FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  368515
Date:      2014-09-18
Time:      19:53:09Z
Committer: madpilot

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
1c8a039b-7b23-11e2-b17b-20cf30e32f6dbugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

Cross-Site Scripting

When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS.

Information Leak

When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue.


Discovery 2013-02-19
Entry 2013-02-20
Modified 2013-03-31
bugzilla
de-bugzilla
ru-bugzilla
ja-bugzilla
ge 3.6.0 lt 3.6.13

ge 4.0.0 lt 4.0.10

ge 4.2.0 lt 4.2.5

CVE-2013-0785
https://bugzilla.mozilla.org/show_bug.cgi?id=842038
CVE-2013-0786
https://bugzilla.mozilla.org/show_bug.cgi?id=824399
6ad18fe5-f469-11e1-920d-20cf30e32f6dbugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

The following security issues have been discovered in Bugzilla:

LDAP Injection

When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection.

Directory Browsing

Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data. Directory browsing is blocked in Bugzilla 4.3.3 only, because it requires a configuration change in the Apache httpd.conf file to allow local .htaccess files to use Options -Indexes. To not break existing installations, this fix has not been backported to stable branches. The access to templates is blocked for all supported branches except the old 3.6 branch, because this branch doesn't have .htaccess in the bzr repository and cannot be fixed easily for existing installations without potentially conflicting with custom changes.


Discovery 2012-08-30
Entry 2012-09-01
bugzilla
ge 3.6.0 lt 3.6.11

ge 4.0.0 lt 4.0.8

ge 4.2.0 lt 4.2.3

CVE-2012-3981
https://bugzilla.mozilla.org/show_bug.cgi?id=785470
https://bugzilla.mozilla.org/show_bug.cgi?id=785522
https://bugzilla.mozilla.org/show_bug.cgi?id=785511
2b841f88-2e8d-11e2-ad21-20cf30e32f6dbugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

The following security issues have been discovered in Bugzilla:

Information Leak

If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field despite they should remain confidential.

Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not).

Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message.

Cross-Site Scripting

Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.

A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.


Discovery 2012-11-13
Entry 2012-11-14
Modified 2012-11-27
bugzilla
ge 3.6.0 lt 3.6.12

ge 4.0.0 lt 4.0.9

ge 4.2.0 lt 4.2.4

CVE-2012-4199
https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE-2012-4198
https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE-2012-4197
https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE-2012-4189
https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE-2012-5881
CVE-2012-5882
CVE-2012-5883
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
http://yuilibrary.com/support/20121030-vulnerability/