Date: Mon, 22 Apr 2019 20:30:19 +0000 (UTC)
From: Danilo Egea Gondolfo <danilo@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r499672 - head/security/vuxml
Message-ID: <201904222030.x3MKUJns033194@repo.freebsd.org>
Author: danilo Date: Mon Apr 22 20:30:18 2019 New Revision: 499672 URL: https://svnweb.freebsd.org/changeset/ports/499672 Log: - Document istio vulnerabilities. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Apr 22 20:29:04 2019 (r499671) +++ head/security/vuxml/vuln.xml Mon Apr 22 20:30:18 2019 (r499672) @@ -58,6 +58,40 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="484d3f5e-653a-11e9-b0e3-1c39475b9f84"> + <topic>Istio -- Security vulnerabilities</topic> + <affects> + <package> + <name>istio</name> + <range><lt>1.1.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Istio reports:</p> + <blockquote cite="https://istio.io/blog/2019/announcing-1.1.2/#security-update"> + <p>Two security vulnerabilities have recently been identified in the Envoy proxy. + The vulnerabilities are centered on the fact that Envoy did not normalize + HTTP URI paths and did not fully validate HTTP/1.1 header values. These + vulnerabilities impact Istio features that rely on Envoy to enforce any of + authorization, routing, or rate limiting.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-9900</cvename> + <cvename>CVE-2019-9901</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900</url> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901</url> + <url>https://github.com/envoyproxy/envoy/issues/6434</url> + <url>https://github.com/envoyproxy/envoy/issues/6435</url> + </references> + <dates> + <discovery>2019-03-29</discovery> + <entry>2019-04-22</entry> + </dates> + </vuln> + <vuln vid="5ed7102e-6454-11e9-9a3a-001cc0382b2f"> <topic>Ghostscript -- Security bypass vulnerability</topic> <affects>
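Review bot: the <topic> of the new istio entry (vid 484d3f5e-653a-11e9-b0e3-1c39475b9f84), "Istio -- Security vulnerabilities", gives no hint of what is wrong, although the quoted description names it: Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. A topic that mentions those two issues would make the entry easier to tell apart from other istio entries. In <references>, the two cve.mitre.org <url> lines repeat what the <cvename> elements already identify and could be dropped, while the announcement cited in the blockquote (https://istio.io/blog/2019/announcing-1.1.2/#security-update) is not listed as a <url> and would be worth adding next to the two envoy issue links.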