Bug 269221

Summary: security/vuxml: document CVE-2017-11610 and CVE-2019-12105 for outdated versions of sysutils/py-supervisor
Product: Ports & Packages Reporter: Graham Perrin <grahamperrin>
Component: Individual Port(s)Assignee: Fernando Apesteguía <fernape>
Status: Closed Overcome By Events    
Severity: Affects Many People CC: fernape, thomas
Priority: Normal Keywords: needs-patch, security
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://www.freshports.org/sysutils/py-supervisor/

Description Graham Perrin freebsd_committer freebsd_triage 2023-01-29 11:36:35 UTC 
CVE-2019-12105 alone might be negligible (not worth a VuXML entry). 

<https://github.com/advisories/GHSA-6x94-2xr2-xgw3>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12105>


CVE-2017-11610 is more significant. If there'll be an entry for this one, then there may as well be an entry for both. 

<https://github.com/advisories/GHSA-x7c8-4x3h-874w>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11610>

> The XML-RPC server in supervisor before 3.0.1, 
> 3.1.x before 3.1.4, 
> 3.2.x before 3.2.4, and 
> 3.3.x before 3.3.3 allows remote authenticated users to execute 
> arbitrary commands via a crafted XML-RPC request, related to 
> nested supervisord namespace lookups.
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-29 18:51:31 UTC 
^Triage: reporter is committer, assign accordingly.
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2023-09-02 15:43:04 UTC 
It doesn't make sense to report in 2023 a vulnerability for a port version that hasn't been in our port collection for years.

Closing as discussed with ports-secteam.