notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
All times are UTC
The safest procedure: change your FreshPorts password. Anything you had set before Friday March 24 2023 09:49:20 UTC should be changed. You can read more here: SQL inejection issues fixed and FreshSource code fixes Sorry about the extra work for you.
All known SQL injection issues patched. There is no evidence it was exploited. That doesn’t mean it wasn’t. Please change your password.
non port: x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410

Number of commits found: 2

Sun, 26 Mar 2017
[ 15:45 rakuco search for other commits by this committer ] Original commit   Revision:436971 (Only the first 10 of 19 ports in this commit are shown above. View all ports for this commit)
Update x11/kdelibs4 to 4.14.30.

This is the latest stable release, and contains many of the patches we kept in
files/. The exception is patch-mimetypes_kde.xml, which just did not seem
necessary any longer: area51 r8180 mentions it was working around issues in
shared-mime-info, which has since been updated. While here, add several
dependencies that were reported by Poudriere's checks.

Bump PORTREVISION in ports that use %%KDE4_KDELIBS_VERSION%% in pkg-plist.

Reviewed by:	tcberner
Sat, 11 Mar 2017
[ 10:28 tcberner search for other commits by this committer ] Original commit   Revision:435896
Adress CVE-2017-6410 in devel/kf5-kio and x11/kdelibs4

Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow ``Detect Proxy Configuration Automatically''
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

Reviewed by:	mat, rakuco
Approved by:	rakuco (mentor), mat (mentor)
Obtained from:
MFH:		2017Q1
Security:	CVE-2017-6410
Differential Revision:

Number of commits found: 2