svn commit: r499855 - head/security/vuxml
Jochen Neumeister
joneum at FreeBSD.org
Wed Apr 24 18:33:12 UTC 2019
On 24.04.19 20:28, Jochen Neumeister wrote:
>
> On 24.04.19 17:30, Josh Paetzel wrote:
>> Author: jpaetzel
>> Date: Wed Apr 24 15:30:40 2019
>> New Revision: 499855
>> URL: https://svnweb.freebsd.org/changeset/ports/499855
>>
>> Log:
>> Document py-yaml vulnerability
>> PR: 237501
>> Submitted by: sergey at akhmatov.ru
>> Security: CVE-2017-18342
>
>
> Where is:
>
> Security: f6ea18bb-65b9-11e9-8b31-002590045d9c
> MFH: 2019Q2
>
>
> Greetings
Wrong Mail. I mean this commit:
https://svnweb.freebsd.org/changeset/ports/499857
Pls commit it to MFH2019Q2 with my Approved
Greetings
>
>
>>
>> Modified:
>> head/security/vuxml/vuln.xml
>>
>> Modified: head/security/vuxml/vuln.xml
>> ==============================================================================
>>
>> --- head/security/vuxml/vuln.xml Wed Apr 24 15:13:52 2019 (r499854)
>> +++ head/security/vuxml/vuln.xml Wed Apr 24 15:30:40 2019 (r499855)
>> @@ -58,6 +58,37 @@ Notes:
>> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>> -->
>> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>> + <vuln vid="f6ea18bb-65b9-11e9-8b31-002590045d9c">
>> + <topic>py-yaml -- arbitrary code execution</topic>
>> + <affects>
>> + <package>
>> + <name>py27-yaml</name>
>> + <name>py35-yaml</name>
>> + <name>py36-yaml</name>
>> + <name>py37-yaml</name>
>> + <range><lt>4.1</lt></range>
>> + </package>
>> + </affects>
>> + <description>
>> + <body xmlns="http://www.w3.org/1999/xhtml">
>> + <p>pyyaml reports:</p>
>> + <blockquote
>> cite="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation">
>> + <p>the PyYAML.load function could be easily exploited to call
>> any Python
>> + function. That means it could call any system command using
>> os.system()</p>
>> + </blockquote>
>> + </body>
>> + </description>
>> + <references>
>> + <cvename>CVE-2017-18342</cvename>
>> +
>> <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342</url>
>> + <url>https://github.com/yaml/pyyaml/pull/74</url>
>> + </references>
>> + <dates>
>> + <discovery>2018-06-27</discovery>
>> + <entry>2019-04-23</entry>
>> + </dates>
>> + </vuln>
>> +
>> <vuln vid="a207bbd8-6572-11e9-8e67-206a8a720317">
>> <topic>FreeBSD -- EAP-pwd message reassembly issue with
>> unexpected fragment</topic>
>> <affects>
>>
>
More information about the svn-ports-all
mailing list