svn commit: r545523 - head/security/vuxml
Niclas Zeising
zeising at FreeBSD.org
Thu Aug 20 10:39:16 UTC 2020
Author: zeising
Date: Thu Aug 20 10:39:15 2020
New Revision: 545523
URL: https://svnweb.freebsd.org/changeset/ports/545523
Log:
vuxml: Document dns/adns security issues
Document several securiy issues in dns/adns.
While here, fix whitespace in adjacent entries, as reported by make
validate.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Aug 20 10:32:50 2020 (r545522)
+++ head/security/vuxml/vuln.xml Thu Aug 20 10:39:15 2020 (r545523)
@@ -58,24 +58,67 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="08de38d2-e2d0-11ea-9538-0c9d925bbbc0">
+ <topic>adns -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>adns</name>
+ <range><lt>1.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ian Jackson and the adns project reports:</p>
+ <blockquote cite="https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html">
+ <p>Vulnerable applications: all adns callers.
+ Exploitable by: the local recursive resolver.
+ Likely worst case: Remote code execution.</p>
+ <p>Vulnerable applications: those that make SOA queries.
+ Exploitable by: upstream DNS data sources.
+ Likely worst case: DoS (crash of the adns-using application)</p>
+ <p>Vulnerable applications: those that use adns_qf_quoteok_query.
+ Exploitable by: sources of query domain names.
+ Likely worst case: DoS (crash of the adns-using application)</p>
+ <p>Vulnerable applications: adnshost.
+ Exploitable by: code responsible for framing the input.
+ Likely worst case: DoS (adnshost crashes at EOF).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html</url>
+ <cvename>CVE-2017-9103</cvename>
+ <cvename>CVE-2017-9104</cvename>
+ <cvename>CVE-2017-9105</cvename>
+ <cvename>CVE-2017-9106</cvename>
+ <cvename>CVE-2017-9107</cvename>
+ <cvename>CVE-2017-9108</cvename>
+ <cvename>CVE-2017-9109</cvename>
+ </references>
+ <dates>
+ <discovery>2017-05-21</discovery>
+ <entry>2020-08-20</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f60561e7-e23e-11ea-be64-507b9d01076a">
<topic>Icinga Web 2 -- directory traversal vulnerability</topic>
<affects>
<package>
- <name>icingaweb2</name>
- <range><le>2.8.1</le></range>
+ <name>icingaweb2</name>
+ <range><le>2.8.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Icinga development team reports:</p>
- <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368">
- <p>CVE-2020-24368</p>
+ <p>Icinga development team reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368">
+ <p>CVE-2020-24368</p>
<p>
- Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a
- Directory Traversal vulnerability which allows an attacker to access
- arbitrary files that are readable by the process running Icinga Web
- 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
+ Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a
+ Directory Traversal vulnerability which allows an attacker to access
+ arbitrary files that are readable by the process running Icinga Web
+ 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
</p>
</blockquote>
</body>
More information about the svn-ports-head
mailing list