svn commit: r537897 - head/security/vuxml

Dan Langille dan at langille.org
Thu Jun 4 21:09:40 UTC 2020


On Thu, Jun 4, 2020, at 10:25 AM, Wen Heping wrote:
> Author: wen
> Date: Thu Jun  4 14:25:13 2020
> New Revision: 537897
> URL: https://svnweb.freebsd.org/changeset/ports/537897
> 
> Log:
>   - Document Django multiple vulnerabilities
> 
> Modified:
>   head/security/vuxml/vuln.xml
> 
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml	Thu Jun  4 13:59:06 2020	(r537896)
> +++ head/security/vuxml/vuln.xml	Thu Jun  4 14:25:13 2020	(r537897)
> @@ -58,6 +58,49 @@ Notes:
>    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> +  <vuln vid="597d02ce-a66c-11ea-af32-080027846a02">
> +    <topic>Django -- multiple vulnerabilities</topic>
> +    <affects>
> +      <package>
> +	<name>py36-django22</name>
> +	<name>py37-django22</name>
> +	<name>py38-django22</name>
> +	<range><lt>2.2.13</lt></range>
> +      </package>
> +      <package>
> +	<name>py36-django22</name>
> +	<name>py37-django22</name>
> +	<name>py38-django22</name>
> +	<range><lt>3.0.7</lt></range>

Are those the correct names for 3.0.7?

Should they be django30 not django22?

I ask because it seems to duplicate the previous names and makes my fixed
version vuln:

$ pkg audit
py37-django22-2.2.13 is vulnerable:
Django -- multiple vulnerabilities
CVE: CVE-2020-13596
CVE: CVE-2020-13254
WWW: https://vuxml.FreeBSD.org/freebsd/597d02ce-a66c-11ea-af32-080027846a02.html

1 problem(s) in 1 installed package(s) found.


> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>Django security release reports:</p>
> +	<blockquote 
> cite="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/">
> +	  <p>CVE-2020-13254: Potential data leakage via malformed memcached 
> keys</p>
> +	  <p>In cases where a memcached backend does not perform key 
> validation, passing
> +	  malformed cache keys could result in a key collision, and potential 
> data leakage.
> +	  In order to avoid this vulnerability, key validation is added to 
> the memcached
> +	  cache backends.</p>
> +	  <p>CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget</p>
> +	  <p>Query parameters for the admin ForeignKeyRawIdWidget were not 
> properly URL
> +	  encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now 
> ensures query
> +	  parameters are correctly URL encoded.</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      
> <url>https://www.djangoproject.com/weblog/2020/jun/03/security-releases/</url>
> +      <cvename>CVE-2020-13254</cvename>
> +      <cvename>CVE-2020-13596</cvename>
> +    </references>
> +    <dates>
> +      <discovery>2020-06-01</discovery>
> +      <entry>2020-06-04</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3">
>      <topic>malicious URLs may present credentials to wrong 
> server</topic>
>      <affects>
>
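Review bot: the second `<package>` block (the one carrying `<range><lt>3.0.7</lt></range>`) repeats the same three port names as the first block, py36-django22, py37-django22 and py38-django22, so any 2.2.x version below 3.0.7 still matches the entry, including the fixed 2.2.13; that is exactly the false positive shown in the `pkg audit` output above. The names in that second block should be the ports of the 3.0 branch (django30, as suggested above) so that the `<lt>3.0.7</lt>` range only applies to them, and the 2.2 ports are governed solely by `<lt>2.2.13</lt>`.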

-- 
  Dan Langille
  dan at langille.org
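As an added illustration of the range-matching problem raised in this reply (example code written for this page, not code from the commit, from pkg or from the VuXML tooling): it evaluates the `<affects>` block of the r537897 entry against installed name/version pairs the way `pkg audit` conceptually does, and lets the second block's port names be swapped for the proposed django30 names, which are assumed here rather than taken from the ports tree.

```python
import xml.etree.ElementTree as ET
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}
# Constructed from the r537897 hunk (only <affects> is needed); the second
# block's port names are a parameter so the proposed django30 fix can be tried.
TEMPLATE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="597d02ce-a66c-11ea-af32-080027846a02">
    <affects>
      <package>
        <name>py36-django22</name><name>py37-django22</name><name>py38-django22</name>
        <range><lt>2.2.13</lt></range>
      </package>
      <package>
        <name>py36-{s}</name><name>py37-{s}</name><name>py38-{s}</name>
        <range><lt>3.0.7</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

def version_key(v):
    # Assumption: plain dotted numeric versions.  pkg's real comparison also
    # handles letters, "_N" port revisions and ",N" epochs.
    return tuple(int(p) for p in v.split("."))

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag

def in_range(version, rng):
    vk = version_key(version)  # every bound inside one <range> must hold
    return all(OPS[local(b)](vk, version_key(b.text)) for b in rng)

def matching_constraints(vuln_xml, installed):
    """Map 'name-version' to the VuXML range constraints it falls into."""
    hits = {}
    root = ET.fromstring(vuln_xml)
    for pkg in root.findall(".//v:affects/v:package", NS):
        names = {n.text for n in pkg.findall("v:name", NS)}
        for name, version in installed:
            if name not in names:
                continue
            for rng in pkg.findall("v:range", NS):
                if in_range(version, rng):
                    desc = " and ".join(f"{local(b)} {b.text}" for b in rng)
                    hits.setdefault(f"{name}-{version}", []).append(desc)
    return hits
```

With `TEMPLATE.format(s="django22")` the installed `py37-django22-2.2.13` is reported as matching `lt 3.0.7`; with `s="django30"` it matches nothing, and only the 3.0 ports below 3.0.7 are flagged.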

