Bug 238573 - net/netatalk3: Add VuXML entry for CVE-2018-1160 (fixed in 3.1.12)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Joe Marcus Clarke
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Keywords: easy, security
Depends on:
Blocks:
 
Reported: 2019-06-15 05:41 UTC by Kubilay Kocak
Modified: 2019-06-16 17:08 UTC

See Also:
bugzilla: maintainer-feedback? (marcus)


Description Kubilay Kocak freebsd_committer freebsd_triage 2019-06-15 05:41:53 UTC
The net/netatalk port was updated to 3.1.12 in December 2018.

This version fixed CVE-2018-1160.

Upstream states the following on the nature of the vulnerability: "Please update to this latest release as soon as possible as this releases fixes an major security issue (CVE-2018-1160)."

"A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution."

CVSS v3.0 Base Score: 9.8 CRITICAL 
CVSS v2.0 Base Score: 10.0 HIGH 

It appears no security/vuxml entry was added for this vulnerability.

Any user running anything less than the latest versions will not be notified that their version is vulnerable.

Relevant URLs for the VuXML entry:

https://nvd.nist.gov/vuln/detail/CVE-2018-1160
https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172

"discovery date" should be 20181110 (first mention of CVE [1])
"entry date" should be date of port commit updating to 3.1.12

[1] https://github.com/Netatalk/Netatalk/search?q=CVE-2018-1160&type=Commits
Comment 1 Joe Marcus Clarke freebsd_committer 2019-06-16 17:07:53 UTC
Documented.
Comment 2 commit-hook freebsd_committer 2019-06-16 17:08:06 UTC
A commit references this bug:

Author: marcus
Date: Sun Jun 16 17:07:14 UTC 2019
New revision: 504357
URL: https://svnweb.freebsd.org/changeset/ports/504357

Log:
  Add an entry for netatalk3.

  Document the netatalk3 remote code execution vulnerability fixed in 3.1.12.

  PR:		238573

Changes:
  head/security/vuxml/vuln.xml