svn commit: r418592 - head/security/vuxml

Mark Felder feld at FreeBSD.org
Fri Jul 15 17:13:54 UTC 2016


Author: feld
Date: Fri Jul 15 17:13:52 2016
New Revision: 418592
URL: https://svnweb.freebsd.org/changeset/ports/418592

Log:
  Rename vuxml entry, add new detailed reference as primary.
  
  This new reference has much more detailed information. It appears even
  the latest version of struts is affected and this may affect many
  products using the Apache Commons FileUpload Utility such as Jenkins,
  Lucene-Solr, etc. Unfortunately, it's difficult to identify which version
  of the Apache Commons FileUpload Utility products may have, so this vuxml
  may be expanded as more products are successfully identified.
  
  PR:		211105
  Security:	CVE-2016-3092

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jul 15 16:56:01 2016	(r418591)
+++ head/security/vuxml/vuln.xml	Fri Jul 15 17:13:52 2016	(r418592)
@@ -59,7 +59,7 @@ Notes:
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="61b8c359-4aab-11e6-a7bd-14dae9d210b8">
-    <topic>tomcat -- denial of service</topic>
+    <topic>Apache Commons FileUpload -- denial of service</topic>
     <affects>
       <package>
 	<name>tomcat6</name>
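Review bot: the vid on the <vuln> element is kept while the <topic> is rewritten, so this edits an already published entry in place rather than adding a new one; the VuXML schema records such changes with a <modified> date inside the entry's <dates> element, which lies outside this diff, so please confirm that date is bumped in the same commit, otherwise consumers that track modified dates will not notice the new topic and the widened affected range.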
@@ -75,13 +75,13 @@ Notes:
       </package>
       <package>
 	<name>apache-struts</name>
-	<range><lt>1.3.2</lt></range>
+	<range><le>2.5.2</le></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>Jochen Wiedmann reports:</p>
-	<blockquote cite="http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E">
+	<blockquote cite="http://jvn.jp/en/jp/JVN89379547/index.html">
 	  <p>A malicious client can send file upload requests that cause
 	    the HTTP server using the Apache Commons Fileupload library to become
 	    unresponsive, preventing the server from servicing other requests.</p>
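Review bot: the lead-in line `<p>Jochen Wiedmann reports:</p>` is left unchanged while the blockquote's cite now points at the JVN advisory, so the quoted paragraph is credited to one source and cited to another; either keep the commons-dev mail as the cite (it still appears in the references) or change the lead-in to match the JVN page. Separately, `<range><le>2.5.2</le></range>` replaces the `<lt>1.3.2</lt>` bound with an inclusive upper bound and no fixed version, which is consistent with the log's statement that the latest struts is affected, but it will flag every apache-struts version until a fixed release is known, so plan a follow-up to convert it to an `<lt>` bound once that release exists.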
@@ -89,6 +89,7 @@ Notes:
       </body>
     </description>
     <references>
+      <url>http://jvn.jp/en/jp/JVN89379547/index.html</url>
       <url>http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E</url>
       <cvename>CVE-2016-3092</cvename>
     </references>

