Date: Sat, 1 Jun 2019 13:48:59 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r503236 - head/security/vuxml Message-ID: <201906011348.x51DmxOh099709@repo.freebsd.org>
Author: koobs Date: Sat Jun 1 13:48:59 2019 New Revision: 503236 URL: https://svnweb.freebsd.org/changeset/ports/503236 Log: security/vuxml: Add buildbot -- OAuth Authentication Vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Jun 1 13:27:32 2019 (r503235) +++ head/security/vuxml/vuln.xml Sat Jun 1 13:48:59 2019 (r503236) 
@@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="ada8db8a-8471-11e9-8170-0050562a4d7b"> + <topic>buildbot -- OAuth Authentication Vulnerability</topic> + <affects> + <package> + <name>py27-buildbot</name> + <name>py35-buildbot</name> + <name>py36-buildbot</name> + <name>py37-buildbot</name> + <range><lt>2.3.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication"> + <p>Buildbot accepted user-submitted authorization token from OAuth and used + it to authenticate user.</p> + <p>The vulnerability can lead to malicious attackers to authenticate as legitimate users + of a Buildbot instance without knowledge of the victim's login credentials on certain + scenarios.</p> + <p>If an attacker has an application authorized to access data of another user at the + same Identity Provider as the used by the Buildbot instance, then he can acquire a token + to access the data of that user, supply the token to the Buildbot instance and successfully + login as the victim.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication</url> + <url>https://github.com/buildbot/buildbot/pull/4763</url> + <cvename>CVE-2019-12300</cvename> + </references> + <dates> + <discovery>2019-05-07</discovery> + <entry>2019-06-01</entry> + </dates> + </vuln> + <vuln vid="177fa455-48fc-4ded-ba1b-9975caa7f62a"> <topic>bro -- Unsafe integer conversions can cause unintentional code paths to be executed</topic> <affects>
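Review bot: the description in this hunk is an unedited blockquote of the upstream wiki text, grammatical slips included ("can lead to malicious attackers to authenticate as legitimate users", "the same Identity Provider as the used by the Buildbot instance"); since the blockquote carries a cite attribute, leave the quotation verbatim rather than silently rewording it, but consider adding one plain sentence of your own before the blockquote that states the root cause as the page's own text does, namely that Buildbot accepted a user-submitted OAuth authorization token and used it to authenticate the user, so that readers scanning the entry get the defect without parsing the quoted wording. The affects block lists py27/py35/py36/py37-buildbot with a single <lt>2.3.1</lt> bound and the references carry both the fix PR 4763 and CVE-2019-12300, which is consistent; the discovery date 2019-05-07 should be checked against the upstream wiki page before commit since it is not stated elsewhere in the diff.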