| non port: x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 |
|
SVNWeb
|
Number of commits found: 2 |
|
Sun, 26 Mar 2017
|
[ 15:45 rakuco  ]   (Only the first 10 of 19 ports in this commit are shown above.  )
Update x11/kdelibs4 to 4.14.30.
This is the latest stable release, and contains many of the patches we kept in
files/. The exception is patch-mimetypes_kde.xml, which just did not seem
necessary any longer: area51 r8180 mentions it was working around issues in
shared-mime-info, which has since been updated. While here, add several
dependencies that were reported by Poudriere's checks.
Bump PORTREVISION in ports that use %%KDE4_KDELIBS_VERSION%% in pkg-plist.
Reviewed by: tcberner
|
|
Sat, 11 Mar 2017
|
[ 10:28 tcberner ]
Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow ``Detect Proxy Configuration Automatically''
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Reviewed by: mat, rakuco
Approved by: rakuco (mentor), mat (mentor)
Obtained from: https://marc.info/?l=kde-announce&m=148831226706885&w=2
MFH: 2017Q1
Security: CVE-2017-6410
Differential Revision: https://reviews.freebsd.org/D9908
|
Number of commits found: 2 |
As an Amazon Associate I earn from qualifying purchases.