svn commit: r477823 - head/security/vuxml

Matthew Seaman matthew at FreeBSD.org
Wed Aug 22 22:06:13 UTC 2018


On 22/08/2018 22:24, Dan Langille wrote:
>> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew at FreeBSD.org> wrote:
>>
>> Author: matthew
>> Date: Wed Aug 22 20:32:50 2018
>> New Revision: 477823
>> URL: https://svnweb.freebsd.org/changeset/ports/477823
>>
>> Log:
>>  Document the latest phpMyAdmin security advisory PMASA-2018-5
>>
>> Modified:
>>  head/security/vuxml/vuln.xml
>>
>> Modified: head/security/vuxml/vuln.xml
>> ==============================================================================
>> --- head/security/vuxml/vuln.xml	Wed Aug 22 20:32:03 2018	(r477822)
>> +++ head/security/vuxml/vuln.xml	Wed Aug 22 20:32:50 2018	(r477823)
>> @@ -58,6 +58,37 @@ Notes:
>>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>> -->
>> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>> +  <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
>> +    <topic>phpmyadmin -- XSS in the import dialog</topic>
>> +    <affects>
>> +      <package>
>> +	<name>phpmyadmin</name>
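Review bot: `<name>phpmyadmin</name>` at the end of this hunk is the port directory name, not the package name, so the entry will not flag installed packages; databases/phpmyadmin packages as `phpMyAdmin` on the older quarterly branches and as `phpMyAdmin-php56` (and the other PHP flavour suffixes) since `PKGNAMESUFFIX=${PHP_PKGNAMESUFFIX}` was added in r466558. List one `<name>` per package name that the active branches actually produce, e.g. `<name>phpMyAdmin</name>`, `<name>phpMyAdmin-php56</name>`, and the remaining `phpMyAdmin-phpNN` variants, so that every flavour is matched.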
> 
> I am not sure this will correctly flag the affected packages.
> 
> 1 - the package name is more like phpMyAdmin-PHP VERSION
> 
> It was once just phpMyAdmin which was easy for a vuxml entry.
> 
> Recently, it changed to include PKGNAMESUFFIX=  ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
> 
>   https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
> 
> My idea for fixing: add name entries for:
> 
> * phpMyAdmin
> * phpMyAdmin-php56
> * phpMyAdmin-php(all the other versions)
> 
> Does this make sense?
> 
> reference data below:
> 
> freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
>    package_name   |              element_pathname
> ------------------+---------------------------------------------
>  phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2016Q4/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2017Q1/databases/phpmyadmin
>  phpMyAdmin       | /ports/branches/2018Q1/databases/phpmyadmin
>  phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
> (5 rows)

I've updated the vuxml to list all of the PKGNAMES in the currently
active branches in ports SVN. Anyone running a sufficiently old copy
of phpMyAdmin that it doesn't have a flavour suffix would already be
getting security flags from the previous crop of PMA vulns.

	Cheers,

	Matthew
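The mismatch Dan describes, as an added example that is not code from this thread or from pkg(8): a small Python matcher that applies a vuxml `<affects>` block to a constructed `pkg query '%n-%v'` listing the way pkg audit does, by exact package name plus version range, and shows that the entry as committed (`<name>phpmyadmin</name>`) flags nothing while an entry listing the flavoured PKGNAMEs does. The thread only shows `phpMyAdmin` and `phpMyAdmin-php56`; the names `phpMyAdmin-php70/71/72`, the `<lt>4.8.3</lt>` bound and the installed-package list are assumptions for illustration, and the version comparison is a simplified subset of pkg(8) rules (dotted numerics, `_revision`, `,epoch`). The entries are trimmed to the elements that matter for matching; a real vuln.xml entry also carries description, references and dates.

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# vid is the one from r477823; the fixed version 4.8.3 is an assumption,
# the thread does not state it.
VID = "9e205ef5-a649-11e8-b1f6-6805ca0b3d42"


def make_entry(names, lt="4.8.3"):
    """Build a minimal vuxml document with one <package> carrying the given names."""
    names_xml = "\n        ".join(f"<name>{n}</name>" for n in names)
    return f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="{VID}">
    <topic>phpmyadmin -- XSS in the import dialog</topic>
    <affects>
      <package>
        {names_xml}
        <range><lt>{lt}</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


# The entry as committed: port directory name, not a PKGNAME.
AS_COMMITTED = make_entry(["phpmyadmin"])

# Corrected entry: one <name> per package name the branches produce.
# php70/php71/php72 suffixes are assumed ("all the other versions").
CORRECTED = make_entry([
    "phpMyAdmin", "phpMyAdmin-php56", "phpMyAdmin-php70",
    "phpMyAdmin-php71", "phpMyAdmin-php72",
])

# Constructed `pkg query '%n-%v'` output from a hypothetical host.
INSTALLED = [
    "phpMyAdmin-php56-4.8.2",     # vulnerable, flavoured name
    "phpMyAdmin-php72-4.8.2_1",   # vulnerable, with PORTREVISION
    "phpMyAdmin-4.7.9",           # vulnerable, old unflavoured name
    "phpMyAdmin-php71-4.8.3",     # already at the (assumed) fixed version
    "php72-7.2.9",                # unrelated package, must never match
]


def parse_version(v):
    """Simplified pkg(8) version key: (epoch, numeric dotted parts, revision).
    Accepts forms like 4.8.2, 4.8.2_1 and 4.8.2_1,1; non-numeric parts dropped."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return (epoch, parts, rev)


OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, rng):
    """All bounds inside one <range> must hold for the installed version."""
    pv = parse_version(version)
    conds = [(child.tag.split("}")[1], parse_version(child.text)) for child in rng]
    return all(OPS[op](pv, bound) for op, bound in conds)


def audit(vuln_xml, installed):
    """Return [(installed_pkg, vid)] for installed packages matched by name and range.
    Name matching is exact and case-sensitive, as pkg audit does it."""
    root = ET.fromstring(vuln_xml)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text for n in pkg.findall("v:name", NS)}
            ranges = pkg.findall("v:range", NS)
            for inst in installed:
                # pkg versions never contain '-', so the last '-' splits name/version.
                name, version = inst.rsplit("-", 1)
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.append((inst, vid))
    return hits


if __name__ == "__main__":
    print("as committed:", audit(AS_COMMITTED, INSTALLED))
    print("corrected:   ", audit(CORRECTED, INSTALLED))
```

Running it shows the as-committed entry matching no installed package at all, which is the silent failure mode: `pkg audit` reports a clean system while three vulnerable phpMyAdmin packages are installed. The corrected entry flags the two flavoured packages and the old unflavoured one, and leaves the package already at the assumed fixed version and the unrelated `php72` package alone. In the real tree, `make -C security/vuxml validate` checks the XML, and `make -V PKGNAME FLAVOR=<flavor>` in databases/phpmyadmin prints the name each flavour actually produces.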


