From nobody Fri Jun 30 15:20:13 2023
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QszXF5qDKz4ksS3;
	Fri, 30 Jun 2023 15:20:13 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4QszXF5KZGz4HMX;
	Fri, 30 Jun 2023 15:20:13 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1688138413;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=7TcJgtXWbWzLf6vBhrA5IAeDIwUGlrWF8iQNs1Ek+J4=;
	b=jMiPVHhJCKqM6cGUR+Qd/1xUm9W8YIF3SXnA33jx6ngwHwepe0P5T7Q52K0MNZ9XXF0Yar
	LrVuFgazdU9fXRrGxmUB0O6ha2D3opMdNw/oyinjbNHUIVi8VoniW/3OZdRC3VJ6KvIwBO
	qxmBvbCBRggmaumelSR70WttgT0QhBYyqmDperCmOE/BUxL8BDfKhwQ/YbHhdufQb/v2kI
	yqk9QvfNu/jmfYilNhQX84S75EUcK1sWfYhneTLn1UMOkCulzK0hmho2mSVEWdGE5ER4x0
	T+HU67BM5MFrOariGLkfzqGrVS08PTV54kV5aJilnHhzkbpq+DavsR3kauT9rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1688138413;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=7TcJgtXWbWzLf6vBhrA5IAeDIwUGlrWF8iQNs1Ek+J4=;
	b=jgb8s7+fB5fibRFv48i4nGV0DA1f7BmHfG7BVJyL5AdTQlc1CteqI/d723oIwiRu0mKtdk
	t6UyrfqnOn1ZBkSsLNRFo4UNpznfm+4k8yQ8Wy5DhfiiUgyRxsSc7UxbBzEqokhdOFX/wc
	W+fWoJKlVS/xgrQISaAyx7lmY0nuifhofI3S2Sxln8WHMVpkb6A49diZ0K50UzVG5uVPT3
	F3siCdSfsyrfZn90JyxVYXDwovSff09Pj2q84Pm29ooB+Y/8pkDtns6235XhRI8SWq1cfR
	9E44Ki4uMnceZtBfqxVB4M617sqIAIQXqQEJ8o5LX9qtQAVt8re/yvug2P/KxQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1688138413; a=rsa-sha256; cv=none;
	b=vK1TokdjgAGtq6UBJ7lZY5NSiXkUfnJ6cHaX1U+sNiDoAdar52dtgIZMgGFTe4aGBuAKfy
	Gl78LlJ5aLQe/jt9PsLpzaG/ExHjRMx6IcFXIjK91n07Xss3oYg/PUimCRes4WF1UBhpKr
	AwdIEN8mpJuAeBSzO3GphSBGqFhFSzI1fRlJ9ArcosXIxim7R/MZxoftkZmwDvg6TfjKqS
	JcgcpYzqxeT34xnFc4JxRxf2guomhWJSPRg755fCoamxbTZ9tipwyypdVnn21eCINa88oE
	wvp15PlRlotsveYpaFxF1xNhVa3skQCP+/yC6MejypnvhzxHrI0aY6vG9ItIZw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QszXF4MgVz13m8;
	Fri, 30 Jun 2023 15:20:13 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 35UFKDfb070996;
	Fri, 30 Jun 2023 15:20:13 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 35UFKDgt070985;
	Fri, 30 Jun 2023 15:20:13 GMT
	(envelope-from git)
Date: Fri, 30 Jun 2023 15:20:13 GMT
Message-Id: <202306301520.35UFKDgt070985@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Koichiro Iwao <meta@FreeBSD.org>
Subject: git: 5b6bc4cfbeae - main - security/vuxml: Document security/softether{,-devel} vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: meta
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5b6bc4cfbeae3449df9ee010e2f2c93f2ffa4b32
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by meta:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5b6bc4cfbeae3449df9ee010e2f2c93f2ffa4b32

commit 5b6bc4cfbeae3449df9ee010e2f2c93f2ffa4b32
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2023-06-30 15:16:43 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2023-06-30 15:19:27 +0000

    security/vuxml: Document security/softether{,-devel} vulnerability
    
    Security:       https://www.softether.org/9-about/News/904-SEVPN202301
---
 security/vuxml/vuln/2023.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 822d7481c29b..27cb1dce53ab 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,48 @@
+  <vuln vid="d821956f-1753-11ee-ad66-1c61b4739ac9">
+    <topic>SoftEtherVPN -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>softether</name>
+	<range><lt>4.42.9798</lt></range>
+      </package>
+      <package>
+	<name>softether-devel</name>
+	<range><lt>4.42.9798</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Daiyuu Nobori reports:</p>
+	<blockquote cite="https://www.softether.org/9-about/News/904-SEVPN202301">
+	  <p>The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.</p>
+	  <p>The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.</p>
+	  <p>The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.</p>
+	  <ol>
+	    <li>CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels</li>
+	    <li>CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels</li>
+	    <li>CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process</li>
+	    <li>CVE-2023-27516: If the user forget to set the administrator password of SoftEther VPN Client and enable remote administration with blank password, the administrator password of VPN Client can be changed remotely or VPN client can be used remotely by anonymouse third person</li>
+	    <li>CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process</li>
+	    <li>CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read</li>
+	  </ol>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-27395</cvename>
+      <cvename>CVE-2023-22325</cvename>
+      <cvename>CVE-2023-32275</cvename>
+      <cvename>CVE-2023-27516</cvename>
+      <cvename>CVE-2023-32634</cvename>
+      <cvename>CVE-2023-31192</cvename>
+      <url>https://www.softether.org/9-about/News/904-SEVPN202301</url>
+    </references>
+    <dates>
+      <discovery>2023-06-30</discovery>
+      <entry>2023-06-30</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="06428d91-152e-11ee-8b14-dbdd62da85fb">
     <topic>OpenEXR -- heap buffer overflow in internal_huf_decompress</topic>
     <affects>