Date:      Mon, 20 Sep 2021 00:52:39 +0700
From:      Eugene Grosbein <eugen@freebsd.org>
To:        "Herbert J. Skuhra" <herbert@gojira.at>
Cc:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   Re: git: 2c7d4d50c06a - main - security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
Message-ID:  <b05541dd-2f66-6c0d-4878-907b7d66b92e@freebsd.org>
In-Reply-To: <87v92xjbai.wl-herbert@gojira.at>
References:  <202109082208.188M8tVX016686@gitrepo.freebsd.org> <87v92xjbai.wl-herbert@gojira.at>

19.09.2021 14:04, Herbert J. Skuhra wrote:

> On Thu, 09 Sep 2021 00:08:55 +0200, Eugene Grosbein wrote:
>>
>> The branch main has been updated by eugen:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=2c7d4d50c06ac12410414813427604ee9af673dd
>>
>> commit 2c7d4d50c06ac12410414813427604ee9af673dd
>> Author:     Eugene Grosbein <eugen@FreeBSD.org>
>> AuthorDate: 2021-09-08 21:55:19 +0000
>> Commit:     Eugene Grosbein <eugen@FreeBSD.org>
>> CommitDate: 2021-09-08 22:02:51 +0000
>>
>>     security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
>>     
>>     Version 5.9_2 contains a security fix for PPPoE servers.
>>     Insufficient validation of an incoming PPPoE Discovery request
>>     specially crafted by an unauthenticated user might lead to unexpected
>>     termination of the process. The problem affects mpd versions since 5.0.
>>     Installations not using a PPPoE server configuration were not affected.
>>     
>>     Reported by:    Yannick C at SourceForge
>>     Tested by:      Yannick C at SourceForge, paul at SourceForge
>> ---
>>  security/vuxml/vuln-2021.xml | 28 ++++++++++++++++++++++++++++
>>  1 file changed, 28 insertions(+)
>>
>> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
>> index 09525e60d803..1b308b51ea74 100644
>> --- a/security/vuxml/vuln-2021.xml
>> +++ b/security/vuxml/vuln-2021.xml
>> @@ -1,3 +1,31 @@
>> +  <vuln vid="f55921aa-10c9-11ec-8647-00e0670f2660">
>> +    <topic>MPD5 PPPoE Server remotely exploitable crash</topic>
>> +    <affects>
>> +      <package>
>> +	<name>mpd5</name>
>> +	<range><ge>5.0</ge></range>
>> +	<range><lt>5.9_2</lt></range>
>> +      </package>
>> +    </affects>
>> +    <description>
>> +      <body xmlns="http://www.w3.org/1999/xhtml">;
>> +	<p>Version 5.9_2 contains security fix for PPPoE servers.
>> +	Insufficient validation of incoming PPPoE Discovery request
>> +	specially crafted by unauthenticated user might lead to unexpected
>> +	termination of the process. The problem affects mpd versions
>> +	since 5.0. Installations not using PPPoE server configuration
>> +	were not affected.</p>
>> +      </body>
>> +    </description>
>> +    <references>
>> +	<url>http://mpd.sourceforge.net/doc5/mpd4.html#4</url>;
>> +    </references>
>> +    <dates>
>> +      <discovery>2021-09-04</discovery>
>> +      <entry>2021-09-09</entry>
>> +    </dates>
>> +  </vuln>
>> +
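Review bot: the two separate `<range>` elements in `<affects>` make every mpd5 version match, because each `<range>` is evaluated on its own and a package is affected if any one of them holds: `<range><ge>5.0</ge></range>` is satisfied by anything at or above 5.0 and `<range><lt>5.9_2</lt></range>` by anything below 5.9_2, so the union is unbounded and 5.9_4 is flagged, exactly as the `pkg audit` output below shows. The two bounds belong in one element, `<range><ge>5.0</ge><lt>5.9_2</lt></range>`, which yields the intended "5.0 up to but not including 5.9_2". Also worth confirming that the `;` shown after `<body xmlns="http://www.w3.org/1999/xhtml">` and after `</url>` is only the archive's rendering of the linkified URLs and not stray text in the committed file.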
> 
> ===>  mpd5-5.9_4 has known vulnerabilities:
> mpd5-5.9_4 is vulnerable:
>   MPD5 PPPoE Server remotely exploitable crash
>   WWW: https://vuxml.FreeBSD.org/freebsd/f55921aa-10c9-11ec-8647-00e0670f2660.html

That VuXML entry problem was fixed on 17 September, but pkg audit fetches
http://vuxml.freebsd.org/freebsd/vuln.xml.xz and this file has been stale since 16 September for an unknown reason.
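The false positive reported in this thread comes from how VuXML ranges are evaluated: each `<range>` is an independent alternative, and only the bounds inside one `<range>` are combined. The following script is an added illustration, not code from the thread or from FreeBSD's pkg or vuxml tools; it models that evaluation with a simplified version comparison that only understands "MAJOR.MINOR[_PORTREVISION]" and shows why the entry as committed matched mpd5-5.9_4 while a single combined range does not.

```python
# Added illustration of VuXML <affects> range evaluation (not the pkg audit code).
# Version comparison is simplified: "5.9_2" -> numeric parts (5, 9), PORTREVISION 2.
import re
from itertools import zip_longest

def parse_version(v):
    """Split a version like '5.9_2' into (numeric parts, portrevision)."""
    m = re.fullmatch(r"([0-9.]+)(?:_(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split(".") if x != "")
    rev = int(m.group(2) or 0)
    return nums, rev

def compare(a, b):
    """Return -1, 0 or 1 ordering two version strings (simplified pkg semantics)."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    for x, y in zip_longest(na, nb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)

# Bound operators as they appear inside a VuXML <range>.
OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}

def is_affected(version, ranges):
    """A version is affected if ANY <range> matches; a <range> matches only
    if ALL of its bounds hold. `ranges` is a list of dicts such as
    [{"ge": "5.0", "lt": "5.9_2"}], one dict per <range> element."""
    return any(all(OPS[op](compare(version, bound)) for op, bound in r.items())
               for r in ranges)

# As committed: two separate <range> elements, i.e. ">= 5.0" OR "< 5.9_2".
COMMITTED = [{"ge": "5.0"}, {"lt": "5.9_2"}]
# Intended: one <range> carrying both bounds, i.e. ">= 5.0" AND "< 5.9_2".
INTENDED = [{"ge": "5.0", "lt": "5.9_2"}]

if __name__ == "__main__":
    for v in ("4.3", "5.0", "5.9_1", "5.9_2", "5.9_4"):
        print(f"mpd5-{v}: committed={is_affected(v, COMMITTED)} "
              f"intended={is_affected(v, INTENDED)}")
```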