git: 2c7d4d50c06a - main - security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
Herbert J. Skuhra
herbert at gojira.at
Sun Sep 19 07:08:15 UTC 2021
On Thu, 09 Sep 2021 00:08:55 +0200, Eugene Grosbein wrote:
>
> The branch main has been updated by eugen:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=2c7d4d50c06ac12410414813427604ee9af673dd
>
> commit 2c7d4d50c06ac12410414813427604ee9af673dd
> Author: Eugene Grosbein <eugen at FreeBSD.org>
> AuthorDate: 2021-09-08 21:55:19 +0000
> Commit: Eugene Grosbein <eugen at FreeBSD.org>
> CommitDate: 2021-09-08 22:02:51 +0000
>
> security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash
>
> Version 5.9_2 contains security fix for PPPoE servers.
> Insufficient validation of incoming PPPoE Discovery request
> specially crafted by unauthenticated user might lead to unexpected
> termination of the process. The problem affects mpd versions since 5.0.
> Installations not using PPPoE server configuration were not affected.
>
> Reported by: Yannick C at SourceForge
> Tested by: Yannick C at SourceForge, paul at SourceForge
> ---
> security/vuxml/vuln-2021.xml | 28 ++++++++++++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
> index 09525e60d803..1b308b51ea74 100644
> --- a/security/vuxml/vuln-2021.xml
> +++ b/security/vuxml/vuln-2021.xml
> @@ -1,3 +1,31 @@
> + <vuln vid="f55921aa-10c9-11ec-8647-00e0670f2660">
> + <topic>MPD5 PPPoE Server remotely exploitable crash</topic>
> + <affects>
> + <package>
> + <name>mpd5</name>
> + <range><ge>5.0</ge></range>
> + <range><lt>5.9_2</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Version 5.9_2 contains security fix for PPPoE servers.
> + Insufficient validation of incoming PPPoE Discovery request
> + specially crafted by unauthenticated user might lead to unexpected
> + termination of the process. The problem affects mpd versions
> + since 5.0. Installations not using PPPoE server configuration
> + were not affected.</p>
> + </body>
> + </description>
> + <references>
> + <url>http://mpd.sourceforge.net/doc5/mpd4.html#4</url>
> + </references>
> + <dates>
> + <discovery>2021-09-04</discovery>
> + <entry>2021-09-09</entry>
> + </dates>
> + </vuln>
> +
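Review bot: The two separate `<range>` elements under `<package>` for mpd5 are each matched on their own, so `<range><ge>5.0</ge></range>` by itself marks every version from 5.0 upward as affected, including the fixed 5.9_2 and anything later. That is consistent with the audit output in this reply flagging mpd5-5.9_4. Put both bounds in one element, `<range><ge>5.0</ge><lt>5.9_2</lt></range>`, and add a `<modified>` date under `<dates>` when the entry is corrected.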
===> mpd5-5.9_4 has known vulnerabilities:
mpd5-5.9_4 is vulnerable:
MPD5 PPPoE Server remotely exploitable crash
WWW: https://vuxml.FreeBSD.org/freebsd/f55921aa-10c9-11ec-8647-00e0670f2660.html
1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/net/mpd5
*** Error code 1
Stop.
make: stopped in /usr/ports/net/mpd5
--
Herbert