Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Jan 2017 16:49:59 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r431401 - head/security/vuxml
Message-ID:  <201701131649.v0DGnxqf056012@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: feld
Date: Fri Jan 13 16:49:59 2017
New Revision: 431401
URL: https://svnweb.freebsd.org/changeset/ports/431401

Log:
  Consolidate duplicate openssh vuxml entries

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jan 13 16:25:58 2017	(r431400)
+++ head/security/vuxml/vuln.xml	Fri Jan 13 16:49:59 2017	(r431401)
@@ -208,6 +208,10 @@ Notes:
     <topic>FreeBSD -- OpenSSH multiple vulnerabilities</topic>
     <affects>
       <package>
+	<name>openssh-portable</name>
+	<range><lt>7.4.p1,1</lt></range>
+      </package>
+      <package>
 	<name>FreeBSD</name>
 	<range><ge>11.0</ge><lt>11.0_7</lt></range>
 	<range><ge>10.3</ge><lt>10.3_16</lt></range>
@@ -239,13 +243,14 @@ Notes:
       </body>
     </description>
     <references>
-      <cvename>CVE-2016-1000</cvename>
-      <cvename>CVE-2016-1001</cvename>
+      <cvename>CVE-2016-10009</cvename>
+      <cvename>CVE-2016-10010</cvename>
       <freebsdsa>SA-17:01.openssh</freebsdsa>
     </references>
     <dates>
       <discovery>2017-01-11</discovery>
       <entry>2017-01-11</entry>
+      <modified>2017-01-13</modified>
     </dates>
   </vuln>
 
@@ -1205,57 +1210,7 @@ Notes:
   </vuln>
 
   <vuln vid="2aedd15f-ca8b-11e6-a9a5-b499baebfeaf">
-    <topic>openssh -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>openssh-portable</name>
-	<range><lt>7.4.p1,1</lt></range>
-      </package>
-      <package>
-	<name>FreeBSD</name>
-	<range><ge>11.0</ge><lt>11.0_7</lt></range>
-	<range><ge>10.3</ge><lt>10.3_16</lt></range>
-	<range><ge>10.2</ge><lt>10.2_29</lt></range>
-	<range><ge>10.1</ge><lt>10.1_46</lt></range>
-	<range><ge>9.3</ge><lt>9.3_54</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>The OpenSSH project reports:</p>
-	<blockquote cite="https://www.openssh.com/txt/release-7.4">;
-	  <ul>
-	    <li>ssh-agent(1): Will now refuse to load PKCS#11 modules from
-	      paths outside a trusted whitelist (run-time configurable).
-	      Requests to load modules could be passed via agent forwarding
-	      and an attacker could attempt to load a hostile PKCS#11 module
-	      across the forwarded agent channel: PKCS#11 modules are shared
-	      libraries, so this would result in code execution on the system
-	      running the ssh-agent if the attacker has control of the
-	      forwarded agent-socket (on the host running the sshd server)
-	      and the ability to write to the filesystem of the host running
-	      ssh-agent (usually the host running the ssh client).
-	      (CVE-2016-10009)</li>
-	    <li>sshd(8): When privilege separation is disabled, forwarded
-	      Unix-domain sockets would be created by sshd(8) with the
-	      privileges of 'root' instead of the authenticated user. This
-	      release refuses Unix-domain socket forwarding when privilege
-	      separation is disabled (Privilege separation has been enabled by
-	      default for 14 years). CVE-2016-10010)</li>
-	  </ul>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.openssh.com/txt/release-7.4</url>;
-      <cvename>CVE-2016-10009</cvename>
-      <cvename>CVE-2016-10010</cvename>
-    </references>
-    <dates>
-      <discovery>2016-12-25</discovery>
-      <entry>2016-12-25</entry>
-      <modified>2017-01-09</modified>
-    </dates>
+    <cancelled/>
   </vuln>
 
   <vuln vid="c40ca16c-4d9f-4d70-8b6c-4d53aeb8ead4">



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701131649.v0DGnxqf056012>