From owner-svn-ports-branches@FreeBSD.ORG Wed Jan 8 11:15:22 2014 Return-Path: Delivered-To: svn-ports-branches@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5392F54A; Wed, 8 Jan 2014 11:15:22 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 2548F1D72; Wed, 8 Jan 2014 11:15:22 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s08BFMcj034783; Wed, 8 Jan 2014 11:15:22 GMT (envelope-from bapt@svn.freebsd.org) Received: (from bapt@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id s08BFLON034781; Wed, 8 Jan 2014 11:15:21 GMT (envelope-from bapt@svn.freebsd.org) Message-Id: <201401081115.s08BFLON034781@svn.freebsd.org> From: Baptiste Daroussin Date: Wed, 8 Jan 2014 11:15:21 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r339091 - in branches/2014Q1: security/vuxml www/openx X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jan 2014 11:15:22 -0000 Author: bapt Date: Wed Jan 8 11:15:21 2014 New Revision: 339091 URL: http://svnweb.freebsd.org/changeset/ports/339091 Log: MFH: r337204 - mark as FORBIDDEN (zero day SQL vuln) Security: CVE-2013-7149 Modified: branches/2014Q1/security/vuxml/vuln.xml branches/2014Q1/www/openx/Makefile Directory Properties: branches/2014Q1/ (props changed) Modified: branches/2014Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q1/security/vuxml/vuln.xml Wed Jan 8 11:08:29 2014 (r339090) +++ branches/2014Q1/security/vuxml/vuln.xml Wed Jan 8 11:15:21 2014 (r339091) @@ -51,6 +51,42 @@ Note: Please add new entries to the beg --> + + OpenX -- SQL injection vulnerability + + + openx + 3.0.2 + + + + +

Revive reports:

+
An SQL-injection vulnerability was recently discovered and reported + to the Revive Adserver team by Florian Sander. The vulnerability is + known to be already exploited to gain unauthorised access to the + application using brute force mechanisms, however other kind of + attacks might be possible and/or already in use. The risk is rated + to be critical as the most common end goal of the attackers is to + spread malware to the visitors of all the websites and ad networks + that the ad server is being used on.
+
The vulnerability is also present and exploitable in OpenX Source + 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.
+

+ + + + http://www.revive-adserver.com/security/revive-sa-2013-001/ + http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/ + CVE-2013-7149 + + + 2013-12-20 + 2013-12-22 + + + cURL library -- cert name check ignore with GnuTLS Modified: branches/2014Q1/www/openx/Makefile ============================================================================== --- branches/2014Q1/www/openx/Makefile Wed Jan 8 11:08:29 2014 (r339090) +++ branches/2014Q1/www/openx/Makefile Wed Jan 8 11:15:21 2014 (r339091) @@ -11,6 +11,8 @@ COMMENT= Free, opensource ad server in P LICENSE= GPLv2 +FORBIDDEN= CVE-2013-7149 + USE_BZIP2= yes NO_BUILD= yes SUB_LIST+= PKGNAME=${PKGNAME}