Bug 238573

Summary: net/netatalk3: Add VuXML entry for CVE-2018-1160 (fixed in 3.1.12)
Product: Ports & Packages
Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)
Assignee: Joe Marcus Clarke <marcus>
Status: Closed FIXED
Severity: Affects Only Me
CC: ports-secteam
Priority: ---
Keywords: easy, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (marcus)
Hardware: Any
OS: Any
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-1160

Description Kubilay Kocak freebsd_committer freebsd_triage 2019-06-15 05:41:53 UTC
The net/netatalk port was updated to 3.1.12 in December 2018.

This version fixed CVE-2018-1160.

Upstream states the following on the nature of the vulnerability: "Please update to this latest release as soon as possible as this releases fixes an major security issue (CVE-2018-1160)."

"A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution."

CVSS v3.0 Base Score: 9.8 CRITICAL
CVSS v2.0 Base Score: 10.0 HIGH

It appears no security/vuxml entry was added for this vulnerability.

Any user running anything less than the latest version will not be notified that their version is vulnerable.

Relevant URLs for the VuXML entry:

https://nvd.nist.gov/vuln/detail/CVE-2018-1160
https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172

"discovery date" should be 20181110 (first mention of CVE [1])
"entry date" should be date of port commit updating to 3.1.12

[1] https://github.com/Netatalk/Netatalk/search?q=CVE-2018-1160&type=Commits
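An illustrative VuXML entry of the shape requested in this report, added here as an example; it is not the entry that was committed in r504357 and not the reporter's text. The vid UUID and the entry date are placeholders (the entry date should be the date of the ports commit that updated netatalk3 to 3.1.12, which this PR does not state). VuXML dates are written YYYY-MM-DD, so the discovery date 20181110 becomes 2018-11-10; the affected range, CVE and reference URLs are taken from the report above.

```xml
<!-- Example entry for security/vuxml/vuln.xml (illustrative, not the committed one). -->
<!-- vid is a placeholder: a real entry needs a freshly generated UUID. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>netatalk3 -- remote code execution vulnerability</topic>
  <affects>
    <package>
      <name>netatalk3</name>
      <!-- Every version before the fixed release is affected. -->
      <range><lt>3.1.12</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Upstream reports:</p>
      <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-1160">
        <p>A remote unauthenticated attacker can leverage this
          vulnerability to achieve arbitrary code execution.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2018-1160</cvename>
    <url>https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172</url>
  </references>
  <dates>
    <!-- First public mention of the CVE, per the report above. -->
    <discovery>2018-11-10</discovery>
    <!-- Placeholder: date of the ports commit updating netatalk3 to 3.1.12. -->
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
```

In the ports tree, `make newentry` in security/vuxml produces a template with a fresh vid, and `make validate` checks the edited vuln.xml before it is committed. Once the entry is in the published database, `pkg audit` on a host with netatalk3 older than 3.1.12 reports the package as vulnerable, which is the notification the reporter notes was missing.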
Comment 1 Joe Marcus Clarke freebsd_committer freebsd_triage 2019-06-16 17:07:53 UTC
Documented.
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-06-16 17:08:06 UTC
A commit references this bug:

Author: marcus
Date: Sun Jun 16 17:07:14 UTC 2019
New revision: 504357
URL: https://svnweb.freebsd.org/changeset/ports/504357

Log:
  Add an entry for netatalk3.

  Document the netatalk3 remote code execution vulnerability fixed in 3.1.12.

  PR:		238573

Changes:
  head/security/vuxml/vuln.xml