Date:      Tue, 22 Dec 2020 14:16:44 +0000 (UTC)
From:      Juraj Lutter <otis@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r558911 - head/security/vuxml
Message-ID:  <202012221416.0BMEGihQ018829@repo.freebsd.org>

Author: otis
Date: Tue Dec 22 14:16:43 2020
New Revision: 558911
URL: https://svnweb.freebsd.org/changeset/ports/558911

Log:
  Document vulns for powerdns and postsrsd
  
  Reviewed by:	osa (mentor)
  Approved by:	osa (mentor)
  Differential Revision:	https://reviews.freebsd.org/D27706

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Dec 22 13:29:58 2020	(r558910)
+++ head/security/vuxml/vuln.xml	Tue Dec 22 14:16:43 2020	(r558911)
@@ -58,6 +58,67 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="eb2845c4-43ce-11eb-aba5-00a09858faf5">
+    <topic>postsrsd -- Denial of service vulnerability</topic>
+    <affects>
+      <package>
+	<name>postsrsd</name>
+	<range><lt>1.10</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>postsrsd developer reports:</p>
+	<blockquote cite="https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac">;
+	  <p>PostSRSd could be tricked into consuming a lot of CPU time with
+	    an SRS address that has an excessively long time stamp tag.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-35573</cvename>
+      <url>https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac</url>;
+      <url>https://github.com/roehling/postsrsd/releases/tag/1.10</url>;
+    </references>
+    <dates>
+      <discovery>2020-12-12</discovery>
+      <entry>2020-12-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="61d89849-43cb-11eb-aba5-00a09858faf5">
+    <topic>powerdns -- Various issues in GSS-TSIG support</topic>
+    <affects>
+      <package>
+	<name>powerdns</name>
+	<range><lt>4.4.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>PowerDNS developers report:</p>
+	<blockquote cite="https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html">;
+	  <p>A remote, unauthenticated attacker can trigger a race condition
+	    leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.</p>
+	  <p>A remote, unauthenticated attacker can cause a denial of service by
+	    sending crafted queries with a GSS-TSIG signature.</p>
+	  <p>A remote, unauthenticated attacker might be able to cause a double-free,
+	    leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-24696</cvename>
+      <cvename>CVE-2020-24697</cvename>
+      <cvename>CVE-2020-24698</cvename>
+      <url>https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html</url>;
+    </references>
+    <dates>
+      <discovery>2020-08-27</discovery>
+      <entry>2020-12-21</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="cc1fd3da-b8fd-4f4d-a092-c38541c0f993">
     <topic>vault -- User Enumeration via LDAP auth</topic>
     <affects>
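Review bot: Both added entries record `<entry>2020-12-21</entry>` (in the postsrsd and powerdns `<dates>` blocks), while the commit itself is dated Tue Dec 22 2020, so the entry date is a day earlier than the records reached the tree. If `<entry>` is meant to be the date the record was added, which is presumably the convention for this file, both should read `<entry>2020-12-22</entry>` so that anyone correlating audit output with the database history sees the right day. Separately, the powerdns entry lists three `<cvename>` values and three quoted paragraphs without saying which is which. A short lead-in outside the `<blockquote>`, taken from the cited advisory, that maps each CVE to the race condition, the denial of service and the double-free would make triage easier. The enclosing `<vuxml>` element and the vault entry that follows continue outside the hunk.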


