Bug 200760

Summary: textproc/kibana: Security vulnerability CVE-2015-4093
Product: Ports & Packages Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)Assignee: Antoine Brodin <antoine>
Status: Closed Not A Bug    
Severity: Affects Only Me CC: junovitch, ports-secteam
Priority: --- Keywords: needs-patch, security
Version: LatestFlags: bugzilla: maintainer-feedback? (antoine)
Hardware: Any   
OS: Any   
URL: http://www.securityfocus.com/archive/1/535726/30/0/threaded

Description Kubilay Kocak freebsd_committer freebsd_triage 2015-06-10 11:35:45 UTC 
Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the userĂ¢??s browser.
Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2015-06-10 11:48:49 UTC 
Kibana 3 is in the ports tree,  kibana 4 is a total rewrite so I don't think we are affected.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-06-11 01:49:45 UTC 
Good catch.  Kibana 4 isn't in the tree and the advisory is clear on affected versions.  There are two open PRs for adding a Kibana 4 port.

For bug 200582 in https://bugs.freebsd.org/200582, I've provided this information and mentioned it would have to be addressed.  That was the first submission.

Bug 200653 was the second submission in https://bugs.freebsd.org/200653.  That wasn't portlint clean and didn't have build logs so I provided some feedback to the author, mentioned the security issue, and recommended he close the duplicate PR and contribute to the first.