From: Cy Schubert
To: Niclas Zeising, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r524719 - head/security/vuxml
Date: Fri, 31 Jan 2020 10:16:38 -0800
Message-ID: <54342EF2-60B5-462E-A243-6E2BA9D3B216@cschubert.com>
In-Reply-To: <202001311602.00VG2jBq029161@repo.freebsd.org>
List-Id: SVN commit messages for the ports tree

On January 31, 2020 8:02:45 AM PST, Niclas Zeising wrote:
>Author: zeising
>Date: Fri Jan 31 16:02:45 2020
>New Revision: 524719
>URL:
>https://svnweb.freebsd.org/changeset/ports/524719
>
>Log:
>  vuxml: Add entries for spamassassin vulnerabilities.
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln=2Exml >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D >--- head/security/vuxml/vuln=2Exml Fri Jan 31 15:50:23 2020 (r524718) >+++ head/security/vuxml/vuln=2Exml Fri Jan 31 16:02:45 2020 (r524719) >@@ -58,6 +58,42 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc=2E) > --> > >+ >+ spamassassin -- Nefarious rule configuration files can run >system commands >+ >+ >+ spamassassin >+ 3=2E4=2E4 >+ >+ >+ >+ >+

The Apache SpamAssassin project reports:

>+
cite=3D"ihttps://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-annou= nce/202001=2Embox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache=2Eorg%3e"> >+

A nefarious rule configuration (=2Ecf) files can be configured to >+ run system commands=2E This issue is less stealthy and attempts to >+ exploit the issue will throw warnings=2E

>+

Thanks to Damian Lukowski at credativ for reporting the issue >+ ethically=2E With this bug unpatched, exploits can be >injected in a >+ number of scenarios though doing so remotely is difficult=2E In >+ addition to upgrading to SA 3=2E4=2E4, we again recommend that user= s >+ should only use update channels or 3rd party =2Ecf files from >trusted >+ places=2E

>+
>+ >+
>+ >+ =20 >https://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-announce/= 202001=2Embox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache=2Eorg%3e >+ =20 >https://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-announce/= 202001=2Embox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache=2Eorg%3e >+ CVE-2020-1930 >+ CVE-2020-1931 >+ >+ >+ 2020-01-28 >+ 2020-01-31 >+ >+
>+ > > sudo -- Potential bypass of Runas user restrictions >

Can you remove the entry I added yesterday, please? Or, I can do that at noon my time.

-- 
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert
FreeBSD UNIX: Web: https://www.FreeBSD.org
The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.
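Review bot: the cite attribute on the blockquote in the added entry's description reads "ihttps://mail-archives.apache.org/..." with a stray "i" in front of the scheme, so the citation link is broken; drop the "i" so it matches the first announcement URL listed in the references. The entry also names two CVEs, CVE-2020-1930 and CVE-2020-1931, and two separate announcement URLs, but carries only one description paragraph; a short paragraph per advisory, or a sentence stating that both issues are fixed in 3.4.4, would make clear which text belongs to which CVE. Finally, the reply in this thread says an entry for this issue was already added the previous day, so vuln.xml should be checked for a duplicate entry and the redundant one removed.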