From owner-svn-ports-all@freebsd.org Thu Dec 10 01:08:30 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EBE6C9D4EF4; Thu, 10 Dec 2015 01:08:29 +0000 (UTC) (envelope-from junovitch@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C88371F2C; Thu, 10 Dec 2015 01:08:29 +0000 (UTC) (envelope-from junovitch@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tBA18S05095111; Thu, 10 Dec 2015 01:08:28 GMT (envelope-from junovitch@FreeBSD.org) Received: (from junovitch@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tBA18SuC095109; Thu, 10 Dec 2015 01:08:28 GMT (envelope-from junovitch@FreeBSD.org) Message-Id: <201512100108.tBA18SuC095109@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: junovitch set sender to junovitch@FreeBSD.org using -f 
From: Jason Unovitch Date: Thu, 10 Dec 2015 01:08:28 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r403438 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Dec 2015 01:08:30 -0000 Author: junovitch Date: Thu Dec 10 01:08:28 2015 New Revision: 403438 URL: https://svnweb.freebsd.org/changeset/ports/403438 Log: Catch up on documentation of Redmine vulnerabilities PR: 205110 Security: CVE-2015-8346 Security: CVE-2015-8473 Security: CVE-2015-8474 Security: https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html Security: https://vuxml.FreeBSD.org/freebsd/3ec2e0bc-9ed7-11e5-8f5c-002590263bf5.html Security: https://vuxml.FreeBSD.org/freebsd/be63533c-9ed7-11e5-8f5c-002590263bf5.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Dec 10 00:15:36 2015 (r403437) +++ head/security/vuxml/vuln.xml Thu Dec 10 01:08:28 2015 (r403438) @@ -58,6 +58,256 @@ Notes: --> + + redmine -- information leak vulnerability + + + redmine + 2.6.9 + 3.0.03.0.7 + 3.1.03.1.3 + + + + +

Redmine reports:

+
+

Data disclosure in atom feed.

+
+ +
+ + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + + + 2015-12-05 + 2015-12-10 + +
+ + + redmine -- multiple vulnerabilities + + + redmine + 2.6.8 + 3.0.03.0.6 + 3.1.03.1.2 + + + + +

Redmine reports:

+
+

Potential changeset message disclosure in issues API.

+

Data disclosure on the time logging form

+
+ +
+ + CVE-2015-8346 + CVE-2015-8473 + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + http://www.openwall.com/lists/oss-security/2015/11/25/12 + http://www.openwall.com/lists/oss-security/2015/12/03/7 + + + 2015-11-14 + 2015-12-10 + +
+ + + redmine -- open redirect vulnerability + + + redmine + 2.5.12.6.7 + 3.0.03.0.5 + 3.1.0 + + + + +

Redmine reports:

+
+

Open Redirect vulnerability.

+
+ +
+ + CVE-2015-8474 + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + http://www.openwall.com/lists/oss-security/2015/12/04/1 + + + 2015-09-20 + 2015-12-10 + +
+ + + redmine -- potential XSS vulnerability + + + redmine + 2.6.2 + + + + +

Redmine reports:

+
+

Potential XSS vulnerability when rendering some flash messages.

+
+ +
+ + CVE-2015-8477 + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + http://www.openwall.com/lists/oss-security/2015/12/05/6 + + + 2015-02-19 + 2015-12-10 + +
+ + + redmine -- information leak vulnerability + + + redmine + 2.4.6 + 2.5.02.5.2 + + + + +

Redmine reports:

+
+

Potential data leak (project names) in the invalid form + authenticity token error screen.

+
+ +
+ + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + + + 2014-07-06 + 2015-12-10 + +
+ + + redmine -- open redirect vulnerability + + + redmine + 2.4.5 + 2.5.0 + + + + +

Redmine reports:

+
+

Open Redirect vulnerability

+
+ +
+ + CVE-2014-1985 + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + https://jvn.jp/en/jp/JVN93004610/index.html + + + 2014-03-29 + 2015-12-10 + +
+ + + redmine -- XSS vulnerability + + + redmine + 2.1.02.1.2 + + + + +

Redmine reports:

+
+

XSS vulnerability

+
+ +
+ + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + + + 2012-09-30 + 2015-12-10 + +
+ + + redmine -- multiple vulnerabilities + + + redmine + 1.3.2 + + + + +

Redmine reports:

+
+

Mass-assignemnt vulnerability that would allow an attacker to + bypass part of the security checks.

+

Persistent XSS vulnerability

+
+ +
+ + CVE-2012-0327 + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + http://jvn.jp/en/jp/JVN93406632/ + + + 2012-03-11 + 2015-12-10 + +
+ + + redmine -- CSRF protection bypass + + + redmine + 1.3.0 + + + + +

Redmine reports:

+
+

Vulnerability that would allow an attacker to bypass the CSRF + protection.

+
+ +
+ + http://www.redmine.org/projects/redmine/wiki/Security_Advisories + + + 2011-12-10 + 2015-12-10 + +
+ jenkins -- multiple vulnerabilities
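Review bot: the description in the Redmine 1.3.2 "multiple vulnerabilities" entry has a typo, "Mass-assignemnt vulnerability that would allow an attacker to bypass part of the security checks."; it should read "Mass-assignment vulnerability ..." since these description blocks are published verbatim on the VuXML pages. Also, the commit log's Security: lines name only CVE-2015-8346, CVE-2015-8473 and CVE-2015-8474, while this hunk additionally adds entries carrying CVE-2015-8477, CVE-2014-1985 and CVE-2012-0327; listing those identifiers (and the vid URLs of the remaining new entries) would make the log match what the change documents. Minor: several of the older entries reference only the generic Security_Advisories wiki page; where a per-issue advisory or oss-security post exists, adding it as a reference helps anyone later verifying the affected version ranges.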