From: Nuno Teixeira
Date: Thu, 29 Dec 2022 12:59:58 +0000
Subject: Re: git: 9169d8e03708 - main - security/vuxml: Document mediawiki multiple vulnerabilities
To: Wen Heping
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
In-Reply-To: <202212290345.2BT3jXRg070492@gitrepo.freebsd.org>
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

Hello Wen,

Have you noticed that vuxml is stopped at 2022-12-27?

I suspect <cvename>CVE-2022-PENDING</cvename> because it's not in the correct format. It should be CVE-NNNN-NNNN.

I don't know how to access the vuxml build logs, but it is that for sure.
Cheers

Wen Heping <wen@freebsd.org> wrote on Thursday, 29/12/2022 at 03:45:
The branch main has been updated by wen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9169d8e03708ca0fe85c6889ab9ce18c5f08d4ab

commit 9169d8e03708ca0fe85c6889ab9ce18c5f08d4ab
Author:     Wen Heping <wen@FreeBSD.org>
AuthorDate: 2022-12-29 03:42:17 +0000
Commit:     Wen Heping <wen@FreeBSD.org>
CommitDate: 2022-12-29 03:42:17 +0000

    security/vuxml: Document mediawiki multiple vulnerabilities
---
 security/vuxml/vuln/2022.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml index 7f45e9e5fb06..8ab153950f0d 100644
--- a/security/vuxml/vuln/2022.xml
+++ b/security/vuxml/vuln/2022.xml
@@ -1,3 +1,37 @@
+=C2=A0 <vuln vid=3D"d379aa14-8729-11ed-b988-080027d3a315">=
+=C2=A0 =C2=A0 <topic>mediawiki -- multiple vulnerabilities</topic= >
+=C2=A0 =C2=A0 <affects>
+=C2=A0 =C2=A0 =C2=A0 <package>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<name>mediawiki135</name>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<range><lt>1.35.9</lt></ra= nge>
+=C2=A0 =C2=A0 =C2=A0 </package>
+=C2=A0 =C2=A0 =C2=A0 <package>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<name>mediawiki138</name>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<range><lt>1.38.5</lt></ra= nge>
+=C2=A0 =C2=A0 =C2=A0 </package>
+=C2=A0 =C2=A0 =C2=A0 <package>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<name>mediawiki139</name>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<range><lt>1.39.1</lt></ra= nge>
+=C2=A0 =C2=A0 =C2=A0 </package>
+=C2=A0 =C2=A0 </affects>
+=C2=A0 =C2=A0 <description>
+=C2=A0 =C2=A0 =C2=A0 <body xmlns=3D"
http://www.w3.org/1999/xhtm= l">
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<p>Mediawikwi reports:</p>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0<blockquote cite=3D"https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.w= ikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/">
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<p>(T322637, CVE-2022-PENDING) SEC= URITY: Make sqlite DB files not world readable.</p>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0</blockquote>
+=C2=A0 =C2=A0 =C2=A0 </body>
+=C2=A0 =C2=A0 </description>
+=C2=A0 =C2=A0 <references>
+=C2=A0 =C2=A0 =C2=A0 <cvename>CVE-2022-PENDING</cvename>
+=C2=A0 =C2=A0 =C2=A0 <url>https://lists.wiki= media.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UE= MW64LVEH3BEXCJV43CVS6XPYURKWU3/</url>
+=C2=A0 =C2=A0 </references>
+=C2=A0 =C2=A0 <dates>
+=C2=A0 =C2=A0 =C2=A0 <discovery>2022-12-01</discovery>
+=C2=A0 =C2=A0 =C2=A0 <entry>2022-12-29</entry>
+=C2=A0 =C2=A0 </dates>
+=C2=A0 </vuln>
+
=C2=A0 =C2=A0<vuln vid=3D"4b60c3d9-8640-11ed-a762-482ae324f959"= ;>
=C2=A0 =C2=A0 =C2=A0<topic>netdata -- multiple vulnerabilities with s= treaming</topic>
=C2=A0 =C2=A0 =C2=A0<affects>
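
Review bot: <cvename>CVE-2022-PENDING</cvename> in the <references> block is the upstream placeholder, not an assigned identifier of the form CVE-NNNN-NNNN, and the reply above suspects it is why vuxml has been stuck since 2022-12-27. Drop the <cvename> line until an ID is assigned and keep the <url> reference, which already points at the announcement; the quoted upstream text in the description can stay as it is. In the description body, "Mediawikwi reports:" is misspelled, and the topic says "multiple vulnerabilities" while the blockquote carries only the one sqlite file-permission item, so either quote the other items or narrow the topic.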


--
Nuno Teixeira
FreeBSD Committer (ports)
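
The format check the reply asks for, as an added example (not part of the original mail and not the FreeBSD project's own validation tooling): it parses a VuXML fragment and lists every <cvename> that is not a syntactically valid CVE ID. The function name, the wrapper root element and the second sample entry are assumptions made for illustration; the pattern follows the CVE ID syntax of a four-digit year followed by four or more digits.

```python
import re
import xml.etree.ElementTree as ET

# CVE ID syntax: "CVE-", a four-digit year, "-", then four or more digits.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample. The first entry is trimmed from the commit quoted above;
# the second is a made-up entry with a placeholder ID that is well-formed.
SAMPLE = """
  <vuln vid="d379aa14-8729-11ed-b988-080027d3a315">
    <topic>mediawiki -- multiple vulnerabilities</topic>
    <references>
      <cvename>CVE-2022-PENDING</cvename>
    </references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example -- constructed entry</topic>
    <references>
      <cvename>CVE-0000-0000</cvename>
    </references>
  </vuln>
"""


def check_cvenames(fragment):
    """Return (vid, topic, value) for each <cvename> that is not a valid CVE ID.

    A yearly file such as vuln/2022.xml is a run of <vuln> elements with no
    single root, so the fragment is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<vuxml>" + fragment + "</vuxml>")
    findings = []
    for vuln in root.iter("vuln"):
        topic = (vuln.findtext("topic") or "").strip()
        for ref in vuln.iter("cvename"):
            value = (ref.text or "").strip()
            # fullmatch rejects placeholders, empty elements and trailing junk
            if not CVE_ID.fullmatch(value):
                findings.append((vuln.get("vid"), topic, value))
    return findings


if __name__ == "__main__":
    for vid, topic, value in check_cvenames(SAMPLE):
        print(f"{vid} ({topic}): invalid cvename {value!r}")
```
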