From nobody Sun Dec 10 17:09:11 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SpBDm0k2zz546kX; Sun, 10 Dec 2023 17:09:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SpBDm08HKz3T6v; Sun, 10 Dec 2023 17:09:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1702228152; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7WF7a/mBF+bJ+FDkttkBOVs15lMVRFS8/wjOo9mXGVw=; b=vj/giJG8p0uqzOLqoMldF9OEf/kz7hQ7B1FJmPKWWgYFdUdc/ndRs2lMZdNor8CaEUxiEF K+6gyz1UuegIIiDmCwzBWLNVr7lBit/++sDrWw06nkRTFaPLwzi/VzYoLAhsHtkSGu4nMV U0K0ENKDFSJu7IBKeVxAZN1D1gw/C5tRCbD+9HlV34uf0hN4a4X7hwlQmwmJB3Kj00J0wn BpUE+Z3zHjq0z4ltHGh2ipUMre2/kr8x+A3I2gPzwUNo18Fh3NlvNbyyS9TbgMon8GfGCH OnagPfNFlDVuydJkTyE85bQKidWEI2IlJih6Tr2rgPRTYBbRVbg0krVEJfLpPA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1702228152; a=rsa-sha256; cv=none; b=WvgyzjIrqRyT06qCvHGfBFRthA9ClhukUSUmY7KvKfu3/yiei08fYIzLTzFyI6eFsjnzJ4 goepCp21Swhu/AO0CnUw+wFYn8+ha0LWZXI+yFLqLVvmEoCTW5tAn6HpITnaPvpJ94utf8 hyeQtE4EzL1hq4LYTapLIQ5SIQb5uZgxynE+ogI2f6F0nR7Yut3vCT59vxOt4r0lW/AgYt m1dPNKczqdPWPVkEtRfGYFKJUCtB3IxSy23TbJ8mijC8tvQtI5tafTuV0e49kXTCA19s5H A5amfhNdgnuZxM1vY+oRzUh3RGpRYKKsRPTYf8tbt2xE+p44wzneDMOwflet8w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1702228152; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7WF7a/mBF+bJ+FDkttkBOVs15lMVRFS8/wjOo9mXGVw=; b=MsOoOn4Dv9L3zY6AVFk44i4JcUVJ+Dlwg+Gqb0pvFUA1RPV6cSlaT7BkYsYLMiZ7rhVUL9 eVKn3gQkPDhoqcoSp1pMSW77puqzuPJQ4kpTyOXQjsu6TaT1asq3siVLmd96TGZhXmqAE9 ExWr11gFYktC1vdHyrAUxwJKaDg/W9pOJ3npFGzrapsaYJRIgQFCFv3yXP3c8qCVSg4lhT 5D1hZd/YrEAkbIvBB3pSOHClDs4XODx9p1hws57VCEAW3WNTfQo/eK6RK7gDe+PGMNetQV BOq0IB3JBJAwVR00sloAjpBeVca0grjAU0/LlucUmU/B5GeGCW1trfvx/xPZRA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SpBDl6DhNzwS2; Sun, 10 Dec 2023 17:09:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3BAH9B88041976; Sun, 10 Dec 2023 17:09:11 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3BAH9BMM041973; Sun, 10 Dec 2023 17:09:11 GMT (envelope-from git) Date: Sun, 10 Dec 2023 17:09:11 GMT Message-Id: <202312101709.3BAH9BMM041973@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= Subject: git: a991db5e17fa - main - security/vuxml: Record kafka vulnerability List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fernape X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a991db5e17fa496ec31e0416b8dd8ee357dbee0e Auto-Submitted: auto-generated The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=a991db5e17fa496ec31e0416b8dd8ee357dbee0e commit a991db5e17fa496ec31e0416b8dd8ee357dbee0e Author: Fernando ApesteguĂ­a AuthorDate: 2023-12-10 17:05:14 +0000 Commit: Fernando ApesteguĂ­a CommitDate: 2023-12-10 17:07:55 +0000 security/vuxml: Record kafka vulnerability Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. Note that this only affects SASL Quorum Peer authentication which is not enabled by default. Base Score: 9.1 CRITICAL Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N PR: 275611 --- security/vuxml/vuln/2023.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 790a48f245fd..4f32c6f80e04 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,45 @@ + + apache -- Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication + + + apache + 3.7.2 + + + + +

security@apache.org reports:

+
+

Authorization Bypass Through User-Controlled Key vulnerability in + Apache ZooKeeper. If SASL Quorum Peer authentication is enabled + in ZooKeeper (quorum.auth.enableSasl=true), the authorization is + done by verifying that the instance part in SASL authentication ID + is listed in zoo.cfg server list. The instance part in SASL auth + ID is optional and if it's missing, like 'eve@EXAMPLE.COM', + the authorization check will be skipped.As a result an arbitrary + endpoint could join the cluster and begin propagating counterfeit + changes to the leader, essentially giving it complete read-write + access to the data tree.Quorum Peer authentication is not enabled + by default. + Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, + which fixes the issue. + Alternately ensure the ensemble election/quorum communication is + protected by a firewall as this will mitigate the issue. + See the documentation for more details on correct cluster administration. +

+
+ +
+ + CVE-2023-44981 + https://nvd.nist.gov/vuln/detail/CVE-2023-44981 + + + 2023-10-11 + 2023-12-10 + +
+ strongswan -- buffer overflow