svn commit: r344334 - head/security/vuxml
Li-Wen Hsu
lwhsu at FreeBSD.org
Sat Feb 15 09:07:34 UTC 2014
Author: lwhsu
Date: Sat Feb 15 09:07:33 2014
New Revision: 344334
URL: http://svnweb.freebsd.org/changeset/ports/344334
QAT: https://qat.redports.org/buildarchive/r344334/
Log:
whitespace
Notified by: remko
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Feb 15 09:04:16 2014 (r344333)
+++ head/security/vuxml/vuln.xml Sat Feb 15 09:07:33 2014 (r344334)
@@ -73,48 +73,48 @@ Note: Please add new entries to the beg
<li>
<p>iSECURITY-105</p>
<p>In some places, Jenkins XML API uses XStream to deserialize
- arbitrary content, which is affected by CVE-2013-7285 reported
- against XStream. This allows malicious users of Jenkins with
- a limited set of permissions to execute arbitrary code inside
- Jenkins master.</p>
+ arbitrary content, which is affected by CVE-2013-7285 reported
+ against XStream. This allows malicious users of Jenkins with
+ a limited set of permissions to execute arbitrary code inside
+ Jenkins master.</p>
</li>
<li>
<p>SECURITY-76 & SECURITY-88 / CVE-2013-5573</p>
<p>Restrictions of HTML tags for user-editable contents are too
- lax. This allows malicious users of Jenkins to trick other
- unsuspecting users into providing sensitive information.</p>
+ lax. This allows malicious users of Jenkins to trick other
+ unsuspecting users into providing sensitive information.</p>
</li>
<li>
<p>SECURITY-109</p>
<p>Plugging a hole in the earlier fix to SECURITY-55. Under some
- circimstances, a malicious user of Jenkins can configure job
- X to trigger another job Y that the user has no access to.</p>
+ circimstances, a malicious user of Jenkins can configure job
+ X to trigger another job Y that the user has no access to.</p>
</li>
<li>
<p>SECURITY-108</p>
<p>CLI job creation had a directory traversal vulnerability. This
- allows a malicious user of Jenkins with a limited set of
- permissions to overwrite files in the Jenkins master and
- escalate privileges.</p>
+ allows a malicious user of Jenkins with a limited set of
+ permissions to overwrite files in the Jenkins master and
+ escalate privileges.</p>
</li>
<li>
<p>SECURITY-106</p>
<p>The embedded Winstone servlet container is susceptive to
- session hijacking attack.</p>
+ session hijacking attack.</p>
</li>
<li>
<p>SECURITY-93</p>
<p>The password input control in the password parameter
- definition in the Jenkins UI was serving the actual value of
- the password in HTML, not an encrypted one. If a sensitive
- value is set as the default value of such a parameter
- definition, it can be exposed to unintended audience.</p>
+ definition in the Jenkins UI was serving the actual value of
+ the password in HTML, not an encrypted one. If a sensitive
+ value is set as the default value of such a parameter
+ definition, it can be exposed to unintended audience.</p>
</li>
<li>
<p>SECURITY-89</p>
<p>Deleting the user was not invalidating the API token,
- allowing users to access Jenkins when they shouldn't be
- allowed to do so.</p>
+ allowing users to access Jenkins when they shouldn't be
+ allowed to do so.</p>
</li>
<li>
<p>SECURITY-80</p>
@@ -123,52 +123,52 @@ Note: Please add new entries to the beg
<li>
<p>SECURITY-79</p>
<p>"Jenkins' own user database" was revealing the
- presence/absence of users when login attempts fail.</p>
+ presence/absence of users when login attempts fail.</p>
</li>
<li>
<p>SECURITY-77</p>
<p>Jenkins had a cross-site scripting vulnerability in one of its
- cookies. If Jenkins is deployed in an environment that allows
- an attacker to override Jenkins cookies in victim's browser,
- this vulnerability can be exploited.</p>
+ cookies. If Jenkins is deployed in an environment that allows
+ an attacker to override Jenkins cookies in victim's browser,
+ this vulnerability can be exploited.</p>
</li>
<li>
<p>SECURITY-75</p>
<p>Jenkins was vulnerable to session fixation attack. If Jenkins
- is deployed in an environment that allows an attacker to
- override Jenkins cookies in victim's browser, this
- vulnerability can be exploited.</p>
+ is deployed in an environment that allows an attacker to
+ override Jenkins cookies in victim's browser, this
+ vulnerability can be exploited.</p>
</li>
<li>
<p>SECURITY-74</p>
<p>Stored XSS vulnerability. A malicious user of Jenkins with a
- certain set of permissions can cause Jenkins to store
- arbitrary HTML fragment.</p>
+ certain set of permissions can cause Jenkins to store
+ arbitrary HTML fragment.</p>
</li>
<li>
<p>SECURITY-73</p>
<p>Some of the system diagnostic functionalities were checking a
- lesser permission than it should have. In a very limited
- circumstances, this can cause an attacker to gain information
- that he shouldn't have access to.</p>
+ lesser permission than it should have. In a very limited
+ circumstances, this can cause an attacker to gain information
+ that he shouldn't have access to.</p>
</li>
</ol>
<p>Severity</p>
<ol>
<li>SECURITY-106, and SECURITY-80 are rated <strong>high</strong>. An attacker only
- needs direct HTTP access to the server to mount this attack.</li>
+ needs direct HTTP access to the server to mount this attack.</li>
<li>SECURITY-105, SECURITY-109, SECURITY-108, and SECURITY-74 are
- rated <strong>high</strong>. These vulnerabilities allow attackes with valid
- Jenkins user accounts to escalate privileges in various ways.</li>
+ rated <strong>high</strong>. These vulnerabilities allow attackes with valid
+ Jenkins user accounts to escalate privileges in various ways.</li>
<li>SECURITY-76, SECURIT-88, and SECURITY-89 are rated <strong>medium.</strong>
- These vulnerabilities requires an attacker to be an user of
- Jenkins, and the mode of the attack is limited.</li>
+ These vulnerabilities requires an attacker to be an user of
+ Jenkins, and the mode of the attack is limited.</li>
<li>SECURITY-93, and SECURITY-79 are <strong>rated</strong> low. These
- vulnerabilities only affect a small part of Jenkins and has
- limited impact.</li>
+ vulnerabilities only affect a small part of Jenkins and has
+ limited impact.</li>
<li>SECURITY-77, SECURITY-75, and SECURITY-73 are <strong>rated</strong> low. These
- vulnerabilities are hard to exploit unless combined with other
- exploit in the network.</li>
+ vulnerabilities are hard to exploit unless combined with other
+ exploit in the network.</li>
</ol>
</blockquote>
</body>
More information about the svn-ports-head
mailing list