From: Kurt Jaeger Date: Fri, 11 Oct 2019 17:36:37 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r514293 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: pi X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 514293 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Oct 2019 17:36:38 -0000 Author: pi Date: Fri Oct 11 17:36:37 2019 New Revision: 514293 URL: https://svnweb.freebsd.org/changeset/ports/514293 Log: security/vuxml: mongodb vulnerabilities - CVE-2019-2386, CVE-2019-2389, CVE-2019-2390 PR: 239717 Submitted by: Ronald Klop Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Oct 11 17:27:20 2019 (r514292) +++ head/security/vuxml/vuln.xml Fri Oct 11 17:36:37 2019 (r514293) @@ -58,6 +58,108 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mongodb -- Bump Windows package dependencies + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.14 + + + mongodb40 + 4.0.11 + + + + +

Rich Mirch reports:

+
+

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.

+
+ +
+ + CVE-2019-2390 + https://jira.mongodb.org/browse/SERVER-42233 + + + 2019-08-06 + 2019-09-30 + +
+ + + mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name. + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.14 + + + mongodb40 + 4.0.11 + + + + +

Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:

+
+

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

+
+ +
+ + CVE-2019-2389 + https://jira.mongodb.org/browse/SERVER-40563 + + + 2019-08-06 + 2019-09-30 + +
+ + + mongodb -- Attach IDs to users + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.13 + + + mongodb40 + 4.0.9 + + + + +

Mitch Wasson of Cisco's Advanced Malware Protection Group reports:

+
+

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.

+
+ +
+ + CVE-2019-2386 + https://jira.mongodb.org/browse/SERVER-38984 + + + 2019-08-06 + 2019-09-28 + +
+ mod_perl2 -- execute arbitrary Perl code
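Review bot: the topic line of each of the three new entries is the upstream JIRA ticket title rather than a description of the vulnerability ("mongodb -- Bump Windows package dependencies", "mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.", "mongodb -- Attach IDs to users"), and the topic is the one line `pkg audit` shows to an administrator; replace each with a short impact summary drawn from the entry's own body, for example "mongodb -- arbitrary code execution via OpenSSL configuration file on Windows" for CVE-2019-2390, "mongodb -- SysV init script kills arbitrary PIDs taken from a writable PID file" for CVE-2019-2389 and "mongodb -- authorization session persists after user deletion and is conflated with a recreated user" for CVE-2019-2386. The first two descriptions are also explicitly scoped to "an unprivileged user or program on Microsoft Windows" and to "MongoDB Server's packaged SysV init scripts", components the mongodb34, mongodb36 and mongodb40 ports listed in the affects blocks do not ship, so either confirm that the FreeBSD packages are actually affected or state the platform scope in the entry; otherwise every FreeBSD installation below 3.4.22, 3.6.14 or 4.0.11 is flagged for issues it cannot be exposed to. The version ranges themselves match the versions named in the CVE-2019-2390 description, so no change is needed there.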