From nobody Tue Oct 12 13:17:08 2021
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EF8C217FA158;
	Tue, 12 Oct 2021 13:17:09 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HTGR92pTYz4WsL;
	Tue, 12 Oct 2021 13:17:09 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D42451540B;
	Tue, 12 Oct 2021 13:17:08 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19CDH8XR049841;
	Tue, 12 Oct 2021 13:17:08 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19CDH84S049840;
	Tue, 12 Oct 2021 13:17:08 GMT
	(envelope-from git)
Date: Tue, 12 Oct 2021 13:17:08 GMT
Message-Id: <202110121317.19CDH84S049840@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Dave Cottlehuber <dch@FreeBSD.org>
Subject: git: e349d6c6c522 - main - security/vuxml: add CouchDB CVE details
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: dch
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e349d6c6c52214a48c57142cf6223d55d75e5b76
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by dch:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e349d6c6c52214a48c57142cf6223d55d75e5b76

commit e349d6c6c52214a48c57142cf6223d55d75e5b76
Author:     Dave Cottlehuber <dch@FreeBSD.org>
AuthorDate: 2021-10-12 12:40:10 +0000
Commit:     Dave Cottlehuber <dch@FreeBSD.org>
CommitDate: 2021-10-12 13:16:54 +0000

    security/vuxml: add CouchDB CVE details
    
    while here, appease `make validate` indentation
    
    Security:       https://docs.couchdb.org/en/stable/cve/2021-38295.html
    Sponsored by:   SkunkWerks, GmbH
---
 security/vuxml/vuln-2021.xml | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 1f31be2f4016..82095255b54d 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,36 @@
+  <vuln vid="a7dd4c2d-77e4-46de-81a2-c453c317f9de">
+    <topic>couchdb -- user privilege escalation</topic>
+    <affects>
+      <package>
+	<name>couchdb</name>
+	<range><lt>3.1.2,2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cory Sabol reports:</p>
+    <blockquote cite="https://docs.couchdb.org/en/stable/cve/2021-38295.html">
+      <p>A malicious user with permission to create documents in a
+       database is able to attach a HTML attachment to a document.
+       If a CouchDB admin opens that attachment in a browser, e.g.
+       via the CouchDB admin interface Fauxton, any JavaScript code
+       embedded in that HTML attachment will be executed within the
+       security context of that admin. A similar route is available
+       with the already deprecated _show and _list functionality.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-39205</cvename>
+      <url>https://docs.couchdb.org/en/stable/cve/2021-38295.html</url>
+    </references>
+    <dates>
+      <discovery>2021-08-09</discovery>
+      <entry>2021-10-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9a8514f3-2ab8-11ec-b3a1-8c164582fbac">
     <topic>Ansible -- Ansible user credentials disclosure in ansible-connection module</topic>
     <affects>
@@ -38,11 +71,11 @@
       <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>Red Hat reports:</p>
 	<blockquote cite="">
-          <p>A flaw was found in Ansible Engine's ansible-connection
-            module, where sensitive information such as the Ansible
-            user credentials is disclosed by default in the traceback
-            error message. The highest threat from this vulnerability
-            is to confidentiality.</p>
+       <p>A flaw was found in Ansible Engine's ansible-connection
+       module, where sensitive information such as the Ansible
+       user credentials is disclosed by default in the traceback
+       error message. The highest threat from this vulnerability
+       is to confidentiality.</p>
 	</blockquote>
       </body>
     </description>