svn commit: r508483 - head/security/vuxml
Kai Knoblich
kai at FreeBSD.org
Fri Aug 9 21:13:57 UTC 2019
Author: kai
Date: Fri Aug 9 21:13:56 2019
New Revision: 508483
URL: https://svnweb.freebsd.org/changeset/ports/508483
Log:
security/vuxml: Document security/doas issues
PR: 239629
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Aug 9 21:12:44 2019 (r508482)
+++ head/security/vuxml/vuln.xml Fri Aug 9 21:13:56 2019 (r508483)
@@ -58,6 +58,36 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="7f7d6412-bae5-11e9-be92-3085a9a95629">
+ <topic>doas -- Prevent passing of environment variables</topic>
+ <affects>
+ <package>
+ <name>doas</name>
+ <range><lt>6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jesse Smith of Resonating Media reports:</p>
+ <blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">
+ <p>Previous versions of "doas" transferred most environment variables, such
+ as USER, HOME, and PATH from the original user to the target user.
+
+ Passing these variables could cause files in the wrong path or
+ home directory to be read (or written to), which resulted in potential
+ security problems.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/slicer69/doas/releases/tag/6.1</url>
+ </references>
+ <dates>
+ <discovery>2019-08-03</discovery>
+ <entry>2019-08-09</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f56669f5-d799-4ff5-9174-64a6d571c451">
<topic>bro -- Null pointer dereference and Signed integer overflow</topic>
<affects>
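Review bot: The <topic> of the new doas entry ("Prevent passing of environment variables") describes the fix rather than the problem, whereas the neighbouring bro entry names the defects themselves. Wording such as "doas -- environment variables passed from the original user to the target user" would be consistent with that and easier to scan in the rendered list. In the same entry, the single <p> inside the <blockquote> contains a blank line between two paragraphs of the quoted report. Splitting it into two <p> elements would render them as separate paragraphs instead of one run-together block.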