Date: Sat, 29 Oct 2016 01:33:53 -0700 From: Cy Schubert <Cy.Schubert@komquats.com> To: Mark Felder <feld@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r424859 - head/security/vuxml Message-ID: <201610290833.u9T8Xrk0004816@slippy.cwsent.com> In-Reply-To: Message from Mark Felder <feld@FreeBSD.org> of "Fri, 28 Oct 2016 15:34:17 -0000." <201610281534.u9SFYHfg000507@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <201610281534.u9SFYHfg000507@repo.freebsd.org>, Mark Felder writes: > Author: feld > Date: Fri Oct 28 15:34:17 2016 > New Revision: 424859 > URL: https://svnweb.freebsd.org/changeset/ports/424859 > > Log: > Document sudo vulnerability > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================= > = > --- head/security/vuxml/vuln.xml Fri Oct 28 15:08:14 2016 (r42485 > 8) > +++ head/security/vuxml/vuln.xml Fri Oct 28 15:34:17 2016 (r42485 > 9) > @@ -58,6 +58,35 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; > + <vuln vid="2e4fbc9a-9d23-11e6-a298-14dae9d210b8"> > + <topic>sudo -- Potential bypass of sudo_noexec.so via wordexp()</topic> > + <affects> > + <package> > + <name>sudo</name> > + <range><ge>1.6.8</ge><lt>1.8.18p1</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml">; > + <p>Todd C. Miller reports:</p> > + <blockquote cite="https://www.sudo.ws/alerts/noexec_wordexp.html">; > + <p>A flaw exists in sudo's noexec functionality that may allow > + a user with sudo privileges to run additional commands even when th > e > + NOEXEC tag has been applied to a command that uses the wordexp() > + function.</p> > + </blockquote> > + </body> > + </description> > + <references> > + <url>https://www.sudo.ws/alerts/noexec_wordexp.html</url>; > + <cvename>CVE-2016-7076</cvename> > + </references> > + <dates> > + <discovery>2016-10-28</discovery> > + <entry>2016-10-28</entry> > + </dates> > + </vuln> > + > <vuln vid="ac18046c-9b08-11e6-8011-005056925db4"> > <topic>Axis2 -- Security vulnerabilities on dependency Apache HttpClient > </topic> > <affects> > > Thanks. -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610290833.u9T8Xrk0004816>