Bug 246657 - security/vuxml tomcat remote code execution
Summary: security/vuxml tomcat remote code execution
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ports Security Team
Reported: 2020-05-22 11:43 UTC by rob2g2
Modified: 2020-05-23 11:33 UTC

bugzilla: maintainer-feedback? (ports-secteam)


Attachments
patch for vuxml (1.33 KB, patch)
2020-05-22 11:43 UTC, rob2g2

Description rob2g2 2020-05-22 11:43:40 UTC
Created attachment 214755
patch for vuxml

add CVE-2020-9484 to vuxml
Comment 1 VVD 2020-05-22 11:54:38 UTC
8.5, 9 and 10 were updated already: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246446
7 isn't updated.
Comment 2 rob2g2 2020-05-22 11:57:21 UTC
Yes, that happened crazy fast, thank you. But shouldn't vuxml include this CVE to inform users about the security risk if they run an older version?
Comment 3 VVD 2020-05-22 12:04:15 UTC
(In reply to rob2g2 from comment #2)
Yes, ofc.
CVE was announced less than 2 days ago and nobody has done this job yet…
Comment 4 rob2g2 2020-05-22 12:07:50 UTC
The patch in my attachment should work to update vuxml.
Comment 5 Jochen Neumeister freebsd_committer 2020-05-22 12:49:06 UTC
Take as a part of ports-secteam.
After that, I will MFH the landed commits.
Comment 6 commit-hook freebsd_committer 2020-05-23 09:22:37 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 09:22:22 UTC 2020
New revision: 536276
URL: https://svnweb.freebsd.org/changeset/ports/536276

Log:
  Add entry for tomcat

  PR:		246657
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2020-05-23 11:29:03 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 11:28:25 UTC 2020
New revision: 536288
URL: https://svnweb.freebsd.org/changeset/ports/536288

Log:
  Update to 8.5.55

  PR:		246446 246657
  Approved by:	ports-secteam (with hat)
  Security:	676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
  Sponsored by:	Netzkommune GmbH

Changes:
  branches/2020Q2/www/tomcat85/Makefile
  branches/2020Q2/www/tomcat85/distinfo
Comment 8 commit-hook freebsd_committer 2020-05-23 11:33:06 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 11:32:25 UTC 2020
New revision: 536289
URL: https://svnweb.freebsd.org/changeset/ports/536289

Log:
  Update to 9.0.35

  PR:		246446 246657
  Approved by:	ports-secteam (with hat)
  Security:	676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
  Sponsored by:	Netzkommune GmbH

Changes:
  branches/2020Q2/www/tomcat9/Makefile
  branches/2020Q2/www/tomcat9/distinfo
  branches/2020Q2/www/tomcat9/pkg-plist