Date:      Wed, 22 Aug 2018 21:01:30 -0400
From:      Dan Langille <dan@langille.org>
To:        Matthew Seaman <matthew@FreeBSD.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r477823 - head/security/vuxml
Message-ID:  <704C3473-BFEA-428F-9D80-C5EB1D97045A@langille.org>
In-Reply-To: <1ffa5d29-bf88-b8bf-bf9a-773a68c50464@FreeBSD.org>
References:  <201808222032.w7MKWoW9095587@repo.freebsd.org> <6F18B320-595D-4446-AF62-CDAAEA6CE923@langille.org> <1ffa5d29-bf88-b8bf-bf9a-773a68c50464@FreeBSD.org>

> On Aug 22, 2018, at 6:05 PM, Matthew Seaman <matthew@FreeBSD.org> wrote:
>
> On 22/08/2018 22:24, Dan Langille wrote:
>>> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew@FreeBSD.org> wrote:
>>>
>>> Author: matthew
>>> Date: Wed Aug 22 20:32:50 2018
>>> New Revision: 477823
>>> URL: https://svnweb.freebsd.org/changeset/ports/477823
>>>
>>> Log:
>>> Document the latest phpMyAdmin security advisory PMASA-2018-5
>>>
>>> Modified:
>>> head/security/vuxml/vuln.xml
>>>
>>> Modified: head/security/vuxml/vuln.xml
>>> ==============================================================================
>>> --- head/security/vuxml/vuln.xml	Wed Aug 22 20:32:03 2018	(r477822)
>>> +++ head/security/vuxml/vuln.xml	Wed Aug 22 20:32:50 2018	(r477823)
>>> @@ -58,6 +58,37 @@ Notes:
>>>  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>>> -->
>>> <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">;
>>> +  <vuln vid=3D"9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
>>> +    <topic>phpmyadmin -- XSS in the import dialog</topic>
>>> +    <affects>
>>> +      <package>
>>> +	<name>phpmyadmin</name>
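Review bot: the single `<name>phpmyadmin</name>` in this `<package>` will not match any package actually built from the port: the reference data later in the thread shows PKGNAMEs of `phpMyAdmin` and `phpMyAdmin-php56`, so both the capitalisation and the PHP-flavour suffix differ from the name given here, and the entry would flag nothing. Suggest one `<name>` element per PKGNAME present in the active branches, e.g. `<name>phpMyAdmin</name>` and `<name>phpMyAdmin-php56</name>`, ahead of the `<range>`. The quoted hunk also stops after the first five of the 31 added lines that the `@@ -58,6 +58,37 @@` header announces, so the range and references cannot be checked from what is visible.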
>>
>> I am not sure this will correctly flag the affected packages.
>>
>> 1 - the package name is more like phpMyAdmin-PHP VERSION
>>
>> It was once just phpMyAdmin, which was easy for a vuxml entry.
>>
>> Recently, it changed to include PKGNAMESUFFIX=  ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
>>
>>  https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
>>
>> My idea for fixing: add name entries for:
>>
>> * phpMyAdmin
>> * phpMyAdmin-php56
>> * phpMyAdmin-php(all the other versions)
>>
>> Does this make sense?
>>
>> reference data below:
>>
>> freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
>>   package_name   |              element_pathname
>> ------------------+---------------------------------------------
>> phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
>> phpMyAdmin       | /ports/branches/2016Q4/databases/phpmyadmin
>> phpMyAdmin       | /ports/branches/2017Q1/databases/phpmyadmin
>> phpMyAdmin       | /ports/branches/2018Q1/databases/phpmyadmin
>> phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
>> (5 rows)
>
> I've updated the vuxml to list all of the PKGNAMES in the currently
> active branches in ports SVN.   Anyone running a sufficiently old copy
> of phpMyAdmin that it doesn't have a flavour suffix would already be
> getting security flags from the previous crop of PMA vulns.

FYI the only reason I noticed it was the box of Latest Vulnerabilities at https://www.freshports.org/

It led me to think an online tool for checking name and range might be useful.

--
Dan Langille - BSDCan / PGCon
dan@langille.org
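The name-and-range check Dan wishes for, written as an added example (not FreeBSD's pkg-audit and not code from this thread): it parses a constructed VuXML entry carrying the vid and topic from the commit, one `<name>` per PKGNAME as proposed in the thread, and an invented `<range>`, and shows that `phpMyAdmin-php56-4.8.2` is flagged while a lowercase `phpmyadmin` name would not be. The version ordering is a numeric-only simplification of pkg's, and exact-string name matching is an assumption about how audit tools consume these entries.

```python
"""Check an installed PKGNAME against a VuXML entry (added illustration, not
FreeBSD's pkg-audit code).  Names are compared as exact strings against the
PKGNAME stem, so a lone <name>phpmyadmin</name> never matches phpMyAdmin-php56."""
import operator
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

# Constructed sample: vid and topic are from the commit in the thread, the
# <name> list follows the fix discussed there, the <range> is invented.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
    <topic>phpmyadmin -- XSS in the import dialog</topic>
    <affects><package>
      <name>phpMyAdmin</name>
      <name>phpMyAdmin-php56</name>
      <range><lt>4.8.3</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def split_pkgname(pkgname):
    """'phpMyAdmin-php56-4.8.2_1' -> ('phpMyAdmin-php56', '4.8.2_1')."""
    stem, _, version = pkgname.rpartition("-")
    return stem, version

def version_key(version):
    """Simplified pkg ordering: PORTEPOCH (',') dominates, then the dotted
    numeric version, then PORTREVISION ('_'); assumes numeric components."""
    base, _, epoch = version.partition(",")
    base, _, rev = base.partition("_")
    return (int(epoch or 0), tuple(int(p) for p in base.split(".")), int(rev or 0))

def in_range(version, range_el):
    """True when every bound inside a <range> element holds for version."""
    key = version_key(version)
    return all(OPS[b.tag.rsplit("}", 1)[-1]](key, version_key(b.text))
               for b in range_el)

def affected_vids(vuxml_text, pkgname):
    """vids of entries naming the exact stem with a matching range; an empty
    list is what an audit tool would silently report as 'clean'."""
    stem, version = split_pkgname(pkgname)
    root = ET.fromstring(vuxml_text)
    return [vuln.get("vid") for vuln in root.findall("v:vuln", NS)
            for pkg in vuln.findall("v:affects/v:package", NS)
            if stem in {n.text for n in pkg.findall("v:name", NS)}
            and any(in_range(version, r) for r in pkg.findall("v:range", NS))]
```

Running `affected_vids(SAMPLE_VUXML, "phpmyadmin-4.8.2")` returns an empty list, which is exactly the silent miss the thread is about.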