Date: Sun, 29 Mar 2020 19:46:16 +0000 (UTC)
From: Palle Girgensohn <girgen@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r529828 - head/security/vuxml
Message-ID: <202003291946.02TJkGtC066794@repo.freebsd.org>
Author: girgen Date: Sun Mar 29 19:46:16 2020 New Revision: 529828 URL: https://svnweb.freebsd.org/changeset/ports/529828 Log: Add vuxml entry for CVE-2020-1720 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Mar 29 19:41:23 2020 (r529827) +++ head/security/vuxml/vuln.xml Sun Mar 29 19:46:16 2020 (r529828) 
@@ -58,6 +58,55 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="d331f691-71f4-11ea-8bb5-6cc21735f730"> + <topic>PostgresSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks</topic> + <affects> + <package> + <name>postgresql12-server</name> + <range><lt>12.2</lt></range> + </package> + <package> + <name>postgresql11-server</name> + <range><lt>11.7</lt></range> + </package> + <package> + <name>postgresql10-server</name> + <range><lt>10.12</lt></range> + </package> + <package> + <name>postgresql96-server</name> + <range><lt>9.6.17</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The PostgreSQL project reports:</p> + <blockquote cite="https://www.postgresql.org/about/news/2011/"> + <p> + Versions Affected: 9.6 - 12 + </p> + <p> + The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform + authorization checks, which can allow an unprivileged user to drop + any function, procedure, materialized view, index, or trigger under + certain conditions. This attack is possible if an administrator has + installed an extension and an unprivileged user can CREATE, or an + extension owner either executes DROP EXTENSION predictably or can be + convinced to execute DROP EXTENSION. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://www.postgresql.org/about/news/1960/</url> + <cvename>CVE-2020-1720</cvename> + </references> + <dates> + <discovery>2020-02-13</discovery> + <entry>2020-03-29</entry> + </dates> + </vuln> + <vuln vid="090763f6-7030-11ea-93dd-080027846a02"> <topic>mediawiki -- multiple vulnerabilities</topic> <affects>
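Review bot: The cite attribute on the <blockquote> in the new <description> (https://www.postgresql.org/about/news/2011/) and the <url> in <references> (https://www.postgresql.org/about/news/1960/) point to two different announcements; both should reference the announcement the quoted text is taken from, so that readers of the entry land on the advisory that matches the quote. In the same entry, the <topic> spells the product "PostgresSQL" while the body text says "PostgreSQL"; suggest correcting the topic to "PostgreSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks" so that a search on the product name finds the entry.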