Date: Mon, 16 Sep 2019 13:29:40 +0200
From: Tobias Kortkamp
To: Kurt Jaeger
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r512164 - head/security/vuxml
Message-ID: <20190916112940.GA41159@urd.tobik.me>
References: <201909161119.x8GBJp2J090730@repo.freebsd.org>
In-Reply-To: <201909161119.x8GBJp2J090730@repo.freebsd.org>

On Mon, Sep 16, 2019 at 11:19:51AM +0000, Kurt Jaeger wrote:
> Author: pi
> Date: Mon Sep 16 11:19:51 2019
> New Revision: 512164
> URL: https://svnweb.freebsd.org/changeset/ports/512164
>
> Log:
>   security/vuxml: document expat2 pre-2.2.7 vulnerability
>
>   PR: 238864
>   Submitted by: Sergei Vyshenski
>
> Modified:
>   head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/security/vuxml/vuln.xml Mon Sep 16 11:18:54 2019 (r512163) > +++ head/security/vuxml/vuln.xml Mon Sep 16 11:19:51 2019 (r512164) 
> @@ -58,6 +58,36 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > > + > + expat2 -- Fix extraction of namespace prefixes from XML names= > + > + > + expat2 > + 2.2.7 > + > + > + > + > +

expat project reports:

> +
> +

> + XML names with multiple colons could end up in the > + wrong namespace, and take a high amount of RAM and CPU > + resources while processing, opening the door to > + use for denial-of-service attacks > +

> +
> + > +
> + > + https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Chang= es > + > + > + 2019-06-19 > + 2019-06-28

Wrong date and package name. The entry has happened only today and textproc/expat2 has a PKGBASE of just 'expat'.

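Review bot: the topic line of the added entry, "expat2 -- Fix extraction of namespace prefixes from XML names", states the upstream fix rather than the vulnerability; a topic that names the impact given in the description (denial of service through XML names with multiple colons) tells a reader of audit output what they are exposed to. The second of the two dates, 2019-06-28, is earlier than the commit timestamp in the `+++` header (Mon Sep 16 11:19:51 2019), so if it is the entry date it should be the date of this commit. The only reference visible is the upstream Changes URL; if a CVE identifier was assigned for this issue, add it to the references.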