ports/138418: [PATCH] security/vuxml: add dns/dnsmasq entries CVE-2009-2957 and CVE-2009-2958

Matthias Andree matthias.andree at gmx.de
Mon Aug 31 19:20:04 UTC 2009


>Number:         138418
>Category:       ports
>Synopsis:       [PATCH] security/vuxml: add dns/dnsmasq entries CVE-2009-2957 and CVE-2009-2958
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 31 19:20:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 7.2-RELEASE-p2 i386
>Organization:
>Environment:
System: FreeBSD rho.emma.line.org 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:57:44 UTC 2009
>Description:
Add entry for dns/dnsmasq CVE-2009-2957 and CVE-2009-2958, TFTP DoS and unprivileged code injection
(this was handled as one update by the upstream so it should be safe to merge them).

Port maintainer (secteam at FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:

--- vuxml-1.1_1.patch begins here ---
Index: vuln.xml
===================================================================
RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v
retrieving revision 1.2015
diff -u -u -r1.2015 vuln.xml
--- vuln.xml	25 Aug 2009 08:20:28 -0000	1.2015
+++ vuln.xml	31 Aug 2009 19:10:41 -0000
@@ -34,6 +34,44 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="325475da-9660-11de-96f7-080027a5e77e">
+    <topic>dnsmasq -- TFTP server remote code injection vulnerability</topic>
+    <affects>
+      <package>
+	<name>dnsmasq</name>
+	<range><lt>2.50</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Simon Kelley reports:</p>
+	<blockquote cite="http://www.thekelleys.org.uk/dnsmasq/CHANGELOG">
+	  <p>
+            Fix security problem which allowed any host permitted to
+            do TFTP to possibly compromise dnsmasq by remote buffer
+            overflow when TFTP enabled. Thanks to Core Security
+            Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
+            Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
+            Pablo Annetta. This problem has Bugtraq id: 36121
+            and CVE: 2009-2957</p>
+	  <p>
+	    Fix a problem which allowed a malicious TFTP client to
+            crash dnsmasq. Thanks to Steve Grubb at Red Hat for
+            spotting this. This problem has Bugtraq id: 36120 and
+            CVE: 2009-2958</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>2009-2957</cvename>
+      <cvename>2009-2958</cvename>
+    </references>
+    <dates>
+      <discovery>2009-08-23</discovery>
+      <entry>2009-08-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e15f2356-9139-11de-8f42-001aa0166822">
     <topic>apache22 -- several vulnerability</topic>
     <affects>
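Review bot: In the references block, the two cvename values are written as 2009-2957 and 2009-2958, without the CVE- prefix that the PR synopsis uses for the same identifiers; write them as `<cvename>CVE-2009-2957</cvename>` and `<cvename>CVE-2009-2958</cvename>` so the entry carries the full names. The quoted changelog also gives Bugtraq ids 36121 and 36120, which have no corresponding entries under references. The topic names only the remote code injection although the entry also covers the TFTP crash (CVE-2009-2958), so consider a topic that mentions both. The text lines inside the blockquote are indented with spaces while the surrounding elements use tabs; make the indentation consistent.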
--- vuxml-1.1_1.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


