Date: Sun, 2 May 2004 01:57:16 +0800
From: Xin LI <delphij@frontfree.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: portmgr@FreeBSD.org
Subject: Re: ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
Message-ID: <20040501175716.GA697@frontfree.net>
In-Reply-To: <20040501171456.0225511602@beastie.frontfree.net>
References: <20040501171456.0225511602@beastie.frontfree.net>
Also, I hope the attached patch, which mitigates the session table exhaustion that could be used in a DDoS attack after the above patch, gets its way into phpbb/files so it will be automatically patched.

I suggest adding the following item to vuxml:

<vuln vid=(A newly generated UUID?)>
  <topic>phpBB session table exhaustion</topic>
  <affects>
    <package>
      <name>phpbb</name>
      <range><le>2.0.8_2</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The includes/sessions.php unnecessarily adds a session item into the session table and is therefore vulnerable to a DDoS attack.</p>
    </body>
  </description>
  <references>
    <url>http://www.securityfocus.com/archive/1/360931</url>
    <!--
    <mlist msgid="20040421011055.GA1448@frontfree.net">
      http://www.securityfocus.com/archive/1/360931
    </mlist>
    -->
  </references>
  <dates>
    <discovery>2004-03-05</discovery>
    <entry>2004-05-01</entry>
  </dates>
</vuln>

-- 
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.