From: Cy Schubert <Cy.Schubert@cschubert.com>
Reply-to: Cy Schubert
To: Sunpoet Po-Chuan Hsieh
cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r535958 - head/security/vuxml
In-reply-to: <202005192335.04JNZHn3088504@repo.freebsd.org>
References: <202005192335.04JNZHn3088504@repo.freebsd.org>
Date: Tue, 19 May 2020 21:45:56 -0700
Message-Id: <202005200445.04K4ju6w000409@slippy.cwsent.com>
List-Id: SVN commit messages for the ports tree

In message <202005192335.04JNZHn3088504@repo.freebsd.org>, Sunpoet Po-Chuan Hsieh writes:
> Author: sunpoet
> Date: Tue May 19 23:35:17 2020
> New Revision: 535958
> URL: https://svnweb.freebsd.org/changeset/ports/535958
>
> Log:
>   Document rails vulnerability
>
> Modified:
>   head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml > ============================================================================= > = > --- head/security/vuxml/vuln.xml Tue May 19 23:35:10 2020 (r53595 > 7) > +++ head/security/vuxml/vuln.xml Tue May 19 23:35:17 2020 (r53595 > 8) > @@ -58,6 +58,57 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > > + > + Rails -- multiple vulnerabilities > + > + > + rubygem-actionpack52 > + rubygem-actionview52 > + rubygem-activestorage52 > + rubygem-activesupport52 > + 5.2.4.3 > + > + > + rubygem-actionpack60 > + rubygem-actionview60 > + rubygem-activestorage60 > + rubygem-activesupport60 > + 6.0.3.1 > + > + > + > + > +

Ruby on Rails blog:

> +
> +

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These r > eleases contain important security fixes, so please upgrade when you can.

As this is displayed verbatim at www.vuxml.org, do we want the entry to say something like this instead?

Rails 5.2.4.3 and 6.0.3.1 have been released to address the following CVEs:

> +

Both releases contain the following fixes:

And we can drop the above. Thoughts? > +

CVE-2020-8162: Circumvention of file size limits in ActiveStorage< > /p> > +

CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack

> +

CVE-2020-8165: Potentially unintended unmarshalling of user-provid > ed objects in MemCacheStore and RedisCacheStore

> +

CVE-2020-8166: Ability to forge per-form CSRF tokens given a globa > l CSRF token

> +

CVE-2020-8167: CSRF Vulnerability in rails-ujs

> +
> + > +
> + > + https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3- > 1-have-been-released/ > + https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3 > 946mreQ > + https://groups.google.com/forum/#!topic/rubyonrails-security/f6io > e4sdpbY > + https://groups.google.com/forum/#!topic/rubyonrails-security/bv6f > W4S0Y1c > + https://groups.google.com/forum/#!topic/rubyonrails-security/NOjK > iGeXUgw > + https://groups.google.com/forum/#!topic/rubyonrails-security/x9Di > xQDG9a0 > + CVE-2020-8162 > + CVE-2020-8164 > + CVE-2020-8165 > + CVE-2020-8166 > + CVE-2020-8167 > + > + > + 2020-05-18 > + 2020-05-19 > + > +
> + > > Dovecot -- Multiple vulnerabilities > >

--
Cheers,
Cy Schubert
FreeBSD UNIX:    Web: https://FreeBSD.org
NTP:             Web: https://nwtime.org

        The need of the many outweighs the greed of the few.
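Review bot: the description lists CVE-2020-8167 as a rails-ujs issue, but the affected list for both the 52 and 60 series names only the actionpack, actionview, activestorage and activesupport ports; confirm that the port which installs rails-ujs (actionview, if that is where the ports tree ships it) is among them, and since the only version bound visible per group is the fixed release (5.2.4.3 and 6.0.3.1), make sure each is the `<lt>` upper bound so every earlier release of that series is flagged. The five rubyonrails-security references and the five CVE lines match one-to-one, which is fine; the verbatim blog greeting in the description is the point already raised above in this thread.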