Date: Sat, 24 Dec 2016 08:38:12 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r429312 - head/security/vuxml Message-ID: <201612240838.uBO8cCXh017433@repo.freebsd.org>
Author: sunpoet Date: Sat Dec 24 08:38:11 2016 New Revision: 429312 URL: https://svnweb.freebsd.org/changeset/ports/429312 Log: - Document cURL vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Dec 24 08:37:34 2016 (r429311) +++ head/security/vuxml/vuln.xml Sat Dec 24 08:38:11 2016 (r429312) 
@@ -58,6 +58,44 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="c40ca16c-4d9f-4d70-8b6c-4d53aeb8ead4"> + <topic>cURL -- uninitialized random vulnerability</topic> + <affects> + <package> + <name>curl</name> + <range><ge>7.52.0</ge><lt>7.52.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Project curl Security Advisory:</p> + <blockquote cite="https://curl.haxx.se/docs/adv_20161223.html"> + <p>libcurl's (new) internal function that returns a good 32bit + random value was implemented poorly and overwrote the pointer + instead of writing the value into the buffer the pointer + pointed to.</p> + <p>This random value is used to generate nonces for Digest and + NTLM authentication, for generating boundary strings in HTTP + formposts and more. Having a weak or virtually non-existent + random there makes these operations vulnerable.</p> + <p>This function is brand new in 7.52.0 and is the result of an + overhaul to make sure libcurl uses strong random as much as + possible - provided by the backend TLS crypto libraries when + present. The faulty function was introduced in this commit.</p> + <p>We are not aware of any exploit of this flaw.</p> + </blockquote> + </body> + </description> + <references> + <url>https://curl.haxx.se/docs/adv_20161223.html</url> + <cvename>CVE-2016-9594</cvename> + </references> + <dates> + <discovery>2016-12-23</discovery> + <entry>2016-12-24</entry> + </dates> + </vuln> + <vuln vid="41f8af15-c8b9-11e6-ae1b-002590263bf5"> <topic>squid -- multiple vulnerabilities</topic> <affects>
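Review bot: the quoted advisory sentence "The faulty function was introduced in this commit." loses its referent in this entry, since the hyperlink that "this commit" pointed to in the advisory is not carried over into the blockquote text. Either drop that sentence from the quoted excerpt or keep it and add the commit URL it referred to as an extra <url> under <references>, next to the existing adv_20161223 link, so readers of the VuXML entry can follow it.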