Date: Sat, 25 Aug 2012 00:36:04 +0400 (MSK)
From: Eygene Ryabinkin <rea@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: fluffy@FreeBSD.org
Subject: ports/171013: [vuxml][patch] news/inn: fix plaintext command injection
Message-ID: <20120824203604.8E390DA81F@void.codelabs.ru>
Resent-Message-ID: <201208242040.q7OKe1t1069218@freefall.freebsd.org>

>Number:         171013
>Category:       ports
>Synopsis:       [vuxml][patch] news/inn: fix plaintext command injection
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 24 20:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 10.0-CURRENT amd64

>Description:

INN developers report that version 2.5.3 fixes the plaintext command
injection after the channel was TLSized,
  http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html

>How-To-Repeat:

Look at
 - http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
 - https://www.isc.org/software/inn/2.5.3article

>Fix:

I had extracted the minimal patch from the full one that does upgrade
from 2.5.2 to 2.5.3:
  http://codelabs.ru/fbsd/ports/inn/inn-2.5.2-fix-cve-2012-3523.diff

I had checked only buildability of the patched port: see no problems.
Have no INN setup at hand to test the functionality, sorry.

If you'll take the route of adding this minimal patch, VuXML version
specification in a7975581-ee26-11e1-8bd8-0022156e8794 must be changed
from "2.5.3" to "2.5.2_2".

>Release-Note:
>Audit-Trail:
>Unformatted: