Date: Tue, 24 May 2011 15:22:53 -0700
From: "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To: Brooks Davis <brooks@FreeBSD.org>
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml ports/www/mod_pubcookie Makefile ports/www/pubcookie-login-server Makefile
Message-ID: <4DDC2FBD.2020607@p6m7g8.com>
In-Reply-To: <201105232304.p4NN4fC3090700@repoman.freebsd.org>
References: <201105232304.p4NN4fC3090700@repoman.freebsd.org>
Thank lord, these pubcookie ports were quite complex!

On 5/23/2011 4:04 PM, Brooks Davis wrote:
> brooks 2011-05-23 23:04:41 UTC
>
> FreeBSD ports repository
>
> Modified files:
> security/vuxml vuln.xml
> www/mod_pubcookie Makefile
> www/pubcookie-login-server Makefile
> Log:
> Partially address several years of neglect of pubcookie. Indicate the
> security issues in the two ports.
>
> I've not used pubcookie in several years and given the lack of complaint
> about the deprecation of mod_pubcookie, I doubt anyone else uses it from
> ports. The mod_pubcookie port has already expired and I've set a two
> week expiration for pubcookie-login-server. If no maintainer
> appears I will send both to the Attic on June 6th.
>
> While I'm here, address the use of CONF_FILES and CONF_DIRS in
> pubcookie-login-server to avoid getting in the way of progress. [0]
>
> PR: ports/157164 [0]
> Security: vuxml:115a1389-858e-11e0-a76c-000743057ca2
> vuxml:1ca8228f-858d-11e0-a76c-000743057ca2
>
> Revision Changes Path
> 1.2365 +67 -1 ports/security/vuxml/vuln.xml
> 1.8 +1 -0 ports/www/mod_pubcookie/Makefile
> 1.8 +11 -6 ports/www/pubcookie-login-server/Makefile
>
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.2364&r2=1.2365&f=h
> | --- ports/security/vuxml/vuln.xml 2011/05/23 22:22:43 1.2364
> | +++ ports/security/vuxml/vuln.xml 2011/05/23 23:04:41 1.2365
> |
@@ -28,12 +28,78 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O > | OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, > | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > | > | - $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2364 2011/05/23 22:22:43 ohauer Exp $ > | + $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2365 2011/05/23 23:04:41 brooks Exp $ > | > | Note: Please add new entries to the beginning of this file. > | > | --> > | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > | + <vuln vid="115a1389-858e-11e0-a76c-000743057ca2"> > | + <topic>Pubcookie Login Server -- XSS Vulnerability</topic> > | + <affects> > | + <package> > | + <name>pubcookie-login-server</name> > | + <range><lt>3.3.2d</lt></range> > | + </package> > | + </affects> > | + <description> > | + <body xmlns="http://www.w3.org/1999/xhtml"> > | + <p>Nathan Dors, Pubcookie Project reports:</p> > | + <blockquote cite="http://pubcookie.org/news/20070606-login-secadv.html"> > | + <p>A new non-persistent XSS vulnerability was found in the > | + Pubcookie login server's compiled binary "index.cgi" CGI > | + program. The CGI program mishandles untrusted data when > | + printing responses to the browser. This makes the program > | + vulnerable to carefully crafted requests containing script > | + or HTML. 
If an attacker can lure an unsuspecting user to > | + visit carefully staged content, the attacker can use it to > | + redirect the user to his or her local Pubcookie login page > | + and attempt to exploit the XSS vulnerability.</p> > | + </blockquote> > | + </body> > | + </description> > | + <references> > | + <url>http://pubcookie.org/news/20070606-login-secadv.html</url> > | + </references> > | + <dates> > | + <discovery>2007-05-25</discovery> > | + <entry>2011-05-23</entry> > | + </dates> > | + </vuln> > | + > | + <vuln vid="1ca8228f-858d-11e0-a76c-000743057ca2"> > | + <topic>mod_pubcookie -- Empty Authentication Security Advisory</topic> > | + <affects> > | + <package> > | + <name>ap*-mod_pubcookie</name> > | + <range>><ge>3.1.0</ge><lt>3.3.2b</lt></range> > | + </package> > | + </affects> > | + <description> > | + <body xmlns="http://www.w3.org/1999/xhtml"> > | + <p>Nathan Dors, Pubcookie Project reports:</p> > | + <blockquote cite="http://pubcookie.org/news/20061106-empty-auth-secadv.html"> > | + <p>An Abuse of Functionality vulnerability in the Pubcookie > | + authentication process was found. This vulnerability > | + allows an attacker to appear as if he or she were > | + authenticated using an empty userid when such a userid > | + isn't expected. 
Unauthorized access to web content and > | + applications may result where access is restricted to > | + users who can authenticate successfully but where no > | + additional authorization is performed after > | + authentication.</p> > | + </blockquote> > | + </body> > | + </description> > | + <references> > | + <url>http://pubcookie.org/news/20061106-empty-auth-secadv.html</url> > | + </references> > | + <dates> > | + <discovery>2006-10-04</discovery> > | + <entry>2011-05-23</entry> > | + </dates> > | + </vuln> > | + > | <vuln vid="7af2fb85-8584-11e0-96b7-00300582f9fc"> > | <topic>ViewVC -- user-reachable override of cvsdb row limit</topic> > | <affects> > http://cvsweb.FreeBSD.org/ports/www/mod_pubcookie/Makefile.diff?r1=1.7&r2=1.8&f=h > | --- ports/www/mod_pubcookie/Makefile 2010/12/12 08:44:49 1.7 > | +++ ports/www/mod_pubcookie/Makefile 2011/05/23 23:04:41 1.8 > | @@ -2,7 +2,7 @@ > | # Date created: Sat Jan 21, 2006 > | # Whom: Brooks Davis <brooks@freebsd.org> > | # > | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.7 2010/12/12 08:44:49 pgollucci Exp $ > | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $ > | # > | > | PORTNAME= pubcookie > | @@ -17,6 +17,7 @@ COMMENT= A single sign-on system for web > | > | MAKE_JOBS_UNSAFE= yes > | > | +FORBIDDEN= vuxml:1ca8228f-858d-11e0-a76c-000743057ca2 > | DEPRECATED= will be unsupported by ASF when 2.4.0 is release, migrate to 2.2.x+ now > | EXPIRATION_DATE= 2011-05-01 > | > http://cvsweb.FreeBSD.org/ports/www/pubcookie-login-server/Makefile.diff?r1=1.7&r2=1.8&f=h > | --- ports/www/pubcookie-login-server/Makefile 2011/02/25 01:32:11 1.7 > | +++ ports/www/pubcookie-login-server/Makefile 2011/05/23 23:04:41 1.8 > | 
@@ -2,7 +2,7 @@ > | # Date created: Sat Jan 21, 2006 > | # Whom: Brooks Davis <brooks@freebsd.org> > | # > | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.7 2011/02/25 01:32:11 delphij Exp $ > | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $ > | # > | > | PORTNAME= pubcookie > | @@ -16,6 +16,10 @@ DISTNAME= ${PORTNAME}-3.3.0a > | MAINTAINER= brooks@FreeBSD.org > | COMMENT= A single sign-on system for websites (login server) > | > | +FORBIDDEN= vuxml:115a1389-858e-11e0-a76c-000743057ca2 > | +DEPRECATED= Unused by maintiner, needs updates. > | +EXPIRATION_DATE= 2011-06-06 > | + > | CONFLICTS= mod_pubcookie-[0-9]* > | > | OPTIONS= LDAP "Enable LDAP verifier" on \ > | 
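Review bot: the added `DEPRECATED= Unused by maintiner, needs updates.` line in the @@ -16,6 +16,10 @@ hunk misspells "maintainer"; this string is what every user sees when the port is built or indexed, so it should read `DEPRECATED= Unused by maintainer, needs updates.` before it lands.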
@@ -35,15 +39,16 @@ PC_BASE?= ${PORTNAME} > | PC_DIR= ${PREFIX}/${PC_BASE} > | > | SUB_FILES+= pkg-install > | -SUB_LIST+= CONF_FILES="${CONF_FILES}" CONF_DIRS="${CONF_DIRS}" > | +SUB_LIST+= CONF_FILES="${PUBCOOKIE_CONF_FILES}" \ > | + CONF_DIRS="${PUBCOOKIE_CONF_DIRS}" > | PKGINSTALL= ${WRKDIR}/pkg-install > | PKGDEINSTALL= ${PKGINSTALL} > | .include "${.CURDIR}/Makefile.templates" > | -CONF_FILES+= ${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|} > | -CONF_DIRS+= ${PC_BASE}/login_templates > | -CONF_FILES+= ${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|} > | -CONF_DIRS+= ${PC_BASE}/login/images > | -CONF_FILES+= ${PC_BASE}/config.login.sample:${PC_BASE}/config > | +PUBCOOKIE_CONF_FILES+= ${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|} > | +PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login_templates > | +PUBCOOKIE_CONF_FILES+= ${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|} > | +PUBCOOKIE_PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images > | +PUBCOOKIE_CONF_FILES+= ${PC_BASE}/config.login.sample:${PC_BASE}/config > | > | # XXX Add Kerberos > | -- ------------------------------------------------------------------------ 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Sr. System Admin, Ridecharge Inc. Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
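Review bot: in the @@ -35,15 +39,16 @@ hunk, `PUBCOOKIE_PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images` doubles the prefix, so `${PC_BASE}/login/images` never reaches `PUBCOOKIE_CONF_DIRS` and is silently dropped from the `CONF_DIRS` value that `SUB_LIST` hands to pkg-install, even though the `PUBCOOKIE_CONF_FILES` entry for `LOGIN_IMAGES` still installs into that directory. It should be `PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images`, matching the `${PC_BASE}/login_templates` line above it.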
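Review bot: in the vuln.xml hunk, the mod_pubcookie entry's `<range>><ge>3.1.0</ge><lt>3.3.2b</lt></range>` carries a stray `>` after `<range>`, which places literal text inside an element that should contain only the `<ge>`/`<lt>` bounds; it should read `<range><ge>3.1.0</ge><lt>3.3.2b</lt></range>`, and the document is worth validating again before the entry is relied on by the FORBIDDEN lines in both Makefiles.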