Date: Sun, 20 Sep 2009 19:15:58 +0200 (CEST)
From: olli hauer <ohauer@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ohauer@gmx.de
Subject: ports/138995: [patch] port security/vuxml vuln.xml, neon's CVE issues
Message-ID: <20090920171558.815F526145@u18-124.dsl.vianetworks.de>
Resent-Message-ID: <200909201720.n8KHK1Zh023453@freefall.freebsd.org>
>Number: 138995
>Category: ports
>Synopsis: [patch] port security/vuxml vuln.xml, neon's CVE issues
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 20 17:20:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: olli hauer <ohauer@gmx.de>
>Release: FreeBSD 7.2-RELEASE i386
>Organization:
>Environment:
>Description:
Document neon CVE-2009-2473 and CVE-2009-2474 entry.

Updates for the neon ports were sent to freebsd-ports-bugs and lev@FreeBSD. See PR:
- ports/138991: [patch] port neon26 CVE-2009-2474 and CVE-2009-2474
- ports/138337: [patch] port neon28 update to 28.6

There is a note on the vuxml site which points to http://security.freebsd.org/, and here is a note to send issues to the address at http://www.vuxml.org/freebsd/. A first note was sent at the end of Aug 2009 to secteam_(at)_FreeBSD.org and security-team_(at)FreeBSD.org, but I guess it has gone to /dev/null.

Maybe someone can make this proof with a note like send issues to secteam-($RND replace like the officer one) _(at)_FreeBSD ?

I set prio to high, since I got no answer from lev in the last 20 days.
>How-To-Repeat:
>Fix:
--- patch_security_vuxml.txt begins here --- --- vuln.xml 2009-09-20 18:32:04.000000000 +0200 +++ vuln.xml 2009-09-20 18:47:13.000000000 +0200 
@@ -35,6 +35,40 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="b718fdb5-a603-11de-89cb-00300582f91e"> + <topic>neon28 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>neon28</name> + <range><lt>28.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>neon ChangeLog reports:</p> + <blockquote cite="http://www.webdav.org/neon/"> + <p>SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat; + could allow a Denial of Service attack by a malicious server.</p> + <p>SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a + certificate subject name; could allow an undetected MITM attack against + an SSL server if a trusted CA issues such a cert.</p> + <p>Note: CVE-2009-2474 does affect GnuTLS as well as OpenSSL, + contrary to previous announcement.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2009-2473</cvename> + <cvename>CVE-2009-2474</cvename> + <url>http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html</url> + <url>http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html</url> + </references> + <dates> + <discovery>2009-08-18</discovery> + <entry>2009-09-20</entry> + </dates> + </vuln> + <vuln vid="113cd7e9-a4e2-11de-84af-001195e39404"> <topic>fwbuilder -- security issue in temporary file handling</topic> <affects> --- patch_security_vuxml.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
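Review bot: the new `<affects>` block covers only `<name>neon28</name>` with `<range><lt>28.6</lt></range>`, yet the PR description says the same CVE fixes are being submitted for the neon26 port (ports/138991), so neon26 users would get no VuXML match for CVE-2009-2473/CVE-2009-2474. Either add a second `<package>` element for `neon26` inside the same `<affects>` (with the first fixed neon26 version in its `<lt>` range; that version is not stated in this PR and needs to be taken from the neon26 fix) or file a separate `<vuln>` entry for it. Minor: the two `<url>` references are listed in descending order (001046 before 001045); the rest of the file's entries read more naturally in ascending order.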