Please review: New vuln.xml entry for ports/mail/fetchmail

Simon L. Nielsen simon at FreeBSD.org
Sun Oct 30 21:37:43 UTC 2005 

On 2005.10.30 20:50:07 +0100, Simon Barner wrote:

> could you please review the attached patch?

Looks good, except for a few minor issues (see below).

> Index: vuln.xml
> ===================================================================
> RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v
> retrieving revision 1.868
> diff -u -r1.868 vuln.xml
> --- vuln.xml	27 Oct 2005 19:40:24 -0000	1.868
> +++ vuln.xml	30 Oct 2005 19:47:37 -0000
> @@ -34,6 +34,36 @@
>  
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> +  <vuln vid="baf74e0b-497a-11da-a4f4-0060084a00e5">
> +    <topic>fetchmailconf -- password exposure through insecure file creation</topic>

This first part is the portname by convention.  I would suggest the
following to avoid getting the topic too long.

<topic>fetchmail -- fetchmailconf local password exposure</topic>

> +    <affects>
> +      <package>
> +	<name>fetchmail</name>
> +	<range><lt>6.2.5.2_1</lt></range>
> +      </package>
> +    </affects>
> +    <description> 
                    ^ EOL whitespace
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>From the fetchmail home page:</p>
> +	<blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt">
> +	  <p>The fetchmailconf program before and excluding version 1.49 opened the
> +	    run control file, wrote the configuration to it, and only then changed
> +	    the mode to 0600 (rw-------). Writing the file, which usually contains
> +	    passwords, before making it unreadable to other users, can expose
> +	    sensitive password information.</p>
> +        </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2005-3088</cvename>
> +      <url>http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt</url>
> +    </references>
> +    <dates>
> +      <discovery>2005-10-21</discovery>
> +      <entry>2005-10-30</entry>
> +    </dates>
> +  </vuln>
> +  
   ^^ EOL whitespace
>    <vuln vid="1daea60a-4719-11da-b5c6-0004614cc33d">
>      <topic>ruby -- vulnerability in the safe level settings</topic>
>      <affects>

-- 
Simon L. Nielsen
FreeBSD Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-doc/attachments/20051030/2a86bf9a/attachment.sig>

More information about the freebsd-doc mailing list