Created attachment 241573 [details]
18 VuXML new entries for vulnerable ports

A third batch of new VuXML entries for vulnerable ports discovered with pysec2vuxml (see https://github.com/HubTou/pysec2vuxml).

Entries were verified with:

# cd /usr/ports/security/vuxml
# make validate

Here are the ports affected with their respective maintainers:

-------------------------------------------------------------------------------------------------------------
Vulns  Package            Port path                   Port name                 Port version  Maintainer
-------------------------------------------------------------------------------------------------------------
2      dparse             textproc/py-dparse          py39-dparse               0.5.1         kai@FreeBSD.org
4      markdown2          textproc/py-markdown2       py39-markdown2            2.3.6         wen@FreeBSD.org
4      pygments           textproc/py-pygments-25     py39-pygments-25          2.5.2         nivit@FreeBSD.org
1      django-photologue  www/py-django-photologue    py39-django-photologue    3.15_1        ports@caomhin.org
2      flask-caching      www/py-flask-caching        py39-flask-caching        1.9.0         rt@scientifics.de
2      Flask-Cors         www/py-flask-cors           py39-Flask-Cors           3.0.8         stiginge@pvv.org
1      flask-security     www/py-flask-security       py39-flask-security       3.0.0_1       meka@tilda.center
4      httpie             www/py-httpie               py39-httpie               3.0.2         ale@FreeBSD.org
2      httpx              www/py-httpx013             py39-httpx013             0.13.3_3      sunpoet@FreeBSD.org
6      Scrapy             www/py-scrapy               py39-Scrapy               2.5.1         skreuzer@FreeBSD.org
1      treq               www/py-treq                 py39-treq                 20.9.0        contact@evilham.com
2      wagtail            www/py-wagtail              py39-wagtail              4.2_1         sunpoet@FreeBSD.org
1      WsgiDAV            www/py-wsgidav              py39-WsgiDAV              3.1.0         ultima@FreeBSD.org
=============================================================================================================
@ports-secteam: Are any of you working on this? If not, I'd like to shepherd the patch into the Ports tree.
I don't think anyone is looking at this one. Go for it! Thank you.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8862a8fe47b89e74fb40d1cd003f254f817c7290

commit 8862a8fe47b89e74fb40d1cd003f254f817c7290
Author:     Hubert Tournier <hubert.tournier@gmail.com>
AuthorDate: 2023-08-31 11:13:29 +0000
Commit:     Kai Knoblich <kai@FreeBSD.org>
CommitDate: 2023-08-31 11:13:29 +0000

    security/vuxml: Document 18 py*-* vulnerabilities

    Vulnerable Python ports discovered with pysec2vuxml.

    See also: <https://github.com/HubTou/pysec2vuxml>.

    PR:             270923
    Co-Authored by: kai

 security/vuxml/vuln/2023.xml | 607 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 607 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1bdf5449997cb2ab330504f221f3c5d4b83cab17

commit 1bdf5449997cb2ab330504f221f3c5d4b83cab17
Author:     Kai Knoblich <kai@FreeBSD.org>
AuthorDate: 2023-08-31 11:18:01 +0000
Commit:     Kai Knoblich <kai@FreeBSD.org>
CommitDate: 2023-08-31 11:18:01 +0000

    textproc/py-dparse: Update to 0.6.3

    * Add CPE related entries
    * Introduce CONDA option to reflect the settings as defined in "setup.py"
    * Simplify Makefile by switching to USE_PYTHON=pytest

    Changelog since 0.5.1:
    https://github.com/pyupio/dparse/compare/0.5.1...0.6.3

    PR:             270923 [1]
    Reported by:    Hubert Tournier [1]
    MFH:            2023Q3
    Security:       83b29e3f-886f-439f-b9a8-72e014479ff9

 textproc/py-dparse/Makefile | 32 +++++++++++++++++++-------------
 textproc/py-dparse/distinfo |  6 +++---
 2 files changed, 22 insertions(+), 16 deletions(-)
A commit in branch 2023Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a05ad943d3212db0eccfa10137eb2ef984c058db

commit a05ad943d3212db0eccfa10137eb2ef984c058db
Author:     Kai Knoblich <kai@FreeBSD.org>
AuthorDate: 2023-08-31 11:18:01 +0000
Commit:     Kai Knoblich <kai@FreeBSD.org>
CommitDate: 2023-08-31 11:23:53 +0000

    textproc/py-dparse: Update to 0.6.3

    * Add CPE related entries
    * Introduce CONDA option to reflect the settings as defined in "setup.py"
    * Simplify Makefile by switching to USE_PYTHON=pytest

    Changelog since 0.5.1:
    https://github.com/pyupio/dparse/compare/0.5.1...0.6.3

    PR:             270923 [1]
    Reported by:    Hubert Tournier [1]
    MFH:            2023Q3
    Security:       83b29e3f-886f-439f-b9a8-72e014479ff9

    (cherry picked from commit 1bdf5449997cb2ab330504f221f3c5d4b83cab17)

 textproc/py-dparse/Makefile | 32 +++++++++++++++++++-------------
 textproc/py-dparse/distinfo |  6 +++---
 2 files changed, 22 insertions(+), 16 deletions(-)
(In reply to Hubert Tournier from comment #0)

Committed, thanks for the entries and CC'ing the maintainers!

Unfortunately, quite some time has passed, so I have adjusted the entry dates accordingly to match reality.

I also noticed that exactly one character was missing from the entry with the VID c2c89dea-2859-4231-8f3b-12be0d475ff. I have padded this with a leading zero:

> c2c89dea-2859-4231-8f3b-12be0d475ff -> c2c89dea-2859-4231-8f3b-012be0d475ff
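The truncated VID above passed `make validate`, so a pre-commit lint that checks each `vid` against the 8-4-4-4-12 UUID shape (plus duplicate VIDs and the `<dates>` format) is a cheap extra safeguard. This is an added example, not part of the thread or of the vuxml port's own validation; the VuXML fragment is constructed and reuses the two VIDs quoted in the comment.

```python
import re
import xml.etree.ElementTree as ET

# VuXML VIDs are lowercase UUID-style strings: 8-4-4-4-12 hex digits (36 chars).
VID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed fragment: the first vid is the 35-character one from the thread,
# the second is the padded, corrected form.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="c2c89dea-2859-4231-8f3b-12be0d475ff">
    <topic>py39-example -- constructed entry</topic>
    <affects><package><name>py39-example</name><range><lt>1.0</lt></range></package></affects>
    <dates><discovery>2023-05-01</discovery><entry>2023-08-31</entry></dates>
  </vuln>
  <vuln vid="c2c89dea-2859-4231-8f3b-012be0d475ff">
    <topic>py39-example -- constructed entry</topic>
    <affects><package><name>py39-example</name><range><lt>1.0</lt></range></package></affects>
    <dates><discovery>2023-05-01</discovery><entry>2023-08-31</entry></dates>
  </vuln>
</vuxml>
"""


def lint_vuxml(xml_text):
    """Return (vid, problem) tuples for entries with a malformed or duplicate vid
    or a missing/malformed discovery or entry date."""
    root = ET.fromstring(xml_text)
    problems, seen = [], set()
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid", "")
        if not VID_RE.match(vid):
            problems.append((vid, "vid is not a well-formed UUID (%d chars)" % len(vid)))
        if vid in seen:
            problems.append((vid, "duplicate vid"))
        seen.add(vid)
        for tag in ("discovery", "entry"):
            el = vuln.find("v:dates/v:%s" % tag, NS)
            if el is None or not DATE_RE.match(el.text or ""):
                problems.append((vid, "missing or malformed <%s> date" % tag))
    return problems


if __name__ == "__main__":
    for vid, problem in lint_vuxml(SAMPLE_VUXML):
        print(vid, "-", problem)
```

Run it against security/vuxml/vuln/2023.xml before `make validate`; only the shortened VID is reported for the constructed input.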
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f58017fbbf3f23ae9073f0202fb3758ec5d0f0a5

commit f58017fbbf3f23ae9073f0202fb3758ec5d0f0a5
Author:     Kai Knoblich <kai@FreeBSD.org>
AuthorDate: 2023-09-03 07:59:25 +0000
Commit:     Kai Knoblich <kai@FreeBSD.org>
CommitDate: 2023-09-03 07:59:25 +0000

    textproc/py-markdown2: Update to 2.4.10

    * Introduce SYNTAX and WAVEDROM options to reflect the settings in
      setup.py accordingly.
    * Make the port concurrent safe as it installs a script outside of
      Python's site-lib directory.
    * Update WWW as the repository has moved to a new location.
    * Hook up the test suite.

    Changelog since 2.3.6:
    https://github.com/trentm/python-markdown2/compare/2.3.6...2.4.10

    PR:             273513, 270923 [1]
    Reported by:    Hubert Tournier [1]
    Approved by:    wen (maintainer)
    MFH:            2023Q3
    Security:       c9b3324f-8e03-4ae3-89ce-8098cdc5bfa9 [1]
                    cf6f3465-e996-4672-9458-ce803f29fdb7 [1]

 textproc/py-markdown2/Makefile | 25 +++++++++++++++++++++----
 textproc/py-markdown2/distinfo |  6 +++---
 2 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch 2023Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7cac28e6977bfded94c707a0f09cf8ecb7344da0

commit 7cac28e6977bfded94c707a0f09cf8ecb7344da0
Author:     Kai Knoblich <kai@FreeBSD.org>
AuthorDate: 2023-09-03 07:59:25 +0000
Commit:     Kai Knoblich <kai@FreeBSD.org>
CommitDate: 2023-09-03 08:20:24 +0000

    textproc/py-markdown2: Update to 2.4.10

    * Introduce SYNTAX and WAVEDROM options to reflect the settings in
      setup.py accordingly.
    * Make the port concurrent safe as it installs a script outside of
      Python's site-lib directory.
    * Update WWW as the repository has moved to a new location.
    * Hook up the test suite.

    Changelog since 2.3.6:
    https://github.com/trentm/python-markdown2/compare/2.3.6...2.4.10

    PR:             273513, 270923 [1]
    Reported by:    Hubert Tournier [1]
    Approved by:    wen (maintainer)
    MFH:            2023Q3
    Security:       c9b3324f-8e03-4ae3-89ce-8098cdc5bfa9 [1]
                    cf6f3465-e996-4672-9458-ce803f29fdb7 [1]

    (cherry picked from commit f58017fbbf3f23ae9073f0202fb3758ec5d0f0a5)

 textproc/py-markdown2/Makefile | 25 +++++++++++++++++++++----
 textproc/py-markdown2/distinfo |  6 +++---
 2 files changed, 24 insertions(+), 7 deletions(-)