Bug 178985 - security/vuxml update for couchdb CVE-2012-5650
Summary: security/vuxml update for couchdb CVE-2012-5650
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-26 08:10 UTC by Garrett Wollman
Modified: 2013-05-26 09:40 UTC

See Also:


Attachments
file.diff (1.41 KB, patch)
2013-05-26 08:10 UTC, Garrett Wollman

Description Garrett Wollman 2013-05-26 08:10:00 UTC
CouchDB had three advisories back in January which affect the current
databases/couchdb port (see PR ports/178331).  Two of those advisories
do not appear to affect FreeBSD users, but the third one affects all
users including FreeBSD, so deserves listing in vuln.xml.

Note that someone needs to poke the CouchDB developers to complete
their CVE reports for these vulnerabilities, which are still not
published in the CVE repository.

How-To-Repeat: 
Read CHANGES file in couchdb's git repository.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-05-26 08:10:08 UTC
Responsible Changed
From-To: freebsd-ports-bugs->secteam

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Xin LI freebsd_committer freebsd_triage 2013-05-26 09:38:34 UTC
State Changed
From-To: open->closed

Committed, thanks! 


Comment 3 Xin LI freebsd_committer freebsd_triage 2013-05-26 09:38:34 UTC
Responsible Changed
From-To: secteam->delphij

Take.
Comment 4 dfilter service freebsd_committer freebsd_triage 2013-05-26 09:38:40 UTC
Author: delphij
Date: Sun May 26 08:38:26 2013
New Revision: 319098
URL: http://svnweb.freebsd.org/changeset/ports/319098

Log:
  Document couchdb XSS vulnerability.
  
  PR:		ports/178985
  Submitted by:	wollman

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun May 26 07:50:47 2013	(r319097)
+++ head/security/vuxml/vuln.xml	Sun May 26 08:38:26 2013	(r319098)
@@ -51,6 +51,35 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="4fb45a1c-c5d0-11e2-8400-001b216147b0">
+    <topic>couchdb -- DOM based Cross-Site Scripting via Futon UI</topic>
+    <affects>
+      <package>
+	<name>couchdb</name>
+	<range><lt>1.2.1,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Jan Lehnardt reports:</p>
+	<blockquote cite="http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E">
+	  <p>Query parameters passed into the browser-based test suite
+	    are not sanitised, and can be used to load external resources.
+	    An attacker may execute JavaScript code in the browser, using
+	    the context of the remote user.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-5650</cvename>
+      <url>http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E</url>
+    </references>
+    <dates>
+      <discovery>2012-01-14</discovery>
+      <entry>2013-05-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a5b24a6b-c37c-11e2-addb-60a44c524f57">
     <topic>otrs -- information disclosure</topic>
     <affects>
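Review bot: the `<discovery>2012-01-14</discovery>` date in the new entry looks like a typo for 2013-01-14: the cited advisory URL is in the `201301.mbox` archive, the PR description says the advisories came out "back in January" relative to a May 2013 filing, and the 2012 in CVE-2012-5650 reflects the year of CVE assignment, not disclosure. Suggest changing it to `<discovery>2013-01-14</discovery>` before the entry is relied on for timeline reporting.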