Bug 269221 - security/vuxml: document CVE-2017-11610 and CVE-2019-12105 for outdated versions of sysutils/py-supervisor
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal Affects Many People
Assignee: Fernando Apesteguía
URL: https://www.freshports.org/sysutils/p...
Keywords: needs-patch, security
Depends on:
Blocks:
Reported: 2023-01-29 11:36 UTC by Graham Perrin
Modified: 2023-09-02 15:43 UTC (History)

See Also:

Description Graham Perrin freebsd_committer freebsd_triage 2023-01-29 11:36:35 UTC
CVE-2019-12105 alone might be negligible (not worth a VuXML entry). 

<https://github.com/advisories/GHSA-6x94-2xr2-xgw3>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12105>


CVE-2017-11610 is more significant. If there'll be an entry for this one, then there may as well be an entry for both. 

<https://github.com/advisories/GHSA-x7c8-4x3h-874w>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11610>

> The XML-RPC server in supervisor before 3.0.1, 
> 3.1.x before 3.1.4, 
> 3.2.x before 3.2.4, and 
> 3.3.x before 3.3.3 allows remote authenticated users to execute 
> arbitrary commands via a crafted XML-RPC request, related to 
> nested supervisord namespace lookups.
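For reference, this is the shape of the security/vuxml entry the bug asks for ("needs-patch"). It is an added example, not an entry from the ports tree or from the supervisor project, and it covers CVE-2017-11610 only, because the quoted advisory gives affected version ranges for that CVE alone and nothing on this page states a range for CVE-2019-12105. The vid, both dates and the flavour-specific package names (py27-supervisor, py36-supervisor) are placeholders or assumptions; the version ranges are copied from the quoted advisory text.

```xml
<!-- Added example VuXML entry for CVE-2017-11610; not the committed entry. -->
<vuln vid="00000000-0000-0000-0000-000000000000"> <!-- placeholder: generate a fresh UUID with uuidgen(1) -->
  <topic>py-supervisor -- authenticated remote command execution via XML-RPC</topic>
  <affects>
    <package>
      <!-- Assumed flavour names; a real entry lists every
           ${PYTHON_PKGNAMEPREFIX}supervisor package name that was actually built. -->
      <name>py27-supervisor</name>
      <name>py36-supervisor</name>
      <!-- Ranges taken from the advisory text quoted in the bug report. -->
      <range><lt>3.0.1</lt></range>
      <range><ge>3.1.0</ge><lt>3.1.4</lt></range>
      <range><ge>3.2.0</ge><lt>3.2.4</lt></range>
      <range><ge>3.3.0</ge><lt>3.3.3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The GitHub advisory reports:</p>
      <blockquote cite="https://github.com/advisories/GHSA-x7c8-4x3h-874w">
        <p>The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4,
          3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated
          users to execute arbitrary commands via a crafted XML-RPC request,
          related to nested supervisord namespace lookups.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2017-11610</cvename>
    <url>https://github.com/advisories/GHSA-x7c8-4x3h-874w</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery> <!-- placeholder: advisory publication date, not stated on this page -->
    <entry>YYYY-MM-DD</entry>         <!-- placeholder: date the entry is committed -->
  </dates>
</vuln>
```

An entry like this is placed at the top of vuln/ in security/vuxml and checked with `make validate` in that directory before being committed; once published, `pkg audit` on a host with an affected py-supervisor package in one of the listed ranges reports the CVE, which is the whole point of recording it. Comment 2 below explains why the entry was ultimately not added for these two CVEs.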
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-29 18:51:31 UTC
^Triage: reporter is committer, assign accordingly.
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2023-09-02 15:43:04 UTC
It doesn't make sense to report in 2023 a vulnerability for a port version that hasn't been in our port collection for years.

Closing as discussed with ports-secteam.