svn commit: r512164 - head/security/vuxml

Tobias Kortkamp tobik at freebsd.org
Mon Sep 16 11:29:44 UTC 2019


On Mon, Sep 16, 2019 at 11:19:51AM +0000, Kurt Jaeger wrote:
> Author: pi
> Date: Mon Sep 16 11:19:51 2019
> New Revision: 512164
> URL: https://svnweb.freebsd.org/changeset/ports/512164
> 
> Log:
>   security/vuxml: document expat2 pre-2.2.7 vulnerability
>   
>   PR:		238864
>   Submitted by:	Sergei Vyshenski <svysh.fbsd at gmail.com>
> 
> Modified:
>   head/security/vuxml/vuln.xml
> 
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml	Mon Sep 16 11:18:54 2019	(r512163)
> +++ head/security/vuxml/vuln.xml	Mon Sep 16 11:19:51 2019	(r512164)
> @@ -58,6 +58,36 @@ Notes:
>    * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> +  <vuln vid="c5bd8a25-99a6-11e9-a598-f079596b62f9">
> +    <topic>expat2 -- Fix extraction of namespace prefixes from XML names</topic>
> +    <affects>
> +      <package>
> +	<name>expat2</name>
> +	<range><lt>2.2.7</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>expat project reports:</p>
> +	<blockquote cite="https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes">
> +	  <p>
> +	    XML names with multiple colons could end up in the
> +	    wrong namespace, and take a high amount of RAM and CPU
> +	    resources while processing, opening the door to
> +	    use for denial-of-service attacks
> +	  </p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <url>https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes</url>
> +    </references>
> +    <dates>
> +      <discovery>2019-06-19</discovery>
> +      <entry>2019-06-28</entry>
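
Review bot: `<entry>2019-06-28</entry>` at the end of the hunk predates this commit, whose diff header is stamped Mon Sep 16 2019. The entry date records when the record was added to vuln.xml, so it should read 2019-09-16, with `<discovery>` left at 2019-06-19. The `<topic>` is also worded like a changelog item ("Fix extraction of namespace prefixes from XML names") rather than naming the problem. Wording such as "expat2 -- denial of service via XML names with multiple colons" would match the quoted description. `<references>` carries only the Changes URL. If a CVE identifier has been assigned for this issue, add it as a `<cvename>` so tools that match on CVE can find the entry.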

Wrong date and package name.  The entry has happened only today and
textproc/expat2 has a PKGBASE of just 'expat'.