Date: Sun, 2 Feb 2020 07:15:44 +0000 (UTC)
From: Ben Woods <woodsb02@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r524814 - head/security/vuxml
Message-ID: <202002020715.0127Fi9A036568@repo.freebsd.org>
Author: woodsb02 Date: Sun Feb 2 07:15:43 2020 New Revision: 524814 URL: https://svnweb.freebsd.org/changeset/ports/524814 Log: vuxml: Add entry for libssh CVE-2019-14889 Security: CVE-2019-14889 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Feb 2 06:41:59 2020 (r524813) +++ head/security/vuxml/vuln.xml Sun Feb 2 07:15:43 2020 (r524814) 
@@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1e7fa41b-f6ca-4fe8-bd46-0e176b42b14f"> + <topic>libssh -- Unsanitized location in scp could lead to unwanted command execution</topic> + <affects> + <package> + <name>libssh</name> + <range><ge>0.4.0</ge><lt>0.8.8</lt></range> + <range><ge>0.9.0</ge><lt>0.9.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The libssh team reports:</p> + <blockquote cite="https://www.libssh.org/security/advisories/CVE-2019-14889.txt"> + <p>In an environment where a user is only allowed to copy files and + not to execute applications, it would be possible to pass a location + which contains commands to be executed in additon.</p> + <p>When the libssh SCP client connects to a server, the scp + command, which includes a user-provided path, is executed + on the server-side. In case the library is used in a way + where users can influence the third parameter of + ssh_scp_new(), it would become possible for an attacker to + inject arbitrary commands, leading to a compromise of the + remote target.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.libssh.org/security/advisories/CVE-2019-14889.txt</url> + <url>https://nvd.nist.gov/vuln/detail/CVE-2019-14889</url> + <cvename>CVE-2019-14889</cvename> + </references> + <dates> + <discovery>2019-11-14</discovery> + <entry>2020-02-02</entry> + </dates> + </vuln> + <vuln vid="c86bfee3-4441-11ea-8be3-54e1ad3d6335"> <topic>spamassassin -- Nefarious rule configuration files can run system commands</topic> <affects>
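Review bot: In the <affects> block only <name>libssh</name> is listed, while the file's own Notes comment directly above the hunk reminds committers not to forget port variants; please confirm that no other port ships an affected libssh (ranges 0.4.0 up to 0.8.8 and 0.9.0 up to 0.9.3) and add a <package> element for any that does. Minor: the first quoted paragraph ends "to be executed in additon"; if that spelling is not verbatim from the upstream advisory cited in the blockquote, change it to "addition".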