Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 8 Jan 2014 11:15:21 +0000 (UTC)
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r339091 - in branches/2014Q1: security/vuxml www/openx
Message-ID:  <201401081115.s08BFLON034781@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: bapt
Date: Wed Jan  8 11:15:21 2014
New Revision: 339091
URL: http://svnweb.freebsd.org/changeset/ports/339091

Log:
  MFH: r337204
  
  - mark as FORBIDDEN (zero day SQL vuln)
  
  Security:	CVE-2013-7149

Modified:
  branches/2014Q1/security/vuxml/vuln.xml
  branches/2014Q1/www/openx/Makefile
Directory Properties:
  branches/2014Q1/   (props changed)

Modified: branches/2014Q1/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q1/security/vuxml/vuln.xml	Wed Jan  8 11:08:29 2014	(r339090)
+++ branches/2014Q1/security/vuxml/vuln.xml	Wed Jan  8 11:15:21 2014	(r339091)
@@ -51,6 +51,42 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="3e33a0bb-6b2f-11e3-b042-20cf30e32f6d">
+    <topic>OpenX -- SQL injection vulnerability</topic>
+    <affects>
+      <package>
+	<name>openx</name>
+	<range><lt>3.0.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Revive reports:</p>
+	<blockquote cite="http://www.revive-adserver.com/security/revive-sa-2013-001/">;
+	  <p>An SQL-injection vulnerability was recently discovered and reported
+	    to the Revive Adserver team by Florian Sander. The vulnerability is
+	    known to be already exploited to gain unauthorised access to the
+	    application using brute force mechanisms, however other kind of
+	    attacks might be possible and/or already in use. The risk is rated
+	    to be critical as the most common end goal of the attackers is to
+	    spread malware to the visitors of all the websites and ad networks
+	    that the ad server is being used on.</p>
+	  <p>The vulnerability is also present and exploitable in OpenX Source
+	    2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.revive-adserver.com/security/revive-sa-2013-001/</url>;
+      <url>http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/</url>;
+      <cvename>CVE-2013-7149</cvename>
+    </references>
+    <dates>
+      <discovery>2013-12-20</discovery>
+      <entry>2013-12-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4e1f4abc-6837-11e3-9cda-3c970e169bc2">
     <topic>cURL library -- cert name check ignore with GnuTLS</topic>
     <affects>

Modified: branches/2014Q1/www/openx/Makefile
==============================================================================
--- branches/2014Q1/www/openx/Makefile	Wed Jan  8 11:08:29 2014	(r339090)
+++ branches/2014Q1/www/openx/Makefile	Wed Jan  8 11:15:21 2014	(r339091)
@@ -11,6 +11,8 @@ COMMENT=	Free, opensource ad server in P
 
 LICENSE=	GPLv2
 
+FORBIDDEN=	CVE-2013-7149
+
 USE_BZIP2=	yes
 NO_BUILD=	yes
 SUB_LIST+=	PKGNAME=${PKGNAME}



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401081115.s08BFLON034781>