From nobody Mon Nov 17 00:59:04 2025
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d8qBd1h3gz6GBtT;
	Mon, 17 Nov 2025 00:59:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4d8qBd0kWJz3p3L;
	Mon, 17 Nov 2025 00:59:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1763341145;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=FBh8deI8HDvVuLUh6logRpbnBscB9qZ0RAw8ulTxjFw=;
	b=NFv9Q0vkzDguFlnAwDeVZ58qeQruS8tVFy5Bfx263ojsE01ECSslKnKUrCHZa6HHqZT2Bk
	Zs86kYDyr1x+dRYmPh94LYCnGSA5+PFyQZ4rdj6EjT2si4jfTjJSGd7cKn+0NKkeZzdcJk
	T2zkCS8+VpVC4qC82DMTvlQ2K+KTt/7VVwbvl5yii/gCOuB7Eb3Mk28qkSuFVmlElOFlpa
	B1wKGa7xcXeJJYlGb8Kv3ruaZA39JSki51PJimcKdTqEbKc4hR5S0iSDKQtLp4t71Z7Gf+
	1iIt0i4OIZIliUI12ijWoTkn7rJk4wIWbxJAf6bfTfyVp+EtI3tDmViQa4SNQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1763341145;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=FBh8deI8HDvVuLUh6logRpbnBscB9qZ0RAw8ulTxjFw=;
	b=R+kZIQdt1g5VArLxrLmCePgBivMt0KQgNvFljuOQEsvu2W4XrexMdEkbqyURPF6zYiws6K
	QK3EPaKapH5BIi8fVyl3RewL2miYWxSENV+VdrArXpR4ZuY9/MprPYEHNhRRhoidoCiBey
	23xbd5k4/Tc6kMUvFyYxeU9CWkLvwSGhney5DBQZeas/fKEZKMZm39fSoiuv6fLsu41C3Y
	XnLJ5XxA0jVldpSQ7ut2xP1UY+uGkudzxC25YJVCgvvXfVC772Kiinf7AE8MyizbgdE+LE
	UbBW+qILPy4+1HKPUO0FNygzNkMnFwTHjPtt94YM2TlsxJ98DlWIexGnth6iSQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1763341145; a=rsa-sha256; cv=none;
	b=t8rcRcwE8UdJp+KuzyH7L/pyre1DuyCU/LQ3poVQWGTP7r6BqARvk1jQXGjfF7Q/uSjygj
	cGi4XGz09EFMNdEGdCj0a4FR0CFq6KrtnBNpivM3PSCzZWHlbTWol7L7pamrE2fASVyQW/
	K1ROOvdZJ8uQfryUR8v9k60KWtAtlS/fzm2cYEc9UCEXKe5OSa/5/1IeCf97iN9QAG3RpC
	GmDZjTDEM+bFToGIrL0MT5stFf14S1R9Eu21kzUYfgqIYvdaCeRwl5AivOiuqSCquwq7/r
	vj6Z+JQSVn+qdmp9kEVez1zMXgTDDVcR2jbjT39YoKe2Fj3i75r+5EEkwIPtIg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d8qBd08znz12XN;
	Mon, 17 Nov 2025 00:59:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5AH0x4m5038448;
	Mon, 17 Nov 2025 00:59:04 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5AH0x4vv038445;
	Mon, 17 Nov 2025 00:59:04 GMT
	(envelope-from git)
Date: Mon, 17 Nov 2025 00:59:04 GMT
Message-Id: <202511170059.5AH0x4vv038445@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Koichiro Iwao <meta@FreeBSD.org>
Subject: git: b043c72cd362 - main - security/vuxml: Document sudo-rs
  < 0.2.10 vulnerabilites
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: meta
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b043c72cd36217446610d9f24745120c5cc8f2d7
Auto-Submitted: auto-generated

The branch main has been updated by meta:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b043c72cd36217446610d9f24745120c5cc8f2d7

commit b043c72cd36217446610d9f24745120c5cc8f2d7
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2025-11-16 13:13:09 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2025-11-17 00:57:07 +0000

    security/vuxml: Document sudo-rs < 0.2.10 vulnerabilites
    
    PR:             290945
---
 security/vuxml/vuln/2025.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index bc7d08dd1172..6fa3610be43d 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,70 @@
+  <vuln vid="bf6c9252-c2ec-11f0-8372-98b78501ef2a">
+    <topic>sudo-rs -- Authenticating user not recorded properly in timestamp</topic>
+    <affects>
+    <package>
+	<name>sudo-rs</name>
+	<range><ge>0.2.5</ge><lt>0.2.10</lt></range>
+	</package>
+	<package>
+	<name>sudo-rs-coexist</name>
+	<range><ge>0.2.5</ge><lt>0.2.10</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Trifecta Tech Foundation reports:</p>
+	<blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q">
+	  <p>With Defaults targetpw (or Defaults rootpw) enabled, the password of the
+	  target account (or root account) instead of the invoking user is used for authentication.
+	  sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the
+	  authenticated-as user's UID in the authentication timestamp. Any later sudo invocation
+	  on the same terminal while the timestamp was still valid would use that timestamp,
+	  potentially bypassing new authentication even if the policy would have required it.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-64517</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2025-64517</url>
+    </references>
+    <dates>
+      <discovery>2025-11-12</discovery>
+      <entry>2025-11-16</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c1ceaaea-c2e7-11f0-8372-98b78501ef2a">
+    <topic>sudo-rs -- Partial password reveal when password timeout occurs</topic>
+    <affects>
+    <package>
+	<name>sudo-rs</name>
+	<range><ge>0.2.7</ge><lt>0.2.10</lt></range>
+    </package>
+    <package>
+	<name>sudo-rs-coexist</name>
+	<range><ge>0.2.7</ge><lt>0.2.10</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Trifecta Tech Foundation reports:</p>
+	<blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw">
+	  <p>When typing partial passwords but not pressing return for a long time,
+	  a password timeout can occur. When this happens, the keys pressed are
+	  replayed onto the console.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-64170</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2025-64170</url>
+    </references>
+    <dates>
+      <discovery>2025-11-12</discovery>
+      <entry>2025-11-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="364e5fa4-c178-11f0-b614-b42e991fc52e">
     <topic>PostgreSQL -- Multiple vulnerabilities</topic>
     <affects>