svn commit: r509055 - head/security/vuxml

Kai Knoblich kai at FreeBSD.org
Thu Aug 15 21:22:37 UTC 2019


Author: kai
Date: Thu Aug 15 21:22:35 2019
New Revision: 509055
URL: https://svnweb.freebsd.org/changeset/ports/509055

Log:
  security/vuxml: Update entry for security/doas
  
  * Add a reference to OpenBSD's tech mailing list that explains the issues
    with doas(1)'s environmental security in further detail.
  * Clarify the origins of the reporting sources and fix a grammar nit.
  
  PR:		239629
  Reported by:	Sander Bos

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Aug 15 20:37:21 2019	(r509054)
+++ head/security/vuxml/vuln.xml	Thu Aug 15 21:22:35 2019	(r509055)
@@ -230,7 +230,7 @@ executed even without intentional action by the user.<
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>Jesse Smith of Resonating Media reports:</p>
+	<p>Jesse Smith (upstream author of the doas program) reported:</p>
 	<blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">
 	  <p>Previous versions of "doas" transferred most environment variables, such
 	    as USER, HOME, and PATH from the original user to the target user.
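Review bot: The new attribution "(upstream author of the doas program)" is ambiguous about which doas is meant. The blockquote cites github.com/slicer69/doas, while the reference added later in this change points at the openbsd-tech list, so a reader could take "upstream" to mean OpenBSD's doas. Consider naming the project explicitly, for example "Jesse Smith (author of the slicer69/doas port) reported:", so the attribution matches the cite URL.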
@@ -238,15 +238,19 @@ executed even without intentional action by the user.<
 	    Passing these variables could cause files in the wrong path or
 	    home directory to be read (or written to), which resulted in potential
 	    security problems.</p>
+	  <p>Many thanks to Sander Bos for reporting this issue and explaining
+	    how it can be exploited.</p>
 	</blockquote>
       </body>
     </description>
     <references>
+      <mlist msgid="2a5cda45ef35e885c9a8b1e at tedunangst.com">https://marc.info/?l=openbsd-tech&m=156105665713340&w=2</mlist>
       <url>https://github.com/slicer69/doas/releases/tag/6.1</url>
     </references>
     <dates>
       <discovery>2019-08-03</discovery>
       <entry>2019-08-09</entry>
+      <modified>2019-08-15</modified>
     </dates>
   </vuln>
 
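Review bot: On the added mlist line, the URL is shown with bare "&" separators ("?l=openbsd-tech&m=156105665713340&w=2"). Inside vuln.xml these have to be written as "&amp;" or the file is no longer well-formed XML, so please confirm the committed file has the escaped form and that the document still validates. The same line shows the msgid as "2a5cda45ef35e885c9a8b1e at tedunangst.com"; the attribute should carry the real Message-ID with "@", so check that the " at " form is only the list archive's address obfuscation and not what landed in the file. Separately, the new "Many thanks to Sander Bos" paragraph sits inside the blockquote that cites the 6.1 release page, so it should be verbatim text from that page; if it is the committer's own acknowledgement, it belongs outside the blockquote.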

