Date:      Sun, 19 Sep 2021 09:04:53 +0200
From:      "Herbert J. Skuhra" <herbert@gojira.at>
To:        Eugene Grosbein <eugen@FreeBSD.org>
Cc:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   Re: git: 2c7d4d50c06a - main - security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
Message-ID:  <87v92xjbai.wl-herbert@gojira.at>
In-Reply-To: <202109082208.188M8tVX016686@gitrepo.freebsd.org>
References:  <202109082208.188M8tVX016686@gitrepo.freebsd.org>

On Thu, 09 Sep 2021 00:08:55 +0200, Eugene Grosbein wrote:
> 
> The branch main has been updated by eugen:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=2c7d4d50c06ac12410414813427604ee9af673dd
> 
> commit 2c7d4d50c06ac12410414813427604ee9af673dd
> Author:     Eugene Grosbein <eugen@FreeBSD.org>
> AuthorDate: 2021-09-08 21:55:19 +0000
> Commit:     Eugene Grosbein <eugen@FreeBSD.org>
> CommitDate: 2021-09-08 22:02:51 +0000
> 
>     security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
>     
>     Version 5.9_2 contains security fix for PPPoE servers.
>     Insufficient validation of incoming PPPoE Discovery request
>     specially crafted by unauthenticated user might lead to unexpected
>     termination of the process. The problem affects mpd versions since 5.0.
>     Installations not using PPPoE server configuration were not affected.
>     
>     Reported by:    Yannick C at SourceForge
>     Tested by:      Yannick C at SourceForge, paul at SourceForge
> ---
>  security/vuxml/vuln-2021.xml | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
> 
> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
> index 09525e60d803..1b308b51ea74 100644
> --- a/security/vuxml/vuln-2021.xml
> +++ b/security/vuxml/vuln-2021.xml
> @@ -1,3 +1,31 @@
> +  <vuln vid="f55921aa-10c9-11ec-8647-00e0670f2660">
> +    <topic>MPD5 PPPoE Server remotely exploitable crash</topic>
> +    <affects>
> +      <package>
> +	<name>mpd5</name>
> +	<range><ge>5.0</ge></range>
> +	<range><lt>5.9_2</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">;
> +	<p>Version 5.9_2 contains security fix for PPPoE servers.
> +	Insufficient validation of incoming PPPoE Discovery request
> +	specially crafted by unauthenticated user might lead to unexpected
> +	termination of the process. The problem affects mpd versions
> +	since 5.0. Installations not using PPPoE server configuration
> +	were not affected.</p>
> +      </body>
> +    </description>
> +    <references>
> +	<url>http://mpd.sourceforge.net/doc5/mpd4.html#4</url>;
> +    </references>
> +    <dates>
> +      <discovery>2021-09-04</discovery>
> +      <entry>2021-09-09</entry>
> +    </dates>
> +  </vuln>
> +
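
Review bot: the `<package>` block for mpd5 splits the version bounds across two sibling elements, `<range><ge>5.0</ge></range>` and `<range><lt>5.9_2</lt></range>`. VuXML treats sibling ranges as alternatives, so the first one on its own matches every mpd5 version from 5.0 upward, including the fixed 5.9_2 and anything later, which is consistent with mpd5-5.9_4 being reported as vulnerable in the build output below. Put both bounds in a single element, `<range><ge>5.0</ge><lt>5.9_2</lt></range>`, so the entry stops matching at 5.9_2.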

===>  mpd5-5.9_4 has known vulnerabilities:
mpd5-5.9_4 is vulnerable:
  MPD5 PPPoE Server remotely exploitable crash
  WWW: https://vuxml.FreeBSD.org/freebsd/f55921aa-10c9-11ec-8647-00e0670f2660.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/net/mpd5
*** Error code 1

Stop.
make: stopped in /usr/ports/net/mpd5

--
Herbert


