svn commit: r422582 - head/security/vuxml
Mark Felder
feld at FreeBSD.org
Thu Sep 22 12:57:24 UTC 2016
On Wed, Sep 21, 2016, at 17:00, Bryan Drewery wrote:
> On 9/21/16 1:59 PM, Mark Felder wrote:
> > Author: feld
> > Date: Wed Sep 21 20:59:52 2016
> > New Revision: 422582
> > URL: https://svnweb.freebsd.org/changeset/ports/422582
> >
> > Log:
> > Document irssi vulnerabilities
> >
> > PR: 212888
> > Security: CVE-2016-7044
> > Security: CVE-2016-7045
> >
> > Modified:
> > head/security/vuxml/vuln.xml
> >
> > Modified: head/security/vuxml/vuln.xml
> > ==============================================================================
> > --- head/security/vuxml/vuln.xml Wed Sep 21 20:59:25 2016 (r422581)
> > +++ head/security/vuxml/vuln.xml Wed Sep 21 20:59:52 2016 (r422582)
> > @@ -58,6 +58,34 @@ Notes:
> > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> > -->
> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> > + <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
> > + <topic>irssi -- heap corruption and missing boundary checks</topic>
> > + <affects>
> > + <package>
> > + <name>irssi</name>
> > + <range><lt>0.8.20</lt></range>
> > + </package>
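Review bot: the <range> in the irssi <package> entry carries only an upper bound, <lt>0.8.20</lt>, so every release below 0.8.20 is marked vulnerable. If the upstream advisory names a first affected version, add the matching <ge> element to the same <range> so older installs are not flagged. The context comment above the hunk also says "Do not forget port variants", but only the name irssi is listed; check whether any variant port needs its own <package> entry with its own range.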
>
> Only 0.8.17+ are affected. See
> https://irssi.org/security/irssi_sa_2016.txt "Affected versions". The
> irssi-devel port likely had vulnerable revisions too.
>
Fixed the range. I'm having a hard time figuring out the old irssi-devel
port's relationship with actual releases. Those snapshots aren't
available anymore for inspection :(
--
Mark Felder
ports-secteam member
feld at FreeBSD.org