ports/161734: [vuxml] security/vuxml: PivotX -- Remote File Inclusion Vulnerability of TimThumb
Fumiyuki Shimizu
fumifumi at abacustech.jp
Mon Oct 17 07:40:08 UTC 2011
>Number: 161734
>Category: ports
>Synopsis: [vuxml] security/vuxml: PivotX -- Remote File Inclusion Vulnerability of TimThumb
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 17 07:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Fumiyuki Shimizu
>Release: FreeBSD 8.1-RELEASE i386
>Organization:
Abacus Technologies, Inc.
>Environment:
System: FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010
>Description:
Currently a TimThumb.php remote file inclusion attack is in the wild.
Port maintainer (secteam at FreeBSD.org) is cc'd.
Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:
--- vuxml-1.1_1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/vuxml/vuln.xml /usr/home/fumifumi/vuxml/vuln.xml
--- /usr/ports/security/vuxml/vuln.xml 2011-10-17 03:39:44.000000000 +0900
+++ /usr/home/fumifumi/vuxml/vuln.xml 2011-10-17 16:03:06.000000000 +0900
@@ -34,6 +34,40 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="e454ca2f-f88d-11e0-b566-00163e01a509">
+ <topic>PivotX -- Remote File Inclusion Vulnerability of TimThumb</topic>
+ <affects>
+ <package>
+ <name>pivotx</name>
+ <range><lt>2.3.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PivotX team reports:</p>
+ <blockquote cite="http://blog.pivotx.net/page/security">
+ <p>TimThumb domain name security bypass and insecure cache
+ handling. PivotX before 2.3.0 includes a vulnerable version
+ of TimThumb.</p>
+ </blockquote>
+ <blockquote cite="http://blog.pivotx.net/2011-10-14/timthumb-update-for-older-pivotx-installs">
+ <p>If you are still running PivotX 2.2.6, you might be
+ vulnerable to a security exploit, that was patched
+ previously. Version 2.3.0 doesn't have this issue, but any
+ older version of PivotX might be vulnerable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <bid>45416</bid>
+ <url>https://secunia.com/advisories/45416/</url>
+ </references>
+ <dates>
+ <discovery>2011-08-03</discovery>
+ <entry>2011-10-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="9bad5ab1-f3f6-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Multiple buffer overflows in validation of external data</topic>
<affects>
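Review bot: the same number 45416 is given both as a Bugtraq ID (`<bid>45416</bid>`) and as the Secunia advisory number in the `<url>` on the next line; these are separate numbering schemes, so one of the two is very likely wrong. Either confirm the BID independently or drop the `<bid>` element and keep only the Secunia URL. The two `cite` URLs on the blockquotes (http://blog.pivotx.net/page/security and the 2011-10-14 TimThumb update post) are the primary vendor sources for this entry and should also be listed as `<url>` elements under `<references>` so they are machine-visible, not only buried in the description markup.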
--- vuxml-1.1_1.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: