Bug 238573

Summary:	net/netatalk3: Add VuXML entry for CVE-2018-1160 (fixed in 3.1.12)
Product:	Ports & Packages	Reporter:	Kubilay Kocak <koobs>
Component:	Individual Port(s)	Assignee:	Joe Marcus Clarke <marcus>
Status:	Closed FIXED
Severity:	Affects Only Me	CC:	ports-secteam
Priority:	---	Keywords:	easy, security
Version:	Latest	Flags:	bugzilla: maintainer-feedback? (marcus)
Hardware:	Any
OS:	Any
URL:	https://nvd.nist.gov/vuln/detail/CVE-2018-1160

Description Kubilay Kocak freebsd_committer

2019-06-15 05:41:53 UTC

The net/netatalk port was updated to 3.1.12 in December 2018

This version fixed CVE-2018-1160 

Upstream states the following on the nature of the vulnerability: "Please update to this latest release as soon as possible as this releases fixes an major security issue (CVE-2018-1160)."

" A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution."

CVSS v3.0 Base Score: 9.8 CRITICAL 
CVSS v2.0 Base Score: 10.0 HIGH 

It appears no security/vuxml entry was added for this vulnerability

Any user running anything less than the latest versions will not be notified that their version is vulnerable

Relevant URL's for the VuXML entry:

https://nvd.nist.gov/vuln/detail/CVE-2018-1160
https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172

"discovery date" should be 20181110 (first mention of CVE [1])
"entry date" should be date of port commit updating to 3.1.12

[1] https://github.com/Netatalk/Netatalk/search?q=CVE-2018-1160&type=Commits

Comment 1 Joe Marcus Clarke freebsd_committer

2019-06-16 17:07:53 UTC

Documented.

Comment 2 commit-hook freebsd_committer

2019-06-16 17:08:06 UTC

A commit references this bug:

Author: marcus
Date: Sun Jun 16 17:07:14 UTC 2019
New revision: 504357
URL: https://svnweb.freebsd.org/changeset/ports/504357

Log:
  Add an entry for netatalk3.

  Document the netatalk3 remote code execution vulnerability fixed in 3.1.12.

  PR:		238573

Changes:
  head/security/vuxml/vuln.xml