CouchDB had three advisories back in January which affect the current databases/couchdb port (see PR ports/178331). Two of those advisories do not appear to affect FreeBSD users, but the third one affects all users including FreeBSD, so it deserves listing in vuln.xml. Note that someone needs to poke the CouchDB developers to complete their CVE reports for these vulnerabilities, which are still not published in the CVE repository.
How-To-Repeat: Read the CHANGES file in couchdb's git repository.
Responsible Changed From-To: freebsd-ports-bugs->secteam Over to maintainer (via the GNATS Auto Assign Tool)
State Changed From-To: open->closed Committed, thanks!
Responsible Changed From-To: secteam->delphij Take.
Author: delphij Date: Sun May 26 08:38:26 2013 New Revision: 319098 URL: http://svnweb.freebsd.org/changeset/ports/319098 Log: Document couchdb XSS vulnerability. PR: ports/178985 Submitted by: wollman Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun May 26 07:50:47 2013 (r319097) +++ head/security/vuxml/vuln.xml Sun May 26 08:38:26 2013 (r319098) @@ -51,6 +51,35 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="4fb45a1c-c5d0-11e2-8400-001b216147b0"> + <topic>couchdb -- DOM based Cross-Site Scripting via Futon UI</topic> + <affects> + <package> + <name>couchdb</name> + <range><lt>1.2.1,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jan Lehnardt reports:</p> + <blockquote cite="http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E"> + <p>Query parameters passed into the browser-based test suite + are not sanitised, and can be used to load external resources. + An attacker may execute JavaScript code in the browser, using + the context of the remote user.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-5650</cvename> + <url>http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E</url> + </references> + <dates> + <discovery>2012-01-14</discovery> + <entry>2013-05-26</entry> + </dates> + </vuln> + <vuln vid="a5b24a6b-c37c-11e2-addb-60a44c524f57"> <topic>otrs -- information disclosure</topic> <affects>
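Review bot: the `<discovery>2012-01-14</discovery>` value in the new `<dates>` block looks like a wrong year: the advisory mail it cites sits in the `201301.mbox` archive (January 2013) and the PR text describes the advisories as from this January, so `<discovery>2013-01-14</discovery>` is almost certainly what was meant; the `<entry>2013-05-26</entry>` date matches the commit. The `<lt>1.2.1,1</lt>` range with PORTEPOCH and the `CVE-2012-5650` reference are consistent with the log message, and the `<url>` duplicates the `cite` attribute exactly, so nothing else in the hunk needs changing.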