Bug 200760 - textproc/kibana: Security vulnerability CVE-2015-4093
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Antoine Brodin
URL: http://www.securityfocus.com/archive/...
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2015-06-10 11:35 UTC by Kubilay Kocak
Modified: 2015-06-13 20:52 UTC

See Also:
bugzilla: maintainer-feedback? (antoine)


Description Kubilay Kocak freebsd_committer freebsd_triage 2015-06-10 11:35:45 UTC
Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the user's browser.
Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2015-06-10 11:48:49 UTC
Kibana 3 is in the ports tree, Kibana 4 is a total rewrite so I don't think we are affected.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-06-11 01:49:45 UTC
Good catch.  Kibana 4 isn't in the tree and the advisory is clear on affected versions.  There are two open PRs for adding a Kibana 4 port.

For bug 200582 in https://bugs.freebsd.org/200582, I've provided this information and mentioned it would have to be addressed.  That was the first submission.

Bug 200653 was the second submission in https://bugs.freebsd.org/200653.  That wasn't portlint clean and didn't have build logs so I provided some feedback to the author, mentioned the security issue, and recommended he close the duplicate PR and contribute to the first.