Date: Fri, 24 Apr 2020 10:27:45 -0400
From: "Dan Langille" <dan@langille.org>
To: "Gordon Tetlow" <gordon@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r532291 - head/security/vuxml
Message-ID: <cd72f119-1e0f-44a4-baf2-717c27628db7@www.fastmail.com>
In-Reply-To: <cee1f409-a1e9-4df7-ad2c-5550d527e5ee@www.fastmail.com>
References: <202004211829.03LITxve044691@repo.freebsd.org> <cee1f409-a1e9-4df7-ad2c-5550d527e5ee@www.fastmail.com>
On Wed, Apr 22, 2020, at 1:25 PM, Dan Langille wrote:
> On Tue, Apr 21, 2020, at 2:29 PM, Gordon Tetlow wrote:
> > Author: gordon (src committer)
> > Date: Tue Apr 21 18:29:59 2020
> > New Revision: 532291
> > URL: https://svnweb.freebsd.org/changeset/ports/532291
> >
> > Log:
> > Add new entries for SA-20:10 and SA-20:11.
> >
> > Modified:
> > head/security/vuxml/vuln.xml
> >
> > Modified: head/security/vuxml/vuln.xml
> > ==============================================================================
> > --- head/security/vuxml/vuln.xml Tue Apr 21 18:22:15 2020 (r532290)
> > +++ head/security/vuxml/vuln.xml Tue Apr 21 18:29:59 2020 (r532291)
> > @@ -58,6 +58,71 @@ Notes: > > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > > --> > > [snip] > > > + > > + <vuln vid="33edcc56-83f2-11ea-92ab-00163e433440"> > > + <topic>FreeBSD -- ipfw invalid mbuf handling</topic> > > + <affects> > > + <package> > > + <name>FreeBSD-kernel</name> > > + <range><ge>12.1</ge><lt>12.1_4</lt></range> > > + <range><ge>11.3</ge><lt>11.3_8</lt></range> > > + </package> > > + </affects> > > + <description> > > + <body xmlns="http://www.w3.org/1999/xhtml"> > > + <h1>Problem Description:</h1> > > + <p>Incomplete packet data validation may result in accessing > > + out-of-bounds memory (CVE-2019-5614) or may access memory after it has > > + been freed (CVE-2019-15874).</p> > > + <h1>Impact:</h1> > > + <p>Access to out of bounds or freed mbuf data can lead to a kernel panic or > > + other unpredictable results.</p> > > + </body> > > + </description> > > + <references> > > + <cvename>CVE-2019-5614</cvename> > > + <cvename>CVE-2019-15874</cvename> > > + <freebsdsa>SA-20:10.ipfw</freebsdsa> > > + </references> > > + <dates> > > + <discovery>2020-04-21</discovery> > > + <entry>2020-04-21</entry> > > + </dates> > > + </vuln> > > + > > <vuln vid="9fbaefb3-837e-11ea-b5b4-641c67a117d8"> > > <topic>py-twisted -- multiple vulnerabilities</topic> > > <affects> > > > > This entry is raising a false positive on patched systems. 
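Review bot: the affected ranges in this entry, `<range><ge>12.1</ge><lt>12.1_4</lt></range>` and `<range><ge>11.3</ge><lt>11.3_8</lt></range>`, are evaluated purely on the package version string, so a FreeBSD-kernel package reporting 12.1_3 matches no matter what `freebsd-version -k` says; the report that follows shows the audit naming FreeBSD-kernel-12.1_3 while `freebsd-version -k` prints 12.1-RELEASE-p4, so before touching these bounds it is worth establishing whether the version the audit derives for the kernel package, or the `<lt>` bounds themselves, are wrong. A second check before closing the false-positive report: confirm that 12.1_4 and 11.3_8 are exactly the patch levels SA-20:10.ipfw lists as fixed for 12.1 and 11.3, since an off-by-one in either `<lt>` would flag a patched kernel in the same way.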
> To reproduce:
>
> freebsd-update fetch install
> reboot
> pkg install base-audit
> add security_status_baseaudit_enable="YES" to /etc/periodic.conf
> pkg audit -F
> /usr/local/etc/periodic/security/405.pkg-base-audit
>
> $ freebsd-version -uk
> 12.1-RELEASE-p3
> 12.1-RELEASE-p4
>
> $ /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: Wed Apr 22 11:30:00 UTC 2020
> FreeBSD-kernel-12.1_3 is vulnerable:
> FreeBSD -- ipfw invalid mbuf handling
> CVE: CVE-2019-15874
> CVE: CVE-2019-5614
> WWW: https://vuxml.FreeBSD.org/freebsd/33edcc56-83f2-11ea-92ab-00163e433440.html
>
> 1 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.

PR raised: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

-- 
Dan Langille
dan@langille.org
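The quickest way to tell whether a base-audit hit like the one above comes from the VuXML entry or from the version the audit tool derives is to evaluate the entry's ranges yourself against each version string the host reports. The script below is an added example, not code from the thread, from pkg, or from base-audit; it re-implements in simplified form the two pieces needed for that check: pkg-style version comparison (epoch, dotted numeric components, then `_revision`) and VuXML range evaluation (a package is affected when every condition inside any one `<range>` holds). The `<vuln>` snippet is a constructed copy of the committed entry with the document namespace omitted, and the mapping from `freebsd-version` output to a package version (`12.1-RELEASE-p4` to `12.1_4`) is an assumption chosen to agree with the `FreeBSD-kernel-12.1_3` string in the report; whether base-audit actually derives the kernel package version that way is exactly what the PR has to settle.

```python
"""Evaluate a VuXML <vuln> entry against FreeBSD base-system version strings.

Added example (not from the mailing-list thread, pkg, or base-audit).
Simplified re-implementation of pkg version ordering and VuXML range matching,
sufficient for X.Y[_N][,E] versions used by FreeBSD-kernel / FreeBSD packages.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the entry added in r532291 (vuxml namespace omitted).
VULN_XML = """<vuln vid="33edcc56-83f2-11ea-92ab-00163e433440">
  <topic>FreeBSD -- ipfw invalid mbuf handling</topic>
  <affects>
    <package>
      <name>FreeBSD-kernel</name>
      <range><ge>12.1</ge><lt>12.1_4</lt></range>
      <range><ge>11.3</ge><lt>11.3_8</lt></range>
    </package>
  </affects>
</vuln>"""


def parse_pkg_version(v):
    """Split a pkg version into a comparable (epoch, components, revision) tuple.

    '12.1'      -> (0, [(0, 12), (0, 1)], 0)
    '12.1_4'    -> (0, [(0, 12), (0, 1)], 4)
    '12.1_4,1'  -> (1, [(0, 12), (0, 1)], 4)
    Numeric components sort as (0, int); anything else as (1, str), which is
    enough for release-style versions (an assumption of this example).
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in v.split(".")]
    return epoch, parts, revision


def freebsd_version_to_pkg(fv):
    """Map `freebsd-version` output to the package version form seen in the audit.

    Assumed mapping (consistent with 'FreeBSD-kernel-12.1_3' in the report):
      12.1-RELEASE     -> 12.1
      12.1-RELEASE-p4  -> 12.1_4
    """
    m = re.fullmatch(r"(\d+\.\d+)-RELEASE(?:-p(\d+))?", fv.strip())
    if not m:
        raise ValueError(f"unsupported version string: {fv!r}")
    base, patch = m.groups()
    return f"{base}_{patch}" if patch and int(patch) > 0 else base


_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def affected_ranges(vuln_xml, pkgname, pkgversion):
    """Return a textual summary of every <range> that pkgname-pkgversion satisfies."""
    root = ET.fromstring(vuln_xml)
    have = parse_pkg_version(pkgversion)
    hits = []
    for package in root.iter("package"):
        names = {n.text.strip() for n in package.findall("name")}
        if pkgname not in names:
            continue
        for rng in package.findall("range"):
            conds = [(c.tag, c.text.strip()) for c in rng]
            # All conditions of a single <range> must hold (VuXML semantics).
            if conds and all(_OPS[op](have, parse_pkg_version(b)) for op, b in conds):
                hits.append(" ".join(f"{op}:{b}" for op, b in conds))
    return hits


def is_vulnerable(vuln_xml, pkgname, pkgversion):
    """True when any <range> of the entry covers pkgname-pkgversion."""
    return bool(affected_ranges(vuln_xml, pkgname, pkgversion))


if __name__ == "__main__":
    # The three version strings visible in the report, evaluated against the entry.
    checks = [
        ("audit reported", "12.1_3"),
        ("freebsd-version -u", freebsd_version_to_pkg("12.1-RELEASE-p3")),
        ("freebsd-version -k", freebsd_version_to_pkg("12.1-RELEASE-p4")),
    ]
    for label, ver in checks:
        state = "VULNERABLE" if is_vulnerable(VULN_XML, "FreeBSD-kernel", ver) else "not affected"
        print(f"{label:20} FreeBSD-kernel-{ver}: {state}")
```

Run as-is, the script shows that `12.1_3` (what the audit reported, and what the userland string `12.1-RELEASE-p3` maps to) satisfies `ge:12.1 lt:12.1_4`, while `12.1_4` (what the kernel string `12.1-RELEASE-p4` maps to) does not. Pointing it at a real `vuln.xml` requires adding the `{http://www.vuxml.org/2002/vuxml}` namespace prefix to the tag names in `affected_ranges`.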