Re: svn commit: r537897 - head/security/vuxml
wen heping
wenheping2000 at hotmail.com
Thu Jun 4 23:44:14 UTC 2020
Fixed in r537980.
Thank you!
wen
________________________________
From: Dan Langille <dan at langille.org>
Sent: 5 June 2020 5:09
To: Wen Heping <wen at FreeBSD.org>; ports-committers at freebsd.org <ports-committers at freebsd.org>; svn-ports-all at freebsd.org <svn-ports-all at freebsd.org>; svn-ports-head at freebsd.org <svn-ports-head at freebsd.org>
Subject: Re: svn commit: r537897 - head/security/vuxml
On Thu, Jun 4, 2020, at 10:25 AM, Wen Heping wrote:
> Author: wen
> Date: Thu Jun 4 14:25:13 2020
> New Revision: 537897
> URL: https://svnweb.freebsd.org/changeset/ports/537897
>
> Log:
> - Document Django multiple vulnerabilities
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml Thu Jun 4 13:59:06 2020 (r537896)
> +++ head/security/vuxml/vuln.xml Thu Jun 4 14:25:13 2020 (r537897)
> @@ -58,6 +58,49 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="597d02ce-a66c-11ea-af32-080027846a02">
> + <topic>Django -- multiple vulnerabilities</topic>
> + <affects>
> + <package>
> + <name>py36-django22</name>
> + <name>py37-django22</name>
> + <name>py38-django22</name>
> + <range><lt>2.2.13</lt></range>
> + </package>
> + <package>
> + <name>py36-django22</name>
> + <name>py37-django22</name>
> + <name>py38-django22</name>
> + <range><lt>3.0.7</lt></range>
Are those the correct names for 3.0.7?
Should they be django30 not django22?
I ask because it seems to duplicate the previous names and makes my fixed
version vuln:
$ pkg audit
py37-django22-2.2.13 is vulnerable:
Django -- multiple vulnerabilities
CVE: CVE-2020-13596
CVE: CVE-2020-13254
WWW: https://vuxml.FreeBSD.org/freebsd/597d02ce-a66c-11ea-af32-080027846a02.html
1 problem(s) in 1 installed package(s) found.
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Django security release reports:</p>
> + <blockquote
> cite="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/">
> + <p>CVE-2020-13254: Potential data leakage via malformed memcached
> keys</p>
> + <p>In cases where a memcached backend does not perform key
> validation, passing
> + malformed cache keys could result in a key collision, and potential
> data leakage.
> + In order to avoid this vulnerability, key validation is added to
> the memcached
> + cache backends.</p>
> + <p>CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget</p>
> + <p>Query parameters for the admin ForeignKeyRawIdWidget were not
> properly URL
> + encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now
> ensures query
> + parameters are correctly URL encoded.</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> +
> <url>https://www.djangoproject.com/weblog/2020/jun/03/security-releases/</url>
> + <cvename>CVE-2020-13254</cvename>
> + <cvename>CVE-2020-13596</cvename>
> + </references>
> + <dates>
> + <discovery>2020-06-01</discovery>
> + <entry>2020-06-04</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3">
> <topic>malicious URLs may present credentials to wrong
> server</topic>
> <affects>
>
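Review bot: the second `<package>` block (the one carrying `<range><lt>3.0.7</lt></range>`) repeats the `py36-django22`, `py37-django22` and `py38-django22` names from the first block, so an installed `py37-django22-2.2.13`, which already carries the 2.2.13 fix, is still matched by the `<lt>3.0.7</lt>` range; that is exactly the false positive the `pkg audit` output in the reply shows. Replace those three `<name>` entries with the django30 counterparts (as the reply suggests) so each range applies only to the release branch it fixes, and re-run `pkg audit` against a 2.2.13 install to confirm it no longer reports the entry.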
--
Dan Langille
dan at langille.org