Date: Tue, 25 Apr 2023 13:25:54 GMT
Message-Id: <202304251325.33PDPshs027345@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Fernando Apesteguía
Subject: git: f06a561fd29c - main - security/vuxml: jellyfin multiple vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f06a561fd29c851169fa8aad89494429c6efb9ba

commit f06a561fd29c851169fa8aad89494429c6efb9ba
Author:     Fernando Apesteguía
AuthorDate: 2023-04-25 12:20:24 +0000
Commit:     Fernando Apesteguía
CommitDate: 2023-04-25 13:20:40 +0000

    security/vuxml: jellyfin multiple vulnerabilities

    CVE-2023-30626 - directory traversal vulnerability
    CVE-2023-30627 - XSS vulnerability

    PR:             271041
    Reported by:    debdrup@
---
 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 0e927db1df71..ada4bd3fd240 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,37 @@ + + jellyfin -- Multiple vulnerabilities + + + jellyfin + 10.8.10 + + + + +

security-advisories@github.com reports:

+
+

Jellyfin is a free-software media system. Versions starting with + 10.8.0 and prior to 10.8.10 and prior have a directory traversal + vulnerability inside the `ClientLogController`, specifically + `/ClientLog/Document`. When combined with a cross-site scripting + vulnerability (CVE-2023-30627), this can result in file write and + arbitrary code execution. Version 10.8.10 has a patch for this + issue. There are no known workarounds.

+
+ +
+ + CVE-2023-30626 + https://nvd.nist.gov/vuln/detail/CVE-2023-30626 + CVE-2023-30627 + https://nvd.nist.gov/vuln/detail/CVE-2023-30627 + + + 2023-04-24 + 2023-04-25 + +
+ phpmyfaq -- multiple vulnerabilities
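
Review bot: The affected range for the jellyfin package carries a single bound, 10.8.10, while the quoted description says the traversal applies to "Versions starting with 10.8.0". If releases before 10.8.0 are meant to be flagged (for example because of CVE-2023-30627), the description should say so; otherwise add a lower bound of 10.8.0 so older installs are not reported as vulnerable. The description also quotes only the CVE-2023-30626 text and mentions the XSS issue in passing, although the references list both CVEs; a second paragraph quoting the CVE-2023-30627 advisory would make the entry match its "Multiple vulnerabilities" topic. The phrase "prior to 10.8.10 and prior" in the quote is duplicated wording and could be trimmed to "prior to 10.8.10".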