From owner-svn-ports-all@FreeBSD.ORG Sun Jan 11 19:39:46 2015 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DD57286B; Sun, 11 Jan 2015 19:39:46 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B01E8890; Sun, 11 Jan 2015 19:39:46 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t0BJdkQo004427; Sun, 11 Jan 2015 19:39:46 GMT (envelope-from mm@FreeBSD.org) Received: (from mm@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t0BJdkfB004426; Sun, 11 Jan 2015 19:39:46 GMT (envelope-from mm@FreeBSD.org) Message-Id: <201501111939.t0BJdkfB004426@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: mm set sender to mm@FreeBSD.org using -f From: Martin Matuska Date: Sun, 11 Jan 2015 19:39:46 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r376799 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Jan 2015 19:39:47 -0000 Author: mm Date: Sun Jan 11 19:39:45 2015 New Revision: 376799 URL: https://svnweb.freebsd.org/changeset/ports/376799 QAT: https://qat.redports.org/buildarchive/r376799/ Log: Add vuln.xml entry for libevent CVE-2014-6272 PR: ports/199640 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Jan 11 19:25:27 2015 (r376798) +++ head/security/vuxml/vuln.xml Sun Jan 11 19:39:45 2015 (r376799) @@ -57,6 +57,43 @@ Notes: --> + + libevent -- integer overflow in evbuffers + + + libevent + 1.4.15 + + + libevent2 + 2.0.22 + + + + +

Debian Security Team reports:

+
Andrew Bartlett of Catalyst reported a defect affecting certain + applications using the Libevent evbuffer API. This defect leaves + applications which pass insanely large inputs to evbuffers open + to a possible heap overflow or infinite loop. In order to exploit + this flaw, an attacker needs to be able to find a way to provoke + the program into trying to make a buffer chunk larger than what + will fit into a single size_t or off_t. +
+

+ + + + CVE-2014-6272 + https://www.debian.org/security/2015/dsa-3119 + + + 2015-01-05 + 2015-01-11 + + + cURL -- URL request injection vulnerability