Date: Thu, 4 Jul 2024 01:22:31 GMT From: Philip Paeps <philip@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 7ef5fde86867 - main - security/vuxml: document www/rt50 vulnerability Message-ID: <202407040122.4641MVpv069571@gitrepo.freebsd.org>
The branch main has been updated by philip: URL: https://cgit.FreeBSD.org/ports/commit/?id=7ef5fde868674d353ee235c184a44e608bda733a commit 7ef5fde868674d353ee235c184a44e608bda733a Author: Philip Paeps <philip@FreeBSD.org> AuthorDate: 2024-07-04 01:20:50 +0000 Commit: Philip Paeps <philip@FreeBSD.org> CommitDate: 2024-07-04 01:21:48 +0000 security/vuxml: document www/rt50 vulnerability Obtained from: https://github.com/bestpractical/rt/releases/tag/rt-5.0.6 Reported by: Dan Mahoney <dmahoney@isc.org> --- security/vuxml/vuln/2024.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 5346463db642..5d8634f07714 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,32 @@ + <vuln vid="51498ee4-39a1-11ef-b609-002590c1f29c"> + <topic>Request Tracker -- information exposure vulnerability</topic> + <affects> + <package> + <name>rt50</name> + <range><lt>5.0.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Request Tracker reports:</p> + <p>CVE-2024-3262 describes previously viewed pages being stored in the + browser cache, which is the typical default behavior of most browsers to + enable the "back" button. Someone who gains access to a host computer could + potentially view ticket data using the back button, even after logging out + of RT. The CVE specifically references RT version 4.4.1, but this behavior + is present in most browsers viewing all versions of RT before 5.0.6.</p> + </body> + </description> + <references> + <cvename>CVE-2024-3262</cvename> + <url>https://github.com/advisories/GHSA-6426-p644-ffcf</url> + </references> + <dates> + <discovery>2024-04-04</discovery> + <entry>2024-07-04</entry> + </dates> + </vuln> + <vuln vid="b0374722-3912-11ef-a77e-901b0e9408dc"> <topic>go -- net/http: denial of service due to improper 100-continue handling</topic> <affects>
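Review bot: the `<affects>` block lists only the `rt50` package, yet the quoted description states that the cache-exposure behaviour "is present in most browsers viewing all versions of RT before 5.0.6" and that the CVE itself references RT 4.4.1. If the ports tree still carries an older Request Tracker port alongside www/rt50, that package name should be added under `<affects>` too, so that `pkg audit` flags it; if no such port exists, a short note in the commit message saying so would save the next reader the check. One further detail for the entry: since the fix in 5.0.6 is about cache-control headers rather than a server-side hole, the `<topic>` wording "information exposure vulnerability" is accurate, but the GHSA reference shown is the only pointer to the actual change, so linking the release notes URL given under "Obtained from:" in `<references>` as well would make the fix easier to locate.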