From owner-svn-ports-head@FreeBSD.ORG Thu Oct 2 19:59:03 2014 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3AF539C0; Thu, 2 Oct 2014 19:59:03 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0D4F3982; Thu, 2 Oct 2014 19:59:03 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s92Jx2OR072091; Thu, 2 Oct 2014 19:59:02 GMT (envelope-from matthew@FreeBSD.org) Received: (from matthew@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s92Jx2IY072089; Thu, 2 Oct 2014 19:59:02 GMT (envelope-from matthew@FreeBSD.org) Message-Id: <201410021959.s92Jx2IY072089@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: matthew set sender to matthew@FreeBSD.org using -f From: Matthew Seaman Date: Thu, 2 Oct 2014 19:59:02 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r369859 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 19:59:03 -0000 Author: matthew Date: Thu Oct 2 19:59:02 2014 New Revision: 369859 URL: https://svnweb.freebsd.org/changeset/ports/369859 QAT: https://qat.redports.org/buildarchive/r369859/ Log: www/rt42 < 4.2.8 is vulnerable to shellshock related exploits through its SMIME integration. Security: 81e2b308-4a6c-11e4-b711-6805ca0b3d42 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Oct 2 19:57:26 2014 (r369858) +++ head/security/vuxml/vuln.xml Thu Oct 2 19:59:02 2014 (r369859) @@ -57,6 +57,42 @@ Notes: --> + + rt42 -- vulnerabilities related to shellshock + + + rt42 + 4.2.04.2.8 + + + + +

Best Practical reports:

+
RT 4.2.0 and above may be vulnerable to arbitrary + execution of code by way of CVE-2014-7169, CVE-2014-7186, + CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- + collectively known as "Shellshock." This vulnerability + requires a privileged user with access to an RT instance + running with SMIME integration enabled; it applies to both + mod_perl and fastcgi deployments. If you have already + taken upgrades to bash to resolve "Shellshock," you are + protected from this vulnerability in RT, and there is no + need to apply this patch. This vulnerability has been + assigned CVE-2014-7227.
+

+ + + + http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html + CVE-2014-7227 + + + 2014-10-02 + 2014-10-02 + + + jenkins -- remote execution, privilege escalation, XSS, password exposure, ACL hole, DoS