Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 22 Aug 2018 23:05:53 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        Dan Langille <dan@langille.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r477823 - head/security/vuxml
Message-ID:  <1ffa5d29-bf88-b8bf-bf9a-773a68c50464@FreeBSD.org>
In-Reply-To: <6F18B320-595D-4446-AF62-CDAAEA6CE923@langille.org>
References:  <201808222032.w7MKWoW9095587@repo.freebsd.org> <6F18B320-595D-4446-AF62-CDAAEA6CE923@langille.org>

On 22/08/2018 22:24, Dan Langille wrote:
>> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew@FreeBSD.org> wrote:
>>
>> Author: matthew
>> Date: Wed Aug 22 20:32:50 2018
>> New Revision: 477823
>> URL: https://svnweb.freebsd.org/changeset/ports/477823
>>
>> Log:
>>  Document the latest phpMyAdmin security advisory PMASA-2018-5
>>
>> Modified:
>>  head/security/vuxml/vuln.xml
>>
>> Modified: head/security/vuxml/vuln.xml
>> ==============================================================================
>> --- head/security/vuxml/vuln.xml	Wed Aug 22 20:32:03 2018	(r477822)
>> +++ head/security/vuxml/vuln.xml	Wed Aug 22 20:32:50 2018	(r477823)
>> @@ -58,6 +58,37 @@ Notes:
>>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>> -->
>> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
>> +  <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
>> +    <topic>phpmyadmin -- XSS in the import dialog</topic>
>> +    <affects>
>> +      <package>
>> +	<name>phpmyadmin</name>
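Review bot: the single `<name>phpmyadmin</name>` in this `<package>` will not match installations built from the flavoured port, which the freshports query quoted below shows is packaged as `phpMyAdmin-php56` on head and 2018Q2 while the older branches still produce `phpMyAdmin`; pkg audit matches on the installed PKGNAME, so the entry needs one `<name>` element per PKGNAME in the active branches (`phpMyAdmin`, `phpMyAdmin-php56` and the other PHP flavour suffixes) inside the same `<package>`, as the reply proposes. The hunk is cut off right after `<name>`, so the `<range>` bounds for this entry cannot be checked here.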
>
> I am not sure this will correctly flag the affected packages.
>
> 1 - the package name is more like phpMyAdmin-PHP VERSION
>
> It was once just phpMyAdmin which was easy for a vuxml entry.
>
> Recently, it changed to include PKGNAMESUFFIX=  ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
>
>   https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
>
> My idea for fixing: add name entries for:
>
> * phpMyAdmin
> * phpMyAdmin-php56
> * phpMyAdmin-php(all the other versions)
>
> Does this make sense?
>
> reference data below:
>
> freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
>    package_name   |              element_pathname
> ------------------+---------------------------------------------
>  phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2016Q4/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2017Q1/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2018Q1/databases/phpmyadmin
>  phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
> (5 rows)

I've updated the vuxml to list all of the PKGNAMES in the currently
active branches in ports SVN. Anyone running a sufficiently old copy
of phpMyAdmin that it doesn't have a flavour suffix would already be
getting security flags from the previous crop of PMA vulns.

	Cheers,

	Matthew
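A way to check the problem discussed in this thread before committing a VuXML entry, written as an added example (not code from the thread, from vuxml or from pkg): it parses a VuXML fragment and simulates pkg audit's matching, where an installed package is flagged only if its PKGNAME equals one of the `<name>` entries exactly and its version falls within a `<range>`. The vid is the one from r477823; the `<range>` bound, the installed-package list and the `phpMyAdmin-php72` flavour name are constructed for the example, and the version ordering is a deliberate simplification of pkg's real comparison.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Two constructed variants of the r477823 entry (the vid is the one from the
# commit; the <range> bound 4.8.3 is a placeholder, not taken from the thread).
# NARROW names only the pre-flavour PKGNAME; FULL lists one <name> per PKGNAME.
# phpMyAdmin-php72 is an assumed extra flavour standing in for "all the other
# versions" in Dan's list.
NARROW = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
    <topic>phpmyadmin -- XSS in the import dialog</topic>
    <affects>
      <package>
        <name>phpMyAdmin</name>
        <range><lt>4.8.3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

FULL = NARROW.replace(
    "<name>phpMyAdmin</name>",
    "<name>phpMyAdmin</name>\n        <name>phpMyAdmin-php56</name>\n"
    "        <name>phpMyAdmin-php72</name>",
)

# Constructed "installed packages" as (PKGNAME, version) pairs, the shape
# you would get from `pkg query '%n %v'`.
INSTALLED = [
    ("phpMyAdmin", "4.7.9"),        # old, unflavoured package
    ("phpMyAdmin-php56", "4.8.2"),  # flavoured, still below the fix
    ("phpMyAdmin-php72", "4.8.3"),  # flavoured, already at the fixed version
]


def version_key(v):
    """Simplified version ordering: dotted numeric components compare as
    integers, anything else as text.  A stand-in for pkg's real comparison,
    which also handles PORTREVISION (_N), PORTEPOCH (,N) and letter suffixes."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def in_range(version, rng):
    """True when `version` satisfies every bound inside one <range> element."""
    v = version_key(version)
    checks = {
        "lt": lambda b: v < b, "le": lambda b: v <= b,
        "gt": lambda b: v > b, "ge": lambda b: v >= b,
        "eq": lambda b: v == b,
    }
    for bound in rng:
        op = bound.tag.replace(NS, "")
        if op in checks and not checks[op](version_key(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, installed):
    """Mimic pkg audit's matching: a package is flagged by a <vuln> only if its
    PKGNAME equals one of the <name> entries exactly AND its version falls in
    one of the <range>s.  Returns {(name, version): [vid, ...]}."""
    root = ET.fromstring(vuxml_text)
    hits = {}
    for vuln in root.findall(f"{NS}vuln"):
        vid = vuln.get("vid")
        for pkg in vuln.findall(f"{NS}affects/{NS}package"):
            names = {n.text.strip() for n in pkg.findall(f"{NS}name")}
            ranges = pkg.findall(f"{NS}range")
            for name, version in installed:
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.setdefault((name, version), []).append(vid)
    return hits


if __name__ == "__main__":
    # With NARROW the vulnerable phpMyAdmin-php56 4.8.2 is silently missed;
    # with FULL it is flagged and the already-fixed php72 package is not.
    for label, doc in (("narrow", NARROW), ("full", FULL)):
        print(label, sorted(audit(doc, INSTALLED)))
```

The useful habit this encodes is to run the candidate entry against the PKGNAMEs the port actually produces on every active branch (the freshports query in the thread is one way to enumerate them) rather than against the port directory name, since a name that is spelled differently or lacks the flavour suffix produces no audit hit at all rather than an error.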