svn commit: r535958 - head/security/vuxml
Cy Schubert
Cy.Schubert at cschubert.com
Wed May 20 04:46:01 UTC 2020
In message <202005192335.04JNZHn3088504 at repo.freebsd.org>, Sunpoet Po-Chuan Hsieh writes:
> Author: sunpoet
> Date: Tue May 19 23:35:17 2020
> New Revision: 535958
> URL: https://svnweb.freebsd.org/changeset/ports/535958
>
> Log:
> Document rails vulnerability
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> =============================================================================
> =
> --- head/security/vuxml/vuln.xml Tue May 19 23:35:10 2020 (r53595
> 7)
> +++ head/security/vuxml/vuln.xml Tue May 19 23:35:17 2020 (r53595
> 8)
> @@ -58,6 +58,57 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="85fca718-99f6-11ea-bf1d-08002728f74c">
> + <topic>Rails -- multiple vulnerabilities</topic>
> + <affects>
> + <package>
> + <name>rubygem-actionpack52</name>
> + <name>rubygem-actionview52</name>
> + <name>rubygem-activestorage52</name>
> + <name>rubygem-activesupport52</name>
> + <range><lt>5.2.4.3</lt></range>
> + </package>
> + <package>
> + <name>rubygem-actionpack60</name>
> + <name>rubygem-actionview60</name>
> + <name>rubygem-activestorage60</name>
> + <name>rubygem-activesupport60</name>
> + <range><lt>6.0.3.1</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>Ruby on Rails blog:</p>
> + <blockquote cite="https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-
> 3-and-6-0-3-1-have-been-released/">
> + <p>Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These r
> eleases contain important security fixes, so please upgrade when you can.</p>
As this is displayed verbatim at www.vuxml.org, do we want the entry to say
something like this instead?
<p>Rails 5.2.4.3 and 6.0.3.1 have been released to address the following
CVEs:</p>
> + <p>Both releases contain the following fixes:</p>
And we can drop the above.
Thoughts?
> + <p>CVE-2020-8162: Circumvention of file size limits in ActiveStorage<
> /p>
> + <p>CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack</p>
> + <p>CVE-2020-8165: Potentially unintended unmarshalling of user-provid
> ed objects in MemCacheStore and RedisCacheStore</p>
> + <p>CVE-2020-8166: Ability to forge per-form CSRF tokens given a globa
> l CSRF token</p>
> + <p>CVE-2020-8167: CSRF Vulnerability in rails-ujs</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <url>https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-
> 1-have-been-released/</url>
> + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3
> 946mreQ</url>
> + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/f6io
> e4sdpbY</url>
> + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/bv6f
> W4S0Y1c</url>
> + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/NOjK
> iGeXUgw</url>
> + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/x9Di
> xQDG9a0</url>
> + <cvename>CVE-2020-8162</cvename>
> + <cvename>CVE-2020-8164</cvename>
> + <cvename>CVE-2020-8165</cvename>
> + <cvename>CVE-2020-8166</cvename>
> + <cvename>CVE-2020-8167</cvename>
> + </references>
> + <dates>
> + <discovery>2020-05-18</discovery>
> + <entry>2020-05-19</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="37d106a8-15a4-483e-8247-fcb68b16eaf8">
> <topic>Dovecot -- Multiple vulnerabilities</topic>
> <affects>
>
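Review bot: the two quoted lead-in paragraphs in the `<description>` (`<p>Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! ... please upgrade when you can.</p>` and `<p>Both releases contain the following fixes:</p>`) are blog-post chatter rather than advisory content, and since www.vuxml.org renders the description body verbatim the entry would read better with a single sentence such as `<p>Rails 5.2.4.3 and 6.0.3.1 have been released to address the following CVEs:</p>` in front of the five CVE paragraphs; the `cite` attribute on the `<blockquote>` and the first `<url>` in `<references>` already point readers at the blog post for the original wording. The `<affects>` ranges (`<lt>5.2.4.3</lt>` and `<lt>6.0.3.1</lt>`) and the `<cvename>` list match the versions and CVEs named in the quoted text, so no change is needed there.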
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.