cvs commit: ports/security/vuxml vuln.xml ports/www/mod_pubcookie Makefile ports/www/pubcookie-login-server Makefile

Philip M. Gollucci pgollucci at p6m7g8.com
Tue May 24 22:22:53 UTC 2011


Thank lord, these pubcookie ports were quite complex!


On 5/23/2011 4:04 PM, Brooks Davis wrote:
> brooks      2011-05-23 23:04:41 UTC
> 
>   FreeBSD ports repository
> 
>   Modified files:
>     security/vuxml       vuln.xml 
>     www/mod_pubcookie    Makefile 
>     www/pubcookie-login-server Makefile 
>   Log:
>   Partially address several years of neglect of pubcookie.  Indicate the
>   security issues in two two ports.
>   
>   I've not use pubcookie in several year and given the lack of complaint
>   about the deprication of mod_pubcookie, I doubt anyone else uses it from
>   ports.  The mod_pubcookie port has already expired and I've set a two
>   week expriation for pubcookie-login-server.  If not maintainer
>   appears I will send both to the Attic on June 6th.
>   
>   While I'm here, address the use of CONF_FILES and CONF_DIRS in
>   pubcookie-login-server to avoid getting in the way of progress. [0]
>   
>   PR:             ports/157164 [0]
>   Security:       vuxml:115a1389-858e-11e0-a76c-000743057ca2
>                   vuxml:1ca8228f-858d-11e0-a76c-000743057ca2
>   
>   Revision  Changes    Path
>   1.2365    +67 -1     ports/security/vuxml/vuln.xml
>   1.8       +1 -0      ports/www/mod_pubcookie/Makefile
>   1.8       +11 -6     ports/www/pubcookie-login-server/Makefile
> 
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.2364&r2=1.2365&f=h
> | --- ports/security/vuxml/vuln.xml	2011/05/23 22:22:43	1.2364
> | +++ ports/security/vuxml/vuln.xml	2011/05/23 23:04:41	1.2365
> | @@ -28,12 +28,78 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O
> |  OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
> |  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> |  
> | -  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2364 2011/05/23 22:22:43 ohauer Exp $
> | +  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v 1.2365 2011/05/23 23:04:41 brooks Exp $
> |  
> |  Note:  Please add new entries to the beginning of this file.
> |  
> |  -->
> |  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> | +  <vuln vid="115a1389-858e-11e0-a76c-000743057ca2">
> | +    <topic>Pubcookie Login Server -- XSS Vulnerability</topic>
> | +    <affects>
> | +      <package>
> | +	<name>pubcookie-login-server</name>
> | +	<range><lt>3.3.2d</lt></range>
> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns="http://www.w3.org/1999/xhtml">
> | +	<p>Nathan Dors, Pubcookie Project reports:</p>
> | +	<blockquote cite="http://pubcookie.org/news/20070606-login-secadv.html">
> | +	  <p>A  new non-persistent XSS vulnerability was found in the
> | +            Pubcookie login server's compiled binary "index.cgi" CGI
> | +            program. The CGI program mishandles untrusted data when
> | +            printing responses to the browser. This makes the program
> | +            vulnerable to carefully crafted requests containing script
> | +            or HTML. If an attacker can lure an unsuspecting user to
> | +            visit carefully staged content, the attacker can use it to
> | +            redirect the user to his or her local Pubcookie login page
> | +            and attempt to exploit the XSS vulnerability.</p>
> | +	</blockquote>
> | +      </body>
> | +    </description>
> | +    <references>
> | +      <url>http://pubcookie.org/news/20070606-login-secadv.html</url>
> | +    </references>
> | +    <dates>
> | +      <discovery>2007-05-25</discovery>
> | +      <entry>2011-05-23</entry>
> | +    </dates>
> | +  </vuln>
> | +
> | +  <vuln vid="1ca8228f-858d-11e0-a76c-000743057ca2">
> | +    <topic>mod_pubcookie -- Empty Authentication Security Advisory</topic>
> | +    <affects>
> | +      <package>
> | +	<name>ap*-mod_pubcookie</name>
> | +	<range>><ge>3.1.0</ge><lt>3.3.2b</lt></range>
> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns="http://www.w3.org/1999/xhtml">
> | +	<p>Nathan Dors, Pubcookie Project reports:</p>
> | +	<blockquote cite="http://pubcookie.org/news/20061106-empty-auth-secadv.html">
> | +	  <p>An Abuse of Functionality vulnerability in the Pubcookie
> | +	     authentication process was found. This vulnerability
> | +	     allows an attacker to appear as if he or she were
> | +	     authenticated using an empty userid when such a userid
> | +	     isn't expected. Unauthorized access to web content and
> | +	     applications may result where access is restricted to
> | +	     users who can authenticate successfully but where no
> | +	     additional authorization is performed after
> | +	     authentication.</p>
> | +	</blockquote>
> | +      </body>
> | +    </description>
> | +    <references>
> | +      <url>http://pubcookie.org/news/20061106-empty-auth-secadv.html</url>
> | +    </references>
> | +    <dates>
> | +      <discovery>2006-10-04</discovery>
> | +      <entry>2011-05-23</entry>
> | +    </dates>
> | +  </vuln>
> | +
> |    <vuln vid="7af2fb85-8584-11e0-96b7-00300582f9fc">
> |      <topic>ViewVC -- user-reachable override of cvsdb row limit</topic>
> |      <affects>
> http://cvsweb.FreeBSD.org/ports/www/mod_pubcookie/Makefile.diff?r1=1.7&r2=1.8&f=h
> | --- ports/www/mod_pubcookie/Makefile	2010/12/12 08:44:49	1.7
> | +++ ports/www/mod_pubcookie/Makefile	2011/05/23 23:04:41	1.8
> | @@ -2,7 +2,7 @@
> |  # Date created:				Sat Jan 21, 2006
> |  # Whom:					Brooks Davis <brooks at freebsd.org>
> |  #
> | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.7 2010/12/12 08:44:49 pgollucci Exp $
> | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/mod_pubcookie/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $
> |  #
> |  
> |  PORTNAME=	pubcookie
> | @@ -17,6 +17,7 @@ COMMENT=	A single sign-on system for web
> |  
> |  MAKE_JOBS_UNSAFE=	yes
> |  
> | +FORBIDDEN=	vuxml:1ca8228f-858d-11e0-a76c-000743057ca2
> |  DEPRECATED=	will be unsupported by ASF when 2.4.0 is release, migrate to 2.2.x+ now
> |  EXPIRATION_DATE=	2011-05-01
> |  
> http://cvsweb.FreeBSD.org/ports/www/pubcookie-login-server/Makefile.diff?r1=1.7&r2=1.8&f=h
> | --- ports/www/pubcookie-login-server/Makefile	2011/02/25 01:32:11	1.7
> | +++ ports/www/pubcookie-login-server/Makefile	2011/05/23 23:04:41	1.8
> | @@ -2,7 +2,7 @@
> |  # Date created:				Sat Jan 21, 2006
> |  # Whom:					Brooks Davis <brooks at freebsd.org>
> |  #
> | -# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.7 2011/02/25 01:32:11 delphij Exp $
> | +# $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/www/pubcookie-login-server/Makefile,v 1.8 2011/05/23 23:04:41 brooks Exp $
> |  #
> |  
> |  PORTNAME=	pubcookie
> | @@ -16,6 +16,10 @@ DISTNAME=	${PORTNAME}-3.3.0a
> |  MAINTAINER=	brooks at FreeBSD.org
> |  COMMENT=	A single sign-on system for websites (login server)
> |  
> | +FORBIDDEN=      vuxml:115a1389-858e-11e0-a76c-000743057ca2
> | +DEPRECATED=	Unused by maintiner, needs updates.
> | +EXPIRATION_DATE=	2011-06-06
> | +
> |  CONFLICTS=      mod_pubcookie-[0-9]*
> |  
> |  OPTIONS=	LDAP "Enable LDAP verifier" on \
> | @@ -35,15 +39,16 @@ PC_BASE?=	${PORTNAME}
> |  PC_DIR=		${PREFIX}/${PC_BASE}
> |  
> |  SUB_FILES+=	pkg-install
> | -SUB_LIST+=	CONF_FILES="${CONF_FILES}" CONF_DIRS="${CONF_DIRS}"
> | +SUB_LIST+=	CONF_FILES="${PUBCOOKIE_CONF_FILES}" \
> | +		CONF_DIRS="${PUBCOOKIE_CONF_DIRS}"
> |  PKGINSTALL=	${WRKDIR}/pkg-install
> |  PKGDEINSTALL=	${PKGINSTALL}
> |  .include "${.CURDIR}/Makefile.templates"
> | -CONF_FILES+=	${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|}
> | -CONF_DIRS+=	${PC_BASE}/login_templates
> | -CONF_FILES+=	${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|}
> | -CONF_DIRS+=	${PC_BASE}/login/images
> | -CONF_FILES+=	${PC_BASE}/config.login.sample:${PC_BASE}/config
> | +PUBCOOKIE_CONF_FILES+=	${LOGIN_TEMPLATES:C|(.*)|${PC_BASE}/login_templates.default/\1:${PC_BASE}/login_templates/\1|}
> | +PUBCOOKIE_CONF_DIRS+=	${PC_BASE}/login_templates
> | +PUBCOOKIE_CONF_FILES+=	${LOGIN_IMAGES:C|(.*)|${PC_BASE}/login_templates.default/images/\1:${PC_BASE}/login/images/\1|}
> | +PUBCOOKIE_PUBCOOKIE_CONF_DIRS+=	${PC_BASE}/login/images
> | +PUBCOOKIE_CONF_FILES+=	${PC_BASE}/config.login.sample:${PC_BASE}/config
> |  
> |  # XXX Add Kerberos
> |  


-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. System Admin,                 Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


More information about the cvs-all mailing list