
security/vuxml: add www/rubygem-rest-client vulnerabilities
Closed, Public

Authored by mmoll on May 31 2015, 9:29 PM.

Details

Reviewers
swills
eadler
delphij
mat
Group Reviewers
ports secteam
Summary

Proposed commit message:

security/vuxml: add www/rubygem-rest-client vulnerabilities

PR:		200504
Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>
Approved by:	swills (mentor), mat (mentor)
Security:	CVE-2015-1820
Security:	CVE-2015-3448
Test Plan

Validation:

mmoll@marduk:/svn/ports/security/vuxml$ make validate
/bin/sh /svn/ports/security/vuxml/files/tidy.sh "/svn/ports/security/vuxml/files/tidy.xsl" "/svn/ports/security/vuxml/vuln.xml" > "/svn/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /svn/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /svn/ports/security/vuxml/files/extra-validation.py /svn/ports/security/vuxml/vuln.xml

Version checking:

mmoll@marduk:/svn/ports/security/vuxml$ env PKG_DBDIR=/svn/ports/security/vuxml pkg audit rubygem-rest-client-1.7.0
rubygem-rest-client-1.7.0 is vulnerable:
rest-client -- session fixation vulnerability
CVE: CVE-2015-1820
WWW: http://vuxml.FreeBSD.org/freebsd/83a7a720-07d8-11e5-9a28-001e67150279.html

rubygem-rest-client-1.7.0 is vulnerable:
rest-client -- plaintext password disclosure
CVE: CVE-2015-3448
WWW: http://vuxml.FreeBSD.org/freebsd/ffe2d86c-07d9-11e5-9a28-001e67150279.html

1 problem(s) in the installed packages found.
mmoll@marduk:/svn/ports/security/vuxml$ env PKG_DBDIR=/svn/ports/security/vuxml pkg audit rubygem-rest-client-1.7.3
rubygem-rest-client-1.7.3 is vulnerable:
rest-client -- session fixation vulnerability
CVE: CVE-2015-1820
WWW: http://vuxml.FreeBSD.org/freebsd/83a7a720-07d8-11e5-9a28-001e67150279.html

1 problem(s) in the installed packages found.
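
An added example (not part of the revision or of the FreeBSD ports tree): the version check from the test plan written as a repeatable assertion over captured `pkg audit` output. `audit_output`, `cves_for` and `check_entry` are hypothetical helper names, and the embedded text is the output quoted above.

```shell
#!/bin/sh
# Captured output copied from the test plan above (both runs, concatenated).
# On a FreeBSD host, replace the body with the `pkg audit` calls from the page.
audit_output() {
    cat <<'EOF'
rubygem-rest-client-1.7.0 is vulnerable:
rest-client -- session fixation vulnerability
CVE: CVE-2015-1820
WWW: http://vuxml.FreeBSD.org/freebsd/83a7a720-07d8-11e5-9a28-001e67150279.html

rubygem-rest-client-1.7.0 is vulnerable:
rest-client -- plaintext password disclosure
CVE: CVE-2015-3448
WWW: http://vuxml.FreeBSD.org/freebsd/ffe2d86c-07d9-11e5-9a28-001e67150279.html

1 problem(s) in the installed packages found.
rubygem-rest-client-1.7.3 is vulnerable:
rest-client -- session fixation vulnerability
CVE: CVE-2015-1820
WWW: http://vuxml.FreeBSD.org/freebsd/83a7a720-07d8-11e5-9a28-001e67150279.html

1 problem(s) in the installed packages found.
EOF
}

# cves_for PKG (hypothetical helper): read audit output on stdin and print the
# CVE ids reported for PKG, sorted, de-duplicated and comma-joined.
cves_for() {
    awk -v pkg="$1" '
        / is vulnerable:$/     { cur = $1; next }  # header of one finding
        /^CVE: / && cur == pkg { print $2 }        # CVE line inside it
    ' | sort -u | awk '{ s = s (NR > 1 ? "," : "") $0 } END { print s }'
}

# check_entry PKG EXPECTED (hypothetical helper): fail unless the CVE set
# reported for PKG is exactly EXPECTED (catches ranges too wide or too narrow).
check_entry() {
    got=$(audit_output | cves_for "$1")
    if [ "$got" = "$2" ]; then
        echo "ok   $1: ${got:-none}"
    else
        echo "FAIL $1: expected '${2:-none}', got '${got:-none}'" >&2
        return 1
    fi
}

check_entry rubygem-rest-client-1.7.0 "CVE-2015-1820,CVE-2015-3448"
check_entry rubygem-rest-client-1.7.3 "CVE-2015-1820"
```

Comparing the exact CVE set per version, rather than only checking for "is vulnerable", is what distinguishes the two entries' ranges in the runs above.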

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

mmoll updated this revision to Diff 5846. May 31 2015, 9:29 PM
mmoll retitled this revision from to security/vuxml: add www/rubygem-rest-client vulnerabilities.
mmoll updated this object.
mmoll edited the test plan for this revision.
mmoll added reviewers: swills, mat.
eadler accepted this revision. Jun 1 2015, 6:38 PM
eadler added a reviewer: eadler.
This revision is now accepted and ready to land. Jun 1 2015, 6:38 PM
delphij edited edge metadata. Jun 1 2015, 6:39 PM

I think the "range" should be <lt>1.6.7_1</lt> so that 2015Q2 changeset (D2707) would be covered?

The change is otherwise fine by the way.

mmoll closed this revision. Jun 1 2015, 6:54 PM

committed in rP388251