Date: Thu, 1 Mar 2018 13:48:59 +0000 (UTC) From: Renato Botelho <garga@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r463322 - head/security/vuxml Message-ID: <201803011348.w21Dmxih077095@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: garga Date: Thu Mar 1 13:48:59 2018 New Revision: 463322 URL: https://svnweb.freebsd.org/changeset/ports/463322 Log: Document strongswan vulnerability PR: 226043 Submitted by: strongswan@Nanoteq.com Security: CVE-2018-6459 Sponsored by: Rubicon Communications, LLC (Netgate) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Mar 1 13:47:10 2018 (r463321) +++ head/security/vuxml/vuln.xml Thu Mar 1 13:48:59 2018 (r463322) @@ -58,6 +58,39 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="6a449a37-1570-11e8-8e00-000c294a5758"> + <topic>strongswan - Insufficient input validation in RSASSA-PSS signature parser</topic> + <affects> + <package> + <name>strongswan</name> + <range><eq>5.6.1</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Strongswan Release Notes reports:</p> + <blockquote cite="https://github.com/strongswan/strongswan/blob/master/NEWS"> + <p>Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that + was caused by insufficient input validation. One of the configurable + parameters in algorithm identifier structures for RSASSA-PSS signatures is the + mask generation function (MGF). Only MGF1 is currently specified for this + purpose. However, this in turn takes itself a parameter that specifies the + underlying hash function. strongSwan's parser did not correctly handle the + case of this parameter being absent, causing an undefined data read. + his vulnerability has been registered as CVE-2018-6459.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2018-6459</cvename> + <url>https://github.com/strongswan/strongswan/commit/40da179f28b768ffcf6ff7e2f68675eb44806668</url> + </references> + <dates> + <discovery>2018-01-31</discovery> + <entry>2018-02-19</entry> + </dates> + </vuln> + <vuln vid="004debf9-1d16-11e8-b6aa-4ccc6adda413"> <topic>libsndfile -- out-of-bounds read memory access</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201803011348.w21Dmxih077095>