svn commit: r452336 - head/security/vuxml

Ben Woods woodsb02 at FreeBSD.org
Wed Oct 18 14:22:00 UTC 2017 

Author: woodsb02
Date: Wed Oct 18 14:21:58 2017
New Revision: 452336
URL: https://svnweb.freebsd.org/changeset/ports/452336

Log:
  Fix formatting (line length) in recent krb5 vulnerability entry

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Oct 18 14:17:39 2017	(r452335)
+++ head/security/vuxml/vuln.xml	Wed Oct 18 14:21:58 2017	(r452336)
@@ -72,12 +72,23 @@ Notes:
 	<p>MIT reports:</p>
 	<blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8599">
 	  <p>CVE-2017-11368:</p>
-	  <p>In MIT krb5 1.7 and later, an authenticated attacker can cause an assertion failure in krb5kdc by sending an invalid S4U2Self or S4U2Proxy request.</p>
+	  <p>In MIT krb5 1.7 and later, an authenticated attacker can cause an
+	     assertion failure in krb5kdc by sending an invalid S4U2Self or
+	     S4U2Proxy request.</p>
 	</blockquote>
 	<blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598">
 	  <p>CVE-2017-11462:</p>
-	  <p>RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error.  This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers.  For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them.</p>
-	  <p>All versions of MIT krb5 prior to this change may delete acceptor contexts on error.  Versions 1.13.4 through 1.13.7, 1.14.1 through 1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on error.</p>
+	  <p>RFC 2744 permits a GSS-API implementation to delete an existing
+	     security context on a second or subsequent call to gss_init_sec_context()
+	     or gss_accept_sec_context() if the call results in an error.
+	     This API behavior has been found to be dangerous, leading to the
+	     possibility of memory errors in some callers.  For safety, GSS-API
+	     implementations should instead preserve existing security contexts
+	     on error until the caller deletes them.</p>
+	  <p>All versions of MIT krb5 prior to this change may delete acceptor
+	     contexts on error.  Versions 1.13.4 through 1.13.7, 1.14.1 through
+	     1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
+	     on error.</p>
 	</blockquote>
       </body>
     </description>

More information about the svn-ports-all mailing list