; Mon, 11 Aug 2014 20:07:25 +0000 (UTC) Received: from ohauer (uid 1234) (envelope-from ohauer@FreeBSD.org) id 2ca1 by svn.freebsd.org (DragonFly Mail Agent v0.9+); Mon, 11 Aug 2014 20:07:25 +0000 From: Olli Hauer Date: Mon, 11 Aug 2014 20:07:25 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r364651 - branches/2014Q3/security/vuxml X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Message-Id: <53e9227d.2ca1.41dd1ebe@svn.freebsd.org> X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Aug 2014 20:07:25 -0000 Author: ohauer Date: Mon Aug 11 20:07:24 2014 New Revision: 364651 URL: http://svnweb.freebsd.org/changeset/ports/364651 QAT: https://qat.redports.org/buildarchive/r364651/ Log: MFH: r364230 Document OpenSSL multiple vulnerabilities. MFH: r364456 Document nginx vulnerability. MFH: r364494 Fix typo. Found by: rene MFH: r364637 - document subversion CVE-2014-3522, CVE-2014-3528 MFH: r364638 - document serf CVE-2014-3504 MFH: r364641 - INSERT URL HERE Approved by: portmgr (erwin) Modified: branches/2014Q3/security/vuxml/vuln.xml Directory Properties: branches/2014Q3/ (props changed) Modified: branches/2014Q3/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q3/security/vuxml/vuln.xml Mon Aug 11 20:05:02 2014 (r364650) +++ branches/2014Q3/security/vuxml/vuln.xml Mon Aug 11 20:07:24 2014 (r364651) @@ -57,6 +57,193 @@ Notes: --> + + serf -- SSL Certificate Null Byte Poisoning + + + serf + 1.3.7 + + + + +

serf Development list reports:

+
+

Serf provides APIs to retrieve information about a certificate. These + APIs return the information as NUL terminated strings (commonly called C + strings). X.509 uses counted length strings which may include a NUL byte. + This means that a library user will interpret any information as ending + upon seeing this NUL byte and will only see a partial value for that field. +

+

Attackers could exploit this vulnerability to create a certificate that a + client will accept for a different hostname than the full certificate is + actually for by embedding a NUL byte in the certificate.

+

This can lead to a man-in-the-middle attack. There are no known instances + of this problem being exploited in the wild and in practice it should be + difficult to actually exploit this vulnerability.

+
+ +
+ + CVE-2014-3504 + + + 2014-08-06 + 2014-08-11 + +
+ + + subversion -- several vulnerabilities + + + subversion17 + 1.7.01.7.18 + + + subversion18 + 1.8.01.8.10 + + + + +

Subversion Project reports:

+
+

Using the Serf RA layer of Subversion for HTTPS uses the apr_fnmatch API + to handle matching wildcards in certificate Common Names and Subject + Alternate Names. However, apr_fnmatch is not designed for this purpose. + Instead it is designed to behave like common shell globbing. In particular + this means that '*' is not limited to a single label within a hostname + (i.e. it will match '.'). But even further apr_fnmatch supports '?' and + character classes (neither of which are part of the RFCs defining how + certificate validation works).

+

Subversion stores cached credentials by an MD5 hash based on the URL and + the authentication realm of the server the credentials are cached for. + MD5 has been shown to be subject to chosen plaintext hash collisions. + This means it may be possible to generate an authentication realm which + results in the same MD5 hash for a different URL.

+
+ +
+ + CVE-2014-3522 + CVE-2014-3528 + http://subversion.apache.org/security/CVE-2014-3522-advisory.txt + http://subversion.apache.org/security/CVE-2014-3528-advisory.txt + + + 2014-08-06 + 2014-08-11 + +
+ + + nginx -- inject commands into SSL session vulnerability + + + nginx + 1.6.0,21.6.1,2 + + + nginx-devel + 1.5.61.7.4 + + + + +

The nginx project reports:

+
+

Security: pipelined commands were not discarded after STARTTLS + command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.

+
+ +
+ + CVE-2014-3556 + http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html + + + 2014-08-05 + 2014-08-09 + +
+ + + OpenSSL -- multiple vulnerabilities + + + openssl + 1.0.11.0.1_14 + + + mingw32-openssl + 1.0.11.0.1i + + + + +

The OpenSSL Project reports:

+
+

A flaw in OBJ_obj2txt may cause pretty printing functions + such as X509_name_oneline, X509_name_print_ex et al. to leak + some information from the stack. [CVE-2014-3508]

+

The issue affects OpenSSL clients and allows a malicious + server to crash the client with a null pointer dereference + (read) by specifying an SRP ciphersuite even though it was + not properly negotiated with the client. [CVE-2014-5139]

+

If a multithreaded client connects to a malicious server + using a resumed session and the server sends an ec point + format extension it could write up to 255 bytes to freed + memory. [CVE-2014-3509]

+

An attacker can force an error condition which causes + openssl to crash whilst processing DTLS packets due to + memory being freed twice. This can be exploited through + a Denial of Service attack. [CVE-2014-3505]

+

An attacker can force openssl to consume large amounts + of memory whilst processing DTLS handshake messages. + This can be exploited through a Denial of Service + attack. [CVE-2014-3506]

+

By sending carefully crafted DTLS packets an attacker + could cause openssl to leak memory. This can be exploited + through a Denial of Service attack. [CVE-2014-3507]

+

OpenSSL DTLS clients enabling anonymous (EC)DH + ciphersuites are subject to a denial of service attack. + A malicious server can crash the client with a null pointer + dereference (read) by specifying an anonymous (EC)DH + ciphersuite and sending carefully crafted handshake + messages. [CVE-2014-3510]

+

A flaw in the OpenSSL SSL/TLS server code causes the + server to negotiate TLS 1.0 instead of higher protocol + versions when the ClientHello message is badly + fragmented. This allows a man-in-the-middle attacker + to force a downgrade to TLS 1.0 even if both the server + and the client support a higher protocol version, by + modifying the client's TLS records. [CVE-2014-3511]

+

A malicious client or server can send invalid SRP + parameters and overrun an internal buffer. Only + applications which are explicitly set up for SRP + use are affected. [CVE-2014-3512]

+
+ +
+ + https://www.openssl.org/news/secadv_20140806.txt + CVE-2014-3505 + CVE-2014-3506 + CVE-2014-3507 + CVE-2014-3508 + CVE-2014-3509 + CVE-2014-3510 + CVE-2014-3511 + CVE-2014-3512 + CVE-2014-5139 + + + 2014-08-06 + 2014-08-06 + +
+ krfb -- Possible Denial of Service or code execution via integer overflow