Date: Wed, 26 Sep 2018 18:09:07 +0000 (UTC) From: Niclas Zeising <zeising@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r480751 - head/security/vuxml Message-ID: <201809261809.w8QI97Kh020420@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zeising Date: Wed Sep 26 18:09:07 2018 New Revision: 480751 URL: https://svnweb.freebsd.org/changeset/ports/480751 Log: Document spamassassin - multiple vulnerabilities Document spamassassin vulnerabilities, as found in this announcement: https://seclists.org/oss-sec/2018/q3/242 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Sep 26 17:31:28 2018 (r480750) +++ head/security/vuxml/vuln.xml Wed Sep 26 18:09:07 2018 (r480751) @@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="613193a0-c1b4-11e8-ae2d-54e1ad3d6335"> + <topic>spamassassin -- multiple vulnerabilities</topic> + <affects> + <package> + <name>spamassassin</name> + <range><lt>3.4.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>the Apache Spamassassin project reports:</p> + <blockquote cite="https://seclists.org/oss-sec/2018/q3/242">; + <p>In Apache SpamAssassin, using HTML::Parser, we setup an object and + hook into the begin and end tag event handlers In both cases, the + "open" event is immediately followed by a "close" event - even if + the tag *does not* close in the HTML being parsed.</p> + <p>Because of this, we are missing the "text" event to deal with + the object normally. This can cause carefully crafted emails that + might take more scan time than expected leading to a Denial of + Service.</p> + <p>Fix a reliance on "." in @INC in one configuration script. Whether + this can be exploited in any way is uncertain.</p> + <p>Fix a potential Remote Code Execution bug with the PDFInfo plugin. + Thanks to cPanel Security Team for their report of this issue.</p> + <p> Fourth, this release fixes a local user code injection in the + meta rule syntax. Thanks again to cPanel Security Team for their + report of this issue.</p> + </blockquote> + </body> + </description> + <references> + <url>https://seclists.org/oss-sec/2018/q3/242</url>; + <cvename>CVE-2017-15705</cvename> + <cvename>CVE-2016-1238</cvename> + <cvename>CVE-2018-11780</cvename> + <cvename>CVE-2018-11781</cvename> + </references> + <dates> + <discovery>2018-09-16</discovery> + <entry>2018-09-26</entry> + </dates> + </vuln> + <vuln vid="bad59128-c188-11e8-9d40-f0def10dca57"> <topic>wesnoth -- Code Injection vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201809261809.w8QI97Kh020420>