From: Olli Hauer
Date: Tue, 7 Oct 2014 21:04:19 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r370398 - branches/2014Q4/security/vuxml

Author: ohauer
Date: Tue Oct 7 21:04:18 2014
New Revision: 370398

URL: https://svnweb.freebsd.org/changeset/ports/370398
QAT: https://qat.redports.org/buildarchive/r370398/

Log:
  MFH: r369765
  Document the latest phpMyAdmin vulnerability.
  - while here fix the '>' breakage in the rsyslogd entry.

  Security: 3e8b7f8a-49b0-11e4-b711-6805ca0b3d42

  MFH: r369772
  - Document CVE-2014-7187 fixed in bash-4.3.27_1

  MFH: r369780
  Document CVE-2014-6277 and CVE-2014-6278 for bash.

  MFH: r369783
  Fix bash entries to also mark bash-static vulnerable

  MFH: r369787
  Document Jenkins vulnerabilities

  Security: CVE-2014-3661
  Security: CVE-2014-3662
  Security: CVE-2014-3663
  Security: CVE-2014-3664
  Security: CVE-2014-3680
  Security: CVE-2014-3681
  Security: CVE-2014-3666
  Security: CVE-2014-3667
  Security: CVE-2013-2186
  Security: CVE-2014-1869
  Security: CVE-2014-3678
  Security: CVE-2014-3679

  MFH: r369790
  Fix Jenkins entry to note that XSS is an issue, not as compiler

  MFH: r369791
  Update grammar of DoS in Jenkins entry

  MFH: r369793
  Update Jenkins entry 549a2771-49cc-11e4-ae2c-c80aa9043978 to be readable.

  MFH: r369853
  - Update the rsyslog entry to reflect the new versions

  Reviewed by:	bdrewery

  MFH: r369859
  www/rt42 < 4.2.8 is vulnerable to shellshock related exploits through its SMIME integration.
  Security: 81e2b308-4a6c-11e4-b711-6805ca0b3d42

  MFH: r369863
  Fix rsyslog entry for pkgname matching

  MFH: r370209
  - document bugzilla security issues

  Approved by:	portmgr (erwin)

Modified:
  branches/2014Q4/security/vuxml/vuln.xml
Directory Properties:
  branches/2014Q4/   (props changed)

Modified: branches/2014Q4/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q4/security/vuxml/vuln.xml	Tue Oct 7 20:40:20 2014	(r370397)
+++ branches/2014Q4/security/vuxml/vuln.xml	Tue Oct 7 21:04:18 2014	(r370398)
@@ -57,11 +57,296 @@ Notes: --> + + Bugzilla multiple security issues + + + bugzilla44 + 4.4.6 + + + + +

Bugzilla Security Advisory

+
+
Unauthorized Account Creation
+

An attacker creating a new Bugzilla account can override certain + parameters when finalizing the account creation that can lead to the + user being created with a different email address than originally + requested. The overridden login name could be automatically added + to groups based on the group's regular expression setting.

+
Cross-Site Scripting
+

During an audit of the Bugzilla code base, several places + were found where cross-site scripting exploits could occur which + could allow an attacker to access sensitive information.

+
Information Leak
+

If a new comment was marked private to the insider group, and a flag + was set in the same transaction, the comment would be visible to + flag recipients even if they were not in the insider group.

+
Social Engineering
+

Search results can be exported as a CSV file which can then be + imported into external spreadsheet programs. Specially formatted + field values can be interpreted as formulas which can be executed + and used to attack a user's computer.

+
+ +
+ + CVE-2014-1572 + CVE-2014-1573 + CVE-2014-1571 + https://bugzilla.mozilla.org/show_bug.cgi?id=1074812 + https://bugzilla.mozilla.org/show_bug.cgi?id=1075578 + https://bugzilla.mozilla.org/show_bug.cgi?id=1064140 + https://bugzilla.mozilla.org/show_bug.cgi?id=1054702 + + + 2014-10-06 + 2014-10-06 + +
+ + + rt42 -- vulnerabilities related to shellshock + + + rt42 + 4.2.04.2.8 + + + + +

Best Practical reports:

+
+

RT 4.2.0 and above may be vulnerable to arbitrary + execution of code by way of CVE-2014-7169, CVE-2014-7186, + CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- + collectively known as "Shellshock." This vulnerability + requires a privileged user with access to an RT instance + running with SMIME integration enabled; it applies to both + mod_perl and fastcgi deployments. If you have already + taken upgrades to bash to resolve "Shellshock," you are + protected from this vulnerability in RT, and there is no + need to apply this patch. This vulnerability has been + assigned CVE-2014-7227.

+
+ +
+ + http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html + CVE-2014-7227 + + + 2014-10-02 + 2014-10-02 + +
+ + + jenkins -- remote execution, privilege escalation, XSS, password exposure, ACL hole, DoS + + + jenkins + 1.583 + + + jenkins-lts + 1.565.3 + + + + +

Jenkins Security Advisory:

+
+

Description

+
SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI + handshake)
+

This vulnerability allows unauthenticated users + with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on + Jenkins through thread exhaustion.

+ +
SECURITY-110/CVE-2014-3662 (User name discovery)
+

Anonymous users can test if the user of a specific name exists or + not through login attempts.

+ +
SECURITY-127&128/CVE-2014-3663 (privilege escalation in job + configuration permission)
+

An user with a permission limited + to Job/CONFIGURE can exploit this vulnerability to effectively + create a new job, which should have been only possible for users + with Job/CREATE permission, or to destroy jobs that he/she does not + have access otherwise.

+ +
SECURITY-131/CVE-2014-3664 (directory traversal attack)
+

Users with Overall/READ permission can access arbitrary files in + the file system readable by the Jenkins process, resulting in the + exposure of sensitive information, such as encryption keys.

+ +
SECURITY-138/CVE-2014-3680 (Password exposure in DOM)
+

If a parameterized job has a default value in a password field, + that default value gets exposed to users with Job/READ permission. +

+ +
SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins + core)
+

Reflected cross-site scripting vulnerability in Jenkins + core. An attacker can navigate the user to a carefully crafted URL + and have the user execute unintended actions.

+ +
SECURITY-150/CVE-2014-3666 (remote code execution from CLI)
+

Unauthenticated user can execute arbitrary code on Jenkins master + by sending carefully crafted packets over the CLI channel.

+ +
SECURITY-155/CVE-2014-3667 (exposure of plugin code)
+

Programs that constitute plugins can be downloaded by anyone with + the Overall/READ permission, resulting in the exposure of otherwise + sensitive information, such as hard-coded keys in plugins, if + any.

+ +
SECURITY-159/CVE-2013-2186 (arbitrary file system write)
+

Security vulnerability in commons fileupload allows + unauthenticated attacker to upload arbitrary files to Jenkins + master.

+ +
SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in + ZeroClipboard)
+

reflective XSS vulnerability in one of the + library dependencies of Jenkins.

+ +
SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring + plugin)

Monitoring plugin allows an attacker to cause a + victim into executing unwanted actions on Jenkins instance.

+ +
SECURITY-113/CVE-2014-3679 (hole in access control)
+

Certain pages in monitoring plugin are visible to anonymous users, + allowing them to gain information that they are not supposed to. +

+ +

Severity

+

SECURITY-87 is rated medium, as it results in the + loss of functionality.

+ +

SECURITY-110 is rated medium, as it results in a + limited amount of information exposure.

+ +

SECURITY-127 and SECURITY-128 are rated high. The + formed can be used to further escalate privileges, and the latter + results inloss of data.

+ +

SECURITY-131 and SECURITY-138 is rated critical. + This vulnerabilities results in exposure of sensitie information + and is easily exploitable.

+ +

SECURITY-143 is rated high. It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.

+ +

SECURITY-150 is rated critical. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance, and results in remote code + execution on Jenkins.

+ +

SECURITY-155 is rated medium. This only affects + users who have installed proprietary plugins on publicly accessible + instances, which is relatively uncommon.

+ +

SECURITY-159 is rated critical. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance.

+ +

SECURITY-113 is rated high. It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.

+
+ +
+ + https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 + CVE-2014-3661 + CVE-2014-3662 + CVE-2014-3663 + CVE-2014-3664 + CVE-2014-3680 + CVE-2014-3681 + CVE-2014-3666 + CVE-2014-3667 + CVE-2013-2186 + CVE-2014-1869 + CVE-2014-3678 + CVE-2014-3679 + + + 2014-10-01 + 2014-10-01 + +
+ + + bash -- remote code execution + + + bash + bash-static + 4.3.25_2 + + + + +

Note that this is different than the public "Shellshock" + issue.

+

Specially crafted environment variables could lead to remote + arbitrary code execution. This was fixed in bash 4.3.27, however + the port was patched with a mitigation in 4.3.25_2.

+ +
+ + http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html + CVE-2014-6277 + CVE-2014-6278 + + + 2014-09-27 + 2014-10-01 + +
+ + + phpMyAdmin -- XSS vulnerabilities + + + phpMyAdmin + 4.2.04.2.9.1 + + + + +

The phpMyAdmin development team reports:

+
+

With a crafted ENUM value it is possible to trigger an + XSS in table search and table structure pages. This + vulnerability can be triggered only by someone who is + logged in to phpMyAdmin, as the usual token protection + prevents non-logged-in users from accessing the required + pages.

+
+ +
+ + http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php + CVE-2014-7217 + + + 2014-10-01 + 2014-10-01 + +
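Review bot: In the Jenkins entry of this first hunk (@@ -57,11 +57,296 @@), the quoted Severity paragraphs carry the upstream advisory's typos verbatim ("The formed can be used", "results inloss of data", "SECURITY-131 and SECURITY-138 is rated critical. This vulnerabilities results in exposure of sensitie information"); since the commit log for r369793 says the entry was reworked "to be readable", either keep the block as an exact quotation or correct those four spots, but not a mix. The two monitoring-plugin headings both read "SECURITY-113" while pointing at different CVEs (CVE-2014-3678 and CVE-2014-3679); confirm against the linked advisory that this is not a copy-paste of the first heading. The new bash entry for CVE-2014-6277/CVE-2014-6278 lists bash and bash-static with the same "4.3.25_2" bound, which matches MFH r369783.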
+ bash -- out-of-bounds memory access in parser bash + bash-static 4.3.27_1 @@ -74,11 +359,18 @@ Notes: possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.

+
+

An off-by-one error was discovered in the way Bash was handling + deeply nested flow control constructs. Depending on the layout of + the .bss segment, this could allow arbitrary execution of code that + would not otherwise be executed by Bash.

+
https://access.redhat.com/security/cve/CVE-2014-7186 CVE-2014-7186 + CVE-2014-7187 2014-09-25 @@ -91,18 +383,22 @@ Notes: rsyslog - 7.6.6 - 8.4.1 + 7.6.7 + + + rsyslog8 + 8.4.2

The rsyslog project reports:

-

potential abort when a message with PRI > 191 was processed +

potential abort when a message with PRI > 191 was processed if the "pri-text" property was used in active templates, this could be abused to a remote denial of service from permitted senders

+

The original fix for CVE-2014-3634 was not adequate.

@@ -113,6 +409,7 @@ Notes: 2014-09-30 2014-09-30 + 2014-10-02
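Review bot: In the second hunk (@@ -74,11 +359,18 @@), the added quoted paragraph describes the off-by-one in deeply nested flow control, i.e. the CVE-2014-7187 issue the log documents, but the only URL reference in the entry remains the Red Hat page for CVE-2014-7186; the added line is just the bare "+ CVE-2014-7187" identifier, so add the corresponding Red Hat page for CVE-2014-7187 beside it. This entry also gains bash-static and new descriptive text without a bumped modified date, whereas the rsyslog entry in the last hunk gets "+ 2014-10-02"; the bash entry should get the same treatment.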
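Review bot: In the third hunk (@@ -91,18 +383,22 @@), the "-" and "+" lines for "potential abort when a message with PRI > 191 was processed" are identical in this rendering because the change is the escaping of '>' that the log calls "the '>' breakage"; that is expected, but the added sentence "The original fix for CVE-2014-3634 was not adequate." is the substantive change and has no reference of its own, so if the rsyslog project or a CNA issued a separate identifier for the incomplete fix, add it to the references rather than leaving CVE-2014-3634 as the only id. Splitting the single package block into rsyslog < 7.6.7 and rsyslog8 < 8.4.2 matches the log's "Fix rsyslog entry for pkgname matching".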
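Review bot: In the fourth hunk (@@ -113,6 +409,7 @@), the added "2014-10-02" after the two "2014-09-30" values is the entry's modified date and is required by the range changes in the preceding hunk; before MFH, running the vuxml validation target in security/vuxml confirms the new element sits in the dates block and not after it.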