From owner-svn-ports-all@FreeBSD.ORG Mon Feb 24 13:32:32 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A36FC10F; Mon, 24 Feb 2014 13:32:32 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8DC8E1666; Mon, 24 Feb 2014 13:32:32 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1ODWWSf032305; Mon, 24 Feb 2014 13:32:32 GMT (envelope-from rene@svn.freebsd.org) Received: (from rene@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1ODWWaj032304; Mon, 24 Feb 2014 13:32:32 GMT (envelope-from rene@svn.freebsd.org) Message-Id: <201402241332.s1ODWWaj032304@svn.freebsd.org> From: Rene Ladan Date: Mon, 24 Feb 2014 13:32:32 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r345840 - branches/2014Q1/security/vuxml X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Feb 2014 13:32:32 -0000 Author: rene Date: Mon Feb 24 13:32:31 2014 New Revision: 345840 URL: http://svnweb.freebsd.org/changeset/ports/345840 QAT: https://qat.redports.org/buildarchive/r345840/ Log: MFH: r345835 Document new vulnerabilities in www/chromium < 33.0.1750.117 Obtained from: http://googlechromereleases.blogspot.nl/ MFH r345256 (postgresql) MFH r344371 (phpmyadmin) Approved by: portmgr (antoine/bapt) Modified: branches/2014Q1/security/vuxml/vuln.xml Directory Properties: branches/2014Q1/ (props changed) Modified: branches/2014Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q1/security/vuxml/vuln.xml Mon Feb 24 13:31:31 2014 (r345839) +++ branches/2014Q1/security/vuxml/vuln.xml Mon Feb 24 13:32:31 2014 (r345840) @@ -51,6 +51,148 @@ Note: Please add new entries to the beg --> + + chromium -- multiple vulnerabilities + + + chromium + 33.0.1750.117 + + + + +

Google Chrome Releases reports:

+
28 security fixes in this release, including:
+
+
[334897] High CVE-2013-6652: Issue with relative paths in + Windows sandbox named pipe policy. Credit to tyranid.
+
[331790] High CVE-2013-6653: Use-after-free related to web + contents. Credit to Khalil Zhani.
+
[333176] High CVE-2013-6654: Bad cast in SVG. Credit to + TheShow3511.
+
[293534] High CVE-2013-6655: Use-after-free in layout. Credit + to cloudfuzzer.
+
[331725] High CVE-2013-6656: Information leak in XSS auditor. + Credit to NeexEmil.
+
[331060] Medium CVE-2013-6657: Information leak in XSS auditor. + Credit to NeexEmil.
+
[322891] Medium CVE-2013-6658: Use-after-free in layout. Credit + to cloudfuzzer.
+
[306959] Medium CVE-2013-6659: Issue with certificates + validation in TLS handshake. Credit to Antoine Delignat-Lavaud + and Karthikeyan Bhargavan from Prosecco, Inria Paris.
+
[332579] Low CVE-2013-6660: Information leak in drag and drop. + Credit to bishopjeffreys.
+
[344876] Low-High CVE-2013-6661: Various fixes from internal + audits, fuzzing and other initiatives. Of these, seven are fixes + for issues that could have allowed for sandbox escapes from + compromised renderers.
+
+

+ + + + CVE-2013-6652 + CVE-2013-6653 + CVE-2013-6654 + CVE-2013-6655 + CVE-2013-6656 + CVE-2013-6657 + CVE-2013-6658 + CVE-2013-6659 + CVE-2013-6660 + CVE-2013-6661 + http://googlechromereleases.blogspot.nl/ + + + 2014-02-20 + 2014-02-24 + + + + + PostgreSQL -- multiple privilege issues + + + postgresql-server + 8.4.20 + 9.0.09.0.16 + 9.1.09.1.12 + 9.2.09.2.7 + 9.3.09.3.3 + + + + +

PostgreSQL Project reports:

+
This update fixes CVE-2014-0060, in which PostgreSQL did not + properly enforce the WITH ADMIN OPTION permission for ROLE management. + Before this fix, any member of a ROLE was able to grant others access + to the same ROLE regardless if the member was given the WITH ADMIN + OPTION permission. It also fixes multiple privilege escalation issues, + including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, + CVE-2014-0065, and CVE-2014-0066. More information on these issues can + be found on our security page and the security issue detail wiki page. +
+
+ With this release, we are also alerting users to a known security hole + that allows other users on the same machine to gain access to an + operating system account while it is doing "make check": + CVE-2014-0067. "Make check" is normally part of building PostgreSQL + from source code. As it is not possible to fix this issue without + causing significant issues to our testing infrastructure, a patch will + be released separately and publicly. Until then, users are strongly + advised not to run "make check" on machines where untrusted users have + accounts.
+

+ + + + CVE-2014-0060 + CVE-2014-0061 + CVE-2014-0062 + CVE-2014-0063 + CVE-2014-0064 + CVE-2014-0065 + CVE-2014-0066 + CVE-2014-0067 + + + 2014-02-20 + 2014-02-20 + + + + + phpMyAdmin -- Self-XSS due to unescaped HTML output in import. + + + phpMyAdmin + 3.3.14.1.7 + + + + +

The phpMyAdmin development team reports:

+
When importing a file with crafted filename, it is + possible to trigger an XSS. We consider this vulnerability + to be non critical.
+

+ + + + http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php + CVE-2014-1879 + + + 2014-02-15 + 2014-02-15 + + + jenkins -- multiple vulnerabilities