Date:      Thu, 15 Aug 2019 21:22:36 +0000 (UTC)
From:      Kai Knoblich <kai@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r509055 - head/security/vuxml
Message-ID:  <201908152122.x7FLMaRr088275@repo.freebsd.org>

Author: kai
Date: Thu Aug 15 21:22:35 2019
New Revision: 509055
URL: https://svnweb.freebsd.org/changeset/ports/509055

Log:
  security/vuxml: Update entry for security/doas
  
  * Add a reference to OpenBSD's tech mailing list that explains the issues
    with doas(1)'s environmental security in further detail.
  * Clarify the origins of the reporting sources and fix a grammar nit.
  
  PR:		239629
  Reported by:	Sander Bos

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Aug 15 20:37:21 2019	(r509054)
+++ head/security/vuxml/vuln.xml	Thu Aug 15 21:22:35 2019	(r509055)
@@ -230,7 +230,7 @@ executed even without intentional action by the user.<
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Jesse Smith of Resonating Media reports:</p>
+	<p>Jesse Smith (upstream author of the doas program) reported:</p>
 	<blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">;
 	  <p>Previous versions of "doas" transferred most environment variables, such
 	    as USER, HOME, and PATH from the original user to the target user.
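Review bot: The new attribution "upstream author of the doas program" on the changed <p> line is ambiguous. The blockquote cites github.com/slicer69/doas, while the log and the mlist reference added further down point at openbsd-tech, so a reader cannot tell which upstream is meant. Naming the project explicitly, for example "author of the slicer69/doas port", would remove the doubt. The switch from "reports" to "reported" is presumably the grammar nit from the log; it is worth confirming that it matches the wording used by the neighbouring entries in vuln.xml.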
@@ -238,15 +238,19 @@ executed even without intentional action by the user.<
 	    Passing these variables could cause files in the wrong path or
 	    home directory to be read (or written to), which resulted in potential
 	    security problems.</p>
+	  <p>Many thanks to Sander Bos for reporting this issue and explaining
+	    how it can be exploited.</p>
 	</blockquote>
       </body>
     </description>
     <references>
+      <mlist msgid="2a5cda45ef35e885c9a8b1e@tedunangst.com">https://marc.info/?l=openbsd-tech&amp;m=156105665713340&amp;w=2</mlist>;
       <url>https://github.com/slicer69/doas/releases/tag/6.1</url>;
     </references>
     <dates>
       <discovery>2019-08-03</discovery>
       <entry>2019-08-09</entry>
+      <modified>2019-08-15</modified>
     </dates>
   </vuln>
 
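Review bot: The added paragraph "Many thanks to Sander Bos for reporting this issue and explaining how it can be exploited." sits inside the <blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">, so the entry presents it as text quoted from the 6.1 release notes. If that sentence is not verbatim from the cited page, it should move outside the blockquote as the entry's own acknowledgement. The new <mlist> reference points at openbsd-tech, but nothing in the body says how that post relates to this port, so a short sentence in the description tying the two together would help readers. The <modified> date matches the commit date and the "&amp;" escaping in the marc.info URL is correct.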