From: Dima Panov
Date: Thu, 27 Feb 2020 10:23:33 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r527243 - head/security/vuxml

Author: fluffy
Date: Thu Feb 27 10:23:32 2020
New Revision: 527243
URL: https://svnweb.freebsd.org/changeset/ports/527243

Log:
  security/vuxml: fix vuxml entries for OpenSMTPd, remove duplicates with wrong version and missed description

  Approved by: ports-secteam (miwi)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Feb 27 09:31:48 2020 (r527242) +++ head/security/vuxml/vuln.xml Thu Feb 27 10:23:32 2020 (r527243) @@ -59,7 +59,7 @@ Notes: --> - LPE and RCE in OpenSMTPD's default install + OpenSMTPd -- LPE and RCE in OpenSMTPD's default install opensmtpd @@ -68,12 +68,16 @@ Notes: -

OpenSMTPD developersreports:

+

OpenSMTPD developers reports:

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

+

An unprivileged local attacker can read the first line of an arbitrary + file (for example, root's password hash in /etc/master.passwd) or the + entire contents of another user's file (if this file and + /var/spool/smtpd/ are on the same filesystem).
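Review bot: The paragraph added at the end of this hunk ("An unprivileged local attacker can read the first line of an arbitrary file ...") now sits under "OpenSMTPD developers reports:", but the entry removed later in this patch attributes the same text to "Qualys reports:", so the merged description credits the wrong source. Suggest giving that paragraph its own attribution line, or changing the lead-in to name both sources. While touching that line, "developers reports" should read "developers report". The topic changed in the first hunk still names only LPE and RCE, although the description now also covers the local information disclosure.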

@@ -86,62 +90,7 @@ Notes: 2020-02-22 2020-02-24 - -
- - - OpenSMTPd -- LPE and RCE in OpenSMTPD's default install - - - opensmtpd - 6.6.5,1 - - - - -

Qualys reports:

-
-

.

-
- -
- - https://www.openwall.com/lists/oss-security/2020/02/24/5 - CVE-2020-8794 - - - 2020-02-24 - 2020-02-24 - -
- - - OpenSMTPd -- Local information disclosure - - - opensmtpd - 6.6.4,1 - - - - -

Qualys reports:

-
-

We discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server: -an unprivileged local attacker can read the first line of an arbitrary -file (for example, root's password hash in /etc/master.passwd) or the -entire contents of another user's file (if this file and -/var/spool/smtpd/ are on the same filesystem).

-
- -
- - https://www.openwall.com/lists/oss-security/2020/02/24/4 - CVE-2020-8793 - - - 2020-02-24 - 2020-02-24 + 2020-02-27
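Review bot: The two entries deleted in this hunk are the only place in the visible diff where CVE-2020-8794, CVE-2020-8793 and the two oss-security URLs appear, and the only added line is the 2020-02-27 date, so nothing here shows the surviving entry gaining those references. Please confirm that the kept entry lists both CVE names and both URLs; if it does not, add them in this commit so the merged entry can still be found by either CVE. The log says the deleted entries had the wrong version (6.6.5,1 and 6.6.4,1), but the corrected range is outside the visible context; naming the intended bound in the log would make that verifiable.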