FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  374986
Date:      2014-12-20
Time:      00:21:30Z
Committer: delphij


These are the vulnerabilities relating to the commit you have selected:

VuXML ID                                  Description
e135f0c9-375f-11e3-80b7-20cf30e32f6d      bugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports:

Cross-Site Request Forgery

When a user submits changes to a bug right after another user did, a midair collision page is displayed to inform the user about changes recently made. This page contains a token which can be used to validate the changes if the user decides to submit his changes anyway. A regression in Bugzilla 4.4 caused this token to be recreated if a crafted URL was given, even when no midair collision page was going to be displayed, allowing an attacker to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Request Forgery

When an attachment is edited, a token is generated to validate changes made by the user. Using a crafted URL, an attacker could force the token to be recreated, allowing him to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Scripting

Some parameters passed to editflagtypes.cgi were not correctly filtered in the HTML page, which could lead to XSS.

Cross-Site Scripting

Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports could lead to XSS.

Discovery  2013-10-16
Entry      2013-10-17
Modified   2014-04-30

Affected packages:
  bugzilla    ge 4.0.0 lt 4.0.11
  bugzilla40  ge 4.0.0 lt 4.0.11
  bugzilla42  ge 4.2.0 lt 4.2.7
  bugzilla44  ge 4.4 lt 4.4.1

References:
  CVE-2013-1733
  https://bugzilla.mozilla.org/show_bug.cgi?id=911593
  CVE-2013-1734
  https://bugzilla.mozilla.org/show_bug.cgi?id=913904
  CVE-2013-1742
  https://bugzilla.mozilla.org/show_bug.cgi?id=924802
  CVE-2013-1743
  https://bugzilla.mozilla.org/show_bug.cgi?id=924932
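The affected-package lines above use VuXML's "ge X lt Y" notation: a version is affected when it is greater than or equal to the lower bound and strictly less than the upper bound. The following is an added example (not FreshPorts, VuXML or pkg(8) code) of evaluating those bounds against an installed version. It assumes plain dotted numeric versions padded with zeros, so "4.4" compares equal to "4.4.0"; FreeBSD's real package version comparison also handles port revisions (_N), epochs (,N) and letter suffixes, which are deliberately not modelled here. The AFFECTED table is constructed from the entry above.

```python
import re

# Match one VuXML-style range such as "ge 4.0.0 lt 4.0.11", "ge 2.0.0" or "lt 4.4.3".
RANGE_RE = re.compile(r"^(?:ge\s+(?P<ge>\S+))?\s*(?:lt\s+(?P<lt>\S+))?$")


def version_key(version):
    """Simplified comparison key: dotted integers, right-padded with zeros.

    Assumption: purely numeric dotted versions. pkg(8)'s algorithm (port
    revisions, epochs, letters) is richer and is not reproduced here.
    """
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_range(spec):
    """Return (lower_or_None, upper_or_None) for a 'ge X lt Y' spec."""
    m = RANGE_RE.match(spec.strip())
    if not m or (m.group("ge") is None and m.group("lt") is None):
        raise ValueError(f"unrecognised range: {spec!r}")
    return m.group("ge"), m.group("lt")


def is_affected(installed, spec):
    """True when installed lies in [ge, lt): inclusive lower, exclusive upper."""
    lo, hi = parse_range(spec)
    key = version_key(installed)
    if lo is not None and key < version_key(lo):
        return False
    if hi is not None and key >= version_key(hi):
        return False
    return True


# Constructed from the first entry on this page: port name -> affected range.
AFFECTED = {
    "bugzilla":   "ge 4.0.0 lt 4.0.11",
    "bugzilla40": "ge 4.0.0 lt 4.0.11",
    "bugzilla42": "ge 4.2.0 lt 4.2.7",
    "bugzilla44": "ge 4.4 lt 4.4.1",
}


def audit(port, installed, table=AFFECTED):
    """True when the installed version of `port` falls inside its listed range."""
    spec = table.get(port)
    return spec is not None and is_affected(installed, spec)


if __name__ == "__main__":
    for port, ver in [("bugzilla44", "4.4"), ("bugzilla44", "4.4.1"), ("bugzilla42", "4.2.6")]:
        print(port, ver, "VULNERABLE" if audit(port, ver) else "not in range")
```

Note the exclusive upper bound: "lt 4.4.1" means 4.4.1 itself is the fixed version, while "ge 4.4" catches 4.4.0 because of the zero padding.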
608ed765-c700-11e3-848c-20cf30e32f6d      bugzilla -- Cross-Site Request Forgery

A Bugzilla Security Advisory reports:

The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. If the victim then reports a new security sensitive bug, the attacker would get immediate access to this bug.

Due to changes involved in the Bugzilla API, this fix is not backported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12 and older, and 4.2.8 and older, will remain vulnerable to this issue.

Discovery  2014-04-17
Entry      2014-04-18
Modified   2014-04-18

Affected packages:
  bugzilla40  ge 2.0.0 lt 4.4.3
  bugzilla42  ge 2.0.0 lt 4.4.3
  bugzilla44  ge 2.0.0 lt 4.4.3

References:
  CVE-2014-1517
  https://bugzilla.mozilla.org/show_bug.cgi?id=713926
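Both the login-CSRF entry above and the midair/attachment token entries in the first advisory come down to one rule: an anti-CSRF token is only worth anything if the server mints it for the requesting session and later compares the submitted value against that stored copy; a token the server will recreate on demand from request parameters, or a form with no token at all, gives an attacker's page the same standing as the real one. The following is an added example, not Bugzilla's code, modelling a login form with and without that check. The USERS store and the session dictionaries are constructed for the example; the attacker's credentials, the victim session and the cross-site form are all hypothetical.

```python
import hmac
import secrets

# Constructed credential store for the example (hypothetical users).
USERS = {"alice": "correct horse", "attacker": "hunter2"}


def issue_csrf_token(session):
    """Mint a random token and bind it to this (still anonymous) session.

    The real login page renders this token into the form; a cross-site
    page cannot read it, so it cannot include it in a forged submission.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def login_vulnerable(session, form):
    """Login with no CSRF protection: any site can POST the attacker's
    credentials and the victim's browser ends up logged in as the attacker."""
    if USERS.get(form.get("login")) == form.get("password"):
        session["user"] = form["login"]
        return True
    return False


def login_hardened(session, form):
    """Login that refuses unless the form carries the token the server issued
    to this very session. The token is rotated after use."""
    if not csrf_token_valid(session, form.get("token")):
        return False
    if USERS.get(form.get("login")) == form.get("password"):
        session["user"] = form["login"]
        session.pop("csrf_token", None)
        return True
    return False


def forged_login_attempt(login_handler):
    """Simulate the attack from the advisory: the victim's browser, holding a
    session that was issued a token it never handed to the attacker, submits
    the attacker's credentials from a cross-site form. Returns who ended up
    logged in, or None."""
    victim_session = {}
    issue_csrf_token(victim_session)
    cross_site_form = {"login": "attacker", "password": "hunter2"}  # no token
    login_handler(victim_session, cross_site_form)
    return victim_session.get("user")


def legitimate_login():
    """The genuine flow: token rendered into the real form and echoed back."""
    session = {}
    token = issue_csrf_token(session)
    form = {"login": "alice", "password": "correct horse", "token": token}
    ok = login_hardened(session, form)
    # A replay of the same form after login must fail: the token was rotated.
    replay_ok = login_hardened(session, form)
    return ok, session.get("user"), replay_ok


if __name__ == "__main__":
    print("vulnerable login, forged form ->", forged_login_attempt(login_vulnerable))
    print("hardened login, forged form   ->", forged_login_attempt(login_hardened))
    print("hardened login, genuine form  ->", legitimate_login())
```

The same binding applies to the tokens guarding midair-collision and attachment edits: they must be issued by the server when it renders the confirmation page and checked against the session, never regenerated because a request parameter asked for one.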
60bfa396-c702-11e3-848c-20cf30e32f6d      bugzilla -- Social Engineering

A Bugzilla Security Advisory reports:

Dangerous control characters can be inserted into Bugzilla, notably into bug comments. If the text, which may look safe, is copied into a terminal such as xterm or gnome-terminal, then unexpected commands could be executed on the local machine.

Discovery  2014-04-17
Entry      2014-04-18
Modified   2014-04-18

Affected packages:
  bugzilla40  ge 2.0.0 lt 4.0.12
  bugzilla42  ge 4.1.1 lt 4.2.8
  bugzilla44  ge 4.4.0 lt 4.4.3

References:
  https://bugzilla.mozilla.org/show_bug.cgi?id=968576
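The control characters described above are invisible when the browser renders the comment but are delivered verbatim when the text is pasted into a terminal, where for instance a carriage return or newline submits the line before the user can review it. The following is an added example, not Bugzilla's fix, of the kind of filter a web application can apply to user-supplied comment text: it flags C0 controls (including ESC), DEL, the C1 range and Unicode line/paragraph separators, while leaving newline and tab alone. The SAMPLE comment is constructed for the example.

```python
import unicodedata

# Controls a multi-line comment may legitimately contain.
ALLOWED_CONTROLS = {"\n", "\t"}


def is_dangerous_control(ch):
    """True for control characters that should never reach a comment body:
    C0 (U+0000-U+001F, which includes ESC and CR), DEL, C1 (U+0080-U+009F)
    and the Unicode line/paragraph separators (categories Zl, Zp)."""
    if ch in ALLOWED_CONTROLS:
        return False
    cp = ord(ch)
    if cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F:
        return True
    return unicodedata.category(ch) in ("Zl", "Zp")


def find_control_chars(text):
    """Return (offset, codepoint) pairs for every flagged character, for logging."""
    return [(i, ord(ch)) for i, ch in enumerate(text) if is_dangerous_control(ch)]


def sanitize_comment(text):
    """Drop flagged characters; newline and tab survive."""
    return "".join(ch for ch in text if not is_dangerous_control(ch))


def render_visible(text):
    """Moderator view: show flagged characters as \\xNN / \\uNNNN escapes
    instead of hiding them."""
    out = []
    for ch in text:
        if is_dangerous_control(ch):
            cp = ord(ch)
            out.append(f"\\x{cp:02X}" if cp < 0x100 else f"\\u{cp:04X}")
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: looks like a harmless two-line recipe in a browser, but
# the CR (\r) submits the pasted line immediately and ESC begins a sequence.
SAMPLE = "To reproduce:\n  echo hello\r  rm -rf ~/.cache\x1b[2K\n"


if __name__ == "__main__":
    print("flagged:", find_control_chars(SAMPLE))
    print("visible:", render_visible(SAMPLE))
    print("clean  :", repr(sanitize_comment(SAMPLE)))
```

Stripping is the simplest policy; rendering the escapes visibly, as render_visible does, is the better choice for moderators who need to see what a comment actually contains.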