Date: Tue, 7 Oct 2014 21:04:19 +0000 (UTC)
From: Olli Hauer <ohauer@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r370398 - branches/2014Q4/security/vuxml
Message-ID: <201410072104.s97L4JRX015619@svn.freebsd.org>
Author: ohauer
Date: Tue Oct 7 21:04:18 2014
New Revision: 370398

URL: https://svnweb.freebsd.org/changeset/ports/370398
QAT: https://qat.redports.org/buildarchive/r370398/

Log:
  MFH: r369765

  Document the latest phpMyAdmin vulnerability.
  - while here fix the '>' breakage in the rsyslogd entry.

  Security: 3e8b7f8a-49b0-11e4-b711-6805ca0b3d42

  MFH: r369772

  - Document CVE-2014-7187 fixed in bash-4.3.27_1

  MFH: r369780

  Document CVE-2014-6277 and CVE-2014-6278 for bash.

  MFH: r369783

  Fix bash entries to also mark bash-static vulnerable

  MFH: r369787

  Document Jenkins vulnerabilities

  Security: CVE-2014-3661
  Security: CVE-2014-3662
  Security: CVE-2014-3663
  Security: CVE-2014-3664
  Security: CVE-2014-3680
  Security: CVE-2014-3681
  Security: CVE-2014-3666
  Security: CVE-2014-3667
  Security: CVE-2013-2186
  Security: CVE-2014-1869
  Security: CVE-2014-3678
  Security: CVE-2014-3679

  MFH: r369790

  Fix Jenkins entry to note that XSS is an issue, not as compiler

  MFH: r369791

  Update grammar of DoS in Jenkins entry

  MFH: r369793

  Update Jenkins entry 549a2771-49cc-11e4-ae2c-c80aa9043978 to be readable.

  MFH: r369853

  - Update the rsyslog entry to reflect the new versions

  Reviewed by:	bdrewery

  MFH: r369859

  www/rt42 < 4.2.8 is vulnerable to shellshock related exploits through its SMIME integration.

  Security: 81e2b308-4a6c-11e4-b711-6805ca0b3d42

  MFH: r369863

  Fix rsyslog entry for pkgname matching

  MFH: r370209

  - document bugzilla security issues

  Approved by:	portmgr (erwin)

Modified:
  branches/2014Q4/security/vuxml/vuln.xml
Directory Properties:
  branches/2014Q4/   (props changed)

Modified: branches/2014Q4/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q4/security/vuxml/vuln.xml	Tue Oct  7 20:40:20 2014	(r370397)
+++ branches/2014Q4/security/vuxml/vuln.xml	Tue Oct  7 21:04:18 2014	(r370398)
@@ -57,11 +57,296 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="b6587341-4d88-11e4-aef9-20cf30e32f6d"> + <topic>Bugzilla multiple security issues</topic> + <affects> + <package> + <name>bugzilla44</name> + <range><lt>4.4.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Bugzilla Security Advisory</p> + <blockquote cite="http://www.bugzilla.org/security/4.0.14/"> + <h5>Unauthorized Account Creation</h5> + <p>An attacker creating a new Bugzilla account can override certain + parameters when finalizing the account creation that can lead to the + user being created with a different email address than originally + requested. The overridden login name could be automatically added + to groups based on the group's regular expression setting.</p> + <h5>Cross-Site Scripting</h5> + <p>During an audit of the Bugzilla code base, several places + were found where cross-site scripting exploits could occur which + could allow an attacker to access sensitive information.</p> + <h5>Information Leak</h5> + <p>If a new comment was marked private to the insider group, and a flag + was set in the same transaction, the comment would be visible to + flag recipients even if they were not in the insider group.</p> + <h5>Social Engineering</h5> + <p>Search results can be exported as a CSV file which can then be + imported into external spreadsheet programs. 
Specially formatted + field values can be interpreted as formulas which can be executed + and used to attack a user's computer.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2014-1572</cvename> + <cvename>CVE-2014-1573</cvename> + <cvename>CVE-2014-1571</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1074812</url> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1075578</url> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1064140</url> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1054702</url> + </references> + <dates> + <discovery>2014-10-06</discovery> + <entry>2014-10-06</entry> + </dates> + </vuln> + + <vuln vid="81e2b308-4a6c-11e4-b711-6805ca0b3d42"> + <topic>rt42 -- vulnerabilities related to shellshock</topic> + <affects> + <package> + <name>rt42</name> + <range><ge>4.2.0</ge><lt>4.2.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Best Practical reports:</p> + <blockquote cite="http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html"> + <p>RT 4.2.0 and above may be vulnerable to arbitrary + execution of code by way of CVE-2014-7169, CVE-2014-7186, + CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- + collectively known as "Shellshock." This vulnerability + requires a privileged user with access to an RT instance + running with SMIME integration enabled; it applies to both + mod_perl and fastcgi deployments. If you have already + taken upgrades to bash to resolve "Shellshock," you are + protected from this vulnerability in RT, and there is no + need to apply this patch. 
This vulnerability has been + assigned CVE-2014-7227.</p> + </blockquote> + </body> + </description> + <references> + <url>http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html</url> + <cvename>CVE-2014-7227</cvename> + </references> + <dates> + <discovery>2014-10-02</discovery> + <entry>2014-10-02</entry> + </dates> + </vuln> + + <vuln vid="549a2771-49cc-11e4-ae2c-c80aa9043978"> + <topic>jenkins -- remote execution, privilege escalation, XSS, password exposure, ACL hole, DoS</topic> + <affects> + <package> + <name>jenkins</name> + <range><lt>1.583</lt></range> + </package> + <package> + <name>jenkins-lts</name> + <range><lt>1.565.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jenkins Security Advisory:</p> + <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01"> + <h1>Description</h1> + <h5>SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI + handshake)</h5> + <p>This vulnerability allows unauthenticated users + with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on + Jenkins through thread exhaustion.</p> + + <h5>SECURITY-110/CVE-2014-3662 (User name discovery)</h5> + <p>Anonymous users can test if the user of a specific name exists or + not through login attempts.</p> + + <h5>SECURITY-127&128/CVE-2014-3663 (privilege escalation in job + configuration permission)</h5> + <p>An user with a permission limited + to Job/CONFIGURE can exploit this vulnerability to effectively + create a new job, which should have been only possible for users + with Job/CREATE permission, or to destroy jobs that he/she does not + have access otherwise.</p> + + <h5>SECURITY-131/CVE-2014-3664 (directory traversal attack)</h5> + <p>Users with Overall/READ permission can access arbitrary files in + the file system readable by the Jenkins process, resulting in the + exposure of sensitive information, such as encryption keys.</p> + 
+ <h5>SECURITY-138/CVE-2014-3680 (Password exposure in DOM)</h5> + <p>If a parameterized job has a default value in a password field, + that default value gets exposed to users with Job/READ permission. + </p> + + <h5>SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins + core)</h5> + <p>Reflected cross-site scripting vulnerability in Jenkins + core. An attacker can navigate the user to a carefully crafted URL + and have the user execute unintended actions.</p> + + <h5>SECURITY-150/CVE-2014-3666 (remote code execution from CLI)</h5> + <p>Unauthenticated user can execute arbitrary code on Jenkins master + by sending carefully crafted packets over the CLI channel.</p> + + <h5>SECURITY-155/CVE-2014-3667 (exposure of plugin code)</h5> + <p>Programs that constitute plugins can be downloaded by anyone with + the Overall/READ permission, resulting in the exposure of otherwise + sensitive information, such as hard-coded keys in plugins, if + any.</p> + + <h5>SECURITY-159/CVE-2013-2186 (arbitrary file system write)</h5> + <p>Security vulnerability in commons fileupload allows + unauthenticated attacker to upload arbitrary files to Jenkins + master.</p> + + <h5>SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in + ZeroClipboard)</h5> + <p>reflective XSS vulnerability in one of the + library dependencies of Jenkins.</p> + + <h5>SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring + plugin)</h5> <p>Monitoring plugin allows an attacker to cause a + victim into executing unwanted actions on Jenkins instance.</p> + + <h5>SECURITY-113/CVE-2014-3679 (hole in access control)</h5> + <p>Certain pages in monitoring plugin are visible to anonymous users, + allowing them to gain information that they are not supposed to. 
+ </p> + + <h1>Severity</h1> + <p>SECURITY-87 is rated <strong>medium</strong>, as it results in the + loss of functionality.</p> + + <p>SECURITY-110 is rated <strong>medium</strong>, as it results in a + limited amount of information exposure.</p> + + <p>SECURITY-127 and SECURITY-128 are rated <strong>high</strong>. The + formed can be used to further escalate privileges, and the latter + results inloss of data.</p> + + <p>SECURITY-131 and SECURITY-138 is rated <strong>critical</strong>. + This vulnerabilities results in exposure of sensitie information + and is easily exploitable.</p> + + <p>SECURITY-143 is rated <strong>high</strong>. It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.</p> + + <p>SECURITY-150 is rated <strong>critical</strong>. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance, and results in remote code + execution on Jenkins.</p> + + <p>SECURITY-155 is rated <strong>medium</strong>. This only affects + users who have installed proprietary plugins on publicly accessible + instances, which is relatively uncommon.</p> + + <p>SECURITY-159 is rated <strong>critical</strong>. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance.</p> + + <p>SECURITY-113 is rated <strong>high</strong>. 
It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.</p> + </blockquote> + </body> + </description> + <references> + <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01</url> + <cvename>CVE-2014-3661</cvename> + <cvename>CVE-2014-3662</cvename> + <cvename>CVE-2014-3663</cvename> + <cvename>CVE-2014-3664</cvename> + <cvename>CVE-2014-3680</cvename> + <cvename>CVE-2014-3681</cvename> + <cvename>CVE-2014-3666</cvename> + <cvename>CVE-2014-3667</cvename> + <cvename>CVE-2013-2186</cvename> + <cvename>CVE-2014-1869</cvename> + <cvename>CVE-2014-3678</cvename> + <cvename>CVE-2014-3679</cvename> + </references> + <dates> + <discovery>2014-10-01</discovery> + <entry>2014-10-01</entry> + </dates> + </vuln> + + <vuln vid="512d1301-49b9-11e4-ae2c-c80aa9043978"> + <topic>bash -- remote code execution</topic> + <affects> + <package> + <name>bash</name> + <name>bash-static</name> + <range><lt>4.3.25_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Note that this is different than the public "Shellshock" + issue.</p> + <p>Specially crafted environment variables could lead to remote + arbitrary code execution. 
This was fixed in bash 4.3.27, however + the port was patched with a mitigation in 4.3.25_2.</p> + </body> + </description> + <references> + <url>http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html</url> + <cvename>CVE-2014-6277</cvename> + <cvename>CVE-2014-6278</cvename> + </references> + <dates> + <discovery>2014-09-27</discovery> + <entry>2014-10-01</entry> + </dates> + </vuln> + + <vuln vid="3e8b7f8a-49b0-11e4-b711-6805ca0b3d42"> + <topic>phpMyAdmin -- XSS vulnerabilities</topic> + <affects> + <package> + <name>phpMyAdmin</name> + <range><ge>4.2.0</ge><lt>4.2.9.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The phpMyAdmin development team reports:</p> + <blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php"> + <p>With a crafted ENUM value it is possible to trigger an + XSS in table search and table structure pages. This + vulnerability can be triggered only by someone who is + logged in to phpMyAdmin, as the usual token protection + prevents non-logged-in users from accessing the required + pages.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php</url> + <cvename>CVE-2014-7217</cvename> + </references> + <dates> + <discovery>2014-10-01</discovery> + <entry>2014-10-01</entry> + </dates> + </vuln> + <vuln vid="4a4e9f88-491c-11e4-ae2c-c80aa9043978"> <topic>bash -- out-of-bounds memory access in parser</topic> <affects> <package> <name>bash</name> + <name>bash-static</name> <range><lt>4.3.27_1</lt></range> </package> </affects> 
@@ -74,11 +359,18 @@ Notes: possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.</p> </blockquote> + <blockquote cite="https://access.redhat.com/security/cve/CVE-2014-7187"> + <p>An off-by-one error was discovered in the way Bash was handling + deeply nested flow control constructs. Depending on the layout of + the .bss segment, this could allow arbitrary execution of code that + would not otherwise be executed by Bash.</p> + </blockquote> </body> </description> <references> <url>https://access.redhat.com/security/cve/CVE-2014-7186</url> <cvename>CVE-2014-7186</cvename> + <cvename>CVE-2014-7187</cvename> </references> <dates> <discovery>2014-09-25</discovery> @@ -91,18 +383,22 @@ Notes: <affects> <package> <name>rsyslog</name> - <range><lt>7.6.6</lt></range> - <range><lt>8.4.1</lt></range> + <range><lt>7.6.7</lt></range> + </package> + <package> + <name>rsyslog8</name> + <range><lt>8.4.2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>The rsyslog project reports:</p> <blockquote cite="http://www.rsyslog.com/remote-syslog-pri-vulnerability/"> - <p>potential abort when a message with PRI > 191 was processed + <p>potential abort when a message with PRI > 191 was processed if the "pri-text" property was used in active templates, this could be abused to a remote denial of service from permitted senders</p> + <p>The original fix for CVE-2014-3634 was not adequate.</p> </blockquote> </body> </description> @@ -113,6 +409,7 @@ Notes: <dates> <discovery>2014-09-30</discovery> <entry>2014-09-30</entry> + <modified>2014-10-02</modified> </dates> </vuln>
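Review bot: In the first hunk (@@ -57,11 +57,296 @@), the Jenkins heading reads `<h5>SECURITY-127&128/CVE-2014-3663 ...` with a bare ampersand; as rendered that is not well-formed XML and would break vuln.xml unless the committed bytes are `&amp;`. The rsyslog hunk further down shows the archive rendering collapsing `&gt;` and `>` to the same text, so the rendering here cannot be trusted for entities; please confirm with `make validate` in security/vuxml before the merge is considered done. Two smaller points in the same hunk: the Bugzilla entry describes four issues and cites four bugzilla.mozilla.org bugs but lists only three `<cvename>` elements (CVE-2014-1572, -1573, -1571), so either add the fourth identifier or note that the CSV/formula issue has none; and the Jenkins entry uses `SECURITY-113` for both CVE-2014-3678 and CVE-2014-3679, which looks like a copy error since every other issue carries a distinct SECURITY number. The Bugzilla `<blockquote cite>` also points at the 4.0.14 advisory while the only package range is `bugzilla44 < 4.4.6`; confirm the cited advisory is the one covering 4.4.6.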
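Review bot: In the hunk @@ -74,11 +359,18 @@, the added `<cvename>CVE-2014-7187</cvename>` has no matching `<url>` for the Red Hat page the new blockquote cites, while CVE-2014-7186 has both; add `<url>https://access.redhat.com/security/cve/CVE-2014-7187</url>` so the reference list is consistent. This entry also gains `<name>bash-static</name>` in the first hunk and a second CVE here, but no `<modified>` element is added to its `<dates>` block, whereas the rsyslog entry in the last hunk does get one; the same treatment belongs here.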
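Review bot: In the hunk @@ -91,18 +383,22 @@, the new `<p>The original fix for CVE-2014-3634 was not adequate.</p>` introduces a second, distinct problem (the incomplete fix shipped in 7.6.6/8.4.1) but the hunk adds no identifier for it; if the follow-up has its own CVE it should be added to `<references>` alongside CVE-2014-3634, otherwise the paragraph should say the fix was reissued under the same identifier. The `-`/`+` pair for `PRI > 191` renders identically here, so the only visible evidence of the `&gt;` escaping fix named in the log is the log itself; worth a glance at the raw diff. Splitting the single `rsyslog` package with two `<lt>` ranges into `rsyslog < 7.6.7` and `rsyslog8 < 8.4.2` is the right shape, since the previous form would have matched any rsyslog 7.x against the 8.4.1 bound.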
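Review bot: In the hunk @@ -113,6 +409,7 @@, the added `<modified>2014-10-02</modified>` should reflect the last of the merged rsyslog changes; the log lists both r369853 (version update) and r369863 (pkgname fix) for this entry, so confirm the date covers the later of the two rather than only the first.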