svn commit: r524814 - head/security/vuxml
Ben Woods
woodsb02 at FreeBSD.org
Sun Feb 2 07:15:44 UTC 2020
Author: woodsb02
Date: Sun Feb 2 07:15:43 2020
New Revision: 524814
URL: https://svnweb.freebsd.org/changeset/ports/524814
Log:
vuxml: Add entry for libssh CVE-2019-14889
Security: CVE-2019-14889
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Feb 2 06:41:59 2020 (r524813)
+++ head/security/vuxml/vuln.xml Sun Feb 2 07:15:43 2020 (r524814)
@@ -58,6 +58,43 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1e7fa41b-f6ca-4fe8-bd46-0e176b42b14f">
+ <topic>libssh -- Unsanitized location in scp could lead to unwanted command execution</topic>
+ <affects>
+ <package>
+ <name>libssh</name>
+ <range><ge>0.4.0</ge><lt>0.8.8</lt></range>
+ <range><ge>0.9.0</ge><lt>0.9.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The libssh team reports:</p>
+ <blockquote cite="https://www.libssh.org/security/advisories/CVE-2019-14889.txt">
+ <p>In an environment where a user is only allowed to copy files and
+ not to execute applications, it would be possible to pass a location
+ which contains commands to be executed in additon.</p>
+ <p>When the libssh SCP client connects to a server, the scp
+ command, which includes a user-provided path, is executed
+ on the server-side. In case the library is used in a way
+ where users can influence the third parameter of
+ ssh_scp_new(), it would become possible for an attacker to
+ inject arbitrary commands, leading to a compromise of the
+ remote target.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.libssh.org/security/advisories/CVE-2019-14889.txt</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2019-14889</url>
+ <cvename>CVE-2019-14889</cvename>
+ </references>
+ <dates>
+ <discovery>2019-11-14</discovery>
+ <entry>2020-02-02</entry>
+ </dates>
+ </vuln>
+
<vuln vid="c86bfee3-4441-11ea-8be3-54e1ad3d6335">
<topic>spamassassin -- Nefarious rule configuration files can run system commands</topic>
<affects>
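Review bot: The <affects> block of the new libssh entry names only the package libssh, while the file's own note just above the hunk says "Do not forget port variants". Please confirm that no other port or flavor packages the affected libssh versions, and add a <name> for each one that does. In the first quoted paragraph, "additon" should read "addition", unless the misspelling is kept deliberately to match the cited advisory text. In <references>, the nvd.nist.gov <url> points at the same CVE that <cvename>CVE-2019-14889</cvename> already names, so it could be dropped.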