svn commit: r412444 - head/security/vuxml
Jason Unovitch
junovitch at FreeBSD.org
Sun Apr 3 02:27:48 UTC 2016
Author: junovitch
Date: Sun Apr 3 02:27:46 2016
New Revision: 412444
URL: https://svnweb.freebsd.org/changeset/ports/412444
Log:
Document djblets vulnerability from the 0.9.2 release notes
Security: https://vuxml.FreeBSD.org/freebsd/df328fac-f942-11e5-92ce-002590263bf5.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Apr 3 02:20:14 2016 (r412443)
+++ head/security/vuxml/vuln.xml Sun Apr 3 02:27:46 2016 (r412444)
@@ -58,6 +58,40 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="df328fac-f942-11e5-92ce-002590263bf5">
+ <topic>py-djblets -- Self-XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>py27-djblets</name>
+ <name>py32-djblets</name>
+ <name>py33-djblets</name>
+ <name>py34-djblets</name>
+ <name>py35-djblets</name>
+ <range><lt>0.9.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Djblets Release Notes reports:</p>
+ <blockquote cite="https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/">
+ <p>A recently-discovered vulnerability in the datagrid templates allows an
+ attacker to generate a URL to any datagrid page containing malicious code
+ in a column sorting value. If the user visits that URL and then clicks
+ that column, the code will execute.</p>
+ <p>The cause of the vulnerability was due to a template not escaping
+ user-provided values.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/</url>
+ </references>
+ <dates>
+ <discovery>2016-03-01</discovery>
+ <entry>2016-04-03</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a430e15d-f93f-11e5-92ce-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
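Review bot: the `<discovery>2016-03-01</discovery>` value in the `<dates>` block is not supported by anything quoted in the entry; the only reference is the 0.9.2 release notes URL, so either confirm that the date comes from those notes or cite where it was taken from. A second point on the same hunk: `<topic>` calls this a "Self-XSS vulnerability", while the quoted description has the attacker generating the URL and the code executing once the victim visits it and clicks the column, which reads like a reflected XSS with a user-interaction step; consider wording the topic to match the quoted description, for example "py-djblets -- XSS vulnerability in datagrid column sorting".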