From owner-svn-ports-all@FreeBSD.ORG Sun Dec 22 17:49:47 2013 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CE95012F; Sun, 22 Dec 2013 17:49:47 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id A03B31D6C; Sun, 22 Dec 2013 17:49:47 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBMHnl41056760; Sun, 22 Dec 2013 17:49:47 GMT (envelope-from ohauer@svn.freebsd.org) Received: (from ohauer@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBMHnlc0056758; Sun, 22 Dec 2013 17:49:47 GMT (envelope-from ohauer@svn.freebsd.org) Message-Id: <201312221749.rBMHnlc0056758@svn.freebsd.org> From: Olli Hauer Date: Sun, 22 Dec 2013 17:49:47 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r337204 - in head: security/vuxml www/openx X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Dec 2013 17:49:47 -0000 Author: ohauer Date: Sun Dec 22 17:49:46 2013 New Revision: 337204 URL: http://svnweb.freebsd.org/changeset/ports/337204 Log: - mark as FORBIDDEN (zero day SQL vuln) Security: CVE-2013-7149 Modified: head/security/vuxml/vuln.xml head/www/openx/Makefile Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Dec 22 17:40:01 2013 (r337203) +++ head/security/vuxml/vuln.xml Sun Dec 22 17:49:46 2013 (r337204) @@ -51,6 +51,42 @@ Note: Please add new entries to the beg --> + + OpenX -- SQL injection vulnerability + + + openx + 3.0.2 + + + + +

Revive reports:

+
An SQL-injection vulnerability was recently discovered and reported + to the Revive Adserver team by Florian Sander. The vulnerability is + known to be already exploited to gain unauthorised access to the + application using brute force mechanisms, however other kind of + attacks might be possible and/or already in use. The risk is rated + to be critical as the most common end goal of the attackers is to + spread malware to the visitors of all the websites and ad networks + that the ad server is being used on.
+
The vulnerability is also present and exploitable in OpenX Source + 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.
+

+ + + + http://www.revive-adserver.com/security/revive-sa-2013-001/ + http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/ + CVE-2013-7149 + + + 2013-12-20 + 2013-12-22 + + + cURL library -- cert name check ignore with GnuTLS Modified: head/www/openx/Makefile ============================================================================== --- head/www/openx/Makefile Sun Dec 22 17:40:01 2013 (r337203) +++ head/www/openx/Makefile Sun Dec 22 17:49:46 2013 (r337204) @@ -11,6 +11,8 @@ COMMENT= Free, opensource ad server in P LICENSE= GPLv2 +FORBIDDEN= CVE-2013-7149 + USE_BZIP2= yes NO_BUILD= yes SUB_LIST+= PKGNAME=${PKGNAME}