02:20 dbaio 

security/vuxml: Update CVE-2019-18348 and CVE-2020-8492 entries

CVE-2019-18348:	Add missing Python packages range
CVE-2020-8492:	Fix Python 3.7 entrie, it's currently affected.

After committing fixes, we'll need to change ranges again.

PR:		246984

 

10:51 rene 

Document new vulnerabilities in www/chromium < 83.0.4103.97

Obtained
from:	https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html

 

23:43 wen 

- Fix the name of py-django30 in my previous commit

Spotted by:	dan@langille.org

 

23:31 gjb 

Attempt to fix build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

22:49 acm 

- Update c5ec57a9-9c2b-11ea-82b8-4c72b94353b5 entry. Add drupal 8.8.6

 

17:51 mfechner 

Document gitlab-ce vulnerabilities.

 

14:25 wen 

- Document Django multiple vulnerabilities

 

12:41 garga 

vuxml: Document git vulnerability CVE-2020-5260

PR:		245821
Submitted by:	rob2g2 <spam123@bitbert.com>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:37 garga 

vuxml: Document git vulnerability CVE-2020-11008

PR:		245822
Submitted by:	rob2g2 <spam123@bitbert.com>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:14 tijl 

Add entry for GNUTLS-SA-2020-06-03 (flaw in TLS).
Add CVE reference to previous GnuTLS entry.

 

16:46 sunpoet 

Document rubygem-websocket-extensions vulnerability

 

16:44 sunpoet 

Document nghttp2 vulnerability

 

10:53 adamw 

VuXML: Add entry for gitea < 1.11.6

PR:		246892
Submitted by:	maintainer

 

06:51 tagattie 

Correct vulnerable version range of powerdns-recursor

PR:		246655
Submitted by:	Ralf van der Enden <tremere@cainites.net>
Approved by:	ehaupt (mentor)

 

02:07 sunpoet 

Fix r536871

 

01:59 sunpoet 

Document rubygem-kaminari-core vulnerability

 

10:20 cmt 

document sane-backend vulnerabilities

CVE-2020-12861, CVE-2020-12862, CVE-2020-12863, CVE-2020-12864,
CVE-2020-12865, CVE-2020-12866, CVE-2020-12867

PR:		246803

 

06:19 mfechner 

Document gitlab-ce vulnerabilities.

 

16:20 pi 

security/vuxml: add two entries for mail/sympa

PR:		246701
Submitted by:	Geoffroy Desvernay <dgeo@centrale-marseille.fr>

 

12:08 tagattie 

Document powerdns-recursor vulnerabilities

PR:		246655
Submitted by:	Ralf van der Enden <tremere@cainites.net>
Approved by:	ehaupt (mentor)

 

18:04 pi 

security/vuxml: add three CVEs for qmail

PR:		245010
Submitted by:	erdgeist@erdgeist.org

 

18:55 rene 

Document new vulnerabilities in www/chromium 83.0.4103.61.

The website is somewhat crippled and does not show the full text.

 

12:31 joneum 

Add entry for piwigo

PR:		245153
Sponsored by:	Netzkommune GmbH

 

09:22 joneum 

Add entry for tomcat

PR:		246657
Sponsored by:	Netzkommune GmbH

 

22:20 delphij 

Document unbound multiple vulnerabilities.

 

13:07 joneum 

Add entry for drual7

Sponsored by:	Netzkommune GmbH

 

11:41 dbaio 

security/vuxml: Document net-mgmt/zabbix3 issue

Security:	CVE-2020-11800

 

23:35 sunpoet 

Document rails vulnerability

 

14:18 wen 

- Document CVE-2019-18348, CVE-2020-8492 for python38

 

19:00 ler 

security/vuxml: Report multiple dovecot vulnerabilities.

 

20:42 zi 

- Document security/clamav vulnerabilities

 

20:18 sunpoet 

Update json-c vulnerability

- While I'm here, fix format

json-c 0.14 will land the ports tree along with the fix, thus I change it to
0.14.

PR:		246389

 

18:33 sunpoet 

Document rails vulnerability

 

09:17 brnrd 

security/vuxml: MariaDB vulnerabilities

 

06:45 woodsb02 

Add new sysutils/py-salt vulnerabilities

PR:		246061
Reported by:	Christer Edwards <christer.edwards@gmail.com>
Security:	CVE-2020-11651
Security:	CVE-2020-11652

 

11:29 mandree 

devel/json-c: CVE-2020-12762 integer overflow, out of bounds write

Reported by:	Daniel Engberg
Security:	abc3ef37-95d4-11ea-9004-25fadb81abf4
Security:	CVE-2020-12762

 

20:44 sunpoet 

Document typo3 vulnerability

 

18:37 gordon 

Add data for today's SA batch.

Approved by:	so

 

16:02 novel 

security/vuxml: log www/qutebrowser CVE-2020-11054

 

10:08 wen 

- Document python27 CVE-2019-18348

 

08:23 joneum 

add entry for www/glpi

PR:		244971
Sponsored by:	Netzkommune GmbH

 

19:56 mandree 

mail/mailman: extend content injection vuln via private archive login

This led up to mailman 2.1.33 today.
https://bugs.launchpad.net/mailman/+bug/1877379
https://launchpadlibrarian.net/478684932/private.diff
https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/

Approved by:	ports-secteam@ (blanket for security fixes)
Security:	88760f4d-8ef7-11ea-a66d-4b2ef158be83

 

23:26 leres 

security/vuxml: Mark zeek < 3.0.6 as vulnerable as per:

    https://raw.githubusercontent.com/zeek/zeek/v3.0.6/NEWS

Various issues including buffer over-reads, uninitialized field
access, memory leak, and stack overflows.

 

15:02 salvadore 

security/vuxml: Update discovery date for CVE-2020-1730

Update discovery date for CVE-2020-1730 based on information obtained from
the libssh team.

Approved by:	gerald (mentor)

 

05:14 sunpoet 

Document wagtail vulnerability

 

22:55 mandree 

Permit mail/mailman vulnerability to be fixed in 2.1.30_3 already

...not in 2.1.31 only. We can't just easily backport 2.1.31 to 2020Q2.

Security:	88760f4d-8ef7-11ea-a66d-4b2ef158be83

 

17:51 mandree 

new mailman < 2.1.31 content injection vulnerability

similar to CVE-2018-13796 (not sure if they'll reuse that no. so
not including in Security: tags below)

https://bugs.launchpad.net/mailman/+bug/1873722

Security:	88760f4d-8ef7-11ea-a66d-4b2ef158be83

 

05:32 fjoe 

Fix version range for 97fcc60a-6ec0-11ea-a84a-4c72b94353b5:
phpMyAdmin 4.9.5 is not vulnerable

PR:		245096

 

23:23 dbaio 

security/vuxml: Document net-mgmt/cacti issue

PR:		246164
Submitted by:	Michael Muenz <m.muenz@gmail.com>
Security:	CVE-2020-7106

 

21:28 pi 

security/vuxml: add squid 4.10 CVEs

PR:		245433
Submitted by:	Michael Muenz <m.muenz@gmail.com>

 

07:46 tcberner 

Document audio/taglib vulnerability

 

09:44 mfechner 

Documented gitlab vulnerabilities.

 

22:31 dbaio 

security/vuxml: Add other flavors of py-yaml

 

18:48 tcberner 

Document multimedia/vlc vulnerabilities

Security:	CVE-2019-19721 CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077
CVE-2020-6078 CVE-2020-6079

 

15:03 timur 

Add an entry about CVE-2020-10700, CVE-2020-10704 in samba410 and 411.

Security:	CVE-2020-10700
		CVE-2020-10704

 

06:08 fluffy 

net/ceph14: document CVE-2020-1759, CVE-2020-1760

 

01:35 delphij 

Document OpenLDAP CVE-2020-12243.

PR:		213895
Submitted by:	rob2g2 <spam123 bitbert com>

 

19:47 jpaetzel 

Add entry for py-yaml vulnerability

 

17:39 dbaio 

security/vuxml: Document www/py-bleach issue

PR:		245943
Security:	CVE-2020-6817

 

12:25 brnrd 

security/vuxml: MySQL Server 2020Q2 vulnerabilities

 

12:23 brnrd 

security/vuxml: MySQL client 2020Q2 vulnerabilities

 

11:48 brnrd 

security/vuxml: Register Nextcloud vulnerabilities

 

01:17 dbaio 

security/vuxml: Document lang/python issue

PR:		245819
Security:	CVE-2020-8492

 

21:33 sunpoet 

Document wagtail vulnerability

 

20:29 gordon 

11.3 isn't vulenrable to the recent OpenSSL vulnerability.

Approved by:	so
X-Pointy-Hat to: gordon

 

20:02 leres 

security/vuxml: Restore openssl port version range to the 2020-04-21 entry

I tested that this passes "make validate" and correctly flags
openssl-1.1.1f,1 as vulnerable.

Approved by:	gjb

 

11:11 gjb 

Revert r532466, adding back 'FreeBSD' to the topic.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

11:09 gjb 

The vuxml build is now fixed.  Remove the 'ignore' block and its
contents.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

11:07 gjb 

Comment the second name tag, which I believe is what is causing the
vuxml build to fail.  If I am wrong, I will revert this commit.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

11:03 gjb 

Um, ok.  Third attempt to try to fix the vuxml build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

10:44 gjb 

Attempt number 2 to fix the vuxml build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

10:36 gjb 

Fix vuxml build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

09:38 brnrd 

security/vuxml: Fix OpenSSL port commit

 

08:20 brnrd 

security/vuxml: Mark OpenSSL 1.1.1f from ports vulnerable too

 

19:48 sunpoet 

Document libntlm vulnerability

 

18:29 gordon 

Add new entries for SA-20:10 and SA-20:11.

 

12:25 dbaio 

security/vuxml: Document devel/py-twisted vulnerabilities

PR:		245252
Submitted by:	Sascha Biberhofer <ports@skyforge.at>
Reported by:	contact@evilham.com

 

12:58 salvadore 

security/vuxml: Add CVE-2020-1730 affecting security/libssh

Approved by:	gerald (mentor)
Differential Revision:	https://reviews.freebsd.org/D24377

 

11:35 kwm 

Document webkit2-gtk3 vulnability

 

04:13 acm 

- Add www/drupal8 entry

 

22:29 bofh 

sysutils/ansible*: Add multiple Vulnerabilities

- Add vuxml entry for CVE-2020-1737, CVE-2020-1739 and CVE-2020-1740

Security:       CVE-2020-1737
Security:       CVE-2020-1739
Security:       CVE-2020-1740

 

16:16 rene 

Document new vulnerabilities in www/chromium < 81.0.4044.113

Obtained from:	Google Chrome Releases

 

09:32 mandree 

document security/openvpn{,-mbedtls,-devel} illegal client float DoS

URL:		https://community.openvpn.net/openvpn/ticket/1272

Reported by:	Lev Stipakov
Security:	CVE-2020-11810
Security:	8604121c-7fc2-11ea-bcac-7781e90b0c8f

 

13:30 tijl 

Document Mbed TLS CVE-2020-10932.

Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04

 

06:21 mfechner 

Document gitlab vulnerabilities.

 

20:53 leres 

security/vuxml: Mark zeek < 3.0.4 as vulnerable as per:

   
https://github.com/zeek/zeek/blob/e059d4ec2e689b3c8942f4aa08b272f24ed3f612/NEWS

An attacker can crash Zeek remotely via crafted packet sequence via
a stack overflow in POP3 analyzer.

 

10:06 rene 

Document new vulnerabilities in www/chromium < 81.0.4044.92

 

19:32 rene 

Document partial new vulnerabilities in www/chromium < 80.0.3987.162

 

18:12 flo 

Add an entry for the HAproxy vulnerability announced today. The ports have
already been fixed.

PR:		245282
Discussed with:	demon

 

12:21 sunpoet 

Fix rubygem-json entry (40194e1c-6d89-11ea-8082-80ee73419af3)

rubygem-json 2.3.0 was erroneously marked as vulnerable.

% cd /usr/ports/devel/rubygem-json
% make fetch
===>  rubygem-json-2.3.0 has known vulnerabilities:
rubygem-json-2.3.0 is vulnerable:
rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)
CVE: CVE-2020-10663
WWW: https://vuxml.FreeBSD.org/freebsd/40194e1c-6d89-11ea-8082-80ee73419af3.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update
available.
=> If you wish to ignore this vulnerability rebuild with 'make
DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make: stopped in /usr/ports/devel/rubygem-json

 

07:23 joneum 

Add entry for Apache 2.4

Sponsored by:	Netzkommune GmbH

 

22:06 woodsb02 

Document multiple vulnerabilities in net-mgmt/cacti < 1.2.10

PR:		245205
Submitted by:	Michael Muenz <m.muenz@gmail.com>

 

15:52 tijl 

Add entry for GNUTLS-SA-2020-03-31 (flaw in DTLS).

Security:	https://gnutls.org/security-new.html#GNUTLS-SA-2020-03-31

 

19:50 girgen 

Fix validation error

 

19:46 girgen 

Add vuxml entry for CVE-2020-1720

 

13:48 wen 

- Document mediawiki's multiple vulnerabilities

 

20:43 gjb 

Fix vuxml build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)

 

20:27 mfechner 

Document gitlab vulnerabilities.

 

04:40 meta 

security/vuxml: Document CVE-2020-10663 (devel/rubygem-json)

PR:		245023

 

18:25 lwhsu 

Document Jenkins Security Advisory 2020-03-25

Sponsored by:	The FreeBSD Foundation