01:32 philip 

security/vuxml: Note FreeBSD 11.4 fix for CVE-2020-1971

 

14:49 sunpoet 

Document jasper vulnerability

 

00:28 dbaio 

security/vuxml: Document net-im/py-matrix-synapse issue

PR:		251768
Submitted by:	contact@evilham.com
Security:	CVE-2020-26257

 

18:37 brnrd 

security/vuxml: Document p11-kit vulnerabilities

 

16:23 brnrd 

security/vuxml: Document Unbound/NSD vuln

 

15:38 brnrd 

security/vuxml: Update LibreSSL vuln

 * for 2020Q4 branch which is on 3.1

 

10:38 brnrd 

security/vuxml: Document LibreSSL vulnerability

 

10:32 fluffy 

security/vuxml: add 19 CVE entries related to www/glpi

PR:		251754
Submitted by:	Mathias Monnerville

 

09:59 philip 

security/vuxml: FreeBSD 11.4 is vulnerable to CVE-2020-1971

As noted in FreeBSD-SA-20:33.openssl, this vulnerability is also known
to affect OpenSSL versions included in FreeBSD 11.4.  However, the
OpenSSL project is only giving patches for that version to premium
support contract holders.  The FreeBSD project does not have access to
these patches and recommends FreeBSD 11.4 users to either upgrade to
FreeBSD 12.x or leverage up to date versions of OpenSSL in the ports/pkg
system. The FreeBSD Project may update this advisory to include FreeBSD
11.4 should patches become publicly available.

 

06:02 philip 

security/vuxml: add FreeBSD SA to OpenSSL entry

Reference FreeBSD-SA-20:33.openssl and note the fixed patch releases in
the recent OpenSSL entry.

 

10:36 brnrd 

security/vuxml: cURL vulnerabilities

 

16:21 brnrd 

security/vuxml: Document OpenSSL NULL pointer dereference

 

23:53 mfechner 

Document gitlab-ce vulnerabilities.

 

22:01 swills 

Document consul issue

PR:		251418
Submitted by:	brd

 

11:43 rene 

Document new vulnerabilities in www/chromium < 87.0.4280.88

 

17:26 zi 

- Unbreak build after previous commit

 

16:56 adamw 

security/vuxml: Add entry for gitea < 1.13.0

PR:		251577
Submitted by:	maintainer

 

10:03 philip 

security/vuxml: add FreeBSD SA-20:32.rtsold

 

10:03 philip 

security/vuxml: add FreeBSD SA-20:31.icmp6

 

19:37 zeising 

vuxml: document xorg-server vulnerabilities

Document new vulnerabilities in xorg-server and sub ports:
CVE-2020-14360 and CVE-2020-25712

These issues can lead to privileges elevations for authorized clients
on systems where the X server is running privileged.

 

00:34 brd 

vuxml: Add entry for nomad < 0.12.6

 

15:48 adamw 

vuxml: Add entry for gitea < 1.12.6

 

22:14 bhughes 

security/vuxml: document Node.js November 2020 Security Releases

https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/

Sponsored by:	Miles AS

 

14:41 riggs 

Document CVE-2020-28896 for mutt 2.0.2.

PR:		251278
Submitted by:	dereks@lifeofadishwasher.com
Security:	CVE-2020-28896

 

11:13 fluffy 

VuXML: document mozjpeg and libjpeg-turbo recent vulnerabilities

PR:		250190
Submitted by:	daniel.engberg.lists@pyret.net

 

21:02 pi 

security/vuxml: add entries for databases/mantis

PR:		251141
Submitted by:	Zoltan Alexanderson Besse <zab@zltech.eu>

 

21:26 dmgk 

security/vuxml: Document lang/go vulnerabilities

 

06:14 rhurlin 

security/vuxml: New entry for sysutils/py-salt vulnerabilities

There are three security vulnerabilities described for sysutils/py-salt
in version 3002[1]: CVE-2020-16846, CVE-2020-17490, and VE-2020-25592.

[1] https://docs.saltstack.com/en/latest/topics/releases/3002.1.html

It is planned to update the port sysutils/py-salt soon, see PR 251013

Reported by:	michael.glaus@hostpoint.ch (in PR 251013)
Approved by:	tcberner (mentor)
Differential Revision:	https://reviews.freebsd.org/D27189

 

23:56 truckman 

Document vulnerability in editors/openoffice-4 < 4.1.8 and openoffice-devel

CVE-2020-13958 Unrestricted actions leads to arbitrary code execution
in crafted documents

A vulnerability in Apache OpenOffice scripting events allows an
attacker to construct documents containing hyperlinks pointing to
an executable on the target users file system. These hyperlinks can
be triggered unconditionally. In fixed versions no internal protocol
may be called from the document event handler and other hyperlinks
require a control-click.

<https://www.openoffice.org/security/cves/CVE-2020-13958.html>

 

14:05 lwhsu 

Fix CVE name for 07c7ae7a-224b-11eb-aa6e-e0d55e2a8bf9

Sponsored by:	The FreeBSD Foundation

 

05:28 tcberner 

Document vulnerability in textproc/raptor2

From [1], [2], [3]:
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF
Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML
writer, leading to heap-based buffer overflows (sometimes seen in
raptor_qname_format_as_xml).

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18926
[2] https://www.debian.org/security/2020/dsa-4785
[3] https://www.openwall.com/lists/oss-security/2017/06/07/1

PR:		250971
Security:	CVE-2017-18926

 

12:47 dbaio 

security/vuxml: Document www/py-notebook issue

Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned).

 

17:40 brnrd 

security/vuxml: Document addl. MariaDB vulns

 

22:38 madpilot 

Document asterisk vulnerabilities.

 

19:50 rene 

Document new vulnerabilities in www/chromium < 86.0.4240.183

Obtained
from:	https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html

 

20:23 mfechner 

Document gitlab vulnerabilities.

 

19:07 joneum 

Add entry for wordpress

Sponsored by:	Netzkommune GmbH

 

21:26 timur 

Add an entry about recent Samba vulnerabilities

Security:	CVE-2020-14318
		CVE-2020-14323
		CVE-2020-14383

 

02:38 fluffy 

security/vuxml: Document stack overflow in tmux

PR:		250737

 

10:25 fernape 

security/vuxml: Add entry for multimedia/motion

Follow up commit for 553525.

For some reason, "Use MHD function for url decoding" actually means fixing
CVE-2020-26566

PR:	250660

 

08:38 tcberner 

print/freetype2: document vulnerability

PR:		250375
Security:	CVE-2020-15999

 

17:32 brnrd 

security/vuxml: Document 2020Q4 MySQL vulnerabilities

 

08:22 rene 

Document new vulnerabilities in www/chromium < 86.0.4240.111

Obtained
from:	https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

 

09:24 dch 

security/vuxml: add powerdns-recursor

PR:		250318
Submitted by:	Ralf van der Enden <tremere@cainites.net>
Reported by:	michael.glaus@hostpoint.ch
Sponsored by:	SkunkWerks, GmbH

 

15:38 brnrd 

security/vuxml: Document MariaDB vulnerabilities

 

14:17 dbaio 

security/vuxml: Update entry date for the last issue added (r552574)

 

13:50 dbaio 

security/vuxml: Document net-im/py-matrix-synapse issue

PR:		249948
Submitted by:	Sascha Biberhofer <ports@skyforge.at>
Security:	CVE-2020-26891

 

13:08 joneum 

Add entry for drupal7

Sponsored by:	Netzkommune GmbH

 

22:35 jkim 

Document the latest Flash Player vulnerability.

https://helpx.adobe.com/security/products/flash-player/apsb20-58.html

 

18:01 sunpoet 

Document rails vulnerability

 

05:32 pi 

security/vuxml: add CVEs for www/payara

- CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw
  via either loc/con parameters
- CVE-2019-12086 A Polymorphic Typing issue was discovered in
  FasterXML jackson-databind 2.x before 2.9.9
- some more

PR:		250207
Submitted by:	Dmytro Bilokha <dmytro@posteo.net>

 

21:21 leres 

security/vuxml: Mark zeek < 3.0.11 as vulnerable as per:

    https://github.com/zeek/zeek/releases/tag/v3.0.11

A memory leak in multipart MIME code has potential for remote
exploitation and cause for Denial of Service via resource exhaustion.

While we're here fix missing cite for "zeek < 3.0.10" entry.

 

10:53 rene 

Document new vulnerabilities in www/chromium < 86.0.4240.75

Obtained
from:	https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html

 

17:25 sunpoet 

Document libexif vulnerability

 

06:03 tcberner 

vuxml: fix version check in r551354

 

05:49 tcberner 

vuxml: document deskutils/kdeconnect-kde vulnerability

KDE Project Security Advisory
=============================

Title:           KDE Connect: packet manipulation can be exploited in a Denial
of Service attack
Risk Rating:     Important
CVE:             CVE-2020-26164
Versions:        kdeconnect <= 20.08.1
Author:          Albert Vaca Cintora <albertvaka@gmail.com>
Date:            2 October 2020

Overview
========

An attacker on your local network could send maliciously crafted packets to
other hosts running
kdeconnect on the network, causing them to use large amounts of CPU, memory or
network
connections, which could be used in a Denial of Service attack within the
network.

Impact
======

Computers that run kdeconnect are susceptible to DoS attacks from the local
network.

Workaround
==========

We advise you to stop KDE Connect when on untrusted networks like those on
airports or conferences.

Since kdeconnect is dbus activated it is relatively hard to make sure it stays
stopped so the brute
force approach is to uninstall the kdeconnect package from your system and then
run
    kquitapp5 kdeconnectd
Just install the package again once you're back in a trusted network.

Solution
========

KDE Connect 20.08.2 patches several code paths that could result in a DoS.
You can apply these patches on top of 20.08.1:
https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306

Credits
=======

Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.
Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.

Security:	CVE-2020-26164

 

17:21 tcberner 

vuxml: document vulnerability in devel/upnp

Security:	CVE-2020-13848

 

07:30 mfechner 

Document gitlab vulnerabilities.

 

20:29 thierry 

Add recent tt-rss issues.

PR:		249472
Submitted by:	Derek Schrock (tt-rss's maintainer)
MFC after:	1 day
Security:	https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799

 

11:23 pi 

security/vuxml: Add CVE-2020-1945: Apache Ant insecure temporary file
vulnerability

PR:		248098
Submitted by:	mikael

 

09:42 pi 

security/vuxml: add entry dns/powerdns below 4.3.1

- CVE-2020-17482

PR:		249560
Submitted by:	Ralf van der Enden <tremere@cainites.net>
Relnotes:	https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html

 

13:10 zeising 

vuxml: Update pango entry for CVE-2019-1010238

Update the pango entry for CVE-2019-1010238.
Since the fix to pango wasn't applied properly the first time around, the
pango version with the fix needed to be bumpt in the vuxml entry.

 

19:00 rene 

Document new vulnerabilities in www/chromium < 85.0.4183.121

Obtained
from:	https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html

 

17:23 tcberner 

security/vuxml: document libxml2 vulnerabilities

PR:		249386

 

21:07 dbaio 

security/vuxml: Document net-im/py-matrix-synapse issue

PR:		249375
Submitted by:	Denis Kasak <dkasak@termina.org.uk>
Submitted by:	Sascha Biberhofer <ports@skyforge.at> (earlier version)

 

11:36 fluffy 

- Document python35 multiple vulnerabilities

PR:		249187

 

00:36 timur 

Add an entry about CVE-2020-1472 - Unauthenticated domain takeover via netlogon
("ZeroLogon")

Security:	CVE-2020-1472

 

12:22 brnrd 

security/vuxml: Document Nextcloud 19.0.1 vuln

 

09:26 mandree 

www/webkit2-gtk3: Multiple Vulnerabilities (vuxml entry)

PR:		247892
Submitted by:	rob2g2 <spam123@bitbert.com>
Security:	CVE-2020-9802
Security:	CVE-2020-9803
Security:	CVE-2020-9805
Security:	CVE-2020-9806
Security:	CVE-2020-9807
Security:	CVE-2020-9843
Security:	CVE-2020-9850
Security:	CVE-2020-13753

 

20:47 bhughes 

security/vuxml: document Node.js September 2020 Security Releases

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Sponsored by:	Miles AS

 

06:44 philip 

security/vuxml: add FreeBSD SA-20:30.ftpd

 

06:44 philip 

security/vuxml: add FreeBSD SA-20:29.bhyve_svm

 

06:44 philip 

security/vuxml: add FreeBSD SA-20:28.bhyve_vmcs

 

06:44 philip 

security/vuxml: add FreeBSD SA-20:27.ure

 

12:11 sunpoet 

Document rails vulnerability

 

00:10 leres 

security/vuxml: Mark zeek < 3.0.10 as vulnerable as per:

    https://github.com/zeek/zeek/releases/tag/v3.0.10

Memory leak has potential for remote DOS via resource exhaustion.

 

16:01 rene 

Document new vulnerabilities in www/chromium < 85.0.4183.102

Obtained
from:	https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop.html

 

18:04 delphij 

Sigh, fix previous entry as it's already documented, combine the information
into previous entry.

 

18:02 delphij 

Document mpd multiple vulnerabilities.

 

20:03 eugen 

Document remotely exploitable crash in the mpd5.

Reported by:	chennan at SourceForge
Obtained from:	http://mpd.sourceforge.net/doc5/mpd4.html#4

 

10:49 tijl 

Document Mbed TLS 2020-09-1 and 2020-09-2.

Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2

 

10:22 tijl 

Document GNUTLS-SA-2020-09-04.

Security:	https://gnutls.org/security-new.html#GNUTLS-SA-2020-09-04

 

21:44 sunpoet 

Update jasper vulnerability

 

21:35 sunpoet 

Document Django vulnerability

 

21:08 adamw 

security/vuxml: Fix gnupg version range specification

Thanks to swills for pointing me to the error here.

PR:		249110
Reported by:	jjuanino gmail

 

05:25 lwhsu 

Fix format

 

02:13 adamw 

vuxml: Add entry for gnupg 2.2.21 - 2.2.22

 

01:00 philip 

security/vuxml: add FreeBSD SA-20:26.dhclient

 

01:00 philip 

security/vuxml: add FreeBSD SA-20:25.sctp

 

01:00 philip 

security/vuxml: add FreeBSD SA-20:24.ipv6

 

19:39 mfechner 

Document gitlab vulnerabilities.

 

19:28 dmgk 

security/vuxml: Document lang/go vulnerability

 

05:15 tcberner 

security/vuxml: document vulnerability in ark

 

20:50 leres 

security/vuxml: Mark php72, php73, and php74 vulnerable as per:

    https://www.php.net/ChangeLog-7.php#PHP_7_4
    https://www.php.net/ChangeLog-7.php#PHP_7_3
    https://www.php.net/ChangeLog-7.php#PHP_7_2

The phar_parse_zipfile function had [a] use-after-free vulnerability
because of [a] mishandling of the actual_alias variable.

Security:	CVE-2020-7068

 

18:01 rene 

Document new vulnerabilities in www/chromium < 85.0.4183.83

 

19:00 sunpoet 

Document jasper vulnerability

 

17:26 zeising 

vuxml: Document xorg-server and libX11 vulns

Document newly announced vulnerabilities in libX11 and xorg-server.

 

13:12 mfechner 

Updated entry for gitlab to clarify that the previously reported version does
not fix the problem.
Please also see this upstream issue:
https://gitlab.com/gitlab-org/gitlab/-/issues/233881

 

10:08 mandree 

vuln.xml: add chrony < 3.5.1 pidfile symlink vulnerability

Security:	719f06af-e45e-11ea-95a1-c3b8167b8026
Security:	CVE-2020-14367

 

18:12 freqlabs 

security/vuxml: Document sysutils/openzfs-kmod issues

PR:		248787
Reported by:	Andrew Walker
Reviewed by:	wg
Approved by:	wg (ports)
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D26121