From owner-svn-ports-all@FreeBSD.ORG Tue Apr 15 20:21:45 2014
Message-Id: <201404152021.s3FKLiOo016957@svn.freebsd.org>
From: Steve Wills
Date: Tue, 15 Apr 2014 20:21:44 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
svn-ports-head@freebsd.org
Subject: svn commit: r351364 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: swills
Date: Tue Apr 15 20:21:44 2014
New Revision: 351364
URL: http://svnweb.freebsd.org/changeset/ports/351364
QAT: https://qat.redports.org/buildarchive/r351364/
Log:
- Add multiple missing entries
PR: ports/188512
Submitted by: Pawel Biernacki
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Apr 15 19:40:30 2014 (r351363)
+++ head/security/vuxml/vuln.xml Tue Apr 15 20:21:44 2014 (r351364)
@@ -51,6 +51,160 @@ Note: Please add new entries to the beg
-->
+
+ OpenLDAP -- incorrect handling of NULL in certificate Common Name
+
+
+ openldap24-client
+ linux-f10-openldap
+ 2.4.18
+
+
+
+
+ Jan Lieskovsky reports:
+
+ OpenLDAP does not properly handle a '\0' character in a domain name
+ in the subject's Common Name (CN) field of an X.509 certificate,
+ which allows man-in-the-middle attackers to spoof arbitrary SSL
+ servers via a crafted certificate issued by a legitimate
+ Certification Authority
+
+
+
+
+ CVE-2009-3767
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3767
+
+
+ 2009-08-07
+ 2014-04-11
+
+
+
+
+ cURL -- inappropriate GSSAPI delegation
+
+
+ curl
+ linux-f10-curl
+ 7.10.67.21.6
+
+
+
+
+ cURL reports:
+
+ When doing GSSAPI authentication, libcurl unconditionally performs
+ credential delegation. This hands the server a copy of the client's
+ security credentials, allowing the server to impersonate the client
+ to any other using the same GSSAPI mechanism.
+
+
+
+
+ CVE-2011-2192
+ http://curl.haxx.se/docs/adv_20110623.html
+
+
+ 2011-06-23
+ 2014-04-11
+
+
+
+
+ dbus-glib -- privledge escalation
+
+
+ dbus-glib
+ linux-f10-dbus-glib
+ 0.100.1
+
+
+
+
+ Sebastian Krahmer reports:
+
+ A privilege escalation flaw was found in the way dbus-glib, the
+ D-Bus add-on library to integrate the standard D-Bus library with
+ the GLib thread abstraction and main loop, performed filtering of
+ the message sender (message source subject), when the
+ NameOwnerChanged signal was received. A local attacker could use
+ this flaw to escalate their privileges.
+
+
+
+
+ CVE-2013-0292
+ https://bugs.freedesktop.org/show_bug.cgi?id=60916
+
+
+ 2013-02-15
+ 2014-04-11
+
+
+
+
+ nas -- multiple vulnerabilities
+
+
+ nas
+ linux-f10-nas-libs
+ 1.9.4
+
+
+
+
+ Hamid Zamani reports:
+
+ multiple security problems (buffer overflows, format string
+ vulnerabilities and missing input sanitising), which could lead to
+ the execution of arbitrary code.
+
+
+
+
+ CVE-2013-4256
+ CVE-2013-4257
+ CVE-2013-4258
+ http://radscan.com/pipermail/nas/2013-August/001270.html
+
+
+ 2013-08-07
+ 2014-04-11
+
+
+
+
+ libaudiofile -- heap-based overflow in Microsoft ADPCM compression module
+
+
+ libaudiofile
+ linux-f10-libaudiofile
+ 0.2.7
+
+
+
+
+ Debian reports:
+
+ Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile
+ 0.2.6 allows context-dependent attackers to cause a denial of service
+ (application crash) or possibly execute arbitrary code via a crafted
+ WAV file.
+
+
+
+
+ CVE-2014-0159
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
+
+
+ 2008-12-30
+ 2014-04-11
+
+
+
ChaSen -- buffer overflow
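Review bot: In the libaudiofile entry, the reference CVE-2014-0159 does not fit the rest of the entry: the dates start at 2008-12-30, the quoted text describes audiofile 0.2.6, and the linked Debian bug is 510205, so a 2014 CVE name looks like the wrong identifier and should be checked against that bug report. Separately, the dbus-glib topic line reads "privledge escalation"; it should be "privilege escalation", matching the spelling used in the quoted description a few lines below it.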
@@ -1120,6 +1274,7 @@ Note: Please add new entries to the beg
gnutls
+ linux-f10-gnutls
2.12.23_4
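Review bot: The added linux-f10-gnutls name sits under the same bound, 2.12.23_4, as gnutls, and the _4 suffix is the native port's PORTREVISION, which is maintained per port and need not line up with the linux-f10 port's numbering. Please confirm which linux-f10-gnutls version actually carries the fix and give that package its own range instead of reusing the native port's revision.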
@@ -4680,6 +4835,7 @@ affected..
libgcrypt
+ linux-f10-libgcrypt
1.5.3
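Review bot: Adding linux-f10-libgcrypt changes which installed packages this existing entry matches, yet the hunk header shows a single added line, the package name, so the entry's dates are untouched here. Unless another part of the commit already does so, add or update the entry's modified date so consumers of vuln.xml can tell the entry changed after it was first published.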
@@ -4696,6 +4852,7 @@ affected..