From owner-cvs-all@FreeBSD.ORG Tue May 24 22:22:53 2011
Message-ID: <4DDC2FBD.2020607@p6m7g8.com>
Date: Tue, 24 May 2011 15:22:53 -0700
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
To: Brooks Davis
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
References: <201105232304.p4NN4fC3090700@repoman.freebsd.org>
In-Reply-To: <201105232304.p4NN4fC3090700@repoman.freebsd.org>
Subject: Re: cvs commit: ports/security/vuxml vuln.xml ports/www/mod_pubcookie Makefile ports/www/pubcookie-login-server Makefile

Thank the lord, these pubcookie ports were quite complex!

On 5/23/2011 4:04 PM, Brooks Davis wrote:
> brooks 2011-05-23 23:04:41 UTC
>
> FreeBSD ports repository
>
> Modified files:
> security/vuxml vuln.xml
> www/mod_pubcookie Makefile
> www/pubcookie-login-server Makefile
> Log:
> Partially address several years of neglect of pubcookie. Indicate the
> security issues in two ports.
>
> I've not used pubcookie in several years and given the lack of complaint
> about the deprecation of mod_pubcookie, I doubt anyone else uses it from
> ports. The mod_pubcookie port has already expired and I've set a two
> week expiration for pubcookie-login-server. If no maintainer
> appears I will send both to the Attic on June 6th.
>
> While I'm here, address the use of CONF_FILES and CONF_DIRS in
> pubcookie-login-server to avoid getting in the way of progress.
[0] > > PR: ports/157164 [0] > Security: vuxml:115a1389-858e-11e0-a76c-000743057ca2 > vuxml:1ca8228f-858d-11e0-a76c-000743057ca2 > > Revision Changes Path > 1.2365 +67 -1 ports/security/vuxml/vuln.xml > 1.8 +1 -0 ports/www/mod_pubcookie/Makefile > 1.8 +11 -6 ports/www/pubcookie-login-server/Makefile > > http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.2364&r2=1.2365&f=h > | --- ports/security/vuxml/vuln.xml 2011/05/23 22:22:43 1.2364 > | +++ ports/security/vuxml/vuln.xml 2011/05/23 23:04:41 1.2365 > | @@ -28,12 +28,78 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O > | OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, > | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > | > | - $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2364 2011/05/23 22:22:43 ohauer Exp $ > | + $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2365 2011/05/23 23:04:41 brooks Exp $ > | > | Note: Please add new entries to the beginning of this file. > | > | --> > | > | + > | + Pubcookie Login Server -- XSS Vulnerability > | + > | + > | + pubcookie-login-server > | + 3.3.2d > | + > | + > | + > | + > | +

Nathan Dors, Pubcookie Project reports:

> | +
> | +

A new non-persistent XSS vulnerability was found in the > | + Pubcookie login server's compiled binary "index.cgi" CGI > | + program. The CGI program mishandles untrusted data when > | + printing responses to the browser. This makes the program > | + vulnerable to carefully crafted requests containing script > | + or HTML. If an attacker can lure an unsuspecting user to > | + visit carefully staged content, the attacker can use it to > | + redirect the user to his or her local Pubcookie login page > | + and attempt to exploit the XSS vulnerability.

> | +
> | + > | +
> | + > | + http://pubcookie.org/news/20070606-login-secadv.html > | + > | + > | + 2007-05-25 > | + 2011-05-23 > | + > | +
> | + > | + > | + mod_pubcookie -- Empty Authentication Security Advisory > | + > | + > | + ap*-mod_pubcookie > | + >3.1.03.3.2b > | + > | + > | + > | + > | +

Nathan Dors, Pubcookie Project reports:

> | +
> | +

An Abuse of Functionality vulnerability in the Pubcookie > | + authentication process was found. This vulnerability > | + allows an attacker to appear as if he or she were > | + authenticated using an empty userid when such a userid > | + isn't expected. Unauthorized access to web content and > | + applications may result where access is restricted to > | + users who can authenticate successfully but where no > | + additional authorization is performed after > | + authentication.

> | +
> | + > | +
> | + > | + http://pubcookie.org/news/20061106-empty-auth-secadv.html > | + > | + > | + 2006-10-04 > | + 2011-05-23 > | + > | +
> | + > | > | ViewVC -- user-reachable override of cvsdb row limit > | > http://cvsweb.FreeBSD.org/ports/www/mod_pubcookie/Makefile.diff?r1=1.7&r2=1.8&f=h > | --- ports/www/mod_pubcookie/Makefile 2010/12/12 08:44:49 1.7 > | +++ ports/www/mod_pubcookie/Makefile 2011/05/23 23:04:41 1.8 > | @@ -2,7 +2,7 @@ > | # Date created: Sat Jan 21, 2006 > | # Whom: Brooks Davis > | # > | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.7 2010/12/12 08:44:49 pgollucci Exp $ > | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $ > | # > | > | PORTNAME= pubcookie > | @@ -17,6 +17,7 @@ COMMENT= A single sign-on system for web > | > | MAKE_JOBS_UNSAFE= yes > | > | +FORBIDDEN= vuxml:1ca8228f-858d-11e0-a76c-000743057ca2 > | DEPRECATED= will be unsupported by ASF when 2.4.0 is release, migrate to 2.2.x+ now > | EXPIRATION_DATE= 2011-05-01 > | > http://cvsweb.FreeBSD.org/ports/www/pubcookie-login-server/Makefile.diff?r1=1.7&r2=1.8&f=h > | --- ports/www/pubcookie-login-server/Makefile 2011/02/25 01:32:11 1.7 > | +++ ports/www/pubcookie-login-server/Makefile 2011/05/23 23:04:41 1.8 > | @@ -2,7 +2,7 @@ > | # Date created: Sat Jan 21, 2006 > | # Whom: Brooks Davis > | # > | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.7 2011/02/25 01:32:11 delphij Exp $ > | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $ > | # > | > | PORTNAME= pubcookie > | @@ -16,6 +16,10 @@ DISTNAME= ${PORTNAME}-3.3.0a > | MAINTAINER= brooks@FreeBSD.org > | COMMENT= A single sign-on system for websites (login server) > | > | +FORBIDDEN= vuxml:115a1389-858e-11e0-a76c-000743057ca2 > | +DEPRECATED= Unused by maintiner, needs updates. > | +EXPIRATION_DATE= 2011-06-06 > | + > | CONFLICTS= mod_pubcookie-[0-9]* > | > | OPTIONS= LDAP "Enable LDAP verifier" on \ > | 
@@ -35,15 +39,16 @@ PC_BASE?= ${PORTNAME} > | PC_DIR= ${PREFIX}/${PC_BASE} > | > | SUB_FILES+= pkg-install > | -SUB_LIST+= CONF_FILES="${CONF_FILES}" CONF_DIRS="${CONF_DIRS}" > | +SUB_LIST+= CONF_FILES="${PUBCOOKIE_CONF_FILES}" \ > | + CONF_DIRS="${PUBCOOKIE_CONF_DIRS}" > | PKGINSTALL= ${WRKDIR}/pkg-install > | PKGDEINSTALL= ${PKGINSTALL} > | .include "${.CURDIR}/Makefile.templates" > | -CONF_FILES+= ${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|} > | -CONF_DIRS+= ${PC_BASE}/login_templates > | -CONF_FILES+= ${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|} > | -CONF_DIRS+= ${PC_BASE}/login/images > | -CONF_FILES+= ${PC_BASE}/config.login.sample:${PC_BASE}/config > | +PUBCOOKIE_CONF_FILES+= ${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|} > | +PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login_templates > | +PUBCOOKIE_CONF_FILES+= ${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|} > | +PUBCOOKIE_PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images > | +PUBCOOKIE_CONF_FILES+= ${PC_BASE}/config.login.sample:${PC_BASE}/config > | > | # XXX Add Kerberos > | -- ------------------------------------------------------------------------ 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Sr. System Admin, Ridecharge Inc. Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
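Review bot: in the vuln.xml hunk the affected-version bounds are not readable as quoted: the pubcookie-login-server entry shows only "3.3.2d" and the ap*-mod_pubcookie entry shows ">3.1.03.3.2b" run together, so the range elements appear to have been lost between the commit and this message; please confirm the committed entries carry an explicit lower and upper bound on each range. The login-server port builds DISTNAME ${PORTNAME}-3.3.0a (visible in its Makefile hunk), which is inside the range on either reading, so marking it FORBIDDEN is consistent. Worth stating plainly in review: the second entry is effectively an authentication bypass (an empty userid accepted as authenticated), and the entry text correctly scopes the exposure to sites that perform no authorization of their own after pubcookie authentication.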
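Review bot: in the mod_pubcookie Makefile hunk the FORBIDDEN id (vuxml:1ca8228f-858d-11e0-a76c-000743057ca2) is the empty-authentication entry and the login-server port gets the XSS id (vuxml:115a1389-858e-11e0-a76c-000743057ca2), so the ids are paired with the right ports. Since the unchanged EXPIRATION_DATE= 2011-05-01 had already passed when this was committed, FORBIDDEN here mainly protects users whose ports tree still carries the expired port, which is fine, but the unchanged DEPRECATED text ("when 2.4.0 is release") could read "released" if the port is touched again before the Attic.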
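Review bot: typo in a user-visible string in the @@ -16,6 +16,10 @@ hunk of pubcookie-login-server/Makefile: `+DEPRECATED= Unused by maintiner, needs updates.` should read "maintainer"; this text is printed to everyone who builds the port, so it is worth correcting even with the 2011-06-06 expiration two weeks out.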
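Review bot: the rename in the @@ -35,15 +39,16 @@ hunk is wrong on one line: `+PUBCOOKIE_PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images` has the prefix doubled, so ${PC_BASE}/login/images is never appended to PUBCOOKIE_CONF_DIRS and the CONF_DIRS value that SUB_LIST now passes into pkg-install loses that directory compared with the removed `-CONF_DIRS+= ${PC_BASE}/login/images` line. Change it to `+PUBCOOKIE_CONF_DIRS+= ${PC_BASE}/login/images` so the install/deinstall script sees the same directory list as before the rename.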