svn commit: r512164 - head/security/vuxml
Tobias Kortkamp
tobik at freebsd.org
Mon Sep 16 11:29:44 UTC 2019
On Mon, Sep 16, 2019 at 11:19:51AM +0000, Kurt Jaeger wrote:
> Author: pi
> Date: Mon Sep 16 11:19:51 2019
> New Revision: 512164
> URL: https://svnweb.freebsd.org/changeset/ports/512164
>
> Log:
> security/vuxml: document expat2 pre-2.2.7 vulnerability
>
> PR: 238864
> Submitted by: Sergei Vyshenski <svysh.fbsd at gmail.com>
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml Mon Sep 16 11:18:54 2019 (r512163)
> +++ head/security/vuxml/vuln.xml Mon Sep 16 11:19:51 2019 (r512164)
> @@ -58,6 +58,36 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="c5bd8a25-99a6-11e9-a598-f079596b62f9">
> + <topic>expat2 -- Fix extraction of namespace prefixes from XML names</topic>
> + <affects>
> + <package>
> + <name>expat2</name>
> + <range><lt>2.2.7</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>expat project reports:</p>
> + <blockquote cite="https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes">
> + <p>
> + XML names with multiple colons could end up in the
> + wrong namespace, and take a high amount of RAM and CPU
> + resources while processing, opening the door to
> + use for denial-of-service attacks
> + </p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <url>https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes</url>
> + </references>
> + <dates>
> + <discovery>2019-06-19</discovery>
> + <entry>2019-06-28</entry>
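Review bot: The <entry> value in the <dates> block reads 2019-06-28, but this revision was committed on Mon Sep 16 2019. <entry> should carry the date the record was added to vuln.xml, so set it to 2019-09-16 and leave <discovery> at 2019-06-19. In <affects>, <name>expat2</name> has to be the name the package is installed under, not the port directory. If that name is expat, the <lt>2.2.7</lt> range will never match an installed package and the entry will not flag anything. The <topic> also describes the fix instead of the flaw; wording it after the quoted impact (names with multiple colons, high RAM and CPU use, denial of service) would read better in audit output.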
Wrong date and package name. The entry has happened only today and
textproc/expat2 has a PKGBASE of just 'expat'.
More information about the svn-ports-all
mailing list