From: Dan Langille
Subject: Re: svn commit: r477823 - head/security/vuxml
Date: Wed, 22 Aug 2018 21:01:30 -0400
To: Matthew Seaman
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Message-Id: <704C3473-BFEA-428F-9D80-C5EB1D97045A@langille.org>
In-Reply-To: <1ffa5d29-bf88-b8bf-bf9a-773a68c50464@FreeBSD.org>
References: <201808222032.w7MKWoW9095587@repo.freebsd.org> <6F18B320-595D-4446-AF62-CDAAEA6CE923@langille.org> <1ffa5d29-bf88-b8bf-bf9a-773a68c50464@FreeBSD.org>
List-Id: SVN commit messages for the ports tree

> On Aug 22, 2018, at 6:05 PM, Matthew Seaman wrote:
> 
> On 22/08/2018 22:24, Dan Langille wrote:
>>> On Aug 22, 2018, at 4:32 PM, Matthew Seaman wrote:
>>> 
>>> Author: matthew
>>> Date: Wed Aug 22 20:32:50 2018
>>> New Revision: 477823
>>> URL: https://svnweb.freebsd.org/changeset/ports/477823
>>> 
>>> Log:
>>> Document the latest phpMyAdmin security advisory PMASA-2018-5
>>> 
>>> Modified:
>>> head/security/vuxml/vuln.xml
>>> 
>>> Modified: head/security/vuxml/vuln.xml
>>> ===================================================================
>>> --- head/security/vuxml/vuln.xml Wed Aug 22 20:32:03 2018 (r477822)
>>> +++ head/security/vuxml/vuln.xml Wed Aug 22 20:32:50 2018 (r477823)
>>> @@ -58,6 +58,37 @@ Notes:
>>> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>>> -->
>>> 
>>> +
>>> + phpmyadmin -- XSS in the import dialog
>>> +
>>> +
>>> + phpmyadmin
>> 
>> I am not sure this will correctly flag the affected packages.
>> 
>> 1 - the package name is more like phpMyAdmin-PHP VERSION
>> 
>> It was once just phpMyAdmin which was easy for a vuxml entry.
>> 
>> Recently, it changed to include PKGNAMESUFFIX= ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
>> 
>> https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
>> 
>> My idea for fixing: add name entries for:
>> 
>> * phpMyAdmin
>> * phpMyAdmin-php56
>> * phpMyAdmin-php(all the other versions)
>> 
>> Does this make sense?
>> 
>> reference data below:
>> 
>> freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
>>    package_name   |              element_pathname
>> ------------------+---------------------------------------------
>>  phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
>>  phpMyAdmin       | /ports/branches/2016Q4/databases/phpmyadmin
>>  phpMyAdmin       | /ports/branches/2017Q1/databases/phpmyadmin
>>  phpMyAdmin       | /ports/branches/2018Q1/databases/phpmyadmin
>>  phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
>> (5 rows)
> 
> I've updated the vuxml to list all of the PKGNAMES in the currently
> active branches in ports SVN. Anyone running a sufficiently old copy
> of phpMyAdmin that it doesn't have a flavour suffix would already be
> getting security flags from the previous crop of PMA vulns.

FYI the only reason I noticed it was the box of Latest Vulnerabilities at https://www.freshports.org/

It led me to think an online tool for checking name and range might be useful.
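Review bot: the package name added in this hunk (`+ phpmyadmin`) does not match any PKGNAME the ports tree actually produces, so the new entry would match nothing at audit time; the freshports query further down the thread shows the built packages are `phpMyAdmin` and `phpMyAdmin-php56`, and the file's own context line `* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)` describes exactly this case. Suggest listing each built PKGNAME as its own name entry (`phpMyAdmin`, `phpMyAdmin-php56`, and the other PHP-flavoured variants) rather than the lowercase port name, which is what the follow-up commit described in the reply does.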
-- 
Dan Langille - BSDCan / PGCon
dan@langille.org
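The thread's point is that a VuXML entry only protects hosts whose installed package name matches a listed name exactly, so a flavour suffix added to PKGNAME silently breaks matching. The following is an added example, not code from this thread, from the FreeBSD ports tree or from pkg: a small checker in the spirit of the "online tool for checking name and range" suggested above. It parses two constructed VuXML-style entries (placeholder vid and a placeholder fixed version 9.9.9, not the real PMASA-2018-5 record), checks a constructed installed-package list against them, and shows that the entry naming only `phpmyadmin` flags nothing while the entry listing each PKGNAME variant flags the vulnerable installs. Version ordering is a simplified stand-in for pkg's real comparison rules.

```python
"""Match installed packages against VuXML-style entries (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed entry that names only the lowercase port name.
VULN_NARROW = """<vuln vid="placeholder-vid">
  <topic>phpmyadmin -- XSS in the import dialog</topic>
  <affects>
    <package>
      <name>phpmyadmin</name>
      <range><lt>9.9.9</lt></range>
    </package>
  </affects>
</vuln>"""

# Constructed entry that lists every PKGNAME variant the tree builds.
VULN_WIDE = """<vuln vid="placeholder-vid">
  <topic>phpmyadmin -- XSS in the import dialog</topic>
  <affects>
    <package>
      <name>phpMyAdmin</name>
      <name>phpMyAdmin-php56</name>
      <name>phpMyAdmin-php72</name>
      <range><lt>9.9.9</lt></range>
    </package>
  </affects>
</vuln>"""

# Constructed "pkg info"-style list: name-version, version after the last dash.
INSTALLED = [
    "phpMyAdmin-php56-4.8.2",   # flavoured, below the placeholder fix
    "phpMyAdmin-4.8.2",         # old unflavoured name, below the fix
    "phpMyAdmin-php72-9.9.9",   # already at the placeholder fixed version
    "libxml2-2.9.8",            # unrelated package
]

# VuXML range operators: each bound element's tag names the comparison.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version):
    """Simplified ordering key: drop a PORTEPOCH suffix (',N'), split on
    '.' and '_', compare numeric parts as integers. pkg's real rules
    (letters, '+', 'pl', epochs) are richer; this is an assumption."""
    base = version.split(",")[0]
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"[._]", base)]


def split_pkg(pkg):
    """'phpMyAdmin-php56-4.8.2' -> ('phpMyAdmin-php56', '4.8.2')."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def parse_vuln(xml_text):
    """Return [(names, ranges)] per <package>; ranges are lists of
    (op, version) bounds that must all hold. For untrusted input use a
    hardened parser such as defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    entries = []
    for package in root.iter("package"):
        names = [n.text for n in package.findall("name")]
        ranges = [[(bound.tag, bound.text) for bound in rng]
                  for rng in package.findall("range")]
        entries.append((names, ranges))
    return entries


def in_range(version, bounds):
    key = version_key(version)
    return all(OPS[op](key, version_key(limit)) for op, limit in bounds)


def affected(xml_text, installed):
    """Installed packages whose exact name is listed and whose version
    falls inside at least one range of the entry."""
    hits = []
    for pkg in installed:
        name, version = split_pkg(pkg)
        for names, ranges in parse_vuln(xml_text):
            if name in names and any(in_range(version, b) for b in ranges):
                hits.append(pkg)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("narrow entry flags:", affected(VULN_NARROW, INSTALLED))
    print("wide entry flags:  ", affected(VULN_WIDE, INSTALLED))
```

The narrow entry returns an empty list for every host in the constructed inventory, which is the failure mode the thread describes: nothing is wrong with the range, the name simply never matches a real PKGNAME. The wide entry flags the two installs below the placeholder fixed version and leaves the already-updated flavour and the unrelated package alone.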