Re: git: 05933df68ac7 - main - security/vuxml: Add record for net/keycloak

In reply to: Vladimir Druzenko : "git: 05933df68ac7 - main - security/vuxml: Add record for net/keycloak"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Renato Botelho <garga_at_FreeBSD.org>
Date: Tue, 14 Jan 2025 20:52:41 UTC
On 14/01/25 13:11, Vladimir Druzenko wrote:
> The branch main has been updated by vvd:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=05933df68ac7ae7752a8675eba10a0e0e16cfacb
> 
> commit 05933df68ac7ae7752a8675eba10a0e0e16cfacb
> Author:     Matthias Wolf <freebsd@rheinwolf.de>
> AuthorDate: 2025-01-14 16:05:52 +0000
> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
> CommitDate: 2025-01-14 16:11:09 +0000
> 
>      security/vuxml: Add record for net/keycloak
>      
>      CVE-2024-11736 Unrestricted admin use of system and environment variables
>      CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
>      
>      Security:       CVE-2024-11734
>      Security:       CVE-2024-11736
>      PR:             284058
> ---
>   security/vuxml/vuln/2025.xml | 30 ++++++++++++++++++++++++++++++
>   1 file changed, 30 insertions(+)
> 
> diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
> index e2bd8727d1c4..f202dc01a5e7 100644
> --- a/security/vuxml/vuln/2025.xml
> +++ b/security/vuxml/vuln/2025.xml
> @@ -1,3 +1,33 @@
> +  <vuln vid="7d7a28cd-7f5a-450a-852f-c49aaab3fa7e">
> +    <topic>keycloak -- Multiple security fixes</topic>
> +    <affects>
> +      <package>
> +        <name>keycloak</name>
> +        <range><lt>26.0.8</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +        <p>Keycloak reports:</p>
> +        <blockquote cite="https://www.keycloak.org/2024/11/keycloak-2606-released.html">
> +          <p>This update includes 2 security fixes:</p>
> +          <ul>
> +            <li>CVE-2024-11734: Unrestricted admin use of system and environment variables</li>
> +            <li>CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers</li>
> +          </ul>
> +        </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2024-11734</cvename>
> +      <cvename>CVE-2024-11736</cvename>
> +    </references>
> +    <dates>
> +      <discovery>2025-01-13</discovery>
> +      <entry>2025-01-13</entry>
> +     </dates>
> +  </vuln>
> +
>     <vuln vid="7624c151-d116-11ef-b232-b42e991fc52e">
>       <topic>asterisk - path traversal</topic>
>       <affects>
> 
> 

`make validate` failed when I created new entry for git after this commit:

xmllint -noent 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln.xml > 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln-flat.xml
/bin/sh 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/files/tidy.sh 
"/usr/home/garga/work/freebsd/ports/main/security/vuxml/files/tidy.xsl" 
"/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln-flat.xml" > 
"/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln.xml.tidy"
 >>> Validating...
/usr/local/bin/xmllint --valid --noout 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln-flat.xml
warning : xmlAddEntity: invalid redeclaration of predefined entity 'lt'
warning : xmlAddEntity: invalid redeclaration of predefined entity 'amp'
 >>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
--- /usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln-flat.xml 
        2025-01-14 17:51:29.516064000 -0300
+++ 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln.xml.unexpanded 
  2025-01-14 17:51:32.615493000 -0300
@@ -124,20 +124,20 @@
      <topic>keycloak -- Multiple security fixes</topic>
      <affects>
        <package>
-        <name>keycloak</name>
-        <range><lt>26.0.8</lt></range>
+       <name>keycloak</name>
+       <range><lt>26.0.8</lt></range>
        </package>
      </affects>
      <description>
        <body xmlns="http://www.w3.org/1999/xhtml">
-        <p>Keycloak reports:</p>
-        <blockquote 
cite="https://www.keycloak.org/2024/11/keycloak-2606-released.html">
-          <p>This update includes 2 security fixes:</p>
-          <ul>
-            <li>CVE-2024-11734: Unrestricted admin use of system and 
environment variables</li>
-            <li>CVE-2024-11736: Denial of Service in Keycloak Server 
via Security Headers</li>
-          </ul>
-        </blockquote>
+       <p>Keycloak reports:</p>
+       <blockquote 
cite="https://www.keycloak.org/2024/11/keycloak-2606-released.html">
+         <p>This update includes 2 security fixes:</p>
+         <ul>
+           <li>CVE-2024-11734: Unrestricted admin use of system and 
environment variables</li>
+           <li>CVE-2024-11736: Denial of Service in Keycloak Server via 
Security Headers</li>
+         </ul>
+       </blockquote>
        </body>
      </description>
      <references>
... see above
Consider using 
/usr/home/garga/work/freebsd/ports/main/security/vuxml/vuln.xml.unexpanded 
for final commit
*** Error code 1

Stop.
make: stopped making "validate" in 
/usr/home/garga/work/freebsd/ports/main/security/vuxml

-- 
Renato Botelho