ports/171013: [vuxml][patch] news/inn: fix plaintext command injection
Eygene Ryabinkin
rea at FreeBSD.org
Fri Aug 24 20:40:01 UTC 2012
>Number: 171013
>Category: ports
>Synopsis: [vuxml][patch] news/inn: fix plaintext command injection
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 24 20:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 10.0-CURRENT amd64
>Description:
INN developers report that version 2.5.3 fixes the plaintext command
injection after the channel was TLSized,
http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
>How-To-Repeat:
Look at
- http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
- https://www.isc.org/software/inn/2.5.3article
>Fix:
I have extracted the minimal patch from the full one that upgrades
from 2.5.2 to 2.5.3:
http://codelabs.ru/fbsd/ports/inn/inn-2.5.2-fix-cve-2012-3523.diff
I have checked only the buildability of the patched port and see no problems.
I have no INN setup at hand to test the functionality, sorry.
If you take the route of adding this minimal patch, the VuXML version
specification in a7975581-ee26-11e1-8bd8-0022156e8794 must be changed
from "2.5.3" to "2.5.2_2".
>Release-Note:
>Audit-Trail:
>Unformatted: