Date:      Wed, 6 Mar 2019 07:31:17 +0000 (UTC)
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r494780 - head/security/vuxml
Message-ID:  <201903060731.x267VHrJ058333@repo.freebsd.org>

Author: matthew
Date: Wed Mar  6 07:31:17 2019
New Revision: 494780
URL: https://svnweb.freebsd.org/changeset/ports/494780

Log:
  Document a jQuery-related XSS security fix in rt4.4.4 and rt4.2.16
  
  Note: the release notes also mention 3 other security issues in perl
  modules depended on by these packages.  Of those, vulnerabilities in
  the Email::Address and Email::Address::List perl modules have already
  been addressed in their respective ports, while the third, HTML::Gumbo,
  is not currently in the ports at all.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Mar  6 06:55:59 2019	(r494779)
+++ head/security/vuxml/vuln.xml	Wed Mar  6 07:31:17 2019	(r494780)
@@ -58,6 +58,46 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42">
+    <topic>rt -- XSS via jQuery</topic>
+    <affects>
+      <package>
+	<name>rt42</name>
+	<range><ge>4.2.0</ge><lt>4.2.16</lt></range>
+      </package>
+      <package>
+	<name>rt44</name>
+	<range><ge>4.4.0</ge><lt>4.4.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>BestPractical reports:</p>
+	<blockquote cite="https://docs.bestpractical.com/release-notes/rt/4.4.4">;
+
+	  <p>The version of jQuery used in RT 4.2 and 4.4 has a
+	    Cross-site Scripting (XSS) vulnerability when using
+	    cross-domain Ajax requests. This vulnerability is assigned
+	    <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251">CVE-2015-9251</a>. RT
+	    does not use this jQuery feature so it is not directly
+	    vulnerable. jQuery version 1.12 no longer receives official
+	    updates, however a fix was posted with recommendations for
+	    applications to patch locally, so RT will follow this
+	    recommendation and ship with a patched version.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://docs.bestpractical.com/release-notes/rt/4.4.4</url>;
+      <url>https://docs.bestpractical.com/release-notes/rt/4.2.16</url>;
+      <cvename>CVE-2015-9251</cvename>
+    </references>
+    <dates>
+      <discovery>2019-03-05</discovery>
+      <entry>2019-03-06</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="526d9642-3ae7-11e9-a669-8c164582fbac">
     <topic>slixmpp -- improper access control</topic>
     <affects>
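Review bot: the `<topic>` at the head of this hunk, "rt -- XSS via jQuery", reads as though RT itself is exploitable, yet the quoted vendor text further down states that RT "does not use this jQuery feature so it is not directly vulnerable"; a topic along the lines of "rt -- bundled jQuery XSS (CVE-2015-9251)" would tell readers of the vuln.xml feed at a glance that this entry records a shipped-component update rather than an RT-specific hole. The `<discovery>` date of 2019-03-05 is the date RT shipped its patched jQuery copy, not the date the upstream issue became public (the same quoted text says the jQuery fix had already been posted), so if the entry is meant to record first public disclosure that date belongs earlier. The `<ge>4.2.0</ge>` and `<ge>4.4.0</ge>` lower bounds in the two `<range>` elements add nothing, since the rt42 and rt44 ports carry no releases below those versions; a bare `<lt>` would express the same affected set, though the bounds are harmless as written.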
