See:
http://seclists.org/oss-sec/2015/q3/92
http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1
Created attachment 158677 [details]
security/vuxml for iPython 3.2.1

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ipython-3.2.0
ipython-3.2.0 is vulnerable:
devel/ipython -- CSRF possible remote execution vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/81326883-2905-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ipython-3.2.1
0 problem(s) in the installed packages found.
Created attachment 158678 [details]
py27-ipython-3.2.1.diff

devel/ipython patch for update to 3.2.1

Note: Poudriere builds on 8.4 to 11 are running right now. It looks like it will take overnight. I will update with Poudriere in the morning.
A commit references this bug:

Author: olgeni
Date: Mon Jul 13 08:39:09 UTC 2015
New revision: 391882
URL: https://svnweb.freebsd.org/changeset/ports/391882

Log:
  Document CSRF remote execution vulnerability for devel/ipython (CVE pending).

  PR: 201515
  Submitted by: Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: olgeni
Date: Mon Jul 13 08:42:40 UTC 2015
New revision: 391883
URL: https://svnweb.freebsd.org/changeset/ports/391883

Log:
  Update to version 3.2.1.

  PR: 201515
  Submitted by: Jason Unovitch

Changes:
  head/devel/ipython/Makefile
  head/devel/ipython/distinfo
Thanks. MFH to 2015Q3 and close?
(In reply to Jason Unovitch from comment #5) Diff sent for review - does this have a CVE? I see no reply to the linked email so far.
(In reply to Jimmy Olgeni from comment #6) Super. Thanks. I haven't seen a CVE yet. I'll keep my eye out on my email and pass the word along when I see it since this one isn't the only one I am waiting for.
Created attachment 159056 [details]
security/vuxml update with CVE-2015-5607 assignment

Jimmy,

CVE-2015-5607 was assigned. The existing http://seclists.org/oss-sec/2015/q3/92 reference already covers it; it is just available later in that thread. Patch attached to document the assignment.

SVN Log:
- Document CVE assignment in iPython 3.2.1 entry

PR: 201515
Security: CVE-2015-5607
Security: 81326883-2905-11e5-a4a5-002590263bf5
A commit references this bug:

Author: olgeni
Date: Wed Jul 22 22:51:34 UTC 2015
New revision: 392700
URL: https://svnweb.freebsd.org/changeset/ports/392700

Log:
  Document CVE assignment in iPython 3.2.1 entry.

  PR: 201515
  Security: CVE-2015-5607
  Security: 81326883-2905-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
3.2.1 merged in r392704. Thanks!