Message-Id: <201610290833.u9T8Xrk0004816@slippy.cwsent.com>
From: Cy Schubert
X-URL: http://www.cschubert.com/
To: Mark Felder
cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r424859 - head/security/vuxml
In-Reply-To: Message from Mark Felder of "Fri, 28 Oct 2016 15:34:17 -0000." <201610281534.u9SFYHfg000507@repo.freebsd.org>
Date: Sat, 29 Oct 2016 01:33:53 -0700

In message <201610281534.u9SFYHfg000507@repo.freebsd.org>, Mark Felder writes: > Author: feld > Date: Fri Oct 28 15:34:17 2016 > New Revision: 424859 > URL: https://svnweb.freebsd.org/changeset/ports/424859 > > Log: > Document sudo vulnerability > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================= > = > --- head/security/vuxml/vuln.xml Fri Oct 28 15:08:14 2016 (r42485 > 8) > +++ head/security/vuxml/vuln.xml Fri Oct 28 15:34:17 2016 (r42485 > 9) > @@ -58,6 +58,35 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > > + > + sudo -- Potential bypass of sudo_noexec.so via wordexp() > + > + > + sudo > + 1.6.81.8.18p1 > + > + > + > + > +

Todd C. Miller reports:

> +
> +

A flaw exists in sudo's noexec functionality that may allow > + a user with sudo privileges to run additional commands even when th > e > + NOEXEC tag has been applied to a command that uses the wordexp() > + function.

> +
> + > +
> + > + https://www.sudo.ws/alerts/noexec_wordexp.html > + CVE-2016-7076 > + > + > + 2016-10-28 > + 2016-10-28 > + > +
> + > > Axis2 -- Security vulnerabilities on dependency Apache HttpClient > > > >

Thanks.

-- 
Cheers, Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
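Review bot: the affected-version range in the new sudo entry appears in this quoted copy as the single token "1.6.81.8.18p1", so the boundary between the lower bound (1.6.8) and the upper bound (1.8.18p1) cannot be checked from the quote itself; in the committed vuln.xml confirm the two values sit in separate <ge> and <lt> elements (the range elements vuxml uses, assumed here from the schema rather than read from the quoted lines) and that 1.8.18p1 is the first sudo release carrying the fix, since pkg audit treats every version below <lt> as vulnerable. The vid attribute of the entry and the result of a make validate run in security/vuxml are likewise not visible in the quoted hunk and are worth confirming before the entry goes live.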