Date:      Tue, 19 May 2020 21:45:56 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r535958 - head/security/vuxml
Message-ID:  <202005200445.04K4ju6w000409@slippy.cwsent.com>
In-Reply-To: <202005192335.04JNZHn3088504@repo.freebsd.org>
References:  <202005192335.04JNZHn3088504@repo.freebsd.org>

In message <202005192335.04JNZHn3088504@repo.freebsd.org>, Sunpoet Po-Chuan Hsieh writes:
> Author: sunpoet
> Date: Tue May 19 23:35:17 2020
> New Revision: 535958
> URL: https://svnweb.freebsd.org/changeset/ports/535958
>
> Log:
>   Document rails vulnerability
>
> Modified:
>   head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> =============================================================================
> =
> --- head/security/vuxml/vuln.xml	Tue May 19 23:35:10 2020	(r53595
> 7)
> +++ head/security/vuxml/vuln.xml	Tue May 19 23:35:17 2020	(r53595
> 8)
> @@ -58,6 +58,57 @@ Notes:
>    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid="85fca718-99f6-11ea-bf1d-08002728f74c">
> +    <topic>Rails -- multiple vulnerabilities</topic>
> +    <affects>
> +      <package>
> +	<name>rubygem-actionpack52</name>
> +	<name>rubygem-actionview52</name>
> +	<name>rubygem-activestorage52</name>
> +	<name>rubygem-activesupport52</name>
> +	<range><lt>5.2.4.3</lt></range>
> +      </package>
> +      <package>
> +	<name>rubygem-actionpack60</name>
> +	<name>rubygem-actionview60</name>
> +	<name>rubygem-activestorage60</name>
> +	<name>rubygem-activesupport60</name>
> +	<range><lt>6.0.3.1</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">;
> +	<p>Ruby on Rails blog:</p>
> +	<blockquote cite="https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-
> 3-and-6-0-3-1-have-been-released/">
> +	  <p>Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These r
> eleases contain important security fixes, so please upgrade when you can.</p>

As this is displayed verbatim at www.vuxml.org, do we want the entry to say 
something like this instead?

<p>Rails 5.2.4.3 and 6.0.3.1 have been released to address the following 
CVEs:</p>

> +	  <p>Both releases contain the following fixes:</p>

And we can drop the above.

Thoughts?

> +	  <p>CVE-2020-8162: Circumvention of file size limits in ActiveStorage<
> /p>
> +	  <p>CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack</p>
> +	  <p>CVE-2020-8165: Potentially unintended unmarshalling of user-provid
> ed objects in MemCacheStore and RedisCacheStore</p>
> +	  <p>CVE-2020-8166: Ability to forge per-form CSRF tokens given a globa
> l CSRF token</p>
> +	  <p>CVE-2020-8167: CSRF Vulnerability in rails-ujs</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <url>https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-
> 1-have-been-released/</url>
> +      <url>https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3
> 946mreQ</url>
> +      <url>https://groups.google.com/forum/#!topic/rubyonrails-security/f6io
> e4sdpbY</url>
> +      <url>https://groups.google.com/forum/#!topic/rubyonrails-security/bv6f
> W4S0Y1c</url>
> +      <url>https://groups.google.com/forum/#!topic/rubyonrails-security/NOjK
> iGeXUgw</url>
> +      <url>https://groups.google.com/forum/#!topic/rubyonrails-security/x9Di
> xQDG9a0</url>
> +      <cvename>CVE-2020-8162</cvename>
> +      <cvename>CVE-2020-8164</cvename>
> +      <cvename>CVE-2020-8165</cvename>
> +      <cvename>CVE-2020-8166</cvename>
> +      <cvename>CVE-2020-8167</cvename>
> +    </references>
> +    <dates>
> +      <discovery>2020-05-18</discovery>
> +      <entry>2020-05-19</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="37d106a8-15a4-483e-8247-fcb68b16eaf8">
>      <topic>Dovecot -- Multiple vulnerabilities</topic>
>      <affects>
>
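Review bot: the description block quotes the blog's greeting verbatim ("Hi everyone! ... please upgrade when you can." and "Both releases contain the following fixes:"), which reads oddly on www.vuxml.org where the entry is shown as-is; if it is reworded to something like "Rails 5.2.4.3 and 6.0.3.1 have been released to address the following CVEs:", the text is no longer a quotation and the `cite` attribute on the `<blockquote>` should be dropped with it, while the five per-CVE `<p>` lines can stay verbatim since they come from the same post. The rest of the entry checks out: the four component gems listed per branch cover the packages the five CVEs name (ActiveStorage for CVE-2020-8162, ActionPack for CVE-2020-8164 and CVE-2020-8166, the ActiveSupport cache stores for CVE-2020-8165, rails-ujs in ActionView for CVE-2020-8167), and the `<lt>5.2.4.3</lt>` and `<lt>6.0.3.1</lt>` bounds match the fixed releases named in the post.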


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

	The need of the many outweighs the greed of the few.





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005200445.04K4ju6w000409>
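As an added example, not part of this thread and not the vuxml tooling itself: a small Ruby script that parses an entry of the shape committed above and decides whether a given FreeBSD package name/version pair falls inside its `<range>`. The embedded XML is a constructed copy of the affects/references portion of the quoted entry; the version comparator is a simplified model of pkg(8)'s ordering (port epoch after `,`, then the dotted version, then the `_` port revision) rather than its full algorithm, and it handles all five bound elements vuxml allows (`lt`, `le`, `gt`, `ge`, `eq`), not only the `<lt>` used here. Function and constant names are my own.

```ruby
require 'rexml/document'

# Constructed sample: the affects/references portion of the vuxml entry from
# the commit above, trimmed to what range matching needs.
VUXML_SAMPLE = <<~XML
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
    <vuln vid="85fca718-99f6-11ea-bf1d-08002728f74c">
      <topic>Rails -- multiple vulnerabilities</topic>
      <affects>
        <package>
          <name>rubygem-actionpack52</name>
          <name>rubygem-actionview52</name>
          <name>rubygem-activestorage52</name>
          <name>rubygem-activesupport52</name>
          <range><lt>5.2.4.3</lt></range>
        </package>
        <package>
          <name>rubygem-actionpack60</name>
          <name>rubygem-actionview60</name>
          <name>rubygem-activestorage60</name>
          <name>rubygem-activesupport60</name>
          <range><lt>6.0.3.1</lt></range>
        </package>
      </affects>
      <references>
        <cvename>CVE-2020-8162</cvename>
        <cvename>CVE-2020-8164</cvename>
        <cvename>CVE-2020-8165</cvename>
        <cvename>CVE-2020-8166</cvename>
        <cvename>CVE-2020-8167</cvename>
      </references>
    </vuln>
  </vuxml>
XML

# Simplified model of a FreeBSD package version (assumption: not pkg(8)'s
# full comparator): "5.2.4.3", "5.2.4.3_1" (port revision), "5.2.4.3_1,1"
# (port epoch). Returns [epoch, [numeric components], revision].
def parse_version(v)
  main, epoch = v.split(',', 2)
  base, rev = main.split('_', 2)
  [epoch.to_i, base.split('.').map(&:to_i), rev.to_i]
end

# <=> on two package versions: epoch first, then dotted components
# (missing components count as 0, so 6.0.3 < 6.0.3.1), then revision.
def compare_versions(a, b)
  ea, va, ra = parse_version(a)
  eb, vb, rb = parse_version(b)
  return ea <=> eb if ea != eb
  [va.size, vb.size].max.times do |i|
    c = (va[i] || 0) <=> (vb[i] || 0)
    return c if c != 0
  end
  ra <=> rb
end

# The bound elements vuxml allows inside <range>, mapped to Integer operators.
OPS = { 'lt' => :<, 'le' => :<=, 'gt' => :>, 'ge' => :>=, 'eq' => :== }.freeze

# Child elements by local name; avoids XPath so the default namespace is a non-issue.
def child_elements(el, name)
  el.elements.to_a.select { |e| e.name == name }
end

# Parse a vuxml document into plain hashes: one per <vuln>, each with its
# vid, topic, CVE names and the <package> blocks (names plus list of bounds).
def parse_vuxml(xml)
  doc = REXML::Document.new(xml)
  child_elements(doc.root, 'vuln').map do |vuln|
    refs = child_elements(vuln, 'references').first
    {
      vid: vuln.attributes['vid'],
      topic: child_elements(vuln, 'topic').first&.text,
      cves: refs ? child_elements(refs, 'cvename').map(&:text) : [],
      packages: child_elements(vuln, 'affects').flat_map do |affects|
        child_elements(affects, 'package').map do |pkg|
          {
            names: child_elements(pkg, 'name').map(&:text),
            # Each <range> is a conjunction of bounds, e.g. <ge>..</ge><lt>..</lt>.
            ranges: child_elements(pkg, 'range').map do |r|
              r.elements.to_a.map { |b| [OPS.fetch(b.name), b.text.strip] }
            end
          }
        end
      end
    }
  end
end

# True when every bound in one <range> holds for the version.
def version_in_range?(version, bounds)
  bounds.all? { |op, bound| compare_versions(version, bound).send(op, 0) }
end

# Entries whose affects block lists pkgname with a <range> that contains version.
def matching_vulns(vulns, pkgname, version)
  vulns.select do |v|
    v[:packages].any? do |pkg|
      pkg[:names].include?(pkgname) && pkg[:ranges].any? { |b| version_in_range?(version, b) }
    end
  end
end

VULNS = parse_vuxml(VUXML_SAMPLE)

# Stand-alone demo over a few constructed name/version pairs.
[['rubygem-actionpack52', '5.2.4.2'], ['rubygem-actionpack52', '5.2.4.3'],
 ['rubygem-actionpack52', '5.2.4.3_1'], ['rubygem-activesupport60', '6.0.3'],
 ['rubygem-railties60', '6.0.2']].each do |name, ver|
  hits = matching_vulns(VULNS, name, ver)
  status = hits.empty? ? 'ok' : "affected (#{hits.map { |h| h[:cves].join(', ') }.join('; ')})"
  puts "#{name}-#{ver}: #{status}"
end
```

The two cases worth noticing are `5.2.4.3_1`, which is not affected because a port revision sorts above the bare version, and `6.0.3`, which is affected because a missing trailing component compares as 0 against the `.1` of the fixed release.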