Date: Thu, 20 Aug 2020 10:39:16 +0000 (UTC)
From: Niclas Zeising <zeising@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r545523 - head/security/vuxml
Message-ID: <202008201039.07KAdGDq061142@repo.freebsd.org>
Author: zeising
Date: Thu Aug 20 10:39:15 2020
New Revision: 545523
URL: https://svnweb.freebsd.org/changeset/ports/545523

Log:
  vuxml: Document dns/adns security issues

  Document several security issues in dns/adns.
  While here, fix whitespace in adjacent entries, as reported by make validate.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 20 10:32:50 2020 (r545522) +++ head/security/vuxml/vuln.xml Thu Aug 20 10:39:15 2020 (r545523) 
@@ -58,24 +58,67 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="08de38d2-e2d0-11ea-9538-0c9d925bbbc0"> + <topic>adns -- multiple vulnerabilities</topic> + <affects> + <package> + <name>adns</name> + <range><lt>1.5.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Ian Jackson and the adns project reports:</p> + <blockquote cite="https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html"> + <p>Vulnerable applications: all adns callers. + Exploitable by: the local recursive resolver. + Likely worst case: Remote code execution.</p> + <p>Vulnerable applications: those that make SOA queries. + Exploitable by: upstream DNS data sources. + Likely worst case: DoS (crash of the adns-using application)</p> + <p>Vulnerable applications: those that use adns_qf_quoteok_query. + Exploitable by: sources of query domain names. + Likely worst case: DoS (crash of the adns-using application)</p> + <p>Vulnerable applications: adnshost. + Exploitable by: code responsible for framing the input. 
+ Likely worst case: DoS (adnshost crashes at EOF).</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html</url> + <cvename>CVE-2017-9103</cvename> + <cvename>CVE-2017-9104</cvename> + <cvename>CVE-2017-9105</cvename> + <cvename>CVE-2017-9106</cvename> + <cvename>CVE-2017-9107</cvename> + <cvename>CVE-2017-9108</cvename> + <cvename>CVE-2017-9109</cvename> + </references> + <dates> + <discovery>2017-05-21</discovery> + <entry>2020-08-20</entry> + </dates> + </vuln> + <vuln vid="f60561e7-e23e-11ea-be64-507b9d01076a"> <topic>Icinga Web 2 -- directory traversal vulnerability</topic> <affects> <package> - <name>icingaweb2</name> - <range><le>2.8.1</le></range> + <name>icingaweb2</name> + <range><le>2.8.1</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Icinga development team reports:</p> - <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368"> - <p>CVE-2020-24368</p> + <p>Icinga development team reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368"> + <p>CVE-2020-24368</p> <p> - Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a - Directory Traversal vulnerability which allows an attacker to access - arbitrary files that are readable by the process running Icinga Web - 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2. + Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a + Directory Traversal vulnerability which allows an attacker to access + arbitrary files that are readable by the process running Icinga Web + 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2. </p> </blockquote> </body>
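Review bot: In the new adns entry, the bound <range><lt>1.5.2</lt></range> is not supported by anything in the quoted text: the four <p> blocks in the blockquote give the affected callers, who can exploit each issue and the likely worst case, but none of them names a fixed release. If the cited announcement states the fixed version, quote that sentence as well, so the range can be checked against the entry itself. The same blockquote describes four groups of issues while <references> lists seven <cvename> items (CVE-2017-9103 through CVE-2017-9109) with no indication of which CVE belongs to which group; a short mapping would help anyone triaging by CVE, since only the first group has "Remote code execution" as its worst case and the others are DoS. Minor wording: "Ian Jackson and the adns project reports:" should read "report". In the Icinga lines that are only re-indented here, the quoted text says the issue is fixed in v2.6.4, v2.7.4 and v2.8.2, while <range><le>2.8.1</le></range> still matches 2.6.4 and 2.7.4; since those lines are being touched anyway, it is worth confirming that the range is intended.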