From nobody Tue Feb 14 13:49:11 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PGMyN5yGcz3rypV;
	Tue, 14 Feb 2023 13:49:32 +0000 (UTC)
	(envelope-from dan@langille.org)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PGMyN3MLjz42Mh;
	Tue, 14 Feb 2023 13:49:32 +0000 (UTC)
	(envelope-from dan@langille.org)
Authentication-Results: mx1.freebsd.org;
	none
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	by mailout.nyi.internal (Postfix) with ESMTP id EC11B5C0150;
	Tue, 14 Feb 2023 08:49:31 -0500 (EST)
Received: from imap42 ([10.202.2.92])
  by compute5.internal (MEProxy); Tue, 14 Feb 2023 08:49:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=langille.org; h=
	cc:content-type:date:date:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:sender:subject
	:subject:to:to; s=fm1; t=1676382571; x=1676468971; bh=xpuOhQvEWz
	VFScbSk1B8peBbXRrbAAGtFEha7ypNUfI=; b=AasyV+zINxfxdfIcCrcUFNVbN/
	8CiRkS8895SqK2vl4eRTPKZAZN6gfmKw54zuTZJXgu3VuUHuSNsx1pMtFxk/PeOF
	6FuFF+poleRm9qzpPEVRVo0sRL9QG4T+lXNEOyVaUnqHRss3ccYwczrBSsdGWroE
	0h46ch8L2xGZwH18SdqQmw9s3rTLs2AEVTzXaodkIh0HSxWrfNrZ84g8gjmfjJpu
	xpfPG5VA7Hih+IgiazdicwjnQ05R0KoFpuAeElbsErYMAQUu7N6pHprDtHebhVn8
	Yi74ISz5RkrOKrQ5/DKTY0rIlZI0wyCgkRS018C/KzFhYkbtUKMcm3rmIlhg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:date:feedback-id
	:feedback-id:from:from:in-reply-to:in-reply-to:message-id
	:mime-version:references:reply-to:sender:subject:subject:to:to
	:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	fm1; t=1676382571; x=1676468971; bh=xpuOhQvEWzVFScbSk1B8peBbXRrb
	AAGtFEha7ypNUfI=; b=Zf/U5/ePYTBvjj9iON7ES531cnQuIn3fEaZNNT3OE9HN
	njh+Tu5vgJROZCQqghaPf4jPIYlgvpUgTrli7a9fKKUHQSAdjTQGl3yjKogj9lFQ
	YoRLFwoUocXEVRL9i+2vl4Tg/ZiWOLG/x7l58p01fqphmrYPJ43wGN9POhUPuVcO
	7lVsiTbwzwPC6xTZN1rXNuw+N25nhmaMgc445AW8Nxg4JRuwxqcoDlJnoHITV6Wo
	OhW8HeX5kCjjs49Ci/O/WE6CyN5AJe8wSaDPoQJ/koXXUguND0r5zLdG56SUW7hb
	iMjozY2Jlmqi3s8ZblKD/1qOv80tEqcF7feOzTN+mQ==
X-ME-Sender: <xms:a5HrYyPKVj8I6yvQ-NzAnt2BCwLZAl2YGc6Yb4wf_gLpAtBXjKT6SA>
    <xme:a5HrYw-fyesZOxNSgLh3OgJHVtfSVy7uNvOUrt6U7PSbfbJ8z5JZrr6yq--a28Dl7
    1z3NjSyP3dLj6P9xQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudeifedggeelucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd
    ertderredtnecuhfhrohhmpedfffgrnhcunfgrnhhgihhllhgvfdcuoegurghnsehlrghn
    ghhilhhlvgdrohhrgheqnecuggftrfgrthhtvghrnhepudejfeetudeujeeuffekvdehle
    evffetvdeuhfeuueeuheffveehgfeghfdukedvnecuffhomhgrihhnpehfrhgvvggsshgu
    rdhorhhgpdiffedrohhrghdpughjrghnghhophhrohhjvggtthdrtghomhenucevlhhush
    htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegurghnsehlrghnghhi
    lhhlvgdrohhrgh
X-ME-Proxy: <xmx:a5HrY5SL9CT3gIQ1PUyw5o97eVPMZhkqmj6f5yqqa69_jX0ttUQHKQ>
    <xmx:a5HrYyvS2boUbkxdKZV-pzvrJNRUBvU1av_2RqXc6_dn7zHn8b_xrw>
    <xmx:a5HrY6fieIfXnpYvGJsAmvdwAHaC8_vKm1BLiqTiHZ5q1tSHhUEB1w>
    <xmx:a5HrY3GbcxlhJolKhDtQsSd6lay6_1r4QbHU9oJjDefyyCj7b7N1Dw>
Feedback-ID: ifbf9424e:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id BA305BC0078; Tue, 14 Feb 2023 08:49:31 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-156-g081acc5ed5-fm-20230206.001-g081acc5e
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
Mime-Version: 1.0
Message-Id: <62b4686d-491e-4224-9ddb-7935bbf7f129@app.fastmail.com>
In-Reply-To: <202302141204.31EC4H4m043168@gitrepo.freebsd.org>
References: <202302141204.31EC4H4m043168@gitrepo.freebsd.org>
Date: Tue, 14 Feb 2023 08:49:11 -0500
From: "Dan Langille" <dan@langille.org>
To: "Wen Heping" <wen@FreeBSD.org>, ports-committers@FreeBSD.org,
 dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: 7cd59a7b0d9c - main - security/vuxml: Document Django multiple
 vulnerabilities
Content-Type: text/plain
X-Rspamd-Queue-Id: 4PGMyN3MLjz42Mh
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:19151, ipnet:66.111.4.0/24, country:US]
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-ThisMailContainsUnwantedMimeParts: N

On Tue, Feb 14, 2023, at 7:04 AM, Wen Heping wrote:
> The branch main has been updated by wen:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=7cd59a7b0d9c15b24dae177e6feafea107670ff5
>
> commit 7cd59a7b0d9c15b24dae177e6feafea107670ff5
> Author:     Wen Heping <wen@FreeBSD.org>
> AuthorDate: 2023-02-14 12:03:26 +0000
> Commit:     Wen Heping <wen@FreeBSD.org>
> CommitDate: 2023-02-14 12:03:59 +0000
>
>     security/vuxml: Document Django multiple vulnerabilities
> ---
>  security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 41 insertions(+)
>
> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index a3feb1c2e6d7..9cc6385ce320 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -1,3 +1,44 @@
> +  <vuln vid="9c9ee9a6-ac5e-11ed-9323-080027d3a315">
> +    <topic>Django -- multiple vulnerabilities</topic>
> +    <affects>
> +      <package>
> +	<name>py37-django32</name>
> +	<name>py38-django32</name>
> +	<name>py39-django32</name>
> +	<name>py310-django32</name>
> +	<range><lt>3.2.18</lt></range>
> +      </package>
> +      <package>
> +	<name>py38-django40</name>
> +	<name>py39-django40</name>
> +	<name>py310-django40</name>
> +	<range><lt>4.0.10</lt></range>
> +      </package>
> +      <package>
> +	<name>py38-django41</name>
> +	<name>py39-django41</name>
> +	<name>py310-django41</name>
> +	<range><lt>4.1.7/range>

The above has incorrect tags.I think it might be:

	<range><lt>4.1.7</lt></range>

But I'm not sure.


> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>Django reports:</p>
> +	<blockquote 
> cite="https://www.djangoproject.com/weblog/2023/feb/14/security-releases/">
> +	  <p>CVE-2023-24580: Potential denial-of-service vulnerability in 
> file uploads.</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2023-24580</cvename>
> +      
> <url>https://www.djangoproject.com/weblog/2023/feb/14/security-releases/</url>
> +    </references>
> +    <dates>
> +      <discovery>2023-02-01</discovery>
> +      <entry>2023-02-14</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="0a7a5dfb-aba4-11ed-be2c-001cc0382b2f">
>      <topic>GnuTLS -- timing sidechannel in RSA decryption</topic>
>      <affects>

-- 
  Dan Langille
  dan@langille.org