Date: Mon, 23 Oct 2006 15:44:59 +0200 (CEST) From: "Remko Lodder" <remko@elvandar.org> To: "Martin Wilke" <miwi@FreeBSD.org> Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org Subject: Re: cvs commit: ports/security/vuxml vuln.xml Message-ID: <44815.194.74.82.3.1161611099.squirrel@webmail.evilcoder.org> In-Reply-To: <200610231315.k9NDFV0s002358@repoman.freebsd.org> References: <200610231315.k9NDFV0s002358@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you, our users will be aware now, we will fix any issues later
(if needed).
cheers,
remko
--
Kind regards,
Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org
/* Quis Custodiet ipsos custodes */
<quote who="Martin Wilke">
> miwi 2006-10-23 13:15:31 UTC
>
> FreeBSD ports repository
>
> Modified files:
> security/vuxml vuln.xml
> Log:
> - Add entry for www/serendipity and www/serendipity-devel
>
> Reviewed by: markus@
> Approved by: portmgr (implicit VuXML), secteam (Remko (not
> reviewed yet))
>
> Revision Changes Path
> 1.1209 +36 -1 ports/security/vuxml/vuln.xml
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.1208&r2=1.1209
> | ===================================================================
> | RCS file:
> /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v
> | retrieving revision 1.1208
> | retrieving revision 1.1209
> | diff -u -p -r1.1208 -r1.1209
> | --- ports/security/vuxml/vuln.xml 2006/10/23 11:15:11 1.1208
> | +++ ports/security/vuxml/vuln.xml 2006/10/23 13:15:30 1.1209
> | @@ -28,12 +28,47 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O
> | OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> DOCUMENTATION,
> | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> |
> | - $FreeBSD:
> /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.1208
> 2006/10/23 11:15:11 markus Exp $
> | + $FreeBSD:
> /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.1209
> 2006/10/23 13:15:30 miwi Exp $
> |
> | Note: Please add new entries to the beginning of this file.
> |
> | -->
> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> | + <vuln vid="96ed277b-60e0-11db-ad2d-0016179b2dd5">
> | + <topic>Serendipity -- XSS Vulnerabilities</topic>
> | + <affects>
> | + <package>
> | + <name>serendipity</name>
> | + <range><lt>1.0.1</lt></range>
> | + </package>
> | + </affects>
> | + <description>
> | + <body xmlns="http://www.w3.org/1999/xhtml">;
> | + <p>The Serendipity Team reports:</p>
> | + <blockquote
> cite="http://blog.s9y.org/archives/147-Serendipity-1.0.2-and-1.1-beta5-released.html">;
> | + <p>Serendipity failed to correctly sanitize user input on the
> | + media manager administration page. The content of GET variables
> | + were written into JavaScript strings. By using standard string
> | + evasion techniques it was possible to execute arbitrary
> | + JavaScript.</p>
> | + <p>Additionally Serendipity dynamically created a HTML form on
> | + the media manager administration page that contained all
> | + variables found in the URL as hidden fields. While the variable
> | + values were correctly escaped it was possible to break out
> | + by specifying strange variable names.</p>
> | + </blockquote>
> | + </body>
> | + </description>
> | + <references>
> | +
> <url>http://www.hardened-php.net/advisory_112006.136.htmlSerendipity</url>;
> | + <url>http://secunia.com/advisories/22501/</url>;
> | + </references>
> | + <dates>
> | + <discovery>2006-10-19</discovery>
> | + <entry>2006-10-21</entry>
> | + </dates>
> | + </vuln>
> | +
> | <vuln vid="d8fbf13a-6215-11db-a59e-0211d85f11fb">
> | <topic>kdelibs -- integer overflow in khtml</topic>
> | <affects>
> _______________________________________________
> cvs-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/cvs-ports
> To unsubscribe, send any mail to "cvs-ports-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44815.194.74.82.3.1161611099.squirrel>