From owner-dev-commits-ports-all@freebsd.org Sun Aug 1 21:52:47 2021
Return-Path:
Delivered-To: dev-commits-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 290E66676E4; Sun, 1 Aug 2021 21:52:47 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GdFHM0gCYz3rsV; Sun, 1 Aug 2021 21:52:47 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F358314286; Sun, 1 Aug 2021 21:52:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 171LqkAp095900; Sun, 1 Aug 2021 21:52:46 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 171LqkmC095899; Sun, 1 Aug 2021 21:52:46 GMT (envelope-from git)
Date: Sun, 1 Aug 2021 21:52:46 GMT
Message-Id: <202108012152.171LqkmC095899@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Kevin Bowling Subject: git: 9c1924450f57 - main - security/vuxml: document tomcat CVE-2021-30640 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kbowling X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9c1924450f57ec143cd6f72aa1c9a48f30f755ee Auto-Submitted: auto-generated X-BeenThere: dev-commits-ports-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Aug 2021 21:52:47 -0000 The branch main has been updated by kbowling: URL: https://cgit.FreeBSD.org/ports/commit/?id=9c1924450f57ec143cd6f72aa1c9a48f30f755ee commit 9c1924450f57ec143cd6f72aa1c9a48f30f755ee Author: Kevin Bowling AuthorDate: 2021-08-01 21:51:39 +0000 Commit: Kevin Bowling CommitDate: 2021-08-01 21:52:40 +0000 security/vuxml: document tomcat CVE-2021-30640 PR: 257153 --- security/vuxml/vuln-2021.xml | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index f99ceeea1d96..901b873ac212 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,42 @@ + + tomcat -- JNDI Realm Authentication Weakness in multiple versions + + + tomcat7 + 7.0.07.0.108 + + + tomcat85 + 8.5.08.5.65 + + + tomcat9 + 9.0.09.0.45 + + + tomcat10 + 10.0.010.0.5 + + + + +

ilja.farber reports:

+
+

Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. +In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

+
+ +
+ + CVE-2021-30640 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640 + + + 2021-04-08 + 2021-08-01 + +
+ tomcat -- Remote Denial of Service in multiple versions @@ -28,7 +67,7 @@ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639 - 2021-07-12 + 2021-03-24 2021-08-01
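Review bot: in the first hunk (the new CVE-2021-30640 entry) the upper bounds 7.0.108, 8.5.65, 9.0.45 and 10.0.5 are the last affected Tomcat releases rather than the first fixed ones (upstream shipped the fix in 7.0.109, 8.5.66, 9.0.46 and 10.0.6), so each range has to close with the inclusive element, e.g. `<ge>7.0.0</ge><le>7.0.108</le>`, not `<lt>7.0.108</lt>`; the tags did not survive in this copy of the diff, so please confirm in the XML, because with `<lt>` the final vulnerable patch level of every branch would be reported as clean. On the same hunk, the only reference besides the cvename is a plain-http MITRE link (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640), which duplicates what `<cvename>` already provides; a `<url>` to the upstream Apache Tomcat security page for the affected branches would give readers the fixed versions, and whichever link is kept should use https.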
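Review bot: the second hunk (@@ -28,7 +67,7 @@) moves the `<discovery>` date of the existing CVE-2021-30639 entry from 2021-07-12 back to 2021-03-24, but the commit message only says "document tomcat CVE-2021-30640" with PR 257153 and gives no source for the earlier date. Either split this into its own commit or add a line to the log naming where 2021-03-24 comes from; the new CVE-2021-30640 entry in the first hunk records 2021-04-08, so both entries should state the same kind of date (private report vs. public disclosure) and the log should say which convention is being applied.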