From owner-svn-ports-all@freebsd.org Fri Dec 14 13:32:05 2018
Date: Fri, 14 Dec 2018 14:30:52 +0100
From: Tĳl Coosemans
To: Jochen Neumeister
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r487425 - head/security/vuxml
Message-ID: <20181214143052.2e098401@kalimero.tijl.coosemans.org>
In-Reply-To: <201812141157.wBEBvJvS010416@repo.freebsd.org>
List-Id: SVN commit messages for the ports tree

On Fri, 14 Dec 2018 11:57:19 +0000 (UTC) Jochen Neumeister wrote:
> Author: joneum
> Date: Fri Dec 14 11:57:19 2018
> New Revision: 487425
> URL: https://svnweb.freebsd.org/changeset/ports/487425
>
> Log:
> Add entry for typo3-8 and typo3-9
>
> PR: 233935 233936
> Sponsored by: Netzkommune GmbH
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Fri Dec 14 11:28:43 2018 (r487424) > +++ head/security/vuxml/vuln.xml Fri Dec 14 11:57:19 2018 (r487425) > @@ -58,6 +58,68 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > > + > + typo3 -- multiple vulnerabilities > + > + > + typo3-8 > + 8.7.21 > + > + > + typo3-9 > + 9.5.2 > + > + > + > + > +

Typo3 core team reports:

> +
> +

CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr. > + The vulnerability stemmed from the fact that it was possible to execute XSS inside > + the CKEditor source area after persuading the victim to: (i) switch CKEditor to > + source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, > + into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. > + Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.

> +

Failing to properly encode user input, online media asset rendering > + (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user > + account or write access on the server system (e.g. SFTP) is needed in order to exploit this > + vulnerability.

> +

Failing to properly encode user input, notifications shown in modal windows in the TYPO3 > + backend are vulnerable to cross-site scripting. A valid backend user account is needed in > + order to exploit this vulnerability.

> +

Failing to properly encode user input, login status display is vulnerable to cross-site > + scripting in the website frontend. A valid user account is needed in order to exploit this > + vulnerability - either a backend user or a frontend user having the possibility to modify > + their user profile. > + Template patterns that are affected are: > + ###FEUSER_[fieldName]### using system extension felogin > + for regular frontend rendering (pattern can be

I've HTML encoded the < and > here in r487432.
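Review bot: the added body text for the felogin template pattern (the line ending in "(pattern can be") carries literal < and > characters; inside a vuxml entry body they must be written as &lt; and &gt;, because a raw < is parsed as the start of a tag and the whole of vuln.xml stops being well-formed, which breaks every consumer of the file, not just this entry. Run make validate in security/vuxml before committing so the broken markup is caught locally rather than after the fact; r487432 applies exactly that encoding to this entry.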