From owner-dev-commits-ports-all@freebsd.org  Wed Sep 22 22:10:56 2021
Return-Path: <owner-dev-commits-ports-all@freebsd.org>
Delivered-To: dev-commits-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 14FE5672DE6;
 Wed, 22 Sep 2021 22:10:56 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4HFCDH71GVz3hkN;
 Wed, 22 Sep 2021 22:10:55 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C7C061F4B9;
 Wed, 22 Sep 2021 22:10:55 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 18MMAtpp041356;
 Wed, 22 Sep 2021 22:10:55 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 18MMAt1j041355;
 Wed, 22 Sep 2021 22:10:55 GMT (envelope-from git)
Date: Wed, 22 Sep 2021 22:10:55 GMT
Message-Id: <202109222210.18MMAt1j041355@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
 dev-commits-ports-main@FreeBSD.org
From: Craig Leres <leres@FreeBSD.org>
Subject: git: 1d63728bf1f6 - main - security/vuxml: Mark zeek < 4.0.4 as
 vulnerable as per:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: leres
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-ports-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the ports repository
 <dev-commits-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-ports-all>, 
 <mailto:dev-commits-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-ports-all/>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Help: <mailto:dev-commits-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-ports-all>, 
 <mailto:dev-commits-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2021 22:10:56 -0000

The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d63728bf1f6d2710841f5d6bee89a7905fbc7a8

commit 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2021-09-22 22:09:30 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2021-09-22 22:09:30 +0000

    security/vuxml: Mark zeek < 4.0.4 as vulnerable as per:
    
        https://github.com/zeek/zeek/releases/tag/v4.0.4
    
     - Paths from log stream make it into system() unchecked, potentially
       leading to commands being run on the system unintentionally.
       This requires either bad scripting or a malicious package to be
       installed, and is considered low severity.
    
     - Fix potential unbounded state growth in the PIA analyzer when
       receiving a connection with either a large number of zero-length
       packets, or one which continues ack-ing unseen segments. It is
       possible to run Zeek out of memory in these instances and cause
       it to crash. Due to the possibility of this happening with packets
       received from the network, this is a potential DoS vulnerability.
---
 security/vuxml/vuln-2021.xml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index f36c9d6900f2..b79e50b7a119 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,40 @@
+  <vuln vid="d4d21998-bdc4-4a09-9849-2898d9b41459">
+    <topic>zeek -- several vulnerabilities</topic>
+    <affects>
+      <package>
+	<name></name>
+	<range><lt>4.0.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Tim Wojtulewicz of Corelight reports:</p>
+	<blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.4">
+	  <p> Paths from log stream make it into system() unchecked,
+	  potentially leading to commands being run on the system
+	  unintentionally. This requires either bad scripting or a
+	  malicious package to be installed, and is considered low
+	  severity. </p>
+	  <p> Fix potential unbounded state growth in the PIA
+	  analyzer when receiving a connection with either a large
+	  number of zero-length packets, or one which continues
+	  ack-ing unseen segments. It is possible to run Zeek out
+	  of memory in these instances and cause it to crash. Due
+	  to the possibility of this happening with packets received
+	  from the network, this is a potential DoS vulnerability.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/zeek/zeek/releases/tag/v4.0.4</url>
+    </references>
+    <dates>
+      <discovery>2021-08-26</discovery>
+      <entry>2021-09-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="7bba5b3b-1b7f-11ec-b335-d4c9ef517024">
     <topic>mod_auth_mellon -- Redirect URL validation bypass</topic>
     <affects>