svn commit: r339828 - branches/2014Q1/security/vuxml
Remko Lodder
remko at FreeBSD.org
Wed Jan 15 22:19:39 UTC 2014
On 15 Jan 2014, at 23:18, Rene Ladan <rene at FreeBSD.org> wrote:
> Author: rene
> Date: Wed Jan 15 22:18:00 2014
> New Revision: 339828
> URL: http://svnweb.freebsd.org/changeset/ports/339828
> QAT: https://qat.redports.org/buildarchive/r339828/
>
> Log:
> MFH: r339825
>
> Document new vulnerabilities in www/chromium < 32.0.1700.77
>
> Obtained from: http://googlechromereleases.blogspot.nl/
>
> MFH: r339721
>
> Merge latest ntpd entry from remko@ which came in as a merge conflict.
>
> Approved by: portmgr (erwin)
Thank you!
>
> Modified:
> branches/2014Q1/security/vuxml/vuln.xml
> Directory Properties:
> branches/2014Q1/ (props changed)
>
> Modified: branches/2014Q1/security/vuxml/vuln.xml
> ==============================================================================
> --- branches/2014Q1/security/vuxml/vuln.xml Wed Jan 15 22:11:43 2014 (r339827)
> +++ branches/2014Q1/security/vuxml/vuln.xml Wed Jan 15 22:18:00 2014 (r339828)
> @@ -51,6 +51,87 @@ Note: Please add new entries to the beg
>
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="5acf4638-7e2c-11e3-9fba-00262d5ed8ee">
> + <topic>chromium -- multiple vulnerabilities</topic>
> + <affects>
> + <package>
> + <name>chromium</name>
> + <range><lt>32.0.1700.77</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Google Chrome Releases reports:</p>
> + <blockquote cite="http://googlechromereleases.blogspot.nl/">
> + <p>11 security fixes in this release, including:</p>
> + <ul>
> + <li>[249502] High CVE-2013-6646: Use-after-free in web workers.
> + Credit to Collin Payne.</li>
> + <li>[326854] High CVE-2013-6641: Use-after-free related to forms.
> + Credit to Atte Kettunen of OUSPG.</li>
> + <li>[324969] High CVE-2013-6642: Address bar spoofing in Chrome for
> + Android. Credit to lpilorz.</li>
> + <li>[321940] High CVE-2013-6643: Unprompted sync with an attacker’s
> + Google account. Credit to Joao Lucas Melo Brasio.</li>
> + <li>[318791] Medium CVE-2013-6645 Use-after-free related to speech
> + input elements. Credit to Khalil Zhani.</li>
> + <li>[333036] CVE-2013-6644: Various fixes from internal audits,
> + fuzzing and other initiatives.</li>
> + </ul>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <cvename>CVE-2013-6641</cvename>
> + <cvename>CVE-2013-6642</cvename>
> + <cvename>CVE-2013-6643</cvename>
> + <cvename>CVE-2013-6644</cvename>
> + <cvename>CVE-2013-6645</cvename>
> + <cvename>CVE-2013-6646</cvename>
> + <url>http://googlechromereleases.blogspot.nl/</url>
> + </references>
> + <dates>
> + <discovery>2014-01-14</discovery>
> + <entry>2014-01-15</entry>
> + </dates>
> + </vuln>
> +
> + <vuln vid="3d95c9a7-7d5c-11e3-a8c1-206a8a720317">
> + <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command</topic>
> + <affects>
> + <package>
> + <name>ntp</name>
> + <range><lt>4.2.7p26</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>ntp.org reports:</p>
> + <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using">
> + <p>Unrestricted access to the monlist feature in
> + ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
> + attackers to cause a denial of service (traffic
> + amplification) via forged (1) REQ_MON_GETLIST or (2)
> + REQ_MON_GETLIST_1 requests, as exploited in the wild in
> + December 2013</p>
> + <p>Use noquery to your default restrictions to block all
> + status queries.</p>
> + <p>Use disable monitor to disable the ``ntpdc -c monlist''
> + command while still allowing other status queries.</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <cvename>CVE-2013-5211</cvename>
> + <freebsdsa>SA-14:02.ntpd</freebsdsa>
> + <url>http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using</url>
> + </references>
> + <dates>
> + <discovery>2014-01-01</discovery>
> + <entry>2014-01-14</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="ba04a373-7d20-11e3-8992-00132034b086">
> <topic>nagios -- denial of service vulnerability</topic>
> <affects>
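Review bot: The `<topic>` of the ntp entry (vid 3d95c9a7-7d5c-11e3-a8c1-206a8a720317) does not follow the "name -- description" form that the chromium entry added above it and the existing nagios entry below it both use. Consider `<topic>ntp -- DRDoS / amplification attack using ntpdc monlist command</topic>` so the entry reads consistently with its neighbours in listings. Two smaller points in the same hunk: the `<li>` for CVE-2013-6645 lacks the colon after the CVE id that the other list items carry ("Medium CVE-2013-6645 Use-after-free"), and the first quoted ntp.org paragraph ends at "December 2013" without a full stop. If both are verbatim from the upstream notices they can stay as they are.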
> _______________________________________________
> svn-ports-all at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/svn-ports-all
> To unsubscribe, send any mail to "svn-ports-all-unsubscribe at freebsd.org"
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder | remko at EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News