Date: Thu, 04 Jun 2020 17:09:16 -0400
From: "Dan Langille" <dan@langille.org>
To: "Wen Heping" <wen@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r537897 - head/security/vuxml
Message-ID: <245b0bdf-1e62-4ae4-b89d-6a7440d13915@www.fastmail.com>
In-Reply-To: <202006041425.054EPDUN035365@repo.freebsd.org>
References: <202006041425.054EPDUN035365@repo.freebsd.org>
On Thu, Jun 4, 2020, at 10:25 AM, Wen Heping wrote: > Author: wen > Date: Thu Jun 4 14:25:13 2020 > New Revision: 537897 > URL: https://svnweb.freebsd.org/changeset/ports/537897 > > Log: > - Document Django multiple vulnerabilities > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Thu Jun 4 13:59:06 2020 (r537896) > +++ head/security/vuxml/vuln.xml Thu Jun 4 14:25:13 2020 (r537897) 
> @@ -58,6 +58,49 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > + <vuln vid="597d02ce-a66c-11ea-af32-080027846a02"> > + <topic>Django -- multiple vulnerabilities</topic> > + <affects> > + <package> > + <name>py36-django22</name> > + <name>py37-django22</name> > + <name>py38-django22</name> > + <range><lt>2.2.13</lt></range> > + </package> > + <package> > + <name>py36-django22</name> > + <name>py37-django22</name> > + <name>py38-django22</name> > + <range><lt>3.0.7</lt></range> Are those the correct names for 3.0.7? Should they be django30 not django22? I ask because it seems to duplicate the previous names and makes my fixed version vuln: $ pkg audit py37-django22-2.2.13 is vulnerable: Django -- multiple vulnerabilities CVE: CVE-2020-13596 CVE: CVE-2020-13254 WWW: https://vuxml.FreeBSD.org/freebsd/597d02ce-a66c-11ea-af32-080027846a02.html 1 problem(s) in 1 installed package(s) found. > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml"> > + <p>Django security release reports:</p> > + <blockquote > cite="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"> > + <p>CVE-2020-13254: Potential data leakage via malformed memcached > keys</p> > + <p>In cases where a memcached backend does not perform key > validation, passing > + malformed cache keys could result in a key collision, and potential > data leakage. > + In order to avoid this vulnerability, key validation is added to > the memcached > + cache backends.</p> > + <p>CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget</p> > + <p>Query parameters for the admin ForeignKeyRawIdWidget were not > properly URL > + encoded, posing an XSS attack vector. 
ForeignKeyRawIdWidget now > ensures query > + parameters are correctly URL encoded.</p> > + </blockquote> > + </body> > + </description> > + <references> > + > <url>https://www.djangoproject.com/weblog/2020/jun/03/security-releases/</url> > + <cvename>CVE-2020-13254</cvename> > + <cvename>CVE-2020-13596</cvename> > + </references> > + <dates> > + <discovery>2020-06-01</discovery> > + <entry>2020-06-04</entry> > + </dates> > + </vuln> > + > <vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3"> > <topic>malicious URLs may present credentials to wrong > server</topic> > <affects> > -- Dan Langille dan@langille.org
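Review bot: the second `<package>` block in the new `<vuln>` entry lists the same three names as the first one (`py36-django22`, `py37-django22`, `py38-django22`) but pairs them with `<range><lt>3.0.7</lt></range>`, so every django22 package below 3.0.7, including the fixed 2.2.13 that the first block deliberately excludes, is reported as vulnerable; this is exactly what the quoted `pkg audit` output for `py37-django22-2.2.13` shows. The second block should name the 3.0 branch ports (the django30 variants Dan suggests) so that the `<lt>3.0.7</lt>` range only applies to that branch and the `<lt>2.2.13</lt>` range only to django22.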