svn commit: r477823 - head/security/vuxml
Dan Langille
dan at langille.org
Thu Aug 23 01:02:26 UTC 2018
> On Aug 22, 2018, at 6:05 PM, Matthew Seaman <matthew at FreeBSD.org> wrote:
>
> On 22/08/2018 22:24, Dan Langille wrote:
>>> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew at FreeBSD.org> wrote:
>>>
>>> Author: matthew
>>> Date: Wed Aug 22 20:32:50 2018
>>> New Revision: 477823
>>> URL: https://svnweb.freebsd.org/changeset/ports/477823
>>>
>>> Log:
>>> Document the latest phpMyAdmin security advisory PMASA-2018-5
>>>
>>> Modified:
>>> head/security/vuxml/vuln.xml
>>>
>>> Modified: head/security/vuxml/vuln.xml
>>> ==============================================================================
>>> --- head/security/vuxml/vuln.xml Wed Aug 22 20:32:03 2018 (r477822)
>>> +++ head/security/vuxml/vuln.xml Wed Aug 22 20:32:50 2018 (r477823)
>>> @@ -58,6 +58,37 @@ Notes:
>>> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
>>> -->
>>> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>>> + <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
>>> + <topic>phpmyadmin -- XSS in the import dialog</topic>
>>> + <affects>
>>> + <package>
>>> + <name>phpmyadmin</name>
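Review bot: `<name>phpmyadmin</name>` will not match any installed package: VuXML names are compared against the exact PKGNAME, and databases/phpmyadmin produces `phpMyAdmin` (and, since PKGNAMESUFFIX= ${PHP_PKGNAMESUFFIX} was added in r466558, `phpMyAdmin-php56` and the other PHP flavours), so `pkg audit` would never flag a vulnerable install against this entry. List each PKGNAME as its own `<name>` element inside the `<package>` block. The quoted hunk is cut off before any `<range>`, so the version bounds cannot be checked here.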
>>
>> I am not sure this will correctly flag the affected packages.
>>
>> 1 - the package name is more like phpMyAdmin-PHP VERSION
>>
>> It was once just phpMyAdmin which was easy for a vuxml entry.
>>
>> Recently, it changed to include PKGNAMESUFFIX= ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
>>
>> https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
>>
>> My idea for fixing: add name entries for:
>>
>> * phpMyAdmin
>> * phpMyAdmin-php56
>> * phpMyAdmin-php(all the other versions)
>>
>> Does this make sense?
>>
>> reference data below:
>>
>> freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
>> package_name | element_pathname
>> ------------------+---------------------------------------------
>> phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
>> phpMyAdmin | /ports/branches/2016Q4/databases/phpmyadmin
>> phpMyAdmin | /ports/branches/2017Q1/databases/phpmyadmin
>> phpMyAdmin | /ports/branches/2018Q1/databases/phpmyadmin
>> phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
>> (5 rows)
>
> I've updated the vuxml to list all of the PKGNAMES in the currently
> active branches in ports SVN. Anyone running a sufficiently old copy
> of phpMyAdmin that it doesn't have a flavour suffix would already be
> getting security flags from the previous crop of PMA vulns.
FYI the only reason I noticed it was the box of Latest Vulnerabilities at https://www.freshports.org/
It led me to think an online tool for checking name and range might be useful.
--
Dan Langille - BSDCan / PGCon
dan at langille.org
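A minimal name-and-range checker of the kind Dan floats above, added here as an illustration; it is not FreshPorts, pkg(8) or ports code. The VuXML snippet inside it is constructed: the vids, the flavour names beyond php56 and the `<lt>` bound are placeholders, not the real PMASA-2018-5 entry (whose range is not visible in the quoted hunk). Version ordering is a simplified approximation of pkg's rules (PORTEPOCH `,N`, then dotted numeric components, then PORTREVISION `_N`), not the real comparator. What it demonstrates is the point of the thread: matching on `<name>` is an exact, case-sensitive comparison against PKGNAME, so the lowercase `phpmyadmin` entry never fires for `phpMyAdmin-php56-4.8.2`, while an entry listing every PKGNAME does.

```python
"""Would pkg audit flag this package against this VuXML entry?

Added example, not FreshPorts, pkg(8) or ports code.  SAMPLE_VUXML is a
constructed fixture: placeholder vids, placeholder flavour names and a
made-up version bound.  parse_version() only approximates pkg's ordering.
"""
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample: entry ...0001 uses the lowercase name from the
# original commit, entry ...0002 lists the flavoured PKGNAMEs instead.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>phpmyadmin -- XSS in the import dialog (name as committed)</topic>
    <affects>
      <package>
        <name>phpmyadmin</name>
        <range><lt>4.8.3</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>phpmyadmin -- XSS in the import dialog (all PKGNAMEs)</topic>
    <affects>
      <package>
        <name>phpMyAdmin</name>
        <name>phpMyAdmin-php56</name>
        <name>phpMyAdmin-php72</name>
        <range><lt>4.8.3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def _component(part):
    # Numeric components sort before (and among themselves as ints);
    # anything else falls back to string order.  Simplification of pkg's rules.
    return (0, int(part)) if part.isdigit() else (1, part)


def parse_version(version):
    """Split 'VERSION[_REVISION][,EPOCH]' into an orderable tuple.

    Epoch wins over everything, then the dotted components, then revision.
    """
    epoch = 0
    if "," in version:
        version, epoch_s = version.rsplit(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in version:
        version, rev_s = version.rsplit("_", 1)
        revision = int(rev_s)
    components = tuple(_component(p) for p in version.split("."))
    return (epoch, components, revision)


def split_pkgname(pkg):
    """'phpMyAdmin-php56-4.8.2' -> ('phpMyAdmin-php56', '4.8.2').

    The version is everything after the last '-', which is why a flavour
    suffix such as -php56 is part of the name pkg audit matches on.
    """
    name, _, version = pkg.rpartition("-")
    return name, version


_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    """True if version satisfies every bound (<lt>, <ge>, ...) in a <range>."""
    v = parse_version(version)
    for bound in range_el:
        op = bound.tag.replace(VUXML_NS, "")
        if not _OPS[op](v, parse_version(bound.text.strip())):
            return False
    return True


def matching_vids(vuxml_text, pkg):
    """Return the vids whose <package> names and ranges cover pkg."""
    name, version = split_pkgname(pkg)
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        for package in vuln.iter(VUXML_NS + "package"):
            names = [n.text.strip() for n in package.findall(VUXML_NS + "name")]
            if name not in names:  # exact, case-sensitive, like pkg audit
                continue
            if any(in_range(version, r) for r in package.findall(VUXML_NS + "range")):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    for pkg in ("phpMyAdmin-php56-4.8.2", "phpMyAdmin-4.8.2",
                "phpmyadmin-4.8.2", "phpMyAdmin-php56-4.8.3"):
        print(pkg, "->", matching_vids(SAMPLE_VUXML, pkg) or "not flagged")
```

Running it shows `phpMyAdmin-php56-4.8.2` and `phpMyAdmin-4.8.2` hit only the second entry, the committed lowercase name matches nothing a real ports build installs, and `4.8.3` falls outside the constructed `<lt>` bound. Dropping a real vuln.xml in place of the fixture and the installed PKGNAME from `pkg info` in place of the sample names is all the online checker Dan mentions would need, apart from a faithful port of pkg's version comparison.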