From nobody Tue Dec 21 23:41:45 2021
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C39771905A0E;
	Tue, 21 Dec 2021 23:41:46 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JJXzZ0My1z3vKS;
	Tue, 21 Dec 2021 23:41:46 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C6D6F130E5;
	Tue, 21 Dec 2021 23:41:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1BLNfjhP061337;
	Tue, 21 Dec 2021 23:41:45 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1BLNfj07061336;
	Tue, 21 Dec 2021 23:41:45 GMT
	(envelope-from git)
Date: Tue, 21 Dec 2021 23:41:45 GMT
Message-Id: <202112212341.1BLNfj07061336@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Don Lewis <truckman@FreeBSD.org>
Subject: git: 49ba7b28f0d0 - main - security/vuxml: Document opengrok RCE CVE-2021-2322
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: truckman
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 49ba7b28f0d0c74eaca815b6c54efc115d66b0d4
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1640130106;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=QdgO3/htQgS2jFvzlNAAWfDMr++IWHVzxpvXWZCPHIY=;
	b=DkDgaTmYhwcX5lOecSvq3hMZaIj9pke8xV2gOeQAAIfXqY5xSxE8uCRlLSCX4gqJcSXWmc
	ub/4gRKmb9P/jdB1R5mqHOrm36eErsc2A9qQV/Cl2euwoXHI0Vijjq18WkvKyey6e6rCrf
	SDoJWovM3y8qJ0OZ9f7RJFVZDklUTrhbqFMwr5aTxSwX5inwgtgbFisyUGotuEqVuwl6DG
	hA1w9aOuyjOcsZmIEjRtiYXuf1hyUFEgZhJqbVTLMYpFE6ZUKc3PyCnpjfgXmObzWVZsnf
	yNoS8tlsF4LHBWG2mud7OKeelqsnLm0JeIk/sD9Z3TIk2E6mT4hHdNjuSe1XXA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1640130106; a=rsa-sha256; cv=none;
	b=imZsdz7JCNr4HrV563faTblaJgIT+8Mxn33cn/+FpFYrcP6L9el0GArQnBSq1eVuWSO95n
	1BUC7YvRE51AMNnPk/e+CdVErxVwX34BtVxQFB+9I7R0VawnU5U9vYM2gOgQhJ6qIRKgg4
	bCgZhh7J2R5ueZA3lK7BCI3Uk9TDI/24ywMgMU8zGRYzS/pxXzwFOgxxzo3T10rM9p50gk
	WCBBqH5mooxqr+MBnHxgOkhmJGOIembFY0hWuOC/bJ6Ul6BIb8piQhH9oroPyYbxpmtRXE
	nf/rnOPu/zfgA4QZPVCarULBS5BDBopu16SDnz6mQkimSDh0q8TmIsJb3B4HgQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by truckman:

URL: https://cgit.FreeBSD.org/ports/commit/?id=49ba7b28f0d0c74eaca815b6c54efc115d66b0d4

commit 49ba7b28f0d0c74eaca815b6c54efc115d66b0d4
Author:     Don Lewis <truckman@FreeBSD.org>
AuthorDate: 2021-12-21 23:39:08 +0000
Commit:     Don Lewis <truckman@FreeBSD.org>
CommitDate: 2021-12-21 23:41:14 +0000

    security/vuxml: Document opengrok RCE CVE-2021-2322
---
 security/vuxml/vuln-2021.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 05b88cde90cf..cf52dabf0dcd 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,31 @@
+  <vuln vid="1135e939-62b4-11ec-b8e2-1c1b0d9ea7e6">
+    <topic>opengrok -- Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok.</topic>
+    <affects>
+      <package>
+	<name>opengrok</name>
+	<range><le>1.6.7</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Bobby Rauch of Accenture reports:</p>
+	<blockquote cite="https://medium.com/@bobbyrsec/oracle-opengrok-rce-cve-2021-2322-a284e5621bfe">
+	  <p>I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok &lt;1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-2322</cvename>
+      <url>https://www.oracle.com/security-alerts/oracle-open-source-cves-outside-other-oracle-public-documents.html</url>
+      <url>https://www.oracle.com/security-alerts/oracle-open-source-cves-outside-other-oracle-public-documents.html</url>
+      <url>https://github.com/oracle/opengrok/pull/3528</url>
+    </references>
+    <dates>
+      <discovery>2021-04-07</discovery>
+      <entry>2021-12-21</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="0a50bb48-625f-11ec-a1fb-080027cb2f6f">
     <topic>mediawiki -- multiple vulnerabilities</topic>
     <affects>