Date: Thu, 13 Sep 2012 03:35:09 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r304170 - in head: security/vuxml www/mod_pagespeed Message-ID: <201209130335.q8D3Z9kH008132@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills Date: Thu Sep 13 03:35:09 2012 New Revision: 304170 URL: http://svn.freebsd.org/changeset/ports/304170 Log: - Update to 0.10.22.6 which fixes two security issues - Document security issues in vuxml [1] Reviewed by: bdrewery [1] Security: 178ba4ea-fd40-11e1-b2ae-001fd0af1a4c Modified: head/security/vuxml/vuln.xml head/www/mod_pagespeed/Makefile head/www/mod_pagespeed/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Sep 13 02:03:41 2012 (r304169) +++ head/security/vuxml/vuln.xml Thu Sep 13 03:35:09 2012 (r304170) @@ -51,6 +51,56 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="178ba4ea-fd40-11e1-b2ae-001fd0af1a4c"> + <topic>mod_pagespeed -- multiple vulnerabilities</topic> + <affects> + <package> + <name>mod_pagespeed</name> + <range><lt>0.10.22.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Google Reports:</p> + <blockquote cite="https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6">; + <p>mod_pagespeed 0.10.22.6 is a security update that fixes two + critical issues that affect earlier versions:</p> + <ul> + <li>CVE-2012-4001, a problem with validation of own host name.</li> + <li>CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.</li> + </ul> + <p>The effect of the first problem is that it is possible to confuse + mod_pagespeed about its own host name, and to trick it into + fetching resources from other machines. This could be an issue if + the HTTP server has access to machines that are not otherwise + publicly visible.</p> + <p>The second problem would permit a hostile third party to execute + JavaScript in users' browsers in context of the domain running + mod_pagespeed, which could permit interception of users' cookies or + data on the site.</p> + <p>Because of the severity of the two problems, users are strongly + encouraged to update immediately.</p> + <p>Behavior Changes in the Update:</p> + <p>As part of the fix to the first issue, mod_pagespeed will not fetch + resources from machines other than localhost if they are not + explicitly mentioned in the configuration. This means that if you + need resources on the server's domain to be handled by some other + system, you'll need to explicitly use ModPagespeedMapOriginDomain + or ModPagespeedDomain to authorize that.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-4001</cvename> + <cvename>CVE-2012-4360</cvename> + <url>https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6</url>; + </references> + <dates> + <discovery>2012-09-12</discovery> + <entry>2012-09-12</entry> + </dates> + </vuln> + <vuln vid="3bbbe3aa-fbeb-11e1-8bd8-0022156e8794"> <topic>freeradius -- arbitrary code execution for TLS-based authentication</topic> <affects> Modified: head/www/mod_pagespeed/Makefile ============================================================================== --- head/www/mod_pagespeed/Makefile Thu Sep 13 02:03:41 2012 (r304169) +++ head/www/mod_pagespeed/Makefile Thu Sep 13 03:35:09 2012 (r304170) @@ -6,8 +6,7 @@ # PORTNAME= mod_pagespeed -PORTVERSION= 0.10.22.4 -PORTREVISION= 1 +PORTVERSION= 0.10.22.6 PORTEPOCH= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_LOCAL} Modified: head/www/mod_pagespeed/distinfo ============================================================================== --- head/www/mod_pagespeed/distinfo Thu Sep 13 02:03:41 2012 (r304169) +++ head/www/mod_pagespeed/distinfo Thu Sep 13 03:35:09 2012 (r304170) @@ -1,2 +1,2 @@ -SHA256 (mod_pagespeed_source_0.10.22.4.tar.xz) = 4abb02fec78b20d2790e9f6bb7c454b14cccde9add4a0341d6e6779066d3a3a9 -SIZE (mod_pagespeed_source_0.10.22.4.tar.xz) = 14492376 +SHA256 (mod_pagespeed_source_0.10.22.6.tar.xz) = 58d983777727ebabbd576610129235bd39fbd025f1620bb2f6f3f176f600619f +SIZE (mod_pagespeed_source_0.10.22.6.tar.xz) = 11864872
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201209130335.q8D3Z9kH008132>