Date: Mon, 16 Sep 2019 13:29:40 +0200 From: Tobias Kortkamp <tobik@freebsd.org> To: Kurt Jaeger <pi@freebsd.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r512164 - head/security/vuxml Message-ID: <20190916112940.GA41159@urd.tobik.me> In-Reply-To: <201909161119.x8GBJp2J090730@repo.freebsd.org> References: <201909161119.x8GBJp2J090730@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 16, 2019 at 11:19:51AM +0000, Kurt Jaeger wrote: > Author: pi > Date: Mon Sep 16 11:19:51 2019 > New Revision: 512164 > URL: https://svnweb.freebsd.org/changeset/ports/512164 >=20 > Log: > security/vuxml: document expat2 pre-2.2.7 vulnerability > =20 > PR: 238864 > Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> >=20 > Modified: > head/security/vuxml/vuln.xml >=20 > Modified: head/security/vuxml/vuln.xml > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/security/vuxml/vuln.xml Mon Sep 16 11:18:54 2019 (r512163) > +++ head/security/vuxml/vuln.xml Mon Sep 16 11:19:51 2019 (r512164) > @@ -58,6 +58,36 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">; > + <vuln vid=3D"c5bd8a25-99a6-11e9-a598-f079596b62f9"> > + <topic>expat2 -- Fix extraction of namespace prefixes from XML names= </topic> > + <affects> > + <package> > + <name>expat2</name> > + <range><lt>2.2.7</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns=3D"http://www.w3.org/1999/xhtml">; > + <p>expat project reports:</p> > + <blockquote cite=3D"https://github.com/libexpat/libexpat/blob/R_2_2_7/e= xpat/Changes"> > + <p> > + XML names with multiple colons could end up in the > + wrong namespace, and take a high amount of RAM and CPU > + resources while processing, opening the door to > + use for denial-of-service attacks > + </p> > + </blockquote> > + </body> > + </description> > + <references> > + <url>https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Chang= es</url> > + </references> > + <dates> > + <discovery>2019-06-19</discovery> > + <entry>2019-06-28</entry> Wrong date and package name. The entry has happened only today and textproc/expat2 has a PKGBASE of just 'expat'. --qMm9M+Fa2AknHoGS Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGTBAEBCgB9FiEElXvTEJc6ePgdQuobpPCftzzFH2EFAl1/ciFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk1 N0JEMzEwOTczQTc4RjgxRDQyRUExQkE0RjA5RkI3M0NDNTFGNjEACgkQpPCftzzF H2HO8ggAl+AK3xFVSGRcPtpcOkmiKWE0AYZc5rLKt/QvDI09hgm8L9rGW8etHVLL yZDls8x4jA7KzaYU53Qi2dLTRDvsquzpV3a1bbYGl9PW5BD9sA/XTjqmVKbIYoAj l3Ujk+vtBSofMCYYxxzjsW+/FzSGZoTyPW80WPBTQr+OV3aUlUL+SkmpL7JJPP7G 6VYfFTh1U0yWmRGY6+XQZJSg+HaS4pk00RPQRo/7fdWtwZerJJ3VdYhg8ig2mteG 72WQq4I5mB3xh1w34nAsq1LM1rtxsWCj88x95+u5XKtRZOLZXivu5IGccr8RDqbY tyDQajDcoSVxn450ohDk9DssGol2uQ== =BGbk -----END PGP SIGNATURE----- --qMm9M+Fa2AknHoGS--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190916112940.GA41159>