svn commit: r491255 - head/security/vuxml
Kubilay Kocak
koobs at FreeBSD.org
Sat Jan 26 09:49:40 UTC 2019
Author: koobs
Date: Sat Jan 26 09:49:38 2019
New Revision: 491255
URL: https://svnweb.freebsd.org/changeset/ports/491255
Log:
security/vuxml: Add libzmq4 -- Remote Code Execution Vulnerability
PR: 230575
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Jan 26 09:22:53 2019 (r491254)
+++ head/security/vuxml/vuln.xml Sat Jan 26 09:49:38 2019 (r491255)
@@ -58,6 +58,42 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8e48365a-214d-11e9-9f8a-0050562a4d7b">
+ <topic>libzmq4 -- Remote Code Execution Vulnerability</topic>
+ <affects>
+ <package>
+ <name>libzmq4</name>
+ <range><ge>4.2.0</ge><lt>4.3.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.1">
+ <p>A vulnerability has been found that would allow attackers to direct a peer to
+ jump to and execute from an address indicated by the attacker.
+ This issue has been present since v4.2.0. Older releases are not affected.
+
+ NOTE: The attacker needs to know in advance valid addresses in the peer's
+ memory to jump to, so measures like ASLR are effective mitigations.
+
+ NOTE: this attack can only take place after authentication, so peers behind
+ CURVE/GSSAPI are not vulnerable to unauthenticated attackers.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2019-6250</cvename>
+ <url>https://github.com/zeromq/libzmq/issues/3351</url>
+ <url>https://github.com/zeromq/libzmq/pull/3353</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2019-6250</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250</url>
+ </references>
+ <dates>
+ <discovery>2019-01-08</discovery>
+ <entry>2019-01-26</entry>
+ </dates>
+ </vuln>
+
<vuln vid="eb888ce5-1f19-11e9-be05-4c72b94353b5">
<topic>Apache -- vulnerability</topic>
<affects>
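Review bot: In the new entry's <blockquote>, the advisory sentence and both "NOTE:" paragraphs share a single <p>, so the blank "+" lines between them collapse when the XHTML body is rendered and the two mitigation notes (ASLR, post-authentication only) run into the main description. Splitting the text into three <p> elements, one for the description and one per NOTE, would keep them distinct. Under <references>, the nvd.nist.gov and cve.mitre.org URLs both point at the same CVE-2019-6250 record that <cvename> already names, so they could be dropped, leaving the upstream issue and pull request links. The <range> of <ge>4.2.0</ge><lt>4.3.1</lt> agrees with the quoted "present since v4.2.0" and the cited v4.3.1 release tag.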