the <dates> section misses the <entry> tag which tells the system when the entry had been made.
Apart from that I would like to ask you whether you can send this diff to ports-security which can review this for you, be sure to add an unified diff _attached_ to the mail, so that someone can download it and apply it to the tree and validate whether the entry indeed works etc. Thank you for working on this! Remko On Apr 2, 2012, at 11:16 PM, Helmut Schneider wrote: > Does this look reasonable? > > <vuln vid="cf36b6a1-7d08-11e1-b720-000c2994762c"> > <topic>Typo3 - Cross-Site Scripting, Information Disclosure, Insecure > Unserialize</topic> > <affects> > <package> > <name>typo3</name> > <range><ge>4.6</ge><le>4.6.6</le></range> > </package> > <package> > <name>typo345</name> > <range><ge>4.5</ge><le>4.5.13</le></range> > </package> > <package> > <name>typo344</name> > <range><ge>4.4</ge><le>4.4.13</le></range> > </package> > </affects> > <description> > <body xmlns="http://www.w3.org/1999/xhtml";> > <p>The typo3 security team reports:</p> > <blockquote > cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/";> > <p>Due to a missing signature (HMAC) for a request argument, an > attacker could unserialize arbitrary objects within TYPO3.</p> > <p>Failing to properly HTML-encode user input in several places, the > TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is > required to exploit these vulnerabilities.</p> > <p>Accessing a CLI Script directly with a browser may disclose the > database name used for the TYPO3 installation.</p> > <p>By not removing non printable characters, the API method > t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, > thus is susceptible to Cross-Site Scripting.</p> > </blockquote> > </body> > </description> > <references> > <cvename>CVE-2012-1605</cvename> > <cvename>CVE-2012-1606</cvename> > <cvename>CVE-2012-1607</cvename> > <cvename>CVE-2012-1608</cvename> > > <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/</url> > </references> > <dates> > <discovery>2012-03-28</discovery> > </dates> > </vuln> > > > -------------------------------------------------- > From: "Ruslan Mahmatkhanov" <[email protected]> > Sent: Friday, March 30, 2012 9:07 AM > To: "Jason Helfman" <[email protected]> > Cc: <[email protected]>; <[email protected]>; > <[email protected]>; "Helmut Schneider" <[email protected]> > Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr > >> Jason Helfman wrote on 30.03.2012 10:30: >>> On Thu, Mar 29, 2012 at 11:21 AM, Ruslan >>> Mahmatkhanov<[email protected]>wrote: >>> >>>> rm 2012-03-29 18:21:21 UTC >>>> >>>> FreeBSD ports repository >>>> >>>> Modified files: >>>> www/typo345 Makefile distinfo pkg-descr >>>> Log: >>>> - update to 4.5.14 >>>> >>>> See >>>> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/ >>>> >>>> PR: 166467 http://www.FreeBSD.org/cgi/query-pr.cgi?pr=166467 >>>> Submitted by: Helmut Schneider<jumper99 at gmx dot de> (maintainer) >>>> Feature safe: yes >>>> >>>> Revision Changes Path >>>> 1.60 +1 -1 ports/www/typo345/Makefile >>>> 1.42 +4 -4 ports/www/typo345/distinfo >>>> 1.7 +1 -1 ports/www/typo345/pkg-descr >>>> >>>> >>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=1.59&r2=1.60&f=h >>>> >>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=1.41&r2=1.42&f=h >>>> >>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=1.6&r2=1.7&f=h >>>> >>>> >>> Are there any plans to document these updates in vuxml? >>> >>> -jgh >>> >> >> No, I haven't. Helmut, would you? >> >> -- >> Regards, >> Ruslan >> >> Tinderboxing kills... the drives. > _______________________________________________ > [email protected] mailing list > http://lists.freebsd.org/mailman/listinfo/cvs-ports > To unsubscribe, send any mail to "[email protected]" -- /"\ With kind regards, | [email protected] \ / Remko Lodder | [email protected] X FreeBSD | http://www.evilcoder.org / \ The Power to Serve | Quis custodiet ipsos custodes _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "[email protected]"
