Date:      Mon, 16 Sep 2019 13:29:40 +0200
From:      Tobias Kortkamp <tobik@freebsd.org>
To:        Kurt Jaeger <pi@freebsd.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r512164 - head/security/vuxml
Message-ID:  <20190916112940.GA41159@urd.tobik.me>
In-Reply-To: <201909161119.x8GBJp2J090730@repo.freebsd.org>
References:  <201909161119.x8GBJp2J090730@repo.freebsd.org>



On Mon, Sep 16, 2019 at 11:19:51AM +0000, Kurt Jaeger wrote:
> Author: pi
> Date: Mon Sep 16 11:19:51 2019
> New Revision: 512164
> URL: https://svnweb.freebsd.org/changeset/ports/512164
>
> Log:
>   security/vuxml: document expat2 pre-2.2.7 vulnerability
>
>   PR:		238864
>   Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com>
>
> Modified:
>   head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> ===================================================================
> --- head/security/vuxml/vuln.xml	Mon Sep 16 11:18:54 2019	(r512163)
> +++ head/security/vuxml/vuln.xml	Mon Sep 16 11:19:51 2019	(r512164)
> @@ -58,6 +58,36 @@ Notes:
>    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> +  <vuln vid="c5bd8a25-99a6-11e9-a598-f079596b62f9">
> +    <topic>expat2 -- Fix extraction of namespace prefixes from XML names</topic>
> +    <affects>
> +      <package>
> +	<name>expat2</name>
> +	<range><lt>2.2.7</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>expat project reports:</p>
> +	<blockquote cite="https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes">
> +	  <p>
> +	    XML names with multiple colons could end up in the
> +	    wrong namespace, and take a high amount of RAM and CPU
> +	    resources while processing, opening the door to
> +	    use for denial-of-service attacks
> +	  </p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <url>https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes</url>
> +    </references>
> +    <dates>
> +      <discovery>2019-06-19</discovery>
> +      <entry>2019-06-28</entry>

Wrong date and package name.  The entry has happened only today and
textproc/expat2 has a PKGBASE of just 'expat'.
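The two problems raised in this reply, the `<entry>` date not matching the commit date and the package `<name>` not being the port's PKGBASE, are mechanical enough to lint before committing. The script below is an added example, not code from the FreeBSD ports tree or from the vuxml tooling: the entry text is constructed from the quoted hunk, the commit date is taken from the quoted commit header, and the PKGBASE value for textproc/expat2 is an assumption taken from the reply (on a real ports tree it would come from `make -V PKGBASE -C /usr/ports/textproc/expat2`). The version-string regex is a simplified approximation of the ports version format, also an assumption.

```python
"""Lint a VuXML <vuln> entry for the problems raised in this thread.

Added example: not code from the FreeBSD ports tree or the vuxml tooling.
The entry below is constructed from the quoted hunk; the commit date comes
from the quoted commit header; the PKGBASE for textproc/expat2 is an
assumption taken from the reply.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
XHTML_NS = "http://www.w3.org/1999/xhtml"
NS = {"v": VUXML_NS}
ET.register_namespace("", VUXML_NS)      # serialise vuxml elements unprefixed
ET.register_namespace("xhtml", XHTML_NS)

# Constructed from the quoted hunk of r512164.
ENTRY_AS_COMMITTED = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="c5bd8a25-99a6-11e9-a598-f079596b62f9">
    <topic>expat2 -- Fix extraction of namespace prefixes from XML names</topic>
    <affects>
      <package>
        <name>expat2</name>
        <range><lt>2.2.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>expat project reports:</p>
        <blockquote cite="https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes">
          <p>XML names with multiple colons could end up in the wrong namespace,
          and take a high amount of RAM and CPU resources while processing,
          opening the door to use for denial-of-service attacks</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes</url>
    </references>
    <dates>
      <discovery>2019-06-19</discovery>
      <entry>2019-06-28</entry>
    </dates>
  </vuln>
</vuxml>
"""

COMMIT_DATE = date(2019, 9, 16)                    # from the quoted commit header
PKGBASE_BY_ORIGIN = {"textproc/expat2": "expat"}   # assumption taken from the reply

VID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
# Assumed, simplified shape of a ports version: VERSION[_REVISION][,EPOCH]
PKGVERSION_RE = re.compile(r"[0-9A-Za-z.+]+(_[0-9]+)?(,[0-9]+)?")


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def lint_entry(xml_text, origin, commit_date, pkgbase_by_origin=PKGBASE_BY_ORIGIN):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    expected_name = pkgbase_by_origin[origin]
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        vid = vuln.get("vid", "")
        if not VID_RE.fullmatch(vid):
            findings.append(f"{vid!r}: vid is not a lowercase UUID")
        # pkg audit matches on the installed package name (PKGBASE), so the
        # <name> must be that, not the port directory name.
        for name_el in vuln.findall("v:affects/v:package/v:name", NS):
            name = (name_el.text or "").strip()
            if name != expected_name:
                findings.append(f"{vid}: package name {name!r} is not PKGBASE "
                                f"{expected_name!r} of {origin}")
        for bound in vuln.findall(".//v:range/*", NS):
            ver = (bound.text or "").strip()
            if not PKGVERSION_RE.fullmatch(ver):
                findings.append(f"{vid}: range bound {ver!r} is not a ports version")
        discovery = date.fromisoformat(_text(vuln, "v:dates/v:discovery"))
        entry = date.fromisoformat(_text(vuln, "v:dates/v:entry"))
        if entry != commit_date:
            findings.append(f"{vid}: <entry> {entry} is not the commit date {commit_date}")
        if entry < discovery:
            findings.append(f"{vid}: <entry> {entry} precedes <discovery> {discovery}")
    return findings


def fix_entry(xml_text, origin, commit_date, pkgbase_by_origin=PKGBASE_BY_ORIGIN):
    """Rewrite <name> to PKGBASE and <entry> to the commit date; return the XML."""
    root = ET.fromstring(xml_text)
    for name_el in root.findall(".//v:affects/v:package/v:name", NS):
        name_el.text = pkgbase_by_origin[origin]
    for entry_el in root.findall(".//v:dates/v:entry", NS):
        entry_el.text = commit_date.isoformat()
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_entry(ENTRY_AS_COMMITTED, "textproc/expat2", COMMIT_DATE):
        print("FINDING:", finding)
    print(fix_entry(ENTRY_AS_COMMITTED, "textproc/expat2", COMMIT_DATE))
```

Run against the entry as committed it reports exactly the two findings from this reply; after `fix_entry` the same lint returns nothing. The PKGBASE lookup is the part that matters in practice, since an entry whose `<name>` never matches an installed package is silently useless to `pkg audit`.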
