Date: Tue, 19 May 2020 21:45:56 -0700 From: Cy Schubert <Cy.Schubert@cschubert.com> To: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r535958 - head/security/vuxml Message-ID: <202005200445.04K4ju6w000409@slippy.cwsent.com> In-Reply-To: <202005192335.04JNZHn3088504@repo.freebsd.org> References: <202005192335.04JNZHn3088504@repo.freebsd.org>
In message <202005192335.04JNZHn3088504@repo.freebsd.org>, Sunpoet Po-Chuan Hsieh writes: > Author: sunpoet > Date: Tue May 19 23:35:17 2020 > New Revision: 535958 > URL: https://svnweb.freebsd.org/changeset/ports/535958 > > Log: > Document rails vulnerability > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================= > = > --- head/security/vuxml/vuln.xml Tue May 19 23:35:10 2020 (r53595 > 7) > +++ head/security/vuxml/vuln.xml Tue May 19 23:35:17 2020 (r53595 > 8) 
> @@ -58,6 +58,57 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > + <vuln vid="85fca718-99f6-11ea-bf1d-08002728f74c"> > + <topic>Rails -- multiple vulnerabilities</topic> > + <affects> > + <package> > + <name>rubygem-actionpack52</name> > + <name>rubygem-actionview52</name> > + <name>rubygem-activestorage52</name> > + <name>rubygem-activesupport52</name> > + <range><lt>5.2.4.3</lt></range> > + </package> > + <package> > + <name>rubygem-actionpack60</name> > + <name>rubygem-actionview60</name> > + <name>rubygem-activestorage60</name> > + <name>rubygem-activesupport60</name> > + <range><lt>6.0.3.1</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml"> > + <p>Ruby on Rails blog:</p> > + <blockquote cite="https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4- > 3-and-6-0-3-1-have-been-released/"> > + <p>Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These r > eleases contain important security fixes, so please upgrade when you can.</p> As this is displayed verbatim at www.vuxml.org, do we want the entry to say something like this instead? <p>Rails 5.2.4.3 and 6.0.3.1 have been released to address the following CVEs:</p> > + <p>Both releases contain the following fixes:</p> And we can drop the above. Thoughts? 
> + <p>CVE-2020-8162: Circumvention of file size limits in ActiveStorage< > /p> > + <p>CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack</p> > + <p>CVE-2020-8165: Potentially unintended unmarshalling of user-provid > ed objects in MemCacheStore and RedisCacheStore</p> > + <p>CVE-2020-8166: Ability to forge per-form CSRF tokens given a globa > l CSRF token</p> > + <p>CVE-2020-8167: CSRF Vulnerability in rails-ujs</p> > + </blockquote> > + </body> > + </description> > + <references> > + <url>https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3- > 1-have-been-released/</url> > + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3 > 946mreQ</url> > + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/f6io > e4sdpbY</url> > + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/bv6f > W4S0Y1c</url> > + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/NOjK > iGeXUgw</url> > + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/x9Di > xQDG9a0</url> > + <cvename>CVE-2020-8162</cvename> > + <cvename>CVE-2020-8164</cvename> > + <cvename>CVE-2020-8165</cvename> > + <cvename>CVE-2020-8166</cvename> > + <cvename>CVE-2020-8167</cvename> > + </references> > + <dates> > + <discovery>2020-05-18</discovery> > + <entry>2020-05-19</entry> > + </dates> > + </vuln> > + > <vuln vid="37d106a8-15a4-483e-8247-fcb68b16eaf8"> > <topic>Dovecot -- Multiple vulnerabilities</topic> > <affects> > -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org NTP: <cy@nwtime.org> Web: https://nwtime.org The need of the many outweighs the greed of the few.
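Review bot: the description's blockquote reproduces the announcement's conversational opening verbatim ("Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can." followed by "Both releases contain the following fixes:"), and since www.vuxml.org renders the body as-is, a neutral one-line lead stating that Rails 5.2.4.3 and 6.0.3.1 address the CVEs listed below would read better in an advisory; the five per-CVE `<p>` lines, the `<url>` references and the `<cvename>` entries can stay as they are. The two `<package>` blocks use `<lt>5.2.4.3</lt>` and `<lt>6.0.3.1</lt>`, which match the fixed versions named in the quoted announcement, and the `<discovery>2020-05-18</discovery>` date matches the announcement date in the cited URL, so the ranges and dates are consistent with the references.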