From owner-svn-ports-all@FreeBSD.ORG Thu Oct 2 01:06:44 2014
Return-Path:
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5991D940; Thu, 2 Oct 2014 01:06:44 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3A6399FE; Thu, 2 Oct 2014 01:06:44 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9216iS6028919; Thu, 2 Oct 2014 01:06:44 GMT (envelope-from bdrewery@FreeBSD.org)
Received: (from bdrewery@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9216hXE028918; Thu, 2 Oct 2014 01:06:43 GMT (envelope-from bdrewery@FreeBSD.org)
Message-Id: <201410020106.s9216hXE028918@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f
From: Bryan Drewery Date: Thu, 2 Oct 2014 01:06:43 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r369793 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 01:06:44 -0000 Author: bdrewery Date: Thu Oct 2 01:06:43 2014 New Revision: 369793 URL: https://svnweb.freebsd.org/changeset/ports/369793 QAT: https://qat.redports.org/buildarchive/r369793/ Log: Update Jenkins entry 549a2771-49cc-11e4-ae2c-c80aa9043978 to be readable. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Oct 2 01:05:56 2014 (r369792) +++ head/security/vuxml/vuln.xml Thu Oct 2 01:06:43 2014 (r369793) @@ -73,60 +73,105 @@ Notes:

Jenkins Security Advisory:

-

SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI - handshake) This vulnerability allows unauthenticated users with - access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins - through thread exhaustion. - - SECURITY-110/CVE-2014-3662 (User name discovery) Anonymous users - can test if the user of a specific name exists or not through login - attempts. - - SECURITY-127&128/CVE-2014-3663 (privilege escalation in job - configuration permission) An user with a permission limited to - Job/CONFIGURE can exploit this vulnerability to effectively create - a new job, which should have been only possible for users with - Job/CREATE permission, or to destroy jobs that he/she does not have - access otherwise. - - SECURITY-131/CVE-2014-3664 (directory traversal attack) Users with - Overall/READ permission can access arbitrary files in the file - system readable by the Jenkins process, resulting in the exposure - of sensitive information, such as encryption keys. - - SECURITY-138/CVE-2014-3680 (Password exposure in DOM) If a - parameterized job has a default value in a password field, that - default value gets exposed to users with Job/READ permission. - - SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core) - Reflected cross-site scripting vulnerability in Jenkins core. An - attacker can navigate the user to a carefully crafted URL and have - the user execute unintended actions. - - SECURITY-150/CVE-2014-3666 (remote code execution from CLI) - Unauthenticated user can execute arbitrary code on Jenkins master - by sending carefully crafted packets over the CLI channel. - - SECURITY-155/CVE-2014-3667 (exposure of plugin code) Programs that - constitute plugins can be downloaded by anyone with the - Overall/READ permission, resulting in the exposure of otherwise - sensitive information, such as hard-coded keys in plugins, if any. 
- - SECURITY-159/CVE-2013-2186 (arbitrary file system write) Security - vulnerability in commons fileupload allows unauthenticated attacker - to upload arbitrary files to Jenkins master. - - SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in ZeroClipboard) - reflective XSS vulnerability in one of the library dependencies of - Jenkins. - - SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring - plugin) Monitoring plugin allows an attacker to cause a victim into - executing unwanted actions on Jenkins instance. - - SECURITY-113/CVE-2014-3679 (hole in access control) Certain pages - in monitoring plugin are visible to anonymous users, allowing them - to gain information that they are not supposed to.

+

Description

+
SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI + handshake)
+

This vulnerability allows unauthenticated users + with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on + Jenkins through thread exhaustion.

+ +
SECURITY-110/CVE-2014-3662 (User name discovery)
+

Anonymous users can test if the user of a specific name exists or + not through login attempts.

+ +
SECURITY-127&128/CVE-2014-3663 (privilege escalation in job + configuration permission)
+

An user with a permission limited + to Job/CONFIGURE can exploit this vulnerability to effectively + create a new job, which should have been only possible for users + with Job/CREATE permission, or to destroy jobs that he/she does not + have access otherwise.

+ +
SECURITY-131/CVE-2014-3664 (directory traversal attack)
+

Users with Overall/READ permission can access arbitrary files in + the file system readable by the Jenkins process, resulting in the + exposure of sensitive information, such as encryption keys.

+ +
SECURITY-138/CVE-2014-3680 (Password exposure in DOM)
+

If a parameterized job has a default value in a password field, + that default value gets exposed to users with Job/READ permission. +

+ +
SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins + core)
+

Reflected cross-site scripting vulnerability in Jenkins + core. An attacker can navigate the user to a carefully crafted URL + and have the user execute unintended actions.

+ +
SECURITY-150/CVE-2014-3666 (remote code execution from CLI)
+

Unauthenticated user can execute arbitrary code on Jenkins master + by sending carefully crafted packets over the CLI channel.

+ +
SECURITY-155/CVE-2014-3667 (exposure of plugin code)
+

Programs that constitute plugins can be downloaded by anyone with + the Overall/READ permission, resulting in the exposure of otherwise + sensitive information, such as hard-coded keys in plugins, if + any.

+ +
SECURITY-159/CVE-2013-2186 (arbitrary file system write)
+

Security vulnerability in commons fileupload allows + unauthenticated attacker to upload arbitrary files to Jenkins + master.

+ +
SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in + ZeroClipboard)
+

reflective XSS vulnerability in one of the + library dependencies of Jenkins.

+ +
SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring + plugin)

Monitoring plugin allows an attacker to cause a + victim into executing unwanted actions on Jenkins instance.

+ +
SECURITY-113/CVE-2014-3679 (hole in access control)
+

Certain pages in monitoring plugin are visible to anonymous users, + allowing them to gain information that they are not supposed to. +

+ +

Severity

+

SECURITY-87 is rated medium, as it results in the + loss of functionality.

+ +

SECURITY-110 is rated medium, as it results in a + limited amount of information exposure.

+ +

SECURITY-127 and SECURITY-128 are rated high. The + formed can be used to further escalate privileges, and the latter + results inloss of data.

+ +

SECURITY-131 and SECURITY-138 is rated critical. + This vulnerabilities results in exposure of sensitie information + and is easily exploitable.

+ +

SECURITY-143 is rated high. It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.

+ +

SECURITY-150 is rated critical. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance, and results in remote code + execution on Jenkins.

+ +

SECURITY-155 is rated medium. This only affects + users who have installed proprietary plugins on publicly accessible + instances, which is relatively uncommon.

+ +

SECURITY-159 is rated critical. This attack can + be mounted by any unauthenticated anonymous user with HTTP + reachability to Jenkins instance.

+ +

SECURITY-113 is rated high. It is a passive + attack, but it can result in a compromise of Jenkins master or loss + of data.
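Review bot: the added Severity paragraphs carry the upstream advisory's typos over verbatim, in particular "The formed can be used to further escalate privileges" (should read "former"), "results inloss of data", and "SECURITY-131 and SECURITY-138 is rated critical. This vulnerabilities results in exposure of sensitie information" (should be "are rated", "These vulnerabilities result", "sensitive"); the Description paragraph for CVE-2014-3663 likewise keeps "An user". Since vuxml quotes vendor text inside a blockquote, either leave them exactly as the Jenkins advisory has them so the entry stays a faithful quotation, or correct all of them in one pass rather than fixing some and not others. Two smaller points in the same hunk: the SECURITY-113 identifier is attached to both CVE-2014-3678 and CVE-2014-3679, which matches the upstream advisory but reads like a copy-paste slip without a comment saying so; and the CVE-2014-3678 entry ("XSS vulnerabilities in monitoring plugin") appears to be the only one whose body is not separated from its heading the way every other item in the list is, so it is worth confirming that it has the same heading/paragraph markup as its neighbours before this is considered "readable".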