From owner-svn-ports-all@freebsd.org  Mon Mar 23 17:34:42 2020
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4E66A269618;
 Mon, 23 Mar 2020 17:34:42 +0000 (UTC)
 (envelope-from romain@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48mM2V1G0Gz4BQ9;
 Mon, 23 Mar 2020 17:34:42 +0000 (UTC)
 (envelope-from romain@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 266971A175;
 Mon, 23 Mar 2020 17:34:42 +0000 (UTC)
 (envelope-from romain@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 02NHYgxs012514;
 Mon, 23 Mar 2020 17:34:42 GMT (envelope-from romain@FreeBSD.org)
Received: (from romain@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 02NHYfxE012513;
 Mon, 23 Mar 2020 17:34:41 GMT (envelope-from romain@FreeBSD.org)
Message-Id: <202003231734.02NHYfxE012513@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: romain set sender to
 romain@FreeBSD.org using -f
From: =?UTF-8?Q?Romain_Tarti=c3=a8re?= <romain@FreeBSD.org>
Date: Mon, 23 Mar 2020 17:34:41 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r528994 - head/security/vuxml
X-SVN-Group: ports-head
X-SVN-Commit-Author: romain
X-SVN-Commit-Paths: head/security/vuxml
X-SVN-Commit-Revision: 528994
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 17:34:42 -0000

Author: romain
Date: Mon Mar 23 17:34:41 2020
New Revision: 528994
URL: https://svnweb.freebsd.org/changeset/ports/528994

Log:
  Add details for two Puppet-related CVEs

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Mar 23 17:32:22 2020	(r528993)
+++ head/security/vuxml/vuln.xml	Mon Mar 23 17:34:41 2020	(r528994)
@@ -58,6 +58,72 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="36def7ba-6d2b-11ea-b115-643150d3111d">
+    <topic>puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API</topic>
+    <affects>
+      <package>
+	<name>puppetdb5</name>
+	<range><lt>5.2.13</lt></range>
+      </package>
+      <package>
+	<name>puppetdb6</name>
+	<range><lt>6.9.1</lt></range>
+      </package>
+      <package>
+	<name>puppetserver5</name>
+	<range><lt>5.3.12</lt></range>
+      </package>
+      <package>
+	<name>puppetserver6</name>
+	<range><lt>6.9.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Puppetlabs reports:</p>
+	<blockquote cite="https://puppet.com/security/cve/CVE-2020-7943/">
+	  <p>Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.</p>
+	  <p>PE 2018.1.13 &amp; 2019.4.0, Puppet Server 6.9.1 &amp; 5.3.12, and PuppetDB 6.9.1 &amp; 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-7943</cvename>
+      <url>https://puppet.com/security/cve/CVE-2020-7943/</url>
+    </references>
+    <dates>
+      <discovery>2020-03-10</discovery>
+      <entry>2020-03-23</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="77687355-52aa-11ea-b115-643150d3111d">
+    <topic>puppet6 -- Arbitrary Catalog Retrieval</topic>
+    <affects>
+      <package>
+	<name>puppet6</name>
+	<range><lt>6.13.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Puppetlabs reports:</p>
+	<blockquote cite="https://puppet.com/security/cve/CVE-2020-7942/">
+	  <p>Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.</p>
+	  <p>Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-7942</cvename>
+      <url>https://puppet.com/security/cve/CVE-2020-7942/</url>
+    </references>
+    <dates>
+      <discovery>2020-02-18</discovery>
+      <entry>2020-03-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6b90acba-6a0a-11ea-92ab-00163e433440">
     <topic>FreeBSD -- Kernel memory disclosure with nested jails</topic>
     <affects>