Date: Tue, 27 Nov 2012 20:09:35 +0000 (UTC)
From: Olli Hauer <ohauer@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r307861 - in head: security/vuxml www/yahoo-ui
Message-ID: <201211272009.qARK9Z6c048158@svn.freebsd.org>
Author: ohauer
Date: Tue Nov 27 20:09:34 2012
New Revision: 307861
URL: http://svnweb.freebsd.org/changeset/ports/307861

Log:
  - document www/yahoo-ui security issue and mark port forbidden [1]
    pet portlint (maintainer is already notified)
  - adjust CVE entries for bugzilla (CVE-2012-5475 was rejected) [2]

  Feature safe: yes

  Security: CVE-2012-5881 [1][2]
            CVE-2012-5882 [1][2]
            CVE-2012-5883 [2]
  Approved by: glarkin (implicit) [1]

Modified:
  head/security/vuxml/vuln.xml
  head/www/yahoo-ui/Makefile

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Nov 27 19:32:44 2012 (r307860) +++ head/security/vuxml/vuln.xml Tue Nov 27 20:09:34 2012 (r307861) 
@@ -51,6 +51,40 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="aa4f86af-3172-11e2-ad21-20cf30e32f6d"> + <topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic> + <affects> + <package> + <name>yahoo-ui</name> + <range><lt>3.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The YUI team reports:</p> + <blockquote cite="http://yuilibrary.com/support/20121030-vulnerability/"> + <h1>Vulnerability in YUI 2.4.0 through YUI 2.9.0</h1> + <p>A XSS vulnerability has been discovered in some YUI 2 .swf files + from versions 2.4.0 through 2.9.0. This defect allows JavaScript + injection exploits to be created against domains that host affected + YUI .swf files.</p> + <p>If your site loads YUI 2 from a CDN (yui.yahooapis.com, + ajax.googleapis.com, etc.) and not from your own domain, you + are not affected. YUI 3 is not affected by this issue.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-5881</cvename> + <cvename>CVE-2012-5882</cvename> + <url>http://yuilibrary.com/support/20121030-vulnerability/</url> + </references> + <dates> + <discovery>2012-10-30</discovery> + <entry>2012-12-27</entry> + </dates> + </vuln> + <vuln vid="4d64fc61-3878-11e2-a4eb-00262d5ed8ee"> <topic>chromium -- multiple vulnerabilities</topic> <affects> 
@@ -450,13 +484,16 @@ Note: Please add new entries to the beg <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url> <cvename>CVE-2012-4189</cvename> <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url> - <cvename>CVE-2012-5475</cvename> + <cvename>CVE-2012-5881</cvename> + <cvename>CVE-2012-5882</cvename> + <cvename>CVE-2012-5883</cvename> <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url> <url>http://yuilibrary.com/support/20121030-vulnerability/</url> </references> <dates> <discovery>2012-11-13</discovery> <entry>2012-11-14</entry> + <modified>2012-11-27</modified> </dates> </vuln> Modified: head/www/yahoo-ui/Makefile ============================================================================== --- head/www/yahoo-ui/Makefile Tue Nov 27 19:32:44 2012 (r307860) +++ head/www/yahoo-ui/Makefile Tue Nov 27 20:09:34 2012 (r307861) @@ -10,13 +10,15 @@ DISTNAME= yui_${PORTVERSION}r1 MAINTAINER= glarkin@FreeBSD.org COMMENT= The Yahoo! User Interface (YUI) Library +LICENSE= BSD + +FORBIDDEN= CVE-2012-5881 Cross-site scripting (XSS) vulnerability in the Flash component infrastructure + USE_ZIP= yes WRKSRC= ${WRKDIR}/yui NO_BUILD= yes -LICENSE= BSD - OPTIONS= APACHE "Configure for Apache-2.x" off \ MINIMAL "Do not install documentation and examples" off
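Review bot: In the new yahoo-ui entry (vid aa4f86af-3172-11e2-ad21-20cf30e32f6d) in vuln.xml, `<entry>2012-12-27</entry>` is a month later than the commit date of 2012-11-27 shown in the diff header, so the entry is dated in the future; it should most likely read 2012-11-27, matching the `<modified>` date this same commit gives the bugzilla entry. Separately, the range `<lt>3.0.0</lt>` marks every yahoo-ui release below 3.0.0 as affected, while the quoted advisory limits the defect to 2.4.0 through 2.9.0; if the wider range is deliberate, a short comment saying so would help, otherwise add a `<ge>2.4.0</ge>` lower bound.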
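Review bot: The FORBIDDEN line added to head/www/yahoo-ui/Makefile names only CVE-2012-5881, while the vuxml entry added for this port in the same commit references both CVE-2012-5881 and CVE-2012-5882. Cite both CVEs in the FORBIDDEN text, or include the advisory URL already used in vuln.xml (http://yuilibrary.com/support/20121030-vulnerability/), so that someone who hits the forbidden message when trying to build the port can find the full advisory. The LICENSE move in the same hunk is a pure reordering and looks fine.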