Date: Sat, 7 Sep 2019 21:07:45 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r511427 - head/security/vuxml Message-ID: <201909072107.x87L7jBf083959@repo.freebsd.org>
Author: mandree Date: Sat Sep 7 21:07:44 2019 New Revision: 511427 URL: https://svnweb.freebsd.org/changeset/ports/511427 Log: Document devel/oniguruma < 6.9.3 vulnerabilities. PR: 240368 Reported by: Pascal Christen Obtained from: MITRE Security: a8d87c7a-d1b1-11e9-a616-0992a4564e7c Security: CVE-2019-13224 Security: CVE-2019-13225 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Sep 7 20:53:37 2019 (r511426) +++ head/security/vuxml/vuln.xml Sat Sep 7 21:07:44 2019 (r511427) 
@@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="a8d87c7a-d1b1-11e9-a616-0992a4564e7c"> + <topic>oniguruma -- multiple vulnerabilities</topic> + <affects> + <package> + <name>oniguruma</name> + <range><lt>6.9.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224"> + <p> + A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). + </p> + </blockquote> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225"> + <p>A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression.</p> + <p>Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-13224</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224</url> + <url>https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55</url> + <cvename>CVE-2019-13225</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225</url> + <url>https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c</url> + </references> + <dates> + <discovery>2019-07-03</discovery> + <entry>2019-09-07</entry> + </dates> + </vuln> + <vuln vid="10e1d580-d174-11e9-a87f-a4badb2f4699"> <topic>xymon-server -- multiple vulnerabilities</topic> <affects>
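Review bot: the new `<affects>` block lists only the `oniguruma` package, yet the quoted CVE-2019-13225 text in the same entry says "Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust", and the file's own header note in this hunk reminds committers not to forget port variants. Before this lands it is worth confirming whether any port variant or consumer that bundles or links the affected library should be added as a further `<package>` entry under `<affects>`, each with its own `<range><lt>...</lt></range>`, so that `pkg audit` flags those installations as well; if none exist, a short remark in the log saying that variants were checked would save the next reader the same question.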