Date: Sat, 23 May 2015 08:38:18 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r387118 - head/security/vuxml Message-ID: <201505230838.t4N8cIoU013242@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Sat May 23 08:38:18 2015 New Revision: 387118 URL: https://svnweb.freebsd.org/changeset/ports/387118 Log: Document dnsmasq and -devel vulnerabilities (CVE-2015-3294 and one other in rc). Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat May 23 08:36:11 2015 (r387117) +++ head/security/vuxml/vuln.xml Sat May 23 08:38:18 2015 (r387118) @@ -57,6 +57,71 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="7927165a-0126-11e5-9d98-080027ef73ec"> + <topic>dnsmasq -- remotely exploitable buffer overflow in release candidate</topic> + <affects> + <package> + <name>dnsmasq-devel</name> + <range><ge>2.73rc6</ge><lt>2.73rc8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Simon Kelley reports:</p> + <blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009529.html">; + <p>Anyone running 2.[73]rc6 or 2.[73]rc7 should be aware that there's a + remotely exploitable buffer overflow in those trees. I just tagged + 2.[73]rc8, which includes the fix. + </p> + </blockquote> + <p>(Corrections from second URL.)</p> + </body> + </description> + <references> + <url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009529.html</url>; + <url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009535.html</url>; + </references> + <dates> + <discovery>2015-05-15</discovery> + <entry>2015-05-23</entry> + </dates> + </vuln> + + <vuln vid="37569eb7-0125-11e5-9d98-080027ef73ec"> + <topic>dnsmasq -- data exposure and denial of service</topic> + <affects> + <package> + <name>dnsmasq</name> + <range><lt>2.72_1</lt></range> + </package> + <package> + <name>dnsmasq-devel</name> + <range><lt>2.73rc4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Nick Sampanis reported a potential memory exposure and denial of service vulnerability against dnsmasq 2.72. The CVE entry summarizes this as: + </p> + <blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3294"><p>The tcp_request function in Dnsmasq before 2.73rc4 + does not properly handle the return value of the setup_reply function, + which allows remote attackers to read process memory and cause a + denial of service (out-of-bounds read and crash) via a malformed DNS + request."</p> + </blockquote> + </body> + </description> + <references> + <url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html</url>; + <cvename>CVE-2015-3294</cvename> + <url>http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=ad4a8ff7d9097008d7623df8543df435bfddeac8</url>; + </references> + <dates> + <discovery>2015-04-07</discovery> + <entry>2015-05-23</entry> + </dates> + </vuln> + <vuln vid="4a88e3ed-00d3-11e5-a072-d050996490d0"> <topic>pcre -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201505230838.t4N8cIoU013242>