svn commit: r503236 - head/security/vuxml
Kubilay Kocak
koobs at FreeBSD.org
Sat Jun 1 13:49:00 UTC 2019
Author: koobs
Date: Sat Jun 1 13:48:59 2019
New Revision: 503236
URL: https://svnweb.freebsd.org/changeset/ports/503236
Log:
security/vuxml: Add buildbot -- OAuth Authentication Vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Jun 1 13:27:32 2019 (r503235)
+++ head/security/vuxml/vuln.xml Sat Jun 1 13:48:59 2019 (r503236)
@@ -58,6 +58,43 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="ada8db8a-8471-11e9-8170-0050562a4d7b">
+ <topic>buildbot -- OAuth Authentication Vulnerability</topic>
+ <affects>
+ <package>
+ <name>py27-buildbot</name>
+ <name>py35-buildbot</name>
+ <name>py36-buildbot</name>
+ <name>py37-buildbot</name>
+ <range><lt>2.3.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <blockquote cite="https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication">
+ <p>Buildbot accepted user-submitted authorization token from OAuth and used
+ it to authenticate user.</p>
+ <p>The vulnerability can lead to malicious attackers to authenticate as legitimate users
+ of a Buildbot instance without knowledge of the victim's login credentials on certain
+ scenarios.</p>
+ <p>If an attacker has an application authorized to access data of another user at the
+ same Identity Provider as the used by the Buildbot instance, then he can acquire a token
+ to access the data of that user, supply the token to the Buildbot instance and successfully
+ login as the victim.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication</url>
+ <url>https://github.com/buildbot/buildbot/pull/4763</url>
+ <cvename>CVE-2019-12300</cvename>
+ </references>
+ <dates>
+ <discovery>2019-05-07</discovery>
+ <entry>2019-06-01</entry>
+ </dates>
+ </vuln>
+
<vuln vid="177fa455-48fc-4ded-ba1b-9975caa7f62a">
<topic>bro -- Unsafe integer conversions can cause unintentional code paths to be executed</topic>
<affects>
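Review bot: The affected range `<range><lt>2.3.1</lt></range>` carries no lower bound, so every buildbot release ever packaged is matched, including ones that presumably predate OAuth login support and cannot be affected; if the upstream advisory or pull request 4763 names the first affected release, adding a `<ge>` element (`<range><ge>FIRST-AFFECTED-VERSION</ge><lt>2.3.1</lt></range>`, placeholder to be filled from upstream) would keep pkg-audit from flagging installations that are not exposed. The description text is a verbatim upstream quote (the blockquote carries a cite attribute), so its wording is best left unchanged. The root cause the quote describes — treating a token the client submitted as proof of identity rather than a token obtained through the provider's code exchange — is worth a sentence in the entry so readers understand why only OAuth-enabled deployments are exposed, e.g. a closing paragraph `<p>Only instances configured for OAuth-based login are affected; upgrading to 2.3.1 fixes the token handling.</p>`, if the upstream advisory confirms that scope.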