[Midnightbsd-cvs] mports [19593] trunk/security/vuxml: add template files and additonal vulnerabilities in x and mysql
laffer1 at midnightbsd.org
Wed Jul 15 18:01:46 EDT 2015
Revision: 19593
http://svnweb.midnightbsd.org/mports/?rev=19593
Author: laffer1
Date: 2015-07-15 18:01:45 -0400 (Wed, 15 Jul 2015)
Log Message:
-----------
add template files and additional vulnerabilities in x and mysql
Modified Paths:
--------------
trunk/security/vuxml/Makefile
trunk/security/vuxml/vuln.xml
Added Paths:
-----------
trunk/security/vuxml/files/common.css
trunk/security/vuxml/files/html.xsl
Modified: trunk/security/vuxml/Makefile
===================================================================
--- trunk/security/vuxml/Makefile 2015-07-15 12:58:01 UTC (rev 19592)
+++ trunk/security/vuxml/Makefile 2015-07-15 22:01:45 UTC (rev 19593)
@@ -4,7 +4,7 @@
PORTNAME= vuxml
PORTVERSION= 1.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security textproc
MASTER_SITES= http://www.vuxml.org/dtd/vuxml-1/
DISTFILES= vuxml-10.dtd vuxml-model-10.mod \
@@ -96,4 +96,16 @@
newentry:
@${SH} ${FILESDIR}/newentry.sh "${VUXML_FILE}"
-.include <bsd.port.mk>
+.include <bsd.port.pre.mk>
+
+.if defined(VID) && !empty(VID)
+html: work/${VID}.html
+work/${VID}.html: ${FILESDIR}/html.xsl ${FILESDIR}/common.css ${VUXML_FILE}
+ ${MKDIR} work
+ xsltproc --stringparam vid "${VID}" \
+ --output ${.TARGET} \
+ ${FILESDIR}/html.xsl ${VUXML_FILE}
+ ${INSTALL_DATA} ${FILESDIR}/common.css work
+.endif
+
+.include <bsd.port.post.mk>
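Review bot: The recipe for `work/${VID}.html` also writes a second file, `work/common.css`, through the `${INSTALL_DATA}` line, and that output is not the rule's target, so make never tracks it: a deleted or stale `work/common.css` is only refreshed when the html itself happens to be out of date. Give the copy its own rule, `work/common.css: ${FILESDIR}/common.css` with `${INSTALL_DATA} ${.ALLSRC} ${.TARGET}`, and add `work/common.css` to the html target's prerequisites instead of the stylesheet source. The hard-coded `work` directory also bypasses `${WRKDIR}`, which the ports framework already defines and `make clean` already removes; presumably `${WRKDIR}` is the intended location, and it would keep working when WRKDIRPREFIX is set. Whether a build dependency on xsltproc (textproc/libxslt) is declared earlier in the Makefile is not visible in this hunk; if it is not, `make html` fails with command-not-found on a host without it.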
Added: trunk/security/vuxml/files/common.css
===================================================================
--- trunk/security/vuxml/files/common.css (rev 0)
+++ trunk/security/vuxml/files/common.css 2015-07-15 22:01:45 UTC (rev 19593)
@@ -0,0 +1,225 @@
+/*
+ * Copyright 2003-2009 Jacques Vidrine and contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+ * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+body {
+ background: #ffffff;
+ font-family: verdana, "bitstream vera sans", arial, helvetica, sans-serif;
+}
+h1.title {
+ color: #208020;
+}
+h2.section {
+ color: #208020;
+}
+
+h1.title0 {
+ margin-bottom: 0em;
+ color: #208020;
+}
+p.subtitle {
+ margin-top: 0em;
+ color: #208020;
+ font-size: small;
+ font-style: italic;
+ font-weight: bold;
+}
+
+/* The blurb in the upper-right corner. */
+.blurb {
+ color: #40A040;
+ font-size: small;
+ font-style: italic;
+ border: thin solid #40A040;
+ text-align: center;
+ width: 9em;
+ float: right;
+ padding: 2px;
+}
+div.blurb A:link, div.blurb A:visited, div.blurb A:hover {
+ text-decoration: none;
+ color: #40A040;
+}
+
+/* The link from the package page to FreshPorts.org. */
+div.freshportslink {
+ color: #AD0040;
+ font-size: small;
+ font-style: italic;
+ text-align: left;
+ padding: 0px 2px 2px 2px;
+}
+div.freshportslink a:link, div.freshportslink a:visited,
+div.freshportslink a:hover {
+ border: thin solid #AD0040;
+ text-decoration: none;
+ color: #AD0040;
+ padding: 2px;
+}
+
+/* The link from the CVE page to cve.mitre.org. */
+div.cvelink {
+ color: #AD0040;
+ font-size: small;
+ font-style: italic;
+ text-align: left;
+ padding: 0px 2px 2px 2px;
+}
+div.cvelink a:link, div.cvelink a:visited, div.cvelink a:hover {
+ border: thin solid #AD0040;
+ text-decoration: none;
+ color: #AD0040;
+ padding: 2px;
+}
+
+/* Most links are black unless the mouse is over them. */
+A:link, A:visited {
+ text-decoration: none;
+ color: #000000;
+}
+A:hover {
+ text-decoration: underline;
+ color: #802020;
+}
+
+/* Some links should be more visible. */
+A:link.vis, A:visited.vis {
+ text-decoration: none;
+ color: #0000ef;
+}
+
+/* Links in the ``embedded'' HTML look a bit different. */
+div.embed A:link {
+ text-decoration: underline;
+ color: #6b69ff;
+}
+div.embed A:visited {
+ text-decoration: underline;
+ color: #840084;
+}
+div.embed A:hover {
+ text-decoration: underline;
+ color: #ff0000;
+}
+div.citation A:link {
+ text-decoration: none;
+ color: #6b69ff;
+}
+div.citation A:visited {
+ text-decoration: none;
+ color: #840084;
+}
+div.citation A:hover {
+ text-decoration: none;
+ color: #ff0000;
+}
+
+/* Simple list tables */
+table.list {
+ border: thin solid #000000;
+}
+table.list thead td {
+ text-align: center;
+ background: #000000;
+ color: #ffffff;
+}
+
+/* Label/content tables */
+td.label {
+ font-weight: bold;
+ padding-right: 0.75em;
+ padding-left: 0.75em;
+ background-color: #c6d3de;
+ white-space: nowrap;
+}
+td.content {
+ padding-right: 0.75em;
+ padding-left: 0.75em;
+ background: #e5ffe5;
+}
+
+/* The navigation bar */
+tbody.nav td {
+ border: thin solid black;
+ padding: 3pt;
+}
+
+/* Our common table style */
+table.common thead th {
+ padding-right: 0.75em;
+ padding-left: 0.75em;
+ background-color: #c6d3de;
+ white-space: nowrap;
+}
+table.common tbody td {
+ padding-right: 0.75em;
+ padding-left: 0.75em;
+ background: #e5ffe5;
+}
+table.common tbody td.group {
+ background: #c5ffc5;
+ white-space: nowrap;
+}
+
+/* Blockquotes */
+blockquote {
+ background: #F0F0F0;
+ border-left: #CCCCCC 0.5em solid;
+ border-right: #CCCCCC 1px dashed;
+ border-top: #CCCCCC 1px dashed;
+ border-bottom: #CCCCCC 1px dashed;
+}
+div.citation {
+ font-size: small;
+ font-style: italic;
+ text-align: right;
+}
+
+/* Various attributes */
+.package {
+ font-family: "monaco", "andale mono", "courier new", monospace;
+}
+.vid {
+ font-family: "monaco", "andale mono", "courier new", monospace;
+}
+.copyright {
+ font-size: small;
+ font-style: italic;
+}
+.email {
+ font-family: "monaco", "andale mono", "courier new", monospace;
+}
+.hide {
+ display: none;
+}
+.note {
+ font-size: small;
+ font-style: italic;
+ color: #801010;
+}
+.date, .cvename {
+ white-space: nowrap;
+}
+
Property changes on: trunk/security/vuxml/files/common.css
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/security/vuxml/files/html.xsl
===================================================================
--- trunk/security/vuxml/files/html.xsl (rev 0)
+++ trunk/security/vuxml/files/html.xsl 2015-07-15 22:01:45 UTC (rev 19593)
@@ -0,0 +1,179 @@
+<?xml version="1.0"?>
+<!-- $FreeBSD$ -->
+<xsl:stylesheet
+ version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1"
+ xmlns:xhtml="http://www.w3.org/1999/xhtml"
+ xmlns:exsl="http://exslt.org/common"
+ extension-element-prefixes="exsl"
+ exclude-result-prefixes="xhtml vuxml">
+
+ <xsl:output method="xml" encoding="utf-8" indent="yes"
+ doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
+ doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"/>
+
+ <xsl:param name="vid" select="'none'" />
+
+ <xsl:template match="/">
+ <xsl:apply-templates select="vuxml:vuxml/vuxml:vuln[@vid = $vid]" />
+ </xsl:template>
+
+ <xsl:template name="range-spec">
+ <xsl:param name="gt" />
+ <xsl:param name="ge" />
+ <xsl:param name="lt" />
+ <xsl:param name="le" />
+ <xsl:param name="eq" />
+ <xsl:param name="name" />
+
+ <tr valign="top">
+ <td class="version">
+ <xsl:choose>
+ <xsl:when test="$gt != ''"><xsl:value-of select="$gt" /></xsl:when>
+ <xsl:when test="$ge != ''"><xsl:value-of select="$ge" /></xsl:when>
+ <xsl:when test="$eq != ''"><xsl:value-of select="$eq" /></xsl:when>
+ </xsl:choose>
+ </td>
+ <td class="operator">
+ <xsl:choose>
+ <xsl:when test="$gt != ''"><</xsl:when>
+ <xsl:when test="$ge != ''"><=</xsl:when>
+ <xsl:when test="$eq != ''">=</xsl:when>
+ </xsl:choose>
+ </td>
+ <td class="package"><xsl:element name="a">
+ <xsl:attribute name="href">
+ <xsl:value-of select="concat('pkg-', $name, '.html')" />
+ </xsl:attribute>
+ <xsl:value-of select="$name" /></xsl:element></td>
+ <td class="operator">
+ <xsl:choose>
+ <xsl:when test="$lt != ''"><</xsl:when>
+ <xsl:when test="$le != ''"><=</xsl:when>
+ </xsl:choose>
+ </td>
+ <td class="version">
+ <xsl:choose>
+ <xsl:when test="$lt != ''"><xsl:value-of select="$lt" /></xsl:when>
+ <xsl:when test="$le != ''"><xsl:value-of select="$le" /></xsl:when>
+ </xsl:choose>
+ </td>
+ </tr>
+ </xsl:template>
+
+ <xsl:template name="vuln-range">
+ <xsl:param name="range" />
+ <xsl:param name="name" />
+
+ <xsl:for-each select="exsl:node-set($range)">
+ <xsl:call-template name="range-spec">
+ <xsl:with-param name="lt" select="vuxml:lt" />
+ <xsl:with-param name="le" select="vuxml:le" />
+ <xsl:with-param name="gt" select="vuxml:gt" />
+ <xsl:with-param name="ge" select="vuxml:ge" />
+ <xsl:with-param name="name" select="$name" />
+ </xsl:call-template>
+ </xsl:for-each>
+ </xsl:template>
+
+ <xsl:template name="stats" xmlns="http://www.w3.org/1999/xhtml">
+ <xsl:param name="id" />
+ <xsl:param name="label" />
+ <xsl:param name="content" />
+
+ <tr valign="top">
+ <td class="label"><xsl:value-of select="$label" /></td>
+ <td class="content">
+ <xsl:element name="span">
+ <xsl:attribute name="class"><xsl:value-of select="$id" /></xsl:attribute>
+ <xsl:value-of select="$content" /></xsl:element>
+ </td>
+ </tr>
+ </xsl:template>
+
+ <xsl:template match="vuxml:vuln">
+ <html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <title><xsl:value-of select="vuxml:topic" /></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" />
+ <link rel="stylesheet" type="text/css" href="common.css" />
+ </head>
+
+ <body>
+ <h1 class="title"><xsl:value-of select="vuxml:topic" /></h1>
+
+ <table cellspacing="12">
+ <tr valign="top">
+ <td><table class="list">
+ <thead><tr><td colspan="5">Affected packages</td></tr></thead>
+ <tbody>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:call-template name="vuln-range">
+ <xsl:with-param name="range" select="../vuxml:range" />
+ <xsl:with-param name="name" select="." />
+ </xsl:call-template>
+ </xsl:for-each>
+ </xsl:for-each>
+ </tbody>
+ </table></td></tr>
+ </table>
+
+ <h2 class="section">Details</h2>
+
+ <table class="stats">
+ <xsl:call-template name="stats">
+ <xsl:with-param name="id" select="'vid'" />
+ <xsl:with-param name="label" select="'VuXML ID'" />
+ <xsl:with-param name="content" select="$vid" />
+ </xsl:call-template>
+
+ <xsl:for-each select="
+ vuxml:dates/vuxml:discovery |
+ vuxml:dates/vuxml:entry |
+ vuxml:dates/vuxml:modified">
+ <xsl:call-template name="stats">
+ <xsl:with-param name="id" select="name()" />
+ <xsl:with-param name="label"
+ select="concat(translate(substring(name(), 1, 1),
+ 'abcdefghijllmnopqrstuvwxyz',
+ 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'),
+ substring(name(), 2))" />
+ <xsl:with-param name="content" select="." />
+ </xsl:call-template>
+ </xsl:for-each>
+ </table>
+
+ <div class="embed">
+ <xsl:for-each select="vuxml:description/xhtml:body">
+ <xsl:copy-of select="node()" />
+ </xsl:for-each>
+ </div>
+
+ <h2 class="section">References</h2>
+ <table class="reftab">
+ <xsl:for-each select="vuxml:references/vuxml:cvename">
+ <tr valign="top">
+ <td class="label">CVE Name</td>
+ <td class="content"><xsl:element name="a">
+ <xsl:attribute name="href"><xsl:value-of select="concat(., '.html')" /></xsl:attribute>
+ <xsl:value-of select="." />
+ </xsl:element></td>
+ </tr>
+ </xsl:for-each>
+ <xsl:for-each select="vuxml:references/vuxml:url">
+ <tr valign="top">
+ <td class="label">URL</td>
+ <td class="content"><xsl:element name="a">
+ <xsl:attribute name="href"><xsl:value-of select="." /></xsl:attribute>
+ <xsl:value-of select="." />
+ </xsl:element>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ </body>
+ </html>
+ </xsl:template>
+</xsl:stylesheet>
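Review bot: The upper-casing `translate()` used to build the stats label from `substring(name(), 1, 1)` has a typo in its source alphabet: `'abcdefghijllmnopqrstuvwxyz'` omits `k` and repeats `l`, and because `translate()` maps by position this turns a leading `l` into `K` and leaves `k` unchanged. The three element names it is applied to today (discovery, entry, modified) are unaffected, which is why the output looks right, but the expression is wrong for any other name; change the string to `'abcdefghijklmnopqrstuvwxyz'`. Separately, the `<meta>` content value `text/html; charset=utf-8;` carries a trailing semicolon with no parameter after it, which is not part of the media-type parameter grammar even though browsers tolerate it; `text/html; charset=utf-8` is the well-formed value.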
Property changes on: trunk/security/vuxml/files/html.xsl
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2015-07-15 12:58:01 UTC (rev 19592)
+++ trunk/security/vuxml/vuln.xml 2015-07-15 22:01:45 UTC (rev 19593)
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 391664 2015-07-09 16:42:32Z lwhsu $
+ $FreeBSD: head/security/vuxml/vuln.xml 392130 2015-07-15 12:46:08Z tijl $
QUICK GUIDE TO ADDING A NEW ENTRY
@@ -38,7 +38,8 @@
3. use 'make validate' to verify syntax correctness (you might need to install
textproc/libxml2 for parser, and this port for catalogs)
4. fix any errors
-5. profit!
+5. use 'make VID=xxx-yyy-zzz html' to emit the entry's html file for formatting review
+6. profit!
Additional tests can be done this way:
$ env PKG_DBDIR=/usr/ports/security/vuxml pkg audit py26-django-1.6
@@ -57,6 +58,1011 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8d2d6bbd-2a02-11e5-a0af-bcaec565249c">
+ <topic>Adobe Flash Player -- critical vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-c6-flashplugin</name>
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>linux-f10-flashplugin</name>
+ <range><ge>0</ge></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsa15-18.html">
+ <p>Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have
+ been identified. Successful exploitation could cause a crash
+ and potentially allow an attacker to take control of the
+ affected system. Adobe is aware of reports that exploits
+ targeting these vulnerabilities have been published publicly.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-5122</cvename>
+ <cvename>CVE-2015-5123</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsa15-18.html</url>
+ </references>
+ <dates>
+ <discovery>2015-07-10</discovery>
+ <entry>2015-07-14</entry>
+ <modified>2015-07-15</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="3d39e927-29a2-11e5-86ff-14dae9d210b8">
+ <topic>php -- use-after-free vulnerability</topic>
+ <affects>
+ <package>
+ <name>php56-sqlite3</name>
+ <range><lt>5.6.11</lt></range>
+ </package>
+ <package>
+ <name>php55-sqlite3</name>
+ <range><lt>5.5.27</lt></range>
+ </package>
+ <package>
+ <name>php5-sqlite3</name>
+ <range><lt>5.4.43</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Symeon Paraschoudis reports:</p>
+ <blockquote cite="https://bugs.php.net/bug.php?id=69972">
+ <p>Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.php.net/bug.php?id=69972</url>
+ </references>
+ <dates>
+ <discovery>2015-06-30</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="af7fbd91-29a1-11e5-86ff-14dae9d210b8">
+ <topic>php -- use-after-free vulnerability</topic>
+ <affects>
+ <package>
+ <name>php56</name>
+ <range><lt>5.6.11</lt></range>
+ </package>
+ <package>
+ <name>php55</name>
+ <range><lt>5.5.27</lt></range>
+ </package>
+ <package>
+ <name>php5</name>
+ <range><lt>5.4.43</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Symeon Paraschoudis reports:</p>
+ <blockquote cite="https://bugs.php.net/bug.php?id=69970">
+ <p>Use-after-free vulnerability in spl_recursive_it_move_forward_ex()</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.php.net/bug.php?id=69970</url>
+ </references>
+ <dates>
+ <discovery>2015-06-30</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5a1d5d74-29a0-11e5-86ff-14dae9d210b8">
+ <topic>php -- arbitrary code execution</topic>
+ <affects>
+ <package>
+ <name>php56</name>
+ <range><lt>5.6.11</lt></range>
+ </package>
+ <package>
+ <name>php55</name>
+ <range><lt>5.5.27</lt></range>
+ </package>
+ <package>
+ <name>php5</name>
+ <range><lt>5.4.43</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cmb reports:</p>
+ <blockquote cite="https://bugs.php.net/bug.php?id=69768">
+ <p>When delayed variable substitution is enabled (can be set in the
+ Registry, for instance), !ENV! works similar to %ENV%, and the
+ value of the environment variable ENV will be subsituted.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.php.net/bug.php?id=69768</url>
+ </references>
+ <dates>
+ <discovery>2015-06-07</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="36bd352d-299b-11e5-86ff-14dae9d210b8">
+ <topic>mysql -- SSL Downgrade</topic>
+ <affects>
+ <package>
+ <name>php56-mysql</name>
+ <name>php56-mysqli</name>
+ <range><lt>5.6.11</lt></range>
+ </package>
+ <package>
+ <name>php55-mysql</name>
+ <name>php55-mysqli</name>
+ <range><lt>5.5.27</lt></range>
+ </package>
+ <package>
+ <name>php5-mysql</name>
+ <name>php5-mysqli</name>
+ <range><lt>5.4.43</lt></range>
+ </package>
+ <package>
+ <name>mariadb-server</name>
+ <name>mysql51-server</name>
+ <name>mysql55-server</name>
+ <name>mysql56-server</name>
+ <name>percona55-server</name>
+ <name>percona56-server</name>
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>mariadb55</name>
+ <range><lt>5.5.44</lt></range>
+ </package>
+ <package>
+ <name>mariadb10</name>
+ <range><lt>10.0.20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Duo Security reports:</p>
+ <blockquote cite="https://www.duosecurity.com/blog/backronym-mysql-vulnerability">
+ <p>Researchers have identified a serious vulnerability in some
+ versions of Oracle’s MySQL database product that allows an attacker to
+ strip SSL/TLS connections of their security wrapping transparently.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.php.net/bug.php?id=69669</url>
+ <url>https://www.duosecurity.com/blog/backronym-mysql-vulnerability</url>
+ <url>http://www.ocert.org/advisories/ocert-2015-003.html</url>
+ <url>https://mariadb.atlassian.net/browse/MDEV-7937</url>
+ <url>https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/</url>
+ <url>https://mariadb.com/kb/en/mariadb/mariadb-5544-changelog/</url>
+ <cvename>CVE-2015-3152</cvename>
+ </references>
+ <dates>
+ <discovery>2015-03-20</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="81326883-2905-11e5-a4a5-002590263bf5">
+ <topic>devel/ipython -- CSRF possible remote execution vulnerability</topic>
+ <affects>
+ <package>
+ <name>ipython</name>
+ <range><ge>0.12</ge><lt>3.2.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Kyle Kelley reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2015/q3/92">
+ <p>Summary: POST requests exposed via the IPython REST API are
+ vulnerable to cross-site request forgery (CSRF). Web pages on
+ different domains can make non-AJAX POST requests to known IPython
+ URLs, and IPython will honor them. The user's browser will
+ automatically send IPython cookies along with the requests. The
+ response is blocked by the Same-Origin Policy, but the request
+ isn't.</p>
+ <p>API paths with issues:</p>
+ <ul>
+ <li>POST /api/contents/<path>/<file></li>
+ <li>POST /api/contents/<path>/<file>/checkpoints</li>
+ <li>POST /api/contents/<path>/<file>/checkpoints/<checkpoint_id></li>
+ <li>POST /api/kernels</li>
+ <li>POST /api/kernels/<kernel_id>/<action></li>
+ <li>POST /api/sessions</li>
+ <li>POST /api/clusters/<cluster_id>/<action></li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2015/q3/92</url>
+ <url>http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1</url>
+ </references>
+ <dates>
+ <discovery>2015-07-12</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="379788f3-2900-11e5-a4a5-002590263bf5">
+ <topic>freeradius -- insufficent CRL application vulnerability</topic>
+ <affects>
+ <package>
+ <name>freeradius2</name>
+ <range><lt>2.2.8</lt></range>
+ </package>
+ <package>
+ <name>freeradius3</name>
+ <range><lt>3.0.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>oCERT reports:</p>
+ <blockquote cite="http://www.ocert.org/advisories/ocert-2015-008.html">
+ <p>The FreeRADIUS server relies on OpenSSL to perform certificate
+ validation, including Certificate Revocation List (CRL) checks. The
+ FreeRADIUS usage of OpenSSL, in CRL application, limits the checks
+ to leaf certificates, therefore not detecting revocation of
+ intermediate CA certificates.</p>
+ <p>An unexpired client certificate, issued by an intermediate CA with
+ a revoked certificate, is therefore accepted by FreeRADIUS.</p>
+ <p>Specifically sets the X509_V_FLAG_CRL_CHECK flag for leaf
+ certificate CRL checks, but does not use X509_V_FLAG_CRL_CHECK_ALL
+ for CRL checks on the complete trust chain.</p>
+ <p>The FreeRADIUS project advises that the recommended configuration
+ is to use self-signed CAs for all EAP-TLS methods.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4680</cvename>
+ <freebsdpr>ports/201058</freebsdpr>
+ <freebsdpr>ports/201059</freebsdpr>
+ <url>http://www.ocert.org/advisories/ocert-2015-008.html</url>
+ <url>http://freeradius.org/security.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-22</discovery>
+ <entry>2015-07-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f1deed23-27ec-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- xl command line config handling stack overflow</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>4.1</ge><lt>4.5.0_8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-137.html">
+ <p>The xl command line utility mishandles long configuration values
+ when passed as command line arguments, with a buffer overrun.</p>
+ <p>A semi-trusted guest administrator or controller, who is intended
+ to be able to partially control the configuration settings for a
+ domain, can escalate their privileges to that of the whole host.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-3259</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-137.html</url>
+ </references>
+ <dates>
+ <discovery>2015-07-07</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8c31b288-27ec-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- vulnerability in the iret hypercall handler</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>3.1</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-136.html">
+ <p>A buggy loop in Xen's compat_iret() function iterates the wrong way
+ around a 32-bit index. Any 32-bit PV guest kernel can trigger this
+ vulnerability by attempting a hypercall_iret with EFLAGS.VM set.</p>
+ <p>Given the use of __get/put_user(), and that the virtual addresses
+ in question are contained within the lower canonical half, the guest
+ cannot clobber any hypervisor data. Instead, Xen will take up to
+ 2^33 pagefaults, in sequence, effectively hanging the host.</p>
+ <p>Malicious guest administrators can cause a denial of service
+ affecting the whole system.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4164</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-136.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-11</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="80e846ff-27eb-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>4.2</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-134.html">
+ <p>With the introduction of version 2 grant table operations, a
+ version check became necessary for most grant table related
+ hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a
+ check. As a result, the subsequent code behaved as if version 2 was
+ in use, when a guest issued this hypercall without a prior
+ GNTTABOP_setup_table or GNTTABOP_set_version.</p>
+ <p>The effect is a possible NULL pointer dereferences. However, this
+ cannot be exploited to elevate privileges of the attacking domain,
+ as the maximum memory address that can be wrongly accessed this way
+ is bounded to far below the start of hypervisor memory.</p>
+ <p>Malicious or buggy guest domain kernels can mount a denial of
+ service attack which, if successful, can affect the whole system.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4163</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-134.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-11</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ce658051-27ea-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>4.0</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-132.html">
+ <p>The handler for XEN_DOMCTL_gettscinfo failed to initialize a
+ padding field subsequently copied to guest memory.</p>
+ <p>A similar leak existed in XEN_SYSCTL_getdomaininfolist, which is
+ being addressed here regardless of that operation being declared
+ unsafe for disaggregation by XSA-77.</p>
+ <p>Malicious or buggy stub domain kernels or tool stacks otherwise
+ living outside of Domain0 may be able to read sensitive data
+ relating to the hypervisor or other guests not under the control of
+ that domain.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-3340</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-132.html</url>
+ </references>
+ <dates>
+ <discovery>2015-04-20</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3d657340-27ea-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- Unmediated PCI register access in qemu</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>3.3</ge><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-131.html">
+ <p>Qemu allows guests to not only read, but also write all parts of
+ the PCI config space (but not extended config space) of passed
+ through PCI devices not explicitly dealt with for (partial)
+ emulation purposes.</p>
+ <p>Since the effect depends on the specific purpose of the the config
+ space field, it's not possbile to give a general statement about the
+ exact impact on the host or other guests. Privilege escalation,
+ host crash (Denial of Service), and leaked information all cannot be
+ excluded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4106</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-131.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-02</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cbe1a0f9-27e9-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- Guest triggerable qemu MSI-X pass-through error messages</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>3.3</ge><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-130.html">
+ <p>Device model code dealing with guest PCI MSI-X interrupt management
+ activities logs messages on certain (supposedly) invalid guest
+ operations.</p>
+ <p>A buggy or malicious guest repeatedly invoking such operations may
+ result in the host disk to fill up, possibly leading to a Denial of
+ Service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4105</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-130.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-02</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4db8a0f4-27e9-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- PCI MSI mask bits inadvertently exposed to guests</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>3.3</ge><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-129.html">
+ <p>The mask bits optionally available in the PCI MSI capability
+ structure are used by the hypervisor to occasionally suppress
+ interrupt delivery. Unprivileged guests were, however, nevertheless
+ allowed direct control of these bits.</p>
+ <p>Interrupts may be observed by Xen at unexpected times, which may
+ lead to a host crash and therefore a Denial of Service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4104</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-129.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-02</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="af38cfec-27e7-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- Potential unintended writes to host MSI message data field via qemu</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>3.3</ge><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-128.html">
+ <p>Logic is in place to avoid writes to certain host config space
+ fields when the guest must nevertheless be able to access their
+ virtual counterparts. A bug in how this logic deals with accesses
+ spanning multiple fields allows the guest to write to the host MSI
+ message data field.</p>
+ <p>While generally the writes write back the values previously read,
+ their value in config space may have got changed by the host between
+ the qemu read and write. In such a case host side interrupt handling
+ could become confused, possibly losing interrupts or allowing
+ spurious interrupt injection into other guests.</p>
+ <p>Certain untrusted guest administrators may be able to confuse host
+ side interrupt handling, leading to a Denial of Service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-4103</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-128.html</url>
+ </references>
+ <dates>
+ <discovery>2015-06-02</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="103a47d5-27e7-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- Certain domctl operations may be abused to lock up the host</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>4.3</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-127.html">
+ <p>XSA-77 put the majority of the domctl operations on a list
+ excepting them from having security advisories issued for them if
+ any effects their use might have could hamper security. Subsequently
+ some of them got declared disaggregation safe, but for a small
+ subset this was not really correct: Their (mis-)use may result in
+ host lockups.</p>
+ <p>As a result, the potential security benefits of toolstack
+ disaggregation are not always fully realised.</p>
+ <p>Domains deliberately given partial management control may be able
+ to deny service to the entire host.</p>
+ <p>As a result, in a system designed to enhance security by radically
+ disaggregating the management, the security may be reduced. But,
+ the security will be no worse than a non-disaggregated design.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2751</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-127.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-31</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="79f401cd-27e6-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- Unmediated PCI command register access in qemu</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>3.3</ge><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-126.html">
+ <p>HVM guests are currently permitted to modify the memory and I/O
+ decode bits in the PCI command register of devices passed through to
+ them. Unless the device is an SR-IOV virtual function, after
+ disabling one or both of these bits subsequent accesses to the MMIO
+ or I/O port ranges would - on PCI Express devices - lead to
+ Unsupported Request responses. The treatment of such errors is
+ platform specific.</p>
+ <p>Furthermore (at least) devices under control of the Linux pciback
+ driver in the host are handed to guests with the aforementioned bits
+ turned off. This means that such accesses can similarly lead to
+ Unsupported Request responses until these flags are set as needed by
+ the guest.</p>
+ <p>In the event that the platform surfaces aforementioned UR responses
+ as Non-Maskable Interrupts, and either the OS is configured to treat
+ NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to
+ treat these errors as fatal, the host would crash, leading to a
+ Denial of Service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2756</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-126.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-31</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d40c66cb-27e4-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.0_3</lt></range>
+ </package>
+ <package>
+ <name>xen-tools</name>
+ <range><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-125.html">
+ <p>The XEN_DOMCTL_memory_mapping hypercall allows long running
+ operations without implementing preemption.</p>
+ <p>This hypercall is used by the device model as part of the emulation
+ associated with configuration of PCI devices passed through to HVM
+ guests and is therefore indirectly exposed to those guests.</p>
+ <p>This can cause a physical CPU to become busy for a significant
+ period, leading to a host denial of service in some cases.</p>
+ <p>If a host denial of service is not triggered then it may instead be
+ possible to deny service to the domain running the device model,
+ e.g. domain 0.</p>
+ <p>This hypercall is also exposed more generally to all toolstacks.
+ However the uses of it in libxl based toolstacks are not believed
+ to open up any avenue of attack from an untrusted guest. Other
+ toolstacks may be vulnerable however.</p>
+ <p>The vulnerability is exposed via HVM guests which have a PCI device
+ assigned to them. A malicious HVM guest in such a configuration can
+ mount a denial of service attack affecting the whole system via its
+ associated device model (qemu-dm).</p>
+ <p>A guest is able to trigger this hypercall via operations which it
+ is legitimately expected to perform, therefore running the device
+ model as a stub domain does not offer protection against the host
+ denial of service issue. However it does offer some protection
+ against secondary issues such as denial of service against dom0.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2752</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-125.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-31</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="83a28417-27e3-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-123.html">
+ <p>Instructions with register operands ignore eventual segment
+ overrides encoded for them. Due to an insufficiently conditional
+ assignment such a bogus segment override can, however, corrupt a
+ pointer used subsequently to store the result of the instruction.</p>
+ <p>A malicious guest might be able to read sensitive data relating to
+ other guests, or to cause denial of service on the host. Arbitrary
+ code execution, and therefore privilege escalation, cannot be
+ excluded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2151</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-123.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-10</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ef9d041e-27e2-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- Information leak through version information hypercall</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-122.html">
+ <p>The code handling certain sub-operations of the
+ HYPERVISOR_xen_version hypercall fails to fully initialize all
+ fields of structures subsequently copied back to guest memory. Due
+ to this hypervisor stack contents are copied into the destination of
+ the operation, thus becoming visible to the guest.</p>
+ <p>A malicious guest might be able to read sensitive data relating to
+ other guests.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2045</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-122.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-05</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5023f559-27e2-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- Information leak via internal x86 system device emulation</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-121.html">
+ <p>Emulation routines in the hypervisor dealing with certain system
+ devices check whether the access size by the guest is a supported
+ one. When the access size is unsupported these routines failed to
+ set the data to be returned to the guest for read accesses, so that
+ hypervisor stack contents are copied into the destination of the
+ operation, thus becoming visible to the guest.</p>
+ <p>A malicious HVM guest might be able to read sensitive data relating
+ to other guests.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2044</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-121.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-05</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0d732fd1-27e0-11e5-a4a5-002590263bf5">
+ <topic>xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><lt>4.5.0_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-119.html">
+ <p>When instantiating an emulated VGA device for an x86 HVM guest qemu
+ will by default enable a backend to expose that device, either SDL
+ or VNC depending on the version of qemu and the build time
+ configuration.</p>
+ <p>The libxl toolstack library does not explicitly disable these
+ default backends when they are not enabled, leading to an unexpected
+ backend running.</p>
+ <p>If either SDL or VNC is explicitly enabled in the guest
+ configuration then only the expected backends will be enabled.</p>
+ <p>This affects qemu-xen and qemu-xen-traditional differently.</p>
+ <p>If qemu-xen was compiled with SDL support then this would result in
+ an SDL window being opened if $DISPLAY is valid, or a failure to
+ start the guest if not.</p>
+ <p>If qemu-xen was compiled without SDL support then qemu would
+ instead start a VNC server listening on ::1 (IPv6 localhost) or
+ 127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC
+ password will not be configured even if one is present in the guest
+ configuration.</p>
+ <p>qemu-xen-traditional will never start a vnc backend unless
+ explicitly configured. However by default it will start an SDL
+ backend if it was built with SDL support and $DISPLAY is valid.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-2152</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-119.html</url>
+ </references>
+ <dates>
+ <discovery>2015-03-13</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="912cb7f7-27df-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>4.4</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-118.html">
+ <p>On ARM systems the code which deals with virtualising the GIC
+ distributor would, under various circumstances, log messages on a
+ guest accessible code path without appropriate rate limiting.</p>
+ <p>A malicious guest could cause repeated logging to the hypervisor
+ console, leading to a Denial of Service attack.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-1563</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-118.html</url>
+ </references>
+ <dates>
+ <discovery>2015-01-29</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="785c86b1-27d6-11e5-a4a5-002590263bf5">
+ <topic>xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><ge>4.5</ge><lt>4.5.0_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-117.html">
+ <p>When decoding a guest write to a specific register in the virtual
+ interrupt controller Xen would treat an invalid value as a critical
+ error and crash the host.</p>
+ <p>By writing an invalid value to the GICD.SGIR register a guest can
+ crash the host, resulting in a Denial of Service attack.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-0268</cvename>
+ <url>http://xenbits.xen.org/xsa/advisory-117.html</url>
+ </references>
+ <dates>
+ <discovery>2015-02-12</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0">
+ <topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>pivotx</name>
+ <range><lt>2.3.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Pivotx reports:</p>
+ <blockquote cite="http://pivotx.net/page/security">
+ <p>Multiple unrestricted file upload vulnerabilities in fileupload.php
+ in PivotX before 2.3.9 allow remote authenticated users to execute
+ arbitrary PHP code by uploading a file with a (1) .php or (2) .php#
+ extension, and then accessing it via unspecified vectors.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-0341</cvename>
+ </references>
+ <dates>
+ <discovery>2014-04-15</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="14d846d6-27b3-11e5-a15a-50af736ef1c0">
+ <topic>pivotx -- cross-site scripting (XSS) vulnerability</topic>
+ <affects>
+ <package>
+ <name>pivotx</name>
+ <range><lt>2.3.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>pivotx reports:</p>
+ <blockquote cite="http://pivotx.net/page/security">
+ <p>cross-site scripting (XSS) vulnerability in the nickname (and
+ possibly the email) field. Mitigated by the fact that an attacker
+ must have a PivotX account.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-0341</cvename>
+ </references>
+ <dates>
+ <discovery>2014-04-15</discovery>
+ <entry>2015-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c93c9395-25e1-11e5-a4a5-002590263bf5">
+ <topic>wpa_supplicant -- WPS_NFC option payload length validation vulnerability</topic>
+ <affects>
+ <package>
+ <name>wpa_supplicant</name>
+ <range><lt>2.4_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jouni Malinen reports:</p>
+ <blockquote cite="http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt">
+ <p>Incomplete WPS and P2P NFC NDEF record payload length
+ validation. (2015-5)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt</url>
+ </references>
+ <dates>
+ <discovery>2015-07-08</discovery>
+ <entry>2015-07-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="075952fe-267e-11e5-9d03-3c970e169bc2">
+ <topic>openssl -- alternate chains certificate forgery vulnerability</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><ge>1.0.2_2</ge><lt>1.0.2_4</lt></range>
+ </package>
+ <package>
+ <name>mingw32-openssl</name>
+ <range><ge>1.0.2b</ge><lt>1.0.2d</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OpenSSL reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv_20150709.txt">
+ <p>During certificate verification, OpenSSL (starting from version
+ 1.0.1n and 1.0.2b) will attempt to find an alternative certificate
+ chain if the first attempt to build such a chain fails. An error
+ in the implementation of this logic can mean that an attacker could
+ cause certain checks on untrusted certificates to be bypassed,
+ such as the CA flag, enabling them to use a valid leaf certificate
+ to act as a CA and "issue" an invalid certificate.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-1793</cvename>
+ <url>https://www.openssl.org/news/secadv_20150709.txt</url>
+ </references>
+ <dates>
+ <discovery>2015-07-09</discovery>
+ <entry>2015-07-09</entry>
+ </dates>
+ </vuln>
+
<vuln vid="37ed8e9c-2651-11e5-86ff-14dae9d210b8">
<topic>django -- multiple vulnerabilities</topic>
<affects>
@@ -157,11 +1163,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><lt>11.2r202.481</lt></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><lt>11.2r202.481</lt></range>
</package>
</affects>
@@ -340,37 +1346,33 @@
</vuln>
<vuln vid="150d1538-23fa-11e5-a4a5-002590263bf5">
- <topic>squid -- multiple vulnerabilities</topic>
+ <topic>squid -- Improper Protection of Alternate Path with CONNECT requests</topic>
<affects>
<package>
<name>squid</name>
- <range><ge>3.5</ge><lt>3.5.6</lt></range>
+ <range><lt>3.5.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Amos Jeffries, Squid-3 release manager, reports:</p>
- <blockquote cite="http://openwall.com/lists/oss-security/2015/07/06/8">
- <p>Due to incorrect handling of peer responses in a hierarchy of 2 or
- more proxies remote clients (or scripts run on a client) are able to
- gain unrestricted access through a gateway proxy to its backend
- proxy.</p>
- <p>If the two proxies have differing levels of security this could
- lead to authentication bypass or unprivileged access to supposedly
- secure resources.</p>
- <p>Squid up to and including 3.5.5 are apparently vulnerable to DoS
- attack from malicious clients using repeated TLS renegotiation
- messages. This has not been verified as it also seems to require
- outdated (0.9.8l and older) OpenSSL libraries.</p>
+ <p>Squid security advisory 2015:2 reports:</p>
+ <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2015_2.txt">
+ <p>Squid configured with cache_peer and operating on explicit proxy
+ traffic does not correctly handle CONNECT method peer responses.</p>
+ <p>The bug is important because it allows remote clients to bypass
+ security in an explicit gateway proxy.</p>
+ <p>However, the bug is exploitable only if you have configured
+ cache_peer to receive CONNECT requests.</p>
</blockquote>
</body>
</description>
<references>
- <mlist>http://openwall.com/lists/oss-security/2015/07/06/8</mlist>
+ <url>http://www.squid-cache.org/Advisories/SQUID-2015_2.txt</url>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-07-06</entry>
+ <modified>2015-07-10</modified>
</dates>
</vuln>
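Review bot: Dropping `<ge>3.5</ge>` from `<range><lt>3.5.6</lt></range>` widens the match to every older version of the squid port, which is only correct if the advisory's affected-versions list actually starts below 3.5; confirm that against SQUID-2015:2 before widening and keep a lower bound otherwise. The rewrite also removes the oss-security `<mlist>` reference, which is where the CVE request for this bug was raised; keeping it alongside the advisory `<url>` costs nothing, and a `<cvename>` should be added once the identifier is confirmed. Adding `<modified>` is good; the narrowed description reads correctly against the advisory quoted.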
@@ -643,7 +1645,7 @@
</vuln>
<vuln vid="864e6f75-2372-11e5-86ff-14dae9d210b8">
- <topic>node -- denial of service</topic>
+ <topic>node, iojs, and v8 -- denial of service</topic>
<affects>
<package>
<name>node</name>
@@ -657,6 +1659,14 @@
<name>iojs</name>
<range><lt>2.3.3</lt></range>
</package>
+ <package>
+ <name>v8</name>
+ <range><le>3.18.5</le></range>
+ </package>
+ <package>
+ <name>v8-devel</name>
+ <range><le>3.27.7_2</le></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
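Review bot: The new `v8` and `v8-devel` packages use `<le>3.18.5</le>` and `<le>3.27.7_2</le>`, which treats any later PORTREVISION (e.g. 3.18.5_1 from an unrelated rebuild) as unaffected even though no fixed v8 version is named. If no fix exists for these ports yet, `<range><ge>*</ge></range>`, as this same commit uses for linux-*-xorg-libs, keeps the entry matching until a fixed version can be stated. The enclosing `<vuln>` starts and ends outside the hunk.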
@@ -673,12 +1683,13 @@
<url>http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/</url>
<url>https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6</url>
<url>https://github.com/nodejs/io.js/commit/030f8045c706a8c3925ec7cb3184fdfae4ba8676</url>
+ <url>https://codereview.chromium.org/1226493003</url>
<cvename>CVE-2015-5380</cvename>
</references>
<dates>
<discovery>2015-07-03</discovery>
<entry>2015-07-06</entry>
- <modified>2015-07-09</modified>
+ <modified>2015-07-10</modified>
</dates>
</vuln>
@@ -884,6 +1895,10 @@
<name>qemu-sbruno</name>
<range><lt>2.3.50.g20150618_1</lt></range>
</package>
+ <package>
+ <name>xen-tools</name>
+ <range><lt>4.5.0_6</lt></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -904,6 +1919,7 @@
<dates>
<discovery>2015-04-10</discovery>
<entry>2015-06-26</entry>
+ <modified>2015-07-11</modified>
</dates>
</vuln>
@@ -1238,11 +2254,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
</affects>
@@ -1938,6 +2954,14 @@
<name>tomcat8</name>
<range><lt>8.0.9</lt></range>
</package>
+ <package>
+ <name>hadoop2</name>
+ <range><le>2.6.0</le></range>
+ </package>
+ <package>
+ <name>oozie</name>
+ <range><le>4.1.0</le></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
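Review bot: `hadoop2` with `<le>2.6.0</le>` and `oozie` with `<le>4.1.0</le>` stop matching as soon as either port gets a PORTREVISION bump (2.6.0_1), whether or not that bump contains the Tomcat fix. If these ports are known to bundle a vulnerable Tomcat and no fixed port version exists, `<range><ge>*</ge></range>` is the safer marker until one can be named; if a fixed version is known, use `<lt>` with that version instead. The `<vuln>` element and its description lie outside the hunk, so it is not visible here whether the description explains why the Hadoop ports are affected by a Tomcat advisory; a sentence to that effect would help readers.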
@@ -1969,6 +2993,7 @@
<dates>
<discovery>2015-05-12</discovery>
<entry>2015-06-16</entry>
+ <modified>2015-07-13</modified>
</dates>
</vuln>
@@ -2063,11 +3088,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
</affects>
@@ -3859,11 +4884,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><le>11.2r202.457</le></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><le>11.2r202.457</le></range>
</package>
</affects>
@@ -4278,11 +5303,11 @@
<affects>
<package>
<name>powerdns</name>
- <range><lt>3.4.4</lt></range>
+ <range><lt>3.4.5</lt></range>
</package>
<package>
<name>powerdns-recursor</name>
- <range><lt>3.7.2</lt></range>
+ <range><lt>3.7.3</lt></range>
</package>
</affects>
<description>
@@ -4299,11 +5324,14 @@
</description>
<references>
<cvename>CVE-2015-1868</cvename>
+ <cvename>CVE-2015-5470</cvename>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/</url>
+ <mlist>http://www.openwall.com/lists/oss-security/2015/07/10/8</mlist>
</references>
<dates>
<discovery>2015-04-23</discovery>
<entry>2015-05-01</entry>
+ <modified>2015-07-12</modified>
</dates>
</vuln>
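Review bot: CVE-2015-5470 is added to the references and the fixed versions are raised elsewhere in this change, but the entry's `<topic>` and `<description>` sit outside this hunk and presumably still describe only the 2015-01 advisory; an entry that now covers two CVEs should state that the earlier fix was incomplete, otherwise the version bump reads as a typo. The oss-security post is a fine secondary reference, but if PowerDNS has published its own advisory for this CVE (the follow-up to the 2015-01 URL already listed) it should be added as a `<url>` so the primary source is cited.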
@@ -4787,11 +5815,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><le>11.2r202.451</le></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><le>11.2r202.451</le></range>
</package>
</affects>
@@ -5778,9 +6806,13 @@
<range><lt>1.5.1</lt></range>
</package>
<package>
- <name>libXfont</name>
- <range><ge>1.4.99</ge><lt>1.5.1</lt></range>
+ <name>linux-c6-xorg-libs</name>
+ <range><ge>*</ge></range>
</package>
+ <package>
+ <name>linux-f10-xorg-libs</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
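Review bot: Besides adding the two linux-*-xorg-libs packages, this hunk removes the `libXfont` package with `<ge>1.4.99</ge><lt>1.5.1</lt>`; whether libXfont is still covered depends on the package whose `<range><lt>1.5.1</lt></range>` is the first context line, and its `<name>` is outside the hunk. If that package is not libXfont, this is a silent coverage regression and the removed block should be restored rather than replaced. `<range><ge>*</ge></range>` flags every version of the Linux compat libraries as affected with no fix, which is right when none exists, but it will keep firing indefinitely; an XML comment such as `<!-- no fixed linux-*-xorg-libs available -->` next to it would tell the next editor why.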
@@ -5810,6 +6842,7 @@
<dates>
<discovery>2015-03-17</discovery>
<entry>2015-03-18</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>
@@ -5817,11 +6850,11 @@
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><le>11.2r202.442</le></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><le>11.2r202.442</le></range>
</package>
</affects>
@@ -7194,11 +8227,11 @@
<topic>Adobe Flash Player -- critical vulnerability</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><le>11.2r202.438</le></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><le>11.2r202.438</le></range>
</package>
</affects>
@@ -7409,11 +8442,11 @@
<topic>Adobe Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><lt>11.2r202.429</lt></range>
</package>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><lt>11.2r202.429</lt></range>
</package>
</affects>
@@ -10140,11 +11173,11 @@
<topic>Flash player -- Multiple security vulnerabilities in www/linux-*-flashplugin11</topic>
<affects>
<package>
- <name>linux-f10-flashplugin11</name>
+ <name>linux-f10-flashplugin</name>
<range><lt>11.2r202.400</lt></range>
</package>
<package>
- <name>linux-c6-flashplugin11</name>
+ <name>linux-c6-flashplugin</name>
<range><lt>11.2r202.400</lt></range>
</package>
</affects>
@@ -12597,6 +13630,14 @@
<name>libXfont</name>
<range><lt>1.4.7_3</lt></range>
</package>
+ <package>
+ <name>linux-c6-xorg-libs</name>
+ <range><lt>7.4_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-xorg-libs</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
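Review bot: `linux-c6-xorg-libs` is given `<lt>7.4_2</lt>` here but `<ge>*</ge>` in the 2015 libXfont entry modified by this same commit; that is consistent only if 7.4_2 shipped fixes for the 2014 CVEs and nothing for the 2015 ones, which is easy to get backwards when two entries for the same package are edited on the same day. Worth re-checking the 7.4_2 changelog before committing, and if it also fixed the 2015 issues the other entry should use `<lt>7.4_2</lt>` as well. `linux-f10-xorg-libs` with `<ge>*</ge>` is fine if no fix exists; the enclosing `<vuln>` begins outside the hunk.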
@@ -12628,6 +13669,7 @@
<dates>
<discovery>2014-05-13</discovery>
<entry>2014-05-13</entry>
+ <modified>2015-07-15</modified>
</dates>
</vuln>