Date:      Wed, 22 Aug 2018 17:24:18 -0400
From:      Dan Langille <dan@langille.org>
To:        Matthew Seaman <matthew@FreeBSD.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r477823 - head/security/vuxml
Message-ID:  <6F18B320-595D-4446-AF62-CDAAEA6CE923@langille.org>
In-Reply-To: <201808222032.w7MKWoW9095587@repo.freebsd.org>
References:  <201808222032.w7MKWoW9095587@repo.freebsd.org>


> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew@FreeBSD.org> wrote:
> 
> Author: matthew
> Date: Wed Aug 22 20:32:50 2018
> New Revision: 477823
> URL: https://svnweb.freebsd.org/changeset/ports/477823
> 
> Log:
>  Document the latest phpMyAdmin security advisory PMASA-2018-5
> 
> Modified:
>  head/security/vuxml/vuln.xml
> 
> Modified: head/security/vuxml/vuln.xml
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- head/security/vuxml/vuln.xml	Wed Aug 22 20:32:03 2018	=
(r477822)
> +++ head/security/vuxml/vuln.xml	Wed Aug 22 20:32:50 2018	=
(r477823)
> @@ -58,6 +58,37 @@ Notes:
>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid=3D"9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
> +    <topic>phpmyadmin -- XSS in the import dialog</topic>
> +    <affects>
> +      <package>
> +	<name>phpmyadmin</name>

I am not sure this will correctly flag the affected packages.

1 - the package name is more like phpMyAdmin-PHP VERSION

It was once just phpMyAdmin which was easy for a vuxml entry.

Recently, it changed to include PKGNAMESUFFIX=  ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):

  https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11

My idea for fixing: add name entries for:

* phpMyAdmin
* phpMyAdmin-php56
* phpMyAdmin-php(all the other versions)

Does this make sense?

reference data below:

freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
   package_name   |              element_pathname
------------------+---------------------------------------------
 phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
 phpMyAdmin       | /ports/branches/2016Q4/databases/phpmyadmin
 phpMyAdmin       | /ports/branches/2017Q1/databases/phpmyadmin
 phpMyAdmin       | /ports/branches/2018Q1/databases/phpmyadmin
 phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
(5 rows)

freshports.dev=#


> +	<range><lt>4.8.3</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns=3D"http://www.w3.org/1999/xhtml">;
> +	<p>The phpMyAdmin development team reports:</p>
> +	<blockquote =
cite=3D"https://www.phpmyadmin.net/security/PMASA-2018-5/">;
> +	  <h3>Description</h3>
> +	  <p>A Cross-Site Scripting vulnerability was found in the
> +	    file import feature, where an attacker can deliver a payload
> +	    to a user through importing a specially-crafted file.</p>
> +	  <h3>Severity</h3>
> +	  <p>We consider this attack to be of moderate severity.</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <url>https://www.phpmyadmin.net/security/PMASA-2018-5/</url>;
> +      <cvename>CVE-2018-15605</cvename>
> +    </references>
> +    <dates>
> +      <discovery>2018-08-21</discovery>
> +      <entry>2018-08-22</entry>
> +    </dates>
> +  </vuln>
> +
>   <vuln vid=3D"fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335">
>     <topic>libX11 -- Multiple vulnerabilities</topic>
>     <affects>
>=20
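Review bot: the <name>phpmyadmin</name> element under <affects> at the top of this hunk will not match the packages that are actually installed. The freshports query in the reply shows them as phpMyAdmin and phpMyAdmin-php56 (the port gained a PKGNAMESUFFIX of ${PHP_PKGNAMESUFFIX}), and VuXML names are compared against the installed package's base name, not the port directory name. Put one <name> per PKGNAME variant inside the same <package>, e.g. <name>phpMyAdmin</name> and <name>phpMyAdmin-php56</name>, plus one for each other PHP suffix the port can be built with; the single <range><lt>4.8.3</lt></range> can stay shared across them.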


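As an added example, not part of this message, of r477823 or of the FreeBSD ports tree, the following script models how a VuXML <affects> block is matched against installed packages, to make the naming problem above concrete. It assumes packages are named NAME-VERSION as `pkg query '%n-%v'` prints them, that <name> is compared exactly against NAME, and it uses a deliberately simplified stand-in for pkg's version ordering; the package inventory is constructed, and the phpMyAdmin-php72 suffix in it is made up to stand for "all the other versions" mentioned in the reply.

```python
"""Added example (not from r477823 or the FreeBSD ports tree): a small model of
how a VuXML <affects> block is matched against installed packages, to show why
<name>phpmyadmin</name> flags nothing when the packages are actually named
phpMyAdmin and phpMyAdmin-php56.

Assumptions: package names come in the `pkg query '%n-%v'` form NAME-VERSION,
<name> is compared exactly against NAME, and version ordering is a simplified
stand-in for pkg's rules (PORTEPOCH is only stripped, letter suffixes ignored).
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed package inventory; phpMyAdmin-php72 is a made-up suffix standing
# in for "all the other PHP versions" mentioned in the reply.
INSTALLED = [
    "phpMyAdmin-4.8.2",
    "phpMyAdmin-php56-4.8.2",
    "phpMyAdmin-php72-4.8.3",
    "libX11-1.6.5,1",
]


def vuln_entry(names):
    """Build an <affects> block shaped like the committed entry, with the given <name>s."""
    name_xml = "".join(f"<name>{n}</name>" for n in names)
    return f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
    <topic>phpmyadmin -- XSS in the import dialog</topic>
    <affects>
      <package>{name_xml}<range><lt>4.8.3</lt></range></package>
    </affects>
  </vuln>
</vuxml>"""


def split_pkg(pkgname):
    """'phpMyAdmin-php56-4.8.2' -> ('phpMyAdmin-php56', '4.8.2'); the version follows the last '-'."""
    base, _, version = pkgname.rpartition("-")
    return base, version


def version_key(version):
    """Simplified ordering: drop ',PORTEPOCH', compare the dotted release
    numerically, then the _PORTREVISION.  Sufficient for 4.8.2 vs 4.8.3."""
    release, _, revision = version.split(",")[0].partition("_")
    nums = [int(x) if x.isdigit() else 0 for x in release.split(".")]
    return (nums, int(revision) if revision.isdigit() else 0)


def in_range(version, rng):
    """Evaluate one <range>; every child bound (lt/le/gt/ge/eq) must hold."""
    v = version_key(version)
    ops = {
        "lt": lambda b: v < version_key(b),
        "le": lambda b: v <= version_key(b),
        "gt": lambda b: v > version_key(b),
        "ge": lambda b: v >= version_key(b),
        "eq": lambda b: v == version_key(b),
    }
    # child.tag is '{namespace}lt'; keep only the local name for the lookup
    return all(ops[child.tag.split("}")[-1]](child.text) for child in rng)


def affected(vuxml_text, installed):
    """Return the installed packages the entry flags, using exact <name> matching."""
    root = ET.fromstring(vuxml_text)
    hits = set()
    for pkg in root.iterfind(".//v:affects/v:package", NS):
        names = {n.text for n in pkg.iterfind("v:name", NS)}
        ranges = list(pkg.iterfind("v:range", NS))
        for p in installed:
            base, version = split_pkg(p)
            if base in names and any(in_range(version, r) for r in ranges):
                hits.add(p)
    return sorted(hits)


ORIGINAL = vuln_entry(["phpmyadmin"])                                           # as committed
CORRECTED = vuln_entry(["phpMyAdmin", "phpMyAdmin-php56", "phpMyAdmin-php72"])  # one <name> per PKGNAME

if __name__ == "__main__":
    print("committed entry flags:", affected(ORIGINAL, INSTALLED))   # []
    print("with per-suffix names:", affected(CORRECTED, INSTALLED))  # ['phpMyAdmin-4.8.2', 'phpMyAdmin-php56-4.8.2']
```

The committed entry flags nothing because no installed base name is literally phpmyadmin; once one <name> exists per PKGNAME variant, the two 4.8.2 installs are reported and the 4.8.3 install correctly is not.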
