Date: Sun, 1 Dec 2013 15:10:19 +0000 (UTC) From: Olli Hauer <ohauer@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r335393 - in head: security/vuxml sysutils/monitorix Message-ID: <201312011510.rB1FAJDV082459@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ohauer Date: Sun Dec 1 15:10:18 2013 New Revision: 335393 URL: http://svnweb.freebsd.org/changeset/ports/335393 Log: - security update to 3.3.1 This is a maintenance release that fixes a serious bug in the built-in HTTP server. It was discovered that the handle_request() routine did not properly perform input sanitization which led into a number of security vulnerabilities. An unauthenticated, remote attacker could exploit this flaw to execute arbitrary commands on the remote host. All users still using older versions are advised to upgrade to this version, which resolves this issue. Approved by: crees (maintainer, per PM) Security: 620cf713-5a99-11e3-878d-20cf30e32f6d Modified: head/security/vuxml/vuln.xml head/sysutils/monitorix/Makefile head/sysutils/monitorix/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Dec 1 15:10:15 2013 (r335392) +++ head/security/vuxml/vuln.xml Sun Dec 1 15:10:18 2013 (r335393) @@ -51,6 +51,37 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="620cf713-5a99-11e3-878d-20cf30e32f6d"> + <topic>monitorix -- serious bug in the built-in HTTP server</topic> + <affects> + <package> + <name>monitorix</name> + <range><lt>3.3.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Monitorix Project reports:</p> + <blockquote cite="http://www.monitorix.org/news.html#N331">; + <p>A serious bug in the built-in HTTP server. It was discovered that the + handle_request() routine did not properly perform input sanitization + which led into a number of security vulnerabilities. An unauthenticated, + remote attacker could exploit this flaw to execute arbitrary commands on + the remote host. All users still using older versions are advised to + upgrade to this version, which resolves this issue.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.monitorix.org/news.html#N331</url>; + <url>https://github.com/mikaku/Monitorix/issues/30</url>; + </references> + <dates> + <discovery>2013-11-21</discovery> + <entry>2013-12-01</entry> + </dates> + </vuln> + <vuln vid="e3244a7b-5603-11e3-878d-20cf30e32f6d"> <topic>subversion -- multiple vulnerabilities</topic> <affects> Modified: head/sysutils/monitorix/Makefile ============================================================================== --- head/sysutils/monitorix/Makefile Sun Dec 1 15:10:15 2013 (r335392) +++ head/sysutils/monitorix/Makefile Sun Dec 1 15:10:18 2013 (r335393) @@ -1,8 +1,7 @@ -# Created by: Olli Hauer <ohauer@FreeBSD.org> # $FreeBSD$ PORTNAME= monitorix -PORTVERSION= 3.3.0 +PORTVERSION= 3.3.1 CATEGORIES= sysutils MASTER_SITES= http://www.monitorix.org/ \ http://www.monitorix.org/old_versions/ \ Modified: head/sysutils/monitorix/distinfo ============================================================================== --- head/sysutils/monitorix/distinfo Sun Dec 1 15:10:15 2013 (r335392) +++ head/sysutils/monitorix/distinfo Sun Dec 1 15:10:18 2013 (r335393) @@ -1,2 +1,2 @@ -SHA256 (monitorix-3.3.0.tar.gz) = 9578d79121034cfee94ebcdcec3a1c55fddd0ff022cdd8184d1d5109f813d29a -SIZE (monitorix-3.3.0.tar.gz) = 186782 +SHA256 (monitorix-3.3.1.tar.gz) = b308cc300bba52ba2b8a8d6e613ddac042c9a27aa6f38dbf24c7e9358a70447d +SIZE (monitorix-3.3.1.tar.gz) = 186779
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201312011510.rB1FAJDV082459>