From: Olli Hauer
Date: Sun, 1 Dec 2013 15:10:19 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r335393 - in head: security/vuxml sysutils/monitorix

Author: ohauer
Date: Sun Dec 1 15:10:18 2013
New Revision: 335393
URL: http://svnweb.freebsd.org/changeset/ports/335393

Log:
  - security update to 3.3.1

  This is a maintenance release that fixes a serious bug in the built-in
  HTTP server. It was discovered that the handle_request() routine did not
  properly perform input sanitization which led into a number of security
  vulnerabilities. An unauthenticated, remote attacker could exploit this
  flaw to execute arbitrary commands on the remote host. All users still
  using older versions are advised to upgrade to this version, which
  resolves this issue.

  Approved by: crees (maintainer, per PM)
  Security: 620cf713-5a99-11e3-878d-20cf30e32f6d

Modified:
  head/security/vuxml/vuln.xml
  head/sysutils/monitorix/Makefile
  head/sysutils/monitorix/distinfo

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Dec 1 15:10:15 2013 (r335392) +++ head/security/vuxml/vuln.xml Sun Dec 1 15:10:18 2013 (r335393) @@ -51,6 +51,37 @@ Note: Please add new entries to the beg --> + + monitorix -- serious bug in the built-in HTTP server + + + monitorix + 3.3.1 + + + + +

Monitorix Project reports:

+
+

A serious bug in the built-in HTTP server. It was discovered that the + handle_request() routine did not properly perform input sanitization + which led into a number of security vulnerabilities. An unauthenticated, + remote attacker could exploit this flaw to execute arbitrary commands on + the remote host. All users still using older versions are advised to + upgrade to this version, which resolves this issue.

+
+ +
+ + http://www.monitorix.org/news.html#N331 + https://github.com/mikaku/Monitorix/issues/30 + + + 2013-11-21 + 2013-12-01 + +
+ subversion -- multiple vulnerabilities Modified: head/sysutils/monitorix/Makefile ============================================================================== --- head/sysutils/monitorix/Makefile Sun Dec 1 15:10:15 2013 (r335392) +++ head/sysutils/monitorix/Makefile Sun Dec 1 15:10:18 2013 (r335393) @@ -1,8 +1,7 @@ -# Created by: Olli Hauer # $FreeBSD$ PORTNAME= monitorix -PORTVERSION= 3.3.0 +PORTVERSION= 3.3.1 CATEGORIES= sysutils MASTER_SITES= http://www.monitorix.org/ \ http://www.monitorix.org/old_versions/ \ Modified: head/sysutils/monitorix/distinfo ============================================================================== --- head/sysutils/monitorix/distinfo Sun Dec 1 15:10:15 2013 (r335392) +++ head/sysutils/monitorix/distinfo Sun Dec 1 15:10:18 2013 (r335393) @@ -1,2 +1,2 @@ -SHA256 (monitorix-3.3.0.tar.gz) = 9578d79121034cfee94ebcdcec3a1c55fddd0ff022cdd8184d1d5109f813d29a -SIZE (monitorix-3.3.0.tar.gz) = 186782 +SHA256 (monitorix-3.3.1.tar.gz) = b308cc300bba52ba2b8a8d6e613ddac042c9a27aa6f38dbf24c7e9358a70447d +SIZE (monitorix-3.3.1.tar.gz) = 186779
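
Review bot: In the head/security/vuxml/vuln.xml hunk, the entry topic "monitorix -- serious bug in the built-in HTTP server" does not name the impact, while the description in the same entry says an unauthenticated, remote attacker can execute arbitrary commands. A topic that states this (for example "monitorix -- remote command execution in the built-in HTTP server") lets readers of audit output judge severity from the title alone. The references list only the two upstream URLs; if a CVE identifier has been assigned for this issue, add it alongside them.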
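
Review bot: In the head/sysutils/monitorix/Makefile hunk, the removal of the "# Created by: Olli Hauer" line rides along with the PORTVERSION change from 3.3.0 to 3.3.1 but is not mentioned in the commit log. Either note it in the log or commit it separately, so that the security update stays a minimal change that is easy to review and to back out.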
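
Review bot: In the head/sysutils/monitorix/distinfo hunk, the new SHA256 and SIZE values are the only integrity check on monitorix-3.3.1.tar.gz, and the MASTER_SITES shown in the Makefile hunk are plain http:// URLs. For a security update it is worth stating in the log how the distfile was obtained and checked (for example against a checksum or signature published by upstream), since the recorded hash is only as trustworthy as the copy it was computed from.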