From owner-svn-ports-head@FreeBSD.ORG Mon Oct 15 16:02:13 2012
Return-Path:
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ED50DF12; Mon, 15 Oct 2012 16:02:13 +0000 (UTC) (envelope-from swills@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id BC5318FC18; Mon, 15 Oct 2012 16:02:13 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q9FG2D5r022582; Mon, 15 Oct 2012 16:02:13 GMT (envelope-from swills@svn.freebsd.org)
Received: (from swills@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q9FG2DEh022579; Mon, 15 Oct 2012 16:02:13 GMT (envelope-from swills@svn.freebsd.org)
Message-Id: <201210151602.q9FG2DEh022579@svn.freebsd.org>
From: Steve Wills
Date: Mon, 15 Oct 2012 16:02:13 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r305918 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Oct 2012 16:02:14 -0000

Author: swills
Date: Mon Oct 15 16:02:12 2012
New Revision: 305918

URL: http://svn.freebsd.org/changeset/ports/305918

Log:
  - Actually commit the VuXML entry

  PR:		ports/172565
  Feature safe:	yes
  Pointyhat to:	swills

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Oct 15 15:54:10 2012	(r305917)
+++ head/security/vuxml/vuln.xml	Mon Oct 15 16:02:12 2012	(r305918)
@@ -51,6 +51,39 @@ Note: Please add new entries to the beg --> + + gitolite - path traversal vulnerability + + + gitolite + 3.013.04 + + + + +

Sitaram Chamarty reports:

+
+

I'm sorry to say there is a potential path traversal vulnerability in + v3. Thanks to Stephane Chazelas for finding it and alerting me.

+

Can it affect you? This can only affect you if you are using wild + card repos, *and* at least one of your patterns allows the string + "../" to match multiple times.

+

How badly can it affect you? A malicious user who *also* has the + ability to create arbitrary files in, say, /tmp (e.g., he has his own + userid on the same box), can compromise the entire "git" user. + Otherwise the worst he can do is create arbitrary repos in /tmp.

+
+ +
+ + https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion + + + 2012-10-09 + 2012-10-15 + +
+ phpMyAdmin -- Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack
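Review bot: The affected-version range of the new gitolite entry is not readable as written: directly under the package name it reads "3.013.04", and with the element markup lost here it is impossible to tell whether that is a single bound or two (for example a lower bound of 3.01 and an upper bound of 3.04). Please confirm the range is expressed as separate lower and upper bound elements and that the upper bound is the first release carrying the fix announced in the referenced thread; a wrong or merged bound makes the tools that consume VuXML either miss affected installs or keep flagging fixed ones. Two smaller points on the same entry: the references block carries only the Google Groups discussion URL, so add the CVE identifier once one is assigned and the upstream release announcement for the fixed version so the entry can be cross-referenced; and the description, being a verbatim quote of the upstream report, tells the reader which conditions make them vulnerable (wildcard repos plus at least one pattern that lets "../" match more than once) but not which version to upgrade to, so a closing sentence naming the fixed release would help administrators act on it.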