svn commit: r527243 - head/security/vuxml

Dima Panov fluffy at FreeBSD.org
Thu Feb 27 10:23:35 UTC 2020


Author: fluffy
Date: Thu Feb 27 10:23:32 2020
New Revision: 527243
URL: https://svnweb.freebsd.org/changeset/ports/527243

Log:
  security/vuxml: fix vuxml entries for OpenSMTPd, remove duplicates with wrong version and missed description
  
  Approved by:	ports-secteam (miwi)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Feb 27 09:31:48 2020	(r527242)
+++ head/security/vuxml/vuln.xml	Thu Feb 27 10:23:32 2020	(r527243)
@@ -59,7 +59,7 @@ Notes:
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="f0683976-5779-11ea-8a77-1c872ccb1e42">
-    <topic>LPE and RCE in OpenSMTPD's default install</topic>
+    <topic>OpenSMTPd -- LPE and RCE in OpenSMTPD's default install</topic>
     <affects>
       <package>
 	<name>opensmtpd</name>
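Review bot: The new topic line spells the product two ways, "OpenSMTPd" in the prefix and "OpenSMTPD" in the rest of the sentence. Pick one casing (the description below writes "OpenSMTPD developers") so that searches on the topic text match consistently.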
@@ -68,12 +68,16 @@ Notes:
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>OpenSMTPD developersreports:</p>
+	<p>OpenSMTPD developers reports:</p>
 	<blockquote cite="https://opensmtpd.org/security.html">
 	  <p>An out of bounds read in smtpd allows an attacker to inject arbitrary
 	    commands into the envelope file which are then executed as root.
 	    Separately, missing privilege revocation in smtpctl allows arbitrary
 	    commands to be run with the _smtpq group.</p>
+	  <p>An unprivileged local attacker can read the first line of an arbitrary
+	    file (for example, root's password hash in /etc/master.passwd) or the
+	    entire contents of another user's file (if this file and
+	    /var/spool/smtpd/ are on the same filesystem).</p>
 	</blockquote>
       </body>
     </description>
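Review bot: The paragraph added inside the blockquote is attributed by cite="https://opensmtpd.org/security.html" to the OpenSMTPD developers, but the same wording appears in the entry removed further down as a Qualys quote cited to https://www.openwall.com/lists/oss-security/2020/02/24/4. Give it its own blockquote with that cite and a "Qualys reports:" lead-in so the attribution stays accurate. The corrected lead-in also still reads "developers reports:"; it should be "developers report:".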
@@ -86,62 +90,7 @@ Notes:
     <dates>
       <discovery>2020-02-22</discovery>
       <entry>2020-02-24</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="40c75597-574a-11ea-bff8-c85b76ce9b5a">
-    <topic>OpenSMTPd -- LPE and RCE in OpenSMTPD's default install</topic>
-    <affects>
-      <package>
-	<name>opensmtpd</name>
-	<range><lt>6.6.5,1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>Qualys reports:</p>
-	<blockquote cite="https://www.openwall.com/lists/oss-security/2020/02/24/5">
-	  <p>.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.openwall.com/lists/oss-security/2020/02/24/5</url>
-      <cvename>CVE-2020-8794</cvename>
-    </references>
-    <dates>
-      <discovery>2020-02-24</discovery>
-      <entry>2020-02-24</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="76f1ce19-5749-11ea-bff8-c85b76ce9b5a">
-    <topic>OpenSMTPd -- Local information disclosure</topic>
-    <affects>
-      <package>
-	<name>opensmtpd</name>
-	<range><lt>6.6.4,1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>Qualys reports:</p>
-	<blockquote cite="https://www.openwall.com/lists/oss-security/2020/02/24/4">
-	  <p>We discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server:
-an unprivileged local attacker can read the first line of an arbitrary
-file (for example, root's password hash in /etc/master.passwd) or the
-entire contents of another user's file (if this file and
-/var/spool/smtpd/ are on the same filesystem).</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.openwall.com/lists/oss-security/2020/02/24/4</url>
-      <cvename>CVE-2020-8793</cvename>
-    </references>
-    <dates>
-      <discovery>2020-02-24</discovery>
-      <entry>2020-02-24</entry>
+      <modified>2020-02-27</modified>
     </dates>
   </vuln>
 
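Review bot: Deleting entries 40c75597-574a-11ea-bff8-c85b76ce9b5a and 76f1ce19-5749-11ea-bff8-c85b76ce9b5a also deletes their references (CVE-2020-8794, CVE-2020-8793 and the two oss-security URLs) and the separate <lt>6.6.4,1</lt> range, and none of the visible hunks adds them to f0683976-5779-11ea-8a77-1c872ccb1e42. Confirm that the surviving entry's references and range cover both CVEs, otherwise lookups by CVE name will stop matching. The surviving entry also keeps <discovery>2020-02-22</discovery> while both removed entries had 2020-02-24, so check which date is intended.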

